Need help - Mischel Internet Security Forum

Jobs | About | Blog | Contact

Download TrojanHunter Now
Free 30-day trial!

Latest TrojanHunter Version:
TrojanHunter 5.0

Order Now
License file delivered within minutes.

Welcome, Guest. Please Login or Register.

Dec 1^st, 2008, 8:08pm

   Mischel Internet Security Forum
   Malware
   Trojans (Moderators: Helena, Gavin_Coe, Magnus)
   Need help

« Previous topic | Next topic »

Pages: 1 2

Notify of replies

Send Topic

Author

Topic: Need help (Read 786 times)

eym
Junior Member

I love YaBB 1G - SP1!

Posts: 81

Need help
« on: Sep 3^rd, 2003, 9:38am »

Quote

Modify

Hi

I am new too and just bought the license for trojan hunter hoping it will help me get rid of something i got today.
I received an email which i deleted on my server,saying my c/c data is for sell on some website with url posted.
I didn't load this email to my hard drive but when i clicked on this url i noticed something load on the page and at same time something was running in dos mode opening new box.
the box opened was windrive.exe
Now when i made a quick scan with trojan hunter got the following message under [b][/b]file scan-autostarted files-running excutables)-found possible trojan file-C:\WINDOWS\SYSTEM32\LOAD32.EXE(SUSPICIOUS UPX-PACKED FILE IN WINDOWS SYSTEM FOLDER)
Also when i reconnected later on today this dos box of windrive loaded again and i simply shut it ,but i never had it loading on start before.
So i know this email directed me to a link which installed something on my hard drive and i am afraid they try to get passwords/keyloggers and have to protect myself.
When i searched for this file saw update from symantec regarding some trojan using to load backdoor.nibu or something like that.
I had already trojan software before name boclean if anyone familiar with it but it didn't detect anything,i am using also panda antivirus titanium software and run full scan with no results.
Now what am i suppose to do?trojan hunter also didn't do a thing except for saying its possible trojan.
Do i delete this file or this file is necessary for smooth operation of win xp
I am lost and need help
Thanks in advance.
Eitan.

« Last Edit: Sep 3^rd, 2003, 9:45am by eym »

IP Logged

Jamming
Stole All the Forum Stars

Remember when a Trojan was just for protection.

Gender: male

Posts: 2039

Re: Need help
« Reply #1 on: Sep 3^rd, 2003, 12:59pm »

Quote

Modify

General Advice for Dealing with a Trojan:

Find the Process that is running with Process Viewer on the TrojanHunter Tools Menu. There will be a complete list of each process and its connected DLLs. Note those down for any suspicious files. Check those files for their names using a general Google Search or something like it. When you find a program that is listed as a trojan, dialer installer, or ect... then you can then Terminate the Process, that you suspect of being the one that is a Keylogger or other trojan.

Now then I would send the supicious file that you terminated to submit@trojanhunter.com and let Magnus have a look before I did a find file and delete from my Hard Drive. You might also want to delete any DLLs that are used only by the suspected file for the process. Then you need to save your registry to a Floppy then remove the Floppy. After the save of your original registry you need to search through the registry and delete all instances associated with either the original file and any of the other DLLs that support only the original file. Then make sure your System Restore is turned off temporarily and reboot.

Dealing with this Possible Trojan/Worm:

It could be theW32/Nugosh-A Worm, if it is it should be removed by folloeing instructions at http://www.us.sophos.com/support/disinfection/worms.html

It could be the Backdoor.Nibu click the link for removal instructions.

or it could also be W32/Dumaru.c@MM found at Network Associates.

IP Logged

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster

eym
Junior Member

I love YaBB 1G - SP1!

Posts: 81

Re: Need help
« Reply #2 on: Sep 3^rd, 2003, 7:05pm »

Quote

Modify

scanning all harddrive brought 3 files
possibly containg trojan but with no action taken by trjanhunter.

load32.exe in windows/system32
vxdmgr32.exe in same folder
and windrive in windows folder

Probably the nibu

IP Logged

Jamming
Stole All the Forum Stars

Remember when a Trojan was just for protection.

Gender: male

Posts: 2039

Re: Need help
« Reply #3 on: Sep 3^rd, 2003, 7:30pm »

Quote

Modify

OK good work, did you submit the files? Do you need any further assistance?

IP Logged

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster

eym
Junior Member

I love YaBB 1G - SP1!

Posts: 81

Re: Need help
« Reply #4 on: Sep 3^rd, 2003, 8:06pm »

Quote

Modify

i suspect its the backdoor.nibu
i did follow instruction provided by symantec but
i think it didn't do any good.
when i restart my computer windrive still load the minute i connect to internet so it means hackers still have connection to my computer.

quick scan indicates possible trojan in load32.exe and vxdmgr32.exe in windows/system32 folders and under hueristic scan windrive.exe also comes up as suspicious infected file but then it says no trojans found.

I went to registry and deleted the line saying %load32..% as instructed in symantec page and turn off the restore mode prior to doing so but windrive again load when i restart and i keep getting with trojanhunter same message as before when i do quick scan

what should i do next Huh

its the backdoor.nibu

I don't know what to do next
I know its still runing..i get the dos mode box with windrive.exe loads when i connect so they still have access to my machine.
also when i close this box says program not responding and i just click end now.
then a minute or 2 later i get another error saying vxdmgr had to shut down.

« Last Edit: Sep 3^rd, 2003, 8:15pm by eym »

IP Logged

Jamming
Stole All the Forum Stars

Remember when a Trojan was just for protection.

Gender: male

Posts: 2039

Re: Need help
« Reply #5 on: Sep 3^rd, 2003, 8:10pm »

Quote

Modify

What happens when you terminate the Process for Windrive.exe, with the Process Viewer? Does it restart?

Just for information purposes which brand of Windows are you running? WinNT, 2000, XP, ME?

IP Logged

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster

eym
Junior Member

I love YaBB 1G - SP1!

Posts: 81

Re: Need help
« Reply #6 on: Sep 3^rd, 2003, 8:18pm »

Quote

Modify

I am using windows xp home adition.
I am new to trojan hunter bought just 12 hrs ago
realising i got a trojan through this email directing me to
some site where nothing loads but installed something into my windrive.exe

IP Logged

eym
Junior Member

I love YaBB 1G - SP1!

Posts: 81

Re: Need help
« Reply #7 on: Sep 3^rd, 2003, 8:24pm »

Quote

Modify

i don't know what to do next.
Iam not sure how to use trojanhunter and its features.
can you help me and chat to me through msn meseenger or icq please

IP Logged

Jamming
Stole All the Forum Stars

Remember when a Trojan was just for protection.

Gender: male

Posts: 2039

Re: Need help
« Reply #8 on: Sep 3^rd, 2003, 8:30pm »

Quote

Modify

You might want to Download Hijack this!, it is a useful file to run but sometimes TrojanHunter detects it as Supicious, when its stored, don't be scared of that. It will print out a long log of Information about your computer to a file, You could print that log here with a copy/paste. This would give me more to work with, but it will tell me alot about how you use your computer.

IP Logged

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster

eym
Junior Member

I love YaBB 1G - SP1!

Posts: 81

Re: Need help
« Reply #9 on: Sep 3^rd, 2003, 8:35pm »

Quote

Modify

downloaded it
compressed file is invalid
can't open it.or install it.

IP Logged

Jamming
Stole All the Forum Stars

Remember when a Trojan was just for protection.

Gender: male

Posts: 2039

Re: Need help
« Reply #10 on: Sep 3^rd, 2003, 8:37pm »

Quote

Modify

http://securityresponse.symantec.com/avcenter/venc/data/pf/backdoor.nibu .html, are these the same instructions you followed for removal?

IP Logged

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster

Jamming
Stole All the Forum Stars

Remember when a Trojan was just for protection.

Gender: male

Posts: 2039

Re: Need help
« Reply #11 on: Sep 3^rd, 2003, 8:38pm »

Quote

Modify

Do you have a Firewall?

IP Logged

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster

eym
Junior Member

I love YaBB 1G - SP1!

Posts: 81

Re: Need help
« Reply #12 on: Sep 3^rd, 2003, 8:42pm »

Quote

Modify

Yes this is the page i was looking at.
I don't use norton tho
I just disabled the system restore and then
deleted the value in registry in hkeymachine for the load as described there.
But when i restarted my computer windrive.exe loaded again.
and then i shut the dos mode box and several mins later got vxdmgr has to shut down .

I don't use firewall..i use internetalert security suppose to monitor all open ports and alert and trach hackers.

But didn't do any good in that case.

IP Logged

Jamming
Stole All the Forum Stars

Remember when a Trojan was just for protection.

Gender: male

Posts: 2039

Re: Need help
« Reply #13 on: Sep 3^rd, 2003, 8:43pm »

Quote

Modify

I just lost power here at my location and I am on Battery Back-up, I have to shut down. I will be back here as soon as power is restored.

IP Logged

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster