Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)

Can someone help remove this trojan called OnlineGames.BDN from my computer? Only avast with updates as of today can detect the trj, and I scheduled a boot-time scan which deleted some files with no errors, but when the desktop loads I get the siren saying there is OnlineGames.bdn again, or it changes to the extensions above.
I cannot unhide hidden files or change folder view options; they return to default when I press Apply. I can access the registry editor but I have not seen any suspicious entries.

Can somebody help!

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

Whilst it may not be an issue with this detection, deletion isn’t really a good first option (you have none left); ‘first do no harm’: don’t delete, send the virus to the chest and investigate.

There would appear to be other elements to this infection either restoring or downloading it again. What is your firewall?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. AVG anti-spyware (formerly Ewido) Resident scanner during trial On-Demand after trial ends. Or SUPERantispyware On-Demand only in free version. Or Spyware Terminator Resident scanner.

Check out these google results http://www.google.com/search?q=can+not+unhide+hidden+files and see if there is something helpful.

I have shared the drive of the affected computer and managed to view the contents of C:, which had 2 unusual files, namely autorun.inf and ntde1ect.com.
The contents of autorun.inf read as follows:

[AutoRun]
open=ntde1ect.com
;shell\open=Open(&O)
shell\open\Command=ntde1ect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntde1ect.com

Unfortunately, I’m not with the machine now. I thought I had saved the avast log file to my flash drive, but when I browsed the flash drive on another machine which could display hidden files, the log file was not there, but the files above had been copied to my flash drive instead. I’m still downloading AVG anti-spyware and yet to find a way I can turn on the show-hidden-files option for Explorer…
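As an added example (not from the thread or from any of the tools named in it), a small Python check that parses an autorun.inf like the one quoted in the post above and reports which programs it would launch; the `on_fixed_drive` flag is an assumed input, reflecting that autorun.inf is normally only expected on removable media.

```python
import re

# Constructed sample: the autorun.inf quoted in the post above.
SAMPLE_AUTORUN = """[AutoRun]
open=ntde1ect.com
;shell\\open=Open(&O)
shell\\open\\Command=ntde1ect.com
shell\\open\\Default=1
;shell\\explore=Manager(&X)
shell\\explore\\Command=ntde1ect.com
"""

# Keys whose value is a program run on insert/autoplay; shell\<verb>\command
# entries are matched separately because the verb name varies.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} from the [AutoRun] section; ';' lines are comments."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_programs(entries):
    """Programs started via open=, shellexecute= or shell\\<verb>\\command=."""
    programs = set()
    for key, value in entries.items():
        if key in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            parts = value.split()  # drop arguments and surrounding quotes
            if parts:
                programs.add(parts[0].strip('"'))
    return sorted(programs)


def assess(text, on_fixed_drive):
    """Collect the indicators a responder checks before acting on the file."""
    programs = launched_programs(parse_autorun(text))
    reasons = []
    if programs:
        reasons.append("launches " + ", ".join(programs))
    if on_fixed_drive:
        reasons.append("autorun.inf on a fixed drive, where it is not normally expected")
    # A launcher entry on a fixed drive is the combination seen in this thread.
    return {"programs": programs, "suspicious": bool(programs) and on_fixed_drive, "reasons": reasons}
```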

Yes it would be unusual to have autorun.inf on a fixed HDD as this is normally associated with removable media.

Info http://www.prevx.com/filenames/X2769565878543970189-X1/NTDE1ECT.COM.html

I would rename autorun.inf to autorun-inf.old and upload ntde1ect.com for analysis.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive.

If any scanners detect this you should also send a sample to avast.
Send the sample to virus@avast.com zipped and password protected with password in email body and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

The Avast log for yesterday…

10/2/2007 8:12:33 AM sye 1712 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\DOCUME~1\sye\LOCALS~1\Temp\ycx0.sys” file.
10/2/2007 8:12:50 AM sye 1712 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\WINDOWS\system32\wincab.sys” file.
10/2/2007 2:00:37 PM sye 1708 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\DOCUME~1\sye\LOCALS~1\Temp\jvd.sys” file.
10/2/2007 2:16:33 PM sye 1708 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
10/2/2007 2:16:34 PM sye 1708 An error has occured while attempting to update. Please check the logs.
10/2/2007 3:38:00 PM sye 1708 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\DOCUME~1\sye\LOCALS~1\Temp\wkd400d.sys” file.
10/2/2007 3:38:25 PM sye 1708 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\WINDOWS\system32\wincab.sys” file.
10/2/2007 3:38:59 PM sye 1708 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\WINDOWS\system32\wincab.sys” file.
10/2/2007 4:01:42 PM sye 1760 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\DOCUME~1\sye\LOCALS~1\Temp\bu.sys” file.
10/2/2007 4:02:33 PM sye 1760 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\WINDOWS\system32\wincab.sys” file.
10/2/2007 4:14:05 PM sye 1820 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\DOCUME~1\sye\LOCALS~1\Temp\k7q39r.sys” file.
10/2/2007 5:16:49 PM sye 1820 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\DOCUME~1\sye\LOCALS~1\Temp\zjwr.sys” file.
10/2/2007 5:16:57 PM sye 1820 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\WINDOWS\system32\wincab.sys” file.
10/2/2007 5:17:12 PM sye 1820 Sign of “Win32:Onlinegames-BDN [trj]” has been found in “D:\WINDOWS\system32\wincab.sys” file.
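As an added example (not part of the thread), a Python script that parses detection lines in the avast log format shown above and flags files detected more than once, which is the recurrence pattern visible in this log; the sample lines are constructed from the posted log.

```python
import re
from collections import Counter

# Constructed sample in the format of the avast log posted above.
SAMPLE_LOG = """\
10/2/2007 8:12:33 AM sye 1712 Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\\DOCUME~1\\sye\\LOCALS~1\\Temp\\ycx0.sys" file.
10/2/2007 8:12:50 AM sye 1712 Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\\WINDOWS\\system32\\wincab.sys" file.
10/2/2007 2:16:33 PM sye 1708 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
10/2/2007 3:38:25 PM sye 1708 Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\\WINDOWS\\system32\\wincab.sys" file.
10/2/2007 5:16:49 PM sye 1820 Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\\DOCUME~1\\sye\\LOCALS~1\\Temp\\zjwr.sys" file.
"""

# Accept straight or curly quotes, since pasted logs often carry the latter.
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of ["\u201c](?P<sig>[^"\u201d]+)["\u201d] has been found in '
    r'["\u201c](?P<path>[^"\u201d]+)["\u201d] file\.$')


def parse_detections(text):
    """Return one dict per detection line; update errors and other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def summarize(hits):
    """Count detections per file and per directory, and list files seen more than once.

    A file that is detected again after being removed points at a dropper or
    persistence mechanism that has not been cleaned up, which is what the
    repeated wincab.sys detections in the thread suggest.
    """
    per_path = Counter(h["path"].lower() for h in hits)
    per_dir = Counter(h["path"].lower().rsplit("\\", 1)[0] for h in hits)
    per_sig = Counter(h["sig"] for h in hits)
    recurring = sorted(p for p, n in per_path.items() if n > 1)
    return {"per_path": per_path, "per_dir": per_dir, "per_sig": per_sig, "recurring": recurring}


if __name__ == "__main__":
    report = summarize(parse_detections(SAMPLE_LOG))
    for path in report["recurring"]:
        print("recurring detection:", path, report["per_path"][path])
```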

Did you download and run the other tools I suggested ?
Were you able to unhide your files ?
Did you upload ntde1ect.com for analysis as suggested? If so, what were the results?

Your results basically confirm that you have an undetected trojan downloader on your system. Whilst it is downloading to the temp folder it is also trying to place files in the system folder.

The wincab.sys may also be associated with a rootkit, which may be what is hiding this malware. http://www.bleepingcomputer.com/startups/wincab.sys-19609.html

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.

I did mail the files to virus@avast.com; nothing has been updated, but I’m still to get AVG anti-spyware. I HAVE NOT FOUND THE SOLUTION TO UNHIDING HIDDEN FILES ON AN NTFS PARTITION, BUT FAT I HAVE. Anybody with a solution!

http://www.cknow.com/vtutor/NTFSADSViruses.html

http://www.safer-networking.org/en/tools/index.html

You can scan ADS with AdAware and SUPERAntiSpyware to my knowledge: worth trying those?

I’m not following you. On Windows 2k/XP/Vista you can show hidden files and folders regardless of the file system (FAT32 or NTFS)?

To unhide them, open any folder and go to Tools >folder options > View, then scroll down to where it says ‘Hidden files and folders’ and then check/tick the ‘Show hidden files and folders’.
Then again try and go into the _restore folder and clear the temp folder.

Tutorial here: http://www.bleepingcomputer.com/tutorials/tutorial62.html

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’

His problem isn’t not knowing how to unhide the files but the fact that lamikela can’t.

I cannot unhide hidden files or change folder view options; they return to default when I press Apply.

Removable drives are the main method this trojan uses to infect other computers. You will want to keep your USB drive away from all but the infected computer until things are cleaned up. Make sure the USB drive is plugged into the infected computer when you scan with the programs recommended above so it will have a chance of being cleaned too.

No solution yet. I have managed to reduce the Avast! sound by emptying the temps. No anti-spyware has been able to rescue, like AVG, MS Antispyware, Spybot etc… The Autorun thing I have fixed, which has made things better. You do not have to have autorun.inf on C:, but CD-ROM. My job is heading to DOOM! I have to batter thing for my bosses. No solution for unhiding hidden files; if you do the norm nothing shows up and you go back to find everything as before. I’m in a crisis guys…

Please download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Click here to download HJTsetup.exe

  1. Save HJTsetup.exe to your desktop.
  2. Double-click on the HJTsetup.exe icon on your desktop.
  3. By default it will install to C:\Program Files\Hijack This.
  4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  5. Put a check by Create a desktop icon then click Next again.
  6. Continue to follow the rest of the prompts from there.
  7. At the final dialogue box click Finish and it will launch Hijack This.
  8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  9. Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  10. Come back here to this thread and paste the log in your next reply.
  11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


EDIT: Make sure your USB drive is plugged into the computer when you run ComboFix.

None has worked yet :-X

The idea is to post the results of the ComboFix and HJT logs so that mauserme can analyse them.

They are usually quite large, so you will need to split them, copying and pasting them over several posts.

No, there will be some manual procedures with this. As David mentioned you should post the logs so we can find hidden files and registry entries causing this to recur.

I have found a way of removing the virus manually; I have not found the solution to viewing or turning on the hidden files. If you do the normal folder options way and say Apply/OK, nothing is shown, and if you go back to the folder options nothing will be shown…

I will post the solution tomorrow.

I’m sorry dudes, I just got a bit busy. Please follow the link below; that’s what I did.
click here

There is nothing in the link other than what is in the code box below, no URL.


http://click here

http://www.lamikela.netfirms.com/onlinegames.htm