Please help, I believe I have a trojan

Discussion in 'malware problems & news' started by Nucleus, Jun 10, 2007.

Thread Status:
Not open for further replies.
  1. Nucleus

    Nucleus Registered Member

    Jun 10, 2007
    Hello everyone. I am writing this from a Ubuntu LiveCD so it will not be read by whoever is (possibly) trojanning me. I am not 100% convinced I have a trojan but I would really appreciate your help. First off I am running nod32 anti virus and Sygate personal firewall.

    Basically, I was reading a forum when all of a sudden my browser went to a different URL (not a popup, a full page change which I believe is a common feature in some trojans.) The site went to "" but I am sure I didn't click on anything. When I went back, I noticed their was no banner ad or anything that I could of clicked on and I did a "view source" on the page and searched for "" and it couldn't find anything. This was on firefox.

    I noticed the Sygate icon was flashing as if to indicate an attack, but usually these don't mean anything and are just some random port scan or something. Because of the thing, I decided to open the log and see what IP address it was coming from. I googled for "Geobytes" because I remembered they had an IP locator and then I tried to copy and paste the IP from the log into geobytes. Although I selected it and did copy, it copied something else random that had not been in my clipboard (I forget what it was, I brushed it off as something from the computer. It wasn't that strange (like ^$(%^$(% or anything) but it wasn't what I wanted to copy. I tried several times and failed. Finally, one of the times I copied something and I am so mad but I forget what it said but it looked as if an attacker could have copied some identification settings for my computer into my own clipboard. From what I can remember, it had my user account name and my computer name. It definitely had other things as well (I am sure I would have noticed if it had my IP but I was in such a hurry trying to copy the IP address I might have missed it). Unfortunately, I copied over that text and got the IP (which wasn't able to be traced according to Geobytes).

    After that I shutdown. I am very upset as I don't see how I could recover from something like this as obviously my anti virus and firewall are insufficient. One solution I thought of would be reinstalling windows (I currently have XP). Would I be able to keep all of my data but have it clear everything that could possibly be starting up? Another option I thought of would be upgrading to Vista. Would this allow me to keep all of my data but clear everything from starting up? I know rootkits and trojans have all sorts of hiding places other than the usual registry / msconfig startup areas so I need something complete. I know Vista is supposed to be more secure, so it would make sense that upgrading to it would clear out everything that used to startup in the more insecure versions of windows.

    Any advice on this would be very much appreciated. Thank you very much!
    Last edited: Jun 10, 2007
  2. acr1965

    acr1965 Registered Member

    Oct 12, 2006
    Maybe an admin will move this thread to the NOD32 forum as you will get some detailed help there. They also will be interested in any infection you may have gotten. You will be asked if you have NOD32 updated and set to Blackspear's settings. If so, you'll need to do an on-demand scan to see if anything is detected. Otherwise, you'll most likely need to adjust NOD32 to Blackspear's settings and then do a scan. Have you checked your NOD32 logs? I usually run NOD but am trialing something different now so I am just going off memory. But see if there is a threat log and open it. See if anything is in there. If anything is in quarantine you will be told how to send it to ESET on the NOD forum.

    So, first copy and paste your post in the NOD32 forum.
    Then check your threat center logs to see if anything is in there.
    If you have not configured NOD32 to Blackspear's settings you should probably do that.
    I believe there is a setting in NOD to check for potentially harmful malware (worded something like that in settings)- you'll need to make sure that is checked.
    After those things you'll need to make sure NOD is updated and do an on-demand, in-depth scan.
    By the time you get that done you'll probably have some replies to your post in the NOD forum- check the forum often as they are pretty good about getting back to people.
Thread Status:
Not open for further replies.