Persistent Trojan

Discussion in 'Trojan Defence Suite' started by dougdoug, Aug 6, 2004.

Thread Status:
Not open for further replies.
  1. dougdoug

    dougdoug Registered Member

    Joined:
    Aug 1, 2004
    Posts:
    3
    Location:
    Studio City, CA
    Hello,

    This is my first post to this forum. I bought a roving license for TDS3 last week while trying to clean a friend's system. It's a wonderful tool... but I think I have run into a problem it can't solve (at least with my current level of expertise).

    My friend asked me to look at his system because it was "out of control". Indeed it was... his virus protection had been disabled, IE would launch itself without warning every couple of minutes, and huge popup windows would announce "YOU HAVE SPYWARE IN YOUR COMPUTER!".

    Using Pest Patrol, Spybot, Ad-aware, HJT, NAV, and finally TDS3, I was able to get rid of > 100 different viruses, trojans, BHOs, etc. I finally got down to one problem, and that's what I'd like to ask for help with.

    The file is called ST.EXE. TDS3 identifies it as "TrojanDownloader.Win32.Small.oc". It disables Norton Personal Firewall.
    I have turned system restore off, killed the process in memory, and located and deleted the EXE file that launched it. TDS3 found two other encrypted copies in other files, and I deleted those as well.

    However, with every reboot, ST.EXE is back, and NPF is again disabled. Additionally the registry entry HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell is being changed to attempt to run C:\windows\system32\netdc.exe after every reboot, which may or may not be the same problem. (I earlier found and deleted the netdc.exe file that's being called for.)

    I have a zipped copy of the ST.EXE file. Any thoughts?
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, and welcome!
    You did update TDS to the latest Radius, didn't you?

    I googled and found two places,
    https://www.wilderssecurity.com/showthread.php?t=41955
    where somebody is helped out and you contribute yourself, and
    http://www.cybertechhelp.com/forums/archive/index.php/t-43646.html
    with this cleansing instruction:
    Netdc.exe, st.exe and ()shell registry changes on reboot can probably be wiped with the Security Task Manager ...

    http://www.neuber.com/taskmanager/download.html

    No guarantees but, this seems to have finally wiped this thing off my hard drive.

    Turn off System Restore
    Run STManager
    Run Ad-Aware
    Run HijackThis
    Run Virus Scanner (Panda - Housecall)
    Search for St.exe - netdc.exe - netdb.exe - netda.exe
    Delete any instances
    Clean Recycle Bin
    Clean Temp Internet files
    Run Disk Cleanup ( START/ PROGRAMS /ACC. ) from XP System Tools
    Reboot.

    I am not 100% convinced of all those steps...
    Please be so kind as to submit the zipped copy to submit@diamondcs.com.au
    Does TDS say anything about the two files?

    Further, are you familiar with HijackThis, and maybe with the DiamondCS AutoStartViewer too, to locate any suspicious/illegal startups?
     
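The persistence described in both posts is a re-dropped EXE plus a rewritten Winlogon\Shell value, and Jooske's checklist ends with a search for st.exe, netdc.exe, netdb.exe and netda.exe. The script below is an added example written for this page, not code from either poster or from DiamondCS, and it is written for a current PowerShell session rather than the XP-era tools the thread names. It is report-only: it compares the Winlogon Shell and Userinit values against their defaults, lists every Run/RunOnce entry (flagging any that references one of the file names from the thread), and searches %SystemRoot% for those names. The default values, the key list and the file-name list are assumptions; extend them as needed.

```powershell
# Added example, not from the thread. Audits the Winlogon Shell/Userinit values
# and the Run/RunOnce keys a downloader could use to come back after reboot,
# then searches %SystemRoot% for the file names mentioned in the thread.
# Report-only: it changes no registry values and deletes no files.

# Expected defaults (assumed): Shell carries no path, Userinit keeps its trailing comma.
$Expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}

$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override, normally has no Shell value
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# File names taken from the thread; treat the list as a starting point, not a signature.
$SuspectNames = @('st.exe', 'netdc.exe', 'netdb.exe', 'netda.exe')

function Get-WinlogonFindings {
    foreach ($key in $WinlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $Expected.Keys) {
            $value = $props.$name
            if ($null -eq $value) { continue }          # value absent on this hive, nothing to compare
            [pscustomobject]@{
                Status = if ($value -ieq $Expected[$name]) { 'OK' } else { 'SUSPECT' }
                Key    = $key
                Name   = $name
                Value  = $value
            }
        }
    }
}

function Get-RunKeyFindings {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop the provider's PSPath/PSDrive/... metadata
            ForEach-Object {
                $v = [string]$_.Value
                $hit = @($SuspectNames | Where-Object { $v -like "*$_*" }).Count -gt 0
                [pscustomobject]@{
                    Status = if ($hit) { 'SUSPECT' } else { 'REVIEW' }   # every Run entry deserves a look
                    Key    = $key
                    Name   = $_.Name
                    Value  = $v
                }
            }
    }
}

function Get-SuspectFiles {
    # -Force includes hidden/system files, which droppers often set
    Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Include $SuspectNames -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Get-WinlogonFindings | Format-Table -AutoSize
Get-RunKeyFindings   | Format-Table -AutoSize
Get-SuspectFiles     | Format-Table -AutoSize
```

Run it from an elevated session so HKLM and the system directories are fully readable. It deliberately does not reset the Shell value: as the first post shows, the value is rewritten on every reboot, so putting it back with `Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -Value 'explorer.exe'` only sticks once whatever re-drops ST.EXE is gone. Note also that a Shell value pointing at a file that has already been deleted means no desktop appears at logon, which is a second reason to fix the value once, after the dropper is removed, rather than deleting the target file and leaving the value in place.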