Author Topic: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)  (Read 11507 times)


lamikela

  • Guest
Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« on: October 02, 2007, 03:17:11 PM »
Can someone help remove this trojan called OnlineGames.BDN from my computer? Only avast with updates as of today can detect the trj. I scheduled a boot time scan and it deletes some files with no errors, but when the desktop loads I get the siren saying there is OnlineGames.bdn again, or it changes to the extensions above.
I can not unhide hidden files or change folder view options; they will return to default when I press Apply. I can access registry editor but I have not seen any suspicious entries.

Can somebody help!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #1 on: October 02, 2007, 04:00:54 PM »
What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

Whilst it may not be an issue with this detection, deletion isn't really a good first option (you have none left): 'first do no harm', don't delete, send the virus to the chest and investigate.

There would appear to be other elements to this infection either restoring or downloading it again; what is your firewall?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. AVG anti-spyware (formerly Ewido) Resident scanner during trial On-Demand after trial ends. Or SUPERantispyware On-Demand only in free version. Or Spyware Terminator Resident scanner.

Check out these Google results http://www.google.com/search?q=can+not+unhide+hidden+files and see if there is something helpful.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

lamikela

  • Guest
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #2 on: October 02, 2007, 10:18:54 PM »
I have shared the drive of the affected computer and managed to view the contents of C:, which had 2 unusual files, namely autorun.inf and ntde1ect.com.
The contents of autorun.inf read as follows:

[AutoRun]
open=ntde1ect.com
;shell\open=Open(&O)
shell\open\Command=ntde1ect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntde1ect.com

Unfortunately, I'm not with the machine now. I thought I had saved the avast log file to my flash drive, but when I browsed the flash drive on another machine which could display hidden files, the log file was not there and the files above had been copied to my flash drive instead. I'm still downloading AVG anti-spyware and have yet to find a way I can turn on showing hidden files in Explorer....
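As an added illustration (not a tool from this thread, from avast, or from any poster), here is a small script that parses an autorun.inf the way a defender triaging a drive would: it lists what the file would launch on insertion or via the Explorer context menu, and flags launch targets whose name differs from a genuine Windows file by a single digit-for-letter swap, the way ntde1ect.com imitates ntdetect.com. The embedded sample is the autorun.inf posted above; the short list of genuine file names and the "fixed drive is unusual" finding are assumptions made for this example.

```python
"""Parse an autorun.inf and report what it would launch.

Added illustration for this thread; not a tool from the forum or from avast.
The sample autorun.inf below is the one posted in the thread, embedded so the
script runs offline. KNOWN_NAMES and the one-digit-swap lookalike check are
this example's own heuristics.
"""
import re

# The autorun.inf posted in the thread, embedded as sample input.
SAMPLE_AUTORUN = """[AutoRun]
open=ntde1ect.com
;shell\\open=Open(&O)
shell\\open\\Command=ntde1ect.com
shell\\open\\Default=1
;shell\\explore=Manager(&X)
shell\\explore\\Command=ntde1ect.com
"""

# [AutoRun] keys whose value names something Explorer will execute.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)

# Genuine boot-time file names that malware likes to imitate (assumed short list).
KNOWN_NAMES = {"ntdetect.com", "ntldr", "boot.ini", "autorun.inf"}


def parse_autorun(text):
    """Return {key: value} from the [AutoRun] section, ignoring ';' comment lines."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Executables the file would run on insertion or from the context menu."""
    return sorted({v for k, v in entries.items() if LAUNCH_KEY.match(k)})


def looks_like(name):
    """Return a genuine file name that `name` imitates by swapping exactly one
    letter for a digit (ntde1ect.com -> ntdetect.com), or None."""
    name = name.lower()
    for known in KNOWN_NAMES:
        if len(known) != len(name) or known == name:
            continue
        diffs = [i for i, (a, b) in enumerate(zip(name, known)) if a != b]
        if len(diffs) == 1 and name[diffs[0]].isdigit():
            return known
    return None


def assess(text, fixed_drive):
    """Human-readable findings for someone triaging the file."""
    findings = []
    if fixed_drive:
        findings.append("autorun.inf on a fixed drive: unusual, normally only on removable media")
    for target in launch_targets(parse_autorun(text)):
        findings.append(f"launches {target}")
        imitated = looks_like(target)
        if imitated:
            findings.append(f"{target} imitates the system file {imitated}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_AUTORUN, fixed_drive=True):
        print("-", finding)
```

Run it as-is to see the three findings for the posted file; pass `fixed_drive=False` for a file found on a USB stick, where the presence of autorun.inf itself is not remarkable and only the launch target matters.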

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #3 on: October 02, 2007, 10:48:50 PM »
Yes, it would be unusual to have autorun.inf on a fixed HDD, as this is normally associated with removable media.

Info http://www.prevx.com/filenames/X2769565878543970189-X1/NTDE1ECT.COM.html

I would rename autorun.inf to autorun-inf.old and upload ntde1ect.com for analysis.
You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner). I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti (multi-engine on-line virus scanner): if any other scanners here detect them, it is less likely to be a false positive.

If any scanners detect this you should also send a sample to avast.
Send the sample to virus@avast.com zipped and password protected, with the password in the email body and 'undetected malware' in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

lamikela

  • Guest
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #4 on: October 03, 2007, 10:41:43 AM »
The Avast log for yesterday....

10/2/2007 8:12:33 AM   sye   1712   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\DOCUME~1\sye\LOCALS~1\Temp\ycx0.sys" file. 
10/2/2007 8:12:50 AM   sye   1712   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\WINDOWS\system32\wincab.sys" file. 
10/2/2007 2:00:37 PM   sye   1708   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\DOCUME~1\sye\LOCALS~1\Temp\jvd.sys" file. 
10/2/2007 2:16:33 PM   sye   1708   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
10/2/2007 2:16:34 PM   sye   1708   An error has occured while attempting to update. Please check the logs. 
10/2/2007 3:38:00 PM   sye   1708   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\DOCUME~1\sye\LOCALS~1\Temp\wkd400d.sys" file. 
10/2/2007 3:38:25 PM   sye   1708   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\WINDOWS\system32\wincab.sys" file. 
10/2/2007 3:38:59 PM   sye   1708   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\WINDOWS\system32\wincab.sys" file. 
10/2/2007 4:01:42 PM   sye   1760   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\DOCUME~1\sye\LOCALS~1\Temp\bu.sys" file. 
10/2/2007 4:02:33 PM   sye   1760   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\WINDOWS\system32\wincab.sys" file. 
10/2/2007 4:14:05 PM   sye   1820   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\DOCUME~1\sye\LOCALS~1\Temp\k7q39r.sys" file. 
10/2/2007 5:16:49 PM   sye   1820   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\DOCUME~1\sye\LOCALS~1\Temp\zjwr.sys" file. 
10/2/2007 5:16:57 PM   sye   1820   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\WINDOWS\system32\wincab.sys" file. 
10/2/2007 5:17:12 PM   sye   1820   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\WINDOWS\system32\wincab.sys" file.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #5 on: October 03, 2007, 03:04:18 PM »
Did you download and run the other tools I suggested?
Were you able to unhide your files?
Did you upload ntde1ect.com for analysis as suggested? If so, what were the results?

Your results basically confirm that you have an undetected trojan downloader on your system. Whilst it is downloading to the temp folder, it is also trying to place files in the system folder.

The wincab.sys may also be associated with a rootkit, which may be what is hiding this malware. http://www.bleepingcomputer.com/startups/wincab.sys-19609.html

Also see anti-rootkit detection, removal & protection at http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools.
- BlackLight - http://www.f-secure.com/blacklight/
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5.
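The reasoning in the reply above (repeated random-named drops in the temp folder plus the same system32 file being detected again and again points to an undetected downloader or dropper that is still active) can be checked mechanically against the Log Viewer output. The following script is an added example, not a tool from avast or from any poster: it parses lines of the shape shown in the posted log, counts detections per path, and separates one-off temp drops from system files that are being re-created. The sample lines are a subset of the log posted earlier; the folder classification and the verdict wording are this example's own heuristics.

```python
"""Summarise avast Log Viewer detection lines to see what keeps coming back.

Added illustration for this thread, not a tool from avast or from any poster.
The sample lines are copied from the log posted in the thread (a subset); the
folder classification and the verdict wording are this example's own heuristics.
"""
import re
from collections import Counter, namedtuple

# Detection lines from the posted log (subset), used as sample input.
SAMPLE_LOG = r"""
10/2/2007 8:12:33 AM   sye   1712   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\DOCUME~1\sye\LOCALS~1\Temp\ycx0.sys" file.
10/2/2007 8:12:50 AM   sye   1712   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\WINDOWS\system32\wincab.sys" file.
10/2/2007 2:00:37 PM   sye   1708   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\DOCUME~1\sye\LOCALS~1\Temp\jvd.sys" file.
10/2/2007 2:16:34 PM   sye   1708   An error has occured while attempting to update. Please check the logs.
10/2/2007 3:38:00 PM   sye   1708   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\DOCUME~1\sye\LOCALS~1\Temp\wkd400d.sys" file.
10/2/2007 3:38:25 PM   sye   1708   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\WINDOWS\system32\wincab.sys" file.
10/2/2007 4:02:33 PM   sye   1760   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\WINDOWS\system32\wincab.sys" file.
10/2/2007 5:16:49 PM   sye   1820   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\DOCUME~1\sye\LOCALS~1\Temp\zjwr.sys" file.
10/2/2007 5:16:57 PM   sye   1820   Sign of "Win32:Onlinegames-BDN [trj]" has been found in "D:\WINDOWS\system32\wincab.sys" file.
"""

Detection = namedtuple("Detection", "when user pid signature path")

# Shape of an avast "Sign of ... has been found" line, as seen in the post.
DETECTION = re.compile(
    r'^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(\S+)\s+(\d+)\s+'
    r'Sign of "([^"]+)" has been found in "([^"]+)" file\.$'
)


def parse_log(text):
    """Return Detection records; update errors and other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            records.append(Detection(*m.groups()))
    return records


def classify(path):
    """Rough location class: 'temp' (user temp folder), 'system' (system32) or 'other'."""
    p = path.lower()
    if "\\temp\\" in p:
        return "temp"
    if "\\system32\\" in p:
        return "system"
    return "other"


def summarize(records):
    """Count hits per path; split one-off temp drops from re-detected system files."""
    by_path = Counter(r.path for r in records)
    return {
        "detections": len(records),
        "by_path": dict(by_path),
        "temp_drops": sorted(p for p in by_path if classify(p) == "temp"),
        "redetected_system_files": sorted(
            (p, n) for p, n in by_path.items() if classify(p) == "system" and n > 1
        ),
    }


def verdict(summary):
    """Plain-language reading of the pattern, in the spirit of the reply above."""
    notes = []
    if summary["temp_drops"]:
        notes.append(f"{len(summary['temp_drops'])} differently named files dropped in the "
                     "temp folder: something on the machine is still fetching payloads")
    for path, n in summary["redetected_system_files"]:
        notes.append(f"{path} was detected {n} times: it is being re-created after "
                     "removal, so the component doing that has not been found yet")
    if summary["temp_drops"] and summary["redetected_system_files"]:
        notes.append("pattern is consistent with an undetected downloader/dropper; "
                     "find the re-creating process and check for rootkit hiding")
    return notes


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    for path, n in sorted(s["by_path"].items()):
        print(f"{n:2d}  {path}")
    for note in verdict(s):
        print("-", note)
```

Paste the full Warning-section export into `SAMPLE_LOG` (or read it from a file) to run it on a real log; the point of the per-path count is that a clean removal shows each path once, whereas a path that climbs past one detection is being put back by something the scanner has not caught.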

lamikela

  • Guest
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #6 on: October 03, 2007, 09:56:38 PM »
I did mail the files to virus@avast.com, nothing has been updated, but I'm still to get AVG anti-spyware. I HAVE NOT FOUND THE SOLUTION TO UNHIDING HIDDEN FILES ON AN NTFS PARTITION BUT FAT I HAVE. Anybody with a solution!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #7 on: October 03, 2007, 10:25:54 PM »
http://www.cknow.com/vtutor/NTFSADSViruses.html

http://www.safer-networking.org/en/tools/index.html

You can scan ADS with AdAware and SUPERAntiSpyware to my knowledge: worth trying those?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #8 on: October 03, 2007, 10:36:56 PM »
Quote from: lamikela
I did mail the files to virus@avast.com, nothing has been updated, but I'm still to get AVG anti-spyware. I HAVE NOT FOUND THE SOLUTION TO UNHIDING HIDDEN FILES ON AN NTFS PARTITION BUT FAT I HAVE. Anybody with a solution!
I'm not following you. On Windows 2k/XP/Vista you can show hidden files and folders regardless of the file system (FAT32 or NTFS)?

To unhide them, open any folder and go to Tools > Folder Options > View, then scroll down to where it says 'Hidden files and folders' and check/tick 'Show hidden files and folders'.
Then again try and go into the _restore folder and clear the temp folder.

Tutorial here: http://www.bleepingcomputer.com/tutorials/tutorial62.html

Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders'.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #9 on: October 03, 2007, 11:22:53 PM »
His problem isn't not knowing how to unhide the files but the fact that lamikela can't.

Quote from: lamikela
I can not unhide hidden files or change folder view options; they will return to default when I press Apply.

mauserme

  • Guest
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #10 on: October 04, 2007, 05:28:51 AM »
Quote from: lamikela
Unfortunately, I'm not with the machine now. I thought I had saved the avast log file to my flash drive, but when I browsed the flash drive on another machine which could display hidden files, the log file was not there and the files above had been copied to my flash drive instead.
Removable drives are the main method this trojan uses to infect other computers. You will want to keep your USB drive away from all but the infected computer until things are cleaned up. Make sure the USB drive is plugged into the infected computer when you scan with the programs recommended above, so it will have a chance of being cleaned too.

lamikela

  • Guest
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #11 on: October 05, 2007, 08:12:45 PM »
No solution yet. I have managed to reduce the Avast! sound by emptying the temps. No anti-spyware has been able to rescue, like AVG, MS Antispyware, Spybot etc... The autorun thing I have fixed, which has made things better. You do not have to have autorun.inf on C:, only on CD-ROM. My job is heading to DOOM! I have to better things for my bosses. No solution for unhiding hidden files; if you do the norm, nothing shows up and you go back to find everything as before. I'm in a crisis guys.....

mauserme

  • Guest
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #12 on: October 05, 2007, 08:31:31 PM »
Please download ComboFix from Here or Here to your Desktop.
Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

EDIT: Make sure your USB drive is plugged into the computer when you run ComboFix.

lamikela

  • Guest
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #13 on: October 07, 2007, 08:35:00 PM »
None has worked yet.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Help! [TRJ] Win32:OnlineGames.BDN (.HR, BDA)
« Reply #14 on: October 07, 2007, 09:41:21 PM »
The idea is to post the results of the ComboFix and HJT logs so that mauserme can analyse them.

They are usually quite large, so you will need to split them, copying and pasting them over several posts.