
To the T.S.G techies

Discussion in 'Virus & Other Malware Removal' started by $teve, Oct 11, 2003.

Thread Status:
Not open for further replies.
  1. $teve

    $teve Thread Starter

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    This is for any tech reading this. These are the tell-tale signs of the peper.a trojan, which is a particularly difficult one to remove.

    These 2 processes will morph their file size and filenames on every re-boot or H/T scan to keep from being deleted or spotted..... So don't note down the name; they always sit side by side in the running processes in the bottom third (those of you who don't check the rp's better start :D)
    C:\WINDOWS\System32\Rcij.exe
    C:\WINDOWS\System32\Szw2E5.exe

    The same with this one..... The only constant is
    the "[2LRX2W83X2T3MQ]". Obviously it's random and different for every infection, but it's a dead giveaway.
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Vju9.exe

    All three are always found on the infected machine.....easy to spot but hard to remove.
    We spent a couple of days banging our heads against the wall getting rid of this baby, but the best way and only real efficient way is to download TDS-3 from http://www.wilders.org/anti_trojans.htm
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    JUST A NOTE...IF THE POSTER ALREADY HAS AN A/V PROGRAM HE SHOULD DISABLE IT BEFORE RUNNING THE ABOVE!

    Then enable the real-time protection and run a full system scan.

    Just thought I would give you the heads up on this one.

    Thanx;)
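    An added example, not part of this thread nor of HijackThis, TDS-3 or any other tool named here: a small Python script that parses HijackThis O4 lines and flags Run entries with the shape $teve describes above (a long random upper-case alphanumeric value name that launches a short random-named executable straight out of System32). Since the value name and file name are regenerated on every reboot, the rule matches the shape rather than any literal string. The sample log lines are constructed, apart from the peper.a line quoted above, and the thresholds (10+ characters, at least 3 letters and 3 digits) are my own assumptions.

```python
import re

# Constructed sample HijackThis O4 lines.  Only the 2LRX2W83X2T3MQ line is the one
# quoted in the thread; the others are ordinary-looking Run entries made up for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Vju9.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: desktop.ini
"""

# HijackThis O4 registry entries look like:  O4 - HKLM\..\Run: [ValueName] command line
O4_RUN = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# A bare executable sitting directly in System32 with a short name, e.g. C:\WINDOWS\System32\Vju9.exe
SYSTEM32_EXE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\WINDOWS\\System32\\(?P<base>[A-Za-z0-9]{1,8})\.exe)"?(?:\s.*)?$',
    re.IGNORECASE,
)

# Thresholds below are assumptions chosen to fit the name shape quoted in the thread.
MIN_NAME_LEN = 10
MIN_LETTERS = 3
MIN_DIGITS = 3


def parse_o4(line):
    """Return hive, key, value name and command of an O4 registry line, or None for anything else."""
    m = O4_RUN.match(line.strip())
    return m.groupdict() if m else None


def name_looks_random(name):
    """True for value names like 2LRX2W83X2T3MQ: long, all upper-case alphanumerics,
    mixing a fair number of letters and digits.  Product names rarely look like this."""
    if len(name) < MIN_NAME_LEN or not re.fullmatch(r'[A-Z0-9]+', name):
        return False
    digits = sum(c.isdigit() for c in name)
    letters = len(name) - digits
    return digits >= MIN_DIGITS and letters >= MIN_LETTERS


def system32_exe_path(cmd):
    """Return the executable path if the command launches a short-named .exe straight out of System32."""
    m = SYSTEM32_EXE.match(cmd.strip())
    return m.group('path') if m else None


def suspicious_o4_entries(log_text):
    """Scan HijackThis log text; return O4 entries matching the peper.a shape, each with its reasons."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None or not name_looks_random(entry['name']):
            continue
        reasons = ['value name is a long random-looking upper-case alphanumeric string']
        exe = system32_exe_path(entry['cmd'])
        if exe is not None:
            reasons.append('launches a short random-named executable directly from System32: ' + exe)
        hits.append({'hive': entry['hive'], 'key': entry['key'], 'name': entry['name'],
                     'cmd': entry['cmd'], 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in suspicious_o4_entries(SAMPLE_LOG):
        print(f"{hit['hive']}\\..\\{hit['key']}: [{hit['name']}] {hit['cmd']}")
        for reason in hit['reasons']:
            print('  -', reason)
```

    Run it against a real log by reading the file into `suspicious_o4_entries`; the random-name rule is the primary trigger and the System32 path is only reported as supporting evidence, so legitimate System32 tools started under a normal value name are not flagged.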
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    $teve

    I have something that I would like clarified concerning TD-3. I have seen the instructions given to enable "Execution protection" here and at Spywareinfo. I have downloaded TD-3 to familiarize myself with it so I would know what I was talking about when I instructed someone to use it. However, I have found that you cannot enable execution protection unless you purchase a reg key ($49). I am going to purchase one myself as I think it is a great program. Am I missing something here?
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,202
    First Name:
    Derek
    I have found out that NOD antivirus also stops & cures this particular trojan, but the problem with NOD is that it is not a good idea to run 2 anti-viruses on your computer, so I only advise the NOD trial edition when I see the infected computer hasn't got any AV running.

    Pieter (MEtalica) has submitted copies of the trojan to all the major AV vendors, Norton, MCCrappy etc., but as of a couple of days ago only NOD & TD-3 could fix it.


    The problem being that most AVs and the vast majority of anti-trojans cannot deal with a polymorphic trojan/virus. Most rely on a definite signature, which this, along with other polymorphic ones, doesn't have: it changes not just its name but its file size, content and controlling server each time it morphs, so you can see the problem with fixing it.

    I just wish the scum who use their undoubted talents to make these trojans would put their talents to a better use
     
  4. $teve

    $teve Thread Starter

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    As far as I know, Mark, that's the way it is till you buy the program.

    ;)
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Thanks $teve. I just wanted to make sure. I didn't think I missed anything.
     
  6. $teve

    $teve Thread Starter

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Anyone know if NOD32 trial version is updatable?
     
  7. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Hi guys, I'll pin this to the top for a bit for your continued discussion and others FOR READING PURPOSES ONLY.

    Do NOT post HijackThis logs to this thread!

    Where's that angry smiley I had found.................
     
  8. $teve

    $teve Thread Starter

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    No.............like this:

    DO NOT POST HIJACKTHIS LOGS IN THIS THREAD!!! GRRR! PLEASE


    ;)
     
  9. wedor

    wedor

    Joined:
    Nov 7, 1999
    Messages:
    4,504
    TrendMicro lists this as having been discovered on 09/22/2003 their pattern 632 and up detects it.
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    wedor

    Do you have a link to this info? I can't find anything on peper.a at Trend.
     
  11. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    According to the Virus Bulletin Magazine, the world's foremost independent authority on virus detection,

    NOD32 is the only virus scanner to detect 100% of viral infections, whether polymorphic or not; it also has very fast scan rates.
    I have been using it for 3 months now and it hasn't failed me yet.
    I wouldn't hesitate in recommending it to anyone :)
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,202
    First Name:
    Derek
    This is a link to the Trend info page:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PEPER.A
    It seems that it detects it but doesn't remove it; that has to be done manually, and we all know how bl**dy difficult, if not virtually impossible, that is to do.

    It might be possible for a knowledgeable person with physical access to the infected computer, but trying to explain it via the forums or email to a non-tech-minded person is extremely difficult, especially due to the way it morphs.

    I agree with EvileYe; at this time the only antivirus capable of actually dealing with it and other polymorphic malware is NOD32,

    and the only trojan killer is TD-3.
    I hope other AV developers will take heed and make their AVs & anti-trojans capable of fixing this new breed of polymorphic pests.

    It looks like they are the latest form of malware and we can expect to see a lot more of them.
    As an example, CWS is now using a similar method of polymorphic dropping and it is getting harder to find & cure that infection.
     
  13. gotrootdude

    gotrootdude

    Joined:
    Feb 19, 2003
    Messages:
    8,812
    My SystemSuite 5 uses the Trend Micro antivirus. It detects it, deletes it, and keeps you from installing it. :D
     
  14. wedor

    wedor

    Joined:
    Nov 7, 1999
    Messages:
    4,504
    What is "SystemSuite 5"?
     
  15. gotrootdude

    gotrootdude

    Joined:
    Feb 19, 2003
    Messages:
    8,812
Short URL to this thread: https://techguy.org/171157