Damned TROJAN!



Kansas
26-11-2004, 04:24 PM
HELP! HELP! HELP!

I keep getting pop ups to say that Norton Antivirus has detected and deleted viruses. Reoccurring even after I've turned system restore off and then scanned for viruses and then reactivated system restore.

After doing this yesterday, and using the computer - I just received another pop up. This is what it says:

NORTON ANTIVIRUS HAS DETECTED AND DELETED A VIRUS
Object Name: C:\WINDOWS\system32\.pif
Virus Name: Download.Trojan
Action Taken: The file was automatically deleted.


Can anyone please help me with 'straightforward' advice?

Thanks :)

nomad
26-11-2004, 04:36 PM
run spybot with the latest def file.
also post your hijackthis log, by running hijackthis software. it will scan your system for all stuff u are running ..

I believe u may be infected with a virus that regenerates itself after each reboot or after each time you go back on the net....

Pheonix
26-11-2004, 05:05 PM
Actually it is a trojan, not a virus.

First you need to clean out your temp internet files and temp folder. The easiest way to do this is use Ccleaner (http://www.ccleaner.com/)

Next is to ensure your definitions for Nortons are up to date. Restart into safe mode, then run Nortons again.

You can also get a second opinion by using an online AntiVirus scan/clean from Trend online (http://housecall.antivirus.com/housecall/start_frame.asp)

metla
26-11-2004, 05:19 PM
There is an exe that respawns it, Norton fails to delete the .exe.

You need to shut down the service/remove it from startup, clean up the files manually and then do a system scan.

Luckily when it respawns (which it will probably do as soon as you start tracking it) it randomly renames itself.

Good luck.

Pheonix
26-11-2004, 05:25 PM
Hence the advice to start up in safe mode. The trojan will not start, and then Nortons will kill it.

Kansas
28-11-2004, 08:36 PM
Thanks.

I feel though that I have exhausted all efforts. I have done the whole system restore, scans and starting in safe mode, and finally just completed all the recommended steps in Norton help and support to get rid of a 'worm' Korgo. I was not able to find anything in the start up, and failed to delete a worm that was being detected by Norton, but failing to delete. I have all the filenames of everything that was in the threat alerts log, but have had no luck.

Possibly a lost cause, going to take this to a technician as a last resort, as I'm lost! Preparing my own 'eulogy' as my sister is coming for her computer tomorrow - Oh! There goes that pop up warning again :(

Farewell Cruel World

Spacemannz
28-11-2004, 08:45 PM
Did u try trojan remover for the last post u posted about the other trojan/worm I replied to??

John Grieve
28-11-2004, 09:16 PM
I just very recently had a hell of a tussle with a variant of this thing.

Metla is bang on but depending on the variant it can be an extremely clever adversary and I have to admit I lost the fight and I consider myself a pretty advanced user nowadays having saved literally dozens of PCs from virii, worms and trojans.

Sounds to me like you are in the same position I eventually found myself in and realistically it is going to be far cheaper and easier to just give up trying, save what you need, reformat (including the MBR just in case) and reinstall clean.

Kansas
28-11-2004, 09:43 PM
Thanks for your post Spacemannz...just went through the process of downloading and scanning with your recommended Trojan remover. It detected nothing.

Thanks anyway :)

Kansas
28-11-2004, 09:46 PM
Thanks for your post John :)

Could you explain in more detail what you mean....just so that I'm perfectly clear on the instruction. How do I clean and reinstall etc...

Thanks :)

Spacemannz
28-11-2004, 09:48 PM
Hmm ok that's no good :( !

I'll send an email to the author and ask does it do anything at all, if u don't register it. If the trojan/whatever is in its database.

Kansas
28-11-2004, 09:50 PM
Would appreciate more detailed instructions if you don't mind :)
Not completely up to play in this technological world :_|

Kansas
28-11-2004, 10:05 PM
> There is an exe that respawns it, Norton fails to
> delete the .exe.
>
> You need to shut down the service/remove it from
> startup, clean up the files manually and then do a
> system scan.
>
> Luckily when it respawns (which it will probably do
> as soon as you start tracking it) it randomly renames
> itself.
>
> Good luck.

Would appreciate more detailed instructions if you don't mind
Not completely up to play in this technological world ?:|

Spacemannz
28-11-2004, 10:14 PM
Try start/run and type msconfig. Go to startup tab, what exe files are under the startup tab?

Any unusual file names?
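
The startup review suggested in this thread (msconfig's Startup tab, plus the service/startup cleanup mentioned earlier) can be done in one pass from a PowerShell prompt. This is an added example, not part of the original posts; the helper names `Get-ExePath` and `Get-Flags` and the flag heuristics are assumptions chosen to match what the posters describe (the `.pif` file with no base name in the Norton alert, copies sitting in Temp, entries whose file antivirus has already deleted).

```powershell
# Added example (not from the thread). Read-only: nothing is deleted or changed.
# The flag heuristics are assumptions for triage, not malware signatures.

function Get-ExePath([string]$CommandLine) {
    # Extract the executable from '"C:\a b\x.exe" /arg' or 'C:\a b\x.exe /arg'.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.(?:exe|com|pif|scr|bat|cmd))(?:\s|$)') { return $Matches[1] }
    return $CommandLine.Trim()
}

function Get-Flags([string]$Path) {
    $flags = @()
    $leaf  = ($Path -split '[\\/]')[-1]
    $base  = $leaf -replace '\.[^.]*$', ''
    # A file with no base name, like the C:\WINDOWS\system32\.pif in the alert.
    if ($leaf -match '^\.' -and $base -eq '') { $flags += 'no-base-name' }
    # Legacy executable types that ordinary software rarely autostarts.
    if ($leaf -match '\.(pif|scr)$') { $flags += 'pif-or-scr' }
    # Running from a temp directory, where dropped copies were reported.
    if ($Path -match '\\Temp\\')     { $flags += 'in-temp-dir' }
    if ($Path -match '^[A-Za-z]:\\') {
        if (-not (Test-Path -LiteralPath $Path)) {
            # Entry survives although its file is gone (e.g. deleted by AV).
            $flags += 'target-missing'
        } elseif ((Get-AuthenticodeSignature -LiteralPath $Path).Status -ne 'Valid') {
            $flags += 'no-valid-signature'
        }
    }
    $flags
}

# Run keys and Startup folders (what msconfig shows), then auto-start services.
$entries  = @()
$entries += Get-CimInstance Win32_StartupCommand |
    Select-Object @{n='Source';e={$_.Location}}, Name, @{n='Command';e={$_.Command}}
$entries += Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
    Select-Object @{n='Source';e={'Service'}}, Name, @{n='Command';e={$_.PathName}}

$entries | Where-Object Command | ForEach-Object {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $_.Command))
    [pscustomobject]@{
        Source = $_.Source; Name = $_.Name; Path = $exe
        Flags  = (Get-Flags $exe) -join ','
    }
} | Sort-Object { $_.Flags -eq '' }, Source | Format-Table -AutoSize -Wrap
```

Flagged rows sort to the top and are leads to check, not verdicts. An entry that comes back under a different name after being removed means a second component is re-creating it.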

Murray P
28-11-2004, 10:29 PM
These things can be defeated but they're blimmin difficult. It's probably what is called a dropper, they usually have two components, a virus like bit that carries a trojan or worm which it deposits in your system (all the usual backdoor bits). As others have said, these critters not only replicate but leave replications with random file names so that your antivirus doesn't identify it immediately, the copies may lie dormant in your windows folder (often in Temp or Documents & Settings) while others are madly infecting files.

I've seen one get up to 1300 odd infections within 4 or 5 minutes before I shut down and booted back to safe mode. I got it in the end but the damage done by the invader and me getting rid of it meant a format and reload of the OS anyway. At least it gave me breathing space to save some data. Hence the advice above, data is more important than your OS, save the safe data, reload the OS.

BTW, if you're on a network, get off it, you could be spreading the critter or reinfecting yourself from the network.

If you want to try to kill it, search for dropper virus/worm.

John Grieve
28-11-2004, 10:42 PM
I am going to hazard a guess here and make the assumption you are a novice PC user. As such (and please do not be offended by my assumptions) you sound like you really need help from a professional to sort this as the particular "nasty" can be very tricky.

It may be there is a simple fix to this particular infection that has come out since I struggled with it so it might be fixable easily by someone whose job is to "fix" PCs now.

What I am talking about doing is relatively straightforward with enough knowledge and experience but I am assuming from your request you do not have sufficient experience yet to attempt a clean reinstall of the operating system.

You really should give it another couple of days here to see if one of the members has successfully dealt with this variant as well and can explain simply what to do.

However failing that it would be best for yourself I would say to take it to a professional and have them reinstall a clean version of windows.

What you also need to do is ask that person to install the following BEFORE you take the PC online again. They are Zonealarm free edition, Adaware, Spybot search and destroy, an antivirus of choice (good free one AVG antivirus), BHODemon and every security update for your particular version of Windows. Then you can take it online safely for longer than 5 minutes. :D

zqwerty
28-11-2004, 11:01 PM
Googling I found this:

http://www.simplysup.com/tremover/download.html

and this:

http://www.soft32.com/download_583.html

Maybe worth a try.

zqwerty
28-11-2004, 11:03 PM
Also some advice from another forum:

http://www.bullguard.com/forum/10/downloadtrojan-removal-help_4396.html

zqwerty
28-11-2004, 11:06 PM
This looks a good thing to try:

http://home9.inet.tele.dk/le01/Sikkerhed.htm

zqwerty
28-11-2004, 11:08 PM
This is the link to the scan:

http://home9.inet.tele.dk/le01/mwav.exe

Kansas
29-11-2004, 10:04 PM
> I am going to hazard a guess here and make the
> assumption you are a novice PC user. As such (and
> please do not be offended by my assumptions) you
> sound like you really need help from a professional
> to sort this as the particular "nasty" can be very
> tricky.
>
> It may be there is a simple fix to this particular
> infection that has come out since I struggled with it
> so it might be fixable easily by someone whose job is
> to "fix" PCs now.
>
> What I am talking about doing is relatively
> straightforward with enough knowledge and experience
> but I am assuming from your request you do not have
> sufficient experience yet to attempt a clean
> reinstall of the operating system.
>
> You really should give it another couple of days here
> to see if one of the members has successfully dealt
> with this variant as well and can explain simply what
> to do.
>
> However failing that it would be best for yourself I
> would say to take it to a professional and have them
> reinstall a clean version of windows.
>
> What you also need to do is ask that person to
> install the following BEFORE you take the PC online
> again. They are Zonealarm free edition, Adaware,
> Spybot search and destroy, an antivirus of choice
> (good free one AVG antivirus), BHODemon and every
> security update for your particular version of
> Windows. Then you can take it online safely for
> longer than 5 minutes. :D

Thanks again John :)

I have since downloaded AVG and ran in safe mode after a clean up with Ccleaner (downloaded last night) - my heart skipped a beat when it detected and deleted an .exe file that was plaguing Norton over the last couple of days, which was also failing to delete on Norton. I held my breath - right up until it deleted it.

After completely shutting down the system - restarting and resetting system restore - I ventured back into the net to 'test the water', and was disappointed to get yet another trojan pop up from Norton and then followed the Korgo worm warning.

I think - YES - time to reinstall. Whilst all the recommendations for possible links with free downloads etc to help - do sound good, but also scary - I fear what I could be downloading even more now.

THANK YOU TO ALL WHO GAVE ME ADVICE - I HAVE VERY MUCH APPRECIATED YOUR ASSISTANCE :) It's time to face the music (my Sister) - the earbashing will hurt more! I'm a very careful 'surfer' but this experience has certainly awoken me to the vulnerability one faces in today's technological world!!!!

THANK YOU ALL AGAIN :)

Merlin
29-11-2004, 10:41 PM
Read this and follow the method.
While not perfect, this is what professionals use.

http://www.michaelhorowitz.com/removespyware.html


Kansas
30-11-2004, 01:50 AM
Thank you Merlin for your post :)

I'm still here folks :D hoping the trojans and spybots will 'magically' vanish - and stop tormenting my life - the little demons! ]:)

I'm still searching and reading and scanning and restoring and .....blah....blah....blah......:_|

Just noticed some files that I had uninstalled some days ago, thought it was a little odd that they popped up as being deleted by Ccleaner. Have since completed a search for those files and deleted them.

You will see from my other post that I have downloaded AVG, and have Norton Antivirus on board too....is it ok to download extra virus detectors etc...? How are they affected? Do I have to disable one to run the other and such? I'm a bit concerned about all these links to download, could I be overkilling the system - that is of course aside from the 'bugs' probably doing their own 'damage' to the system anyway.

Cheers :)