Can't get rid of navprotect



bpt2
23-01-2005, 10:40 AM
I have so far tried in vain to remove navprotect, a trojan horse (IRC/BackDoor.SdBot.109.BA) which keeps recreating itself in the system32 folder. It is detected by AVG and successfully deleted but just comes back after a reboot (with System Restore turned off).
The object details in AVG show that the source of the file is a backup copy. If System Restore is turned off, could there be some other program that keeps backup copies?
Any suggestions?

Speedy Gonzales
23-01-2005, 10:50 AM
Try this http://www.simplysup.com/tremover/

Make sure it's up to date, then do a scan

Or do an online scan here http://housecall.trendmicro.com/

or try this http://vil.nai.com/VIL/STINGER/

Prescott
23-01-2005, 12:10 PM
Hey there, have you tried running HijackThis as mentioned in the other thread? I noticed that I have it too, so I ran HijackThis and I am brought to screen (http://www.csc.school.nz/home/01190/hijack.JPG). I have marked the dodgy ones; are they safe to delete? You may need to do the same.

bpt2
23-01-2005, 05:53 PM
I've run HijackThis a number of times to remove navprotect but it just keeps reappearing.
A scan by Trend Micro identified three trojans (asa.dbx, cmd.ftp and kalvslij.exe) which it could not clean, but no mention of navprotect!
Does changing the extension to 000 disable any program file?

Cicero
23-01-2005, 08:23 PM
I've run HijackThis a number of times to remove navprotect but it just keeps reappearing.
A scan by Trend Micro identified three trojans (asa.dbx, cmd.ftp and kalvslij.exe) which it could not clean, but no mention of navprotect!
Does changing the extension to 000 disable any program file?
Looking forward to seeing how this is sorted. Sounds tricky. :badpc:

Onyks
23-01-2005, 08:48 PM
Well, in the other thread I mentioned removing it from the startup list in msconfig.

Also, since (from the screenshot) HijackThis apparently removes the infected reg keys... I myself am confused. I'll do some lookin' around for ya and if I find anything worth trying I'll let you know.

Onyks
23-01-2005, 08:56 PM
http://www.webuser.co.uk/cgi-bin/forums/showflat.pl?Cat=&Board=hijackthis&Number=148438&page=1&view=collapsed&sb=5&o=93&part=

That didn't take long... I do not know this forum nor the posters/mods on it. Take it as it is.

The person with the problem seemed to be helped fully, so I would say make a restore point or whatever you can do to back up files, then follow the posts' directions.

Good luck!

Onyks
23-01-2005, 08:58 PM
Ugh, yes, me again, sorry. I revisited the site and, just to let you know, you do not have to read all of the filenames/locations... pretty much the first post can be left out. Just to save some time; I'm sure you are frustrated.

bpt2
23-01-2005, 09:25 PM
I think I nailed it. I deleted a trojan in the windows\security folder (asa.dbx) and that seemed to do the trick.
Thanks