trojan or virus?

27-10-2008, 11:09 AM
Trend has reported distr[4]1.exe as a virus. Problem is, I can't delete it. Does anyone know what this is/how I can get rid of it? Thanks.

Speedy Gonzales
27-10-2008, 11:29 AM
Disable system restore. It may be in the SR folder/s

If that file is running now, open task manager and kill its process

Then delete it

If that doesn't work, boot into safe mode and delete it (keep system restore disabled)

I would use something like trojan remover below. See if it put anything in the registry / elsewhere. Then select all options under the utilities menu in TR

27-10-2008, 01:54 PM
The only bolded dates in system restore are yesterday and today - the .exe file described earlier was first identified yesterday. I am unable to select any other restore points or change the month in SR from the current (Oct). I looked at SR because I thought it might be an idea to try that first. Obviously if only yesterday/today are available there would be no point in doing that.

Speedy Gonzales
27-10-2008, 01:58 PM
So is that file still there now?

If it is, right mouse on My Computer on the desktop. If it's there / properties / system restore. Turn SR off

Kill that file's process if it's running then delete the file, then reboot, then do another scan

27-10-2008, 02:02 PM
So far I've done nothing other than look at SR. As I said, there are no restore points before yesterday so I figure if the file arrived on my PC yesterday there's no point in doing SR to the same date the PC was infected.

27-10-2008, 02:04 PM
Don't run system restore - disable it

Speedy Gonzales
27-10-2008, 02:07 PM
Yup I'm talking about disabling it, not running it, or going back to a previous date

27-10-2008, 02:08 PM
It's disabled. Have run PC in safe mode. I can't locate the dist[4]1.exe file to delete it. What now?

Speedy Gonzales
27-10-2008, 02:12 PM
If SR is still disabled boot into normal windows and do another scan.

If it can't be found, disabling SR probably removed it. If it was in the system restore folder

Did the previous scan, when it was picked up, tell you WHERE it was??

If it did, go to the folder and see if it's still there

27-10-2008, 04:09 PM
Trend reported the file in temporary Internet Files\...\Local Sett... with the rest of the path truncated. The file is called distr4[1].exe not distr[4]1.exe as reported in earlier message.

27-10-2008, 04:22 PM
Try this:
Go to Start... Programs... Accessories... System Tools. Run Disk Cleanup, put a tick in Temporary Internet Files as well as any others you are inclined to, click on OK
when it's finished

Also clear out your Java cache. Go to the Java control applet in Control Panel to do this

then do a complete virus scan with your virus software

Speedy Gonzales
27-10-2008, 04:23 PM
Clear the cache in IE, or use ccleaner and run it. It should remove it

Get trojan remover if you haven't yet, it's below, install, update, then scan.

Then select all options under the utilities menu

27-10-2008, 08:24 PM
Okay, I've done everything you suggested. I ran Trend again and it found nothing. However, it's still reporting that file distr4[1].exe has been quarantined. Is this because it found it in an earlier scan? How do I access the quarantined file to delete it? When I try to remove it from within Trend I get the message "Unable to delete the file. Your computer may have locked the file, or you may lack sufficient privileges to access the file." Ta.

27-10-2008, 08:31 PM
Has that virus checker program got a help file? Sorry, I never used your virus checker.

If it's quarantined I would think that Trend is not going to let you do anything to it, that's why I suggest the help file within the virus checker app.

Speedy Gonzales
27-10-2008, 08:38 PM
I wouldn't worry about it. If it's quarantined, it won't do any harm

Are you the only user on this PC?? Or a guest?

27-10-2008, 08:49 PM
There's me and two other family members who use this PC. After I restarted the PC, Trend now reports another virus found: TROJ_ADCLICKE.IB in kcntktdl.exe. I can delete it, but it comes back after each restart. Says it's in WINDOW\system32 but I can't find it. And ads pop up spontaneously - one came up just now with the header RON ads by bannerstyles 15. This is getting really annoying...

Speedy Gonzales
27-10-2008, 09:08 PM
Install malwarebytes. Make sure it gets installed for all users.

Then update it then scan

27-10-2008, 09:31 PM
While you're at it, get Hijackthis from Speedy's sig, download/run and select save a log - copy and post the complete log back here.

SPEEDY--- Don't have time at the moment - but when the log's posted take a look at This page (http://www.threatexpert.com/report.aspx?uid=214fc57a-5f1f-48e0-b9c8-57042e9e858f) - the reg may need to be cleaned out further.

Speedy Gonzales
27-10-2008, 09:36 PM
Trojan remover MAY find that.

It's got Adclicker, Adclicker.C, O, (looks like these can get installed or bundled with software)

And trojan.adclicker (Generic detection for a program designed to simulate clicks on website banner advertisements to increase traffic artificially in its database)

If it's the same thing

28-10-2008, 05:17 PM
Thanks for all your help, but I think HWMBO (but only sometimes) is going to reformat the c drive - wouldn't be the first time. Cheers

29-10-2008, 10:01 AM
OMG! There's another problem created by the first one. Now he's reformatted the c: drive he can't get that PC to interact with our network. The other 3 PCs are fine. They talk with each other/internet. Probably something simple (hopefully) we've missed. File sharing is enabled on all PCs. Can anyone suggest anything that might help, please? Thanks.

29-10-2008, 10:12 AM
HWMBO? That's more like it! :D

Did he install the drivers after reinstalling windows on the PC?

If you're not sure, go into the device manager and look for any devices in yellow with question marks on them.

To open the device manager, type devmgmt.msc into the run box (start/run) and click OK.

Speedy Gonzales
29-10-2008, 10:20 AM
You need / have to install the chipset / sound / LAN drivers after

29-10-2008, 10:37 AM
Thanks for the suggestions. Will check them out when I get home later today.

29-10-2008, 02:00 PM
HWMBO? That's more like it!

I also like this one - gooooooooooooooooooooooood. :clap



30-10-2008, 11:39 AM
Update: all fixed thanks to combination of your suggestions and the Dell resource CD. Cheers all.