reply
From: rock (anonymous_at_discussions.microsoft.com)
Date: 11/26/03
- In reply to: Vincyman: "Can't remove aTrojan Horse type bug"
Date: Tue, 25 Nov 2003 17:17:22 -0800
>-----Original Message-----
>There is a "trojan horse" program in my PC that refuses to
>be removed. I have tried Ad-Aware, Spy Bots and also
>tried deleting it from the msconfig Startup tool system,
>and searched for it in the registry, but I am unable to
>remove it. I unchecked it in the msconfig Start up
>program, but it reappears again with a checked box on a
>new line in the list. Its listed name is: 2N7NDTN44L@@AN,
>and a command name in the windows system that changes each
>time it returns in the Startup list, example
>C:\Windows\system\OqxNq.exe. When I tried the Search
>function, neither the listed name nor command line name
>produced any results. It constantly generates web page ads
>on my pc. Is there any other method I can use to remove
>it? I suspect it was attached to a free copy of a
>downloaded Grisoft AVG Anti Virus software. I have a
>Presario Intel 4,1.7GHZ PC with 256RAM and Win ME.
>
>Peace through understanding,
>
>
>.
>
Reply:
The reason that it keeps replicating itself is that there
is a mother file that is set to do such, from another
location. You need to delete the mother file or the
replicating won't stop. It is probably hidden, as well as
the replicated files; this is why WinME won't pick them up
in the search. I have a couple of suggestions:

First, ME comes with a registry backup application. Try
restoring an old registry backup; this may remove all
registry keys that are generated by the trojan.

If the replicated files keep appearing in the
C:\windows\system\ folder, try locking access to this
folder temporarily by using attrib.exe:

In DOS (you may have to restart into DOS to lock this
folder since it is in use), type:

cd\
attrib +r c:\windows\system\

This can be undone later in DOS by typing:

cd\
attrib -r c:\windows\system\

(Write down the undo command line. If Windows does not
load or work properly after locking the system folder, and
you only have access to DOS, undo the locking process by
typing that in the command line.)

If this works and WinME loads correctly with the system
folder locked, try deleting the replicating file in the
system folder, selecting yes when you are prompted if you
want to delete a write-protected file. Check to see if
there are any new files in the system folder. If there are
not, you can either roam through all of the modified files
on the day and time that you downloaded what you suspect
to be the culprit, AVG Virus Scanner, or you can exit to
DOS once again, and outside of WinME, try to remove the
command line from the startup file (maybe I didn't
understand what you were saying, but it looked to me like
the trojan is suspected of running at WinME startup
by placing itself either in the registry or writing a
command line in a startup file, such as autoexec.bat). If
the trojan did place a command line in, say, autoexec.bat
or system.ini, you can manually edit these programs
outside of WinME by exiting to DOS, and typing:

cd\
edit c:\autoexec.bat (or c:\system.ini or whatever file)

Then save the changes and restart your computer. If
everything is running fine, you will still need to remove
the mother program (assuming this is how the trojan is
laid out). You will need to manually find and delete this
file, or get a scanner (other than AVG) that will find and
delete the file.

These are just some suggestions, not saying any of them will
work, but I don't really have too much background on the
type of trojan to help you out more.
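
Added example (not part of rock's reply or of the original thread): a small Python sketch of the startup-file check the reply describes, listing the programs that autoexec.bat and system.ini would launch so an unfamiliar entry stands out. The sample file contents are constructed and reuse the file name quoted in the original message; the function names and the known-good list are assumptions, and the win.ini keys go beyond the two files the reply names.

```python
import re

# Constructed sample files (not from the thread); the program name is the
# one quoted in the original message.
SAMPLE_AUTOEXEC = r"""@ECHO OFF
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
REM added by setup
C:\Windows\system\OqxNq.exe
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe C:\Windows\system\OqxNq.exe
[386Enh]
device=*vmm32
"""
# (section, key) pairs that start programs: system.ini [boot] shell=,
# plus win.ini [windows] load= / run= (beyond the files the reply names).
STARTUP_KEYS = {("boot", "shell"), ("windows", "load"), ("windows", "run")}

PROGRAM = re.compile(r'[^\s"=,]+\.(?:exe|com|bat|pif|scr)\b', re.IGNORECASE)
NOT_A_LAUNCH = re.compile(r'@?\s*(?:rem|set|path|echo)\b|::', re.IGNORECASE)

def autoexec_programs(text):
    """Programs run by autoexec.bat, ignoring comments and SET/PATH/ECHO."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if line and not NOT_A_LAUNCH.match(line):
            found += PROGRAM.findall(line)
    return found

def ini_programs(text, wanted=STARTUP_KEYS):
    """Programs named by the startup keys of a system.ini / win.ini file."""
    found, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if (section, key.strip().lower()) in wanted:
                found += PROGRAM.findall(value)
    return found

def unexpected(programs, known):
    """Entries whose file name is not in the known-good set (lower case)."""
    return [p for p in programs if p.rsplit("\\", 1)[-1].lower() not in known]
```
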