Re: reply

From: Ozgirl (news_onlyxx_at_hotmail.com)
Date: 11/26/03


Date: Wed, 26 Nov 2003 12:58:19 +1100

Rock, you need to reply to a message in the same
thread, not create a new subject. That way everyone
including the original poster knows who you are
replying to.

"rock" <anonymous@discussions.microsoft.com> wrote in
message news:08e901c3b3bb$0b788590$a101280a@phx.gbl...
> >-----Original Message-----
> >There is a "trojan horse" program in my PC that refuses to
> >be removed. I have tried Ad-Aware, Spy Bots and also
> >tried deleting it from the msconfig Startup tool system,
> >and searched for it in the registry, but I am unable to
> >remove it. I unchecked it in the msconfig Start up
> >program, but it reappears again with a checked box on a
> >new line in the list. Its listed name is: 2N7NDTN44L@@AN,
> >and a command name in the windows system that changes each
> >time it returns in the Startup list, example
> >C:\Windows\system\OqxNq.exe. When I tried the Search
> >function, neither the listed name nor command line name
> >produced any results. It constantly generates web page ads
> >on my pc. Is there any other method I can use to remove
> >it? I suspect it was attached to a free copy of a
> >downloaded Grisoft AVG Anti Virus software. I have a
> >Presario Intel 4,1.7GHZ PC with 256RAM and Win ME.
> >
> >Peace through understanding,
> >
> >
> >.
> >
>
>
> Reply:
>
>
> The reason that it keeps replicating itself is that there
> is a mother file that is set to do such, from another
> location. You need to delete the mother file or the
> replicating won't stop. It is probably hidden, as well as
> the replicated files, this is why WinME won't pick them up
> in the search. I have a couple of suggestions:
> First, ME comes with a registry backup application, try
> restoring an old registry backup, this may remove all
> registry keys that are generated by the trojan.
> If the replicated files keep appearing in the
> C:\windows\system\ folder, try locking access to this
> folder temporarily by using attrib.exe:
> In DOS (you may have to restart into DOS to lock this
> folder since it is in use), type:
> cd\
> attrib +r c:\windows\system\
>
> this can be undone later in DOS by typing:
> cd\
> attrib -r c:\windows\system\
>
> (write down the undo command line, if Windows does not
> load or work properly after locking the system folder, and
> you only have access to DOS, undo the locking process by
> typing that in the command line)
> If this works and WinME loads correctly with the system
> folder locked, try deleting the replicating file in the
> system folder, selecting yes when you are prompted if you
> want to delete a write-protected file. Check to see if
> there are any new files in the system folder. If there are
> not, you can either roam through all of the modified files
> on the day and time that you downloaded what you suspect
> to be the culprit, AVG Virus Scanner, or you can exit to
> DOS once again, and outside of WinME, try to remove the
> command line from the startup file (maybe I didn't
> understand what you were saying, but it looked to me like
> the trojan is suspected of running at WinME startup
> by placing itself either in the registry or writing a
> command line in a startup file, such as autoexec.bat). If
> the trojan did place a command line in, say, autoexec.bat
> or system.ini, you can manually edit these programs
> outside of WinME by exiting to DOS, and typing:
> cd\
> edit c:\autoexec.bat (or c:\system.ini or whatever file)
>
> Then save the changes and restart your computer, if
> everything is running fine, you will still need to remove
> the mother program (assuming this is how the trojan is
> laid out). You will need to manually find and delete this
> file, or get a scanner (other than AVG) that will find and
> delete the file.
>
> These are just some suggestions, not saying any of them will
> work, but I don't really have too much background on the
> type of trojan to help you out more.
>
>
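
The behaviour described in the quoted post (a Startup entry whose name stays the same while its command changes each time it returns) can be confirmed by comparing registry exports taken on two boots. This is an added example, not code from anyone in the thread; it assumes the entry lives under the HKLM Run key, and the export contents, the second file name and the function names are constructed for illustration.

```python
import re

# Constructed REGEDIT4 exports of the Run key from two boots (not real data).
# The value name and first path are quoted in the post; "KtbWz.exe" and the
# SystemTray entry are made up for this example.
RUN_KEY = r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]"
BOOT_1 = "REGEDIT4\n\n" + RUN_KEY + r'''
"SystemTray"="SysTray.Exe"
"2N7NDTN44L@@AN"="C:\\Windows\\system\\OqxNq.exe"
'''
BOOT_2 = "REGEDIT4\n\n" + RUN_KEY + r'''
"SystemTray"="SysTray.Exe"
"2N7NDTN44L@@AN"="C:\\Windows\\system\\KtbWz.exe"
'''

# "name"="data" line; both sides may contain backslash escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_run_key(export):
    """Return {value name: command} for the Run key in a REGEDIT4 export."""
    entries, in_run = {}, False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.lower() == RUN_KEY.lower()
        elif in_run and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            entries[name] = data
    return entries


def changed_targets(before, after):
    """Entries that survive across boots but point at a different command."""
    return {n: (before[n], after[n]) for n in before.keys() & after.keys()
            if before[n].lower() != after[n].lower()}


def runs_from_system_dir(command):
    """True if the command launches an .exe directly in C:\\Windows\\system."""
    return re.match(r'"?c:\\windows\\system\\[^\\"]+\.exe', command, re.I) is not None


if __name__ == "__main__":
    for name, (old, new) in changed_targets(parse_run_key(BOOT_1),
                                            parse_run_key(BOOT_2)).items():
        print(f"{name}: {old} -> {new} system dir: {runs_from_system_dir(new)}")
```

An entry that keeps its value name but is rewritten to a new file on every boot indicates that something else is regenerating it, so removing the Run value alone will not hold.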


