Re: sticky trojan

From: Li'l Roberto (whoisit_at_nospam.net)
Date: 12/23/04 

Date: Thu, 23 Dec 2004 13:18:25 +1030

David
unfortunately your "canned" reply is worthless, please re read my
original post you will see I have already used sysclean in conjunction
with other tools.

rgds
Li'l Roberto

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:Oz0bftB6EHA.1524@TK2MSFTNGP09.phx.gbl...
> 1) Download the following two items...
>
> Trend Sysclean Package
> http://www.trendmicro.com/download/dcs.asp
>
> Latest Trend signature files.
> http://www.trendmicro.com/download/pattern.asp
>
> Create a directory.
> On drive "C:\"
> (e.g., "c:\New Folder")
> or the desktop
> (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
>
> Download SYSCLEAN.COM and place it in that directory.
> Dowload the signature files (pattern files) by obtaining the ZIP file.
> For example; lpt313.zip
>
> Extract the contents of the ZIP file and place the contents in the same
> directory as
> SYSCLEAN.COM.
>
> 2) If you are using WinME or WinXP, disable System Restore
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
> 3) Reboot your PC into Safe Mode
> 4) Using the Trend Sysclean utility, perform a Full Scan of your
> platform and
> clean/delete any infectors found
> 5) Restart your PC and perform a "final" Full Scan of your platform
> 6) If you are using WinME or WinXP, Re-enable System Restore and
> re-apply any
> System Restore preferences, (e.g. HD space to use suggested 400 ~
> 600MB),
> 7) Reboot your PC.
> 8) If you are using WinME or WinXP, create a new Restore point
> 9) Please report back your results
>
> Dave
>
>
>
>
>
> "Li'l Roberto" <whoisit@nospam.net> wrote in message
> news:%23eIBonA6EHA.2196@TK2MSFTNGP11.phx.gbl...
> | Have just come across a paricularly stuborn trojan, after spending
> | almost two hours in a fruitless attempt to remove it, regretably I
> had
> | to format and start over. [clients insistance]
> |
> | Here are the symptons:
> | The desktop was hijacked as web page with the warning that the
> | system had been compromised and displayed a link to the following
> web
> | site: for a "cure" www.topantispyware.com/overview.php?30. Right
> | clicking on the "desktop" and choosing properties showed
> | C:\Windows\Web\desktop.html not the normal properties ***.
> |
> | Panda would detect the trojan downloader.small.11.BU and heal it on
> each
> | reboot, but always came back with a different file name, EG
> | C:\windows\system32\jgglaaaa.dll and wisadwsfndos.exe, plus there was
> | always a file r.exe on the root of C:.
> |
> | I ran uptodate versions of FPROTDOS, sysclean, AD-Aware, Hijackthis and
> | Spybot S and D, but just couldn't remove it. Anyone come across this
> | and have a fix? for next time
> |
> | rgds
> | Li'l Roberto
> |
> |
> |
> |
> |
> |
> |
> |
> |
>
>