Re: Trojan.killAV-similar experiance?
- From: Malke <notreally@xxxxxxxxxxxxxxx>
- Date: Tue, 18 Sep 2007 11:50:28 -0700
I've run into two different windows XP machines at 2 different clients now. Norton picks it up as Trojan.KillAV. The files: info.exe, system.exe and print.exe all show up in the system with this infection in the %winnt%/system32 folder, the startup folder and the run reg keys for HKEY_LOCAL_USER and HKEY_LOCAL_MACHINE. In addition you'll see a process running called print.exe. Also, you get the following message when attempting to access the properties of my computer, when trying to access control panel or other system changing areas, either directly or via the RUN menu: "THIS OPERATION HAS BEEN CANCELLED DUE TO RESTRICTIONS IN EFFECT ON THIS COMPUTER. PLEASE CONTACT YOUR SYSTEM ADMINISTRATOR". The previous error message did not relate to a local or group policy. Also, the control panel is no longer visable. Oh, and some popups too. It's very resistant to removal and the most i've been able to do is disable it by killing the files with a program and replacing the infected files with dummy files and locking them. But I can never repair the error message with accessing system changing areas. Has anyone else had any luck with this?? perhaps been able to remove and repair? Any advice or experiance with this would be helpful.
Sorry its so long! Thanks in advace.
I haven't seen this on any of my clients' machines but there is a lot of information about removing it available:
Elephant Boy Computers
MS-MVP Windows - Shell/User