914World.com - The fastest growing online 914 community!

> OT: Virus Gurus, FARK!
Howard
post Nov 23 2005, 09:58 PM
Post #1

Got this cutie today. Anti_Troj.exe
Screws up the works.

Knocked out my Norton and won't let me reinstall nor get any new AV software installed. RegEdit the entry as per Symantec instructions, but can't run anti virus scan to kill it. Help!
J P Stein
post Nov 23 2005, 10:12 PM
Post #2

Google AVG and run their free AV scan off the net.
Their updates are very current. I get 'em daily.

Good luck.

bd1308
post Nov 23 2005, 10:30 PM
Post #3

dude.

try this--Microsoft AntiSpyware

http://reactornet.net/~britt/MAS.exe

It's the bomb diggity.

b
Rocket
post Nov 23 2005, 10:32 PM
Post #4

Go get Lavasoft's anti-spyware and Spybot Search and Destroy. Using both of those gets most of the stuff off, along with Microsoft's AntiSpyware.

Also, try F-Prot's antivirus software. You can get the trial online for free; you have to hunt on their website.
r_towle
post Nov 23 2005, 10:35 PM
Post #5

most of these have a pre-boot function...

You probably need to boot in safe mode and then run the Symantec cleaner agent for this specific problem...

Only in safe mode can you ensure that nothing got loaded...


Rich
lagunero
post Nov 23 2005, 10:43 PM
Post #6

QUOTE (r_towle @ Nov 23 2005, 08:35 PM)
most of these have a pre-boot function...


Only in safe mode can you ensure that nothing got loaded...


Rich

Yup.

Howard, that's what you get for letting the Narpster site go
Howard
post Nov 23 2005, 11:00 PM
Post #7

Thanks, guys. I'll try 'em one at a time. No effect on Mycrosoft anti spy, still running no problems. Alberto, I didn't kill the narp, the free server went out of biz.
bd1308
post Nov 23 2005, 11:03 PM
Post #8

Howie, you got my PM regarding that right?

Did MS AntiSpyware work?

b
Howard
post Nov 23 2005, 11:07 PM
Post #9

Yeah, Britt. Set it up and I'll get it over to you. Unfortunately, we'll lose everything that was in there.

MS Anti spy doesn't find it. And this guy is good... won't let me visit any AV site to get a download. Don't think I can access DSL in safe mode, so may have to get it on another machine. Back to the drawing board
bd1308
post Nov 23 2005, 11:13 PM
Post #10

What OS are you using?

Can you send me the file in an email?

I'll look at it..... we'll come up with something.

b
r_towle
post Nov 23 2005, 11:15 PM
Post #11

Howard...
This is from Symantec.
You have a bad Trojan horse... it downloads more bad files to your computer....

First thing... unplug it from the internet...
Then follow these instructions...
Print them out and follow them to a T.

At a high level:
You have to boot in safe mode to disable the service from starting...
Then you need to use the current version of the virus software to get rid of it...
Then you need to edit the registry to make sure it's gone.
There might also be some of the files left...the files it downloaded....

After you do that...boot in normal mode and get all the latest patches from symantec.

then run it once again in normal mode.

READ BELOW



Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"anti_troj" = "%System%\anti_troj.exe"


Navigate to the subkey:

HKEY_CURRENT_USER\Software\FirstRRRun


In the right pane, delete the value:

"FirstRRRun" = "1"


Exit the Registry Editor.
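As an added example (not something posted in the thread, and not Symantec's removal tool), the script below takes a regedit export and reports the two persistence indicators the pasted instructions name: a Run-key value pointing at anti_troj.exe and the HKEY_CURRENT_USER\Software\FirstRRRun marker key. The export text is constructed for the example; the parser assumes the standard "Windows Registry Editor Version 5.00" export format, in which string values appear as "name"="data" under a [KEY] header with backslashes and quotes escaped. Reviewing an export this way, rather than clicking through regedit, gives you a record of exactly what was found before anything is deleted.

```python
"""Check a regedit (.reg) export for the persistence entries named in the
Symantec instructions quoted above.  Added example for this thread; not
Symantec's tool and not code posted by any forum member."""

import re
from typing import Dict, List, Tuple

# Indicators taken from the removal instructions in the thread.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRRRun"
SUSPECT_EXE = "anti_troj.exe"

# Constructed sample export (not a real capture): one legitimate Run entry,
# the trojan's Run entry, and the FirstRRRun marker key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"anti_troj"="C:\\WINDOWS\\system32\\anti_troj.exe"

[HKEY_CURRENT_USER\Software\FirstRRRun]
"FirstRRRun"="1"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: '\\\\' becomes '\\' and '\\"' becomes '"'."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}.  REG_SZ data is unescaped;
    other types (dword:, hex:) are kept as the raw text so they can still
    be inspected."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples that match the thread's IOCs."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        if key in RUN_KEYS:
            for name, data in values.items():
                # Match on the executable name: a real export shows the expanded
                # %System% path (e.g. C:\WINDOWS\system32), not the literal token.
                exe = data.lower().rstrip('"')
                if exe.endswith(SUSPECT_EXE) or name.lower() == "anti_troj":
                    hits.append((key, name, data))
        elif key == MARKER_KEY:
            # Any value under the marker key is worth reporting.
            for name, data in values.items():
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_indicators(parse_reg(SAMPLE_REG)):
        print(f'{key}\n  "{name}" = {data}')
```

Against the constructed export this reports the anti_troj Run value and the FirstRRRun marker and leaves the legitimate ccApp entry alone; on a real machine you would export the three keys from regedit (File > Export) and feed that file in.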
J P Stein
post Nov 23 2005, 11:16 PM
Post #12

Are you on IE or Mozilla?
If you're on IE, you may want to load Mozilla and get a clean tool for the net.
Howard
post Nov 23 2005, 11:19 PM
Post #13

Did that before, but not in safe mode. I'll try again. Thanks
r_towle
post Nov 23 2005, 11:30 PM
Post #14

The part I pasted here says do it in safe mode...

It's the part of the cure under the heading "if that did not work and you can't get rid of it... do this."

Rich
bd1308
post Nov 23 2005, 11:33 PM
Post #15

Before you clean yourself.... can you send that to me? I want to dissect it....
b
MecGen
post Nov 24 2005, 06:39 AM
Post #16

Hey

This summer I got infected with a similar troj...
3 PC shops and countless hours of net research...
Cleaned my registry... no more internet...
Got the patches... worked OK but, final solution was, flush Windows and start from scratch...

I really hope yours turns out better. Next time I'm calling Britt

Later Poz

bd1308
post Nov 24 2005, 10:02 AM
Post #17

When I do work for somebody...

it costs less money for the customer (I do weekend house visits) if I dump the OS and reload.

I'm going to set up a machine where I purposely infect it to see what goes on. Kinda like Jake blowing up and melting engines.

b
bd1308
post Nov 24 2005, 10:03 AM
Post #18

No message with troj attachment.

I'll figure something else out.

b
Howard
post Nov 24 2005, 10:36 AM
Post #19

Britt, appreciate your help. We've got 20 people to feed today for t/g so I can't screw with this too much. Found the file, couldn't delete in windows, so rebooted in dos, changed the attrib and deleted. Can load AV software now and am running scans. According to Norton it's brand new as of yesterday, so they're still working out the bugs.

DON'T OPEN ZIP FILES FOR THE NEXT FEW DAYS UNTIL THEY FIGURE THIS LITTLE EFFER OUT.

Brett, pm your phone number so I can ask you a few questions.
bd1308
post Nov 24 2005, 11:31 AM
Post #20

QUOTE (Howard @ Nov 24 2005, 10:36 AM)
Britt, appreciate your help. We've got 20 people to feed today for t/g so I can't screw with this too much. Found the file, couldn't delete in windows, so rebooted in dos, changed the attrib and deleted. Can load AV software now and am running scans. According to Norton it's brand new as of yesterday, so they're still working out the bugs.

DON'T OPEN ZIP FILES FOR THE NEXT FEW DAYS UNTIL THEY FIGURE THIS LITTLE EFFER OUT.

Brett, pm your phone number so I can ask you a few questions.

brett=MecGen?
