can't stomp trojan.Tofger - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 14 of 14

Thread: can't stomp trojan.Tofger

  1. #11
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Very good point there TheSpecialist.

    Non-Microsoft software in the Windows and system32 folders

    The first is supposed to relate to a voice modem and the second to HP writing to disk, but the other entries suggest that the computer is actually a Dell?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  2. #12
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    anywho...
    O4 - Startup: winupdate23036105[1].exe
    O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
    What happened after you deleted these ?? ( to my knowledge svchost.exe does not belong in the /WINDOWS directory, err ... , sorry, \WINDOWS directory: it is most likely a virus or trojan. And the other one, same-same, does not belong there to my knowledge. ( looks awfully suspicious to me )

    Also, did you delete all your temp folder contents?

    Did you restart it in safe mode and run the AV ?

    So what did the HjackThis log look like afterwards?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  3. #13
    Iknownot:
    Exactly, the svchost in the windows folder was part of the trojan. The real svchost is in windows\system32. So when I deleted it, it happily died a painful death.

    Also, yes i removed all temp files (thanks to a batch file I found in this forum, sorry, i forget who wrote it).

    The AV scans we did were as follows:
    All definition updates were downloaded on all scanners
    1. removed physical drive, installed in clean machine, scanned w/norton
    found and removed 350+ instances of bagel and other small viruses
    2. returned drive to original machine, booted to winpe, scanned w/mcafee command line
    3. booted to xp, scanned w/norton
    4. booted to xp safe mode, scanned w/norton
    5. booted to xp, scanned w/trendmicro housecall

    All scans found the dltime.dll file, but none could remove it completely.

    I also scaned the machine with adaware (reg, safemode, winpe), spybot, and pest patrol. pest patrol found the false svchost, but failed to remove it.

    The|Specialist|: (or whatever your old nick looked like)
    I thought those entries were suspicious also. But as Nihil said, the files checked out. The HP one made me wonder, since the machine was indeed a dell, but it was not causing problems.
    You are so bored that you are reading my signature?

  4. #14
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    In my last post I could not remember where I got PV.exe (prossess view) from but here is the download page with some info on usage, etc.

    http://www.teamcti.com/pview/
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides