April 17th, 2005, 03:43 AM
Help: Persistent trojan horse!
aiight, I've had it up to HERE with this trojan. A friend of mine is having a very persistent trojan. Norton keeps on giving alerts that it found socks.exe and it's a trojan; after deleting it, it comes back. And before you state the obvious, yes I know there is something that's generating the trojan again and again, and that is my dilemma: I can't find the dropper.
Anyone here got some suggestions? I've been looking around the web, and all I get are definitions of the trojan and people having the same unsolved problem.
Attached here is the screenshot of the Norton alert.
April 17th, 2005, 04:09 AM
Question... is this trojan the same as this: Zone Labs Virus Information Center, a Mitglieder.J virus member?
I tried to find your solution...but I think we might have to look under something else.
April 17th, 2005, 04:30 AM
If in Win ME, 2k or XP, disable system restore, then scan and remove in safe mode. Viruses and trojans LOVE those restore folders as they allow them to achieve an "immortality" of sorts.
Hope this helped.
It isn't paranoia when you KNOW they're out to get you...
April 17th, 2005, 08:12 AM
Hi there s0nIc!
This threat is quite old. It could have already infected the system hard, down to the registry.
Check this complete information and instruction from Symantec - Backdoor.Trojan http://securityresponse.symantec.com...or.trojan.html
Since the OS is Win XP, you can find more technical information about the situation here - Common loading points of threats in Windows 2000/XP http://service1.symantec.com/SUPPORT...01060517115206
Hope it could help.
WARNING: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.
an\"to*nym (noun) [Greek: a word used in substitution for another]
A word of opposite meaning ; a counter-term ; used as a correlative of synonym
- Dr. Gung-ho
April 18th, 2005, 12:11 PM
The best way to get rid of trojans that are not sneaky is to remove the registry keys and check the win.ini. There is a tutorial by someone on here about the sneaky trojans, written by nihil I believe, which goes deeper in depth. But knowing EVERYTHING that is supposed to start with Windows on your computer is the main strategy to defend against trojans/spyware/malware. Knowing your computer is the same as knowing your woman. If her snatch is sloppy you know she's been with another man earlier, right?
April 18th, 2005, 01:54 PM
lol, you have an odd way of putting it. But yeah, I really don't know the computer myself because it's not mine, I'm just helping out. But I did ask her to check her startup folder. I'm thinking she could send me her HijackThis log. I asked her to check her Program Files folder for any odd new folders because I know that's where they usually multiply, and to check her Windows temp folder as well. Alas, no sign of the dropper. So my only hope right now is for her to send me the HijackThis log, and to try your suggestions.
I'm thinking the culprit is a .dll or a .bat.
April 18th, 2005, 03:17 PM
Did you try what allenb suggested? (system restore off, boot to safe mode, rescan)
Experience is something you don't get until just after you need it.
April 20th, 2005, 05:59 PM
Turn off system restore, clean the trojan, use Crap Cleaner (from www.ccleaner.com) to clean your system and then reboot. This should do the trick.
If this does not work, use HijackThis to create a log file and give it to an expert, or just post it here.
April 20th, 2005, 08:14 PM
s0nIc, don't feel bad. I'm going through the identical situation you are. My brother's computer is infected with a trojan that possesses the same characteristics as yours does. This thing is a real s.o.b. I only had limited time (a couple hours) to work on this computer and here's what I tried, to no avail (normal mode scans were ineffective):
-disabled system restore
-booted into safe mode
-ran Norton 2005, The Cleaner, and Spybot
-both Norton and The Cleaner found the trojan (generically named "Trojan Horse") and claimed to clean it.
-rebooted normally and Norton warnings went nuts. I was getting warnings just about every 20 seconds about a potentially infected ****.exe. The .exe files kept changing. I counted about 10 different .exe's that Norton warned me about being infected. In addition to that, M$ AntiSpyware kept giving me warnings about something trying to change IE Internet Settings to minimal security.
I didn't get a chance to delve into the win.ini file or the registry. I also haven't had a chance to run HijackThis yet either. I do remember a malicious .exe running when I checked it via TCActive. It was LF00!.exe; I checked it out and found one website with that .exe listed under W32/Downloader.
I haven't had any time to work on it since but I'm hoping someone knows where this s.o.b of a trojan is residing and why the hell both Norton and The Cleaner can't get to it, even in safe mode with system restore disabled.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
April 21st, 2005, 05:49 AM
I remember years ago, when trojans were becoming even more popular back in the mid 90s, they used win.ini mainly because a lot of people still used Windows 3.1 and 95 respectively. They were sneaky with the "run=" and "load=" lines in the win.ini file. What they would do is this:
run= (lots of spaces) "c:\blah\trojan.exe" or
load= " " "
I'm not sure if they fixed that since 98+, but the average person wouldn't notice it even with Notepad maximized when editing; the only real way to notice was using the scrollbar to scroll all the way over and also hitting End on such lines.
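The whitespace-padding trick above is easy to check for mechanically. The following script is an added example for this thread, not code from any poster: it reads the [windows] section of a win.ini file, pulls out the run= and load= lines, and reports entries that are pushed out of view with leading spaces or that point into temp-style directories. The win.ini text it scans is constructed for the example, and the directory list is a heuristic, not a Symantec reference.

```python
"""Audit the [windows] section of a win.ini file for hidden run=/load= entries."""
import re
from typing import Dict, List

# Constructed sample win.ini: run= is padded with whitespace so the path sits
# far to the right of what a maximized Notepad window would show.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=" + " " * 120 + "c:\\windows\\temp\\socks.exe\n"
    "NullPort=None\n"
    "[fonts]\n"
)

STARTUP_KEYS = ("run", "load")
# Heuristic list of directories where a legitimate run=/load= entry is unlikely.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\")


def audit_win_ini(text: str, pad_limit: int = 8) -> List[Dict[str, object]]:
    """Return one finding per run=/load= line that carries an entry or heavy padding."""
    findings = []
    in_windows = False
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if line.startswith("["):                      # section header
            in_windows = line.strip().lower() == "[windows]"
            continue
        if not in_windows or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key not in STARTUP_KEYS:
            continue
        padding = len(value) - len(value.lstrip())    # spaces before the first path
        # run=/load= hold space- or comma-separated program paths (paths containing
        # spaces would be split here; acceptable for a triage heuristic).
        entries = [e for e in re.split(r"[ ,]+", value.strip()) if e]
        if not entries and padding < pad_limit:
            continue                                  # empty and unpadded: normal
        findings.append({
            "key": key,
            "padding": padding,
            "hidden": padding >= pad_limit,
            "entries": entries,
            "suspicious_paths": [e for e in entries
                                 if any(d in e.lower() for d in SUSPICIOUS_DIRS)],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_win_ini(SAMPLE_WIN_INI):
        print(finding)
```

Run it against a real win.ini with `audit_win_ini(open(r"C:\Windows\win.ini").read())`; anything it flags is a loading point to compare against the Symantec list posted earlier in the thread.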