Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: trojan.wimad.a

Hybrid View

  1. #1
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187

    trojan.wimad.a

    I am trying to help my brother clean a trojan off of his computer. He is running Vista Home Premium. The trojan is trojan.wimad.a ... it was originally found by AVG AV... and was originally listed as trojan horse generic5.ijc. I have been searching google for a solution, and found a forum that suggested running Ewido in safemode. Looks like Ewido got bought out by Grisoft, so now it is AVG Anti-Spyware. Regardless, we downloaded it, booted to safemode, and started a scan. Pretty early on in the scan we got an information balloon that said:

    c:\c:\$Recycle.bin\s-1-5-21-2501116068-1111772687-1608448203-1000\$row5w3j is corrupt and unreadable please run the chkdsk utility.
    We have not yet run the check disk utility... I was wondering if anyone here had come across this.

    here are some other steps that were taken:

    Ran AVG AV in normal and safemode, both times it found the trojan but was unable to remove it, reported 1 error and 0 files healed.

    Ran Spybot S&D, but found no evidence of a Trojan.

    Ran Adaware 2007 in safemode, it found the trojan and claimed to quarantine it, but after that we ran AVG AV again and the trojan was still there.

    Ran Hijack this, and pasted the log file at hijackthis.de. There were no "nasty" entries.

    We are currently still in the middle of the AVG Spyware scan in safemode.

    All of the software and definitions are up to date.

    It is getting late, and I am getting ready to go home. So I will probably continue this battle sometime in the next couple of days.

    Any help is greatly appreciated.

    Thanks for your time.

    Westin
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    well... just got this email from my brother, looks like the problem is cleared up... when he originally saw the infection, he navigated to the directory that the file in question was reported to reside in, and deleted the folder... I guess that is why the chkdisk thing came up... here is his email:

    I downloaded Avast! And ran it. It found a WMA file with the Trojan horse in the same directory we had deleted. It was able to quarantine it. I then ran AVG only to have the same file pop up again. I shut the system down, ran chkdsk, then booted up in safe mode. I ran AVG again, and it still popped up. I then went to the disk cleanup util and ran it. Then I thought, “I ought to run the disk defrag.” So I did. I think the directory I deleted was still resident on the HD. After running defrag, the directory didn’t even show up during the scan.
    any insight? I could probably muster some... but it is about time for bed...
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    I use this tool:

    http://www.ccleaner.com/

    It cleans out all sorts of places where nasties tend to hide

    Incidentally, it might be a good idea to create a new system restore point and delete the old ones?
    Last edited by nihil; January 14th, 2008 at 12:32 PM.

  4. #4
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Thanks nihil... your advice is always most appreciated. I will do that when I get over there tonight...
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  5. #5
    Ran Adaware 2007 in safemode, it found the trojan and claimed to quarantine it, but after that we ran AVG AV again and the trojan was still there.
    Was AVG scanning the Adaware quarantine folder?

  6. #6
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Quote Originally Posted by AngelicKnight
    Was AVG scanning the Adaware quarantine folder?

    excellent question... I am not sure, but that could very well have been the case...
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  7. #7
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Most AV's or Antispyware apps will find the file if it's been saved to the systemvolumeinformation folder (restore points, folders are hidden), as a quarantined item.

    Each system restore point is a chain so you need to flush all the restore points and not just the folder with the infected file...
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  8. #8
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Thanks for the info dalek... I went over tonight, ran ccleaner, and went to delete/create restore points, and there was only one... from today. Not sure what happened to the other ones... the computer is still coming up clean on the scans, so I am optimistically thinking that the problem is resolved... though any more tips or insight is still greatly appreciated... once again thanks to everyone for their ideas and suggestions.

    Cheers!
    Westin
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  9. #9
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    I use the same tool that Nihil has suggested for over a year now - It works great to flush out most things.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  10. #10
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    I had used it before, but I always thought of it as more of a privacy tool than a malware eradicator... looks like it is effective in both ways... it is a very handy piece of software...
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •