-
January 14th, 2008, 05:12 AM
#1
trojan.wimad.a
I am trying to help my brother clean a trojan off of his computer. He is running Vista Home Premium. The trojan is trojan.wimad.a ... it was originally found by AVG AV... and was originally listed as trojan horse generic5.ijc. I have been searching google for a solution, and found a forum that suggested running Ewido in safemode. Looks like Ewido got bought out by Grisoft, so now it is AVG Anti-Spyware. Regardless, we downloaded it, booted to safemode, and started a scan. Pretty early on in the scan we got an information balloon that said:
c:\c:\$Recycle.bin\s-1-5-21-2501116068-1111772687-1608448203-1000\$row5w3j is corrupt and unreadable please run the chkdsk utility.
We have not yet run the check disk utility... I was wondering if anyone here had come across this.
here are some other steps that were taken:
Ran AVG AV in normal and safemode, both times it found the trojan but was unable to remove it, reported 1 error and 0 files healed.
Ran Spybot S&D, but found no evidence of a Trojan.
Ran Adaware 2007 in safemode, it found the trojan and claimed to quarantine it, but after that we ran AVG AV again and the trojan was still there.
Ran Hijack this, and pasted the log file at hijackthis.de. There were no "nasty" entries.
We are currently still in the middle of the AVG Spyware scan in safemode.
All of the software and definitions are up to date.
It is getting late, and I am getting ready to go home. So I will probably continue this battle sometime in the next couple of days.
Any help is greatly appreciated.
Thanks for your time.
Westin
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
January 14th, 2008, 07:37 AM
#2
well... just got this email from my brother, looks like the problem is cleared up... when he originally saw the infection, he navigated to the directory that the file in question was reported to reside in, and deleted the folder... I guess that is why the chkdisk thing came up... here is his email:
I downloaded Avast! and ran it. It found a WMA file with the Trojan horse in the same directory we had deleted. It was able to quarantine it. I then ran AVG only to have the same file pop up again. I shut the system down, ran chkdsk, then booted up in safe mode. I ran AVG again, and it still popped up. I then went to the disk cleanup util and ran it. Then I thought, "I ought to run the disk defrag." So I did. I think the directory I deleted was still resident on the HD. After running defrag, the directory didn't even show up during the scan.
any insight? I could probably muster some... but it is about time for bed...
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
January 14th, 2008, 11:55 AM
#3
Hi,
I use this tool:
http://www.ccleaner.com/
It cleans out all sorts of places where nasties tend to hide
Incidentally, it might be a good idea to create a new system restore point and delete the old ones?
Last edited by nihil; January 14th, 2008 at 12:32 PM.
-
January 14th, 2008, 03:20 PM
#4
Thanks nihil... your advice is always most appreciated. I will do that when I get over there tonight...
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
January 14th, 2008, 03:44 PM
#5
Ran Adaware 2007 in safemode, it found the trojan and claimed to quarantine it, but after that we ran AVG AV again and the trojan was still there.
Was AVG scanning the Adaware quarantine folder?
-
January 15th, 2008, 02:24 AM
#6
Originally Posted by AngelicKnight
Was AVG scanning the Adaware quarantine folder?
excellent question... I am not sure, but that could very well have been the case...
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
January 15th, 2008, 03:41 AM
#7
Most AVs or antispyware apps will find the file if it's been saved to the System Volume Information folder (restore points; the folders are hidden) as a quarantined item.
Each system restore point is a chain so you need to flush all the restore points and not just the folder with the infected file...
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
January 15th, 2008, 07:17 AM
#8
Thanks for the info dalek... I went over tonight, ran ccleaner, and went to delete/create restore points, and there was only one... from today. Not sure what happened to the other ones... the computer is still coming up clean on the scans, so I am optimistically thinking that the problem is resolved... though any more tips or insight is still greatly appreciated... once again thanks to everyone for their ideas and suggestions.
Cheers!
Westin
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
January 15th, 2008, 10:22 AM
#9
I have used the same tool that Nihil suggested for over a year now - it works great to flush out most things.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
January 15th, 2008, 03:36 PM
#10
I had used it before, but I always thought of it as more of a privacy tool than a malware eradicator... looks like it is effective in both ways... it is a very handy piece of software...
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST