
Thread: can't get rid of trojan horse loader

  1. #41
    Join Date
    Jul 2008
    Posts
    3
    You need to do all your scanning and repairs in safe mode with networking (so you can access online scanners); press F8 on bootup. Run Spybot and your virus software in safe mode.

    (url removed) Use this scanner from there; there are a few more tools here too (url removed).

  2. #42
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote (BigTrouble): You need to do all your scanning and repairs in safe mode with networking (so you can access online scanners); press F8 on bootup. Run Spybot and your virus software in safe mode.

    (url removed) Use this scanner from there; there are a few more tools here too (url removed).

    This is NOT required unless specifically requested. sck1971 has followed the instructions given here in our READ ME Before Posting A Request For Assistance!, which has the steps that we ask of all of our posters requesting help, and is following the steps given by cauzomb. Unless cauz requests safe mode scanning, it is not needed at this time.

  3. #43
    Join Date
    Aug 2006
    Posts
    2,763
    It is only "SOMETIMES" necessary to do the work in safe mode, due to the virus files being loaded and "protected" as operating system files or "currently in use". This is the ONLY reason we wind up needing to do any work in safe mode... I'm saying this because the anti-virus application authors seem to be dropping the "BALL" instead of doing their part in being able to take care of business in any OS state... It is getting better with "delete on reboot" variables, but here's the issue: viruses make themselves out of several resources that are already on the computer, which come together as one or two files that an antivirus software has to be able to identify... Now some of these files are being put out there by "NEED TO KNOWS" who operate with a certain amount of plausible deniability, and in no case is it good. Some of the files I've seen with this particular infection are directly targeted at internal networks with the ability to send spam and phishing emails... I have downloaded source and taken apart the code, but I cannot identify all the infected files, and there are a large number of possible infected files. These things come in from fraudulent places, where people's computers can be hit, infected, and have worms and other viruses spread from the inside OUT, pushing the point of origin into another level of obscurity...

    I have seen this one first hand. It has even got stuff popping up in the background/Active X desktop, and has removed the desktop control panel config tabs to "turn these features off" to retain the infection warning and prevent the user from just reverting their desktop properties. It has infected numerous registry entries, removing BHOs, run/runonce etc., effectively causing the virus warning to not be displayed as an "on top of everything" active desktop item... This ploy is to get someone to buy a license to un-infect their computer using an illegitimate anti-virus application called Antivirus 2008, with no name brand or legit website, and in turn may even cause an always-on computer to become host to an illegitimate carbon copy of the anti-virus application vendor site... to avoid tracing, so they can "steal" credit card information, maybe to fund their terrorist attacks on stolen credit cards. So this is why we take it seriously.

    BigTrouble, if you want this app to be approved for suggestion and recommended to "other people", you had better bring it to our attention first, instead of soliciting our members. For now, your suggestion has been removed because that website and your suggested application have not yet been approved or referred to by Ianag staff.

  4. #44
    Here is the BitDefender log.
    Edited by admin and abbreviated.
    Status

    According to the log there were over 1500 items found and nearly 3000 files removed.
    Infected with: Generic.Malware.sp!.FC7A718F
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0000.VBN=>(Quarantine-PE)
    Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0000.VBN=>(Quarantine-PE)
    Deleted

    Infected with: Trojan.Peed.JPX
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08A80000.VBN=>(Quarantine-PE)
    Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08A80000.VBN=>(Quarantine-PE)
    Deleted

    Infected with: DeepScan:Generic.Zlob.65CB727B
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09740000.VBN=>(Quarantine-PE)
    Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09740000.VBN=>(Quarantine-PE)
    Deleted
    There were literally hundreds of these in the log.
    Infected with: Trojan.FakeAlert.TR
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A140001.VBN=>(Quarantine-PE)
    Deleted

    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008


    Detected with: Adware.AWS.A

    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008

    Deleted
    C:\Program Files\AIM\Sysfiles\WxBug.EXE
    Update failed
    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>(Embedded EXE r)=>wise0008
    Detected with: Adware.AWS.A
    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>(Embedded EXE r)=>wise0008
    Deleted
    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>(Embedded EXE r)
    Update failed
    __________________________________________________________________
    Reason For Editing:
    For some reason this post, if one tried to copy/paste it, was over 260 pages long. It was freezing browsers trying to open or read it. Haven't a clue how the poster was able to post it, as normally there is a limit on size. Therefore it was decided by admins to abbreviate the post in order to show others the pertinent information.

  5. #45
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Everything that was found and removed happened to be in your Norton Quarantine, so they were not harming the system in any way. Don't know how long all those had been there, but this should tell you to empty those quarantine files after a few days, when you know for certain that the programs didn't make an error and remove a vital file.
    This is also why a clean-up of quarantine files, temp files, temporary internet files, the recycle bin and the like is recommended prior to running the clean-up programs.
    Judging by that log it looks as though the computer is clean.
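    Added example, not code from the thread or from any of its posters: a small Python triage script that parses BitDefender-style log lines like the abbreviated excerpt in post #44 and separates hits whose on-disk file already sits inside another product's quarantine folder (the Symantec .VBN files above) from hits on live files, which is the distinction post #45 draws before calling the machine clean. The log embedded in it is a constructed excerpt modelled on the one above, the status words it recognises are only the three that appear there, and the quarantine marker list covers only the Symantec folder from this thread.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt modelled on the abbreviated BitDefender log in post #44;
# it is sample input for this script, not the poster's actual file.
SAMPLE_LOG = r"""
Infected with: Generic.Malware.sp!.FC7A718F
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0000.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\030C0000.VBN=>(Quarantine-PE)
Deleted

Infected with: Trojan.FakeAlert.TR
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A140001.VBN=>(Quarantine-PE)
Deleted

C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
Detected with: Adware.AWS.A
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
Deleted
C:\Program Files\AIM\Sysfiles\WxBug.EXE
Update failed
"""

THREAT_RE = re.compile(r"^(?:Infected|Detected) with:\s*(.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a line that starts with a drive path
# Status words seen in the excerpt; other scanners' wording can be added here.
ACTIONS = {"Deleted", "Disinfection failed", "Update failed"}
# Path fragments that mark a file as already contained by another AV product.
# Only the Symantec quarantine folder from the thread is listed (assumption:
# extend this for other products' quarantine locations).
QUARANTINE_MARKERS = ("\\quarantine\\",)


@dataclass
class Event:
    threat: str
    logged_path: str       # full path as logged, including =>member suffixes
    on_disk: str           # the real file: everything before the first "=>"
    action: str
    already_quarantined: bool


def parse_log(text: str) -> list[Event]:
    """Walk the log line by line, pairing each status word with the most
    recent threat name and path seen before it."""
    events: list[Event] = []
    threat = "unknown"
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = THREAT_RE.match(line)
        if m:
            threat = m.group(1).strip()
        elif PATH_RE.match(line):
            path = line
        elif line in ACTIONS and path is not None:
            on_disk = path.split("=>", 1)[0]
            quarantined = any(mk in on_disk.lower() for mk in QUARANTINE_MARKERS)
            events.append(Event(threat, path, on_disk, line, quarantined))
    return events


def summarize(events: list[Event]) -> dict:
    """Count hits per threat in each bucket and list live files whose
    action did not complete; those are the ones worth a second look."""
    summary = {"quarantined": Counter(), "live": Counter(), "live_failed": []}
    for ev in events:
        bucket = "quarantined" if ev.already_quarantined else "live"
        summary[bucket][ev.threat] += 1
        if (bucket == "live" and ev.action.endswith("failed")
                and ev.on_disk not in summary["live_failed"]):
            summary["live_failed"].append(ev.on_disk)
    return summary


def only_in_quarantine(events: list[Event]) -> bool:
    """True when every hit was inside another product's quarantine, which is
    the situation post #45 describes for the Symantec .VBN entries."""
    return bool(events) and all(ev.already_quarantined for ev in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    s = summarize(evs)
    print("already quarantined:", dict(s["quarantined"]))
    print("live files:", dict(s["live"]))
    print("live actions that failed:", s["live_failed"])
    print("all hits in quarantine:", only_in_quarantine(evs))
```

    On the sample, the three Symantec entries land in the quarantined bucket and the two WxBug.EXE hits are the only live ones, with the "Update failed" file listed for follow-up, which matches the reading in the posts that follow: the quarantine hits prove nothing about the running system, while the adware hit on a real file is what still needs checking.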

  6. #46
    Join Date
    Aug 2006
    Posts
    2,763
    As Jholland mentioned, all those were quarantined files. Some antivirus apps can quarantine infected system files that might cause errors on the system after being quarantined, but it looks ok now.

    The Adware.AWS log entries appear to have removed what that scanner considered "adware", and possibly rightfully detected it as adware; however, please check to ensure that your AOL application is still functioning. Worst case is that the AOL app decides it shouldn't work right without the files, or they are part of your weather application. If it does not work, just re-install your AOL/weather application; however, keep in mind that those apps may contain "adware" designed to present you with popup ads or banner ads from within the application.

    Now I'd recommend that you go into safe mode, open up the Start menu, Settings/Control Panel, then open Internet Options, then clear out your temporary internet files: check the box that says delete all temporary internet files, then click "Delete". Then, in there somewhere is the Settings tab; click View Files to see if it left anything. You may see some cookies; it's generally a good idea to clear the cookies out, then open View Files to see if they are gone. Then click on View Objects. In View Objects, select and delete them all. If you used "Flash Player" or other multimedia/interactive web plugins, you will have to download them again, but get them from the author's website, instead of the website containing the multimedia/interactive content.

    If you use the Internet Explorer address drop-down menu to open websites that you visit, don't clear your "history" unless you know the addresses of the websites that are in there.

    You can always use the Internet Explorer drop-down menu to open up each address, then add each one at a time to your bookmarks, then clear the history. A bit of warning: if the address of the site that you may have got the infection from is in the history drop-down menu, and you go to it, you will be back at square one.

    There are a couple of TEMP folders located in C:\Windows\; one is "TEMP" and the other is "temporary internet files". The "TEMP" folder contains seldom used fragments of applications, probably created at the time of installing the application, or during the application's operation, such as a log file etc.

    I haven't had any negative effects from just deleting the temp files, except that some of them were not able to be deleted due to them being in use while Windows was in normal mode.

    The "TEMPORARY INTERNET FILES" folder will contain graphics, cookies, some plugins, and other stuff that might be unidentified infected files, or may not have been deleted when clearing temp internet files from the Internet Options menu...
    Select and delete all of them if any remain.

    Once you get the stuff deleted, go back to your desktop and right click on the trashcan icon, then select empty trash.

    Restart Windows in normal mode and reset the hidden file/extension setting that I mentioned earlier, or you can leave it if you like the option to see the hidden/system files/extensions etc. Don't reset the other stuff regarding network shares.

    Check that your Display Properties has all the tabs that it should; in Windows XP it should look like the graphic in this link: http://www.microsoft.com/enable/trai...ppearance.aspx

    If you are missing any of the tabs, it's possible that the malware/virus/trojan infection removed them in the registry!
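    Added example for the last point, not code from the thread or its posters: a Python check for the symptom described above, Display Properties tabs that have gone missing. On Windows XP those tabs are hidden through REG_DWORD policy values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (NoDispCPL, NoDispBackgroundPage, NoDispScrnSavPage, NoDispAppearancePage, NoDispSettingsPage), where a value of 1 hides the matching tab; that is the mechanism behind the tabs being removed "in the registry". The per-user HKCU key is the one assumed here (a machine-wide policy under HKLM is not covered), the reader only reads that key and never writes it, and the pure function works on any name-to-value mapping so it can be run against an exported .reg file or a constructed dictionary on a non-Windows machine.

```python
from __future__ import annotations

# Policy values (REG_DWORD, 1 = hide) under this HKCU key that remove individual
# tabs, or the whole applet, from Display Properties on Windows XP.
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
TAB_POLICIES = {
    "NoDispCPL": "entire Display Properties applet",
    "NoDispBackgroundPage": "Desktop (Background) tab",
    "NoDispScrnSavPage": "Screen Saver tab",
    "NoDispAppearancePage": "Appearance tab",
    "NoDispSettingsPage": "Settings tab",
}


def hidden_tabs(policy_values: dict[str, int]) -> list[str]:
    """Return the tabs hidden by the given policy values (value name -> DWORD).
    Missing values and 0 mean the tab is shown, as they would on a clean XP."""
    return [TAB_POLICIES[name] for name in TAB_POLICIES
            if int(policy_values.get(name, 0) or 0) != 0]


def read_policy_values() -> dict[str, int]:
    """Read the relevant values from HKCU (read-only). Returns {} off Windows
    or when the policy key does not exist, which is the normal clean state."""
    try:
        import winreg
    except ImportError:            # not on Windows: nothing to read
        return {}
    values: dict[str, int] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY) as key:
            for name in TAB_POLICIES:
                try:
                    data, _ = winreg.QueryValueEx(key, name)
                    values[name] = data
                except FileNotFoundError:   # value not set: tab is shown
                    pass
    except FileNotFoundError:      # key absent: no display policies at all
        pass
    return values


if __name__ == "__main__":
    # Constructed values mimicking an infection that hid two tabs;
    # replace with read_policy_values() on the affected machine.
    sample = {"NoDispBackgroundPage": 1, "NoDispScrnSavPage": 1, "NoDispCPL": 0}
    for tab in hidden_tabs(sample):
        print("hidden by policy:", tab)
    live = hidden_tabs(read_policy_values())
    print("hidden on this machine:", live or "none")
```

    If the list is not empty on a machine where no administrator set those policies deliberately, that is the registry side of the missing tabs; restoring them is a matter of setting the values back to 0 or removing them, which the forum's cleanup tools handle, rather than something to hand-edit during an active infection.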

  7. #47
    Thanks for all the help. I would have had to buy a new PC before I would have figured all this out.

  8. #48
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Is everything working well now?
