trojan not going away...


uhoh
July 10th, 2006, 10:11 PM
My computer seems to have contracted a trojan, which I've researched and believe it to be called "trojan.secup".

When I do a scan, ewido finds a 'small.trojan' in the registry, and I quarantined it, and then deleted it. I then restarted my comp. and did another scan to be safe, and the scan found it again, and I quarantined and deleted it again, but alas, it still haunts my dearest notebook.

Any help would be appreciated in ridding my machine of this dreadful malice.

Thanks in advance.

dah145
July 10th, 2006, 11:24 PM
Try doing the scan in safe mode. :)

uhoh
July 16th, 2006, 10:57 PM
I've tried the safe mode thing...twice. I've even found it in the registry and manually deleted it, but it comes back within like 5 seconds.
Ewido finds it all the time and quarantines it, but that doesn't stop the pop ups and crap, and it just won't be rid of. :'(

Am I SOL on this or what?:-\

Merci bien

P.S. When Ewido finds it, it lists it as "Trojan.small".
In the registry, it's under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll

Perman
July 17th, 2006, 12:39 AM
Hi, folks: Try this: Turn off system restore, boot into safe mode, and then manually delete it (you have mentioned that you can do it). Boot back into normal mode to see if it is still there. If not, turn on the system restore, bingo, you are back to normal.

TopperID
July 17th, 2006, 10:04 AM
Hi uhoh,

kernel32.dll is a legitimate Windows file:-

http://www.fileproperties.com/k/kernel32-dll.htm

http://www.webopedia.com/TERM/K/kernel32_dll.html

Clearly something is putting the entry back into Regedit each time you remove it.

When you look at the 'Run' Key in Regedit, is there any data in the next column alongside the kernel32.dll value, such as an .exe file? The Zlob Trojan for example may have <System>\mssearch.exe as a data entry next to kernel32.dll. Or it could say something like:-

kernel32.dll = "%System%\mssearchnet.exe"

Because kernel32.dll loads with windows, this would be a way of getting a trojan to run every bootup. If you find an .exe mentioned you would need to try and remove it.

One thing you should try with ewido though is a memory scan in safe mode - does that find anything?

You mention pop-ups, are they like this:-

http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=50213

You probably can't remove the file because it is running, but so long as you have the file path you can try and delete it on a reboot by using PocketKillBox:-

http://www.majorgeeks.com/Pocket_KillBox_d4709.html

uhoh
July 17th, 2006, 03:41 PM
Yes TopperID, the pop-ups are like the ones mentioned in your link, there are others, but the 2 shown are among them.

The Data beside the kernel32.dll = C:\WINDOWS\system32\isnotify.exe

I will try the memory scan in safe mode.

Thanks again guys (or girls). :thumb:
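The two posts above describe the persistence trick at the heart of this thread: the value name in the Run key (here "kernel32.dll") is only a label, and the data beside it (here C:\WINDOWS\system32\isnotify.exe) is what Windows actually launches at logon. The script below is an added example written for this thread, not a tool from the forum or from any of the posters; it parses the text of a `reg export` dump of the Run keys and flags entries whose name impersonates a system file, whose key is an unusual autostart location, or whose executable is not on an allowlist. The `.reg` text, the `KNOWN_GOOD_EXE` allowlist and the `TEMP_MARKERS` list are all constructed for the demo (the isnotify.exe entry mirrors the one the poster reported), so the allowlist must be replaced with one built from a clean machine before the checks mean anything.

```python
"""Flag suspicious autostart entries in a Windows Run-key export (added example)."""
import re

# Constructed .reg text. On a real machine it would come from, e.g.:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run" run.reg
# The kernel32.dll -> isnotify.exe line reproduces the entry reported in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"kernel32.dll"="C:\\WINDOWS\\system32\\isnotify.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\upd.exe\" /s"
'''

# Constructed allowlist for the demo; build the real one from a known-clean system.
KNOWN_GOOD_EXE = {"ctfmon.exe"}
# Path fragments that indicate a per-user or temporary location (constructed heuristic).
TEMP_MARKERS = ("\\temp\\", "\\local settings\\", "\\appdata\\")

KEY_LINE = re.compile(r'^\[(.+)\]\s*$')
# "name"="data" where both sides may contain \" and \\ escapes as reg export writes them.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape(s):
    """Undo the .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return a list of (key, value_name, data) tuples for string values in the export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def executable_of(command):
    """Extract the program path from a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess(entries):
    """Apply the heuristics and return one finding dict per suspicious entry."""
    findings = []
    for key, name, data in entries:
        reasons = []
        exe_path = executable_of(data)
        exe_name = exe_path.rsplit("\\", 1)[-1].lower()
        # The value name is a label only; a DLL/driver name there is a disguise.
        if name.lower().endswith((".dll", ".sys")):
            reasons.append("value name mimics a system file; Run-key names are only labels")
        if key.lower().endswith("policies\\explorer\\run"):
            reasons.append("lives in policies\\explorer\\run, an unusual autostart location")
        if any(marker in exe_path.lower() for marker in TEMP_MARKERS):
            reasons.append("launches from a temporary or per-user directory")
        if exe_name and exe_name not in KNOWN_GOOD_EXE:
            reasons.append(f"{exe_name} is not on the allowlist")
        if reasons:
            findings.append({"key": key, "name": name, "command": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess(parse_reg_export(SAMPLE_REG)):
        print(f"[{f['key']}]\n  {f['name']} = {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it as-is to see the constructed entries scored; on a live system, export the Run keys (both HKLM and HKCU, plus the policies\explorer\run key) and feed that text to `parse_reg_export`. The allowlist check is deliberately strict (anything not explicitly known is reported), which is the right default when the goal is to spot the one launcher that keeps re-creating a deleted value.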

TopperID
July 17th, 2006, 07:00 PM
O.K., now I can see you've probably got a SmitFraud variant, which would normally require running a special tool. For that reason I think it would be best if you posted a HijackThis log at a forum dealing with that sort of thing.

Here are some suggestions that I gave in another thread:-

http://www.wilderssecurity.com/showpost.php?p=792974&postcount=2

I think it would be better for you to be guided through a cleanup rather than thrashing around yourself.