#1
My Norton Anti Virus pops up an information about a Trojan Horse
st.exe / strojan.exe, and says it is unable to repair. I've run Xoftspy 3.44, Trojan Remover, Trojan Hunter, System Mechanic SpyHunter, Spybot-SD, Ad-aware 6.0, Stinger, kremove, FxNetsky, FxMydoom, bremove, CWShredder and none was able to find it. When I check the file on C:\WINDOWS\ST.EXE, there it is, but when I try to remove it, it won't let me. I try to close the running program by ctrl+alt+del, but it does not appear there; I try then the viewers Pview2 and Asviewer and they also do not show st.exe or strojan.exe, so I am unable to remove it. I also did two other things: turned off the system restore, entered safe mode, deleted the file st.exe, but it keeps coming back. I've done some 4 online scans, but so far no luck. Is there any other way to solve this? I am using WIN XP Home. Tks for any help, Ricardo
#2
#3
Yes, I saw that before, but it did not help at all.
Hope to find some other way. Tks Ricardo
#4
When your antivirus detected the file it locks access so you can't touch it.
You could disable the protection for a moment (maybe while not online) and then try to delete the file. I would ask that you zip it with a password first, and send me that zip file to submit@diamondcs.com.au for analysis. The other option to remove it so it isn't locked for access is Safe Mode.
#5
Hi,
Just sent an email with a zip file without password, because I do not know how to put a password. Tks Ricardo
#6
I believe I finally got rid of this pest. I want to thank everyone that sent all the suggestions for their help, and I got a lot of help from the forums: PC Magazine, Annoyances.org, TomCoyote, Windows BBS, Wilders Security, Spyware Warrior, Computing.Net, Dell Community. I tried many online scans, but the only one that was able to find the netda/db/dc.exe was on McAfee, but they only showed some files where the exe was. I finally had to search manually, due to the fact that the Windows search was only 70% reliable, so I found these lines and deleted them:

C:\windows\prefetch\NETDC.EXE-00DA8B70.pf
C:\windows\prefetch\NETDB.EXE-006fa9bb.pf
C:\windows\prefetch\NETDC.EXE-00da8870.pf
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdcF01200
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdbq_52cf307_q
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdbq_80411e_q
C:\Documents and Settings\All Users\Application Data\SecTaskMan\-net6559200
C:\Documents and Settings\All Users\Application Data\SecTaskMan\-net65596
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Netdb.exe
C:\Windows\pss\netdb.exestartup

Also, went through the registry keys below; after all these, I haven't found the netda/db/dc.exe again (hopefully never again).

Another way to start a file is to use the shell method. The file name following explorer.exe will start whenever Windows starts. As with Win.ini, file names might be preceded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the \Windows directory.

The Startup Directory
Any file in C:\WINDOWS\Start Menu\Programs\StartUp will start when Windows is booted.

The Registry
There are many registry entries that can be used to automatically invoke a program when the machine boots. These include:

Type 1
Here are the most common autostart keys:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

Type 2
If the keys below don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*", then they are automatically invoking the specified file.
[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

Type 3
Additional autostart methods. The first two are used by SubSeven 2.2:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User shell folders

So, if this information is of some value, I hope whoever needs it may get lucky and get rid of it faster. Tks all Ricardo
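As an added example that is not part of the thread: a small Python script that parses a regedit `.reg` export and lists entries in the three autostart locations Ricardo describes (the Run keys, the `shell\open\command` defaults that must read `"%1" %*`, and the Active Setup / User Shell Folders keys). The sample export and the name `sample.exe` are constructed for illustration.

```python
import re

# Type 2 keys must carry this default; anything else launches another file first.
EXPECTED_OPEN_COMMAND = '"%1" %*'
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                    "\\currentversion\\runservices", "\\currentversion\\runservicesonce")
OPEN_COMMAND_RE = re.compile(r"\\(exe|com|bat|hta|pif)file\\shell\\open\\command$", re.I)
TYPE3_MARKERS = ("\\active setup\\installed components", "\\explorer\\user shell folders")

def _unescape(data):
    # .reg exports escape embedded quotes and backslashes inside string data.
    return data.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line.endswith('"'):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"'):           # skip dword:/hex: values
                keys[current][name] = _unescape(data[1:-1])
    return keys

def find_autostarts(keys):
    """List (kind, key, value_name, data) for entries in the post's Type 1/2/3 locations."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(RUN_KEY_SUFFIXES) or any(m in low for m in TYPE3_MARKERS):
            findings.extend(("autostart", path, n, d) for n, d in values.items())
        elif OPEN_COMMAND_RE.search(path):
            if values.get("(Default)", "") != EXPECTED_OPEN_COMMAND:
                findings.append(("hijacked-open-command", path, "(Default)", values.get("(Default)", "")))
    return findings

# Constructed sample export (not from the thread); "sample.exe" is a placeholder name.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Updater"="C:\\WINDOWS\\sample.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"C:\\WINDOWS\\sample.exe\" \"%1\" %*"
'''
```

Run key entries are listed regardless of content, since a benign driver loader and a dropper look alike to a parser; the Type 2 check is the one that can flag a deviation on its own.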