Trojan\cleaning info needed

Discussion in 'malware problems & news' started by snowman, May 6, 2002.

Thread Status:
Not open for further replies.
  1. snowman

    snowman Guest

    The following is not on my computer; it's on the computer of a friend's children. These people cannot afford to purchase a paid-for trojan scanner.

    I installed the free version of Ants, ran a scan, and was alerted to the following trojan:

    <c:\windows\command\choice.com>

    Ants was instructed to "remove" but was not able to do so. I did a short search for more information on this, but the results were very slim; I found only one English website, describing certain code that could be used with DEBUG in a Win95 box to execute a range of commands.

    Frankly I am at a loss on how to remove this entirely. I could possibly prevent it from executing by aborting the "com" script, but that would not remove anything. Being that it's located in c:\windows, perhaps I could rename it; deleting it entirely may cause OS problems. So if anyone can offer any suggestions, it would be appreciated.

    snowman


       
     
  2. Raygun

    Raygun Registered Member

    Joined:
    Apr 24, 2002
    Posts:
    31
    Location:
    The Beach!
    Maybe you found this, but it's all I could find, so it may help you.

    Good luck..

    http://www.geocities.com/thestarman3/asm/debug/debug.htm
     
  3. snowman

    snowman Guest

    Raygun

    Thank you for taking the time to reply. Yes, the link you listed is what I located also. Later I located more info suggesting that this may be a backdoor-type trojan such as a SubSeven type.

    The fact that DEBUG can be used command-style may indicate that it can be used by a trojan. My knowledge in this area is lacking, so I must rely on other suggestions offered. I will take a wait-and-see position on responses for right now.

    Thanks

    snowman
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'll start looking for stuff right now, snowman. Pete
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    snowman - Are they using NAV? I've got choice.com here twice and it looks like a NAV system rescue file. Pete
     
  6. snowman

    snowman Guest

    Pete

    I really appreciate your help. I think you know how protective I am when there are children involved.

    I have just found a free program called Backwork2; supposedly it will catch 250-odd trojans at start-up.

    Pete, I am wondering if maybe I didn't use Ants correctly to clean this thing. When Ants alerted, I chose the option "yes, to all"; afterwards I checked "options" and it had changed to "remove trojan now", and that have removed this darn thing.

    File sharing is enabled on the computer; AOL Messenger is used extensively. They have AVG and ZA installed.

    Pete, I have never seen a computer as messed up as the one mentioned here. rundll.32 is shown in ZA as a running application accessing the internet. It baffles me that the computer even works at all; it's jam-packed with files and programs. Neither of the parents has any knowledge of computers.

    I've a feeling this may be a file-sharing bot.

    snowman
     
  7. snowman

    snowman Guest

    PETE

    No, they don't have NAV, just AVG.

    You have me wondering now. Recently they installed two games, ".OUTBOUND..." being one; it's non-spyware but does have an internet access feature to post high scores. They have INCANTA GOLF, non-spyware, but I seem to recall it has some form of internet access for help. Other than that, I installed "MAXMEM" because the computer needed it desperately.

    snowman
     
  8. snowman

    snowman Guest

    Pete

    If you are showing <choice.com> then I seriously doubt that this thing I am mentioning here is a trojan. I base this on knowing your knowledge and intent observation of your computer.

    Maybe this is why Ants didn't clean it. Maybe what I'll do is block the "com" script and see what shows up.

    snowman
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    snowman - Three things:

    (1) Get pgremove.com tool from the Wilders 'Downloads' page, here: http://www.wilders.org/downloads.htm and run that on their computer.

    (2) Get the TrojanRXAssistance Pack from this page: http://www.wilders.org/free_tools.htm , run the tools in it and see if anything looks hinky.

    (3) get SwatIt from here: http://www.lockdowncorp.com/bots/downloadswatit.html and run that as a cross-check.

    (Okay, four things! :) )

    (4) Online scan: http://pcpitstop.com/antivirus/default.asp

    If this isn't merely a case of a false alarm, we'll need the exact name of what the infector is. Pete
     
  10. snowman

    snowman Guest

    PETE

    Will do. Much thanking you, Pete. I'll have to wait until the dad gets home from work to do this, but I will post the results as soon as possible.

    Sure hope you realize that your help is greatly appreciated.

    snowman
     
  11. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    snowman - You (and they) are quite welcome! I'm smelling 'false alarm' all over that one, so let's hope I'm right!

    It would be nice if someone would jump in and confirm/deny that command.com is simply a system file, though. Pete
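    Spy1's cross-check above (holding the flagged file up against the copy on his own machine) can be done byte-for-byte rather than by eye. The Python below is an added example, not code from anyone in this thread; it assumes you have a known-good copy of the same file from a clean machine running the same Windows version, and it uses constructed placeholder bytes rather than the real choice.com.

```python
import hashlib
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, for recording in the thread or sending to the AV vendor."""
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if a and b are identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def compare_to_reference(suspect: bytes, reference: bytes) -> dict:
    """Classify a scanner-flagged file against a known-good copy of the same file."""
    off = first_difference(suspect, reference)
    if off is None:
        status = "identical"      # same bytes as the clean copy: scanner hit is a false positive
    elif len(suspect) > len(reference) and suspect.startswith(reference):
        status = "appended"       # stock file with extra bytes glued on the end: treat as suspicious
    elif len(suspect) != len(reference):
        status = "size_differs"   # truncated or a different build; check the Windows version
    else:
        status = "modified"       # same size, different content: do not trust it
    return {
        "status": status,
        "first_diff_offset": off,
        "suspect_size": len(suspect),
        "reference_size": len(reference),
        "suspect_sha256": sha256_hex(suspect),
        "reference_sha256": sha256_hex(reference),
    }


def compare_files(suspect_path: str, reference_path: str) -> dict:
    """Same check, reading both files from disk (e.g. the flagged file and a clean machine's copy)."""
    with open(suspect_path, "rb") as f:
        suspect = f.read()
    with open(reference_path, "rb") as f:
        reference = f.read()
    return compare_to_reference(suspect, reference)


# Constructed sample bytes (placeholders, not the real CHOICE.COM):
REFERENCE = bytes(range(64)) * 4            # "clean copy" from the other machine
SUSPECT_SAME = bytes(REFERENCE)             # what a false positive looks like
SUSPECT_APPENDED = REFERENCE + b"\x90" * 16  # what a tampered copy might look like
```

    If the two copies come out "identical" the scanner, not the file, is the problem, which is exactly the false-alarm case Pete suspects; anything else is worth sending to the vendor as wizard suggests.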
     
  12. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    I guess you installed the old Ants version 2.0. That produces some false positives. Especially the heuristic. Did you enable the heuristic? A good idea would be a cross check with Kaspersky Anti Virus or TDS-3.

    If you are unsure about the file you can send it to your antivirus software company. They will check the file for free and tell you whether the file is malicious or not.

    wizard
     
  13. snowman

    snowman Guest

    Wizard

    Yes, Ants 2.0 was installed. I thought that was the newest version, and that the upgraded version hadn't been released as yet?

    This would appear to be a false positive. Their poor old computer is so overloaded it takes a full 10 minutes to start up; it took well over an hour for Ants to complete its scan, and Ants imo is rather a fast engine. The overload is making it difficult for me to install and run programs, but I took the advice that has been offered here. The slowness of the scans is making this a very time-consuming project.

    I'll keep everyone advised, and to all, on their behalf, thank you.

    snowman
     
  14. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    The last release of signatures for Ants 2.0 is from the end of last year. Ants 2.0 is no longer supported.

    wizard
     