Trojan removal help please

Hi

I'd like to ask for some help please. I'm running xp pro and was given a warning by Norton antivirus that I had downloaded a trojan and it could not be removed. So I closed down the Norton window by clicking the OK button. It said it was trojan moo.exe and gave a file path : C:\Documents and setting.....\wv[1].ani
Having never encountered a trojan before here's what I did:

1. I reran Norton and adaware 6 but it came up clean.
2. I restored my computer to an earlier time (2 days earlier).
3. I found this terrific forum and after reading about TDS-3 I downloaded the trial 30 day version. I've updated the radius td-3 file and ran the full system scan. It came up clean also. This is a great program and looks to my newbie eyes to be very thorough. I'll be buying this program.
4. I've located the file mentioned by norton: wv[1].ani Properties says its an animated cursor. and gives a Web address. Should I right click and delete this?
How do I get rid of this trojan please. How can I be sure its gone? Thanks very much.

Kind regards
Ed

 

Hi Ed,

Welcome to the Wilders forum

Could you please send (if possible zipped) that file wv[1].ani to DiamondCS:
submit(at)diamondcs.com.au

Thanks !
Regards, Jan.

 

Ed,

I guess this was the Trojan (Symantec site):
http://securityresponse.symantec.com/avcenter/venc/data/trojan.moo.html

or this one:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.moo.b.html

You can read there about it.

 

Hi Ed, welcome to the age of security online!
you might like to upload the file for a second opinion at jotti's online scan too in the meantime.
http://virusscan.jotti.org/
Hope you're clean though. Let us know what DiamondCS tells you too.
For animated cursors it depends where you got them. the kind of funstuff can contain all kinds of extras you'll find undesirable like adware, spyware, trackware, infections, loggers, etc.
I wrote CAN, i did not say it has all that at all time. Just scan the whole lot and see what is found on your system with several scanners.

 

Thanks for your helpful replies! Sorry I won't be able to zip and send the file. I mistakenly left clicked the .ani file and I think it triggered Norton into action. I got a window from Norton saying that the Trojan has been detected and removed. This 3 days after the Trojan was downloaded!
I'm still very impressed with TDS-3 knowing the deep and thorough scan it does. Although I don't yet understand all the options I find it easy to use and will make the purchase.
This is the best security forum I've seen and I've marked it as a favorite. I know I'll learn a lot from everyone here.

Kind regards
Ed

 

Hope your system is all clean, it might even have been a false positive, but most of times we try to find out everything related to a possible infection till really proven innocent.
Of course you could go back to your later (infected) system restore points, but i wouldn't do so if it were mine.
Thought Norton put everything in a quarantine area instead of deleting it?

On top of this TDS forum you'll find several very helpful sticky threads, some tests, settings, other explanation.

 

Hi Jooske
It may have been quarantined but it isn't there now.
Thanks for mentioning the sticky threads and other posts, I'll be sure to read them.

Best regards
Ed

 

You can try a scan in safe mode (F8 during startup on mine) and this allows TDS3 to access many locked directories. Also I like to disable page file and Hibernation so it doesn't come back later, then scan then re enable these options of course. Keep your eye on your ports with Port explorer to be sure your scan configuration was set right. Look for hidden processes first.

 

Hi guys! I also had the same wv[1].ani file and Norton has been giving me the same warning for the past 3 days. The problem is I couldn't seem to find it in my folders. Any help is much appreciated. Thanks guys!

 

by the way, I also tried running ad-aware, spybot and Norton but everything comes out clean. It also showed a location in my IE.5 folder but everytime I try searching for it, the folder seems to be gone. Has anyone ever had the same problem? thanks again!

 

Hi atonky.

Sometimes the IE5 folder is not where you may think it should be, like as in your username.
Mine is found C:/Documents and Settings/Default User/Local Settings/Temporary Internet Files/Content IE5

Look there, or make sure you look under all the user settings you may have after Documents and Settings

Cheers, TAS

 

Hi Tassie! thanks for the reply. I know exactly what you mean and I have also unhidden the folder and files but everytime I open the internet files folder under my username... the IE.5 folder is not there. When my Norton gives me a warning about the wv[1].ani virus, the location is actually in that IE.5 folder but I've scanned and searched for it... but I can't seem to find it. Weird!

 

Hi atonky
I'm new to this search and destroy business but you may want to try a search by clicking start> search> All Files and Folders> then type in .ani
It gave me a list of 36 .ani items. I looked down the list and found it there. I then right clicked and chose properties to get the file path. Mine was located in c:\windows\cursors.
Regards
Edw.