Ewido and Trojan.Pakes

Discussion in 'ewido anti-spyware forum' started by Tyreabusa, May 17, 2006.

Thread Status:
Not open for further replies.
  1. Tyreabusa

    Tyreabusa Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    13
    Hi. Ewido works fine on my system and I have recommended it to many friends, but when it comes to Trojan.Pakes (whatever that is) it cannot delete it. I tried a free software trojan remover just to see what happened and it picked up 7 spyware and trojans that Ewido has not dealt with. Anyone got any ideas what's going on here?

    Nick
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Are you able to give the full file path of Trojan.Pakes and similarly for the other bugs found? What free trojan remover did you use?

    Without more details it is impossible to answer your question.
     
  3. Tyreabusa

    Tyreabusa Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    13
    The scan doesn't give the full path. It just detects it and says "error removing" when you view the log afterwards. The free software was Spyware Doctor. If you need more info please tell me how to get it... sorry!

    Nick
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I'll not interfere as Topper assists you with Ewido and Trojan.Pakes, but concerning Spyware Doctor, would you mind posting the log that references those items it found, please?

    1) Open Spyware Doctor
    2) Select Settings from left menu
    3) Select the log that contains those items and select View Log
    4) Copy\Paste all the info below Infection Name\Location\Risk contained in that log to a post here, please.
    **Note: While you are viewing the log which should be displayed as an html page....you can select File\Save As and save it as a .txt file. You can then upload that .txt file as an attachment to a post.

    Also select the Status tab and post what Product version and Database version you have, please.

    The latest database contains a few False positives which is why I am requesting you post that info so we can get that out of the way as Topper helps you further with Trojan.Pakes.
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    With regard to the ewido finding, when you run a scan you should find a button in the bottom right corner of the GUI marked 'View Report' which, when clicked, gives file name and file path of things found.

    You can also click the button to save the report, which would enable you to upload and post it, should that be necessary.

    Perhaps the object is being found in Memory, in which case it should have a PID Number instead of a file path. Does it show up on a Memory scan?

    If that were the case you would need to go into Safe Mode and ensure the relevant Process was Terminated before attempting to delete the object.
     
  6. Tyreabusa

    Tyreabusa Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    13
    I ran the scan again and it came up with a path. Here is the path:

    [2256]VM_014E0000

    Once again Ewido said there was a fault when cleaning the file. Thanks for your help everyone. I will post the Spyware Doctor file later.

    Nick
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    One thing you can try is running ewido again, get the path and note the number in square brackets; this should be the PID which is 2256 in your example but which is likely to change after each reboot.

    Then you click the Analysis/Processes tabs in ewido and scroll down to the relevant PID number. Make a note of the process involved and select it by clicking it; you then need to click 'Terminate Process'. Once you have done that it might be possible to run ewido again to clean the object. You may need to do this in Safe Mode.

    That is the theory, however if the object is lodged into an important system file such as Winlogon.exe it may not be possible.

    Another thing would be to try an online scan to see if you can find other things being missed:-

    http://www.kaspersky.com/service?chapter=161739400

    Let us know if that finds anything.
     
  8. Tyreabusa

    Tyreabusa Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    13
    Ran Kaspersky online scanner and it found no infections at all.

    Ran Ewido again. It found the Trojan.Pakes again; the PID was the same number. Terminated the process for that file which was:

    C:\WINDOWS\Explorer.EXE

    Ran Ewido again. It found Trojan Pakes again but the PID was:
    [536]_00AD0000. This time it was in:

    C:\WINDOWS\Programme Files\IEXPLORER.exe

    I terminated the process again. Can it change folders? What next, guys?

    Thanks,

    Nick
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It could manifest in more than one process and you would need to terminate all relevant processes simultaneously to have success. You can do that in ewido by selecting the first process and then holding down the Ctrl key while selecting the other one/s, before clicking to Terminate.

    I agree it is odd that KAV found nothing. Probably your best bet at this stage is to run HijackThis and have your log read at a Forum that deals with them. You can get HJT here:-

    http://www.spywareinfoforum.com/~merijn/downloads.html

    Here are a couple of tutorials, should you need them:-

    http://www.tomcoyote.com/hjt/

    http://www.bleepingcomputer.com/tutorials/tutorial94.html

    http://www.bleepingcomputer.com/tutorials/tutorial42.html

    Here are a few Forums to choose from, though only post at one:-

    http://forums.tomcoyote.org/index.php?showforum=27

    http://forums.subratam.org/index.php?showforum=7

    http://z13.invisionfree.com/BFC_Computer_Help/index.php?showforum=5

    http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

    Let us know how it goes and good luck.

    P.S. you can still post your Spyware Doctor log if you want Bubba to check whether it is showing FPs or not.
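
Added example, not part of the original thread and not ewido's own code: a small Python helper that reads in-memory findings of the form quoted above (`[PID]VM_xxxxxxxx`), groups them by detection, and lists every hosting process so they can be ended together as described. The ` -> ` report-line layout, the process table, PIDs 612 and 9999, and the reading of the hex suffix as a memory region are assumptions made for illustration.

```python
import re
from collections import defaultdict

# In-memory entry as quoted in the thread: "[2256]VM_014E0000", "[536]_00AD0000".
# Assumption: the hex suffix identifies a memory region inside that process.
MEM_ENTRY = re.compile(r"\[(\d+)\](?:VM)?_([0-9A-Fa-f]{8})")

# Processes that cannot simply be terminated (the thread names Winlogon.exe).
PROTECTED = {"winlogon.exe"}

def parse_memory_hits(report_lines):
    """Map detection name -> {pid: [region, ...]} for in-memory findings only."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in report_lines:
        location, sep, name = line.partition(" -> ")
        m = MEM_ENTRY.fullmatch(location.strip())
        if not sep or not m:
            continue  # file-path findings carry no PID
        hits[name.strip()][int(m.group(1))].append(m.group(2).upper())
    return hits

def termination_plan(hits, process_table):
    """Per detection, list every hosting process so all can be ended together."""
    plan = {}
    for name, by_pid in hits.items():
        entries = []
        for pid in sorted(by_pid):
            image = process_table.get(pid)
            if image is None:
                status = "stale"       # PID gone (e.g. after a reboot): rescan
            elif image.rsplit("\\", 1)[-1].lower() in PROTECTED:
                status = "protected"   # do not kill; needs another approach
            else:
                status = "terminate"
            entries.append((pid, image, status))
        plan[name] = entries
    return plan

# Constructed sample report; only the first two location tokens come from the thread.
SAMPLE_REPORT = [
    "[2256]VM_014E0000 -> Trojan.Pakes",
    "[536]_00AD0000 -> Trojan.Pakes",
    "[612]VM_01000000 -> Trojan.Pakes",
    "[9999]VM_00400000 -> Trojan.Pakes",
    r"C:\WINDOWS\system32\example.dll -> Constructed.Sample",
]
# Constructed process table (PID -> image path); paths for 2256 and 536 as posted.
SAMPLE_PROCESSES = {
    2256: r"C:\WINDOWS\Explorer.EXE",
    536: r"C:\WINDOWS\Programme Files\IEXPLORER.exe",
    612: r"C:\WINDOWS\system32\winlogon.exe",
}
```

Calling `termination_plan(parse_memory_hits(SAMPLE_REPORT), SAMPLE_PROCESSES)` returns one list per detection name, ordered by PID, with a status for each hosting process.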
     
  10. Tyreabusa

    Tyreabusa Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    13
    RE: Spyware Doctor post:

    As it's the evaluation copy, I can't copy and paste any files, but it has found 63 threats! I'll try and quote the main ones.

    Pearl Echo HKCR\keycode.keydecoder.2
    Also: HKCR\Interface\{9D573D0E-663C-435F-BF31-2C4497373C41}
    There are more HKCR and they have either ## on the end or ProxyStubClsid or with ## , or 32##, or TypeLib, or TypeLib##Version, or different numbers in the parenthesis.

    Trojan.Downloader.Agent.AAE
    Trojan.Downloader.Agent.SY C:\WINDOWS\system32\msblank.html
    same C:\WINDOWS\system32\winctrl16.exe
    same C:\WINDOWS\system32\winctrl32.exe
    same same \winctrl64.exe

    Trojan.Downloader.Ruins multiple locations

    Trojan.MSNAgent C:\WINDOWS\help\SPAlert.chm

    Strangely enough, it doesn't find the Trojan.Pakes! Help!

    Nick
     
  11. John_McKenna

    John_McKenna Registered Member

    Joined:
    Oct 12, 2004
    Posts:
    8
    You will need LonnyRJones' Fixwareout tool to remove Trojan.Pakes

    Any of the forums listed above will give you instructions for using Fixwareout.
     