trojan not going away...

Discussion in 'ewido anti-spyware forum' started by uhoh, Jul 10, 2006.

Thread Status:
Not open for further replies.
  1. uhoh

    uhoh Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    3
    My computer seems to have contracted a trojan, which I've researched and believe it to be called "trojan.secup".

    When I do a scan, ewido finds a 'small.trojan' in the registry, and I quarantined it, and then deleted it. I then restarted my comp. and did another scan to be safe, and the scan found it again, and I quarantined and deleted it again, but alas, it still haunts my dearest notebook.

    Any help would be appreciated in ridding my machine of this dreadful malice.

    Thanks in advance.
     
  2. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    Try doing the scan in safe mode. :)
     
  3. uhoh

    uhoh Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    3
    I've tried the safe mode thing...twice. I've even found it in the registry and manually deleted it, but it comes back within like 5 seconds.
    Ewido finds it all the time and quarantines it, but that doesn't stop the pop ups and crap, and it just won't be rid of :'(

    Am I SOL on this or what?:doubt:

    Merci bien

    P.S. When Ewido finds it, it lists it as "Trojan.small".
    In the registry, it's under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll
     
  4. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: Try this: Turn off system restore, boot into safe mode, and then manually delete it (you have mentioned that you can do it). Boot back into normal mode to see if it is still there. If not, turn on the system restore, bingo, you are back to normal.
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Hi uhoh,

    kernel32.dll is a legitimate windows file:-

    http://www.fileproperties.com/k/kernel32-dll.htm

    http://www.webopedia.com/TERM/K/kernel32_dll.html

    Clearly something is putting the entry back into Regedit each time you remove it.

    When you look at the 'Run' Key in Regedit, is there any data in the next column alongside the kernel32.dll value, such as an .exe file? The Zlob Trojan for example may have <System>\mssearch.exe as a data entry next to kernel32.dll. Or it could say something like:-

    kernel32.dll = "%System%\mssearchnet.exe"

    Because kernel32.dll loads with windows, this would be a way of getting a trojan to run every bootup. If you find an .exe mentioned you would need to try and remove it.

    One thing you should try with ewido though is a memory scan in safe - does that find anything?

    You mention pop-ups, are they like this:-

    http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=50213

    You probably can't remove the file because it is running, but so long as you have the file path you can try and delete it on a reboot by using PocketKillBox:-

    http://www.majorgeeks.com/Pocket_KillBox_d4709.html
     
  6. uhoh

    uhoh Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    3
    Yes TopperID, the pop-ups are like the ones mentioned in your link, there are others, but the 2 shown are among them.

    The data beside the kernel32.dll = C:\WINDOWS\system32\isnotify.exe

    I will try the memory scan in safe mode.

    Thanks again guys (or girls). :thumb:
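
One way to triage the autostart entries discussed in the two posts above, as an added PowerShell example rather than anything the thread's posters or ewido supplied; the key list, the Get-AutostartTarget helper and the Review heuristic are this example's own assumptions, not a published tool.

```powershell
# Added example for this thread (not code from the posters or from ewido):
# list the Run-style autostart keys, including the
# HKLM\...\policies\explorer\run key named in the thread, and show which
# executable each value launches, so an entry such as
# kernel32.dll = C:\WINDOWS\system32\isnotify.exe stands out for review.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-AutostartTarget {
    param([string]$Data)
    # Strip surrounding quotes and trailing arguments and expand %System%-style
    # variables so the launched file can be checked on disk (helper assumed here).
    $expanded = [Environment]::ExpandEnvironmentVariables($Data)
    if ($expanded -match '^\s*"?([^"]+?\.(exe|dll|scr|com))"?') { return $Matches[1] }
    return $expanded.Trim()
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data   = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $target = Get-AutostartTarget -Data $data
        $exists = ($target -ne '') -and (Test-Path -LiteralPath $target -PathType Leaf)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'n/a' }
        # Triage heuristic (an assumption of this example): a value named after a
        # system DLL, a target that is missing, or a target with no valid signature.
        $suspicious = ($name -match '\.dll$') -or (-not $exists) -or ($sig -ne 'Valid')
        [PSCustomObject]@{
            Key       = $key
            ValueName = $name
            Data      = $data
            Target    = $target
            Exists    = $exists
            Signature = $sig
            Review    = $suspicious
        }
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell; a value named after a Windows DLL whose data launches an unsigned .exe, like the entry quoted above, sorts to the top with Review set to True. The list is a starting point for manual review, since some legitimate programs are unsigned and the regex treats a bare name such as rundll32.exe as a relative path.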
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    O.K., now I can see you've probably got a SmitFraud variant, which would normally require running a special tool; for that reason I think it would be best if you posted a HijackThis log at a Forum dealing with that sort of thing.

    Here are some suggestions that I gave in another thread:-

    https://www.wilderssecurity.com/showpost.php?p=792974&postcount=2

    I think it would be better for you to be guided through a cleanup rather than thrashing around yourself.
     