Trojan ST.EXE

Discussion in 'malware problems & news' started by ricardo56, Aug 12, 2004.

Thread Status:
Not open for further replies.
  1. ricardo56

    ricardo56 Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    13
    My Norton Anti Virus pops up information about a Trojan Horse
    st.exe / strojan.exe, and says it is unable to repair it.
    I've run Xoftspy 3.44, Trojan Remover, Trojan Hunter, System Mechanic SpyHunter,
    Spybot-SD, Ad-aware 6.0, Stinger, kremove, FxNetsky, FxMydoom, bremove, CWShredder
    and none was able to find it. When I check the file at C:\WINDOWS\ST.EXE, there it
    is, but when I try to remove it, it won't let me. I try to close the running program
    with ctrl+alt+del, but it does not appear there; I then try the viewers Pview2 and Asviewer
    and they also do not show st.exe or strojan.exe, so I am unable to remove it. I also
    did two other things: turned off System Restore, entered Safe Mode and deleted the
    file st.exe, but it keeps coming back. I've done some 4 online scans, but so far
    no luck. Is there any other way to solve this?
    I am using WIN XP Home.
    Tks for any help,
    Ricardo
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
  3. ricardo56

    ricardo56 Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    13
    Yes, I saw that before, but it did not help at all.
    Hope to find some other way.

    Tks
    Ricardo
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    When your antivirus detects the file, it locks access so you can't touch it.

    You could disable the protection for a moment (maybe while not online) and then try to delete the file. I would ask that you zip it with a password first, and send me that zip file at submit@diamondcs.com.au for analysis.

    The other option to remove it, so it isn't locked for access, is Safe Mode.
     
  5. ricardo56

    ricardo56 Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    13
    Hi,

    Just sent an email with a zip file without a password, because I do not know how to put a password on it.
    Tks
    Ricardo
     
  6. ricardo56

    ricardo56 Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    13
    I believe I finally got rid of this pest. I want to thank everyone that sent all the suggestions for their help, and I got a lot of
    help from the forums: PC Magazine, Annoyances.org, TomCoyote, Windows BBS, Wilders Security, Spyware Warrior,
    Computing.Net, Dell Community. I tried many online scans, but the only one that was able to find the netda/db/dc.exe
    was McAfee's, but it only showed some files where the exe was. I finally had to search manually, due to the fact
    that the Windows search was only 70% reliable, so I found these lines and deleted them:

    C:\windows\prefetch\NETDC.EXE-00DA8B70.pf
    C:\windows\prefetch\NETDB.EXE-006fa9bb.pf
    C:\windows\prefetch\NETDC.EXE-00da8870.pf
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdcF01200
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdbq_52cf307_q
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdbq_80411e_q
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\-net6559200
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\-net65596
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Netdb.exe
    C:\Windows\pss\netdb.exestartup

    Also, I went through the registry keys below; after all this, I haven't found the netda/db/dc.exe again (hopefully never again).

    Another way to start a file is to use the shell method. The file name following explorer.exe will start whenever Windows starts.
    As with Win.ini, file names might be preceded by considerable space on such a line, to reduce the chance that they will
    be seen. Normally, the full path of the file will be included in this entry. If not, check the \Windows directory.

    The Startup Directory
    Any file in C:\WINDOWS\Start Menu\Programs\StartUp will start when windows is booted.

    The Registry
    There are many registry entries that can be used to automatically invoke a program when the machine boots. These include:

    Type 1
    Here are the most common autostart keys:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

    Type 2
    If the keys below don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*",
    then they are automatically invoking the specified file.


    [HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
    [HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
    [HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
    [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
    [HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

    Type 3
    Additional autostart methods. The first two are used by SubSeven 2.2

    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User shell folders

    So, if this information is of some value, I hope whoever needs it may get lucky and get rid of it faster.
    Tks all
    Ricardo
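The post above lists three autostart mechanisms (the Run* keys, the per-class shell\open\command handlers, and the "shell method", i.e. extra programs named after Explorer.exe in the Winlogon Shell value). The script below is an added example, not code from the thread or from any tool named in it: it parses a registry export and applies exactly those three checks offline, so the suspect machine only has to run reg.exe or regedit's export. It assumes the export is a "Windows Registry Editor Version 5.00" file (regedit and reg.exe write these as UTF-16 text, so open them with encoding="utf-16") and that the Shell value lives at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which is where Windows NT/2000/XP keep it. Two caveats the post does not mention: on XP the htafile handler legitimately reads C:\WINDOWS\System32\mshta.exe "%1" %*, so comparing it against a bare "%1" %* would be a false positive (the script checks it by pattern instead), and the RunServices/RunServicesOnce keys are a Windows 9x/ME feature that XP never processes, so anything found there is stale rather than active. The sample export embedded in the script is constructed for the demo and is not from the poster's machine.

```python
"""Offline audit of a Windows registry export (.reg text) for the autostart
locations discussed in the thread.  Added example, not code from the thread.
Assumes a Version 5.00 export (reg export <key> out.reg), read as utf-16."""
import re

# Type 1: every value under these keys is launched at logon/boot.
RUN_KEY_RE = re.compile(
    r"^hkey_(?:local_machine|current_user)\\software\\microsoft\\windows"
    r"\\currentversion\\run(?:once|services|servicesonce)?$")
# Type 2: <class>\shell\open\command must be exactly "%1" %* ...
OPEN_CMD_RE = re.compile(
    r"\\(exefile|comfile|batfile|piffile|htafile)\\shell\\open\\command$")
CLEAN_OPEN_CMD = '"%1" %*'
# ... except htafile, which legitimately runs through mshta.exe on XP.
HTA_OK_RE = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?mshta\.exe"? "%1" %\*$', re.I)
# "Shell method": Winlogon\Shell should name Explorer.exe alone; extra
# comma-separated entries (often padded with spaces) start another program.
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes " and \ with a backslash


def parse_reg_export(text):
    """Return {key_path.lower(): {value_name: data}}.  REG_SZ data is unescaped;
    dword:/hex: data is kept raw.  Lines ending in a backslash are joined."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()          # key names are case-insensitive
            keys.setdefault(current, {})
            continue
        if line[-1] == "\\":                      # hex continuation line
            pending = line[:-1]
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def first_token(cmd):
    """Program part of a command line: the quoted token, else up to the first
    space (an unquoted path containing spaces is ambiguous by design)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def list_run_entries(keys):
    """(key, name, data, bare) for every Type 1 entry.  bare=True means the
    program has no directory, so it is found via the search path and, as the
    post says, is worth looking for in \\Windows."""
    out = []
    for path, values in keys.items():
        if not RUN_KEY_RE.match(path):
            continue
        for name, data in values.items():
            if data.startswith(("hex", "dword:")):   # binary/expand-sz: not decoded here
                continue
            out.append((path, name, data, "\\" not in first_token(data)))
    return out


def check_open_commands(keys):
    """(key, command) for each Type 2 handler that no longer runs the file itself."""
    out = []
    for path, values in keys.items():
        m = OPEN_CMD_RE.search(path)
        if not m:
            continue
        cmd = values.get("", "")
        clean = HTA_OK_RE.match(cmd) if m.group(1) == "htafile" else cmd == CLEAN_OPEN_CMD
        if not clean:
            out.append((path, cmd))
    return out


def check_winlogon_shell(keys):
    """Programs other than Explorer.exe named in the Winlogon Shell value."""
    values = keys.get(WINLOGON_KEY, {})
    shell = next((v for k, v in values.items() if k.lower() == "shell"), "Explorer.exe")
    return [p.strip() for p in shell.split(",") if p.strip().lower() != "explorer.exe"]


def audit(text):
    keys = parse_reg_export(text)
    return {"run": list_run_entries(keys), "hijacks": check_open_commands(keys),
            "shell": check_winlogon_shell(keys)}


# Constructed sample (not from the poster's machine): one hijacked handler, the
# legitimate htafile handler, a bare Run entry and a padded Shell value.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\suspect.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
@="C:\\WINDOWS\\System32\\mshta.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"
"Blob"=hex:01,02,\
  03

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe,          C:\\WINDOWS\\suspect.exe"
'''

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_EXPORT).items():
        print(kind, *items, sep="\n    ")
```

To use it on a real machine, export the keys from the post with reg.exe (for example `reg export HKCR\exefile exefile.reg`, one export per key, then concatenate), copy the files off the box, and call `audit(open("exefile.reg", encoding="utf-16").read())`. A hijacked exefile handler is the one case where deleting the value is wrong: restore it to "%1" %* instead, or every .exe launched afterwards (including the cleanup tools) will go through the hijacker.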
     