Trojan ST.EXE

My Norton Anti Virus pops up an information about a Trojan Horse
st.exe / strojan.exe, and says it is unable to repair.
I've run Xoftspy 3.44, Trojan Remover, Trojan Hunter, System Mechanic SpyHunter,
Spybot-SD, Ad-aware 6.0, Stinger, kremove, FxNetsky, FxMydoom, bremove, CWShredder
and none was able to find it. When I check the file on C:\WINDOWS\ST.EXE, there it
is, but when I try to remove, it wound let me. I try to close the running program
by ctrl+alt+del, but it does not appear there, I try then the viwers Pview2 and Asviewer
and they also do not show st.exe or strojan.exe, so I am unable to remove it. I also
did two other things, turn off the system restore, enter the safe mode, deleted the
file st.exe, but it keeps coming back. I've done some 4 online scans, but so far
no luck. Is there any other way to solve this?
I am using WIN XP Home.
Tks for any help,
Ricardo

 

Yes, I' saw that before, but it did not help at all.
Hope to find some other way.

Tks
Ricardo

 

When your antivirus detected the file it locks access so you cant touch it

You could disable the protection for a moment (maybe while not online) and then try to delete the file. I would ask that you zip it with a password first, and send me that zip file to submit@diamondcs.com.au for analysis

The other option to remove it so it isnt locked for access - is Safe Mode

 

Hi,

Just sent an email with a zip file withou password, because I do not know how to put a password.
Tks
Ricardo

 

I believe I finaly got rid of this pest. I want to thank everyone that send all the suggestions for their help, and I got a lot of
help, from the forums: PC Magazine, Annoyances.org, TomCoyote, Windows BBS, Wilders Security, Spyware Warrior,
Computing.Net, Dell Community. I tried many online scans, but the only one that was able to find the netda/db/dc.exe
was on mcafee, but they only showed some files where the exe was. I finally had to search manually, due to the fact
that the windows search was only 70% reliable, so I found this lines and deleted them:

C:\windows\prefetch\NETDC.EXE-00DA8B70.pf
C:\windows\prefetch\NETDB.EXE-006fa9bb.pf
C:\windows\prefetch\NETDC.EXE-00da8870.pf
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdcF01200
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdbq_52cf307_q
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdbq_80411e_q
C:\Documents and Settings\All Users\Application Data\SecTaskMan\-net6559200
C:\Documents and Settings\All Users\Application Data\SecTaskMan\-net65596
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Netdb.exe
C:\Windows\pss\netdb.exestartup

Also, went through the registry keys bellow, after all these, I haven't found the netda/db/dc.exe again (hopefully never again).

Another way to start a file is use the shell method. The file name following explorer.exe will start whenever Windows starts.
As with Win.ini, file names might be preceeded by considerable space on such a line, to reduce the chance that they will
be seen. Normally, the full path of the file will be included in this entry. If not, check the \Windows directory.

The Startup Directory
Any file in C:\WINDOWS\Start Menu\Programs\StartUp will start when windows is booted.

The Registry
There are many registry entries that can be used to automatically invoke a program when the machine boots. These include:

Type 1
Here are the most common autostart keys:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

Type 2
If keys below don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*"
than they are automatically invoking the specified file.


[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

Type 3
Additional autostart methods. The first two are used by SubSeven 2.2

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User shell folders

So, if these information is of some value, I hope whoever needs, may get lucky, and get rid of it faster.
Tks all
Ricardo