Re: FN-FORUM: Trojan troubles resolved!
date posted 12th November 2007 20:13
Sometimes what looks like _ is actually another character or the name
contains an invisible null character or something so you can't delete it
easily. What sometimes works is to use the command line to move *.dat to
a new folder (created specially for the purpose), move back anything you
actually want and then delete the folder. Can sometimes be permissions
too - in that case you'd use a scheduled task (running as system) to do
the delete or move. What error message did you get?
--
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Kathy
http://www.vendetta.co.uk
+44(0)7005 982 261
DNRC Minister for Useful but Irritating Information and Trivia
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
----- Original Message -----
From: "Carrie" [EMAIL REMOVED]
To: [EMAIL REMOVED]
Sent: Sunday, November 11, 2007 11:40 PM
Subject: FN-FORUM: Trojan troubles resolved!
>
> Hi all,
>
> Just to say thanks for all the help.
>
> I used hijack this to remove the offending file - hooray!
>
> Carrie
>
> Just for your information: (ie this is long and detailed)
> it was
>
> Win32.BHO.df
>
> it installs a browser helper object - unlimited access to your machine.
> it also installs a file in the system32 folder - (on every reboot.)
>
> I could see the trojan in spybot, but avg anti spy and windows defender
> both missed it.
>
> Spybot said it had fixed it but it reappeared on every re-boot -
> including those from safe mode, and where I crashed out of safe mode
> (laptop - removed the battery) after doing the clean.
>
> the browser helper tool BHOdemon couldn't see the BHO allegedly
> installed - but i never use ie other than for testing my sites, and I had
> repeatedly cleaned before.
>
> Hijack this was the answer - it shows the bits of registry that are used by
> hijackers and gives you a report on all those values, it is not very
> user friendly to start with, but with the information from spybot that
> it was trying to load a file from the system32 folder you can work it out
>
> spybot gives the filename loaded in - not auto run - sorry it's gone now
> - so I can't check.
>
> anyway it begins __c???.dat
>
> I couldn't get windozexp (service pack 2) to see it let alone delete it
> so it is still there. (could anyone tell how? please, del from the
> command line didn't work.)
>
> I used hijackthis, to spot where the file was being loaded and removed
> the entry.
>
> AND IT WORKED!!!
> 3 days of hell trying to find out what to do. google was no help at all
> and neither were any of the help forums.
>
> I credit my fixing it to a lovely afternoon visiting a new windfarm site
> in Watchfield, Wiltshire, where the first Big Green Gathering was held.
> A friend of mine has invested £3000, (return in theory 9-12% pa long
> term investment though. more projects happening in your area - this one
> was a co-operative now closed - I think)
>
>
> pub lunch, walked the dog, had interesting conversations, BLISS.
>
> Carrie
>
>
>
> PS [So sometimes it is good to be indexed by google.] if you got here
> from there - don't use any of the sponsored links to help you they will
> make your problem worse.
> get hijack this and spybot and remove that entry - sorry I can't tell
> you what it is (I didn't write it down) but it is below the autorun
> section which is why I didn't spot it earlier, scroll down looking for a
> file in the system32 folder starting with whatever spybot said it was
> looking for - I couldn't see it any other way, and couldn't get winxp to
> see it at all.
>
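A way to check the point raised in the reply about look-alike or invisible characters in a filename, as an added example that is not part of the original thread: this Python script reports the code point of every character in a name that falls outside printable ASCII, plus trailing spaces or dots. The sample names are constructed, and `suspicious_chars`, `audit` and `scan_dir` are hypothetical helper names.

```python
import os
import unicodedata

# Constructed sample names (not taken from the thread): each looks like
# "__sample.dat" on screen, but only the first is plain ASCII.
SAMPLE_NAMES = [
    "__sample.dat",
    "\uff3f_sample.dat",      # fullwidth low line in place of "_"
    "__sam\u200bple.dat",     # invisible zero width space
    "__sample.dat ",          # trailing space
]

def suspicious_chars(name):
    """List (index, code point, Unicode name) for each character outside printable ASCII."""
    hits = []
    for i, ch in enumerate(name):
        if not 0x20 <= ord(ch) <= 0x7E:
            label = unicodedata.name(ch, "unnamed, category " + unicodedata.category(ch))
            hits.append((i, "U+%04X" % ord(ch), label))
    return hits

def audit(names):
    """Map each name that will not match what you type to the reasons why."""
    report = {}
    for name in names:
        reasons = suspicious_chars(name)
        if name != name.rstrip(" ."):
            # Ordinary Win32 path handling drops trailing spaces and dots,
            # so del and Explorer end up addressing a different name.
            reasons.append((len(name) - 1, "trailing", "trailing space or dot"))
        if reasons:
            report[name] = reasons
    return report

def scan_dir(path):
    """Audit the real entries of a directory, e.g. the system32 folder."""
    return audit(os.listdir(path))

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_NAMES).items():
        print(ascii(name))          # escapes make the hidden characters visible
        for index, code, label in reasons:
            print("   position %d: %s %s" % (index, code, label))
```

Knowing the exact code points tells you whether a wildcard move, as suggested in the reply, is needed because the name cannot be typed as it appears.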