
Need help with removal of some sort of trojan


john

Sep 30, 2009, 3:52:53 PM
I seem to have acquired some sort of Trojan on my computer. Super Anti
Spyware, Windows Defender, Malwarebytes, and BitDefender Antivirus all
fail to work. I have found something called Poprock and Test-dummy in
the registry. PC Tools Spyware Doctor works but does not remove or
detect the problem.

Thanks,
John

Rich Barry

Sep 30, 2009, 4:14:28 PM
John, I have used SpyDoctor in the past to get the path of the trojan
file. When you expand the entry in SD where does it lead you?

"john" <jmck...@cableone.net> wrote in message
news:uD4Wceg...@TK2MSFTNGP05.phx.gbl...

db

Sep 30, 2009, 4:19:52 PM
you might simply try to delete them
from the registry.

but before you do, look at the keys
and ascertain their folder locations
and delete those afterwards.

incidentally, you can delete those
entries from the registry and disk.

however, since they are trojans as
you allude to, this implies there
is software installed that is doing
one thing as it was marketed to do,

but in the background it is also unleashing
the trojans.

so find out which program is unleashing
them, or you will never see the end of
the trojan infections.

incidentally, sometimes trojans corrupt
the system files.

so don't be surprised if after you inoculate
your system, you have to initiate a repair
install to replace corrupted system files
with genuine ones.
--
db ><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- @Hotmail.com
- nntp Postologist
~ "share the nirvana" - dbZen

~~~~~~~~~~~~~~~

"john" <jmck...@cableone.net> wrote in message
news:uD4Wceg...@TK2MSFTNGP05.phx.gbl...

1PW

Sep 30, 2009, 4:51:35 PM

Hello John:

If you *DO* already have MBAM installed previously, you may rename the
MBAM executable. For example:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

to

C:\Program Files\Malwarebytes' Anti-Malware\johnmbam.exe

Then launch MBAM as usual, *update* the database and scan in the
system's normal mode as opposed to "Safe" mode.

Although the registry entries you found may indeed be toxic, some
don't relish the thought of using regedit.

Please post a follow-up to this thread with your progress.

--
1PW

David H. Lipman

Sep 30, 2009, 5:09:52 PM
From: "john" <jmck...@cableone.net>

| Thanks,
| John

John:

What do you mean "fail to work" ?

Fail to execute ?
Fail to find and eliminate the trojan ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


john

Sep 30, 2009, 7:26:40 PM
Spy Doctor worked ok. It was the other programs that do not respond. I
should also add that Spy Bot does not work either.
The specific message that is given each time the programs attempt to
load is: "Windows cannot access the specified device, path, or file. You
may not have the appropriate permissions to access the item"

John

john

Sep 30, 2009, 7:28:05 PM
db wrote:
> you might simply try to delete them
> from the registry.
>
> but before you do, look at the keys
> and ascertain their folder locations
> and delete those afterwards.
>
> incidentally, you can delete those
> entries from the registry and disk.
>
> however, since they are trojans as
> you allude to, this implies there
> is software installed that is doing
> one thing as it was marketed to do,
>
> but in the background it is also unleashing
> the trojans.
>
> so find out which program is unleashing
> them, or you will never see the end of
> the trojan infections.
>
> incidentally, sometimes trojans corrupt
> the system files.
>
> so don't be surprised if after you inoculate
> your system, you have to initiate a repair
> install to replace corrupted system files
> with genuine ones.
I deleted the two entries but each time the system is rebooted they
reappear.

John

john

Sep 30, 2009, 7:29:36 PM
David H. Lipman wrote:
> From: "john" <jmck...@cableone.net>
>
> | I seem to have acquired some sort of Trojan on my computer. Super Anti
> | Spyware, Windows Defender, Malwarebytes, and BitDefender Antivirus all
> | fail to work. I have found something called Poprock and Test-dummy in
> | the registry. PC Tools Spyware Doctor works but does not remove or
> | detect the problem.
>
> | Thanks,
> | John
>
> John:
>
> What do you mean "fail to work" ?
>
> Fail to execute ?
> Fail to find and eliminate the trojan ?
>
Fail to execute. I posted the error message in one of my replies.

John

The Real Truth MVP

Sep 30, 2009, 7:52:40 PM
Use my Remove-it software. Choose yes for all options when prompted.
Download it here http://www.ms-mvp.org/

--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.


"john" <jmck...@cableone.net> wrote in message

news:eRbTsWiQ...@TK2MSFTNGP05.phx.gbl...

john

Sep 30, 2009, 8:04:29 PM

The Real Truth MVP wrote:
> Use my Remove-it software. Choose yes for all options when prompted.
> Download it here http://www.ms-mvp.org/
>
>
>
DO NOT WASTE MY TIME YOU LOSER

The Real Truth MVP

Sep 30, 2009, 8:52:24 PM
Your loss, not mine. You may as well format your system now because that will
be the next advice someone will give you. So before you do that, try my software;
you will have nothing to lose and you will see what a big idiot you have been
for listening to those trolls who lie about me.


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.


"john" <jmck...@cableone.net> wrote in message

news:eNXBCriQ...@TK2MSFTNGP04.phx.gbl...

Buffalo

Sep 30, 2009, 9:10:26 PM

Try renaming SuperAntiSpyware.exe to something else, like gotcha.exe.
Try the same for the Malwarebytes AntiMalware executable.
Buffalo
PS: You may even want to try installing the infected HDD in another computer
as a Slave Drive and clean it there.


David H. Lipman

Sep 30, 2009, 9:11:49 PM
From: "john" <jmck...@cableone.net>


| Fail to execute. I posted the error message in one of my replies.

| John

TDSS RootKit ?

Close all running programs and utilities and download Gmer
http://www.gmer.net/#files

Buffalo

Sep 30, 2009, 9:26:04 PM

Follow David Lipman's advice.
That is your best chance for success.
Buffalo


Elmo

Sep 30, 2009, 9:41:37 PM

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available; it prompts you to insert a CD and burns the file, no problem.

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html

--
Joe =o)

Leythos

Sep 30, 2009, 9:52:51 PM
In article <ha0r0a$h97$1...@leythos.motzarella.org>, t...@void.com says...
> From: "The Real Truth MVP" <t...@void.com>
> Newsgroups: microsoft.public.windowsxp.help_and_support
> Subject: Re: Need help with removal of some sort of trojan
> Date: Wed, 30 Sep 2009 16:52:40 -0700
> Organization: A noiseless patient Spider
> Lines: 52
> Message-ID: <ha0r0a$h97$1...@leythos.motzarella.org>
>

Well, it appears that PCBUTTS has confirmed that he's stalking me again.

Notice how he's registered an account using my name - showing his
sickness and how unethical he is.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam9...@rrohio.com (remove 999 for proper email address)

Leythos

Sep 30, 2009, 9:54:01 PM
In article <hqudnRCbWNjXYF7X...@giganews.com>, t...@void.com
says...

> They do NOT have the expertise or knowledge to fix your issue. Do not waste
> your time.
> David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
>

How come you posted from another server instead of your giganews
account?

You have to resort to stalking me from multiple Usenet providers now?

Patrick Keenan

Sep 30, 2009, 11:01:43 PM

"john" <jmck...@cableone.net> wrote in message
news:OP075ViQ...@TK2MSFTNGP05.phx.gbl...

That can be a clear symptom of a trojan, or a rootkit underneath it,
defending itself. You'd probably find that things like the malwarebytes
installer couldn't run, either. Rename the installer or the executable,
then run it.

ccleaner can help you with this process, but these infections are likely
hiding in the Windows folder structures, rather than the temp folders. A
lot of the help ccleaner affords here is reducing the time required for
scanning.

Also, if your system is infected, restore points will also be infected.
And be sure that you have created another user account, because it's
possible to damage the user profile.

HTH
-pk
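The advice above (rename the tool's executable and run it again) works when whatever is blocking the tool keys on its file name or on the permissions of that one file. The following PowerShell script is an added diagnostic written for this thread, not code from any of the posters or from the tools they mention; it reports, for one executable, the file-level deny entries and the Image File Execution Options "Debugger" redirection that commonly produce the "Windows cannot access the specified device, path, or file" message, so you can see what was blocking the original name before deciding how to clean it. The default path is the mbam.exe location quoted earlier in the thread; that the script is run from an elevated session on the affected machine is an assumption.

```powershell
# Added diagnostic for this thread (editor's example, not from the posters or the tools):
# explain why a security tool fails to launch under its own name while a renamed copy runs.
# Assumption: run in an elevated PowerShell session on the affected machine.
param(
    # Path from 1PW's post earlier in the thread; change to the tool that fails for you.
    [string]$ExePath = "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
)

$name = Split-Path -Leaf $ExePath

# 1. File presence, attributes and explicit Deny ACEs. A Deny for Everyone/Users on
#    execute rights on this one file is consistent with the "appropriate permissions"
#    wording of the error, and it travels with the file, not the name.
if (-not (Test-Path -Path $ExePath)) {
    Write-Output "MISSING: $ExePath"
} else {
    $item = Get-Item -Path $ExePath -Force
    Write-Output ("ATTRIB:  {0}  Size: {1}" -f $item.Attributes, $item.Length)
    $acl = Get-Acl -Path $ExePath
    Write-Output ("OWNER:   {0}" -f $acl.Owner)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            Write-Output ("DENY:    {0} -> {1}" -f $ace.IdentityReference, $ace.FileSystemRights)
        }
    }
}

# 2. Image File Execution Options: a "Debugger" value under a subkey named after the
#    executable redirects every launch of that file name, whatever folder it lives in.
#    Renaming the file sidesteps it, which matches the symptom described in the thread.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$key  = Join-Path $ifeo $name
if (Test-Path -Path $key) {
    $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Write-Output "IFEO:    $name is redirected to '$dbg'" }
    else      { Write-Output "IFEO:    key for $name exists (no Debugger value)" }
} else {
    Write-Output "IFEO:    no entry for $name"
}

# 3. Every IFEO subkey that carries a Debugger value. Legitimate ones are rare on a
#    home machine, so each line here deserves a look regardless of which tool failed.
Get-ChildItem -Path $ifeo | ForEach-Object {
    $d = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($d) { Write-Output ("IFEO-ALL: {0} -> {1}" -f $_.PSChildName, $d) }
}
```

Run it once per tool that fails to start. A Deny ACE points at the file's permissions; an IFEO Debugger entry points at a name-based redirection, and the value it lists is the thing the earlier replies suggest tracking down with Spyware Doctor's file path or with Autoruns.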

M.I.5¾

Oct 1, 2009, 4:34:29 AM

"The Real Truth MVP" <t...@void.com> wrote in message
news:ha0r0a$h97$1...@leythos.motzarella.org...

> Use my Remove-it software. Choose yes for all options when prompted.
> Download it here http://www.ms-mvp.org/
>

DO NOT download anything from this known purveyor of malware. Even the
authentic-looking URL is a complete fake.

Google 'pcbutts1' for more info.

db

Oct 1, 2009, 9:11:30 AM
they likely would get re-entered in the
registry.

you need to figure out which running
process is unleashing them.

so, the keys should provide some
clue.

if not, run autoruns from microsoft and
or process explorer.

also, people forget about the prefetch
files - they get loaded at boot time.

and third party drivers get loaded at
boot time as well.

--
db ><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- @Hotmail.com
- nntp Postologist
~ "share the nirvana" - dbZen

~~~~~~~~~~~~~~~

"john" <jmck...@cableone.net> wrote in message

news:eRbTsWiQ...@TK2MSFTNGP05.phx.gbl...
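The post above says the deleted keys will keep coming back until the process that re-creates them is found, and points at Autoruns, Process Explorer, the prefetch folder and third-party drivers. The PowerShell script below is an added example written for this thread, not code from db or from Microsoft's tools; it snapshots the common autostart registry locations plus the service and driver ImagePath values to a CSV, flags any entry whose name or value contains the names John reported (Poprock and Test-dummy, taken from the thread), and when given an earlier snapshot reports which entries are new or changed since it, which is exactly the "came back after reboot" evidence the post asks for. It ends by listing the newest prefetch files as a record of what ran around the last boot. That it is run from an elevated session, and the CSV paths, are assumptions.

```powershell
# Added example for this thread (editor's, not from db or Microsoft): snapshot
# autostart locations, then diff against an earlier snapshot after a reboot.
# Usage (assumed paths):
#   .\autostart-diff.ps1 -Snapshot C:\before.csv                      (before deleting)
#   .\autostart-diff.ps1 -Snapshot C:\after.csv -Compare C:\before.csv (after the reboot)
param(
    [string]$Snapshot = "$env:TEMP\autostart.csv",
    [string]$Compare  = "",
    [string[]]$Watch  = @('Poprock', 'Test-dummy')   # names John reported in the thread
)

# Registry locations consulted at logon (Run/RunOnce) and by Winlogon (Shell, Userinit).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-AutostartEntries {
    $entries = @()
    foreach ($k in $runKeys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            $entries += New-Object PSObject -Property @{
                Location = $k; Name = $p.Name; Value = [string]$p.Value }
        }
    }
    # Services and kernel drivers: every subkey with an ImagePath is something the
    # service control manager can load at boot, which covers db's "third party drivers".
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($svc.ImagePath) {
            $entries += New-Object PSObject -Property @{
                Location = 'Services'; Name = $_.PSChildName; Value = [string]$svc.ImagePath }
        }
    }
    return $entries
}

$now = Get-AutostartEntries
$now | Select-Object Location, Name, Value | Export-Csv -Path $Snapshot -NoTypeInformation

# Flag watched names wherever they appear, in the value name or in the command/path.
foreach ($e in $now) {
    foreach ($w in $Watch) {
        if ($e.Name -like "*$w*" -or $e.Value -like "*$w*") {
            Write-Output ("WATCH:   {0}\{1} = {2}" -f $e.Location, $e.Name, $e.Value)
        }
    }
}

# Diff against the earlier snapshot: entries present now but absent (or different)
# before are the ones something re-created since that snapshot was taken.
if ($Compare -and (Test-Path -Path $Compare)) {
    $beforeKeys = @{}
    foreach ($b in (Import-Csv -Path $Compare)) { $beforeKeys["$($b.Location)|$($b.Name)"] = $b.Value }
    foreach ($e in $now) {
        $id = "$($e.Location)|$($e.Name)"
        if (-not $beforeKeys.ContainsKey($id)) {
            Write-Output ("NEW:     {0}\{1} = {2}" -f $e.Location, $e.Name, $e.Value)
        } elseif ($beforeKeys[$id] -ne $e.Value) {
            Write-Output ("CHANGED: {0}\{1} = {2}" -f $e.Location, $e.Name, $e.Value)
        }
    }
}

# Prefetch files are not autostarts themselves; they record what has executed, so the
# newest ones show what ran around the last boot, including whatever re-added the keys.
Get-ChildItem -Path "$env:WINDIR\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 15 Name, LastWriteTime
```

Take the first snapshot before deleting the keys, reboot, take the second with -Compare pointing at the first: the NEW and CHANGED lines name the locations to investigate, and the Services entries give the driver or service path that Autoruns would show under its Drivers and Services tabs.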

Buffalo

Oct 1, 2009, 9:29:56 AM

After deleting the two entries and without rebooting, will MBAM or SAS run?


john

Oct 1, 2009, 9:50:35 AM
no

db

Oct 1, 2009, 10:35:25 AM
incidentally, don't forget that some
antivirals prevent users from modifying
the registry.

so perhaps it is another reason why
your deletions don't take.

just a thought to consider.

--
db ><)))º>


DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- @Hotmail.com
- nntp Postologist
~ "share the nirvana" - dbZen

~~~~~~~~~~~~~~~

"db" <datab...@hotmail.com> wrote in message
news:Op$5zipQK...@TK2MSFTNGP02.phx.gbl...


> they likely would get re-entered in the
> registry.
>
> you need to figure out which running
> process is unleashing them.
>
> so, the keys should provide some
> clue.
>
> if not, run autoruns from microsoft and
> or process explorer.
>
> also, people forget about the prefetch
> files - they get loaded at boot time.
>
> and third party drivers get loaded at
> boot time as well.
>
> --

> db ><)))º>

Buffalo

Oct 1, 2009, 11:14:52 AM

john wrote:


> Buffalo wrote:
>> After deleting the two entries and without rebooting, will MBAM or
>> SAS run?
>>
>>
> no

Did you try renaming the exe for SuperAntiSpyware.exe to something else and
then running it?
Perhaps something like Begone.bat or similar and then double-clicking on
it to execute it?
Buffalo


Unknown

Oct 1, 2009, 12:15:17 PM
Nothing to lose???? He has everything to lose following your site.

"The Real Truth MVP" <t...@void.com> wrote in message
news:hqudnRCbWNjXYF7X...@giganews.com...

john

Oct 1, 2009, 5:39:40 PM
David H. Lipman wrote:
> From: "john" <jmck...@cableone.net>
>
>
> | Fail to execute. I posted the error message in one of my replies.
>
> | John
>
> TDSS RootKit ?
>
> Close all running programs and utilities and download Gmer
> http://www.gmer.net/#files
>
I ran Gmer but it got to the folder in the Windows directory, $hf_mig$,
which I think stores all the Windows updates, and promptly shut down. I
cannot delete the file from my download directory. I am thinking that
this nasty critter is located in the Windows directory but am not at all
sure how to find it. I am wondering if it might be wise to create a log
file when the system boots up. Any thoughts on that?

John

David H. Lipman

Oct 1, 2009, 8:47:43 PM
From: "john" <jmck...@cableone.net>

| I ran Gmer but it got to the folder in the Windows directory, $hf_mig$,
| which I think stores all the Windows updates, and promptly shut down. I
| cannot delete the file from my download directory. I am thinking that
| this nasty critter is located in the Windows directory but am not at all
| sure how to find it. I am wondering if it might be wise to create a log
| file when the system boots up. Any thoughts on that?

| John

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post with a full explanation of your problem
and what you have done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

john

Oct 1, 2009, 9:14:17 PM
HijackThis suffered the same result as the other programs did: it got shut down.

I'll try the programs you suggested above.
Thanks,
John

john

Oct 2, 2009, 2:16:59 PM
David H. Lipman wrote:
> From: "john" <jmck...@cableone.net>
>
>
> | Fail to execute. I posted the error message in one of my replies.
>
> | John
>
> TDSS RootKit ?
>
> Close all running programs and utilities and download Gmer
> http://www.gmer.net/#files
>
I ran Gmer 4 times and the last time it did not shut down or find
anything in the Rootkit tab. I ran Stopzilla between the 3rd and 4th runs of
Gmer. What remains is that none of the programs (SpyBot, Bit Defender,
Malwarebytes, HijackThis, or SuperAntiSpyware) work, and they cannot be
removed.
The error message when I try to delete them is:
"Can not delete <HijackThis.exe>: Access is denied. Make sure the disk
is not full or write-protected and that the file is not currently in use"
Do I need to take ownership of these to delete them?

John

Buffalo

Oct 2, 2009, 3:22:05 PM

Just curious. Did you ever try renaming SuperAntiSpyware.exe to something
else and then executing it?
Buffalo


David H. Lipman

Oct 2, 2009, 3:39:11 PM
From: "john" <jmck...@cableone.net>

>> | John

>> Suggested primary:
>> http://www.thespykiller.co.uk/index.php?board=3.0

Rename HJT to something like TOM.COM and try again.

john

Oct 2, 2009, 6:52:17 PM
Yes, I tried, but it would not allow any changes. I think that the
offending Trojan is gone, but I will not know for sure until I
re-install everything that I uninstalled. BitDefender is now working
and that is a good sign. I'll keep you all posted on the final outcome.

Thanks,
John

Buffalo

Oct 2, 2009, 8:24:58 PM

Thanks, Bit Defender sounds promising, since it runs.
Buffalo
PS: Something wouldn't let you change the name or the extension of the SAS
executable?
I am not good at this stuff, so thanks for the info.


john

Oct 3, 2009, 10:03:23 AM
I would like to thank all of you for your help. The links that David
posted were of great help. It appears that the Trojans have been
removed. I had to uninstall all the anti-malware software and
reinstall it all. Everything seems to be working properly. It seemed to
be a case of just keeping on trying each suggested program until you found one
that worked, and then going back to the beginning and starting over.

Thank you all,

John

David H. Lipman

Oct 3, 2009, 10:16:25 AM
From: "john" <jmck...@cableone.net>

| I would like to thank all of you for your help. The links that David
| posted were of great help. It appears that the Trojans have been
| removed. I had to uninstall all the anti-malware software and
| reinstall it all. Everything seems to be working properly. It seemed to
| be a case of just keeping on trying each suggested program until you found one
| that worked, and then going back to the beginning and starting over.

| Thank you all,

| John

Thanx for the feedback John!
