Help removing Trojans please

Discussion in 'Computer Security' started by flopstocks, Sep 11, 2007.

  1. flopstocks

    flopstocks Nibble Poster

    A friend of mine asked me to try and fix their computer for them - bad move. It's got pop-ups appearing everywhere saying to click here to remove trojans and all kinds of other ****! The machine was running XP (not even SP2!) and had AVG not updated.

    Since receiving the machine I have tried AVG, AVG Anti-Spyware, AVG Anti-Rootkit, Spybot, CCleaner and Ad-Aware. They all found issues, but have not fixed the problems. After doing a full online scan using the Windows Online Safety scanner it appears there are Trojans on the machine!

    Win32/Zlob.gen!L which has infected msmhost.dll, and msmdev.dll

    Win32/Zlob.gen!M which has infected nsdu.dll

    Unfortunately the scan was unable to fix them and now I have run out of ideas. My last option is to completely reformat the machine but I want to avoid doing this if I can!

    Any ideas would be appreciated!
     
    Certifications: A+, Network+, CCNA, BSc(Hons) Open
  2. BosonMichael

    BosonMichael Yottabyte Poster

    If he's that badly infected, you might be better off reinstalling. Plus, you see the spyware that you've detected... what about the spyware (or worse, rootkits) that you haven't been able to detect? :blink

    Just a thought. I agree that a reinstall should be the last option... but a compromised system is worse than having to reinstall.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  3. ffreeloader

    ffreeloader Terabyte Poster

    I'm sorry, but I just couldn't help myself this morning, so here goes.

    Are you sure you need help removing a Trojan? :twisted:

    And, do you really wear more than one Trojan a time? :lolbang

    Alright, alright. You can say I'm just taking this grammar thing too far.... :biggrin
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  4. flopstocks

    flopstocks Nibble Poster

    It's terrible, I've never seen a system so bad! Normally I run a few programs and it sorts itself out. Not this time :(
     
    Certifications: A+, Network+, CCNA, BSc(Hons) Open
  5. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    I recommend following the procedure given at CastleCops on their Wiki page here.

    The main infection appears to be one of the Smitfraud types - so follow the instructions for that type.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  6. ffreeloader

    ffreeloader Terabyte Poster

    That Smitfraud junk is plain old nasty. If you don't have quite a bit of experience with this I'd recommend following BM's advice... Reformat and start over so you can really trust the machine again, as who knows what else has been put on that machine. If it's been root-kitted you're in really big trouble, as until you reformat it someone else will still "own" that machine.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  7. Theprof

    Theprof Petabyte Poster

    I also agree with BM. Reinstallation of the OS is the last resort, but at this point it's going to be pretty tough to get rid of all the spyware, viruses, malware, etc. Even if you do end up removing all that junk, there's a great chance that the system files could get corrupted, deleted, infected, etc.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  8. flopstocks

    flopstocks Nibble Poster

    Yeah, I think I'm going to have to. I need to back up documents and stuff first! If I plug this HD into my computer to take documents etc. off, is it possible my PC can become infected too?
     
    Certifications: A+, Network+, CCNA, BSc(Hons) Open
  9. BosonMichael

    BosonMichael Yottabyte Poster

    It's not likely to, but it's certainly possible.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    Agreed with both of BM's comments.
    But what I would do is:

    * back up any data that is on the external hard drive to your hard drive

    * copy data from the infected machine to the external hard drive

    * format and reinstall a clean version of Windows, with the latest SP and antiviral updates

    * restore data back from the external hard drive to the computer

    * confirm data has been restored and there are no problems with the restoration

    * format the external hard drive again. This should ensure that there is no infection on the external hard drive

    Seems long-winded, but this is the only option I can think of that decreases the chance of infection on your hard drive. Obviously, the risk depends on the type of program you will use to remove data from the external hard drive and how secure or "deep" it will clean...

    Hope this helps
     
  11. Mitzs

    Mitzs Ducktape Goddess

    Reformat that puppy. Then install AVG back and some spyware protection and a damn firewall. ZoneAlarm has a free home edition. Then take it back to your friend. Make sure that they know and understand how to update all that software. Then tell them if they can not be bothered to do the updates, they need to call someone else next time and let them pay for the service to be done. They should really pay you something if it is that bad and they did know how to do the updates but were just too lazy to.
     
    Certifications: Microcomputers and network specialist.
    WIP: Adobe DW, PS
  12. ffreeloader

    ffreeloader Terabyte Poster

    Install Linux and you won't have to worry about all that malware, or all the anti-malware junk either. Plus, your buddy will actually own his computer again. :biggrin
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  13. Mathematix

    Mathematix Megabyte Poster

    For the record, copying infected files to other locations is a very high-risk activity that I wouldn't consider. If there are files on there that are too valuable to be deleted, I would keep these to an absolute minimum and thoroughly scan them before copying.

    With an infection of such scale there is no option but to reformat as you cannot possibly determine exactly what is on there due to the lack of protection. Lastly, AV software etc. prevent much better than they clean.

    As they say: prevention is better than cure.
     
    Certifications: BSc(Hons) Comp Sci, BCS Award of Merit
    WIP: Not doing certs. Computer geek.
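The back-up-then-reformat procedure from Mr.Cheeks' post, combined with Mathematix's point about keeping copied files to a minimum and scanning them, as an added Python example that is not from any poster in the thread: it copies only allow-listed document types off the mounted infected disk, refuses executables and DLLs outright, and records a SHA-256 manifest so each rescued file can be scanned and re-checked before restoring. The extension allow-list, the sample disk layout and the file contents are constructed assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed allow-list: only plain user data is worth rescuing. Anything
# executable (DLLs such as the msmhost.dll / nsdu.dll named in the thread,
# EXEs, scripts) is never copied, so the backup cannot carry the infection.
DATA_EXTENSIONS = {".doc", ".xls", ".pdf", ".jpg", ".png", ".txt", ".mp3"}


def rescue_documents(source: Path, dest: Path) -> dict:
    """Copy allow-listed files from the mounted infected disk to dest.

    Returns {"copied": {rel_path: sha256}, "skipped": [rel_path, ...]}.
    The hash manifest lets each rescued file be scanned and verified again
    before it is restored onto the freshly installed machine.
    """
    copied, skipped = {}, []
    for path in source.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # never follow links planted on the infected disk
        rel = path.relative_to(source).as_posix()
        if path.suffix.lower() not in DATA_EXTENSIONS:
            skipped.append(rel)
            continue
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(path, target)  # contents only: no attributes or ADS
        copied[rel] = hashlib.sha256(target.read_bytes()).hexdigest()
    return {"copied": copied, "skipped": skipped}


def demo() -> dict:
    """Build a constructed infected-disk tree in a temp dir and run the rescue."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "infected", Path(tmp) / "external"
        (src / "My Documents").mkdir(parents=True)
        (src / "WINDOWS" / "system32").mkdir(parents=True)
        (src / "My Documents" / "report.doc").write_bytes(b"quarterly report")
        (src / "My Documents" / "setup.exe").write_bytes(b"MZ-constructed")
        (src / "WINDOWS" / "system32" / "msmhost.dll").write_bytes(b"MZ-constructed")
        result = rescue_documents(src, dst)
        restored = (dst / "My Documents" / "report.doc").read_bytes()
        result["restored_ok"] = restored == b"quarterly report"
        return result
```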
  14. Mitzs

    Mitzs Ducktape Goddess

    Can we get a smile that farts and then goes up in flames please? :tune
     
    Certifications: Microcomputers and network specialist.
    WIP: Adobe DW, PS
  15. BosonMichael

    BosonMichael Yottabyte Poster

    Best I could do...

    :fart

     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. ffreeloader

    ffreeloader Terabyte Poster

    Hmmm. I say things just for your benefit, and then you go and let me down.... I barely even got a rise out of you. :duel :twisted:
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  17. Mitzs

    Mitzs Ducktape Goddess

    :biggrin I will choose when to make a stand and plant a MS flag. Believe me, you will know when I do because it will be stuck to your head. :twisted:

    :offtopic
     
    Certifications: Microcomputers and network specialist.
    WIP: Adobe DW, PS
  18. flopstocks

    flopstocks Nibble Poster

    All fixed now! I decided to upgrade the RAM too - like a new machine now. It really annoys me when a relatively new computer only has 256 MB of RAM! Adding 256 MB totally transformed the machine.
     
    Certifications: A+, Network+, CCNA, BSc(Hons) Open
  19. Bluerinse

    Bluerinse Exabyte Poster

    Good move flopstocks! 8)
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  20. flopstocks

    flopstocks Nibble Poster

    Cheers. How do I get some power points by the way?
     
    Certifications: A+, Network+, CCNA, BSc(Hons) Open
