problem with trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by dannylauda, Jul 7, 2005.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, that did not find anything. Can we be more specific about when this bad file actually reappears? I know you said once you get it to delete, it does not reappear until reboot. What I need to know is the following:

    1) Does it come back immediately after reboot? Meaning, if you do not do anything else, especially open any browsers or connect to the internet in any form, has it already come back?

    2) Or does it only come back after opening a browser?
    3) Or does connecting to the internet bring it back?

    What kind of connection to the internet do you have (dial-up, cable, DSL)? If cable or DSL, in item 1 above, make sure the cable is unplugged so nothing can go in or out.


    Now do the following and get me three logs but make sure the bad process is actually running when doing this and also only have one Internet Explorer window remaining open (leave the one open you do the below download in).

    Download ProcessExplorer from http://www.majorgeeks.com/Process_Explorer_d4566.html

    Unzip it and now run ProcessExplorer, and let's configure some options first:
    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLLs is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path". Now click on File and then Save As, and save the process list. Post it back here as an attachment. Also, from now on if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager cannot.

    Repeat the above two more times but instead of selecting explorer.exe select:
    - iexplore.exe
    - whatever the bad process is named now

    To post these three logs will take two messages because you can only have two attachments in a message.
     
  2. dannylauda

    dannylauda Private E-2

    OK, if I try to delete the file directly from the folder it says that it is protected by Windows, but if I kill the process it actually disappears, and if I reboot without the cable plugged in the file recreates itself in the same folder but with a different name. Here are the logs.
     

    Attached Files:

  3. dannylauda

    dannylauda Private E-2

    The other.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please clarify! Does it recreate itself immediately before you have done anything else?


    Hmmm! The first thing that seems suspicious is that it looks to be loading under your Trend Micro application:

    NTRtScan.exe 260 Trend Micro Inc. C:\Programmi\Trend Micro\OfficeScan Client\NTRtScan.exe
    WOEFA7.EXE 656 C:\WINDOWS\Temp\WOEFA7.EXE
    Please uninstall Trend Micro and then reboot your PC. Then look for this bad process again. If you find it, kill it and delete the file again. Now reboot and see what happens. You can do all of this while disconnected from the internet to be safe.

    Let me know what happens.
     
    Last edited: Jul 21, 2005
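The three Process Explorer logs requested above (process list with Image Path column, plus the DLLs loaded by each selected process) can be gathered from the built-in tools as well. The following is an added example, not something posted in this thread: it lists every process with its image path and loaded modules, and flags anything running from a Temp directory, which is exactly how the WOEFA7.EXE entry in the log above stands out. The Temp roots checked ($env:TEMP and %SystemRoot%\Temp) are an assumption matching the path seen in the log.

```powershell
# Added example (not from the thread): enumerate processes with image paths and loaded
# modules, then flag anything whose image or DLLs live under a Temp folder, as
# WOEFA7.EXE did in the log above. Run from an elevated PowerShell prompt so that
# module lists of other users' processes are readable.

# Assumed suspect roots: the user Temp folder and %SystemRoot%\Temp (C:\WINDOWS\Temp in the log)
$suspectRoots = @(
    $env:TEMP,
    (Join-Path $env:SystemRoot 'Temp')
) | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Test-UnderSuspectRoot {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    $p = $Path.ToLowerInvariant()
    foreach ($root in $suspectRoots) {
        if ($p.StartsWith($root + '\')) { return $true }
    }
    return $false
}

$report = foreach ($proc in Get-Process) {
    $imagePath = $proc.Path   # $null for protected or system processes we cannot query
    $modules = @()
    # Reading .Modules can fail (access denied, 32/64-bit mismatch); treat as unknown, not clean
    try { $modules = @($proc.Modules | ForEach-Object { $_.FileName }) } catch { }
    [pscustomobject]@{
        Name      = $proc.ProcessName
        PID       = $proc.Id
        ImagePath = $imagePath
        FromTemp  = Test-UnderSuspectRoot $imagePath
        TempDlls  = @($modules | Where-Object { Test-UnderSuspectRoot $_ })
    }
}

# Full list, the equivalent of Process Explorer's "Save As" with the Image Path column
$report | Select-Object Name, PID, ImagePath | Format-Table -AutoSize

# Processes worth a closer look: image, or a DLL loaded into it, sits under a Temp directory
$report | Where-Object { $_.FromTemp -or $_.TempDlls.Count -gt 0 } |
    Select-Object Name, PID, ImagePath, @{ n = 'TempDlls'; e = { $_.TempDlls -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

The same lower-pane DLL view for a single process (explorer.exe or iexplore.exe in the instructions above) is `(Get-Process explorer).Modules | Select-Object ModuleName, FileName`.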
