Troj/Forn-A found by SpySweeper - unable to quarantine

Discussion in 'Malware Help (A Specialist Will Reply)' started by Pilgrim, Oct 30, 2007.

  1. Pilgrim

    Pilgrim Private E-2

    First, the simple question. More may flow . . . I confess to being a software-work noob, abysmally ignorant, but able to follow simple instructions.

    Spy Sweeper on my laptop (not this machine) reports this being found : Troj/Fortn-A. A follow-up sweep with AVG does not find it, but it does reflect that several files have been changed:
    kernel32.dll
    user32.dll
    shell32.dll
    ntoskml.exe

    I can find very little about Troj/FORTN-A on the 'net and a search here brings up nothing.

    It is my lightly-informed understanding that some trojans don't go to work until the machine is booted, so I didn't shut things down.

    After printing your malware removal instructions, I skimmed them and started in. I returned msconfig to its default, then told the machine to reboot into SAFE mode. (Minor question: was that the way to proceed, assuming the trojan kicks off on a boot-up? Is SAFE MODE really safe?)

    Then I came to your instruction to download CCleaner, which brings us to the MAJOR QUESTION: Should I fire up my browser (IE or FIREFOX or MSN) to enable the download? Or might that set off some unstoppable, irredeemable cascade of events that will let all the smoke out of my computer and bring sparks, fire, smells, and destruction to my world?

    Or, since the malware is identified already, is there a quick and easy way to eliminate it?

    Thanks,

    Pilgrim
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    First to answer your question about safe mode. It has nothing to do with being "safe" from malware. It has to do with a mode where Windows boots up without loading all of the normal drivers and processes. It does not guarantee anything about malware.

    Now back to the procedure. You don't appear to be following steps in the correct order. You are not supposed to be in safe mode until you get to step 5. CCleaner should have been downloaded and installed long before this in step 1. In fact ALL of the tools should have been downloaded and configured before getting into safe mode where some, but not all, scans are run. GetRunKey, ShowNew, and HijackThis are run in normal boot mode after all other scans have been run.

    Are you using a paid version of Spy Sweeper or a free trial version? If free, you should just uninstall it because it is of no use to you. I would bet the log does not even show where it is finding this "trojan" which is normally just a Java class file. Emptying your browser caches for IE, FireFox, & MSN may even remove it.
     
  3. Pilgrim

    Pilgrim Private E-2

    You've cleared some things up for me; thanks for taking the time. The remaining question is this: Do the four changed files I listed reflect anything bad going on, or are they changes I might normally expect to see? They are in the Win32 file:
    kernel32.dll
    user32.dll
    shell32.dll
    ntoskml.exe

    Based on what you've said, I'm going to dump the caches and temp files (although I think I did early on) and see what happens. AVG, when it reported alterations to the four files I mentioned, showed that a bunch of temp files had been created that were apparently related to the changes.

    Then I'll re-run AVG, etc, and see what I get.

    SOPHOS is the only place I saw that has anything on Fortn-A. They said it was a trojan that might dump malware on my system. DUH!

    Pilgrim
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The first step of the READ ME tells you to use MSconfig to set your system to Normal Startup mode. It does not say anything about normal boot mode or mention safe mode. Normal Startup mode is set to make sure that you are not stopping anything from loading at startup, which could make it more difficult for us to clean up any malware if it exists because you could be hiding it. Normal Startup does not equal Normal Boot mode. You can be in normal boot mode but not in normal startup mode.

    Are you referring to AVG Antivirus or AVG Antispyware, which are two totally different things? If AVG Antivirus, then it is not the same thing as what Spy Sweeper is meant to do. The free trial version of Spy Sweeper is not worth having on your PC. It will not fix anything and it will not properly report exactly what it is finding and where it is finding it, thus making it not a useful tool to aid in the manual cleaning that may be needed. You need a real antispyware blocking, scanning and removal tool.

    This can be normal as it could have even been due to a recent update from Microsoft Windows that changed or accessed these files, but the only way we will know if your PC has any malware for sure is by having you complete the READ & RUN ME and attaching the logs.
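    The point chaslang makes above, that a changed kernel32.dll or ntoskrnl.exe is only suspicious if it is no longer a genuine Microsoft file, can be checked directly. The following is an added example, not part of the thread or of the MajorGeeks procedure; it assumes the "ntoskml.exe" in the post is ntoskrnl.exe and that the files live in System32.

```powershell
# Added example (not from the thread): report signature status, version and
# last-write time for the four files the scanner flagged as changed.
# A Valid Microsoft signature after a Windows Update is normal; an unsigned
# or HashMismatch core file is what a responder would want to look at.
$files  = @('kernel32.dll', 'user32.dll', 'shell32.dll', 'ntoskrnl.exe')  # ntoskrnl.exe assumed for "ntoskml.exe"
$sysDir = Join-Path $env:SystemRoot 'System32'

function Get-CoreFileStatus {
    param([string[]]$Names, [string]$Directory)
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $name; Signature = 'FileMissing'; Signer = ''; Version = ''; LastWriteTime = '' }
            continue
        }
        $item = Get-Item $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        [pscustomobject]@{
            File          = $name
            Signature     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer        = $signer
            Version       = $item.VersionInfo.FileVersion
            LastWriteTime = $item.LastWriteTime
        }
    }
}

Get-CoreFileStatus -Names $files -Directory $sysDir | Format-Table -AutoSize
```

Many Windows system files are catalog-signed rather than carrying an embedded signature, so on older Windows versions Get-AuthenticodeSignature may report NotSigned for a perfectly genuine file; in that case `sfc /verifyonly` is the cross-check, since it compares the files against the protected system copies.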
     
  5. Pilgrim

    Pilgrim Private E-2

    Which I will do tomorrow and get back to you if it indicates problems exist.

    Thanks again.

    Pilgrim
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    AVG Antispyware is not an antivirus program. And if you are using the free version of AVG Antispyware, it provides no protection after the trial period.

    The trial version of Spy Sweeper does not fix, quarantine or delete anything. It is purely a scanner that has inadequate reporting features.
     
