Hidden Trojan.. anyone help out?

Discussion in 'Computers' started by NightTrain, Oct 31, 2004.

  1. NightTrain (VIP Member, Wasilla, Alaska)
    Well, I've been gone most of the Summer, and I've got a trojan on this machine at home.

    I'm running XP Pro, AVG anti-virus, Spybot S&D and Adaware.

    AVG says I'm clean.

    Adaware says I'm clean.

    Spybot tells me I've got 5 entries of DSO Exploit, and it can't remove them, even when I tell it to go ahead and run at next startup.

    Then, after roughly 15 minutes of inactivity, I get a message from Windows:

    Virus
    Trojan horse Downloader.winshow.AT detected at C:\System Volume Information\_restore{7BF9A251-DD3O-488D-BF66-BAE458F9ACEA}\RP187\A004958.dll

    I'm reluctant to rip out that .dll file in that System Volume Information area... as I've had very bad experiences with doing such things in the past. I'm surprised that AVG isn't detecting it, unless the message itself is a bogus message.

    XP Pro is fighting my attempts to access the System Volume Information folder; I've already turned off 'hide system files' and the like under Tools, but it's still telling me to go away when I try to open it, although it's visible now.

    Any ideas?
     
  2. jimnyc (New York)
  3. eric (Guest)
    The DSO exploit is nothing to worry about. As far as the trojan is concerned, try this: click on Start, Programs, Accessories, System Tools, System Restore, and turn it off, allowing XP to delete all previous restore points (they already contain the trojan). Now reboot and turn System Restore back on. Let me know if this helps.

    Also never delete a dll or ocx unless you are absolutely sure there are no dependencies.
     
  4. eric (Guest)
    This is due to the security permissions of the folder. It is set by Windows to SYSTEM, meaning only the OS has access to it, not even the administrator.
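A scripted version of the two points eric makes above, added here as an example that is not from this thread: it shows the SYSTEM-only ACL on System Volume Information (why Explorer refuses to open it), lists the restore points that a detection path like `_restore{...}\RP187\...` in post 1 refers to, and runs the disable/re-enable cycle from post 3 that discards every old restore point along with the infected copies frozen inside them. It assumes Windows PowerShell 5.1 on a current Windows release (these cmdlets do not exist on XP, where the Start menu path in post 3 is the way to do it), an elevated prompt, and C: as the system drive.

```powershell
# Added example, not code from the thread. Windows PowerShell 5.1, run as Administrator.
# Assumption: the system drive is C:. The folder name and cmdlets are the real ones on
# modern Windows; System Restore is the same feature the thread is talking about.

$drive = 'C:\'
$svi   = Join-Path $drive 'System Volume Information'

# 1. Why Explorer "tells you to go away": the folder's ACL normally carries a single
#    Allow entry for NT AUTHORITY\SYSTEM. Even reading the ACL needs elevation.
Write-Host "=== ACL on $svi ==="
try {
    (Get-Acl -Path $svi).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
} catch {
    Write-Warning "Cannot read ACL: $($_.Exception.Message)"
}

# 2. What is actually stored there: restore points (RP187 in post 1 is one of them).
#    A file detected under _restore{...}\RPnnn\ is a snapshot copy of something that
#    once lived elsewhere, not a running component, so deleting the .dll by hand is
#    not what fixes the machine; dropping the restore point is.
Write-Host "=== Restore points before cleanup ==="
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType, CreationTime |
    Format-Table -AutoSize

# 3. Post 3's fix, scripted: turning System Restore off for the drive discards every
#    restore point on it; turning it back on starts a fresh, clean set.
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive

# 4. Record a known-good baseline right away and confirm the old points are gone.
#    Windows may refuse a new checkpoint if it created one in the last 24 hours.
Checkpoint-Computer -Description 'Clean baseline after malware cleanup' `
                    -RestorePointType 'MODIFY_SETTINGS'
Write-Host "=== Restore points after cleanup ==="
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, CreationTime |
    Format-Table -AutoSize
```

Run it once after the active scanners report clean: purging restore points does nothing about a trojan that is still running from its real location, it only removes the stale copies that keep triggering the alert. Step 1 is diagnostic only; there is no need to change the ACL, and leaving it SYSTEM-only is exactly what keeps user-level malware from tampering with the restore data.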
     
  5. NightTrain (VIP Member, Wasilla, Alaska)
    Thanks, guys.

    Forgot to post that I tried what Eric suggested right before I walked out the door on my way back down here... running short on time as usual. Worked like a charm! Once XP dumped the SVI files, she's clean as a whistle!

    My guess is that the SVI files are kept isolated from all other programs, which makes sense if you have a virus running rampant through the rest of your machine. That way, you have an uncorrupted set of files available to reload with. Am I on track?

    Again, thanks for the help fellas!
     
  6. RFB (Rookie)
    use Linux
     
  7. eric (Guest)
    From a tech point of view, I agree, but for the average end user, this is not a good option.
     
  8. rtwngAvngr (Guest)
    Get a mac!
     
  9. eric (Guest)
    You mean the one with: 2 all-beef patties, special sauce, lettuce, cheese, pickles, onions, on a sesame seed bun?????
     
  10. 5stringJeff (Senior Member, Puyallup, WA)
    Last hidden Trojan I knew about was in my bedroom... :D
     