Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

who can identify this trojan?

Status
Not open for further replies.
413345

413345

Technical User
Mar 8, 2005
17
0
0
NO
have become infected with a truly elaborate trojan which has performed the following on my system, starting with a windows error message: "Registry restored. One of the files containing the systems register data, had to be restored"...

1. Norton Internet Security is nothing but a blank screen upon opening it (leaving it useless)
2. I am unable to access internet through IE5: the system attempts to download files instead, failing.
3. The Run-command button has been removed from the start menu, although the settings imply it should be there (right-clicking).
4. Unable to access programs through start menu. The button is there but nothing happens when clicked...

Hope somebody can recognize and identify this sucker! Thanks!
 
Sort by date Sort by votes
Can you post your tasklist here so I can have a look?

Open a command window, type tasklist > t.txt
 
Upvote 0 Downvote
Just noticed - you have no start menu/run button. Can you start command using ctr;/alt/del - start task manager and use new task to run cmd? (assuming you are running XP)
 
Upvote 0 Downvote
Hi thanks for your reply.

Can run commands by your suggestion or by pressing windows key+r

but I don't have xp pro, so no tasklist.

I did however find out that I have a explorer.exe running in the windows\system32 directory, which it shouldnt. It has not altered any shell entries in the registry as far as I can tell, nor in the system.ini, so I am still at loss as to which virus I have actually contracted...
 
Upvote 0 Downvote
also found wintime.exe which is the dowloader.harnig virus, but I don't think that would have caused all the troubles I have outlined above, would it?
 
Upvote 0 Downvote
I've no idea then - sorry. How about removing the hard drive & getting another machine to scan it? Or building a self booting virus scanning floppy disk on another machine?
 
Upvote 0 Downvote
Hmm, no it doesn't appear to be the Bube at all, I have no change in the win.ini file nor any of the listed registries...

The worm is certainly attempting to download something when I try to access the web, but I get a message that the download of files failed...

So I am 100% I got the downloader.harnig, but I've yet to account for the presence of the explorer.exe in the systems folder. So far I have found no match in terms of symptoms and registry changes...
 
Upvote 0 Downvote
Can you download and post a hijack this log?

Save hijack this to it's own folder such as c:\ hijack this so that it runs properly and can make back ups., and click scan then save the log and post it here so we can take a look at it for you.

hijack this

 
Upvote 0 Downvote
Thanks for the correction concerning the explorer.exe in the systems folder, turns out it is the correct location after all.

As for the hijack log, I have gone over this time and time again, and there is nothing suspicious about it at all, everything ok there. The win.ini, sys.ini and misconfig files are also ok.
 
Upvote 0 Downvote
Oh, and now I can't start up windows at all, not even in safe mode. I am seriously infected here, with no backup of important documents....

How can I make a backup of documents from DOS only?

 
Upvote 0 Downvote
I run a windows XP, and it seems impossible to enter MS DOS without entering windows first. I desperately need to back up some files on the disk (copy them to a removable device), but as I am completely unable to start windows (it hangs up no matter what kind of mode I attempt to start it in), I need to know if it is possible to do this from this messed up state my computer is in....

So please help...
 
Upvote 0 Downvote
I wonder if you have a hardware problem here? Whatever the issue is I suggest you remove the drive to another machine and back it up pronto!
 
Upvote 0 Downvote
If you have Norton Internet Security, you should have rescue discs??

Computer/Network Technician
CCNA
 
Upvote 0 Downvote
No, my NIS is supplied by my ADSL supplier, downloaded only.
Removing the drive could be a problem: it is a laptop...
 
Upvote 0 Downvote
SO: is there any way of copying files to removable drive without starting up windows XP?
 
Upvote 0 Downvote
I was talking more along the lines of the floppies you make when setting up NIS.

Computer/Network Technician
CCNA
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

CCX008
  • Locked
  • Question
Barowwsoe2save , how can I remove this stubborn virus !! 3
Replies
10
Views
99
goombawaho
goombawaho
BionicJohn
  • Locked
  • Question
URUASY.A Ransomware Trojan - Help needed with removal
Replies
6
Views
75
BionicJohn
BionicJohn
MrMode
  • Locked
  • Question
Can anyone tell me what to remove with hijack this?
Replies
2
Views
57
MrMode
MrMode
SantaMufasa
  • Locked
  • Question
How can I get rid of "PC Fix Speed", a particularly nasty PC malware infection. 2
Replies
18
Views
114
kjv1611
kjv1611
Noway2
  • Locked
  • Question
What to make of this? 2
Replies
17
Views
138
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top