
Identifying a trojan.

Anonymous
June 13, 2005 5:23:41 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Hey there, I have a "trojan" (I think) on my system. I found that in the
system32 folder there is a file that keeps renaming itself to things like oeookg.exe,
idogga.exe, ofrcrn.exe, bukpuge.exe... etc. Every time I delete the process,
it comes back as another process and renames the file. I have tried deleting
it in safe mode but the file still says it is in use. I have installed Symantec
Corporate 9.0, but it doesn't pick it up. If anyone knows of a way to remove
this, or a fix, please let me know. Thanks a lot for your help! Sincerely,
Geoffrey.


Anonymous
June 14, 2005 1:29:00 AM

From: "Geoffrey" <Geoffrey@discussions.microsoft.com>

| Hey there, I have a "trojan" (I think) on my system. Found that in the
| system32 folder there is a file, keeps renaming itself stuff like oeookg.exe,
| idogga.exe, ofrcrn.exe, bukpuge.exe... etc. Every time I delete the process,
| it comes back as another process and re-names the file. I have tried deleting
| it in safe mode but the file still says in use. I have installed Symantec
| Corporate 9.0, but it doesn't pick it up. If anyone knows of a way to remove
| this, or a fix, please let me know. Thanks a lot for your help! Sincerely,
| Geoffrey.

Please submit a sample EXE file to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.
Then you will know what you are really dealing with if it is not detected by your Symantec
software.

Please post back the EXACT results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
June 14, 2005 1:45:05 AM

"Geoffrey" <Geoffrey@discussions.microsoft.com> wrote:

>Hey there, I have a "trojan" (I think) on my system. Found that in the
>system32 folder there is a file, keeps renaming itself stuff like oeookg.exe,
>idogga.exe, ofrcrn.exe, bukpuge.exe... etc. Every time I delete the process,
>it comes back as another process and re-names the file. I have tried deleting
>it in safe mode but the file still says in use. I have installed Symantec
>Corporate 9.0, but it doesn't pick it up. If anyone knows of a way to remove
>this, or a fix, please let me know. Thanks a lot for your help! Sincerely,
>Geoffrey.

Norton/Symantec is a mediocre antivirus program with minimal
spyware/trojan protection capability.

Get the free Microsoft Antispyware beta from
http://download.microsoft.com and let it scan the computer.

Follow this up with AdAware (free) from www.lavasoft.de and SpyBot
Search & Destroy from http://www.safer-networking.org/

Good luck


Ron Martell Duncan B.C. Canada
--
Microsoft MVP
On-Line Help Computer Service
http://onlinehelp.bc.ca

In memory of a dear friend Alex Nichol MVP
http://aumha.org/alex.htm
Anonymous
June 14, 2005 1:45:06 AM

Just for the record, there are many in the community who do not feel that
Norton Antivirus is a mediocre product. At any rate, what you have is not a
virus, but a Trojan, and best dealt with in the manner that Ron suggested.

Bobby

"Ron Martell" <ron.martell@gmail.com> wrote in message
news:1fvra15eee0q661i3s1fkontu043h6ft2p@4ax.com...
> "Geoffrey" <Geoffrey@discussions.microsoft.com> wrote:
>
>>Hey there, I have a "trojan" (I think) on my system. Found that in the
>>system32 folder there is a file, keeps renaming itself stuff like
>>oeookg.exe,
>>idogga.exe, ofrcrn.exe, bukpuge.exe... etc. Every time I delete the
>>process,
>>it comes back as another process and re-names the file. I have tried
>>deleting
>>it in safe mode but the file still says in use. I have installed Symantec
>>Corporate 9.0, but it doesn't pick it up. If anyone knows of a way to
>>remove
>>this, or a fix, please let me know. Thanks a lot for your help! Sincerely,
>>Geoffrey.
>
> Norton/Symantec is a mediocre antivirus program with minimal
> spyware/trojan protection capability.
>
> Get the free Microsoft Antispyware beta from
> http://download.microsoft.com and let it scan the computer.
>
> Follow this up with AdAware (free) from www.lavasoft.de and SpyBot
> Search & Destroy from http://www.safer-networking.org/
>
> Good luck
>
>
> Ron Martell Duncan B.C. Canada
> --
> Microsoft MVP
> On-Line Help Computer Service
> http://onlinehelp.bc.ca
>
> In memory of a dear friend Alex Nichol MVP
> http://aumha.org/alex.htm
Anonymous
June 14, 2005 12:17:05 PM

Hey there, I have tried that link, it was useful in clearing up some of the
problems with my pc, but I still have that one file in my system32 folder,
that runs as a process, and can't be deleted, even in safe mode. I have
installed, updated and run S&D, AdAware and Microsoft, and scanned it with my
Symantec Corporate Edition 9.0 (which I like very much). But it is still not
removing this file. The file is an 82KB application that changes its name as
I delete the process. Any other ideas? Thanks for your ideas! -Geoffrey.

"David H. Lipman" wrote:

> From: "Geoffrey" <Geoffrey@discussions.microsoft.com>
>
> | Hey there, I have a "trojan" (I think) on my system. Found that in the
> | system32 folder there is a file, keeps renaming itself stuff like oeookg.exe,
> | idogga.exe, ofrcrn.exe, bukpuge.exe... etc. Every time I delete the process,
> | it comes back as another process and re-names the file. I have tried deleting
> | it in safe mode but the file still says in use. I have installed Symantec
> | Corporate 9.0, but it doesn't pick it up. If anyone knows of a way to remove
> | this, or a fix, please let me know. Thanks a lot for your help! Sincerely,
> | Geoffrey.
>
> Please submit a sample EXE file to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against 18 different AV vendor's scanners.
>
> Another way to submit is to send the suspect file to the following email address
> scan<at>virustotal.com
> { replace <at> with @ } with only the word SCAN as the subject.
> Then you will know what you are really dealing with if it is not detected by your Symantec
> software.
>
> Please post back the EXACT results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
June 14, 2005 1:10:22 PM

I have figured out that it is the ABetterInternet trojan running on my system:
Aurora. Now I just have to figure out how to remove it, because my programs are
not. Thanks again for your help. Sincerely, Geoffrey.

"Geoffrey" wrote:

> Hey there, I have tried that link, it was useful on clearing up some of the
> problems with my pc, but I still have that one file in my system32 folder,
> that runs as a process, and can't be deleted, even in safe mode. I have
> installed, updated and ran; S&D, adaware, Microsoft, Scanned it with my
> Symantec Corporate Edition 9.0 (which I like very much). But it is still not
> removing this file. The file is 82KB, application, that will change names as
> I delete the process. Any other ideas? Thanks for your ideas! -Geoffrey.
>
> "David H. Lipman" wrote:
>
> > From: "Geoffrey" <Geoffrey@discussions.microsoft.com>
> >
> > | Hey there, I have a "trojan" (I think) on my system. Found that in the
> > | system32 folder there is a file, keeps renaming itself stuff like oeookg.exe,
> > | idogga.exe, ofrcrn.exe, bukpuge.exe... etc. Every time I delete the process,
> > | it comes back as another process and re-names the file. I have tried deleting
> > | it in safe mode but the file still says in use. I have installed Symantec
> > | Corporate 9.0, but it doesn't pick it up. If anyone knows of a way to remove
> > | this, or a fix, please let me know. Thanks a lot for your help! Sincerely,
> > | Geoffrey.
> >
> > Please submit a sample EXE file to Virus Total --
> > http://www.virustotal.com/flash/index_en.html
> > The submission will then be tested against 18 different AV vendor's scanners.
> >
> > Another way to submit is to send the suspect file to the following email address
> > scan<at>virustotal.com
> > { replace <at> with @ } with only the word SCAN as the subject.
> > Then you will know what you are really dealing with if it is not detected by your Symantec
> > software.
> >
> > Please post back the EXACT results.
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
> >
> >
> >
Anonymous
June 14, 2005 4:25:42 PM

From: "Geoffrey" <Geoffrey@discussions.microsoft.com>

| Hey there, I have tried that link, it was useful on clearing up some of the
| problems with my pc, but I still have that one file in my system32 folder,
| that runs as a process, and can't be deleted, even in safe mode. I have
| installed, updated and ran; S&D, adaware, Microsoft, Scanned it with my
| Symantec Corporate Edition 9.0 (which I like very much). But it is still not
| removing this file. The file is 82KB, application, that will change names as
| I delete the process. Any other ideas? Thanks for your ideas! -Geoffrey.
|

Download Pocket KillBox
http://www.bleepingcomputer.com/files/spyware/KillBox.z...

Extract killbox.exe from the ZIP file.
Execute; KillBox.exe

Click on Tools --> Select; Delete Temp Files.

Choose; OK

In the Full Path of File to Delete box, type the entire fully qualified path exactly

C:\Windows\system32\filename.exe

Select; Replace on Reboot

put a check in the box "Use Dummy"

Click The Red circle and a white X

When prompted to Replace on Reboot, click YES

If prompted to Reboot Now, Click YES

Allow the PC to shutdown and reboot

Re-scan with the anti malware tool that detects 'A Better Internet.'

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
June 25, 2005 12:02:11 PM

Hi Everyone,

While I am new to google groups, I am a PC veteran with over 20 yrs
experience. I've just come across the same 82k file in the ..\system32
folder. The symptoms are the same. The filename is random and can't
be deleted unless you end the process that file starts. Once you use
the task manager to kill the process, the 82k file renames itself and
starts a new process.

Note the file is always 82k and always in the system32 folder. The
process too keeps renaming itself. The time stamp also changes
randomly. This is the nastiest virus I've ever come across. I blew
three hours trying to remove it. I ended up reformatting the C: drive
(I always keep data on the D: partition).

Other facts:
- safe mode didn't help
- the latest AdAware (1.06), Spybot (1.4) and Microsoft tools all
detect it, but none can remove it, it always comes back
- I tried disabling it in the startup control panel, no use, it comes
back
- I used several tools to 'delete on reboot', but it comes back
- I even tried unplugging the A/C thinking it may rename itself on
power down, still comes back
- I checked the boot.ini and win.ini files, nothing
- norton finds it but can't fix, quarantine or delete it

It must have a sister process/virus working in tandem. I suspect it
works something like:
say you have trojan A and B, everything ID's it, but when you kill A,
B recreates it as C, then when you delete B, C recreates it as D and
the loop goes on.

I've traced it to variants of VX2, ABetterInternet, Aurora and all
research shows it is a bitch to remove.

Even SAFE mode showed the expected 12 processes but I can't seem to
trace the source of the reinfection.

If anyone has more info, please email me directly

Thanks


Richard
richard@compunetics.ca
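The indicators both posters describe (an unknown executable in system32, always the same size, a random name that changes after each kill, a timestamp newer than the OS install, and a live process) are exactly the kind of thing a triage script can score without signatures. The following is an added example, not code posted in this thread or shipped by any of the tools named here: it scores a constructed listing of system32 against those indicators and then groups the suspects by file size, so that two differently named copies of the same 82 KB binary (the "A and B" pair Richard suspects) are reported together. The baseline name list, install timestamp, file sizes and the `vendor_tool.exe` entry are all assumptions made up for the example; a real baseline would be a hash list from install media.

```python
"""Added triage example (not from the thread): score executables in a
system32 listing against the indicators the posters describe, and group
the suspects by size so renamed copies of one binary show up together."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample listing of C:\Windows\system32:
# (file name, size in bytes, last-modified time, currently running as a process).
# The random names are the ones reported in the thread; sizes and timestamps
# are made up for this example (82 KB = 83968 bytes).
SNAPSHOT = [
    ("svchost.exe",     14336,  "2004-08-04T12:00:00", True),
    ("notepad.exe",     69120,  "2004-08-04T12:00:00", False),
    ("calc.exe",        114688, "2004-08-04T12:00:00", False),
    ("oeookg.exe",      83968,  "2005-06-13T17:01:12", True),
    ("idogga.exe",      83968,  "2005-06-13T17:22:40", True),
    ("vendor_tool.exe", 204800, "2005-06-01T09:00:00", False),  # hypothetical benign newcomer
]

# Hypothetical baseline of names known to belong to the OS install; a real
# baseline would be a hash list taken from install media or a clean machine.
BASELINE = {"svchost.exe", "notepad.exe", "calc.exe"}
INSTALL_TIME = datetime(2004, 8, 4, 12, 0, 0)  # constructed OS install timestamp
EXE_NAME = re.compile(r"^[a-z0-9_-]+\.exe$", re.IGNORECASE)


def score_entries(snapshot, baseline=BASELINE, install_time=INSTALL_TIME):
    """Return {name: score} for every .exe that is not on the baseline.
    One point each for: unknown to the baseline, modified after the OS
    install, sharing its exact size with another unknown file (the
    'renamed copy' signal from the thread), and running as a process."""
    unknown = [
        (name, size, datetime.fromisoformat(mtime), running)
        for name, size, mtime, running in snapshot
        if EXE_NAME.match(name) and name.lower() not in baseline
    ]
    size_counts = defaultdict(int)
    for _, size, _, _ in unknown:
        size_counts[size] += 1
    scores = {}
    for name, size, mtime, running in unknown:
        score = 1                                # not on the baseline
        score += int(mtime > install_time)       # changed after the OS install
        score += int(size_counts[size] > 1)      # same size as another unknown file
        score += int(running)                    # live process
        scores[name] = score
    return scores


def triage(snapshot, threshold=3, **kwargs):
    """Group suspects with score >= threshold by file size, so the pair of
    identical-size files that respawn each other is reported as one cluster."""
    scores = score_entries(snapshot, **kwargs)
    size_of = {name: size for name, size, _, _ in snapshot}
    clusters = defaultdict(list)
    for name, score in scores.items():
        if score >= threshold:
            clusters[size_of[name]].append(name)
    return dict(clusters)


if __name__ == "__main__":
    for size, names in triage(SNAPSHOT).items():
        print(f"{size} bytes: {', '.join(names)}")
```

On the constructed listing the two random-named files score 4 and land in one 83968-byte cluster, while the hypothetical `vendor_tool.exe` scores 2 (unknown and recent, but neither running nor size-matched) and is left alone. Reporting the cluster rather than one file is the point: killing one member of the pair, as the thread shows, only gets it recreated by the other, so both names need to go in the same reboot-time removal.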
Anonymous
June 25, 2005 8:02:52 PM

From: "RickMtl" <richard@compunetics.ca>

| Hi Everyone,
|
| While I am new to google groups, I am a PC veteran with over 20 yrs
| experience. I've just come across the same 82k file in the ..\system32
| folder. The symptoms are the same. The filename is random and can't
| be deleted unless you end the process that file starts. Once you use
| the task manager to kill the process, the 82k file renames itself and
| starts a new process.
|
| Note the file is always 82k and always in the system32 folder. The
| process too keeps renaming itself. The time stamp also changes
| randomly. This is the nastiest virus I've ever come across. I blew
| three hours trying to remove it. I ended up reformatting the C: drive
| (I always keep data on the D: partition)
|
| Other facts:
| - safe mode didn't help
| - the latest AdAware (1.06), Spybot (1.4) and Microsoft tools all
| detect it, but none can remove it, it always comes back
| - I tried disabling it in the startup control panel, no use, it comes
| back
| - I used several tools to 'delete on reboot', but it comes back
| - I even tried unplugging the A/C thinking it may rename itself on
| power down, still comes back
| - I checked the boot.ini and win.ini files, nothing
| - norton finds it but can't fix, quarantine or delete it
|
| It must have a sister process/virus working in tandem. I suspect it
| works something like:
| say you have trojan A and B, everything ID's it, but when you kill A,
| B recreates it as C, then when you delete B, C recreates it as D and
| the loop goes on.
|
| I've traced it to variants of VX2, ABetterInternet, Aurora and all
| research shows it is a bitch to remove.
|
| Even SAFE mode showed the expected 12 processes but I can't seem to
| trace the source of the reinfection.
|
| If anyone has more info, please email me directly
|
| Thanks
|
| Richard
| richard@compunetics.ca

Start by downloading and using the Lavasoft VX2 plug-in for Ad-aware SE.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
June 27, 2005 2:06:28 PM

Hi Dave,

Thanks so much for that information. I didn't realize there were
options for AdAware. I downloaded the plugin and have added it to my
arsenal of files that I bring around to clients with me.

I am concerned that the writers of these things are getting nastier.
99% of Malware used to be relatively simple to remove. Lately I've
come across several (this VX2 / ABetterInternet was the worst) that took
hours to trace and remove. :(

Thanks again!

Richard

David H. Lipman wrote:
> From: "RickMtl" <richard@compunetics.ca>
>
> | Hi Everyone,
> |
> | While I am new to google groups, I am a PC veteran with over 20 yrs
> | experience. I've just come across the same 82k file in the ..\system32
> | folder. The symptoms are the same. The filename is random and can't
> | be deleted unless you end the process that file starts. Once you use
> | the task manager to kill the process, the 82k file renames itself and
> | starts a new process.
> |
> | Note the file is always 82k and always in the system32 folder. The
> | process too keeps renaming itself. The time stamp also changes
> | randomly. This is the nastiest virus I've ever come across. I blew
> | three hours trying to remove it. I ended up reformatting the C: drive
> | (I always keep data on the D: partition)
> |
> | Other facts:
> | - safe mode didn't help
> | - the latest AdAware (1.06), Spybot (1.4) and Microsoft tools all
> | detect it, but none can remove it, it always comes back
> | - I tried disabling it in the startup control panel, no use, it comes
> | back
> | - I used several tools to 'delete on reboot', but it comes back
> | - I even tried unplugging the A/C thinking it may rename itself on
> | power down, still comes back
> | - I checked the boot.ini and win.ini files, nothing
> | - norton finds it but can't fix, quarantine or delete it
> |
> | It must have a sister process/virus working in tandem. I suspect it
> | works something like:
> | say you have trojan A and B, everything ID's it, but when you kill A,
> | B recreates it as C, then when you delete B, C recreates it as D and
> | the loop goes on.
> |
> | I've traced it to variants of VX2, ABetterInternet, Aurora and all
> | research shows it is a bitch to remove.
> |
> | Even SAFE mode showed the expected 12 processes but I can't seem to
> | trace the source of the reinfection.
> |
> | If anyone has more info, please email me directly
> |
> | Thanks
> |
> | Richard
> | richard@compunetics.ca
>
> Start by downloading and using the Lavasoft VX2 plug-in for Ad-aware SE.
>
Anonymous
July 6, 2005 11:37:50 PM

"" wrote:
> Hi Dave,
>
> Thanks so much for that information. I didn't realize there
> were
> options for AdAware. I downloaded the plugin and have added
> it to my
> arsenal of files that I bring around to clients with me.
>
> I am concerned that the writers of these things are getting
> nastier.
> 99% of Malware used to be relatively simple to remove.
> Lately I've
> come across several (this VX2 / ABetterInternet was the worst)
> that took
> hours to trace and remove. :( 
>
> Thanks again!
>
> Richard
>
> David H. Lipman wrote:
> > From: "RickMtl" <richard@compunetics.ca>
> >
> > | Hi Everyone,
> > |
> > | While I am new to google groups, I am a PC veteran with
> over 20 yrs
> > | experience. I've just come across the same 82k file in
> the ..\system32
> > | folder. The symptoms are the same. The filename is
> random and can't
> > | be deleted unless you end the process that file starts.
> Once you use
> > | the task manager to kill the process, the 82k file renames
> itself and
> > | starts a new process.
> > |
> > | Note the file is always 82k and always in the system32
> folder. The
> > | process too keeps renaming itself. The time stamp also
> changes
> > | randomly. This is the nastiest virus I've ever come
> across. I blew
> > | three hours trying to remove it. I ended up reformatting
> the C: drive
> > | (I always keep data on the D: partition)
> > |
> > | Other facts:
> > | - safe mode didn't help
> > | - the latest AdAware (1.06), Spybot (1.4) and Microsoft
> tools all
> > | detect it, but none can remove it, it always comes back
> > | - I tried disabling it in the startup control panel, no
> use, it comes
> > | back
> > | - I used several tools to 'delete on reboot', but it comes
> back
> > | - I even tried unplugging the A/C thinking it may rename
> itself on
> > | power down, still comes back
> > | - I checked the boot.ini and win.ini files, nothing
> > | - norton finds it but can't fix, quarantine or delete it
> > |
> > | It must have a sister process/virus working in tandem. I
> suspect it
> > | works something like:
> > | say you have trojan A and B, everything ID's it, but when
> you kill A,
> > | B recreates it as C, then when you delete B, C recreates
> it as D and
> > | the loop goes on.
> > |
> > | I've traced it to variants of VX2, ABetterInternet, Aurora
> and all
> > | research shows it is a bitch to remove.
> > |
> > | Even SAFE mode showed the expected 12 processes but I
> can't seem to
> > | trace the source of the reinfection.
> > |
> > | If anyone has more info, please email me directly
> > |
> > | Thanks
> > |
> > | Richard
> > | richard@compunetics.ca
> >
> > Start by downloading and using the Lavasoft VX2 plug-in for
> Ad-aware SE.
> >

This trojan is identified by several different names depending on what
program you're using, i.e.

AntiVir TR/Agent.AY.4.A
AVG Agent.AH
Avira TR/Agent.AY.4.A
BitDefender7.0 Trojan.Agent.AY
ClamAVdevel no virus found
DrWeb no virus found
eTrust-Iris Win32/BettInet.AN!Trojan
eTrust-Vet Win32.BettInet.AN
Fortinet W32/Agent.AY-tr
Ikarus no virus found
Kaspersky Trojan.Win32.Agent.ay
McAfee potentially unwanted program Downloader-KL
NOD32v2 Win32/Agent.AY
Norman no virus found
Panda Adware/Twain-Tech
Sybari Win32/BettInet.AN!Trojan
Symantec no virus found
TheHacker Trojan/Agent.ay
VBA32 Trojan.Win32.Agent.ay

If you want directions on removing this, follow this link and follow
the instructions. It works; I know because it took me two months to
find this doc and it took me maybe 20 minutes to remove the
trojan/virus.
____________________________________________________________

www.hauri.com.sg/html/support/virus_read.html?code=TRW3...
____________________________________________________________
I feel Your Pain :x -Destination- Good Luck

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Security-Admin-Identifying...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1758125
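The multi-engine listing above is useful mostly once the vendor naming is normalised: a defender wants to know how many engines flagged the sample and whether they agree on what it is, not nineteen different labels. The parser below is an added example, not something posted in this thread or a tool from VirusTotal or any vendor: it reads the engine/verdict lines exactly as posted, counts detections, and folds each vendor's prefixes (`TR/`, `Trojan.`, `Win32/`, `W32/`, `Adware/`, the McAfee "potentially unwanted program" wording) down to a family name. The prefix list and the "no virus found" clean marker are assumptions taken from this one report's format, not from any vendor specification.

```python
"""Added example (not from the thread): parse the multi-engine report posted
above, count how many engines detected the sample, and normalise each vendor's
verdict to a family name so the naming differences stop hiding the consensus."""
import re
from collections import Counter

# The engine/verdict lines below are copied from the report in this post.
REPORT = """\
AntiVir TR/Agent.AY.4.A
AVG Agent.AH
Avira TR/Agent.AY.4.A
BitDefender7.0 Trojan.Agent.AY
ClamAVdevel no virus found
DrWeb no virus found
eTrust-Iris Win32/BettInet.AN!Trojan
eTrust-Vet Win32.BettInet.AN
Fortinet W32/Agent.AY-tr
Ikarus no virus found
Kaspersky Trojan.Win32.Agent.ay
McAfee potentially unwanted program Downloader-KL
NOD32v2 Win32/Agent.AY
Norman no virus found
Panda Adware/Twain-Tech
Sybari Win32/BettInet.AN!Trojan
Symantec no virus found
TheHacker Trojan/Agent.ay
VBA32 Trojan.Win32.Agent.ay
"""

# Assumed from this report's format: the phrase an engine prints when clean,
# and the platform/type prefixes vendors put in front of the family name.
CLEAN_VERDICTS = {"no virus found"}
PREFIX = re.compile(r"^(?:trojan|tr|win32|w32|adware)[./:]", re.IGNORECASE)
PUP_PREFIX = re.compile(r"^potentially unwanted program\s+", re.IGNORECASE)


def parse_report(text):
    """Return a list of (engine, verdict) pairs; verdict is None for a clean result."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        engine, _, verdict = line.partition(" ")   # engine names contain no spaces
        verdict = verdict.strip()
        rows.append((engine, None if verdict.lower() in CLEAN_VERDICTS else verdict))
    return rows


def family(verdict):
    """Strip vendor prefixes and variant suffixes: 'Trojan.Win32.Agent.ay' -> 'agent'."""
    name = PUP_PREFIX.sub("", verdict)
    while PREFIX.match(name):                       # prefixes can stack (Trojan.Win32.)
        name = PREFIX.sub("", name, count=1)
    match = re.match(r"[A-Za-z0-9]+", name)         # family ends at '.', '-', '!' or '/'
    return match.group(0).lower() if match else name.lower()


def summarize(text):
    """Return (detections, engines, Counter of family names)."""
    rows = parse_report(text)
    families = Counter(family(v) for _, v in rows if v is not None)
    detections = sum(1 for _, v in rows if v is not None)
    return detections, len(rows), families


if __name__ == "__main__":
    detected, total, families = summarize(REPORT)
    print(f"{detected}/{total} engines flagged the sample")
    for name, count in families.most_common():
        print(f"  {name}: {count}")
```

Run against the posted report this gives 14 of 19 engines detecting, with nine of them naming the Agent family and three BettInet; the single Downloader and Twain-Tech labels are outliers rather than disagreement about whether the file is malicious. The five "no virus found" rows, Symantec among them, are the practical reason Dave's advice to submit the sample rather than trust one scanner is sound.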
Anonymous
July 7, 2005 3:16:55 AM

From: "destination" <UseLinkToEmail@WindowsForumz.com>


| This trojan is identified by several different names depending on what
| program you're using, i.e.
|
| AntiVir TR/Agent.AY.4.A
| AVG Agent.AH
| Avira TR/Agent.AY.4.A
| BitDefender7.0 Trojan.Agent.AY
| ClamAVdevel no virus found
| DrWeb no virus found
| eTrust-Iris Win32/BettInet.AN!Trojan
| eTrust-Vet Win32.BettInet.AN
| Fortinet W32/Agent.AY-tr
| Ikarus no virus found
| Kaspersky Trojan.Win32.Agent.ay
| McAfee potentially unwanted program Downloader-KL
| NOD32v2 Win32/Agent.AY
| Norman no virus found
| Panda Adware/Twain-Tech
| Sybari Win32/BettInet.AN!Trojan
| Symantec no virus found
| TheHacker Trojan/Agent.ay
| VBA32 Trojan.Win32.Agent.ay
|
| If you want directions on removing this follow this link and follow
| the instructions-its works-i know because it took me two months to
| find this doc and it took me maybe 20 minutes to remove the
| trojan/virus.


Based upon the above Virus Total log...

The following Multi-Vendor Command Line Scanner front end utility can be used to clean the
affected PC...

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm