Trojan problem

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Hi Group,

I have a trojan problem, or at least that's what I think is going on with
my computer.
I have a Sony laptop running WinXP, all updates, running NAV '03, no firewall
since I'm connected to a router with built-in firewall (Cayman). I assigned
port forwarding so I can access my laptop from home and of course I leave my
computer on every night. When I arrived Monday morning and checked my
computer, there was a message from NAV: it had encountered the W32.Gobot.A
virus and it couldn't delete it but it managed to quarantine it. I figured
no problem...then a few minutes later I saw many, many outgoing e-mails being
scanned by NAV...and OE wasn't even running....it didn't report any virus,
but some were being blocked by our e-mail server because of spam, but most
were going through. Immediately I unplugged the network cable and of course it
stopped. Then I scanned for viruses and none were found...also used TrojanHunter
and it reported nothing...ran Spybot and it found several spyware, which
were fixed. Again I plugged back the network cable and again it tried to
send out many e-mails...again I ran NAV, TrojanHunter and Spybot and all
came out clean, but I still have the same problem. Has anyone else
experienced this same problem, was there a fix to it? If anyone can offer me
some help, it would be greatly appreciated.

Thanks
Marco
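
An added example, not part of the original post: when mail is leaving the machine with no mail client running and scanners come back clean, the owning process can be identified from `netstat -ano` and `tasklist /fo csv /nh` output. The sample output, addresses and the image name `example-unknown.exe` below are constructed for illustration, and `tasklist` is assumed to be available (it ships with XP Professional).

```python
import csv
import io
from collections import Counter

# Constructed sample of `netstat -ano` output (documentation-range addresses).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1045      203.0.113.10:25        ESTABLISHED     1732
  TCP    192.168.1.20:1046      198.51.100.7:25        SYN_SENT        1732
  TCP    192.168.1.20:1047      198.51.100.9:25        ESTABLISHED     1732
  TCP    192.168.1.20:1050      192.0.2.80:80          ESTABLISHED     988
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
"""

# Constructed sample of `tasklist /fo csv /nh` output; the name for PID 1732 is made up.
TASKLIST = '''\
"svchost.exe","884","Console","0","4,120 K"
"iexplore.exe","988","Console","0","21,300 K"
"example-unknown.exe","1732","Console","0","3,004 K"
'''

MAIL_CLIENTS = {"msimn.exe", "outlook.exe"}  # msimn.exe is Outlook Express

def smtp_connections(netstat_text, port=25):
    """Count outbound TCP connections to the given remote port, per PID."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] == "LISTENING":
            continue  # skips the header, UDP rows and listening sockets
        if f[2].rsplit(":", 1)[-1] == str(port):
            counts[int(f[4])] += 1
    return counts

def process_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) >= 2}

def suspicious_senders(netstat_text, tasklist_csv):
    """Return (pid, image, connection count) for non-mail-client SMTP talkers."""
    names = process_names(tasklist_csv)
    hits = [(pid, names.get(pid, "<unknown>"), n)
            for pid, n in smtp_connections(netstat_text).most_common()]
    return [h for h in hits if h[1].lower() not in MAIL_CLIENTS]

if __name__ == "__main__":
    for pid, image, n in suspicious_senders(NETSTAT, TASKLIST):
        print(f"PID {pid} ({image}): {n} outbound SMTP connection(s)")
```
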
  1. Have you checked here
    http://securityresponse.symantec.com/avcenter/venc/data/w32.gobot.a.html

    --

    Harry Ohrn MS-MVP [Shell/User]
    www.webtree.ca/windowsxp
  2. Hi Limonzito - Download and run the free or trial version of A2 Personal,
    here: http://www.emsisoft.com/en/ UPDATE, then run from a Clean Boot or Safe
    Mode with Show Hidden Files enabled as below (from my Blog, address in
    Signature). Continue to re-run A2 in Safe mode or from a Clean Boot until
    no more problems are found, then reboot to normal operation and run one more
    time. You might also want to run SysClean, below:


    Show hidden files and run all removal tools from Safe mode or a "Clean Boot"
    when possible, logged on as an Administrator. BEFORE running these tools, be
    sure to clear all Temp files and your Temporary Internet Files
    (TIF)(including offline content.) Reboot and test if the malware is fixed
    after using each tool.

    HOW TO Enable Hidden Files
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

    Clean Boot - General Win2k/XP procedure, but see below for links for other
    OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
    http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):

    1. Start | Run, enter msconfig.

    2. On the General tab, click Selective Startup, and then clear the 'Process
    System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
    boxes. Leave the 'boot.ini' boxes however they are currently set.

    3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
    and then click the "Disable All" button. If you use a third party firewall
    then re-check (enable) it. For example, if you use Zone Alarm, re-check the
    True Vector Internet Monitor service (and you may also want to re-check
    (enable) the zlclient on the Startup tab.) Equivalent services exist for
    other third party firewalls. An alternative to this for XP users is to
    enable at this time the XP native firewall (Internet Connection Firewall -
    ICF). Be sure to turn it back off when you re-enable your non-MS services
    and Startup tab programs and restore your normal msconfig configuration
    after cleaning your machine.

    4. Click OK and then reboot.

    For additional information about how to clean boot your operating system,
    click the following article links to view the articles in the Microsoft
    Knowledge Base:

    310353 How to Perform a Clean Boot in Windows XP
    http://support.microsoft.com/kb/310353
    281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
    http://support.microsoft.com/kb/281770/EN-US/
    267288 How to Perform a Clean Boot in Windows Millennium Edition
    http://support.microsoft.com/kb/267288/EN-US/
    192926 How to Perform Clean-Boot Troubleshooting for Windows 98
    http://support.microsoft.com/kb/192926/EN-US/
    243039 How to Perform a Clean Boot in Windows 95
    http://support.microsoft.com/kb/243039/EN-US/


    SysClean

    Boot to Safe mode with Network Support (HowTo here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
    or a Clean Boot as above.

    Download sysclean.com , from Trend Micro, here:
    http://www.trendmicro.com/download/dcs.asp along with the latest released
    pattern file, here: http://www.trendmicro.com/download/pattern.asp Be sure
    to read the "How-to" info here:
    http://www.trendmicro.com/ftp/products/tsc/readme.txt

    You might also want to get Art's updater, SYS-UP.Zip, here for future
    updating of these:
    http://bilder.informationsarchiv.net/Nikitas_Tools/SYS-UP.ZIP (If you
    download and use the updater from the beginning, it will automatically
    handle downloading the other files.)

    An alternative automatic updater which adds some capabilities to Art's
    updater, such as restarting in Safe mode to run, etc., SYSCLEAN_FE , is
    available here: http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe.
    There's a brief description here: http://www.ik-cs.com/more_information.htm.
    I would recommend that you use Clean Boot with either updater, however.

    NOTE: You can get a somewhat more current interim pattern file, the
    Controlled Pattern Release, here and manually unzip it to your SysClean
    folder: http://www.trendmicro.com/download/pattern-cpr-disclaimer.asp Look
    for the lptxxx.zip file after you agree to the terms. (Sorry, but the
    Updaters won't go get this one for you. However, if you manually download
    the CPR first and then use one of the updaters, SysClean will automatically
    use these CPR definitions when it starts.)

    Place them in a dedicated folder after appropriate unzipping.

    Show hidden and system files (HowTo here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)

    If you're using WindowsME or WindowsXP, SysClean (and the other cleaning
    tools below) may find infections within Restore Points which it will be
    unable to clean. You may choose to disable Restore if you're on XP or ME
    (directions here:
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will
    eliminate ALL previous Restore Points, or alternatively, you can wait until
    cleaning is completed and then use the procedure within the *********'s
    below to delete all older, possibly infected Restore Points and save a new,
    clean one. This approach is in the spirit of "keep what you've got" so that
    you can recover to an at least operating albeit infected system if you
    inadvertently delete something vital, and is the approach I recommend that
    you take.

    Read tscreadme.txt carefully, then do a complete scan of your system and
    clean or delete anything it finds EXCEPT EMAIL DATABASES OR FILES. These
    need special handling. See here:
    http://www.ik-cs.com/virus-emaildatabase.htm

    Reboot and re-run SysClean and continue this procedure until you get a clean
    scan or nothing further can be cleaned/removed.

    Now reboot to normal mode and re-run the scan again.

    This scan may take a long time, as Sysclean is VERY extensive and thorough.
    For example, one user reported that Sysclean found 69 hits that an
    immediately prior Norton AV v. 11.0.2.4 run had missed.


    --
    Regards, Jim Byrd, MS-MVP
    My Blog, Defending Your Machine, here:
    http://defendingyourmachine.blogspot.com/
  3. yes, tried it, but NAV doesn't find any more files infected with any
    virus...
    I'll keep checking others posts.

    thanks

    "Harry Ohrn" <harry---@webtree.ca> wrote in message
    news:uM%233dKBeFHA.1288@tk2msftngp13.phx.gbl...
    > Have you checked here
    > http://securityresponse.symantec.com/avcenter/venc/data/w32.gobot.a.html
    >
    > --
    >
    > Harry Ohrn MS-MVP [Shell/User]
    > www.webtree.ca/windowsxp
  4. Did you run a virus scan in Safe Mode?

    I had the same thing happen when I updated some of our PCs from Symantec 8.0
    to 9.0. I ended up having to put 8.0 back in to solve the problem. Nothing I
    did would stop it. Uninstalling, reinstalling. Hours wasted.

    "Limonzito" wrote:
    "there was a message from NAV, it had encountered the W32.Gobot.A
    virus and it couldn't delete it but it managed to quarantine it."

    I'd like to know why Norton can always find these things but not remove
    them. People rip McAfee but at least it can stop these things before they get
    their hooks in. Symantec/Norton is just a waste of money.
    --
    That's just like my opinion, Man........
  5. Hello,
    --
    KD If you find a virus keeps coming back after you delete it, it's most
    probably infected the System Restore folder. The best way to solve this is to
    disable System Restore, reboot your machine and then enable it again. After
    all, run a full avast! scan. System Restore cannot be disabled on Windows
    9x.

    Turn off System Restore
    To turn off System Restore, follow these steps:
    1. Click Start, right-click My Computer, and then click Properties.
    2. Click the System Restore tab.
    3. Select the Turn off System Restore check box (or the Turn off System
    Restore on all drives check box), and then click OK.
    4. Click Yes when you receive the prompt to turn off System Restore.

    Turn on System Restore
    To turn on System Restore, follow these steps:
    1. Click Start, right-click My Computer, and then click Properties.
    2. Click the System Restore tab.
    3. Clear the Turn off System Restore check box (or the Turn off System
    Restore on all drives check box), and then click OK.