Re: Is there a tools to clean Trojan-psw ?

Microsoft Antivirus Discussions
Posted by David H. Lipman on May 25, 2007, 2:13 pm

| My computer has Trend antivirus installed (up-to-date) and it can't get rid of
| a trojan on my PC. Is there any special tool for cleaning this virus? I
| googled it and didn't find a tool.
| I have enclosed a screenshot.
|
| Thank you for helping.
|
| Mingo
|


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Mingo on May 28, 2007, 5:23 am
Thanks Dave for the tool!

Here is the scan report:
****************************************************
--------------------KAV normal mode-----------------------------
Scan process completed.

Result for all objects:

Sector Objects : 0 Known viruses : 3
Files : 150990 Virus bodies : 8
Folders : 667 Disinfected : 0
Archives : 286 Deleted : 7
Packed : 17 Warnings : 0
Suspicious : 0
Scan speed (Kb/sec) : 569 Corrupted : 0
Scan time : 00:48:36 I/O Errors : 0


------------------------KAV Under safe mode--------------
Scan process completed.

Result for all objects:

Sector Objects : 0 Known viruses : 3
Files : 272607 Virus bodies : 11
Folders : 2798 Disinfected : 0
Archives : 18892 Deleted : 9
Packed : 139 Warnings : 0
Suspicious : 0
Scan speed (Kb/sec) : 1305 Corrupted : 0
Scan time : 02:15:06 I/O Errors : 5



---------------------------Sophos in safe mode---------------------
Full Scanning

Could not open C:\Documents and Settings\easter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open C:\Documents and Settings\easter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not open C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Password protected file C:\WINDOWS\Cache\Adobe Reader 6.0\ENUBIG\Data1.cab\RdrMsgENU.pdf
Could not open C:\WINDOWS\SYSTEM32\CatRoot2\edb.log
Could not open C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb
Could not open C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
>>> Virus 'Troj/Lineag-Gen' found in file C:\WINDOWS\SYSTEM32\PDLL.dll
Removal successful

1 master boot record swept.
93186 files swept in 1 hour, 27 minutes and 5 seconds.
8 errors were encountered.
1 virus was discovered.
1 file out of 93186 was infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
1 encrypted file was not checked.
Ending Sophos Anti-Virus.

*********************************************************

My PC is back to normal. Thanks again Dave!

Best regards,

Mingo






Posted by David H. Lipman on May 28, 2007, 10:05 am

| Thanks Dave for the tool!
|

< snip >

>>>> Virus 'Troj/Lineag-Gen' found in file C:\WINDOWS\SYSTEM32\PDLL.dll
< snip >
|
| My Pc is back to normal. Thanks again dave!
|
| Best regards,
|
| Mingo
|


Hi Mingo:

Don't know what Kaspersky found but Sophos found the Lineage Trojan.

I'm glad that my tool worked for you and thanks for updating the thread.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Mingo on May 29, 2007, 7:16 am
Hello Dave!

I have another infected PC (Win XP) and I ran your tool with the following
scan report. I truncated the long list.

************************KAV under safe mode*****************************************
Version 3.0 build 135
Last update: 29.05.2007, 333325 records.

c:\WINDOWS\AVP.EXE infected: Trojan-PSW.Win32.Maran.et
c:\WINDOWS\AVP.EXE deleted: Trojan-PSW.Win32.Maran.et
c:\WINDOWS\AVP.RAR archive: RAR
c:\WINDOWS\AVP.RAR/avp.exe infected: Trojan-PSW.Win32.Maran.et
c:\WINDOWS\AVP.RAR/avp.exe disinfection failed: Trojan-PSW.Win32.Maran.et
c:\WINDOWS\AVP.RAR disinfection failed: Trojan-PSW.Win32.Maran.et
c:\WINDOWS\HPQ1280H.BMP archive: Tar
c:\WINDOWS\HPQ1280H.BMP Tar: unknown format.
c:\WINDOWS\ZAPOTEC.BMP packed: Edit


c:\WINDOWS\SYSTEM32\NETSETUP.EXE/data0000.cab archive: CAB
c:\WINDOWS\SYSTEM32\NLSFUNC.EXE packed: ExePack
c:\WINDOWS\SYSTEM32\OD10ME~1.DLL infected: Trojan-PSW.Win32.Maran.eu
c:\WINDOWS\SYSTEM32\OD6MEDIA.DLL infected: Trojan-PSW.Win32.Maran.dy
c:\WINDOWS\SYSTEM32\OD6MEDIA.DLL deleted: Trojan-PSW.Win32.Maran.dy
c:\WINDOWS\SYSTEM32\SEASID~1.SCR infected: not-a-virus:AdWare.Win32.GAINNetwork.b
c:\WINDOWS\SYSTEM32\SEASID~1.SCR deleted: not-a-virus:AdWare.Win32.GAINNetwork.b
c:\WINDOWS\SYSTEM32\SHARE.EXE packed: ExePack
c:\WINDOWS\SYSTEM32\SHARE.EXE packed: Com2Exe
c:\WINDOWS\SYSTEM32\SHDOCLC.DLL archive: Embedded HTML
c:\WINDOWS\SYSTEM32\SQLSODBC.CHM archive: CHM
c:\WINDOWS\SYSTEM32\SYSPRINT.SEP archive: Mail
c:\WINDOWS\SYSTEM32\SYSPRTJ.SEP archive: Mail
c:\WINDOWS\SYSTEM32\UDHISAPI.DLL archive: Mail
c:\WINDOWS\SYSTEM32\WEBFLDRS.MSI archive: Embedded
c:\WINDOWS\SYSTEM32\WEBFLDRS.MSI/Cabinet.1.CAB archive: CAB
c:\WINDOWS\SYSTEM32\WMPLOC.DLL archive: Embedded HTML
c:\WINDOWS\SYSTEM32\XPSP2RES.DLL archive: Embedded HTML
c:\WINDOWS\SYSTEM32\XPSP3RES.DLL archive: Embedded HTML

Scan process completed.
Result for all objects:
Sector Objects : 0 Known viruses : 4
Files : 139859 Virus bodies : 5
Folders : 2434 Disinfected : 0
Archives : 10319 Deleted : 3
Packed : 176 Warnings : 0
Suspicious : 0
Scan speed (Kb/sec) : 1710 Corrupted : 0
Scan time : 01:12:11 I/O Errors : 0

**************************Sophos under safe mode***********************************

Full Scanning

Password protected file C:\compaq\Acrobat_Reader\Data1.cab\RdrMsgENU.pdf
Password protected file C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat.0\Messages\CHT\read0700win_CHTadbe0700.pdf
Could not open C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not open C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Password protected file C:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\CHT\RdrMsgCHT.pdf
Password protected file C:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\ENU\RdrMsgENU.pdf
Password protected file C:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\RdrMsgSplash.pdf
Password protected file C:\Program Files\Adobe\Acrobat 7.0\Reader\WebSearch\WebSearchENU.pdf
Password protected file C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\CHT\Data1.cab\WebSearchENU.pdf
Password protected file C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\CHT_\Data1.cab\WebSearchENU.pdf
>>> Virus 'Troj/Maran-Gen' found in file C:\WINDOWS\avp.rar\avp.exe
Removal successful
Could not check C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18adf2c552e920168522e0231bd1f2f39\BIT2.tmp\SfxArchiveData\mrt.exe._p (virus scan failed)
Could not open C:\WINDOWS\system32\config\system.LOG
>>> Virus 'Mal/Maran-A' found in file C:\WINDOWS\system32\od10media.dll
Removal failed

1 master boot record swept.
28623 files swept in 1 hour, 0 minutes and 28 seconds.
14 errors were encountered.
2 viruses were discovered.
2 files out of 28623 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
8 encrypted files were not checked.
Ending Sophos Anti-Virus.
************************************************************************

The problem is that both AVs cannot remove this file (Virus 'Mal/Maran-A'
found in file C:\WINDOWS\system32\od10media.dll) and it won't let me delete it
manually.

Also, the PC will not reboot or shut down properly; it freezes at the shutdown
screen. Is this problem related to the virus?

Thank you again for your time & help!

Regards,
Mingo




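Reading the two reports above side by side by hand is error-prone: Kaspersky and Sophos name the same file differently (upper-case 8.3 short names, '/' versus '\' before an archive member) and record removal in different ways. As an added example, not part of the original thread and not part of Dave's Multi_AV tool, the Python below parses the result lines of both formats, merges them per file, and lists what was detected but removed by neither scanner. The sample lines are a constructed excerpt modelled on the second report, re-joined where the forum wrapped them; `correlate` and `outstanding` are names chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the two Safe Mode reports in the thread:
# wrapped lines are re-joined and the list is shortened.
KAV_SAMPLE = r"""
c:\WINDOWS\AVP.EXE infected: Trojan-PSW.Win32.Maran.et
c:\WINDOWS\AVP.EXE deleted: Trojan-PSW.Win32.Maran.et
c:\WINDOWS\AVP.RAR archive: RAR
c:\WINDOWS\AVP.RAR/avp.exe infected: Trojan-PSW.Win32.Maran.et
c:\WINDOWS\AVP.RAR/avp.exe disinfection failed: Trojan-PSW.Win32.Maran.et
c:\WINDOWS\AVP.RAR disinfection failed: Trojan-PSW.Win32.Maran.et
c:\WINDOWS\SYSTEM32\NLSFUNC.EXE packed: ExePack
c:\WINDOWS\SYSTEM32\OD10ME~1.DLL infected: Trojan-PSW.Win32.Maran.eu
c:\WINDOWS\SYSTEM32\OD6MEDIA.DLL infected: Trojan-PSW.Win32.Maran.dy
c:\WINDOWS\SYSTEM32\OD6MEDIA.DLL deleted: Trojan-PSW.Win32.Maran.dy
c:\WINDOWS\SYSTEM32\SEASID~1.SCR infected: not-a-virus:AdWare.Win32.GAINNetwork.b
c:\WINDOWS\SYSTEM32\SEASID~1.SCR deleted: not-a-virus:AdWare.Win32.GAINNetwork.b
""".strip().splitlines()

SOPHOS_SAMPLE = r"""
Full Scanning
Password protected file C:\compaq\Acrobat_Reader\Data1.cab\RdrMsgENU.pdf
>>> Virus 'Troj/Maran-Gen' found in file C:\WINDOWS\avp.rar\avp.exe
Removal successful
Could not open C:\WINDOWS\system32\config\system.LOG
>>> Virus 'Mal/Maran-A' found in file C:\WINDOWS\system32\od10media.dll
Removal failed
2 viruses were discovered.
""".strip().splitlines()

# Kaspersky: "<path> <verb>: <detection name>"; archive/packed/clean lines have other verbs.
KAV_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verb>infected|deleted|disinfected|disinfection failed):\s+(?P<name>\S+)$"
)
# Sophos: a "found in file" line followed by the removal result for that file.
SOPHOS_FOUND_RE = re.compile(r"^>>> Virus '(?P<name>[^']+)' found in file (?P<path>.+)$")
SOPHOS_RESULT_RE = re.compile(r"^Removal (?P<result>successful|failed)$")


@dataclass
class Detection:
    path: str                                 # normalised path (see normalize)
    names: set = field(default_factory=set)   # "<scanner>:<detection name>"
    removed: bool = False                     # True once any scanner reports removal


def normalize(path):
    """Case-fold and use backslashes throughout, so KAV's 'AVP.RAR/avp.exe' and
    Sophos's 'avp.rar\\avp.exe' land on the same key.  8.3 short names such as
    OD10ME~1.DLL are left alone: mapping them to the long name needs the live
    filesystem, so the same file can appear twice."""
    return path.strip().lower().replace("/", "\\")


def parse_kav(lines, findings):
    for line in lines:
        m = KAV_RE.match(line.strip())
        if not m:
            continue
        p = normalize(m["path"])
        d = findings.setdefault(p, Detection(p))
        d.names.add("KAV:" + m["name"])
        if m["verb"] in ("deleted", "disinfected"):
            d.removed = True


def parse_sophos(lines, findings):
    current = None
    for line in lines:
        line = line.strip()
        m = SOPHOS_FOUND_RE.match(line)
        if m:
            p = normalize(m["path"])
            current = findings.setdefault(p, Detection(p))
            current.names.add("Sophos:" + m["name"])
            continue
        m = SOPHOS_RESULT_RE.match(line)
        if m and current is not None:
            if m["result"] == "successful":
                current.removed = True
            current = None


def correlate(kav_lines, sophos_lines):
    """Merge both reports into {normalised path: Detection}."""
    findings = {}
    parse_kav(kav_lines, findings)
    parse_sophos(sophos_lines, findings)
    return findings


def outstanding(findings):
    """Paths flagged by at least one scanner and removed by none: the manual work list."""
    return sorted(p for p, d in findings.items() if not d.removed)


if __name__ == "__main__":
    results = correlate(KAV_SAMPLE, SOPHOS_SAMPLE)
    for p, d in sorted(results.items()):
        print("removed   " if d.removed else "STILL HERE", p, sorted(d.names))
```

On this input the work list is c:\windows\avp.rar (KAV could not disinfect the archive and Sophos only reports the member inside it), c:\windows\system32\od10media.dll, and OD10ME~1.DLL, which is the same DLL reported by KAV under its short name.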

Posted by David H. Lipman on May 29, 2007, 5:12 pm

< snip >

Kaspersky:
Trojan-PSW.Win32.Maran.eu

Sophos:
Troj/Maran-Gen


C:\WINDOWS\system32\od10media.dll

This is a password stealing Trojan -- NOT GOOD !
Your accounts are now at risk and all your account passwords MUST be changed and all bank accounts must be closely monitored.

Objective:
1. Boot into the Recovery Console
2. Logon as administrator
3. delete C:\WINDOWS\system32\od10media.dll
4. Reboot into Normal Mode
5. Run Regedit
6. Navigate to;
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
7. Find the key that loads "od10media.dll" and delete that key under Winlogon\Notify


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
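Step 7 of the procedure above relies on spotting the right subkey by eye. A Winlogon\Notify DLL is loaded into winlogon.exe, which runs for the whole session in both Normal and Safe Mode; that is why neither scanner nor a manual delete could remove od10media.dll from the running system, and why the Recovery Console (where winlogon is not running) is used in step 3. As an added example, not part of the original thread or of Dave's tool, the Python below lists every Notify subkey with its DLLName and flags the ones a responder should look at: a DLLName whose file is gone (the state after step 3 if the key is left behind), a DLL loaded from outside system32, or a DLL absent from a baseline recorded on a clean machine of the same Windows build. The entry list, baseline and file list in the sample are constructed for the demo; `read_notify_entries` performs the live read and only works on Windows. One labelled assumption: a bare DLLName is resolved from %SystemRoot%\system32, the directory winlogon.exe itself lives in.

```python
import ntpath

# Registry location of the Winlogon notification packages, relative to HKLM.
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def read_notify_entries():
    """Live read of HKLM\\...\\Winlogon\\Notify: returns [(subkey, DLLName), ...].
    Windows only; winreg is imported here so the audit logic runs anywhere."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                try:
                    dll = winreg.QueryValueEx(sub, "DLLName")[0]
                except FileNotFoundError:
                    dll = ""
            entries.append((name, dll))
    return entries


def resolve_dll(dll_name, system_root):
    """Where winlogon.exe will look for the DLL.  ASSUMPTION: a bare file name is
    loaded from %SystemRoot%\\system32 (winlogon's own directory); an explicit
    path is taken as written."""
    if ntpath.dirname(dll_name):
        return ntpath.normpath(dll_name)
    return ntpath.join(system_root, "system32", dll_name)


def audit_notify_entries(entries, baseline, file_exists, system_root=r"C:\WINDOWS"):
    """Return {subkey: reason} for every Notify entry that needs attention.

    baseline    - lower-case DLL file names recorded on a known-clean machine of
                  the same Windows build (caller-supplied)
    file_exists - callable(path) -> bool, so the audit can also run against an
                  offline hive plus a directory listing
    """
    system32 = ntpath.normcase(ntpath.join(system_root, "system32")) + "\\"
    findings = {}
    for subkey, dll in entries:
        if not dll:
            findings[subkey] = "no DLLName value"
            continue
        full = resolve_dll(dll, system_root)
        if not file_exists(full):
            # File deleted (e.g. from the Recovery Console) but key left behind:
            # winlogon will still try to load it at every boot.
            findings[subkey] = f"DLLName points to missing file {full}; delete this subkey"
        elif not ntpath.normcase(full).startswith(system32):
            findings[subkey] = f"loads {full} from outside system32"
        elif ntpath.basename(full).lower() not in baseline:
            findings[subkey] = f"{ntpath.basename(full)} is not in the clean baseline"
    return findings


# Constructed sample: two entries typical of Windows XP plus the one from the
# report above.  Baseline and file list are made up for the demo.
SAMPLE_ENTRIES = [
    ("crypt32chain", "crypt32.dll"),
    ("ScCertProp", "wlnotify.dll"),
    ("od10media", "od10media.dll"),
]
SAMPLE_BASELINE = {"crypt32.dll", "wlnotify.dll"}
PRESENT_FILES = {
    r"c:\windows\system32\crypt32.dll",
    r"c:\windows\system32\wlnotify.dll",
    r"c:\windows\system32\od10media.dll",
}


def sample_file_exists(path):
    return ntpath.normcase(path) in PRESENT_FILES


if __name__ == "__main__":
    hits = audit_notify_entries(SAMPLE_ENTRIES, SAMPLE_BASELINE, sample_file_exists)
    for subkey, reason in hits.items():
        print(f"{subkey}: {reason}")
```

Run before step 3 it reports od10media as not in the baseline; run again after the file has been deleted from the Recovery Console it reports the same subkey as pointing at a missing file, which is the key step 7 removes. Treat the baseline as data from a trusted reference box, not a list to be typed from memory.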


