View Full Version : Trojan HELP
Big Red
22nd Jan 2005, 16:25
Looking for some help.
Trojan Horse Downloader.Small.4.BA
Picked up this trojan, AVG picks it up and said it has healed it, but it reappears once I reboot the system.
Its path is c restore\temp.
I have system restore turned off all the time, but somehow it has got into it.
I have run Ad-Aware, Spybot Search & Destroy, CWShredder and SpywareBlaster but still cannot delete it.
These have also been run in safe mode without results.
I have also tried to delete the file manually, but it will not allow me to do this either.
Also tried manual deletion in safe mode.
This seems a real sh*t to get rid of.
Forgot to mention, operating system is ME.
I have HijackThis, but do not know what should and shouldn't be in my system.
I can post the log if anyone can read it and tell me what to get rid of.
Gordon
NewBloke
22nd Jan 2005, 17:15
If you've got an original copy of Windows, download the anti-spyware thing from Microsoft; not sure if it'll work but worth a try :)
http://www.google.co.uk/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&hl=en&q=Trojan+Horse+Downloader.Small.4.BA&meta=&btnG=Google+Search
Bryan
22nd Jan 2005, 17:19
Grab Spybot from here: http://www.safer-networking.org/en/index.html
And Ad-Aware: http://www.lavasoftusa.com (free version under downloads)
These will shift it.
Bryan
22nd Jan 2005, 17:26
Also if AVG asks if you want to heal or delete, always choose delete unless it's a critical file.
Pete H
22nd Jan 2005, 18:01
Grab Spybot from here: http://www.safer-networking.org/en/index.html
These will shift it.
Cheers for that, just downloaded Spybot and it found 50-odd problems, all fixed now though. ;)
Big Red
22nd Jan 2005, 18:16
Hi Guys,
Already run all of the above, and also in safe mode, but cannot get rid of it.
AVG will not allow me to delete it.
I have also tried to delete it manually, but it will not allow me to either.
I have also tried to rename it, in order to stop it functioning properly and then allow me to delete it, but it will not allow me to rename it either.
This seems a real sh*t to get rid of.
Any other ideas welcome.
Gordon
Gordon Steele
22nd Jan 2005, 18:44
Have you tried an online antivirus such as Panda at:
http://www.pandasoftware.com/home/default.asp
Madoobri
22nd Jan 2005, 18:45
Gordon,
Try finding the Trojan & download the fix at ... http://securityresponse.symantec.com/avcenter/tools.list.html
Just in from the pub, so will have a look soon & see if I can help you!
cheers,
Madoobri
Bryan
22nd Jan 2005, 18:53
Trojan Horse Downloader.Small.4.BA
This means it's a Backdoor Agent (BA); it's doing one of 2 things.
1) Transferring files to and from your computer while you're online without your knowledge.
2) Giving remote access to someone (ability to control your computer as if they were sitting at it).
If you cannot delete it, this means that it is memory resident (running in memory). Once it's unloaded from memory you can delete it.
Start > Run > msconfig
Go to the Startup tab and disable everything for now, reboot and see if it will delete; if not, then check Task Manager / service manager for any strange new entries.
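The step above boils down to "disable the autostart entries, reboot, then see what is still there". A simple way to make that check repeatable is to hash the files in the directories you care about before the reboot, hash them again afterwards, and compare. A file that the scanner reported as healed but that is back with the same hash after a reboot is being recreated by something that is still active. The following Python script is an added example written for this thread; it is not code from the original post or from AVG, Spybot, HijackThis or any other tool mentioned. The directory names and file contents in the demo are constructed; in real use you would point `snapshot()` at the directories in question.

```python
"""Baseline-and-diff check for files that come back after a reboot (added example).

Take a snapshot (path -> SHA-256) before the reboot, save it to disk, take another
afterwards and report what was added, removed or changed. `returned_files` flags
paths the scanner said it removed that are present again with an identical hash.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots):
    """Map every regular file under the given root directories to its digest."""
    snap = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file():
                snap[str(p)] = file_sha256(p)
    return snap


def save_snapshot(snap, path):
    """Persist a snapshot as JSON so it survives the reboot."""
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(path):
    """Load a snapshot written by save_snapshot."""
    return json.loads(Path(path).read_text())


def diff_snapshots(before, after):
    """Return sorted lists of added, removed and changed paths."""
    b, a = set(before), set(after)
    return {
        "added": sorted(a - b),
        "removed": sorted(b - a),
        "changed": sorted(p for p in a & b if before[p] != after[p]),
    }


def returned_files(before, after, quarantined):
    """Paths the scanner reported removed that are back with the same hash as before."""
    return sorted(p for p in quarantined
                  if p in before and p in after and before[p] == after[p])


def demo():
    """Constructed scenario in a temp dir; returns basenames so results are path-independent."""
    work = Path(tempfile.mkdtemp(prefix="reboot-diff-"))
    try:
        (work / "good.txt").write_bytes(b"legit config")
        (work / "dropper.bin").write_bytes(b"constructed sample, not real malware")
        before = snapshot([work])
        quarantined = [str(work / "dropper.bin")]
        # The scanner "heals" the file ...
        (work / "dropper.bin").unlink()
        # ... but something recreates it on reboot, drops a second file, and a
        # legitimate file is edited in between.
        (work / "dropper.bin").write_bytes(b"constructed sample, not real malware")
        (work / "extra.bin").write_bytes(b"second constructed file")
        (work / "good.txt").write_bytes(b"legit config, edited")
        after = snapshot([work])
        names = lambda ps: [Path(p).name for p in ps]
        d = diff_snapshots(before, after)
        return {
            "added": names(d["added"]),
            "removed": names(d["removed"]),
            "changed": names(d["changed"]),
            "returned": names(returned_files(before, after, quarantined)),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Across a real reboot you would call `save_snapshot(snapshot([...]), "before.json")`, reboot, then `diff_snapshots(load_snapshot("before.json"), snapshot([...]))`. The hash comparison is what matters: a recreated file with an identical digest tells you the autostart or restore mechanism that writes it is still in place, which is the thing to disable before trying the delete again.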
Big Red
22nd Jan 2005, 19:11
Cheers Bryan and Allan.
I disabled everything through msconfig, rebooted but still will not allow me to delete it.
Could you give a non-techy description of how to check through Task Manager what is running?
I have got a program called HijackThis, as was recommended to me.
Problem being, I do not know what to delete once it shows the log file.
I have enclosed a copy of the log if anyone can understand it.
Bryan
22nd Jan 2005, 19:42
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
Try disabling these 4; they are usually harmless, but trojans can easily overwrite existing files to appear normal.
Madoobri
22nd Jan 2005, 20:04
Hi again Gordon,
The only thing I can find that might get rid of your problem is ... http://www.noadware.net/?hop=topproduct ... it appears to be a freebie, hope this helps ...
orrabest,
Alan
Big Red
22nd Jan 2005, 20:12
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
Try disabling these 4; they are usually harmless, but trojans can easily overwrite existing files to appear normal.
Do you mean to delete these files with HijackThis, Bryan?
As already mentioned, I am not too PC clever, therefore I do not want to delete files that could be important to the system.
As far as I am aware, HijackThis deletes the selected files, so I do not want to make a mistake.
Cheers for the help so far.
Allan, Will download now and give it a try.
Gordon
Bryan
22nd Jan 2005, 20:18
No, don't delete them; they may not be infected or replaced. Simply stop their tasks in Task Manager to eliminate them from the list when trying to remove the trojan.
Try Madoobri's app first. What you need is an app that's capable of closing down suspect processes so that it can remove the files; most don't seem to do this :(
The last time this happened to me I saved everything I wanted to keep onto 3 CDs and reinstalled Windows. It took about half a day altogether and resulted in a faster PC all round into the bargain.
Madoobri
22nd Jan 2005, 20:50
How are you getting on Gordon ... any joy?
Big Red
22nd Jan 2005, 21:12
How are you getting on Gordon ... any joy?
Geeeeeeeeeeeeeeze,
I maybe didn't have much hair before, but I have even less now. :eek:
Give me a knack*r*d car any day.
Still plodding away, will keep you all updated, and thank you for all input.
Glad I just bought another case of beer last week :D
Gordon
Big Red
22nd Jan 2005, 21:25
How are you getting on Gordon ... any joy?
Hi Allan,
Just tried NoAdware; it found a few things, but it requires you to purchase it before it will remove them.
Have a feeling it is just a plan to get you to buy the software.
The items it identified are Kazaa and Gnucleus; no other program has a problem with these.
It was certainly worth a try though mate, thanks for the input.
Gordon
Madoobri
22nd Jan 2005, 22:39
Hi Gordon,
Well, I'm stumped now! :( Found this info on AVG's site, don't know if it will help you ...
What is Trojan Horse?
A Trojan Horse is a malicious application, which cannot spread itself. Original Trojan Horses were programs which acted as a useful utility, although in fact starting them used to cause damage to disc content (or part of it).
At the present time the most widespread Trojan Horses are BackDoor Trojans, which enable remote access to infected computers, and PSW (Password Stealers), which try to gather as much private information from the infected computer as possible and to send the info through the Internet.
To remove the Trojan Horse, it is enough to remove infected files from the infected computer (these files are created by the Trojan Horse). However, if the infected file is running in memory, its .EXE file is protected (by Windows) and cannot be removed easily. In such cases, you need to follow the steps mentioned to remove the infected file (the steps depend on your Windows version):
Under Windows 95/98/ME, you need to remove these files under MS-DOS mode.
Gordon, if you're unsure in MS-DOS I would suggest you don't tinker with it! :rolleyes: Maybe someone on here can help with that!
We tried,
orrabest,
Alan
Big Red
22nd Jan 2005, 22:57
Cheers for the help Allan.
I'm afraid MS-DOS mode is outwith my ability.
I wouldn't know where to start, let alone what I was doing.
I will just keep searching the net to see if I can find a solution.
My biggest fear is if the trojan can send info from my PC outwards, as I run my company website and do various banking and online credit card transactions; I suppose it could get this info.
I have already had someone sign the guestbook on my website with over 200 xxx links.
I deleted these last night, but it looks as if they have managed to hide some hidden script in there (I have been told possibly another trojan), as the guestbook page will not load properly.
These Tw*ts that write these programs need their arms cut off. :confused:
Gordon
Madoobri
22nd Jan 2005, 23:11
Best of luck mate ... hope you get it sorted soon!
Alan
Red,
Found this site that has a few ideas on getting rid of downloader trojans: http://www.faqfarm.com/Computer/Virus/Downloader/16106
Big Red
23rd Jan 2005, 21:26
At last, three days later, I have got rid of this trojan.
It was a real tricky one to move, but thanks to a program called "Move on boot", it is gone :D :D :D :D :D :D :bigParty:
It took a bit of messing about with, and I have left bits of Windows acting a bit weird, but it is clear on all virus scans.
The above program is a big thumbs up from me, but it would only get rid once I booted into safe mode.
Nothing else would even let me move this trojan, even in safe mode, but after renaming it and moving it to the desktop on boot, I managed to get it into the recycle bin and delete it in safe mode.
I have searched for file in safe and normal mode, run full virus scan and all is clear.
Thank you to everyone who tried to help me with advice and searching the net for solutions, I really appreciate it. :D
Regards,
Gordon
Madoobri
24th Jan 2005, 09:39
That's good Gordon, glad you got it sorted :)
cheers,
Alan
graham
24th Jan 2005, 12:01
Been following the thread, good to hear you got it sorted. My hard drive went last week, dunno what caused it, my PC's only 6 months old. :eek:
Bloody hate PCs, but like you say, in business you need them. Reminds me I need to update my website; will have to reinstall Dreamweaver first :(
dynamited
24th Jan 2005, 12:08
http://download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe
That's Microsoft's Anti-Spyware program... quite good actually, as it did find a couple of spyware that Spybot and Ad-Aware didn't find. And it's got a handy Browser Hijack tool that restores home and default pages.
Screenshot:
http://img140.exs.cx/my.php?loc=img140&image=microsoftspy2fj.jpg
Madoobri
24th Jan 2005, 12:34
Thanks Dynamited,
Have downloaded this software & it's running a scan as I speak ... with this, Spybot & Ad-Aware installed, hopefully I should be covered! :)
cheers,
Madoobri