Need Help With Nasty Trojan

Backdoor.Prorat

Symantec’s removal instructions have always worked for me in the past. But this little sucker has me stumped.

Running Win2k server w/NTFS. This is a machine my Company leases and hosts sql databases for our clients. (luckily all can access the databases) (someday maybe well install a firewall – long story)

Bootup the machine and Norton finds and quarantines the two dll files that are part of the Trojan. Then Norton gets shut down by the Trojan and the two dll files get recreated. Norton or hardly any exe file will run in normal or safe mode. There are two files: Sservice.exe and Fservice.exe that get recreated as soon as you delete or rename them.

Bootup in Safe mode – follow the removal instructions – I zap one of the offending reg entries & hit the F5 refresh key, the entry comes back…..

In safe mode, there are only about 4 or 5 services running and stopping them doesn’t help.

Thinking I need to be able to boot with a DOS startup disk and zap the files but am using NTFS. I have a DOS disk that will let me view & copy an NTFS drive but not delete…

Any thoughts or suggestions would be most welcomed.

 

Thanks Dave,

Guess I've lead a shelted life. I did a search for Move-on-Boot and found:

Set of utilities that provide many useful services (copying/moving/renaming/deleting files and folders on the next system boot by gibinsoft.com


Do you use one that you'd recommend?

 

Thanks also.

Was downloading it when I came to check your reply.

 

Thanks Mark.
That's the one I downloaded while ago from gibinsoft.com. Tested the rename function and it works like a charm. Have high hopes... It's a bugger bear shuting clients down while we work on this stuff....

 

Thanks. We've tried a few of these. So far, either they won't run or they don't find anything. But, will give this one a try too.

Tried Stinger, the stand a lone .exe and it couldn't find anything.


This was highly recommened but didn't detect anything.
Download our picks:
· a² (a-squared) personal 1.1
Protects the PC against malicious software: Trojans, Dialers, Worms, Spyware

 

That would be too darn easy. Besides, I nor my IT guy didn't think of that.

 

Just read my office mail. My IT guy in California, who was up till the wee hours working on the machine via pcanywhere, reports that he killed the machine. (after getting the client's data off it)

Pretty embarassing......It's been a few weeks. Is it FORMAT C: or Format C

Thanks to ALL that replied

 

Ooops sorry.

The embarrasing part is the need to format which we know how to do

 

Way way way way back when in the IBM XT days, the super geeks at Corp downtown made a cute cartoon:

NEED MORE HARD DRIVE SPACE? (remember when ibm xts's came with a 10 MEG drive)

Anyway, Need More hard drive space?

Try: FORMAT C:

I thought the cartoon was so cute, I made several copies of it and past them out. Past them out to people that didn't know it was a joke....(nothing bad ever happened)