REG_SEEKER C JS_GIGGER.A Trojan

Please help. I'm at a loss at what to do to handle the situation that I find myself in.

Have NAV2000 with the latest updates, however it did not find this one on my system. Also am running ZoneAlarm. TrendMicro Housecall picked it up on a online scan and supposedly cleaned it. A subsequent re-scan with Housecall ran clean. However, when I ran a Find on REG_SEEKER C JS_GIGGER.A, it showed 8.340 instances of this trojan.

This is my first trojan/virus. System has been kept clean for almost 3 years now. Do I reformat C: drive? I do have a start-up floppy, but I'm afraid if I use that it will become infected. Also, can't get system restore CD on my Gateway system to load. I'm running Win98SE. Also, how do I reformat and write all ones to the hard drive without a CD?

I have been reading this board and do appreciate the help that I have received from here in the past. Any assistance would be greatly appreciated in this matter.

Thank you.

 

Steve, thanks for your reply. Checked out HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and deleted NAV DefAlert. Did not find the the other two keys listed at Symantec's for 'Windows Scripting Host' and 'TheGrave.'

What concerns me most about this is that Norton did not detect this. Wondering if this information should be followed or is Housecall the place to try to get this solved? Norton still has not detected anything although there are over 8,000 files supposedly infected with this thing on my system now. Autoexec.bat was clean, at least as far as I can tell. There is no reference to a Format C: command there the last time that I checked. Still Housecall runs clean now and so does Norton. The only thing that's indicating problems is the Find command.

Is there somebody else out there with ideas on this?

 

Have you tried the other online scanners (including Symantec's) to see if you get the same result??


Symantec

Panda

PCPitStop Note: uses Panda scanner...

AntiVirus-Online

 

*ahem*
Stoofer....are you gonna make me chase you all over, trying to solve this?

Daizy

 

Stoofer, dobhar and Daizy

Food for thought

I took a peek at the site that Daizy pointed to.

I saw the words " GO Back" and use of same. Now I have a question.

If I understand correctly how Go Back works, ( constantly monitering the system and keeping track of it ) wouldn't it be possible for any infection to be also contained in it and would put the problem right back into the system ?

Sort of like removing a dirty bandage from a cut, cleaning the cut and putting the dirty bandage back on. YUCK !!!!

I made that mistake with ME and System Restore. I fixed a problem and then did a system restore using the wrong restore point and put the problem right back in.

WOW ! Did I ever find some new names for myself.

Backups of any sort are fine and a geat idea. But many time it is not thought of that backups will ( or may ) contain a virus, trojan or any other unwanted items if it was made while same were present in the system.

BillyBob

 

Very good point BillyBob!
And you're exactly right, when I see tht others are running ME and get infected..often times they forget that they will have to purge their restore folders.

Daizy

 

dobhar, followed your advice and ran online scans at all of your links. All ran clean with no detection of REG_SEEKER C JS_GIGGER.A. I now have over 8,700 files infected with this thing and none of the virus/trojan detection software out there can help me. I should say that TrendMicro Housecall was the only one that detected this initially, but now it's also running clean.

Can someone help me get started with a Format on C:\. Daizy, I have a System Restore CD and Gateway's version of 98 on a separate CD. When I attempted to load the Restore CD nothing happened. DEAD. I should expect that on an infected machine I guess. I also have a start up disk that was made before? any of this happened????

 

I totally agree with Daizy (Hey Daizy... )...Billy Bob does make a very good point. Unfortunately ( or fortunately depending on how you see it) I know nothing about ME...never used or seen it so I can say much about it.

Stoofer...

You might want to make a brand new boot disk and you can use the link below to create yourself a Win98 boot disk...it will have format and fdisk on it...(Note: The page also has an ME boot disk creator if needed)

Boot Disk

The following link is for Fdisking...which you should do if your going to reload.

FDISK

***********************************************

I also found some more links to some Trojan scanners. Some are free, some are trial, and one free. I use BOClean version 4.10 myself...works quite well in the background. Scans my PC every 10 seconds from Trojans...

http://www.webattack.com/Freeware/security/a-fwvirus.shtml - ANTS free Trojan scanner
http://www.lockdowncorp.com/bots/downloadswatit.html
http://tds.diamondcs.com.au/html/technical.htm
http://www.agnitum.com/products/tauscan/

 

Stoofer - you say that all the scans report you as virus-free and clean. And you say you have some thousands of infected files.

I'm confused.

 

That right there is the problem. I just did a Find on "REG_SEEKER C JS_GIGGER.A" and came up with 7,931 which is totally bogus.

I think this is just a quirk in the Windows Find (search) feature.

 

From the other forum and more of my thoughts.

Hi again Stoofer
As suggested at another forum, I too am wondering, if GoBack is keeping a copy of the virus?

I Am also thinking that there is a good possibility of that being
true.

Checking for and finding that many infected files sure points to it. ( at least in my eyes )

And if they are indeed infected you are just going to be going round and round and getting nowhere with the good possibility of reinfecting the whole machine again.

Isn't there a way to get rid of the Go Back files ?

Stoofer

If you are going to reformat don't you need to unload Go Back first ?

That is only a question on my part as I just plain do not know.

BillyBob

 

Hi BillyBob

Did you read my post ?

 

Alice

Yes I did but I did not connect the dots properly I guess. Apparently you were referring to your machine.

I just did a find for files contain the text " REG_SEEKER C JS_GIGGER.A, " and found it only three references in the C:\Windows\Tmp Int Files. And all were related to this thread. Deleted Tmp Int files and it was gone.

When you did a find didn't it tell you where the files were located ?

Also what version of Windows are you running ? If by chance you are using ME and have System Restore active it * COULD * be in those files.

A just ran an updated Cleaner3 yesterday and it did not find anything. But it could be that it just not see that one also.

Or if you have some other form of backups it could be in them also.

I am not saying it is but that it is a possibility. And I may just be WAGING it and crasping at straws.

And I may have no idea what the heck I am talking about

BillyBob

 

Running Win95B

BillyBob, don't do a Find "containing text ". Just do a simple Find on files named REG_SEEKER C JS_GIGGER.A .

I did another Find on REG_SEEKER C JS_GIGGER.A and this time found 8,081 files!

It is coming up wilth all the files on my hard drive that contain the letter "C" because when I do a Find on just C it comes up with the same 8,081 files. If I do a Find on just REG_SEEKER or JS_GIGGER.A it comes up empty.

 

Well I'll be a darned.

Doing things different ways produces different results.

I had just finished a full system Virus ( Updated NAV ) and Trojan ( updated Cleaner3 ) and both came up clean.

I did as Alice suggested and got the Message that said something about exceeding the limit.

Just doing a find for REG_SEEKER C JS_GIGGER.A must create a problem.

I have a Funeral ( not family ) to attend today and will have company for the rest of the week but I will try to keep up here.

I am in with both feet and soaking wet so it is too late to back out now.



BillyBob

 

Beat ya!
Read 'em and weep: 19,565 files found!

I surely hope this isn't how Stoofer believes they're infected?

I'd hate to see the format happen for no reason.

Daizy

 

Hi Daisy..I mean Daizy,

I'm afraid that's exactly it. I read over the VirtualDr post and he is following Train's 06-25-2002 instructions here:
http://discussions.virtualdr.com/showthread.php?s=&threadid=109829&perpage=15&pagenumber=1

because on 08-13-02 he posted:

 

Well, it just goes to show.......when looking for the bigger picture, we often skip the little stuff. Good on YOU for picking up on that one Alice. Let's cross our fingers that we can happily close this thread and Stoofer's back in business.

Daizy

*edit*
And to give Train his due.....the instructions were to look for JS_Gigger Not the whole string.

Still proud of you for catching that one Alice!

 

I thank Alice also.

Even though it may not really be the actual case here but I still hold strongly to my comments about using backups or ME Restore after any actuall or even possible Virus or Trojan infection.


May I now safetly * assume * that the find for REG_SEEKER C JS_GIGGER.A, the find may not read it correctly and has an effect on the files but they are not really INFECTED ?

The files that my find turned up started out right off with the Command.Com and Autoexec.bat with 6,534 files on the C: drive alone.

If they were actually infected, would I even be here writing this reply ?

BillyBob