
TrojanDropper.Newbiwo

Discussion in 'Malware and Virus Removal Archive' started by silvercue, 2003/06/19.

Thread Status:
Not open for further replies.
  1. 2003/06/19
    silvercue

    silvercue Inactive Thread Starter

    Joined:
    2002/01/15
    Messages:
    63
    Likes Received:
    0
    I have a virus alert (AVG latest definitions on XP) saying I have the above virus. I think this then introduces more viruses. I do a full scan and AVG finds about 11 infected files and cleans them. I then make sure that there is no .exe in my startup menu, and run msconfig and check the startup items there (making sure nothing unknown runs). So my system now seems clean. However, next reboot it all reappears again. Can't find any info about this at Symantec's etc.
    Any ideas?
    TiA
     
  2. 2003/06/19
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    You have to disable the "restore" feature in XP first. Then do a complete house cleaning. Then re-enable when your system is clean.
     


  4. 2003/06/19
    silvercue

    silvercue Inactive Thread Starter

    Joined:
    2002/01/15
    Messages:
    63
    Likes Received:
    0
    :(

    If you mean System Restore - disabling that makes no difference - same problem. If you don't, what do you mean?

    Getting very frustrated now :(
     
  5. 2003/06/19
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Do this.

    Special Virus cleaners

    Stinger <http://vil.nai.com/vil/stinger/>
    PQremove <http://www.webmasterfree.com/software/2911.html>
    SysClean <http://www.trendmicro.com/download/tsc.asp>

    NOTE: When downloading SysClean get the latest defs in the LPT$ file from same page.

    These are the Delta force for only the newest and most prolific viruses today.

    Use these if it is possible that a virus may have disabled your regular scanner.

    For a quick clean, and then if they find and clean anything do a full deep scan with a full-fledged scanner.

    If you suspect a virus has disabled your regular scanner you should do 3 things

    1. Download STINGER and PQREMOVE and SysClean run them. NOTE: always download them do not run an older one that you have had; these 3 are updated almost daily.

    2. Do an online dedicated Trojan/worm scan and online regular virus scan.

    3. If your virus scanner was up to date, and "IF" either of above finds a virus then it is possible that your virus scanner has been disabled. You should completely uninstall and reinstall your virus scanner update it and run it in full mode with max settings.

    Download the above; none need to be installed, all run directly, BUT DO NOT RUN!

    Boot to safe mode and run them there; look at configs and preferences to ensure they are doing a max scan.

    When finished reboot to full mode and run the following

    Online Virus scanners
    <http://www.anti-trojan.net/at.asp?l=en&t=onlinecheck>
    <http://www.bitdefender.com/scan/licence.php>
    <http://www.pandasoftware.com/activescan/com/activescan_principal.htm>


    Mike
     
  6. 2003/06/20
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    It looks like an alias. Look here for removal/advice.

    Trend
     
  7. 2003/06/20
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Shutting down system restore clears any restore point that may be carrying any possible infection.

    And allows the cleaners to do a better job and I would think quicker.

    System restore backs up the system AS IS including any and ALL problems or infections.

    And even if a virus cleaner cleans them it may render some files useless therefore making the Restore point not only useless but a little dangerous to use.

    BillyBob
     
    Last edited: 2003/06/20
  8. 2003/06/27
    Cynosure

    Cynosure Inactive

    Joined:
    2003/06/27
    Messages:
    4
    Likes Received:
    0
    Oddly enough I got this same trojan and I rarely ever get trojans/viruses.

    Last night, my computer wouldn't reboot because it was missing startup files so I reinstalled Windows 2000 while leaving on the previous version so I would still have my old user files. I ran AVG Anti-Virus and it found one trojan and three infected files -- all were "repaired". My registry is apparently clean because I've looked for those keys and nothing was there.

    My problem is that it makes a program called "serv-u" (an ftp server) and it runs at the start of Windows and I can't seem to get rid of it. Also, there is this ad that pops up on occasion which came when these problems began.

    I have two NTFS partitions, one is 8 gig for windows 2000 and the other is 20 for all programs. What I'm thinking (unless you can think of anything to fix this) is saving the user profiles to the 20 gig partition and reinstalling Windows 2000 again after reformatting the disk. Sound good?
     
  9. 2003/06/27
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    It only sounds good IF you can be assured that the virus did not get carried over to the 2nd partition.

    BillyBob
     
  10. 2003/06/27
    Cynosure

    Cynosure Inactive

    Joined:
    2003/06/27
    Messages:
    4
    Likes Received:
    0
    Well, there isn't anything important on it. Every program I use is either backed up on CD or free to download over the internet. I might as well go for it since I'm sick of seeing two error messages reading "Execution of the specific command has failed" every time I log in. I hope this works! :D
     
  11. 2003/06/27
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Cynosure

    Just reinstalling again and again without eradicating this bad boy will get you nowhere unless you format and clean install the OS.

    Best thing is clean it and Fix the OS.

    To do so, do all in my other post above.

    Then do this additionally.

    Spyware and adware removal

    SpyBot http://security.kolla.de/index.php?lang=en&page=download
    Run this twice delete all it finds, "ALWAYS" run this before AdAware.
    Leave all it wants to leave after the second run.

    AdAware 6.0 http://www.lavasoft.com/
    Run only after SpyBot!
    Make sure to configure to max settings, all files and compressed files. Delete all it finds.

    Also get HiJackThis

    http://www.tomcoyote.org/hjt/
    Use this to remove all references to this and probably other baddies.

    Mike
     
  12. 2003/06/27
    Cynosure

    Cynosure Inactive

    Joined:
    2003/06/27
    Messages:
    4
    Likes Received:
    0
    Thanks, I never heard of Hijack This but it worked great. I didn't install a whole lot back on this drive so I just set it to remove everything and now it appears as if my problem is solved. I'm running a port scan from dslreports.com now to see if everything is gone.

    I just have one quick question which is a bit unrelated...
    When I reinstalled W2K (because it wouldn't start) I named the computer "whatever". Now I have all my users from before reinstall (ex: JohnDoe) and created new ones thinking it would recognize the name and just link them to their old stuff. However, instead of doing this it gives, for example, JohnDoe.whatever instead of just JohnDoe! How do I make the JohnDoe.whatever file associate with JohnDoe?

    My logic tells me that if I backup the JohnDoe file and delete the user (including JohnDoe's file and JohnDoe.whatever) then create the user over again and paste the JohnDoe backup into the new JohnDoe file it would work but it sounds like you've had more experience with this than me. :D

    Also, I'm not sure if you do this but I used to block all adware advertising companies in the 'hosts' file so it wouldn't even get to my computer. I would assume you are familiar with this but if you're not just search for it. Since I reinstalled I lost mine. If you use my strategy can you paste yours here? Thanks! :)
     
    Last edited: 2003/06/27
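The hosts-file blocking the poster above asks about, as an added example that is not part of the thread and not the poster's own list. It merges a blocklist into existing hosts content without losing or duplicating entries, rejects malformed names and "localhost", and separately lists any entry that points a name at a real (non-loopback) address so it can be reviewed by hand. HOSTS_PATH is the assumed default location on Windows 2000/XP; the existing hosts text and the blocklist domains below are constructed placeholders, not a curated list.

```python
"""Merge an adware blocklist into a Windows hosts file without clobbering it.

Added example prompted by the hosts-file question in the thread; not the
poster's list. HOSTS_PATH is the assumed default path on Windows 2000/XP. The
existing hosts content and the blocklist are constructed placeholder samples.
"""
import re

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"   # assumed default location
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}              # addresses used to black-hole a name
_HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

# Constructed existing hosts file: the stock localhost line plus one intranet name.
EXISTING = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        fileserver   # intranet
"""

# Constructed blocklist (placeholder names) with a duplicate, localhost and a bad entry.
BLOCKLIST = ["ads.example.net", "ADS.example.net", "tracker.example.org",
             "localhost", "bad entry!", "banners.example.com"]


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def non_sinkhole_entries(text):
    """Entries that map a name to a real address. Review these by hand: a
    legitimate intranet name looks exactly like a name someone redirected."""
    return [(name, ip) for ip, name in parse_hosts(text) if ip not in SINKHOLES]


def merge_blocklist(hosts_text, domains, sink="127.0.0.1"):
    """Return (new_text, added, rejected). Existing lines are kept verbatim;
    each new block entry is appended once; localhost and malformed names are
    rejected rather than written."""
    existing = {name for _, name in parse_hosts(hosts_text)}
    added, rejected, seen = [], [], set()
    for d in (x.strip().lower() for x in domains):
        if d in seen:
            continue
        seen.add(d)
        if d == "localhost" or not _HOSTNAME_RE.match(d):
            rejected.append(d)
        elif d not in existing:
            added.append(d)
    out = hosts_text.rstrip("\n") + "\n"
    if added:
        out += "\n# --- adware blocklist, merged ---\n"
        out += "".join(f"{sink}\t{d}\n" for d in added)
    return out, added, rejected


if __name__ == "__main__":
    new_text, added, rejected = merge_blocklist(EXISTING, BLOCKLIST)
    print(new_text)
    print("added:", added, "rejected:", rejected)
    print("non-sinkhole entries to review:", non_sinkhole_entries(EXISTING))
    # To apply, as an administrator and after backing up the file:
    # open(HOSTS_PATH, "w", newline="\r\n").write(new_text)
```

Running the merge a second time over its own output adds nothing, which is what makes it safe to re-run after each blocklist update. The file has no extension and should be written with CRLF line endings, as the comment in the block shows.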
  13. 2003/06/27
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Same rule ( suggestion ) applies to backups as System restore.

    BB
     
  14. 2003/06/27
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Better be careful here; it is not that straightforward.

    The new ones in Documents and Settings that came when you reinstalled are the ones that need to be kept if you are logging in to that profile!

    The old ones could be deleted, but it is also now possible to repair the 1st install and rid yourself of the 2nd if you wanted, which has to be done just as carefully.

    Basically you now have a mess of 2 installs on the same drive. In trying to remove either, make a mistake and both will not work.

    Next time ask before you do things like this. Because the first could have been repaired without the new install. Or had you just installed to another partition it would now be easy to deal with each separately. Now they are all mixed together.

    Can be done but carefully and is not going to be easy.

    mike
     
  15. 2003/06/29
    silvercue

    silvercue Inactive Thread Starter

    Joined:
    2002/01/15
    Messages:
    63
    Likes Received:
    0
    Hello - thanks for all the advice...however.... I have tried everything above and still have the same problem. The only thing that I had not done was reinstall AVG, so I uninstalled and tried to install the trial and the free versions - neither will install now; I get the set-up, nothing happens, then set-up closes. So I am unprotected and still have this trojandropper.
    Any more ideas - I have tried all the programs suggested and none of them resolve this issue.
     
  16. 2003/06/29
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
  17. 2003/07/01
    silvercue

    silvercue Inactive Thread Starter

    Joined:
    2002/01/15
    Messages:
    63
    Likes Received:
    0
    Thanks again, I have now tried all above programs and installed a new version of AVG. What happens is that three nasty progs install themselves at Start Up:

    A.exe, lknq.exe and ~2.exe. I can only delete after I end process on them or run AVG.
    Then I do Start/Run/msconfig and disable them from Start Up

    However, they re-enable themselves somehow. So I then Disable ALL in the Start Up menu. However, next reboot and guess what, everything has been enabled again.

    Any other ideas guys - I am getting annoyed now!!!!
     
  18. 2003/07/01
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Below are a couple of links about this. Print these so you will have them in safe mode.

    http://www.computing.net/security/wwwboard/forum/4791.html

    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.nebiwo.removal.tool.html

    I would do this. End these things as you have been doing, then do a search and delete the files named this. Also search for Explo*.* and if one is found with a space in the name delete it.

    After killing and deleting as above, while they are not running, D/L the following but do not run in full mode; do so in safe mode.

    Special Virus cleaners

    Stinger http://vil.nai.com/vil/stinger/

    PQremove http://www.webmasterfree.com/software/2911.html
    Note: when D/L PQremove also D/L the LPT$ file as it is the current Virus DEF file.

    SysClean http://www.trendmicro.com/download/tsc.asp

    These are the Delta force for only the newest and most prolific viruses today.

    Use these if it is possible that a virus may have disabled your regular scanner.

    For a quick clean, and then if they find and clean anything do a full deep scan with a full-fledged scanner.

    If you suspect a virus has disabled your regular scanner you should do 3 things

    1. Download STINGER, PQREMOVE and SysClean and run them. NOTE: always download them do not run an older one that you have had; these 3 are updated almost daily.

    2. Do an online dedicated Trojan/worm scan and online regular virus scan.

    3. If your virus scanner was up to date, and "IF" either 1 or 2 above finds a virus then it is possible that your virus scanner has been disabled. You should completely uninstall and reinstall your virus scanner update it and run it in full mode with max settings.

    The above 3 programs do not need installing they are totally stand alone so put in a folder and run them 1 at a time.

    So D/L the above, boot to safe mode do the search as above again, and delete any that have shown back up, or in fact maybe they did not show up at all in full mode.

    Then run the three scanners.

    While in safe mode look at the printouts and if you can search the registry for the items they show and if found, delete them.

    Good luck,
    Mike
     
  19. 2003/07/01
    BruceKrymow

    BruceKrymow Inactive

    Joined:
    2002/03/20
    Messages:
    548
    Likes Received:
    0
    Hi, Silver ~

    Did you reboot when you disabled system restore???

    1. Close all open programs. Then right-click My Computer on the Windows desktop
    2. Click Properties.
    3. Click the System restore tab
    4. Check Turn off System restore on all drives.

    After doing this, there should be no problem to access files in
    RESTORE/System Volume Information directory. If you don't then you will continue to have the virus reloaded. Now run a full system scan.

    If you are unsuccessful, then you may need to seeboth of which are from AVG's trojan page.
     
  20. 2003/07/01
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Silver

    I looked back and see I already gave the links for Stinger etc.

    So run them in safe mode now after deleting the programs that load.

    Additionally I assumed system restore was still off.

    Before or after, also do the steps Bruce advised. If possible in the same session ( not rebooting) while in safe mode.

    Mike
     
  21. 2003/07/01
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    You may need to;

    1-- Shut System Restore down COMPLETELY ( all partitions ) and leave it down until the problem is cleared up. And make sure that ALL System Volume ( or whatever their name is ) files are GONE from the HD.

    2-- Use the Virus/Trojan cleaners.

    3--Then Do MANUAL regedit search for the items that are starting. Some of these Nasties put things in the reg that cleaners MAY NOT FIND. And look for the names as they are shown.

    In a case such as this any type of auto backups are USELESS and may only further complicate matters because they back things up as they are. And if things are only partially cleaned up that is the way the backup will be.

    And any backups of any programs etc. should NOT BE used UNLESS you can be 100% sure that they were made BEFORE the Nasties got into the picture.

    BillyBob
     
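The two recurring problems in this thread, the startup entries that come back after every reboot (post 17) and the manual registry search for whatever is starting them (post 21), both come down to one question: which autostart values differ between a clean export and the post-reboot state? The script below is an added example, not code from the thread or from any of the vendor tools named in it. It parses two `.reg` exports of the Run keys (on the box: `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run before.reg`, the same for HKCU, then `after.reg` following the reboot), reports every value that appeared or changed, and flags image names that fit the patterns the thread describes (a space inside the file name as in the "Explo rer.exe" hint, tilde-prefixed temp-style names, very short random names, anything run from a temp directory). The two exports embedded below are constructed to mirror the file names posted in the thread; the AVG and ctfmon entries are assumed legitimate, and the flagging rules are assumed heuristics, not vendor detection logic.

```python
"""Diff two .reg exports of the Run keys and flag what came back after reboot.

Added example for this thread, not from the thread or any tool it names.
The BEFORE/AFTER exports are constructed samples; only REG_SZ values are
parsed, which is all the Run keys normally hold.
"""
import re

# Constructed "before" export: Run keys right after cleaning and disabling.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed "after" export: the same keys following the next reboot.
AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"A"="C:\\WINDOWS\\A.exe"
"lknq"="C:\\WINDOWS\\system32\\lknq.exe"
"~2"="C:\\WINDOWS\\TEMP\\~2.exe"
"Explorer"="C:\\WINDOWS\\Explo rer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data or @=data


def _unescape(s):
    # .reg escaping: a doubled backslash is one backslash, \" is a quote.
    return re.sub(r'\\(.)', lambda m: m.group(1), s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue                       # hex: continuation lines and the like
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data     # dword:/hex: values kept raw
    return keys


def image_path(command):
    """Pull the executable path out of a Run-key command line, quoted or not."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.(?:exe|com|scr|bat|pif))(?=\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def suspicious(path):
    """Assumed rules of thumb for images that resemble the droppers in the thread."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    reasons = []
    if " " in name:
        reasons.append("space inside the file name (the 'Explo rer.exe' trick)")
    if name.startswith("~"):
        reasons.append("tilde-prefixed temp-style name")
    if re.fullmatch(r"[a-z]{1,4}", stem, re.I):
        reasons.append("very short or random-looking name")
    if re.search(r"\\(temp|tmp)\\", path, re.I):
        reasons.append("runs from a temp directory")
    return reasons


def reappeared(before, after):
    """Autostart values present in AFTER but absent from, or changed since, BEFORE."""
    return [(key, name, data)
            for key, values in after.items()
            for name, data in values.items()
            if before.get(key, {}).get(name) != data]


def report(before_text, after_text):
    """Return [(key, value_name, image_path, reasons)] for everything that came back."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    return [(key, name, image_path(data), suspicious(image_path(data)))
            for key, name, data in reappeared(before, after)]


if __name__ == "__main__":
    for key, name, path, reasons in report(BEFORE, AFTER):
        print(f"{key}\n  {name!r} -> {path}")
        for r in reasons:
            print(f"    ! {r}")
```

The Run keys are only the most common autostart location; the same diff works on exports of RunOnce, RunServices (9x-era keys still present on XP), the Winlogon Shell/Userinit values and the Startup folder listing, and a value that the msconfig checkbox cannot keep disabled is exactly the kind of entry this diff surfaces. Whatever keeps re-adding the entry is itself running at boot, so the diff points at what to find and kill in safe mode before deleting the files, as the posts above advise.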