Downloader.agent and others

  • Thread starter Alexander Baron

Alexander Baron

Many thanks to David Lipman for his advice; I've just scanned my
system with BitDefender and this has found another Trojan, I received
the message

C:\Program Files\SEP\sep.dll: infected with Trojan.Septic.A
C:\Program Files\SEP\sep.dll: disinfection failed

I was wondering can I delete this file?

Also, is there any literature on these Trojans? All I've managed to
find on the anti-virus sites is technical blurb. What do they do? Can
I leave them on the machine? I'm terrified I'm going to screw up my
system by running a complex disinfection procedure.
 

David H. Lipman

Yes Alexander, delete them.

You might want to try the below (again if done before) as the Trend Pattern File, Stinger
and Sysclean have "all been updated."
In the last few days, almost 600 new infectors have been added to Trend's targeted list.

1) Download the following three items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt242.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode
4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform using both.
6) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) If you are using WinME or WinXP, create a new Restore point


* * * Please report back your results * * *

Dave




| Many thanks to David Lipman for his advice; I've just scanned my
| system with BitDefender and this has found another Trojan, I received
| the message
|
| C:\Program Files\SEP\sep.dll: infected with Trojan.Septic.A
| C:\Program Files\SEP\sep.dll: disinfection failed
|
| I was wondering can I delete this file?
|
| Also, is there any literature on these Trojans? All I've managed to
| find on the anti-virus sites is technical blurb. What do they do? Can
| I leave them on the machine? I'm terrified I'm going to screw up my
| system by running a complex disinfection procedure.
 

Alexander Baron

I've had a thought about this Trojan, at about 00.20 London time AVG
flashed a message on my screen and it crashed. The same thing happened
about the same time yesterday, and perhaps the day before. Does this
mean it is being received about this time or does it go to sleep on
the hard drive, or something?

I think this is curious.
 

Alexander Baron

I'm currently running Trend Sysclean; it has found something called
TROJ_STILEN.A in a number of files, has failed to clean or move them
but has deleted some. I'm beginning to wonder how many of these things
there are on people's systems.

It's taking ages but I think this is the solution.

I wasn't able to run these in SAFE MODE so am using it in normal mode.
 

David H. Lipman

The reason for using Safe Mode is because it reduces the OS to loading the most important
aspects of the OS and increases the effectiveness of the scanner.

You have to make sure all software is shut down before scanning to make sure the AV scanner
can delete the infected files which most likely have their respective File Handles open.

Dave



| I'm currently running Trend Sysclean; it has found something called
| TROJ_STILEN.A in a number of files, has failed to clean or move them
| but has deleted some. I'm beginning to wonder how many of these things
| there are on people's systems.
|
| It's taking ages but I think this is the solution.
|
| I wasn't able to run these in SAFE MODE so am using it in normal mode.
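
The open-file-handle condition described in the reply above can be checked directly before a scan. This is an added example, not part of the original thread or any poster's advice; it assumes a Windows system with PowerShell available, and the function name `Get-FileLockInfo` is hypothetical.

```powershell
# Added example: show whether a file is locked and which processes have it
# loaded as a module, which is why a scanner's delete/disinfect step can fail.
function Get-FileLockInfo {
    param(
        [Parameter(Mandatory)]
        [string]$Path    # e.g. the DLL a scanner reported as "disinfection failed"
    )

    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).Path

    # 1. Try to open the file with no sharing allowed. If another process has
    #    it open or mapped, this throws an IOException (sharing violation).
    $locked = $false
    try {
        $fs = [System.IO.File]::Open($full, 'Open', 'ReadWrite', 'None')
        $fs.Close()
    } catch [System.IO.IOException] {
        $locked = $true
    } catch [System.UnauthorizedAccessException] {
        # Permissions or read-only attribute: a different cause than an open handle.
        Write-Warning "Access denied to $full (permissions or read-only attribute)."
    }

    # 2. List processes that have the file loaded as a module (typical for a DLL).
    #    Processes we lack rights to inspect are skipped; run elevated for full coverage.
    $holders = foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.FileName -eq $full }) { $p }
        } catch { }
    }

    [pscustomobject]@{
        Path     = $full
        Locked   = $locked
        LoadedBy = @($holders | ForEach-Object { "$($_.ProcessName) (PID $($_.Id))" })
    }
}

# Path taken from the scanner message quoted in this thread.
$target = 'C:\Program Files\SEP\sep.dll'
if (Test-Path -LiteralPath $target) { Get-FileLockInfo -Path $target }
```

A result with `Locked` set to true and a non-empty `LoadedBy` list means the file is in use by those processes, which is the situation Safe Mode is meant to avoid.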
 
