help with a trojan

Becky O

I'm running Norton Antivirus and just got a popup of a trojan that cannot be
repaired. I found the file, C:\install.htm and also a winrar file of the
same name. The winrar file could be deleted (currently in my recycle bin),
the other can't. It also can't be renamed. The related website gave explicit
instructions, but it involves messing with my registry. The last time I did
that I screwed up my pc so badly I had to do a complete restore from cd.

A friend suggested I run msconfig to see what was starting up when I turn on
the pc. The one thing that looks non-legit is this:

rundll32.exe irprops.cpl,, BluetoothAuthenticationAgent
location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I tried to look it up at
http://www.omnisoft.com.mt/info/startups/startups.htm and it lists 9
different versions of this, but not this one specifically. Most are virus
related.

Any suggestions before I go messing with things?

Any help is greatly appreciated.


Thanks,

Becky
 
David H. Lipman

Do you have a wireless device?

Bluetooth is a wireless technology and it may be legit!

Please try the following...

1) Download the following three items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example: lpt248.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode
4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform using both.
6) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
7) Reboot your PC.
8) If you are using WinXP, create a new Restore point


* * * Please report back your results * * *

Dave



| I'm running Norton Antivirus and just got a popup of a trojan that cannot be
| repaired. I found the file, C:\install.htm and also a winrar file of the
| same name. The winrar file could be deleted (currently in my recycle bin),
| the other can't. It also can't be renamed. The related website gave explicit
| instructions, but it involves messing with my registry. The last time I did
| that I screwed up my pc so badly I had to do a complete restore from cd.
|
| A friend suggested I run msconfig to see what was starting up when I turn on
| the pc. The one thing that looks non-legit is this:
|
| rundll32.exe irprops.cpl,, BluetoothAuthenticationAgent
| location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| I tried to look it up at
| http://www.omnisoft.com.mt/info/startups/startups.htm and it lists 9
| different versions of this, but not this one specifically. Most are virus
| related.
|
| Any suggestions before I go messing with things?
|
| Any help is greatly appreciated.
|
|
| Thanks,
|
| Becky
|
|
 
Becky O

Thank you!

After reading some other posts, I did exactly as you suggested (before
coming back and seeing your reply). Sheesh, what an ordeal. :)

After I finally managed to get into safe mode, I was able to delete the
infected file. Then I ran the other programs as suggested and I seem to be
fine now.

And no, I don't have any wireless device! But thanks!
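
One way to check a startup entry such as the `rundll32.exe irprops.cpl,, BluetoothAuthenticationAgent` value discussed in this thread, without editing the registry. This is an added example, not part of any poster's message; it assumes a Windows system with PowerShell 3.0 or later, and the helper name `Resolve-RunTarget` is made up for the illustration.

```powershell
# Added example: enumerate HKLM Run values, work out which file each one
# actually loads, and report whether it exists and how it is signed.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Resolve-RunTarget {   # hypothetical helper name
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Executable = quoted path, else first whitespace-delimited token.
    # (Unquoted paths containing spaces are ambiguous and need a manual look.)
    if ($cmd -match '^"([^"]+)"\s*(.*)$' -or $cmd -match '^(\S+)\s*(.*)$') {
        $exe = $Matches[1]; $rest = $Matches[2]
    } else { return $null }
    # rundll32 is only a launcher: the module before the first comma is what runs.
    if ([IO.Path]::GetFileNameWithoutExtension($exe) -ieq 'rundll32' -and $rest) {
        $exe = ($rest -split ',')[0].Trim().Trim('"')
    }
    # Bare file names: look in System32, then the Windows directory.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        foreach ($dir in "$env:SystemRoot\System32", $env:SystemRoot) {
            $candidate = Join-Path $dir $exe
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        }
    }
    return $exe
}

$key = Get-Item -Path $runKey
foreach ($name in $key.GetValueNames()) {
    $command = [string]$key.GetValue($name)
    $target  = Resolve-RunTarget $command
    $exists  = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
    $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $target }
    [pscustomobject]@{
        Name      = $name
        Command   = $command
        Target    = $target
        Exists    = $exists
        Signature = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
```

A missing target or a signature status other than `Valid` is a reason to look more closely at that entry, not a verdict on its own.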
 
