Getting rid of a trojan

Thread starter: Larc

Larc

Sorry, I hit the wrong button. :-o

A friend called last night to say he had somehow been "invaded" by a trojan and
couldn't get rid of it. Norton AntiVirus knew about it, but could do nothing
except warn him. A file called "beta.exe" was running and couldn't be deleted.
Task Manager and regedit would open, but only for a second or two. To make
matters worse, beta.exe even loaded in Safe Mode and couldn't be deleted from
there either.

I talked him through booting with the XP CD and deleting beta.exe from Recovery
Console (his system is NTFS). Even after that, however, regedit wouldn't stay
open. I got him to go to System Restore and revert the system to an earlier
date. Only then was he able to get into regedit and delete the reference to
beta.exe in the Registry.

All appears OK now, and Norton AV reports no problems. But I have the feeling
there should have been a simpler way of doing this. Any ideas?

Larc



§§§ - Please raise temperature of mail to reply by e-mail - §§§
 
Larc said:
Sorry, I hit the wrong button. :-o

A friend called last night to say he had somehow been "invaded" by a trojan and
couldn't get rid of it. Norton AntiVirus knew about it, but could do nothing
except warn him. A file called "beta.exe" was running and couldn't be deleted.
Task Manager and regedit would open, but only for a second or two. To make
matters worse, beta.exe even loaded in Safe Mode and couldn't be deleted from
there either.

I talked him through booting with the XP CD and deleting beta.exe from Recovery
Console (his system is NTFS). Even after that, however, regedit wouldn't stay
open. I got him to go to System Restore and revert the system to an earlier
date. Only then was he able to get into regedit and delete the reference to
beta.exe in the Registry.

All appears OK now, and Norton AV reports no problems. But I have the feeling
there should have been a simpler way of doing this. Any ideas?

Larc

I know some trojans block exe execution. Maybe you could have tried to
rename regedit.exe to regedit.com to see if it would launch.

Terry
 
Larc said:
I talked him through booting with the XP CD and deleting beta.exe from Recovery
Console (his system is NTFS). Even after that, however, regedit wouldn't stay
open. I got him to go to System Restore and revert the system to an earlier
date. Only then was he able to get into regedit and delete the reference to
beta.exe in the Registry.

All appears OK now, and Norton AV reports no problems. But I have the feeling
there should have been a simpler way of doing this.

Some of these trojans do play hell with registry entries, and in many
ways SR is the safest way of getting out of it, once you are rid of the
actual file. Safe Mode - Command Prompt only might have been a slightly
easier way to do that. Then boot to regular Safe Mode, taking the
Administrator icon, and it will immediately offer SR as an option,
before going on to load the GUI.
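The "simpler way" Larc asks about is to find every place the file is wired into startup, kill it, and delete it, rather than rolling the whole system back. The script below is an added example written for this thread; it is not code from any poster or product. It assumes an Administrator PowerShell prompt on the affected machine (PowerShell 2.0 installs on XP SP3; the same keys exist on later Windows), that the trojan does not also kill the console (if it does, run it from a renamed copy of powershell.exe, the same idea as Terry's regedit.com trick), and that "beta.exe" is only the file name taken from the thread. Run it without -Remove first to see what it finds.

```powershell
<#
 Find-AutostartReference.ps1 (added example, not from the thread).
 Hunts the registry autostart locations an XP-era process-killing trojan
 typically uses, reports each hit, and with -Remove kills the process,
 deletes its file and clears the entries.  Assumes an Administrator prompt.
#>
param(
    [string]$Target = 'beta.exe',   # file name to hunt for (name from the thread)
    [switch]$Remove                 # default is report-only
)

$pattern = [regex]::Escape($Target)
$hits = @()
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Report($Location, $Name, $Value) {
    $script:hits += New-Object PSObject -Property @{ Location = $Location; Name = $Name; Value = $Value }
    Write-Host ("[{0}] {1} = {2}" -f $Location, $Name, $Value)
}

# 1. Run/RunOnce values.  Explorer skips these in Safe Mode, so a trojan that
#    still loads there is usually wired in under step 2 or 5 instead.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }       # provider metadata, not a value
        if ("$($p.Value)" -match $pattern) {
            Report $key $p.Name $p.Value
            if ($Remove) { Remove-ItemProperty -Path $key -Name $p.Name }
        }
    }
}

# 2. Winlogon Shell / Userinit: processed in Safe Mode too, and the usual home
#    of "loads even in Safe Mode".  Strip only the hostile entry from the list.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in 'Shell', 'Userinit') {
    $val = $wl.$name
    if ("$val" -match $pattern) {
        Report $winlogon $name $val
        if ($Remove) {
            $clean = (($val -split ',') | Where-Object { $_ -notmatch $pattern }) -join ','
            if ($name -eq 'Shell' -and -not $clean) { $clean = 'Explorer.exe' }  # never leave Shell empty
            Set-ItemProperty -Path $winlogon -Name $name -Value $clean
        }
    }
}

# 3. Image File Execution Options: a Debugger value under taskmgr.exe or
#    regedit.exe starts that program instead of the tool.  Every Debugger is
#    reported; only one pointing at the target is removed.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath).Debugger
    if ($dbg) {
        Report $sub.PSPath 'Debugger' $dbg
        if ($Remove -and "$dbg" -match $pattern) { Remove-ItemProperty -Path $sub.PSPath -Name Debugger }
    }
}

# 4. The .exe association.  Anything but "%1" %* routes every .exe launch
#    through the hijacker, which is what renaming regedit.exe to regedit.com sidesteps.
$exeCmd = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmd = (Get-ItemProperty -Path $exeCmd).'(default)'
if ($cmd -ne '"%1" %*') {
    Report $exeCmd '(default)' $cmd
    if ($Remove) { Set-ItemProperty -Path $exeCmd -Name '(default)' -Value '"%1" %*' }
}

# 5. Services whose ImagePath is the target.  A matching key under
#    SafeBoot\Minimal or \Network is what lets a service start in Safe Mode.
foreach ($svc in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $img = (Get-ItemProperty -Path $svc.PSPath).ImagePath
    if ("$img" -match $pattern) {
        Report $svc.PSPath 'ImagePath' $img
        foreach ($mode in 'Minimal', 'Network') {
            $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$($svc.PSChildName)"
            if (Test-Path $sb) {
                Report $sb '(key)' 'service allowed to start in Safe Mode'
                if ($Remove) { Remove-Item -Path $sb -Recurse }
            }
        }
        if ($Remove) { & sc.exe delete $svc.PSChildName | Out-Null }
    }
}

# 6. Last, the running copy: stop it, then delete the file it was loaded from.
if ($Remove) {
    $exeName = [IO.Path]::GetFileNameWithoutExtension($Target)
    foreach ($proc in @(Get-Process -Name $exeName -ErrorAction SilentlyContinue)) {
        $path = $proc.Path
        Stop-Process -Id $proc.Id -Force
        Start-Sleep -Milliseconds 500
        if ($path -and (Test-Path -LiteralPath $path)) { Remove-Item -LiteralPath $path -Force }
    }
}
"{0} hit(s)" -f $hits.Count
```

The ordering matters: registry references are cleared before the process is killed, so a watchdog that re-creates its Run value on exit has nothing to restore, and the file is deleted only after its process is gone, which is the step that failed for Larc's friend while beta.exe was running. If the process refuses to die, the file reappears, or the script finds nothing yet the symptoms persist, something below the registry (a driver or a hidden second copy) is involved, and deleting the file offline from the Recovery Console, as Larc did, remains the reliable fallback.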
 