Getting rid of a trojan

L

Larc

Sorry, I hit the wrong button. :-o

A friend called last night to say he had somehow been "invaded" by a trojan and
couldn't get rid of it. Norton AntiVirus knew about it, but could do nothing
except warn him. A file called "beta.exe" was running and couldn't be deleted.
Task Manager and regedit would open, but only for a second or two. To make
matters worse, beta.exe even loaded in Safe Mode and couldn't be deleted from
there either.

I talked him through booting with the XP CD and deleting beta.exe from Recovery
Console (his system is NTFS). Even after that, however, regedit wouldn't stay
open. I got him to go to System Restore and revert the system to an earlier
date. Only then was he able to get into regedit and delete the reference to
beta.exe in the Registry.

All appears OK now, and Norton AV reports no problems. But I have the feeling
there should have been a simpler way of doing this. Any ideas?

Larc



§§§ - Please raise temperature of mail to reply by e-mail - §§§
 
F

F1Com

Larc said:
Sorry, I hit the wrong button. :-o

A friend called last night to say he had somehow been "invaded" by a trojan and
couldn't get rid of it. Norton AntiVirus knew about it, but could do nothing
except warn him. A file called "beta.exe" was running and couldn't be deleted.
Task Manager and regedit would open, but only for a second or two. To make
matters worse, beta.exe even loaded in Safe Mode and couldn't be deleted from
there either.

I talked him through booting with the XP CD and deleting beta.exe from Recovery
Console (his system is NTFS). Even after that, however, regedit wouldn't stay
open. I got him to go to System Restore and revert the system to an earlier
date. Only then was he able to get into regedit and delete the reference to
beta.exe in the Registry.

All appears OK now, and Norton AV reports no problems. But I have the feeling
there should have been a simpler way of doing this. Any ideas?

Larc

§§§ - Please raise temperature of mail to reply by e-mail - §§§
Click to expand...

I know some trojans block exe execution. Maybe could have tried to
rename regedit.exe to regedit.com to see if it would launch.

Terry
 
A

Alex Nichol

Larc said:
I talked him through booting with the XP CD and deleting beta.exe from Recovery
Console (his system is NTFS). Even after that, however, regedit wouldn't stay
open. I got him to go to System Restore and revert the system to an earlier
date. Only then was he able to get into regedit and delete the reference to
beta.exe in the Registry.

All appears OK now, and Norton AV reports no problems. But I have the feeling
there should have been a simpler way of doing this.
Click to expand...

Some of these trojans do play hell with registry entries, and in many
ways SR is the safest way of getting out of it, once you are rid of the
actual file. Safe Mode - Command Prompt only might have been a slightly
easier way to do that. Then boot to regular Safe Mode, taking the
Administrator icon, and it will immediately offer SR as an option,
before going on to load the GUI
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Getting rid of a Trojan 12
Getting rid of bp.specificclick.net 6
Trojan Threat? 13
Getting rid of Symantec programs 18
user profile cannot be located / user profile service failed the logon, 5
Any guidance on getting rid of Trojan programs 4
Can't get rid of Trojan Horse 5
Getting rid of Norton (To Twayne) LightningSand.cfd corruption 8

Top