Trojan Downloader - Clean, But Still There After Boot.

Thread starter: Guest
Hi

I got a Trojan virus that seems to be a downloader program. I was able to find and remove almost all of the files (.exe's, dlls) related to it and have isolated it to one last problem. I've got a good amount of info here for someone out there to know exactly where to look and what to do to eliminate this entirely.

The virus shows up as "SWNInstaller" in the task manager after every boot of the computer. I have found files relating to it in the Registry Editor; they are located as follows:

HKEY_CURRENT_USER - SOFTWARE
VB and VBA Program Settings - Spyware Nuker

These files are mostly named (Default) of Type "Reg_Sz". However, there is one file labeled "camp" which is of Type "woutver". The Spyware Nuker thing is false... this is truly a virus program.

------------
When I log online, the 'SWNInstaller' begins downloading the virus again. However, if I delete the above registry files before going online and also End Process the installer in Task Manager, it does not download when I sign on. But, I still get pop-ups from the fake virus source. Here is the link to where these pop-up addresses are coming from: http://vn.msie.cc/popup3.php?pin=

So, my question is, how do I get rid of this thing once and for all, and where do I look? I have attempted the System Restore Disable procedure, but this does not work. I may attempt a safe-start and look for the files, but would like an expert advice fix before I do anything. I have run fully updated Norton AV and it has helped identify the program files that installed the first time, which I got rid of. Just got the 'SWNInstaller' hanging around out there somewhere.

Searching for 'SWNInstaller' does not help. It is never found under that name. Some of the program files I was able to delete were labeled "DML.exe" and "DL". If the software is fully allowed to load, it installs a program called "Teen.exe". As you might guess, this leads to all kinds of inappropriate porn sites and takes over the Windows XP Control Panel. These problems are fixed... now let's find the downloader files. Please help with details. Thanks!
 
Take a look here:
http://camtech2000.net/Newsletters/a_new_spyware_tactic.htm

Also, try Spybot and Kephyr:
http://housecall.trendmicro.com/

http://safespy.net/Spyware_Hunter.htm

http://www.lavasoft.de/software/adaware/

http://spybot-spyware.com/trojan.htm

http://www.spysweeper.com/

http://www.kephyr.com/spywarescanner/
XP User 0000 said:
Hi:

I got a Trojan virus that seems to be a downloader program. I was able to
find and remove almost all of the files (.exe's, dlls) related to it and
have isolated it to one last problem. I've got a good amount of info here
for someone out there to know exactly where to look and what to do to
eliminate this entirely.
The virus shows up as "SWNInstaller" in the task manager after every boot
of the computer. I have found files relating to it in the Registry Editor
and they are located in and are as follows:
HKEY_CURRENT_USER - SOFTWARE
VB and VBA Program Settings - Spyware Nuker

These files are mostly named (Default) of Type "Reg_Sz". However, there
is one file labeled "camp" which is of Type "woutver". The Spyware Nuker
thing is false... this is truly a virus program. However, if I delete the above registry files before going online and also
End Process the installer in Task Manager, it does not download when I sign
on. But, I still get pop-ups from the fake virus source. Here is the link
to where these pop-up addresses are coming from:
http://vn.msie.cc/popup3.php?pin=8
So, my question is, how do I get rid of this thing once and for all, and
where do I look? I have attempted the System Restore Disable procedure, but
this does not work. I may attempt a safe-start and look for the files, but
would like an expert advice fix before I do anything. I have run fully
updated Norton AV and it has helped identify the program files that installed the
first time, which I got rid of. Just got the 'SWNInstaller' hanging around
out there somewhere.
Searching for 'SWNInstaller' does not help. It is never found under that
name. Some of the program files I was able to delete were labeled
"DML.exe" and "DL". If the software is fully allowed to load, it installs
a program called "Teen.exe". As you might guess, this leads to all kinds of
inappropriate porn sites and takes over the Windows XP Control Panel. These
problems are fixed...now let's find the downloader files. Please help with
details. Thanks!
 
Hi Rich,

I'm just responding to your very helpful links posted in response to my question about the Windows XP Spy Ware Nuker virus. The article you linked me to told me everything I needed to know to finally rid my system of this NASTY and time-consuming pest.

I have one last task to rid myself of it, and that is in regard to the HOSTS file on my computer. My local host is redirected with a different address to this Spy Ware advertisement. I've attempted to open the HOSTS file in Windows\System32\Drivers\etc to delete the redirect. I turned Read-Only off and then deleted and saved the file, making sure to leave in the original local host address.

To no luck. For some reason beyond me, when I go to open those files again to check and see if the change took, I notice that it didn't. What do I have to do to make a change to the HOSTS file and ensure it sticks?

Anyone's help is very much appreciated. Thanks for taking the time to provide those links and end a big headache, Rich.
 
Are you making sure you are saving it with no extension?

Also reset the permissions so that there are only read-only permissions for
any user, with inherited permissions removed.

You can always change the permissions if you need to but it should stop any
other program from changing the file!

Wayne

XP User 0000 said:
Hi Rich:

I'm just responding to your very helpful links posted in response to my
question about the Windows XP Spy Ware Nuker virus. The article you linked
me to told me everything I needed to know to finally rid my system of this
NASTY and time-consuming pest.
I have one last task to rid myself of it and that is in regard to the
HOSTS files on my computer. My local host is redirected with a different
address to this Spy Ware advertisement. I've attempted to open the HOSTS
file in Windows\System32 and Drivers\etc to delete the redirect. I turned
Read-Only off and then deleted and saved the file making sure to leave in
the original local host address.
To no luck. For some reason beyond me, when I go to open those files
again to check and see if the change took, I notice that it didn't. What do
I have to do to make a change to the HOSTS file and ensure it sticks?
Anyone's help is very much appreciated. Thanks for taking the time to
provide those links and end a big headache, Rich.
 
One more thing to add. After reading a little bit more about this virus, I discovered that it may have weaved its way into some of the ActiveX files on my computer. If this is the case, it has the ability to continually change the hosts file regardless of whether I save it or not. What's the best way to find all traces of the host redirect? Thanks.
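The two HOSTS-file problems raised above (a localhost entry redirected to a remote address that has to be removed while the genuine localhost line is kept, and a file that keeps getting rewritten after it has been saved) can both be checked with a small audit script. The following is an added example, not code from the thread or from any of the tools linked in it. It uses only the Python standard library, works on a constructed sample HOSTS file so it runs anywhere, and assumes the standard Windows location `%SystemRoot%\System32\drivers\etc\hosts` when it is run on a Windows machine. The `.invalid` hostnames and the 203.0.113.10 address are made-up sample values.

```python
"""Audit a Windows HOSTS file for the kind of hijack described in the thread.

Added example, not code from the thread. Assumes only the standard library;
the constructed SAMPLE_HOSTS below stands in for a real file, which on
Windows lives at %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import hashlib
import ipaddress
import os
import sys

# Constructed sample content (not taken from the thread). The 5th line is the
# symptom the poster describes: localhost pointed at a remote address. The 6th
# sends a security vendor's name to that address, and the 7th "sinkholes" an
# update host to loopback, a common way to stop a scanner from updating.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.10    localhost
203.0.113.10    www.example-antivirus.invalid   # redirect to an ad server
127.0.0.1       update.example.invalid          # blocks a vendor's updates
"""

# Names that are legitimately mapped to the loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}


def parse_hosts(text):
    """Yield (address, [names], raw_line) for each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:], raw


def classify_hosts(text):
    """Sort entries into 'redirect' (a name sent to a non-loopback or malformed
    address) and 'sinkhole' (a non-local name pinned to loopback).
    Returns a dict of raw lines under each key."""
    found = {"redirect": [], "sinkhole": []}
    for addr, names, raw in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            found["redirect"].append(raw)   # not even a valid address: inspect it
            continue
        if not ip.is_loopback:
            found["redirect"].append(raw)
        elif any(n.lower() not in LOCAL_NAMES for n in names):
            found["sinkhole"].append(raw)
    return found


def clean_hosts(text):
    """Return the file with every redirect removed. Comments, blank lines and
    loopback entries are kept, so the original localhost line survives.
    Sinkhole entries are left in place for manual review."""
    redirects = set(classify_hosts(text)["redirect"])
    kept = [raw for raw in text.splitlines() if raw not in redirects]
    return "\n".join(kept) + "\n"


def fingerprint(text):
    """SHA-256 of the file content, recorded right after a clean save."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def has_changed(baseline_fingerprint, text):
    """True if the file no longer matches the fingerprint taken after cleaning,
    i.e. something rewrote it behind the user's back."""
    return fingerprint(text) != baseline_fingerprint


def misnamed_copies(filenames):
    """Names in drivers\\etc that look like a HOSTS file saved with an
    extension (for example 'hosts.txt'); Windows ignores those."""
    return [n for n in filenames
            if n.lower() != "hosts" and n.lower().startswith("hosts")]


if __name__ == "__main__":
    # Real path on Windows; fall back to the constructed sample elsewhere.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if sys.platform == "win32" and os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        print("misnamed copies:", misnamed_copies(os.listdir(os.path.dirname(path))))
    else:
        content = SAMPLE_HOSTS
    for kind, lines in classify_hosts(content).items():
        for line in lines:
            print(f"{kind:9s} {line}")
    print("fingerprint of cleaned file:", fingerprint(clean_hosts(content)))
```

The script only reads and reports; writing the cleaned content back and tightening the NTFS permissions as Wayne describes are done with the Windows tools themselves. Keeping the fingerprint of the file as it was saved and re-checking it after a reboot or after going online is what distinguishes "my edit did not save" (a wrong filename or permissions) from "something on the machine rewrote the file", which is the second problem raised above and points to a still-running component rather than the file.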
 