Trojan Horse - Access Denied trying to Delete File

Cody

I need some help from you experts out here. I have an XP Pro system that
has a Trojan Horse identified by Norton AV - but it can't be deleted by
the product (AV).... nor myself when I go directly to the c:\windows
directory (file = SAMICRO.DLL) ... There is no Write or READ-ONLY
protection on the file. I tried booting into SAFE mode, but still cannot
delete the file (Access Denied, even in Safe Mode).

I now have this permanent POP-UP on the screen identifying this Trojan
Horse that I can't get rid of..

Anyone have some canned instructions or advice on how to clear this
animal? Is there some process that was spoofed that this thing is
running with? If so, how can I identify it?

Thanks in advance.
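The question of which process the file is "running with" is the right one: a DLL that is mapped into a running process stays locked by the loader, and that lock, not the file's attributes or ACL, is what produces Access Denied on delete. The script below is an added example, not something posted in this thread, and it assumes a current Windows PowerShell (Get-FileHash, PowerShell 4.0 or later) rather than the XP system the original poster describes. It takes the path named in the post as its default parameter, records the file's attributes, owner and hash for a vendor lookup, and then walks every process's loaded-module list to report which ones hold the DLL.

```powershell
# Added example (not from the thread): find which running processes have a
# given DLL mapped, the usual reason a DLL cannot be deleted even though its
# attributes and ACL look normal. The default path is the file named in the
# original post; substitute any other filename as needed.
param(
    [string]$DllPath = 'C:\Windows\SAMICRO.DLL'
)

$dll = Get-Item -LiteralPath $DllPath -ErrorAction Stop

# Facts about the file itself: attributes, owner, and a hash that can be
# submitted to an AV vendor without sending the binary.
[pscustomobject]@{
    Path       = $dll.FullName
    Attributes = $dll.Attributes
    Owner      = (Get-Acl -LiteralPath $dll.FullName).Owner
    SHA256     = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
} | Format-List

# Walk every process and compare its loaded-module paths against the DLL.
# Module enumeration needs at least the privilege of the target process, so
# run from an elevated prompt; processes that refuse access are reported
# rather than silently skipped.
$holders = foreach ($p in Get-Process) {
    try {
        $hit = $p.Modules | Where-Object { $_.FileName -ieq $dll.FullName }
        if ($hit) {
            [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $p.Path }
        }
    } catch {
        Write-Warning "Could not enumerate modules of PID $($p.Id) ($($p.ProcessName)): $_"
    }
}

if ($holders) {
    "Processes holding $($dll.Name) open:"
    $holders | Format-Table -AutoSize
} else {
    "No process reports $($dll.Name) loaded; the lock may come from a driver or a process this account cannot inspect."
}
```

When a holder is found, the process name and path tell you what to stop (or what service to disable) before the delete is retried; if the holder is a system process, the file has been injected into it and a boot-time scan from outside the running OS is the safer route than killing that process.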
 
David H. Lipman

From: "Cody" <na*ug*[email protected]>

| I need some help from you experts out here. I have an XP Pro system that
| has a Trojan Horse identified by Norton AV - but it can't be deleted by
| the product (AV).... nor myself when I go directly to the c:\windows
| directory (file = SAMICRO.DLL) ... There is no Write or READ-ONLY
| protection on the file. I tried booting into SAFE mode, but still cannot
| delete the file (Access Denied, even in Safe Mode).
|
| I now have this permanent POP-UP on the screen identifying this Trojan
| Horse that I can't get rid of..
|
| Anyone have some canned instructions or advice on how to clear this
| animal? Is there some process that was spoofed that this thing is
| running with? If so, how can I identify it?
|
| Thanks in advance.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Cody

I'm a bit confused as to this approach.. This is only a "SCANNER",
right? I tested this on a machine that is *not* infected just to see
what I was to expect. It generates an HTML page with the RESULTS ... If
it discovered a Trojan, Virus, etc ... would it have fixed it???

I already *know* that I have a Trojan Horse because Symantec is
reporting that in the POP-UP that won't go away. Also, there is no
option for SYMANTEC on the Menu of this tool. Should there be if I am
running Symantec?

Can you unconfuse me as to how I GET RID of this Trojan Horse?? Else
looks like I need to go to the solution in the next REPLY from
Gabriel.... which looks to be very very involved... I was looking for
the easiest solution first..

Thanks


 
David H. Lipman

From: "Cody" <na*ug*[email protected]>

| I'm a bit confused as to this approach.. This is only a "SCANNER",
| right? I tested this on a machine that is *not* infected just to see
| what I was to expect. It generates an HTML page with the RESULTS ... If
| it discovered a Trojan, Virus, etc ... would it have fixed it???
|
| I already *know* that I have a Trojan Horse because Symantec is
| reporting that in the POP-UP that won't go away. Also, there is no
| option for SYMANTEC on the Menu of this tool. Should there be if I am
| running Symantec?
|
| Can you unconfuse me as to how I GET RID of this Trojan Horse?? Else
| looks like I need to go to the solution in the next REPLY from
| Gabriel.... which looks to be very very involved... I was looking for
| the easiest solution first..
|
| Thanks

If you got an HTML log then it was the McAfee module. All modules will detect and try to
remove the infectors found, and if not an HTML log file, the module will generate an ASCII log
file.

Simply put, the tool is for detection and removal. I have included four different AV
scanners because one may catch what another may miss.
 
