Trojan in c:\windows. I can`t delete and neither can F-prot For Windows.

Buddy B

How can I delete this file acrobat.dll that contains W32/backdoor.AOP
Can`t do it from DOS as I used to do, I guess?
Maybe try in safe mode?
The Cleaner couldn`t clean.
Thanks
Regards Buddy B
 
David H. Lipman

Look in the Registry for

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPNPClient

Is it there ?

Look at the WinXP NT Services and stop the service.

You can use MSCONFIG.EXE to find the service "UPNPClient" and then disable the service.

Reboot your PC into Safe Mode and then clean the OS using F-Prot.

--
Dave




| How can I delete this file acrobat.dll that contains W32/backdoor.AOP
| Can`t do it from DOS as I used to do, I guess?
| Maybe try in safe mode?
| The Cleaner couldn`t clean.
| Thanks
| Regards Buddy B
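
The registry and service checks described in the post above, as an added example that is not part of the original thread. It uses the stock `reg.exe` and `sc.exe` tools from an administrator command prompt; the service name and key are the ones given in the post, and the backup file name is an arbitrary choice.

```bat
@echo off
rem Added example, not from the thread: look for the UPNPClient service key,
rem record what it loads, then stop and disable the service before the
rem Safe Mode scan. Run from an administrator command prompt.
setlocal
set SVC=UPNPClient
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\%SVC%

rem reg query sets errorlevel 1 when the key does not exist.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo Service key %KEY% not found - nothing to stop or disable.
    goto :eof
)

rem Show the binary the service starts. For svchost-hosted services the
rem DLL is listed under Parameters\ServiceDll instead of ImagePath.
reg query "%KEY%" /v ImagePath
reg query "%KEY%\Parameters" /v ServiceDll 2>nul

rem Keep a copy of the key before changing it (file name is arbitrary).
if not exist "%TEMP%\%SVC%-key.reg" reg export "%KEY%" "%TEMP%\%SVC%-key.reg"

rem Current state, then stop the service and prevent it starting at boot.
rem The space after "start=" is required by sc.exe.
sc query %SVC%
sc stop %SVC%
sc config %SVC% start= disabled

rem Confirm the new start type (should read DISABLED).
sc qc %SVC%
endlocal
```

The same services are listed in the Services console (`services.msc`), where the start type can also be set to Disabled.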
 
Buddy B

> Look in the Registry for
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPNPClient
>
> Is it there ?

NO

> Look at the WinXP NT Services and stop the service.

Where? Not in msconfig | svcs

> You can use MSCONFIG.EXE to find the service "UPNPClient" and then disable the
> service.

YES

> Reboot your PC into Safe Mode and then clean the OS using F-Prot.

Waiting for location of Win XP NT Services, if this is necessary.

I really appreciate the detailed answer, David.



Regards Buddy B
 
David H. Lipman

In Safe Mode, try renaming ACROBAT.DLL to ACROBAT.DLL.BAK then reboot your PC.


Please submit "ACROBAT.DLL.BAK" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.

Then again reboot your PC into Safe Mode and shut down as many applications as possible
before scanning your platform with F-Prot.

--
Dave




| On Thu, 24 Feb 2005 02:06:07 GMT, "David H. Lipman"
|
| >Look in the Registry for
| >
| >HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPNPClient
| >
| >Is it there ?
|
| NO
|
| >Look at the WinXP NT Services and stop the service.
|
| Where? Not in msconfig | svcs
|
|
| >You can use MSCONFIG.EXE to find the service "UPNPClient" and then disable the
| >service.
|
| YES
|
| >Reboot your PC into Safe Mode and then clean the OS using F-Prot.
|
| Waiting for location of Win XP NT Services, if this is necessary.
|
| I really appreciate the detailed answer, David.
|
|
|
| Regards Buddy B
 
Buddy B

> Then again reboot your PC into Safe Mode and shutdown as many applications as possible
> before scanning your platform with F-Prot.

Dave
Deleted it 2 different times from Safe Mode and it popped back when I ran fprot
again from windows.
I did, however, delete it permanently from Windows with no problem.
It seems to be gone for the moment, anyway.

My experience is that some virus/trojans wind up in the system restore files,
which I`m guessing is in:
C:\System Volume Information folder.
The only way I know of to get rid of a problem there is to turn off System
Restore, reboot, and then turn Sys Restore back on??? Seems to work.

Comment:
Fprot seems to be much more sensitive to suspicious files than kaspersky`s AVP
that I also use.
Fprot is the monitor and AVP is the on demand.

Appreciate your help.
Regards Buddy B
 
Jolly Jumper

Buddy (e-mail address removed) wrote:
> Dave
> Deleted it 2 different times from Safe Mode and it popped back when I ran fprot
> again from windows.
> I did, however, delete it permanently from Windows with no problem.
> It seems to be gone for the moment, anyway.
>
> My experience is that some virus/trojans wind up in the system restore files,
> which I`m guessing is in:
> C:\System Volume Information folder.
> The only way I know of to get rid of a problem there is to turn off System
> Restore, reboot, and then turn Sys Restore back on??? Seems to work.
>
> Comment:
> Fprot seems to be much more sensitive to suspicious files than kaspersky`s AVP
> that I also use.
> Fprot is the monitor and AVP is the on demand.
>
> Appreciate your help.
> Regards Buddy B

If you want to see inside the folder *C_System Volume Information* where
you can find the restore files , you can install *scesp4i.exe* available
at Microsoft's site and you'll be able to delete the restore points you
want and keep the others ( So you won't lose all your restore points ) .
I installed it and I could delete a virus in that folder in a restore
point done by the system ( Win XP ) and keep my own restore points .


Regards

JJ
 
Jolly Jumper

Jolly Jumper wrote:
Buddy (e-mail address removed) wrote:
In addition to my earlier mail : I was given *scesp4i.exe* a couple of
days ago on another forum : "fr.comp.securite.virus".

If you can't get it on Microsoft's site , you can try here :
http://www.antiserver.it/Win NT/Security/

I think I got it from there .

Don't be surprised by the title " NT Security Tools " .

It runs very well with Win XP SP2

Best regards

JJ
 
Buddy B

> If you want to see inside the folder *C_System Volume Information* where
> you can find the restore files , you can install *scesp4i.exe* available
> at Microsoft's site and you'll be able to delete the restore points you
> want and keep the others ( So you won't lose all your restore points ) .
> I installed it and I could delete a virus in that folder in a restore
> point done by the system ( Win XP ) and keep my own restore points .
>
> Regards
>
> JJ

Many thanks, JJ, I`ll give it a shot.
I read somewhere that you can`t delete individual restore points but must delete
all or none?
Regards Buddy B
 
Jolly Jumper

Buddy (e-mail address removed) wrote:
> Many thanks, JJ, I`ll give it a shot.
> I read somewhere that you can`t delete individual restore points but must delete
> all or none?
> Regards Buddy B

No .
This "exe" installs a new tab called "Security" and when you right-click
on the folder ( you must see it by unchecking in Tools ..... ) , you'll
be allowed to take full control of it .
Thus , I could open the folder "System Volume Information" and delete
*manually* all the restore points made every 24 hours by the system
itself ( because I had a virus in one of those ) and *keep only mine*
which were safe .

And now , every day , I delete the non-expected restore point .

And there has been no problem at all with my computer ( and the folder
"System ...." is less heavy!! because each restore point weighs at least
40 MB )


If you want you can keep the deleted restore points somewhere else ,
scan them with an AV and restore them ( or remove them without any
problem ) .

Hope that can help you .

JJ
 
Buddy B

Buddy (e-mail address removed) wrote:
> No .
> This "exe" installs a new tab called "Security" and when you right-click
> on the folder ( you must see it by unchecking in Tools ..... ) , you'll
> be allowed to take full control of it .
> Thus , I could open the folder "System Volume Information" and delete
> *manually* all the restore points made every 24 hours by the system
> itself ( because I had a virus in one of those ) and *keep only mine*
> which were safe .
>
> And now , every day , I delete the non-expected restore point .
>
> And there has been no problem at all with my computer ( and the folder
> "System ...." is less heavy!! because each restore point weighs at least
> 40 MB )
>
> If you want you can keep the deleted restore points somewhere else ,
> scan them with an AV and restore them ( or remove them without any
> problem ) .
>
> Hope that can help you .
>
> JJ

Thanks again, JJ.

Regards Buddy B
 
