Trojan.Startup.NameShifter.H


BillyBobby

This high-risk spyware is always detected by Microsoft
AntiSpyware Beta edition.

I ask the program to remove this trojan; it does so,
supposedly, and then I reboot my computer.

Then I run another scan with Microsoft AntiSpyware and,
lo and behold, it finds the same threatening trojan.

How can you really get rid of this?

Relatedly, the program says this trojan is in a folder
within Program Files called: ptusuxpt. I have tried to
remove the contents of this folder, but it says I am
denied access. I tried to make sure the processes are
not running, but still can't delete the files. Among the
offending files is: NxkHcAAa.exe.

Any ideas how to proceed?

Thanks

BillyBobby
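Before re-running the scanners it is worth knowing what keeps bringing the files back. The script below is an added example for this thread, not code from the original post or from Microsoft AntiSpyware. It assumes PowerShell is installed on the XP machine (a separate download there) and is run from an administrator account, and it uses the folder name ptusuxpt and the file name NxkHcAAa.exe exactly as BillyBobby reported them. It lists the folder's contents, attributes and ACL (the usual reasons for "access denied" on delete), any running process whose image lives in that folder, and the autostart locations that reference it.

```powershell
# Added example: triage a folder the scanner keeps re-detecting after removal.
# Folder and file name are the ones reported in the thread; adjust as needed.
$Suspect    = Join-Path $env:ProgramFiles 'ptusuxpt'
$SuspectExe = 'NxkHcAAa.exe'

# 1. Contents (including hidden/system files), owner and ACL of the folder.
#    "Access denied" usually means a process has the file open, the ACL has no
#    entry for your account, or the file carries the system/read-only attributes.
if (Test-Path -LiteralPath $Suspect) {
    Get-ChildItem -LiteralPath $Suspect -Force |
        Select-Object Name, Length, Attributes, LastWriteTime |
        Format-Table -AutoSize
    $acl = Get-Acl -Path $Suspect
    "Owner: {0}" -f $acl.Owner
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
} else {
    "Folder not present: $Suspect"
}

# 2. Running processes whose image is under the folder; these hold the files open
#    and must be stopped (Stop-Process -Id <pid>) before a delete can succeed.
Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like "$Suspect*" } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize

# 3. Registry autostart locations whose values mention the folder or the file.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        $v = [string]$p.Value
        if ($v -like '*ptusuxpt*' -or $v -like "*$SuspectExe*") {
            "{0}\{1} = {2}" -f $key, $p.Name, $v
        }
    }
}

# 4. Services whose binary path points into the folder.
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -like '*ptusuxpt*' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 5. Startup folders. The all-users path below is the Windows XP layout (assumption).
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup')
)
foreach ($d in $StartupDirs) {
    if (Test-Path -LiteralPath $d) {
        Get-ChildItem -LiteralPath $d -Force | Select-Object FullName, LastWriteTime
    }
}
```

Anything step 2 lists is what "make sure the processes are not running" means in practice; anything steps 3 to 5 list is what re-creates the folder after the reboot, and has to go along with the files, otherwise the next scan finds the same thing again.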
 

Bill Sanderson

1) Please submit a Tools > Suspected Spyware Report from Microsoft
AntiSpyware, if possible. You may get an error message, or it may work.

I'd proceed by updating both my antivirus application and Microsoft
AntiSpyware's definitions, restarting in Safe Mode by pressing the F8
function key before the initial Windows screen appears, and doing full, deep
scans with Microsoft AntiSpyware and with my antivirus until a full scan
with each comes through clean.

If it does not, I believe that a trial download of Ewido Security Suite will
take care of this one:

http://www.ewido.net/en/download/

You may need to scan twice with a reboot in between.
 

Alan

Try sysclean.com
(http://www.trendmicro.com/ftp/products/tsc/sysclean.com)
from Trend Micro. Make certain to download the
lpt???.zip file found at
http://www.trendmicro.com.au/download/pattern_update.htm.

Also download mwav.exe (Kaspersky antivirus) from
http://www.spywareinfo.dk/download/mwav.exe, CCleaner
(http://www.ccleaner.com/ccdownload.asp), and ewido
(http://download.ewido.net/ewido-setup.exe).

Decompress the zip file and place the lpt$vpn.??? file in
the same folder that you saved the sysclean.com
application.

Launch My Computer, go to Tools > Folder Options, click
the View tab, select the 'Show hidden files and folders'
radio button, and click Apply.

Turn off System Restore as this infection is likely
stored in a Restore Point, and using the feature in the
future once you have removed it will only cause YOU to
reinfect your own system. To do so, right-click on the
My Computer icon, select Properties, click on the System
Restore tab, and click the 'Turn off System Restore'
check box.

Download the updates to ewido and CCleaner.

Boot into Safe Mode (no network support, and no command
prompt) and run the sysclean.com application. This
application can take a few hours to run, at least it did
on my system (around 18 GB out of 74.5 GB used). After
this is done, run mwav.exe. Next run ewido. Finally run
CCleaner.

It could take a long time to run all of these
applications. I suggest running sysclean.com when you
first get home from work. You can run the others the
next day, just don't reboot the system until you have run
all of the applications to ensure that everything has
been detected and removed. If you are running XP, go to
c:\windows\prefetch and delete the entire contents of the
folder, just don't delete the folder. Doing so might
help remove code that the Trojan has linked to other
aplications which the Trojan are using to reinfect the
system once it has been removed.

Once you are done, reboot the system. Now turn System
Restore back on, and change the Folder Options back
to 'Hide hidden files and folders.'

Also, if you are running MSAS' Real-time Protection,
disable ewido's guards, as they WILL likely conflict with
MSAS' Real-time Protection. If you chose not to do this,
you WILL be putting your system at risk of infection!!

Alan
 

Bill Sanderson

I'd prefer, myself, to leave System Restore enabled.

Then, when the system is clean:

1) Go to Accessories, System Tools, System Restore, and click Create a
Restore point, give it a name, and click create.

2) Go to Accessories, System Tools, Disk Cleanup, and on each drive, run
Disk Cleanup, let it scan, then select the More Options tab, and click the
System Restore Clean Up button at the bottom of that page.

This cleans all the stored restore points except the most recent one, which
you know is clean.

I sure wish it were easier to do and describe, though!

--
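The preparation steps from Alan's procedure (show hidden files, turn off System Restore, empty Prefetch) and the restore-point step from Bill's reply, as one added script. This is an example for this thread, not code from either poster or from any of the tools they name. It assumes PowerShell is installed on the XP machine and is run as an administrator; the registry values it sets are the ones behind the Folder Options and System Restore check boxes, and the restore point is created through the WMI SystemRestore class.

```powershell
# Added example: scripted versions of the preparation and restore-point steps.
# Invoke-ScanPrep runs before the Safe Mode scans; Complete-ScanCleanup runs
# once a full scan with each tool comes back clean.

$ExplorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# Group Policy form of the "Turn off System Restore" check box on the System Restore tab.
$SrPolicyKey      = 'HKLM:\Software\Policies\Microsoft\Windows NT\SystemRestore'
$PrefetchDir      = Join-Path $env:SystemRoot 'Prefetch'

function Invoke-ScanPrep {
    # Folder Options > View > "Show hidden files and folders" (Hidden: 1 = show, 2 = hide),
    # plus protected operating-system files (ShowSuperHidden), which a trojan's folder
    # may be flagged as so that it stays out of sight.
    Set-ItemProperty -Path $ExplorerAdvanced -Name Hidden -Value 1 -Type DWord
    Set-ItemProperty -Path $ExplorerAdvanced -Name ShowSuperHidden -Value 1 -Type DWord

    # Turn off System Restore so an infected restore point is not preserved or restored.
    if (-not (Test-Path $SrPolicyKey)) { New-Item -Path $SrPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $SrPolicyKey -Name DisableSR -Value 1 -Type DWord

    # Empty %SystemRoot%\Prefetch but keep the folder itself.
    if (Test-Path -LiteralPath $PrefetchDir) {
        Get-ChildItem -LiteralPath $PrefetchDir -Force |
            Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
    }
    'Prepared. Reboot into Safe Mode (F8) and run the scanners in order.'
}

function Complete-ScanCleanup {
    param([string]$Description = 'Clean after Trojan.Startup.NameShifter.H removal')

    # Re-enable System Restore by dropping the policy value.
    if (Test-Path $SrPolicyKey) {
        Remove-ItemProperty -Path $SrPolicyKey -Name DisableSR -ErrorAction SilentlyContinue
    }

    # Create one named restore point that is known clean (what Accessories > System
    # Tools > System Restore > Create a Restore Point does in the GUI).
    # Arguments: description, restore point type (0 = APPLICATION_INSTALL),
    # event type (100 = BEGIN_SYSTEM_CHANGE).
    $sr = [wmiclass]'root\default:SystemRestore'
    $rc = $sr.CreateRestorePoint($Description, 0, 100).ReturnValue
    if ($rc -ne 0) { Write-Warning "CreateRestorePoint returned $rc" }

    # List restore points so the new one is visibly the most recent; the older ones are
    # then removed with Disk Cleanup > More Options > System Restore Clean Up, as above.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, CreationTime |
        Format-Table -AutoSize

    # Put Explorer back to hiding hidden and protected files.
    Set-ItemProperty -Path $ExplorerAdvanced -Name Hidden -Value 2 -Type DWord
    Set-ItemProperty -Path $ExplorerAdvanced -Name ShowSuperHidden -Value 0 -Type DWord
}

# Usage: dot-source this file, then call Invoke-ScanPrep, and later Complete-ScanCleanup.
```

If CreateRestorePoint reports a non-zero return code straight after the policy value is removed, the System Restore service has not picked the change up yet; reboot and run Complete-ScanCleanup again. The Disk Cleanup step itself stays in the GUI, as Bill describes.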
 

Alan

Problem is that no AV scanner can scan, nor modify the
files in the System Restore folder.

If you look at symantec.com's recommendations regarding
any infection, if you are running either ME or XP, they
state to turn the feature off. Doing so makes certain
that if you remove the threat it does not return once the
user uses the System Restore feature. It's even possible
that once the code is in the folder it won't be removed
unless you disable System Restore. Even if you are able
to scan the Restore folder, you likely will not be able
to clean it (see
http://support.microsoft.com/default.aspx?scid=kb;en-us;263455).
I don't know if this only applies to Windows
ME or to both ME and XP.

Alan
 

Bill Sanderson

I agree that you can't clean the restore points, and that blowing them away
is important to do--but only once an infection is cured.

What if you sit down at an infected machine, make some change which trips a
bit of malicious code, which trashes the system? There are any number of
accidents that might happen that would make using System Restore, even with
the knowledge that a restore point is infected, an important backup to
maintain.

Yes--clean it up, but only after the machine is known to be clean.
--
 

Frank Saunders, MS-MVP, IE/OE

Alan said:
> Problem is that no AV scanner can scan, nor modify the
> files in the System Restore folder.
>
> If you look at symantec.com's recommendations regarding
> any infection, if you are running either ME or XP, they
> state to turn the feature off. Doing so makes certain
> that if you remove the threat it does not return once the
> user uses the System Restore feature. It's even possible
> that once the code is in the folder it won't be removed
> unless you disable System Restore. Even if you are able
> to scan the Restore folder, you likely will not be able
> to clean it (see
> http://support.microsoft.com/default.aspx?scid=kb;en-us;263455).
> I don't know if this only applies to Windows
> ME or to both ME and XP.
>
> Alan

As Bill says, don't turn off system restore until _after_ the threat is
removed. Then turn it back on and create a new restore point.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
