jmattson30
asked on
How to completely remove the listed Trojan viruses without using recovery mode.
Hi All,
Do any of you know what is the best antivirus program I can use to eliminate the following trojans with? I have used Symantec Antivirus, Superantispyware, and Malware bytes but have not been able to get rid of them. I hope to do this without having to go into recovery mode.
The viruses I need to get rid of are:
Downloader
Trojan.Bredolab
Infostealer.Banker.C
The server infected is running Windows 2003 R2
Thanks in advance for all your help with this.
Agree. I would follow the manual instructions for each of these viruses first. Booting into a minimal OS is a preferred method to attack a virus.
As for using another program, it's always best to remove the current A-V before installing a product from a different vendor, so it could get involved. Many companies provide 30-day trial software, but it's best to do this on a non-production server. There are online scans, but they may not remove it completely, since many of the malicious files may be "in use".
Another solution would be to create a bootable CD at www.ubcd4win.org. Make sure you add the Kaspersky add-in and use it for the scanning. I've had success with these, even on servers running RAID (and didn't need additional drivers). I have many corporate clients running Symantec 10.2, SEP 11.0, and Kaspersky. Personally, I like Kaspersky's products.
ASKER
I wasn't able to get into recovery mode via the CD. It did not detect any installations of Windows using this method. I then installed the recovery console on the server from the CD and was then able to login to recovery mode. The problem there was that the ntos.exe did not exist as stated in Symantec's removal process. The wsnpoem directory did not exist either so therefore the audio.dll and video.dll were not there either. In addition to this I did not find anything wrong with all hosts files found on the C: drive. When I run a full scan on Symantec Endpoint 11 the viruses keep coming back. I delete them and then run another scan and they are back again. As per the removal document I only needed to go to recovery mode to delete the above mentioned files. Since they do not exist what do I do now?
It's possible that the server is not actually infected with these viruses, but contains files with these viruses. Where are the infected files located? Are other computers detecting viruses? If you right-click on an infected file and go to Properties, who does it say is the "Owner"?
We have to find out who keeps putting the files back. It may be the server or it may be another desktop.
Have you looked at the processes running? Have you run msconfig to see if there is anything in the Startup tab that's suspicious? If you need more info about the processes, you can run Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx).
ASKER
I tried looking at the properties as notacomputergeek suggested and it does not show who the owner is. The user shows local host.
ASKER
Hi notacomputergeek,
The suggestions you made in your last comment were very close to resolving the problem. It turned out that the viruses were in a compressed *.ecq file format that is quarantined by Gateway Security. All I had to do was have SEP 11 ignore the CA quarantine folder. There was no infection at all since the virus contained emails were in fact quarantined. Thanks for your help and great suggestions.
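The thread's two useful ideas are (a) find out who keeps putting the files back, and (b) check whether the "recurring" detections are really just another product's quarantine store being re-scanned. The script below is an added illustration of that triage and is not code from any poster or from Symantec or CA. It reads constructed detection records in an assumed "timestamp|threat|path" shape (not SEP's real log format), groups them by path, and separates hits inside an assumed quarantine folder or with the .ecq extension (exclusion candidates) from paths that genuinely reappear between scans (something is recreating them, so the owner, running process and autostart entries need a look).

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample records; the "timestamp|threat|path" layout is an
# assumption for this example, not SEP's actual log format.
SAMPLE_DETECTIONS = """\
2010-03-01 08:00:12|Trojan.Bredolab|C:\\Program Files\\CA\\Gateway\\Quarantine\\msg0001.ecq
2010-03-01 08:00:12|Infostealer.Banker.C|C:\\Program Files\\CA\\Gateway\\Quarantine\\msg0002.ecq
2010-03-01 20:00:09|Trojan.Bredolab|C:\\Program Files\\CA\\Gateway\\Quarantine\\msg0001.ecq
2010-03-01 20:00:09|Infostealer.Banker.C|C:\\Program Files\\CA\\Gateway\\Quarantine\\msg0002.ecq
2010-03-02 08:00:15|Downloader|C:\\WINDOWS\\system32\\tmp\\svc.tmp
2010-03-02 20:00:11|Downloader|C:\\WINDOWS\\system32\\tmp\\svc.tmp
2010-03-02 20:00:11|Downloader|C:\\Documents and Settings\\user\\Local Settings\\Temp\\x.exe
"""

# Assumed location of the other product's quarantine store and the archive
# extension it uses; adjust to what the gateway product actually writes.
QUARANTINE_DIRS = [r"C:\Program Files\CA\Gateway\Quarantine"]
QUARANTINE_EXTS = {".ecq"}


def parse_detections(text):
    """Turn the pipe-separated records into (timestamp, threat, path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, threat, path = line.split("|", 2)
        records.append((ts, threat, path))
    return records


def is_in_quarantine(path):
    """True if the path sits under a known quarantine folder or is a quarantine archive."""
    p = path.casefold()
    for folder in QUARANTINE_DIRS:
        if p.startswith(folder.casefold().rstrip("\\") + "\\"):
            return True
    return PureWindowsPath(path).suffix.casefold() in QUARANTINE_EXTS


def triage(records):
    """Map each detected path to a verdict:
    'exclude-quarantine'  -> another product already neutralised it; exclude the folder
    'investigate-writer'  -> same path detected in more than one scan; find what recreates it
    'single'              -> seen once; clean and keep watching
    """
    by_path = defaultdict(list)
    for ts, threat, path in records:
        by_path[path].append((ts, threat))

    verdicts = {}
    for path, hits in by_path.items():
        if is_in_quarantine(path):
            verdicts[path] = "exclude-quarantine"
        elif len({ts for ts, _ in hits}) > 1:
            verdicts[path] = "investigate-writer"
        else:
            verdicts[path] = "single"
    return verdicts


def exclusion_folders(verdicts):
    """Folders to add as scanner exclusions, derived from the quarantine verdicts."""
    return sorted({str(PureWindowsPath(p).parent)
                   for p, v in verdicts.items() if v == "exclude-quarantine"})


if __name__ == "__main__":
    result = triage(parse_detections(SAMPLE_DETECTIONS))
    for path, verdict in result.items():
        print(f"{verdict:20s} {path}")
    print("exclude:", exclusion_folders(result))
```

The verdict for a recurring path outside any quarantine folder is deliberately "investigate", not "delete again": as the thread says, repeatedly deleting the file without finding the writer just restarts the cycle.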
Disable System Restore (Windows Me/XP).
Restart the computer using the Windows Recovery Console.
Remove all the entries that the risk added to the hosts file.
Update the virus definitions.
Run a full system scan.
Delete any values added to the registry.
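The "remove all the entries that the risk added to the hosts file" step is the one a reader can check mechanically, and the asker reports doing it by eye. Below is an added example (not Symantec's tool or any poster's code) that parses a hosts file and flags the two patterns such removal guides are about: real hostnames sinkholed to loopback (which blocks vendor update sites) and names pointed at a non-loopback address (a redirect). The hosts content is constructed for the example; the allowed-name set is an assumption to tune per site.

```python
import ipaddress

# Constructed hosts file: the first three lines are the stock Windows content,
# the appended lines imitate the kind of entries a removal guide tells you to delete.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# appended lines (constructed for this example)
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
10.0.0.5        www.mybank.example
"""

# Names that legitimately resolve to loopback (assumption; extend for local needs).
ALLOWED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not a mapping line; skip
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(entries):
    """Flag loopback sinkholes of real names and any non-loopback override."""
    flagged = []
    for lineno, addr, name in entries:
        if addr.is_loopback and name in ALLOWED_LOOPBACK_NAMES:
            continue
        if addr.is_loopback:
            reason = "loopback sinkhole (blocks lookups/updates for this name)"
        else:
            reason = "non-loopback override (redirects this name elsewhere)"
        flagged.append((lineno, str(addr), name, reason))
    return flagged


def clean_hosts(text):
    """Return the hosts text with flagged lines removed, for review before writing back."""
    bad = {entry[0] for entry in suspicious_entries(parse_hosts(text))}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, addr, name, reason in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {lineno}: {addr} {name} -> {reason}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Run it against a copy of %SystemRoot%\system32\drivers\etc\hosts and review the flagged lines before replacing the file; a legitimately pinned internal name will show up as a "non-loopback override" too, which is why the script reports rather than rewrites in place.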