I can't believe that I can't correct a trojan but unless someone can help, I have lost the battle I think.
A guy at work told me his up-to-date Sophos virus software had found a virus. I thought I'd be able to correct it quick but 3 hours down the line I'm no further forward. The virus is Troj/Dloader-AB. If you go to the Sophos website you will see its aliases are Agent.2, Agent.al, Agent.an, Downloader-LO, Backdoor-BDD. The virus software detects it mostly in the system32 folder and the root of the Windows folder (the OS is XP Home). I would literally have to click about 60 Sophos virus boxes about files it has found infested in these folders.
Symptoms of my Dloader-AB virus. Homepage in IE changed to some awful search engine. A load of popups. A pornographic search engine appears occasionally.
What have I done to try to correct? Totally updated Sophos and ran full system scan twice. It finds a load of Dloader-AB and deletes them so you think you are on top. But it's not enough. On a reboot the Sophos messages come up again. Could some files be lingering in memory so not being deletable?
I have also run totally up-to-date Spybot & Ad-Aware and it's not helped.
I have of course followed Sophos's advice. It said to remove the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<filename> = <filename>
However that doesn't exist. I did rename one though. It was a registry entry for crd032.exe in that folder. I've no idea if this is a virus or not. However on reboot it is fine and the Sophos messages don't come up. So when does it come up? I go online and everything is fine. I do a search in Google and bang there it goes again! The homepage is back to the search engine, a load of advertising popups and of course Sophos giving me about 80 dialog boxes telling me about infected files it has discovered. Great (not).
Looking in Windows Task Manager I see alg.exe running and csrcss.exe (I'm not sure if the last is a virus or not, in fact I think I've read not).
Sophos claimed atlrc32.exe was infected so I renamed it. It then keeps on saying that atlrc32.exe is infected yet I can't see it in Windows Explorer (and I am showing all hidden files etc).
What to do?
Unfortunately I can't find any info on this trojan from say Symantec or McAfee. I'm disappointed as Symantec normally kicks ass and gives you a tool or such which gets rid of your problem nice and easy.
So I'm looking for help!!!