toughy trojan msdirectx just won't go away!

Client has a fairly new Dell with XP/SP2.
Using the free edition of AVG and Spybot 1.3/Ad-Aware SE/HijackThis to keep it clean.
AVG keeps detecting a trojan (don't remember the exact name) but the file is msdirectx.
Cannot open regedit/msconfig etc. unless I do the rename. Also affecting broadband internet, although it works but slow.
I run HijackThis and see entries for bitdefenderx/IPOT...compaq.exe. About 6 entries in all.
I remove them but when I run the HijackThis scan again they reappear.
What else I have done:
booted in safe mode
removed all entries in the registry with IPOT/compaq/bitdefenderx/msdirectx
searched the HD for all entries above also (I am showing hidden files) and deleted
ran cleanmgr. Also the restore utility is turned off

But when I reboot it all comes back?
Searched the internet but not much in the way of help is out there.
This is a tough one!
Asked: pdadddino
1 Solution
 
InteractiveMind Commented:
Yeah, these things are bitches.
Boot up into Safe Mode  ->  then try scanning, and then removing this trojan from there (and anything else you find)
 
InteractiveMind Commented:
Also, you may want to download and install 'Ad-Aware Personal' from: http://www.lavasoftusa.com/
That's a great and FREE scanner!

Run that and your other scanners in Safe Mode, one at a time.

Also, do you have a firewall installed (excluding the XP firewall) ? If not, then get one!!!!!

I recommend:

   ZoneAlarm  ->  http://www.zonelabs.com/   (for single machine use)
   Sygate Personal Firewall  ->  http://www.sygate.com/   (if on a network)

Regards;
 
pdadddino (Author) Commented:
I have run AVG/Spybot/Ad-Aware SE all in normal boot mode, not in safe mode. Did do what I said above in safe mode, but it did not help.
Personally I love ZoneAlarm... but cannot use it here. Too many prompts for very novice users. Their heads will start spinning.
InteractiveMind Commented:
> i love zone alarm...but cannot use it here. too many prompts for very novice users. their head will start spinning.
I appreciate this. But don't you think that it's better for them to learn how to use ZoneAlarm (which isn't *toooo* difficult), rather than having to tackle viruses and all sorts of malicious problems all the time? Because that's certainly going to happen without a good firewall.

Perhaps this will also help convince you (and them) to give in to installing a firewall:

My little brother was using the internet, he turned his firewall off for less than 5 minutes to play a multiplayer game -- after these five minutes, his computer was acting up. He ran Ad-Aware, and found over 350 "Critical bugs". As opposed to the '0' bugs found shortly before playing online!! He had his XP firewall on, and some AV stuff installed.. but this didn't stop them!

Anyways, these scans can find most malware, however, sometimes they can't remove them, because the viruses are being used, or something such as another virus just recreates the virus straight after it's removed! It happens! (They work in pairs).

However, if you boot up into safe mode, then these viruses can't startup, allowing you to successfully remove them with the scans.

Also, do they have a "System Restore Point" from some time before these problems? If so, then if the scan in Safe Mode doesn't do much (which I doubt will be the case), then try restoring to a previous point.

Regards;
 
Tolomir (Administrator) Commented:
Maybe here is a good solution:

http://forums.spywareinfo.com/lofiversion/index.php/t44236.html

Check this entry:

WinHelp2002 Mar 31 2005, 06:50 AM


Tolomir
 
EnigmaticFractal Commented:
Hi pdadddino.

Try disabling system restore and then booting into safe mode.  Afterwards, run the cleaners all over again (avg, spybot, adaware, HJT, etc.) That might prevent them from coming back after you have supposedly cleaned them.

~Fractal

 
EnigmaticFractal Commented:
>>"also restore util is turned off"
Oops, I'm guessing that this means that you did turn it off before scanning...sorry.
 
pdadddino (Author) Commented:
Think I have made some progress on this nasty! Need to monitor for a few more cycles to be sure. The PC is running much better and the internet is much faster!
What I did was:
- booted in safe mode with networking
- completed install of ZoneAlarm - this would not start up in normal mode due to virus interference. Kept getting vector failures.
- ran online Trend Micro system scan - it detected 4 viruses and fixed them
- updated and ran Spybot 1.3 - found 5 bad entries and cleaned them
- updated and ran Ad-Aware SE - was clean
- ran HijackThis - deleted 2 entries for compaq.exe. These are the ones that keep coming back.
- reran HijackThis - no bad entries!
- rebooted normal
- ran HijackThis - no bad entries
- left PC on and ran a scheduled overnight AVG antivirus scan - it did come up with a few viruses and cleaned up! Some of the same ones. This has me worried a little.
- ran HijackThis - it was clean

To do:
- will leave the PC on for a few days except for some restarts
- ran another AVG virus scan before leaving the house today.
- have another AVG scheduled run for this afternoon and want to see it clean for a few cycles!
- will check results tonight
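The symptom in this thread (HijackThis O4 entries deleted, then back after a reboot, sometimes under a different value name) is easiest to confirm by diffing scan logs rather than by eye. The script below is an added example written for this page, not code from the thread or from HijackThis: it parses the common `O4 - HKLM\..\Run: [name] command` log line layout (assumed from HijackThis's usual output; other O4 forms such as Startup-folder entries are ignored), then compares a pre-cleanup log, a post-cleanup log and a post-reboot log. Comparing by value name catches entries that return unchanged; comparing by executable name catches the same binary re-registered under a new value name. The sample logs, value names and paths are constructed for illustration.

```python
import re
from typing import Dict, List

# HijackThis-style O4 (registry autostart) log line, for example:
#   O4 - HKLM\..\Run: [msdirectx] C:\WINDOWS\msdirectx.exe
# The layout is assumed from the common HijackThis log format.
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<command>.+)$"
)


def parse_o4(log_text: str) -> Dict[str, str]:
    """Map each autostart entry ('HIVE\\Key\\[name]') to its command line."""
    entries: Dict[str, str] = {}
    for raw in log_text.splitlines():
        m = O4_LINE.match(raw.strip())
        if m:
            entries[f"{m['hive']}\\{m['key']}\\[{m['name']}]"] = m["command"]
    return entries


def executable_of(command: str) -> str:
    """Lower-cased executable file name from a command line, ignoring arguments.
    Handles both quoted paths with spaces and bare paths."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()


def recurring_entries(before_cleanup: str, after_cleanup: str, after_reboot: str) -> List[str]:
    """Autostart entries removed during cleanup that are back, unchanged in name, after reboot."""
    before, after, rebooted = (parse_o4(t) for t in (before_cleanup, after_cleanup, after_reboot))
    removed = set(before) - set(after)
    return sorted(name for name in removed if name in rebooted)


def recurring_executables(before_cleanup: str, after_cleanup: str, after_reboot: str) -> List[str]:
    """Executables removed during cleanup that are started again after reboot,
    even when the value name differs. A name-only diff misses persistence that
    re-registers itself under a new name; this comparison catches it."""
    before, after, rebooted = (parse_o4(t) for t in (before_cleanup, after_cleanup, after_reboot))
    removed_exes = {executable_of(c) for c in before.values()} - {executable_of(c) for c in after.values()}
    back = {executable_of(c) for c in rebooted.values()}
    return sorted(removed_exes & back)


# Constructed sample logs (paths and value names are made up for illustration).
BEFORE = r"""
O4 - HKLM\..\Run: [AVG_tray] "C:\Program Files\AVG Free\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [msdirectx] C:\WINDOWS\msdirectx.exe
O4 - HKLM\..\Run: [bitdefenderx] C:\WINDOWS\system32\compaq.exe
O4 - HKCU\..\Run: [IPOT] C:\WINDOWS\system32\compaq.exe
"""

AFTER_CLEANUP = r"""
O4 - HKLM\..\Run: [AVG_tray] "C:\Program Files\AVG Free\avgcc.exe" /STARTUP
"""

AFTER_REBOOT = r"""
O4 - HKLM\..\Run: [AVG_tray] "C:\Program Files\AVG Free\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [msdirectx] C:\WINDOWS\msdirectx.exe
O4 - HKLM\..\Run: [compaq] C:\WINDOWS\system32\compaq.exe
"""

if __name__ == "__main__":
    print("Entries back under the same name:", recurring_entries(BEFORE, AFTER_CLEANUP, AFTER_REBOOT))
    print("Executables back under any name:", recurring_executables(BEFORE, AFTER_CLEANUP, AFTER_REBOOT))
```

In the constructed sample, `compaq.exe` comes back under the new value name `compaq`, so the name-based diff reports only `msdirectx`, while the executable-based diff reports both. That difference is the practical point: when an entry keeps returning, look for the process or second binary that writes it (the "pairs" behaviour described earlier in the thread) rather than deleting the Run value again.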
 
pdadddino (Author) Commented:
PC seems to be working fine now!
BUT
if I leave it on for a couple of days, the AVG scheduled scan keeps detecting I-Worm Bofra in one of the users' dirs "Documents and Settings..."
I ran another online Trend Micro scan in safe mode. It detected 1 virus (don't remember the name, but it was in another user's Doc..and..Sett dir). It removed it.
I ran AVG in safe mode; it was clean... ran Trend Micro again; it was clean. Left the PC on overnight. The scan ran at 2am and it found the I-Worm Bofra again!
 
InteractiveMind Commented:
Make sure that you have a decent firewall installed and configured to prevent this worm spreading, then download Symantec's "Bofra Removal Tool": http://securityresponse.symantec.com/avcenter/venc/data/w32.bofra@mm.removal.tool.html  (completely free).

Regards;