  • Status: Solved
Trojan.Anserin - Can't remove infected dll files

My father has managed to get himself infected with the Anserin Trojan:

http://www.sarc.com/avcenter/venc/data/trojan.anserin.html

He has Symantec Corporate 10.0 running on his laptop.

I have talked him through booting into safe mode, scanning and fixing, but the two files (ibm0004.exe and ibm00003.exe) will not delete - comes up saying that the file has been left alone as it could not be cleaned or removed.

If I get him to go through windows and try, he gets: "cannot delete ibm0004.exe access is denied"

I don't understand how it can still be locked in Safe Mode. I have had him delete the registry keys, so the virus shouldn't be launching anymore.

Any suggestions as to how to get rid of these files?

SB
1 Solution
 
rpggamergirlCommented:
1. Please download SmitfraudFix:
 http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
 
2. If the problem persists, download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at:
http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.

3. Or try:
Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.


 
arrowtechAuthor Commented:
If the OS still has the files locked in safe mode, how are these tools going to help that?
 
rpggamergirlCommented:
the file is locked even in safe mode because it loads even before windows loads, so it will always be locked.
Another way to do it is to use a tool that will delete it before windows loads.
That file is in fact part of smitfraud infection which smitrem used to be able to remove but since smitrem is no longer updated by its creator I suggested Smitfraudfix.exe.

If you post a hijackthis log I'm fairly sure that the entry in F2 line or 02 line will be there.
Try Smitfraudfix first, then if it's still there, post a hijackthis log so we'll see the entry.

 Can you post the exact path and filename of those 2 files?
 
r-kCommented:
Here is what I suggest:

First locate the files named ibm0004.exe and ibm00003.exe (probably in c:\windows or c:\windows\system32)

Then:

(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

(1) Right click on the file (e.g. ibm0004.exe) in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Repeat steps (1) to (4) for the other file

(6) Close all windows.

(7) Reboot.

After reboot the file(s) will be unable to run (because no one can access them any more). The symptoms should be gone.

At this point you can clean up with a standard anti-spyware program. I would recommend the ones suggested by rpggamergirl above.

When all seems OK please still do run HiJackThis and analyze the log, and if anything bad is still there then send us the link to the analyzed log (see item (2) in the post by rpggamergirl above).

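As an added example (not code from this thread), the same "stop inheriting, remove every ACE" change done from PowerShell, plus the restore step arrowtech asks about further down; it assumes a current Windows with PowerShell, an elevated prompt, and a placeholder path in place of the real file location.

```powershell
# Added example, not from the original thread.
# Empty the DACL of a suspect file so no account can read, run or load it,
# then later re-enable inheritance so the file can be deleted normally.
# Run elevated. The caller must own the file or hold SeTakeOwnershipPrivilege
# (Administrators do); otherwise Set-Acl fails with "Access is denied".

function Lock-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Same as unchecking "Inherit from Parent..." and choosing "Remove":
    # protect the DACL and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit (non-inherited) entries as well. An empty DACL
    # grants nothing to anyone, so the image can no longer be executed.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Unlock-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)

    # The owner keeps READ_CONTROL and WRITE_DAC even with an empty DACL,
    # so the owner (or an admin after takeown) can reinstate inheritance.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Placeholder path: replace with the path found in step (1).
$suspect = 'C:\PATH\TO\suspect.exe'
Lock-SuspectFile -Path $suspect
# ... reboot, confirm the symptoms are gone, run the scanners ...
Unlock-SuspectFile -Path $suspect
Remove-Item -LiteralPath $suspect
```

If the file is owned by SYSTEM or another account, run `takeown /f <path>` first so Unlock-SuspectFile can write the DACL.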
 
knuthfCommented:
You have TWO options:
You are not allowed to delete a file that is used. This is how things should be - it is not always the case.

You may use the registry entry: "RUNONCE" - not "RUN"!
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce)
Specify a new "Key Value" - give it a nasty name - any name.
Here you enter "DEL C:\WINNT\System32\<yourfile>.dll" as in
silly REG_SZ DEL c:\winnt\System32\ogb00023.dll

exit regedit and reboot.

The alternative is to enter the same command in c:\AUTOEXEC.BAT - this still exists and is used... and may be used to delete the file before your computer has started and the virus reinstalled itself.

However - this seems to be adware - that re-installs itself. Check your Hosts file for multiple entries of 127.0.0.1 - should only be "localhost". One of these installs itself and plays around with your network definitions, uses multiple hosts and you need both a proper firewall and virus removal tool to get rid of it...
Good luck ! - Zonelab is an OK firewall, that also contains a scanner (better are around but..) it is "free" for 2-3 weeks, enough to get rid of your problem.
But beware: Some adware are now so mean that the easiest way out is to remove all temporary browser files, all files that you are not 100% certain should be there, and reinstall the OS. I keep W2KAS on drive D - with MS Office.
 
arrowtechAuthor Commented:
r-k had what I needed to just get rid of those files - the scans can wait for now - it was phone support for my father so I just wanted to make sure the exe and dlls were removed, and stop the Symantec pop-up notifications.

One thing - your steps forgot to put permissions back on the files again after the reboot - someone who didn't know what they were doing and were just following steps wouldn't know to do that and would just get Access Denied again.

Thanks everyone for the help - I enjoyed knuthf's suggestions as well, but they came too late to try.

A
 
r-kCommented:
"your steps forgot to put permissions back on the files again after the reboot"

Good point, and glad you raised it. In most cases, it is OK to change permissions back after the reboot and then delete the files. However, there are cases where it may be better to leave the files alone. For example, there might be a hidden program that may re-create the files if you delete them. Then again, even if deleting the files is OK, it does no harm to leave them there - so long as permissions stay removed, they can't run, and even the AV programs will ignore them.

It was with this reasoning that I omitted the final step of deleting the files. In your case, if you deleted them and they did not appear, then that is a good thing.

Thanks.
 
arrowtechAuthor Commented:
No problems, all makes sense.