arrowtech

asked on

Trojan.Anserin - Can't remove infected dll files

My father has managed to get himself infected with the Anserin Trojan:

http://www.sarc.com/avcenter/venc/data/trojan.anserin.html

He has Symantec Corporate 10.0 running on his laptop.

I have talked him through booting into safe mode, scanning and fixing, but the two files (ibm0004.exe and ibm00003.exe) will not delete - comes up saying that the file has been left alone as it could not be cleaned or removed.

If I get him to go through windows and try, he gets: "cannot delete ibm0004.exe access is denied"

I don't understand how it can still be locked in Safe Mode. I have had him delete the registry keys, so the virus shouldn't be launching anymore.

Any suggestions as to how to get rid of these files?

SB
rpggamergirl

1. Please download SmitfraudFix:
 http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
 
2. If the problem persists, download HijackThis 1.99.1:
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "Do a system scan and save a logfile". Don't fix anything yet; just upload the logfile created. Go here and paste your HijackThis log: http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at:
http://www.hijackthis.de/
and click "Analyse", then click "Save". Post the link to the saved list here.

3. Or try:
Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.


-------------------------------------------------------------------------------
arrowtech

ASKER

If the OS still has the files locked in safe mode, how are these tools going to help that?
The file is locked even in safe mode because it loads even before Windows loads, so it will always be locked.
Another way to do it is to use a tool that will delete it before Windows loads.
That file is in fact part of the SmitFraud infection, which SmitRem used to be able to remove, but since SmitRem is no longer updated by its creator I suggested SmitfraudFix.exe.

If you post a HijackThis log I'm fairly sure that the entry in the F2 line or O2 line will be there.
Try SmitfraudFix first; then, if it's still there, post a HijackThis log so we'll see the entry.

Can you post the exact path and filename of those 2 files?
ASKER CERTIFIED SOLUTION
r-k

You have TWO options:
You are not allowed to delete a file that is used. This is how things should be - it is not always the case.

You may use the registry entry: "RUNONCE" - not "RUN"!
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce)
Specify a new "Key Value" - give it a nasty name - any name.
Here you enter "DEL C:\WINNT\System32\<yourfile>.dll" as in
silly REG_SZ DEL c:\winnt\System32\ogb00023.dll

exit regedit and reboot.

The alternative is to enter the same command in c:\AUTOEXEC.BAT - this still exists and is used... and may be used to delete the file before your computer has started and the virus has reinstalled itself.

However - this seems to be adware that re-installs itself. Check your hosts file for multiple entries of 127.0.0.1 - there should only be "localhost". One of these installs itself and plays around with your network definitions, uses multiple hosts, and you need both a proper firewall and a virus removal tool to get rid of it...
Good luck! - ZoneLab is an OK firewall that also contains a scanner (better ones are around, but...); it is "free" for 2-3 weeks, enough to get rid of your problem.
But beware: some adware is now so mean that the easiest way out is to remove all temporary browser files and all files that you are not 100% certain should be there, and reinstall the OS. I keep W2KAS on drive D - with MS Office.
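The RunOnce approach and the hosts-file check from the post above, as an added PowerShell example that is not part of the thread or of any tool it mentions. The target path is a placeholder taken from the post; the RunOnce value name and the use of cmd.exe as host process for the del builtin are my own choices, and the script assumes an elevated prompt.

```powershell
# Added example (not from the thread): queue a locked malware file for deletion
# at next logon via RunOnce and inspect the hosts file for hijacked entries.
param(
    # Placeholder path from the post; substitute the real file reported by the AV.
    [string]$Target    = 'C:\WINNT\System32\ogb00023.dll',
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
)

$RunOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function Test-FileLocked {
    param([string]$Path)
    # Try to open the file with no sharing. A sharing violation (another process
    # or driver holds it) or an ACL denial both surface as "access is denied"
    # in Explorer, which is the symptom described in the question.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch {
        return $true
    }
}

function Add-RunOnceDelete {
    param([string]$Path)
    # RunOnce values execute once at the next logon and are then removed.
    # 'del' is a cmd.exe builtin, not an executable, so cmd.exe hosts it.
    $name = 'RemoveInfectedFile_' + [IO.Path]::GetFileNameWithoutExtension($Path)
    $cmd  = "cmd.exe /c del /f /q `"$Path`""
    New-ItemProperty -Path $RunOnceKey -Name $name -Value $cmd `
        -PropertyType String -Force | Out-Null
    return $name
}

function Get-SuspiciousHostsEntries {
    param([string]$Path)
    # Report every 127.0.0.1 line that maps something other than localhost;
    # adware uses such lines to black-hole AV vendor and update sites.
    Get-Content -LiteralPath $Path | Where-Object {
        $_ -match '^\s*127\.0\.0\.1\s+(\S+)' -and $Matches[1] -ne 'localhost'
    }
}

if (Test-FileLocked $Target) {
    $entry = Add-RunOnceDelete $Target
    Write-Host "Queued '$Target' for deletion under RunOnce value '$entry'; reboot to apply."
} elseif (Test-Path -LiteralPath $Target) {
    Remove-Item -LiteralPath $Target -Force
}
Get-SuspiciousHostsEntries $HostsPath
```

Review the RunOnce key after the reboot: the value should be gone, and if it reappears or the file is re-created, something else on the system is still re-installing it.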
r-k had what I needed to just get rid of those files - the scans can wait for now - it was phone support for my father so I just wanted to make sure the exe and dlls were removed, and stop the Symantec pop-up notifications.

One thing - your steps forgot to put permissions back on the files again after the reboot - someone who didn't know what they were doing and was just following steps wouldn't know to do that and would just get Access Denied again.

Thanks everyone for the help - I enjoyed knuthf's suggestions as well, but they came too late to try.

A
"your steps forgot to put permissions back on the files again after the reboot"

Good point, and glad you raised it. In most cases, it is OK to change permissions back after the reboot and then delete the files. However, there are cases where it may be better to leave the files alone. For example, there might be a hidden program that may re-create the files if you delete them. Then again, even if deleting the files is OK, it does no harm to leave them there - so long as permissions stay removed, they can't run, and even the AV programs will ignore them.

It was with this reasoning that I omitted the final step of deleting the files. In your case, if you deleted them and they did not appear, then that is a good thing.

Thanks.
No problems, all makes sense.