Trojan horse won't let me use antivirus scan



Duane
07-09-2005, 10:49 PM
My Dell Computer alert informed me I have download.ject trojan horse.
However, since I got it, I cannot open my Norton Antivirus program to scan
for it. It also will not let me go to Norton's service web site for
help--the page will not open. Can I safely uninstall and reinstall my Norton
software, or is that going to cause more problems? Any tips?? It's causing
lots of freeze-ups, and it's making everything run REALLY slow.
Duane

David H. Lipman
07-09-2005, 10:49 PM
From: "Duane" <Duane@discussions.microsoft.com>

| My Dell Computer alert informed me I have download.ject trojan horse.
| However, since I got it, I cannot open my Norton Antivirus program to scan
| for it. It also will not let me go to Norton's service web site for
| help--the page will not open. Can I safely uninstall and reinstall my Norton
| software, or is that going to cause more problems? Any tips?? It's causing
| lots of freeze-ups, and it's making everything run REALLY slow.
| Duane

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor's web site.
On Win9x/ME the choices are: Trend, McAfee, Exit the menu and Reboot the PC.
On NT4, Win2k, WinXP and Win2003 Server the choices are: Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Crouchie1998
07-09-2005, 10:49 PM
Also search for your 'hosts' file (C:\WINNT\System32\Drivers\etc on Windows
2000).

Open it with notepad & after the '#' (hashes) make sure there is only one
line:

127.0.0.1 localhost

If you find any others delete them, save the file & close the directory.

Viruses/adware/spyware... attack the above file

I hope this is of some help

Crouchie1998
BA (HONS) MCP MCSE

David H. Lipman
07-09-2005, 10:49 PM
From: "Crouchie1998" <crouchie1998@spamcop.net>

| Also search for your 'hosts' file (C:\WINNT\System32\Drivers\etc on Windows
| 2000).
|
| Open it with notepad & after the '#' (hashes) make sure there is only one
| line:
|
| 127.0.0.1 localhost
|
| If you find any others delete them, save the file & close the directory.
|
| Viruses/adware/spyware... attack the above file
|
| I hope this is of some help
|
| Crouchie1998
| BA (HONS) MCP MCSE
|


A few notes about my scripted front ends to AV Command Line Scanners (CLS)...

Since they are written in a 32bit interpreted language, they can be easily modified for new
threats. Before downloading the needed files, the scripts will: make sure there is no
hosts file, make sure the "DataBasePath" hasn't been altered from
%SystemRoot%\System32\drivers\etc, and flush the DNS cache. They will also make sure there
is no malware chaining off Explorer.exe in the Registry "shell" location. Additionally, the
scripts will also detect if they are being executed in Safe Mode or in Normal Mode.

In Win9x/ME they will perform similar checks and process WIN.INI and SYSTEM.INI.

Finally, each script has a "kill process" procedure. Each script version has a file
called "killproc.txt". The objective is to append the list with the name of an executable
file like; RUNDLL32.EXE. Before a scan is performed in each script, "killproc.txt" will
be parsed for the list of EXE files and successively kill each running process providing the
scanners greater efficacy.

My latest version provides a menu driven front end to: the Sophos CLS, the McAfee CLS and
Trend Micro's Sysclean utility. This way not only will the script correct changes made to
the OS by malware to block access to AV vendor web sites, but it will also provide three
scanners such that one may catch what another may miss.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
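As an added example (not part of this thread, and not Dave's Multi_AV scripts), here is a small Python check for two of the things the two posts above describe: a hosts file that carries anything beyond the single `127.0.0.1 localhost` line, and a `DataBasePath` value that no longer points at `%SystemRoot%\System32\drivers\etc`. The sample hosts content is constructed; the Symantec hostname in it is the one linked elsewhere in the thread and is used only as a sample of the kind of entry malware adds. The registry location of `DataBasePath` named in the comment is the standard TCP/IP parameters key; reading it is left to the caller, since this script only compares the value it is handed.

```python
import ipaddress
import os
import sys
from typing import List, Tuple

# Constructed sample hosts file: the legitimate loopback line plus entries of the
# kind the thread describes malware adding to block or redirect AV vendor sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       securityresponse.symantec.com   # constructed: blocks the vendor site
127.0.0.1       www.symantec.com                # constructed
10.1.2.3        liveupdate.symantecliveupdate.com  # constructed: redirect, not block
"""

# Expected value of DataBasePath under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, as stated in the thread.
EXPECTED_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"

# The only address/name pairs a clean hosts file needs.
ALLOWED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file text into (line, address, name) triples, ignoring comments."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing and whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line: nothing resolvable
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                           # not an address: the resolver ignores it too
        for name in names:
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(text: str) -> List[Entry]:
    """Every mapping that is not the plain localhost line."""
    return [e for e in parse_hosts(text) if (e[1], e[2]) not in ALLOWED]


def databasepath_ok(value: str) -> bool:
    """True if the DataBasePath value still points at the default etc directory."""
    return value.strip().lower() == EXPECTED_DATABASEPATH.lower()


def report(text: str) -> str:
    """Human-readable summary of the hosts-file check."""
    bad = suspicious_entries(text)
    if not bad:
        return "hosts file: OK (only the localhost line)"
    lines = [f"hosts file: {len(bad)} unexpected entr{'y' if len(bad) == 1 else 'ies'}"]
    for lineno, addr, name in bad:
        lines.append(f"  line {lineno}: {addr} -> {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Check the real file when run on Windows; otherwise demonstrate on the sample.
    path = os.path.join(os.environ.get("SystemRoot", ""), r"System32\drivers\etc\hosts")
    if os.name == "nt" and os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_HOSTS))
    sys.exit(0)
```

Run it from a clean boot environment, as the thread advises, and treat any flagged line as something to remove by hand rather than to trust; the check is deliberately strict because a clean Windows hosts file needs nothing but the loopback entry.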

Crouchie1998
07-09-2005, 10:49 PM
Hi Duane,

You can also download the Download.Ject Removal Tool from here:

Page:
------

http://www.microsoft.com/downloads/details.aspx?FamilyId=FC84B8B5-A64D-4837-B65F-96925A514F71&displaylang=en

Direct Link to Tool:
---------------------

http://download.microsoft.com/download/0/9/f/09ff9e2a-14d4-43b2-82b6-7f41104e9aa1/Windows-KB873018-ENU-V1.exe

You will also need to view this page:

http://www.microsoft.com/security/incident/download_ject.mspx

Regarding Norton Antivirus:
--------------------------

http://securityresponse.symantec.com/avcenter/venc/data/download.ject.html

I hope this is also some help

Crouchie1998
BA (HONS) MCP MCSE

cquirke (MVP Windows shell/user)
07-09-2005, 10:49 PM
On Mon, 20 Jun 2005 16:12:03 -0700, "Duane"

>My Dell Computer alert informed me I have download.ject trojan horse.
>However, since I got it, I cannot open my Norton Antivirus program to scan
>for it. It also will not let me go to Norton's service web site for
>help--the page will not open.

Sure; malware will do that. Just as surely as bank robbers shoot
cops, so malware will smite your av. What did you expect?

>Can I safely uninstall and reinstall my Norton software

Almost certainly not. The malware's active, and has already clobbered
your tallest-poppy-in-the-stack Norton. Do you really expect it to
sit around and let you install it again?

> or is that going to cause more problems?

Ayup.

>Any tips??

Yes, but you won't like it...

> It's causing lots of freeze-ups, and it's making everything run REALLY slow.

Of course - your PC's now owned, and you are left to feed on the
scraps of what's left over when the new owners have done what they
want. As the quality of malware coding is generally flaky (who cares
if someone else's PC crashes?) it's not surprising it's slow.

What you have to do is tackle the malware while it is not running -
and as you have no idea where in the system it is (that's what your av
scan has to find out) that means no code on the HD is running at all.

Simply start up your Microsoft Bootable Maintenance CD and run your av
from your write-protected USB stick.

Oh... there's no such thing as a Microsoft Bootable Maintenance CD.

That's the part you aren't going to like.

You'll dislike this slightly less, though; it's possible, no thanks to
MS, to download something called "Bart's PE Builder" from a clean PC
(i.e. not your infested wreck) and from there, build a bootable CDR
that can run some Windows programs to act on your HD installation
without running any ?infected code from it at all.

Then you'd have your write-protected USB stick with things like:
- Trend SysClean and extracted data file
- McAfee Stinger (renamed s-t-i-n-g-e-r.exe or something)
- Avast killer
- F-Secure BlackLight root kit killer
- F-Secure F-Bot bot killer
- F-Secure F-SDbot bot killer

Once again, download these and prepare your USB stick from a clean PC.

Boot your stricken PC into CMOS setup, and set boot order to CD-ROM,
period (do NOT allow the HD to boot).

Write protect your USB stick, and insert it. Bart can't read a USB
stick that isn't present at boot time, and you don't want anything to
write to that stick from an infected PC.

Place the Bart's PE CDR in the (bootable) CD-ROM drive.

Exit CMOS setup and save changes (when all is done, set boot order
back to HD before anything else; infected bootable removable disks
constitute an uncommon but effective infection vector).

Bart's will boot; then press Alt+M or click the Go (Start) button and
run a command (Cmd) prompt. Enter these commands:

C:
MD \STUFF
CD \STUFF
COPY D:\*.*

(where D: is the drive letter for your USB stick that's full of lovely
fresh antimalware goodies).

Then run each of these goodies in turn, starting with SysClean.
SysClean will take the longest to run, but covers the widest range of
malware out of the bunch I listed. Save logs where this has to be
done manually, e.g. Stinger.


Having got the PC as clean as possible <cough>, set boot order back to
HD first, boot, and bang furiously away at the F8 key so you can
choose Safe Mode Command Prompt Only. This is the boot option least
likely to run malware that's integrated into the startup axis, IE, or
Windows Explorer. It still runs the ?infected OS code, though, plus
several integration opportunities that a truly "Safe" mode wouldn't.

Repeat all of the above tools from C:\STUFF, because while you were in
Bart's, the wrong registry was in effect, and some detection methods
would not have been able to work.

From Safe Mode Command Only, you can also install and run scanners for
commercial malware (cm), such as AdAware and SpyBot. Alas,
Microsoft's otherwise-excellent AntiSpyware Beta can't install from
Safe Mode, though if it's already installed (and hasn't been eaten by
malware) you can run it from Safe Mode.


Having done what you can without running the whole steaming Windows
edifice, boot into the whole steaming Windows edifice and run all or
most of these tools again - especially the anti-cm stuff, and now you
can use MS AntiSpyware Beta as well. Some popular integration points
may be account-specific, and not as visible from Safe Mode, y'see.


Hey, maybe you're in luck! If your file system is FATxx instead of
NTFS, and your HD is less than 137G in size, you can boot a Win98 EBD
(diskette) and run any of several DOS-based av to formally scan the
PC, such as from F-Prot, NOD32 or Sophos. But not if you're NTFS.


You're going to get advice that is "easier" than this, e.g.:
- try an online scanning site
  - assumes the DNS used to reach this site isn't malware-spoofed
  - assumes the active malware will allow itself to be removed
- install some or other Windows-based av
  - assumes the active malware will allow itself to be removed
- scan the system from Safe Mode
  - assumes malware will not be active in Safe Mode
- give up and wipe the PC because "you can never be sure"
  - sure, with no decent tools, you "can't be sure"

Now then, MS: About that "Microsoft Bootable Maintenance CD" you
haven't been promising us, even after years of XP-on-NTFS pain...





>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -