
Have A Trojan


7 replies to this topic

#1 deem2347
Posted 23 January 2008 - 06:12 PM

When I turn on my system, it takes me to my wallpaper and gives me the following message:

"Downloader.gen.a (Trojan). Filepath:C:windows\system32\ldcore.dll"

I can open my system in SAFE mode with internet access. My dilemma is with this being a downloader trojan, can I safely download and run spyware in SAFE Mode; or, should I go to the filepath (again in SAFE mode) and try to delete? The latter would require some guidance as I am not comfortable doing this on my own.
I found all of the downloads on "bleepingcomputer" and would run them on my system if it is safe to do in SAFE mode. Can someone please help me? At the present time I am using a laptop to converse.


#2 quietman7
Posted 24 January 2008 - 11:16 AM

"How to reboot in Safe Mode".

Why use safe mode? The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas while the files are in use. Using "Safe Mode" reduces the number of modules requesting files to only the essentials needed to make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files when performing scans with anti-virus and anti-malware tools. In most cases, performing your scans in "Safe Mode" also speeds up the scanning process.

Please download SDFix by AndyManchesta and save it to your desktop.
alternate zipped version
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • Disconnect from the Internet before running SDFix.
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save a copy into the SDFix folder as Report.txt.
  • Copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
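The three troubleshooting steps at the end of the post above (re-enabling a disabled command prompt by importing a .reg file, and checking that %comspec% points at cmd.exe) can be scripted as pre-flight checks before RunThis.bat is launched. The following is an added example written for this page; it is not SDFix's code and not part of the original reply. It assumes that the "command prompt has been disabled by your administrator" message is produced by the DisableCMD policy value under Software\Policies\Microsoft\Windows\System in HKCU or HKLM (0 or absent = allowed, 1 = cmd.exe and batch files blocked, 2 = interactive cmd.exe blocked only), and the SAMPLE_REG text is constructed to stand in for Enable_Command_Prompt.reg, whose real contents the thread does not show. Python is used rather than the Run box so the parser and policy logic can be exercised offline; on Windows, main() reads the live registry through the standard winreg module.

```python
"""Pre-flight checks for the SDFix troubleshooting steps above. Added example,
not SDFix's own code. SAMPLE_REG is a constructed stand-in for
Enable_Command_Prompt.reg. Assumption: the "command prompt has been disabled"
message comes from the DisableCMD value under Software\\Policies\\Microsoft\\
Windows\\System in HKCU or HKLM (0/absent = allowed, 1 = cmd.exe and batch
files blocked, 2 = interactive cmd.exe blocked only)."""
import os
import re
import sys

POLICY_KEY = r"Software\Policies\Microsoft\Windows\System"
HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
REG_HEADER = "Windows Registry Editor Version 5.00"
_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

# Constructed stand-in for %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=-
"""

def comspec_ok(comspec):
    """Last step of the post: %comspec% must name system32\\cmd.exe."""
    if not comspec:
        return False
    return comspec.strip('"').replace("/", "\\").lower().endswith(r"\system32\cmd.exe")

def cmd_policy_state(disable_cmd):
    """What a DisableCMD value blocks. RunThis.bat is a batch file, so only
    the "disabled" state (value 1) stops it; 2 still lets batch files run."""
    return {None: "enabled", 0: "enabled", 1: "disabled",
            2: "interactive_disabled"}.get(disable_cmd, "unknown")

def parse_reg(text):
    """Parse the .reg subset used here: [key] headers, dword values and
    "name"=- deletions (stored as None). Returns {key_path: {name: value}}."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != REG_HEADER:
        raise ValueError("not a version 5.00 .reg file")
    result, current = {}, None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):
            continue
        if key := _KEY_RE.match(ln):
            current = key.group(1)
            result.setdefault(current, {})
            continue
        val = _VALUE_RE.match(ln)
        if not val or current is None:
            raise ValueError(f"unsupported line: {ln!r}")
        name, raw = val.groups()
        if raw == "-":
            result[current][name] = None
        elif raw.startswith("dword:"):
            result[current][name] = int(raw[6:], 16)
        else:
            raise ValueError(f"unsupported value: {ln!r}")
    return result

def apply_reg(registry, parsed):
    """Simulate 'swreg IMPORT' against an in-memory {key: {name: value}} snapshot."""
    reg = {k: dict(v) for k, v in registry.items()}
    for key, values in parsed.items():
        target = reg.setdefault(key, {})
        for name, value in values.items():
            if value is None:
                target.pop(name, None)
            else:
                target[name] = value
    return reg

def effective_disable_cmd(registry):
    """Most restrictive DisableCMD across HKCU and HKLM; None when unset.
    Assumption: cmd.exe honours either hive, and 1 outranks 2 outranks 0."""
    found = [registry.get(f"{h}\\{POLICY_KEY}", {}).get("DisableCMD") for h in HIVES]
    found = [v for v in found if v is not None]
    if not found:
        return None
    return 1 if 1 in found else 2 if 2 in found else 0

def read_live_registry():
    """Windows only: snapshot DisableCMD from both hives with winreg."""
    import winreg  # imported here so the module also loads on non-Windows
    snap = {}
    for h in HIVES:
        try:
            with winreg.OpenKey(getattr(winreg, h), POLICY_KEY) as k:
                snap[f"{h}\\{POLICY_KEY}"] = {"DisableCMD": winreg.QueryValueEx(k, "DisableCMD")[0]}
        except OSError:  # key or value absent: policy not set in this hive
            snap[f"{h}\\{POLICY_KEY}"] = {}
    return snap

def main():
    if sys.platform != "win32":
        print("Live checks need Windows; the pure functions still work here.")
        return
    print("ComSpec OK:", comspec_ok(os.environ.get("ComSpec")))
    live = read_live_registry()
    print("DisableCMD now:", cmd_policy_state(effective_disable_cmd(live)))
    fixed = apply_reg(live, parse_reg(SAMPLE_REG))
    print("After importing the .reg:", cmd_policy_state(effective_disable_cmd(fixed)))

if __name__ == "__main__":
    main()
```

The import is simulated on a copy of the snapshot rather than written back, so the script only reports; the actual change is still made with the swreg command from the post. A value of 2 is worth recognising separately because it explains a machine where the interactive prompt is refused yet RunThis.bat still starts.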

#3 deem2347

Posted 24 January 2008 - 07:18 PM

thank you...thank you!! Will let you know when I'm done.

#4 quietman7
Posted 25 January 2008 - 07:53 AM

Ok. Don't forget to post the report.

#5 deem2347

Posted 06 February 2008 - 07:07 PM

I am still not able to get on the system other than through SAFE mode. However, I do not get a desktop or START menu. The only way I can get into anything is with CNTL/ALT/DEL, TASK MANAGER/NEW TASK/BROWSE. However, when I try to open anything other than Internet Explorer, I get the error message

"Exception Processing Message c0000013 Parameters 75b6bf9c4 75b6bf9c 75b6bf9c".

I went ahead and downloaded PCFIX and followed your instructions. When the system rebooted, PCFIX ran for an hour, and when it rebooted I still have the Trojan. McAfee has it locked out, and me as well, even in SAFE MODE.

#6 deem2347

Posted 10 February 2008 - 04:33 PM

I have been searching through SAFE MODE and I stumbled onto something I think may be of importance in locating my root problem. However, as I’ve said before I am no expert, so have done nothing but “LOOK” and note what I’ve found. So here goes…

As previously noted I have no desktop access in SAFE MODE. I have to CNTL/ALT/DEL to TASK MANAGER\NEW TASK\BROWSE

Under BROWSE I found… “\SDFIX\regedit”, from there I found

“MyComputer\HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\Quarantine”

Details for this show…
first line: (default) REG_SZ
Second line: REG_SZ MoveFolder C:\Documentsandsettings\AllUsers\ApplicationData\McAfee\VitrusScan\Quatantine

Is this telling me that due to not being able to disable McAfee, PCFIX picked up the Trojan Quarantine that has me locked up? Also, in searching the registry I found REGCURE and ADAWARE. I right clicked on all, as directed, and had no option to disable or uninstall....only a standard submenu "Expand..New..Find...Delete..Rename..Export..Permissions..CopyKeyName"

I was unable to locate any report under PCFIX to send you after I ran it.

I have no START menu in SAFE MODE where I can uninstall or disable anything. If there is a way to do it through DOS it is out of my realm of expertise. Any help or advice will be greatly appreciated. I am to a point of just reformatting my whole system and starting over from scratch. Can this be done without removing the Trojan first?

Is there any way you could walk me through DOS to either uninstall/disable the virus software so I can try PCFIX again? And/or track and delete this monster through DOS using the file path given by McAfee's warning? "Filepath:C:windows\system32\ldcore.dll"

#7 deem2347

Posted 25 February 2008 - 06:39 PM

Hi, I will close this now. Finally gave up and got professional help. Thanks for your help.

#8 quietman7

Posted 26 February 2008 - 09:18 AM

Sorry, but I did not receive any email notification since you said thank you and your last post yesterday. There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different tools to do the job. Even then, with some types of malware infections, the task can be arduous.