• trojan horse backdoor

    #448880

    hi
    for last one week i am trying to remove trojan horse backdoor.agent.LTR ..it has infected this file … c:\windows\system32\drivers\fdwmayz.sys … i use AVG 7.5.516 version ..it has quarantined this file for me..but i can't repair it or heal it….if i delete the file then the file comes back again and avg quarantines it again… my firewall is Zonealarm 7.0.462 ..so i am stuck ..can anyone give some suggestions how to get rid of that trojan horse..i searched in google for it found 4 results 1 was in chinese and other 3 did not help much .

    • #1098974

      I would wait for more informed loungers than me to answer but….I seem to remember having trouble getting rid of a nastie and the solution was to clear all the restore points in windows restore and then run your anti virus again. What about the AVG forums? might be worth asking for advice there.

    • #1098976

      If you have SYSTEM RESTORE ACTIVE, I’d turn it off, remove the virus, and turn it back on later.

      • #1099056

        Since I sometimes comment on issues related to SR (here in the Lounge) I could maybe be seen as its advocate, but I have not used it so many times and see it as one of several layers of protection (in broad sense) in Windows XP. However one should know its do’s and don’ts.

        As Jefferson says (and puts it very well); if a file (or anything) keeps re-appearing something, yet not detected and removed, is responsible for putting it there. In this case it isn’t SR.

        It has been mentioned so many times on the web that you should disable SR in the process of cleaning out viruses and other malware, that it is almost on the standard list of tasks to do, but very few think about the consequences or why it should or shouldn’t be done during the cleaning process.

        The reason SR is mentioned, obviously (for those who know what SR is), is that if you don’t remove old restore points (RP) you could maybe get re-infected in the future when using SR to go back in time to an earlier RP. But until the time you choose to use SR, there is no risk to get re-infected (via SR).

        In a, sometimes, complicated cleaning process it is possible that something goes wrong and the situation is worse than when you started to clean the PC. Given this possibility, it is obvious why one should wait with purging old RP’s. You could then use SR in the cleaning process and go back to where you started. But when the PC is clean (confirmed by different types of programs) it is a good time to start fresh, by removing old RP’s (turn off and turn on SR, and maybe adjust settings; size & what drive to monitor).

        Then of course one has to have a little knowledge about what the AV reports as a virus etc. If at last in the process it only reports a virus in the RP area, purging the RP’s can be seen as the last step, since some AV programs have problems with working in that area.

        The recommendation to leave SR and its RP’s in place until the PC is clean has been mentioned by some, most known maybe MS-MVP Bert Kinney, who probably knows most about SR of any outside MSFT.

        He has a site about SR, which also mentions a little about virus and spyware removal programs: http://bertk.mvps.org/html/spyware.html The page also links to an IE community article by MS-MVP Sandi Hardmeier about getting rid of spyware.
        He also participates in the AUMHA FORUMS, which mentions the above about SR in a thread: Purging old System Restore points

        Jefferson and Bob have mentioned some good programs, since it could be needed to broaden the approach beyond AV programs.

    • #1098986

      i always keep windows system restore disabled..when i had installed win xp 6 months back..i had disabled system restore …i even disabled it from services back then …so i don’t have any restore point…i will look in the avg forums also

    • #1098987

      If a file keeps re-appearing, you should suspect that an undetected program keeps “dropping” the trojan after it is removed. Or, depending on how it spreads, a web site you visit regularly (or chat or P2P file sharing software) may be dropping the trojan. Try some other clean-up tools to detect and remove any malware. And shut down all nonessential programs that start up with Windows and Internet Explorer to try to arrive at a stable configuration where the trojan does not reappear.

      Trend Micro HouseCall – Free Online Virus and Spyware Scan

      AutoRuns for Windows 9.12

    • #1098990

      Another well thought of and recommended program is SPYBOT S&D

    • #1099038

      Hi, unfortunately I can’t offer help with the problem of removing the trojan but I strongly recommend getting some kind of disc imaging system. Eg Acronis True Image 8 may now be available free. Personally, I just don’t think it is worth the time and anxiety trying to remove a Trojan. Rootkits are so horrendous these days one can never be completely sure of having got rid of one. A better approach, in my opinion, is to install the operating system with programs from scratch and then make an image as a fail safe. I make a back-up image of my system every month. At the first sign of a problem I just go back to a known clean image. This approach does mean having a partition and putting your data on another drive. The images can be stored on the data partition – or for added security on a removable hard disc that is usually not connected to the system.

      Best wishes,

      Chris (Hunt)

    • #1099132

      ok ..i use spybot search and destroy also….i did a scan with it and found nothing…then i went to the free avg forums ….searched there for the trojan horse ..did not find it there..then i did a free online scan of my full system from http://housecall.trendmicro.com/ …it detected some windows updates i needed to do rest it did not find anything…as i mentioned earlier i don't use windows system restore ..and i had disabled the service from services.msc 6 months back and its off in my computer also from the beginning. Right now the trojan is quarantined by avg …i have a software called hijackthis …but i don't know how to use it .i use Process xp ..to see the process which are running all the time ..all of them looked the regular ones although i am not an expert in that . i have a 157 GB hdd …3 partitions… c ,d ,e …i have never made an image of the system ..but to make the image the system should be clean ..so if i could somehow get rid of the trojan ..then i could probably make the image also .

      • #1099150

        Get your HijackThis Tutorial do a scan & post your log in their forum. I’m afraid you will be needing their help with this thing.

      • #1099246

        The purpose of using AutoRuns is to determine the programs and services that start up with Windows and with IE. Because such programs might do their dirty work and quickly exit, you may not see them running in Process Explorer.
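
The kind of startup inventory the replies above recommend, as an added example that is not part of any poster's reply: a read-only PowerShell script that lists the Run/RunOnce registry entries and every registered kernel driver with the signature status of its file. It assumes a Windows system with PowerShell 3.0 or later and an elevated prompt; `$suspectName` is taken from the first post, and the choice of these two autostart classes is a narrowing made for the example.

```powershell
# Added example: read-only inventory of two autostart classes. Run elevated.
# $suspectName is the file named in the first post; change it for other cases.
$suspectName = 'fdwmayz.sys'

# 1. Programs launched at logon from the Run/RunOnce registry keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostarts = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $reg = Get-Item $key
        foreach ($name in $reg.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $reg.GetValue($name) }
        }
    }
}

# 2. Kernel drivers registered as services, with the signature status of each file.
$drivers = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', ''      # strip the NT "\??\" prefix
    $status = 'FileMissing'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $status = [string](Get-AuthenticodeSignature -LiteralPath $path).Status
    }
    [pscustomobject]@{
        Name = $_.Name; State = $_.State; StartMode = $_.StartMode
        Path = $path; Signature = $status
    }
}

$autostarts | Format-Table -AutoSize -Wrap

# Drivers worth a closer look: files that are not validly signed, or the named suspect.
$drivers |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Path -like "*$suspectName" } |
    Sort-Object Name |
    Format-Table -AutoSize -Wrap
```

A driver listed here is a candidate for review, not a verdict: legitimate drivers can be unsigned or catalog-signed in a way older PowerShell versions report as `NotSigned`. AutoRuns covers many more startup locations than these two.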
