
The Mudcat Café TM
https://mudcat.org/thread.cfm?threadid=120061
28 messages

Tech: My first virus with MS XP 'Trojan.KillAV

09 Apr 09 - 09:41 AM (#2607995)
Subject: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

In case anyone gets this problem and doesn't know the ropes with XP....

Norton told me Trojan.KillAV was in C:\WINDOWS\ppypon.bnd and could not be deleted by Norton. I rebooted and hit F8. Nothing happened. Could not get into DOS. I was ticked off. Tried a few more times, different ways.

Then, I went looking. All programs, accessories... there it was... C:\ Command Prompt. I deleted the file. It was not gone. Same thing next attempt.

Then, I deleted it twice in a row, and when I tried to delete it again... file not found... success!


09 Apr 09 - 09:57 AM (#2608005)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: number 6

thanks gnu!

How does one 'catch' this virus?

biLL


09 Apr 09 - 10:40 AM (#2608027)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

I have no idea. I turned my PC on for the second time yesterday and the Norton alert came up on my screen before the PC was fully booted. Seems kinda strange to me that Norton found it either during shut down or starting... I have no idea.


09 Apr 09 - 01:33 PM (#2608159)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: JohnInKansas

A common reason why a file cannot be deleted is that it is open when the delete is attempted. You can't delete an open file. Norton can attempt to stop the file, and then delete it; but if the "process" can't be terminated the file can't be deleted.

This suggests that sometimes Norton (or other AV programs) might set a notice to appear at reboot - before even Norton restarts - to inform you of the problem, and is why sometimes a "Safe Boot" or even a DOS Boot may be needed, so that the offending process doesn't start and the file isn't "open" and can be deleted.

Additionally, when you shut down the computer changes to the Registry are updated and archived in System Restore, so deleting the file in a Safe/DOS boot after shutting down may cause a system restore at the next normal boot to restore the malware, and a second (or third, or .... etc) Safe/DOS boot may be needed to delete it again. This can be an endless process if there have been a few restarts after the virus arrived, so you may have to turn off System Restore (which deletes all prior restore points), Safe Boot, delete, and then turn System Restore back on after the malware has been completely removed.

The "archive" of restore points where System Restore keeps prior Registry information is strongly protected (for recent Win versions) and probably even Norton can't penetrate it to delete a malware file that's saved there to prevent it from coming back at the next boot. (The message from Norton - a note left on the front door 'cause nobody was home - might have been because Norton had deleted it, but it was coming back via Restore.(?))

They don't tell mere mortals like those of us here a whole lot about how all these arcane processes really work, so the details may be a little ... ... (?).

John


09 Apr 09 - 01:52 PM (#2608168)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: JohnInKansas

Norton indicates that it should easily remove the virus "killAV" if definitions have been updated since October 2006, but there is a "trojan" form using the same name that may be more difficult, and definition files for it were updated fairly recently.

You might want to take a look at Trojan.killAV Removal to see whether there might be some Registry cleanup you need to do, in addition to just deleting the file.

The technical details suggest that this is spread by someone looking for, and finding, an open port on your computer through which they can download it without your participation. You might want to try Norton's "Security Scan" which will probe your computer to see how "visible" it is, and will tell you if you've got something hanging out, and what you could zip up to avoid exposing yourself.

John


09 Apr 09 - 01:58 PM (#2608174)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

JIK... what is "Safe Boot"?


09 Apr 09 - 02:06 PM (#2608181)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: number 6

"The technical details suggest that this is spread by someone looking for, and finding, an open port on your computer through which they can download it without your participation"

A firewall should prevent this (i.e. without your participation) ... shouldn't it?

biLL


09 Apr 09 - 02:19 PM (#2608190)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

If not, it should.


10 Apr 09 - 01:42 AM (#2608495)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: JohnInKansas

gnu -

The "standard procedure" varies with the computer, but on many of them if you hold down a key (usually Tab, Esc, F8, or F3, or F2, or ...) while the computer is cranking up, you'll get a DOS screen asking how you want to boot just before Windows starts.

You can generally choose "Safe Boot" which starts the computer but doesn't run the Startup folder, and omits starting many of the "services" that normally load during bootup.

There's usually also an option for "Safe with network connection" which may be handy some times. In some older OS versions you might have the option whether or not to connect Optical Drives (CD/DVD etc) which "back then" required loading software before you could read from them.

The same screen occasionally appears automatically if there was an error during computer shutdown.

You can also go into Control Panel (in some Win versions) or use a command line startup-config command (I'd have to look up the command) to tell it to boot "clean" in a number of configurations the next time it's started.

Norton gives the command line setup in the instructions for removal of many malware types where a "Safe Boot" is required; and using the command is the "cleanest" way with the most control over how the computer starts the next time; but it's been quite a while since I've looked at one of them.

A simple boot from a "DOS disk" usually gives you some ability to delete files, but may not let you do some other cleanups that may be needed, since some Windows functions have to be "started" before you can modify them.

John


10 Apr 09 - 05:26 AM (#2608544)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

JIK. Like I said in my first post, that is what I tried to do using F8... no go.


10 Apr 09 - 06:57 AM (#2608577)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: bobad

F8 doesn't work on my Win XP Home either.

Try this gnu:

START / RUN / type in "msconfig" / OK / click BOOT.INI tab / check /SAFEBOOT then reboot your computer, it will boot into safe mode.


10 Apr 09 - 07:25 AM (#2608586)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: JohnInKansas

msconfig is the command line thing I wasn't sure I remembered. Note that there are some settings you can change there that will make the computer continue to boot to safe mode until you go back and re-run msconfig and turn them back off.

Many computers will flash a message that says "Press XX to YY" just before Windows begins its startup. ("Press" means hold it down until something happens.) The key you need (XX) can vary from one computer to the next, and the message/terminology (YY) also varies some from one machine to the next.

There actually is (according to folk mythology) a "Windows standard key" for this, and Windows Help (search for "Safe Boot") might tell you what it is for your machine. An OEM builder can modify Windows, and if yours was good the Help file might have been edited to agree with any change made. Otherwise your last resort is probably to find the "Operators Manual" that came with the machine (or download one from the builder's website).

John
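What bobad's msconfig steps and John's warning about the setting sticking come down to is a switch on the entry lines in boot.ini. The following is an added Python example (not from the thread and not a Microsoft tool): it sets /SAFEBOOT on a constructed boot.ini, reports which entries carry it, and clears it again so the PC stops booting into Safe Mode once the cleanup is done. The file contents below are made up; the switch qualifiers are the ones Windows XP's loader accepts.

```python
import re

# Constructed sample in the shape of a Windows XP boot.ini; not taken from any real machine.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
"""

# NTLDR accepts /SAFEBOOT:MINIMAL, /SAFEBOOT:NETWORK, /SAFEBOOT:DSREPAIR and
# /SAFEBOOT:MINIMAL(ALTERNATESHELL); ticking /SAFEBOOT in msconfig writes the MINIMAL form.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::([a-z()]+))?", re.IGNORECASE)


def _rewrite_os_entries(boot_ini, edit):
    """Apply edit() to each entry line of [operating systems]; every other line is kept as-is."""
    out, in_section = [], False
    for line in boot_ini.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_section = s.lower() == "[operating systems]"
        elif in_section and "=" in s:
            line = edit(line.rstrip())
        out.append(line)
    return "\n".join(out) + "\n"


def set_safeboot(boot_ini, mode="MINIMAL"):
    """Force the next boot into Safe Mode (what the /SAFEBOOT checkbox does); replaces any old switch."""
    return _rewrite_os_entries(boot_ini, lambda l: SAFEBOOT_RE.sub("", l) + f" /SAFEBOOT:{mode}")


def clear_safeboot(boot_ini):
    """Remove /SAFEBOOT so the machine boots normally again after the cleanup."""
    return _rewrite_os_entries(boot_ini, lambda l: SAFEBOOT_RE.sub("", l))


def safeboot_modes(boot_ini):
    """Map each OS entry's description to its /SAFEBOOT mode, or None for a normal boot.
    Run this after cleanup: a forgotten /SAFEBOOT keeps the PC in Safe Mode on every restart."""
    modes = {}

    def record(line):
        desc = re.search(r'="([^"]*)"', line)
        name = desc.group(1) if desc else line.split("=", 1)[0]
        m = SAFEBOOT_RE.search(line)
        # A bare /SAFEBOOT without a qualifier is reported here as MINIMAL, the mode msconfig selects.
        modes[name] = None if not m else (m.group(1) or "MINIMAL").upper()
        return line  # inspect only; the entry is not changed

    _rewrite_os_entries(boot_ini, record)
    return modes
```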


10 Apr 09 - 08:46 AM (#2608619)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

All very good info.

Next time this happens, I won't reboot... I'll head straight for the DOS prompt under all programs, accessories.


10 Apr 09 - 12:20 PM (#2608723)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: JohnInKansas

The "DOS prompt" at Programs|Accessories may not do you a lot of good. It allows you to use command line functions, but it doesn't turn off Windows, and a file that's open and running in the "Windows Interface" still can't be deleted, even if you're using the "Command Interface" to try to do it.

You can use that window (it's actually called the "Command Window" since bronze became more popular than stone) to type msconfig, hit enter, and click on "Safe Boot" so that the next time your computer is restarted it will start without opening anything except "essential services" (i.e. in Safe Mode) where you're more likely to be able to delete something that Norton couldn't delete.

MSCONFIG has several tabs, and you can "configure" how the computer will start up at the next restart by "deselecting" individual things so that just those things are omitted during the next start.

My Vista Help file, searching for "Safe Boot," does - after poking around a bit - claim that F8 should work to get a Safe Boot, but says that a better search term is "Advanced Startup." This is because Vista designers believed in never using the same names for things as people have known for the last five decades, on the apparent theory that those are "old and scare people."

For the F8 (or whatever key your computer builder thought was better) to work, the key has to be pressed before the Windows Logo appears and must be held down until the Startup options screen appears. If you see a "Windows" logo, or "Windows is Starting," or "Starting Windows," you'll have to let it finish starting, then restart and try again.

John


10 Apr 09 - 05:45 PM (#2608903)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: Art Thieme

I just spotted this thread and only looked in because I have Multiple Sclerosis-------"MS"---and getting a "virus" when one has MS is a rather tough go. The virus symptoms are worse, and so are the MS symptoms. ------- But that's not what this thread turned out to be about.

And, once again, I thought Trojan was referring to a thing for birth control-------but no!

So-----Never mind!!!

Art


10 Apr 09 - 06:26 PM (#2608924)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

Jeepers creepers...I just posted this to tell people what I experienced and how I got it fixed. Whatever. It worked for me. It might work for others. If you benefit, great. If it totally fucked you around, whatever.

Good luck with whatever.


10 Apr 09 - 10:30 PM (#2609005)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: JohnInKansas

For sure gnu, it's always the "innocent guy"** that gets the shovel full dumped on him and ends up taking the blame.

** An aphorism so old that the story is told that when Art was a youngster and objected to being called (What do you call a folkie who doesn't have a girlfriend?) "Homeless" - - for a while his buddies called him "Blameless" 'cause he'd not likely ever be accused of bein' inno... ..

John


11 Apr 09 - 07:37 PM (#2609447)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: Art Thieme

shameless maybe.


12 Apr 09 - 02:07 PM (#2609757)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

Well, if you don't use a Trojan, a virus can result. Swelling, nausea... lasts nine months... and the after-effects never go away.


13 Apr 09 - 04:16 PM (#2610392)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

Gosh! My ISP, Rogers.com, just launched a new security suite... Norton is "gone". Installation included an initial scan. Found a virus and a whack of spyware Norton had no clue about. ??? Is it a sales pitch?


13 Apr 09 - 05:49 PM (#2610465)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: JohnInKansas

A recently reported "trend" is a very great increase in popup warnings that "your computer may be infected," offering a free scan that always finds vast amounts of infection, with an offer to let you purchase the full program to have it removed.

The "report" of vast amounts of infection is a lie. The "scan" usually installs malware. If you "subscribe" to get the phony "viruses" removed, you get a download of the full program which includes additional malware.

Distributors of this junk have been capitalizing on the paranoia about the Conficker worm that has been in the news recently. Since the only ones vulnerable to Conficker are those with unpatched Windows and without good AV protection, the assumption by the distributors that they are ignorant and vulnerable has been demonstrated to be correct.

The criteria used to remove or reject "malware" vary quite a lot between the various reputable AV providers. Norton ignores a lot of stuff that may be mildly annoying, but is quite reliable with respect to detecting, stopping and/or removing anything that is legitimately harmful. Anyone who chooses to niggle about the non-critical stuff can easily claim to report "stuff that Norton missed." That is just advertising blather.

An ISP can use any AV filters on their website, and the good ones don't tell you what they use, since this is just an aid to attackers. Your ISP may suggest a program you can use on your own computer, but should not be insisting that you use a particular one on your own machine.

A malware distributor can fake your ISP's page, and/or can "arrange" to have phony stuff posted on the real page.

Make your own evaluation of how and why your "Norton has disappeared;" but I'd be a bit doubtful about the intentions of who/whatever caused something like that.

John


14 Apr 09 - 05:26 PM (#2611249)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: McGrath of Harlow

"The "standard procedure" varies with the computer"

Which is a really really stupid way for people to build computers.


14 Apr 09 - 05:38 PM (#2611254)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

Oh crap. Norton used to do 1.03M files for virus and spyware in about 40 minutes. Rogers security does about 15% of that and takes over FIVE HOURS.

And... it reported I have a virus. Did not remove it as per instructions. Told me the name, but not the location. A search found no such file.

Just lovely!


14 Apr 09 - 06:58 PM (#2611305)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: JohnInKansas

A new Conficker variant has arrived.

It comes in a server version and a user version. (If your server is infected, the server infection could try to tell you your machine is infected.)

Both attempt to tell you that you have lots of virus infections, and need to buy their program to remove them. $49.95 (US).

(The program probably is "advanced malware" rather than an antivirus, although analysts are still working on it.)

gnu: My Norton used to take about 7 hours to do 270 GB of files full scan. With the new version of Norton, it runs in the background and is completely unseen, scans all the files on all my drives, including the mapped drives actually on the other three computers, finishes about 6 or 8 quick-scans and one full scan every week. Never interferes with what I'm doing, and only pops up a report (that I don't have to look at) if it finds and removes something.

Maybe you meant 1.03GB of files? I've got individual files that are larger than 40 MB, and more than 2 million files that get full scans weekly.

John


15 Apr 09 - 05:43 AM (#2611526)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

Slight error, but it was sommat like 1103000 files.

Just looked at the log in the virus dialogue box of the new suite for the heck of it. THAT said the virus named above is in a file with a different name. Searched that name... not found.

If I succeed, I will post how.


15 Apr 09 - 06:04 AM (#2611533)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

Maybe.... I did the same thing, but clicked "View Log as a Web Page". It had the complete path for the file. Went to DOS, changed directory to the location and deleted the file.

We'll see what happens next virus scan.


15 Apr 09 - 06:42 AM (#2611542)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: JohnInKansas

Hopefully your new suite isn't called "SpywareProtect2009"????

That's the (so far) scam program that the latest Conficker is pushing.

John


15 Apr 09 - 01:29 PM (#2611802)
Subject: RE: BS: My first virus with MS XP 'Trojan.KillAV
From: gnu

It's gone. And, the scan (not Spyware) of 134,000 files took 1h30m... perhaps the "initial" scan took so long because it was the initial scan.