
Trojan/adware info, cannot remove no matter what I try...assistance needed

bozack

Diamond Member
Ok here is the deal, my wife's dumbass brother lets his roommate use his computer all of the time, well something happened where this kid got the system infected with an AIM trojan/Adware issue, if someone looks at your profile they will see:

"HA HA HA HA I cannot believe I found %'s picture here"...

Well my wife was checking up on her brother, saw that in his profile, didn't know any better and clicked on the link..so now I have to deal with two PCs infected with this garbage....

I have removed almost everything from her pc with the exception of two issues that I just cannot resolve, seems as if there are two programs that keep loading one another and there is nothing I can do to make it stop....

First is commonname, I can find this one easy enough, disable it and remove it however whenever I do this it seems that winfavorites.exe is picked up and quarantined by Norton but when this happens commonname is automatically reinstalled thus the cycle....

I have run Ad-Aware, Spybot Search and Destroy, killed all processes, deleted files in DOS, safe mode...you name it..but it keeps coming back

I have tried looking for everything I can think of in the registry yet find nothing....

Hers is a Win98 machine and his is an XP but I haven't been able to even look at his since he is in DC.

Any thoughts on how to kill this thing would be appreciated, I am about ready to throw in the towel get her a new drive and load up XP and then blast this thing out of the water but I haven't been defeated by a virus/trojan yet and I am not yet ready to throw in the towel....

Also the commonname uninstaller is a joke, there is a strange bridge.dll running but I don't know what that is?

thanks again
 
Tell Norton to delete infected files, no questions asked. Quarantine is for sissies 😉 Make sure it's got the most-recent virus-definition files and have it do a no-holds-barred scan of the system, with heuristics enabled, kill on sight, scan within compressed files, etc.

I did look up Commonname at McAfee's site: McAfee/NAI info on this threat. They show a couple of Registry keys you might delete.

Beyond that, if you want to hunt for these files and their secret base manually, you might get clues by doing a Search for All Files / Folders that have been modified within the last day, since the files probably are being reinstalled from some sort of zip file. Make sure that "Show All Files" is enabled in My Computer > Tools > Folder Options and make all folders appear like that, or you aren't going to find hidden files.

If it were a WinXP or Win2000 system then I'd suggest finding the folder where it wants to live, and remove all Permissions to it so that nothing, not even Administrators or System, has permission to enter the folder. Sort of a "scorched-earth" policy :evil:

For that WinXP system, do make sure to disable System Restore and delete all the SR files, so WindowsXP can't helpfully restore the viruses after they're deleted.
 
Oh, and another thing: If you get WinXP, get WinXP Pro and set it up so that people's regular accounts are Restricted Users. Reserve the Administrator powers for yourself. This will prevent people from installing spyware, or almost anything else, either accidentally or intentionally. Same goes for Win2000 Pro. Make sure to use the NTFS file system.

I would also suggest getting the free ZoneAlarm firewall installed ASAP on your Win98 box. You can download it from here. If your Norton AV turns out to be expired and you can't get any recent virus-definition files for it, try Grisoft's free AVG software from here or pick up some new AV software of your choice.
 
I run a lean system and if it looks like a puzzle that I'm interested in I try. But really, nowadays it's not worth my time past a fresh install. I keep two Ghost images if I'm in a hurry. HD to HD is about 35 minutes after booting into Ghost.
 
With respect to a previous responder, the Quarantine option is there for a very useful purpose. It allows you to see the exact name and location of the offending file, plus it tells you what Norton AntiVirus calls it.

Go to their online Response section and look it up by name. Locate "Printable Version" (usually at the top of the report page), and select it and print out the entire report. THEN you can go into the Quarantine section and delete the file. The report will tell you about any other changes it makes to your system and give you information on how to manually remove it. Follow these instructions even if Norton reports that it has resolved the problem as it may be missing something. Pay particular attention to the section of the report that tells if you need to turn off System Restore (in WinME and above) as it can be stored in there and reinfect the system when you reboot.

The suggestion for a second hard drive to be used as a mirror is an excellent suggestion. BUT . . . it doesn't do you any good until you get the system cleaned of this virus and stabilized. I have my second hard drive mounted in a removable hard drive tray (they go for $15 to $30 at newegg.com), because this allows me to have it turned off under normal operation and only be switched on when I am running Drive Copy to make my mirror image or to copy it back to the primary hard drive in a recovery situation.
 
Originally posted by: Swampster
With respect to a previous responder, the Quarantine option is there for a very useful purpose. It allows you to see the exact name and location of the offending file, plus it tells you what Norton AntiVirus calls it.
I manage about 80 PCs that run McAfee VirusScan Enterprise. If I want to know what files VirusScan found infected, I just view VirusScan's log file. 😀 Norton has a log file too, unless I'm mistaken. But I see your point about being able to interrogate the prisoners before execution 😉
 
Yes, you can look at the Activity.log in the Norton SystemWorks folder and get the same information, but it tends to be in a format that only us IT guys could love <G>. Besides, it gives you everything it has ever found, which means you can waste a lot of time checking things that were successfully corrected when what you need to concentrate on is the current one. If you still have symptoms after that, THEN I go to the log and work from the bottom up.
 
Hey thanks all, I actually just ended up buying her a new 80 gig drive and installing WinXP...now she is happier with the performance.
 