WinVNC on my mom's computer! = deloder worm (trojan) = Worm.Dvldr / WORM_DELODER.A

duuuma

Senior member
I just started getting popup property settings for WinVNC. This computer hasn't been touched in weeks and I've never dl'd WinVNC on here (I'm not even that familiar with it).

It doesn't show up on the uninstall programs list either, so did someone leave me an unwelcomed present (trojan) on my computer? :|
 
Most likely someone is hacking and put it there. Run a virus scan in safe mode; I think you should log onto the ADMIN account also.
 
VNC doesn't use an install routine, that's why it's not on the uninstall list. Just find the directory and delete it, and check the startup folder for the shortcut, as well as the "run" and "runonce" settings in the registry, and run= and load= in win.ini.

Then do a virus scan. The only way for it to appear is if it was downloaded, which would require physical access to the machine (or a backdoor virus/trojan, in which case VNC wouldn't be needed).
 
Lord - Thanks for the tip. I found the standalone file hiding in c://winnt/fonts and I deleted it. Then I ran Trend's HouseCall and detected nothing.

I wonder who in the heck could've put it there? This computer is rarely used and is on a 56k modem.
 
Actually, VNC does use an install routine IF you run it from the actual setup.exe.
You can install it as a service the old-fashioned way, which will not give you an object in ADD/REMOVE programs.
 
I thought I deleted the file (named explorer.exe, but icon clearly says VNC), but upon restarting, it's back again! HouseCall didn't pick up anything and I tried SwatIt by Lockdown Corp. (found off of a link from a securityfocus thread) and still nothing was found.

I might just format this drive since there's nothing on here...unless someone else can shed light here.
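An added example, not part of any post in this thread: a Python check over the autostart locations named above (Run/RunOnce values and win.ini run=/load=) that flags the pattern reported here, an executable in the Fonts directory or a well-known Windows binary name outside its normal folder. The sample registry and win.ini text is constructed, the C:\WINNT system root and the rundll32.exe entry are assumptions that extend the thread's explorer.exe case, and all function names are hypothetical.

```python
import ntpath
import re

SYSTEM_ROOT = r"c:\winnt"  # assumption: the system root named in the thread
EXPECTED_DIR = {"explorer.exe": SYSTEM_ROOT, "rundll32.exe": SYSTEM_ROOT + r"\system32"}
# Constructed sample input, not taken from the thread.
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TrayApp    REG_SZ    "C:\Program Files\Example App\tray.exe" /min
    Explorer    REG_SZ    C:\WINNT\Fonts\explorer.exe
"""
SAMPLE_INI = r"""[windows]
load=
run=C:\WINNT\Fonts\rundll32.exe
"""

def image_path(command):
    """Return the executable path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def autostart_entries(reg_text, ini_text):
    """Yield (source, command) from `reg query` text and win.ini run=/load= lines."""
    key = None
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+)", line)
        if line.startswith("HKEY_"):
            key = line.strip()
        elif m and key:
            yield key + "\\" + m.group(1), m.group(2)
    for line in ini_text.splitlines():
        name, _, value = line.partition("=")
        if name.strip().lower() in ("run", "load") and value.strip():
            yield "win.ini " + name.strip().lower() + "=", value

def suspicious(command):
    """Reasons an autostart target looks like a masquerading binary."""
    folder, name = ntpath.split(ntpath.normpath(image_path(command).lower()))
    reasons = []
    if folder.endswith("\\fonts"):
        reasons.append("executable stored in a Fonts directory")
    if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
        reasons.append(name + " outside " + EXPECTED_DIR[name])
    return reasons

def audit(reg_text, ini_text):
    return [(src, image_path(cmd), suspicious(cmd))
            for src, cmd in autostart_entries(reg_text, ini_text) if suspicious(cmd)]
```

Calling `audit(SAMPLE_REG, SAMPLE_INI)` returns one tuple per flagged entry: where it was registered, the executable path, and the reasons it was flagged.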
 
Originally posted by: duuuma
Lord - Thanks for the tip. I found the standalone file hiding in c://winnt/fonts and I deleted it. Then I ran Trend's HouseCall and detected nothing.

I wonder who in the heck could've put it there? This computer is rarely used and is on a 56k modem.

I ran into this same problem! I posted a thread here about it.


http://forums.anandtech.com/messageview.cfm?catid=34&threadid=995035

I had VNC in the fonts folder as well, and yes, deleting it there still didn't help.

Try some of these trojan scanners.

http://www.agnitum.com/products/tauscan/

Good luck

http://www.anti-trojan.net/

EDIT: yes, I ended up reformatting that box
 
Oh great... well, I guess if those trojan removers don't work, I'll be formatting my mom's computer... thanks all. I wonder how it got here in the first place?
 
Well, I found this whitepaper that tells you how to manually remove the components of this worm. It takes a few searches, but I found every file the worm's supposed to unload and deleted them.

Thanks Lord for all the info. Forum msgs from the zdnet article led me to this site eventually.

I believe WinVNC was trying to open up my computer by requesting me to set its properties (every time Windows loaded). I guess it was actually hiding in the systray. However, dvldr32.exe was never running on my computer, though it was sitting in the location the whitepaper expected it to. I deleted all the files and hopefully it'll save me the trouble of formatting.

I couldn't figure out why this happened to me b/c this computer has a strong password. Then I realized that even though the pw'd log-in is my mom's name, the Administrator account still existed with NO PASSWORD. doh....
