Problems Removing Trojan.pws.onlinegames
Hi
I've just installed Bitdefender Antivirus plus v10 - build 247
It has detected a virus called trojan.pws.onlinegames on both my c: drive and my usb drive.
It says it cannot delete the file (autorun.inf?) but it has blocked it.
This isn't really what I need as I will be using the usb drive at uni, etc.
I have done a deep scan and it moves it rather than deleting...but it appears to be self propagating so appears again.
I have done an aggressive scan in safe mode and it deletes it from my C drive but not my USB...it then reappears on my C drive.
I've tried deleting autorun.inf manually but it won't let me
Has anyone any idea how to remove this from both my drives?
Thanks in anticipation
Mike
Comments
-
Usually these worms have two components: an executable and an autorun.inf file (the second file launches the first when a given drive is inserted / accessed). Probably we detect only one of the two components. What you should do is to (temporarily!) disable the real-time protection, open the autorun.inf file (by launching notepad.exe, going to file->open and typing in the full file name including the path - for example "C:\autorun.inf"). In the autorun.inf file you should see the name of an executable. Please upload the given executable to the forum so that we can take a look at it / add detection for it.
PS. You should see something like this when you open autorun.inf:
[autorun]
open=evilfile.exe
....
In this case you should upload (attach to a post) evilfile.exe.
-
Hi Cd-MaN
Thanks for your assistance. This is really frustrating!
The autorun.inf file contains:
[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdelect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdelect.com
This forum doesn't let me upload the file. I also tried first renaming it to a .DAT file, then zipped it using WinRAR to a passworded .ZIP file, but still received the message: 'Upload failed. You are not permitted to upload this type of file'
Please advise
Mike
Hi l1velife,
Put the file in a zip file protected by the password infected, then attach the zip file to your next post. It has to work this way, because you're not the first one who tries.
Cris.
-
Hi Cris
I tried to put the file in a zip file protected by the password 'infected', and attach the zip file to a post but it wouldn't let me. I eventually emailed it to CD-Man to pass to the lab.
CD-Man has been trying to help me but we have had no success and he now suggests that I reinstall.
As I understand it the virus is of the 'kavo' type - a worm and a trojan?
Basically it consists of at least 2 components:
1. An 'ntdelect.com' file that contains a password stealing virus.
2. An 'autorun.inf' file that recreates the 'ntdelect.com' file if ever it is deleted.
The virus messes with the registry to ensure that the files are hidden.
They cannot be deleted in safe mode with the most aggressive options of BDC.
BitDefender deletes the 'ntdelect.com' file in safe mode but not the 'autorun.inf' file so it just gets created again. Bitdefender also detects other viruses such as 'kavo.exe' but labels them 'suspected' rather than 'infected' - this means that you do not get the chance to delete them!
'Kavo', 'autorun.inf', and 'ntdelect' are not found via regedit.
Ironically McAfee detects and deletes the 'autorun.inf' but not the 'ntdelect.com'.
I am about to uninstall BitDefender, take out a 30 day free trial of McAfee and use it to delete the 'autorun.inf' file...then reinstall BitDefender and hopefully it will delete the rest of the virus.
Hope that helps
Mike
-
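The two-component mechanism Cd-MaN describes (autorun.inf naming the executable to launch) and the autorun.inf Mike pasted earlier in the thread can be triaged mechanically. The following is an added example, not code from the forum or from BitDefender: it parses an autorun.inf the way an analyst would, listing every key that makes Windows run something and the file names those keys reference, so the right companion file can be collected for analysis. The sample contents are copied from the thread; everything else is the example's own.

```python
import re

# Constructed sample: the autorun.inf contents quoted by the poster above.
SAMPLE_AUTORUN = r"""[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdelect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdelect.com
"""

# Keys that make Windows run something: 'open'/'shellexecute' fire on
# AutoPlay/double-click, 'shell\<verb>\command' hangs a command on a
# context-menu verb ("Open", "Explore"), so the payload also runs when the
# user right-clicks the drive instead of double-clicking it.
LAUNCH_KEY = re.compile(
    r"^(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.I)


def launch_hooks(text):
    """Return (key, command) pairs from the [autorun] section.

    A strict INI parser (configparser) is avoided on purpose: autorun.inf
    files dropped by worms are often malformed (odd casing, duplicate keys,
    no trailing newline), so the lines are scanned by hand instead.
    """
    hooks = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or commented-out line
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        m = LAUNCH_KEY.match(line)
        if in_autorun and m:
            hooks.append((m.group(1).lower(), m.group(2)))
    return hooks


def referenced_executables(text):
    """Files an analyst should pull off the drive alongside autorun.inf."""
    return {cmd.split()[0].strip('"').lower() for _, cmd in launch_hooks(text)}


if __name__ == "__main__":
    for key, cmd in launch_hooks(SAMPLE_AUTORUN):
        print(f"{key:<24} -> {cmd}")
    print("collect for analysis:", sorted(referenced_executables(SAMPLE_AUTORUN)))
```

Run against the sample it reports three launch hooks all pointing at ntdelect.com, which is why deleting autorun.inf alone (as McAfee did in the thread) leaves the actual payload in place, and why the payload file is the one the lab needs.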
Have you also tried this solution: http://forum.bitdefender.com/index.php?showtopic=1054 ?
It has to work, because it doesn't require starting Windows, so the files are not used by anything (and are unlocked)
Cris.
-
Hi Cris. I think BitDefender has not completely detected this malware. I sent this malware to you, here:
http://forum.bitdefender.com/index.php?showtopic=2271
BitDefender only detects it on a computer that is not infected. On a computer infected with this malware, I see that BitDefender doesn't show any alert when I copy the 2 files kavo0.dll and kavo.exe from Windows/system32 to another dir. BitDefender also doesn't alert on the file ntdelect.com in the partitions. BitDefender only detects the file autorun.inf and alerts that it is Trojan.pws.onlinegames, while this malware is Autorun.CD by the Bit Labs naming convention
-
Hi Cris
Yes, I tried that but it returned a 'file not found' message on a DEL command (even though I knew it was there because it would let me rename a file to 'autorun.inf')
Mike