Finding The Culprit?

fartzalot
edited July 2007 in Malware talk

Ok, my friend uses AVG Pro; I personally use BitDefender. Anyway, he was having problems with large numbers of trojan.danmec.??? appearing on his system. AVG Pro found large numbers but of course was not clearing up the source. As his most knowledgeable friend, he asked me to help. I thought another AV might find the source, so I used the BitDefender online scan on his system; we found 30 instances of various objects. But after the scan we ran AVG Pro again and found 78 trojan.danmec.??? again. So we totally nuked his system, as I did not know how to track down the source of the recurring infection. His system is now clean. But I'm just wondering how I would go about tracking down the source, because nuking a system is dodgy: we have to remember where all his data is stored, and if we miss some it's gone forever. I personally lost lots of data in several similar incidents when I was naive on the net. I rarely get a virus these days, and can clean up fast. I also know where all my data is, as I finally decided to standardise where I keep my data; I convinced my friend to do the same, so going forward he faces a little less risk.


This is not just a selfish request, as if I could find the source I could submit it so BitDefender can find it and its brothers. I would like to give back to BitDefender, as it has rid me of many virii over the years.

Comments

  • Hello fartzalot


    Where did AVG Pro find trojan.danmec? Sometimes it could be that AVG detects the files that BitDefender has quarantined on the hard disc.


    It could be that the trojan is located in System Restore: go to Start, My Computer, right-click on My Computer, choose Properties, System Restore, check "Disable System Restore on all stations" and confirm by pressing Apply and OK. After that, uncheck it again. You should also always take a look at the following locations: go to Start, Run, and at the Run dialog box type msconfig; go to the last tab (Boot/Startup) and check for any suspicious entries. To check them, use this website: http://castlecops.com/StartupList.html If you see an N or X, then it's unknown or malware. The other locations are: Start, All Programs, Startup, and in the registry: Start, Run, at the Run dialog box type regedit, press Enter, and open the following keys and folders: HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, Windows, CurrentVersion, Run. On the right side you will find all items that start together with Windows. Just delete the ab-icons. That way you will prevent the infection from starting.


    Regards


    Niels
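A script that walks the autostart locations Niels lists (the Run keys and the Startup folders) and reports each entry with its resolved executable and Authenticode signature status, added here as an example and not something posted in this thread; it assumes Windows PowerShell 5.1 or later, and the signature check is an addition of mine rather than a step from the post:

```powershell
# Added example (not from the thread): list the Windows autostart locations
# Niels describes (Run keys and Startup folders), resolve each entry to its
# executable and report its Authenticode signature status.
# Assumes Windows PowerShell 5.1+; Get-AuthenticodeSignature is built in.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # Start, All Programs, Startup (this user)
    [Environment]::GetFolderPath('CommonStartup')   # the same folder for all users
)

# Extract the executable from a command line such as
#   "C:\Program Files\App\app.exe" /silent   or   C:\tools\x.exe -flag
function Get-ExePath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-AutostartReport {
    $items = @(foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item -Path $key
        foreach ($name in $reg.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Command = [string]$reg.GetValue($name) }
        }
    })
    $items += @(foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File) {
            [pscustomobject]@{ Location = $dir; Name = $f.Name; Command = $f.FullName }
        }
    })
    foreach ($i in $items) {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $i.Command))
        $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
        # Unsigned or missing binaries, especially under %APPDATA% or %TEMP%,
        # are the entries to look at first; signed vendor files are usually legitimate.
        [pscustomobject]@{ Location = $i.Location; Name = $i.Name; Exe = $exe; Signature = $sig }
    }
}

Get-AutostartReport | Sort-Object Signature, Location | Format-Table -AutoSize
```

Shortcuts (.lnk) in the Startup folders show as NotSigned because the check runs on the shortcut, not its target, so resolve those by hand before judging them.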

  • Thanks Niels,


    I knew about sys restore and the vault and was reassuring my friend over repeatedly finding files in those places.


    They were popping up in open space, so they were a legit worry. It was like one of those browser hijacks that have multiple restore systems, so killing it was just not possible running an antivirus.


    But I will try to remember to shut them down via msconfig, regedit.

  • Hello fartzalot


    I just wanted to give you the locations where malware hides itself, because I didn't know how knowledgeable you were. For some hijacks and other malware you have to use HijackThis (you should be very careful, because legit items are also displayed, since HijackThis logs everything that differs from a normal OS installation) in conjunction with specific removal tools. SuperAntiSpyware is also very good at removing difficult malware. There is a free version available which you can download here: http://downloads2.superantispyware.com/dow...AntiSpyware.exe The best thing is to update it first in normal mode; after that, boot your PC into safe mode and perform a complete scan. Glad that I could assist you.


    Regards


    Niels

  • Hello.


    I posted a short tutorial on how to find the process which drops / executes a piece of malware. Hopefully you find it useful.