Virus Removal proving unsuccessful...

Discussion in 'Windows & Other OS Discussion & Support' started by Data1232, Feb 27, 2005.

  1. Data1232

    Data1232 New Member

    Joined:
    Jul 8, 2002
    Messages:
    180
    Likes Received:
    0
    Trophy Points:
    0
    Hi guys,

    I formatted the other day and made the mistake of not dumping my virus software on my computer before I went online to grab drivers, and have ended up with a nasty trojan that's called PWSteal.LDPinch. When I got Norton Systemworks 2003 on, I was told that it could remove it, but after 3 system scans it's only been able to identify it and says that it can't do anything further. I don't have any other antivirus programs, and I've tried the online version of Trend MicroVirus, and Panda AntiVirus, but those pulled up nothing. Currently there is an MS-DOS executable file sitting in my Documents and Settings folder under my account name titled "crss.exe." I have administrator privileges, but I can't delete the file, and Norton is picking that file up as the source of the problem. If I boot into Safe Mode, I get two files both titled "crss.exe" but now there is an MS-DOS shortcut icon as well. I have also searched for the registry entries that the Symantec case file cites but I haven't seen any of the entries that it discusses in my registry. If anyone's had any experience or any tips on removing this nasty bug I would greatly appreciate it.
     
  2. Tipstaff

    Tipstaff Well-Known Member

    Joined:
    Jul 22, 2002
    Messages:
    9,770
    Likes Received:
    1,445
    Trophy Points:
    123
    First, to Symantec.. you guys need to get things together. Bad instructions.

    Now, Data, it looks like you got infected by a damn password stealer, so here's what you do: Check out THIS SITE, and THIS SITE. The second site tells you how you got the trojan/virus, the 1st tells you in MORE detail about what files it's made, and where.

    Before you do any cleaning though make sure you disable all unnecessary apps that startup. First, disconnect your ethernet cable. Then, click Start, Run, and type in msconfig.exe. On the far right you will see a tab called "Startup". Click it. Go through the list, and disable everything that looks suspicious. Things to leave would be your AV software, ati software, ctfmon and updreg if they are listed too (they are both legit Windows proggies). Reboot, do whatever needs to be done cleaning-wise, and reboot. Double check things, and rerun the AV scan. Make sure to delete files like this too: %Windir%\sysw.dll, %Windir%\csrss.exe, %Windir%\system.exe, %Windir%\var.txt.exe, and %Windir%\upss.exe.

    Now what I'm about to say may piss you off: If you cannot get this puppy cleaned in a day... screw it! Seriously, you may not completely get rid of it, and in fact it may come back as soon as you get back on the net. It sounds like you just reinstalled your system too, but believe me, it may just be better to reformat, and start again.

    Hope that helps.

    - Tip
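As an added example that is not part of this thread: a read-only PowerShell check that reports whether the file paths named in Tipstaff's post (and the "crss.exe" from the first post) are present, with size and SHA-256 so the findings can be compared against the Symantec write-up, and then lists the Run/RunOnce autostart entries that msconfig's Startup tab reads. It assumes a modern PowerShell (Get-FileHash needs 4.0 or later); the legitimate csrss.exe lives in System32, which is why a copy directly under %Windir% or in a user profile is flagged.

```powershell
# Added example, not from the thread. Read-only: nothing is deleted or changed.
$windir = $env:WINDIR

# File paths named in the posts above (the list is the thread's, adjust as needed).
$suspectFiles = @(
    "$windir\sysw.dll",
    "$windir\csrss.exe",          # the real csrss.exe lives in $windir\System32, not here
    "$windir\system.exe",
    "$windir\var.txt.exe",
    "$windir\upss.exe",
    "$env:USERPROFILE\crss.exe"   # misspelt name reported in the first post
)

Write-Host "== Files named in the thread =="
foreach ($path in $suspectFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Host ("PRESENT  {0}  {1} bytes  sha256={2}" -f $path, $item.Length, $hash)
    } else {
        Write-Host ("absent   {0}" -f $path)
    }
}

# Autostart locations shown on msconfig's Startup tab.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "`n== Autostart entries (review before disabling anything) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $flag = ''
        # Flag commands that run from %Windir% itself (not System32) or from the
        # user profile, the two locations the samples in this thread used.
        $inWindirRoot = ($p.Value -match [regex]::Escape($windir)) -and ($p.Value -notmatch 'System32')
        $inProfile    = $p.Value -match [regex]::Escape($env:USERPROFILE)
        if ($inWindirRoot -or $inProfile) { $flag = '  <-- check' }
        Write-Host ("{0}\{1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag)
    }
}
```

Run it from an elevated prompt so the HKLM keys and %Windir% are readable; a file that is present but cannot be hashed (sharing violation) is itself worth noting, since that matches the "can't delete it" symptom in the first post.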
     
  3. Data1232

    Data1232 New Member

    Joined:
    Jul 8, 2002
    Messages:
    180
    Likes Received:
    0
    Trophy Points:
    0
    Well, thanks for the help, but I had to resort to the format in order to get rid of it, as it just wouldn't come out. Definitely going to make sure the antivirus is up before I open a browser.
     
  4. Tipstaff

    Tipstaff Well-Known Member

    Joined:
    Jul 22, 2002
    Messages:
    9,770
    Likes Received:
    1,445
    Trophy Points:
    123
    Actually, just follow this simple rule: foreplay (install), condom (protection), real fun (um.. inser.. ok.. that's rude)... Same rules apply though ;).

    What I usually do is disconnect any ethernet cable before I install. After installation I install the drivers that are critical (chipset, ide, sound, video, ethernet), then install the AV software, plus any protection I need (firewall, spyware blockers, manually download MS patches). Then I reconnect the ethernet, and do the rest. Even if you don't open a browser XP tries to talk on the net right from bootup. If you're using a router or cable modem, well, then your PC is on the net. Already XP will have gotten listings of updates to install, and if you're on a network that is infected.. say hi to your little friend again. At least this way your AV software, even in its basic form, can give you some protection while you do the rest of the updates.

    Hope you get things back up and running Data.

    - Tip
     
  5. Matth

    Matth Flash Banner Hater

    Joined:
    Jun 22, 2002
    Messages:
    3,560
    Likes Received:
    49
    Trophy Points:
    58
    If you have broadband, use a NAT router, even if you have only one machine!

    Most routers will serve very well as an "incoming firewall", stopping all the incoming port compromise attempts - in fact, it's about as good as the Windows firewall, but without the inherent vulnerabilities of Windows.

    You should still use a good firewall for application control, and a good antivirus, and most importantly, a dose of caution with email and websites.
     