#1 |
|
Member (3 bit)
Join Date: Dec 2004
Posts: 5
|
Can't run NAV in Safe Mode
Ran a free scan on BitDefender & it found Trojan.Dropper. Went to Symantec & found removal instructions for XP but NAV won't run in safe mode. Any ideas on what's going wrong???
#2 |
|
Lest we forget
Join Date: Jun 2003
Location: Ontario, Canada
Posts: 1,870
|
Do you mean the resident scanner won't start or you can't open the program at all? When you boot in safe mode nothing runs on startup.
__________________
redqueen: Antec Sonata, Pentium-D 2.5GHz, MSI G31M3-L, 2GB ram, 320 GB HDD, OpenBSD
hal9000: Lenovo T61, 2GB ram, 120 GB HDD, FreeBSD
#3 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
Trojan.dropper is a very generic thing. You need to do a scan with something that can ID it better than that. Update your NAV definitions and scan in normal mode.
#4 |
|
Member (3 bit)
Join Date: Dec 2004
Posts: 5
|
ghost2003 & glc
Here is a link to the procedure I tried from Symantec - neither NAV nor NIS would start in safe mode with system restore disabled. BTW, I am running WinXP Home upgraded from WinME and Symantec NIS 2005 as my AV program.
http://securityresponse.symantec.com...n.dropper.html
Here is the result of the BitDefender scan - forgot to say that I re-scanned at Trend Micro after BitDefender and the Trend scan showed clean.
BitDefender Scan Results
C:\command.exe=>(PECompact 2.38): infected with Trojan.Dropper.Delf.EV
C:\command.exe=>(PECompact 2.38): disinfection failed
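An added example, not part of the original post: a small triage of scan output in the `path=>layer=>member: status` format shown in this thread, separating real detections from items the scanner merely could not unpack. The sample entries are constructed in that format, and the one-entry-per-line layout and the function names are assumptions.

```python
from collections import Counter

# Constructed sample in the thread's result format, one entry per line (assumed layout).
SAMPLE = r"""
C:\WINDOWS\OPTIONS\CABS\EPSON\STC777\EB5ST000.DA_=>(MS-Compress 5)=>(CAB Sfx o)=>\EBAPISET.dll: bad crc
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow2.bmp: password protected
C:\command.exe=>(PECompact 2.38): infected with Trojan.Dropper.Delf.EV
C:\command.exe=>(PECompact 2.38): disinfection failed
"""

# Statuses that mean "could not be unpacked or read", not "malicious".
UNSCANNED = {"bad crc", "password protected"}
INFECTED_PREFIX = "infected with "


def parse_entry(line):
    """Split one entry into (outer_file, unpack_layers, status), or None."""
    # The status follows the LAST ': '; the drive letter's ':' has no space after it.
    target, sep, status = line.strip().rpartition(": ")
    if not sep:
        return None
    outer, *layers = target.split("=>")
    return outer, layers, status


def triage(text):
    """Return (detections, failed_cleanups, unscanned_counts) for a scan log."""
    detections = {}        # outer file -> threat name reported by the scanner
    failed = set()         # outer files the scanner could not disinfect
    unscanned = Counter()  # (outer file, reason) -> number of members skipped
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        outer, _layers, status = entry
        if status.startswith(INFECTED_PREFIX):
            detections[outer] = status[len(INFECTED_PREFIX):]
        elif status == "disinfection failed":
            failed.add(outer)
        elif status in UNSCANNED:
            unscanned[(outer, status)] += 1
    return detections, failed, unscanned


if __name__ == "__main__":
    found, failed, skipped = triage(SAMPLE)
    for path, threat in found.items():
        note = " (disinfection failed, remove manually)" if path in failed else ""
        print(f"DETECTION {path}: {threat}{note}")
    print(f"{sum(skipped.values())} archive members skipped as unreadable")
```

Files that appear in both the detection and failed-cleanup sets are the ones that still need manual handling.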
#5 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
Did you scan with Norton in normal mode as I suggested?
I bet it will be ID'd as this: http://securityresponse.symantec.com....qqpass.e.html
Norton can fix this without using safe mode, but it will require some registry editing.
It may also be this one: http://www.trendmicro.com/vinfo/viru...UDDY.E&VSect=T
#6 |
|
Member (3 bit)
Join Date: Dec 2004
Posts: 5
|
I downloaded current virus defs from Symantec via Intelligent Updater and applied them. Ran scan in normal mode & it found this and I manually deleted it.
Category: Threat alerts
12/12/2004 1:23:27 PM,Virus scanner,Download.Adware,Manually deleted,File,N/A,N/A,200412120008,11.0.2.4,Gateway User,COMPUTER,"Threat category: AdwareSource: C:\command.exe,Description: The file C:\command.exe is a Adware threat."
I re-scanned with BitDefender & it showed clean - I'm confused though as to why BD said it was Trojan.Dropper & NAV found Download.Adware. Am re-scanning with NAV right now & will post results. Sent Symantec a description of the error I listed about not being able to start or scan in safe mode - should have a reply in about 5 days.
Last edited by Sonoma Dave; 12-12-2004 at 08:15 PM.
#7 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
Different antivirus vendors have different names for the same thing - and a particular file (command.EXE is NOT a legitimate Windows file) can be carried by a multitude of different viruses/trojans/spywares. You did right by just deleting it.
Post a HijackThis log - you may not be done yet, there may still be some stuff hanging around your registry Run keys that has to be removed.