War of the Trojans

Discussion in 'Blogs' started by andrew jenery, Apr 6, 2011.

  1. andrew jenery

    andrew jenery from Entropia Star

    Trojans, which open doors for viruses and other malware, have been on the increase over recent months, and a few days ago I was hit by a fairly bad one when attempting to watch a clip on YouTube.
    Within seconds of the MSSE 'warning' flashing up on the screen saying that malicious files had been detected, I knew that it was bogus; that it wasn't a genuine MSSE warning, mainly because of the fairly obvious spelling mistakes and the way in which the message was worded. I didn't do anything that you shouldn't do, such as, and most importantly, clicking on the x-box to close it down. I knew from past experience that doing this would have generated 'please use our free spyware/virus detection software' messages, that in turn would have generated 'please buy our spyware/virus removal software' pop-ups ad infinitum.
    Instead, I ran Task Manager and looked at 'processes' and instantly noticed the offending file that shouldn't have been there, called pya.exe, and attempted to close it down that way, which is what many technicians recommend doing. This simply generated three or four more of them, and on closing them down, they would simply reduplicate themselves again - catch-22! Next I used the Windows XP Search tool to locate the folder that this pya.exe (pya is of course an anagram of 'pay' ha,ha!) was in and managed to delete it from the Windows 'system32' folder, only to find out that this hadn't helped - the process was still running and taking over one system function after another. The display properties; the control panel; Windows Explorer, even IE wouldn't run... So I checked system32 again, and the same folder was still there. In the end I tried the only other thing I could think of, which was to reinstall Windows XP, except that whenever I loaded the CD-ROM into the drive and attempted to perform the reinstallation, pya.exe would pop up again and so prevent me from seeing anything and from doing anything.
    So, of course I had to stop using my main modus operandi, after of course backing up all data and software onto a USB backup drive. Not all is lost though, as I had a replacement system that I could transfer the data, etc, to, but the main deficit is that I can't play EU with this one as the gfx card isn't up to it - but I can do everything else, so that's something...
    My main issue now is how to either reinstall Windows or to somehow get MSSE to run so that it could maybe detect this pya.exe and remove it.
    I'm thinking of booting into safe mode via F8 on startup, but not sure if this would help... Whatever, I'm sure that I'll have the machine fixed in a few days...
     
  2. andrew jenery

    andrew jenery from Entropia Star

    Thanks Lykke; I found out about Microsoft Answers (a help forum) via Google, and basically there was a choice of either a clean-install of Windows, or to try something like the following to get rid of the virus.

    Start your PC in safe mode (and do all the following in safe mode, unless told to start in normal mode), search your HDD for pya.exe and delete all the instances. Open the registry (Start -> Run & type -> regedit -> OK), search for this file and delete all. Now navigate to:
    HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run.
    Select Run -> right click and click Export -> any name and save on desktop.
    Delete all unwanted entries from Run.
    Check under RunOnce for any entries -> delete all.
    Check under RunOnceEx for any entries -> delete all.

    Now come to
    HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Run.
    Right click and Export -> any name and save on desktop.
    The only required entry is ctfmon.exe. You can delete all the others.
    Check under RunOnce for any entries -> delete all.

    Delete all temp files under C:\windows\temp.
    Clear your internet cache.
    Download MSSE from another PC (don't use this PC to open Internet Explorer now).
    Delete temp files under C:\Documents and Settings\<Your Login name>\Local Settings, and also delete the temporary internet folder from here.

    Now boot your PC normally, install MSSE, update definitions.
    Start your PC in safe mode again and run a full system scan.
    Once done, start normally and again scan for any infected files.

    In the end I decided on a clean-install and I'm back to normal now :)
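    The autorun clean-up in the Microsoft Answers steps above (export each Run key to the desktop, then prune RunOnce/RunOnceEx and the HKLM/HKCU Run keys) can be scripted so that the backup always happens before anything is removed and so that every entry is shown with the file it actually launches. The script below is an added example written for this page; it is not code from the thread, from Microsoft Answers or from Malwarebytes, and it assumes a Windows PowerShell 5.1 or later host run elevated (in Safe Mode, as the steps advise). The hypothetical value name 'pya' in the usage note is an assumption: the thread only names the process pya.exe, not the registry entry that relaunched it.

```powershell
<#
  Added example (not from the thread). Audits the autorun keys the manual
  steps walk through: exports each key to a .reg file on the desktop first,
  then lists every value with the executable it launches, flagging entries
  whose file is missing, sits outside the usual program directories, or has
  no valid Authenticode signature. Nothing is deleted unless -Remove names
  the values to drop. Assumes Windows PowerShell 5.1+, run elevated.
#>
[CmdletBinding()]
param(
    [string[]]$Remove = @()   # value names to delete after the backup, e.g. 'pya' (hypothetical)
)

$autorunKeys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Where legitimately installed autoruns normally live. A dropper in Temp or the
# profile fails this check; one parked in system32 (like the thread's pya.exe)
# passes it, which is why the signature check below is the more useful flag.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

function Get-CommandPath {
    # Pull the executable out of a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /silent    or    C:\WINDOWS\system32\pya.exe
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+', 2)[0]
}

$desktop = [Environment]::GetFolderPath('Desktop')
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($key in $autorunKeys) {
    $psPath = $key -replace '^(HKLM|HKCU)\\', '$1:\'
    if (-not (Test-Path -LiteralPath $psPath)) { continue }

    # Backup first: the scripted form of "right click -> Export -> save on desktop".
    $backup = Join-Path $desktop ("{0}-{1}.reg" -f ($key -replace '[\\:]', '_'), $stamp)
    & reg.exe export $key $backup /y | Out-Null

    $regKey = Get-Item -LiteralPath $psPath
    foreach ($name in $regKey.GetValueNames()) {
        if ($name -eq '') { continue }          # skip the (Default) value
        $command = [string]$regKey.GetValue($name)
        $exe     = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $command))

        $flags = @()
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $flags += 'MISSING'                 # points at a file that is no longer there
        } else {
            if (-not ($trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $flags += 'UNUSUAL-LOCATION'
            }
            if ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
                $flags += 'UNSIGNED'            # ctfmon.exe and vendor software are normally signed
            }
        }

        [PSCustomObject]@{
            Key     = $key
            Name    = $name
            Command = $command
            Flags   = ($flags -join ',')
            Backup  = $backup
        }

        if ($Remove -contains $name) {
            Remove-ItemProperty -LiteralPath $psPath -Name $name
            Write-Warning "Removed '$name' from $key (backup: $backup)"
        }
    }
}
```

    Saved as, say, Audit-Autoruns.ps1 (a hypothetical name), running it with no arguments only exports and lists; a second run with `-Remove 'pya'` deletes that one value after the backup has been written, so a mistake can be undone by double-clicking the .reg file on the desktop. The flags are hints for the reader's judgement, not a verdict: the thread's own advice that ctfmon.exe is the only entry needed under the HKCU Run key still applies, and the script deliberately leaves the decision of what to remove to the person running it.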
     
  3. Thorn

    Thorn Proud CND Baby

    Benefit of a clean install is everything runs like new again. Good to see you triumphed in the end!
     
  4. andrew jenery

    andrew jenery from Entropia Star

    Cheers! Yep, the machine really is like new again, and the alternative steps were fairly complicated anyway, so I went for the clean install option.
     
  5. khaos

    khaos DnB'addict

    If a virus manages to hijack your PC completely, you can always use a PE to locate the faulty files.
    Because they aren't loaded into memory when doing this, they will most likely also not reproduce.
     
  6. Download Malwarebytes from Malwarebytes : Free anti-malware, anti-virus and spyware removal download after starting your computer in safe mode with networking. Change the executable file to winlogon.exe. Run that file and install Malwarebytes. Do not try to update it. Close the program down, go into program files/malwarebytes and rename mbam.exe to winlogon.exe.

    Now run that file.

    Update.

    Close. Do the process again until updates are complete.

    Rename the final mbam.exe file to winlogon.exe

    Run a full system scan.

    If you keep getting infected and know it's not your browsing habits, take your drive out of your PC and install Windows and Security Essentials on another HDD. Plug the old one in via a USB to SATA or IDE converter. Scan the drive.

    Chances are you are going to come up with a boot sector virus. MSSE does not do well vs those particular viruses if the boot sector of a particular drive is in use. You can clean your boot sector using this method, though, then swap the drives back and be fine.
     
  7. andrew jenery

    andrew jenery from Entropia Star

    Thanks Khaos and Magyar! I'll definitely use these steps in future if I get a virus attack again...
     
  8. Lykke TheNun

    Lykke TheNun In Loot We Trust

    There is another program, most likely, that you have to download to be able to remove the thing. It's EVIL! Had the same happening with a fake Microsoft pop-up telling me to upgrade my firewall because it detected a huuuge amount of spyware and trojans on my PC (and listed them all up blinking red etc.). I was stupid enough to pay and then they of course had my CC number :( When Peter came home we found out I had to install another program to remove the trojan - because I could not remove it either ...

    Good luck - Hope you win this war
     