TechSpot

Drowdor D Trojan Removal

By chewzall
Nov 5, 2007
  1. It appears I have a trojan lurking; XoftSpySE detects the Drowdor D Trojan each time it runs, located in C:\WINNT\System32\internat.exe. While XSSE states it quarantines it, each time I rerun it reappears.

    I'm running Win2000, NAV, AVG AntiSpy, Spybot, AdAware, and XSSE; it is detected only by XSSE.

    How do I get rid of this? I've been running the Trend Micro HouseCall for the past 5.5 hours, have no idea how long this should take.

    Thanks!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system may be infected with the Win32.Lydra.a information stealing Trojan.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of chewzall only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. chewzall

    chewzall TS Rookie Topic Starter Posts: 22

    I have completed the 15 steps, with the following problems: House Call never completed as I got a clock which said 39 1/2. I took that as time to run and as it did not appear to change closed the program. I also had a problem where I got a blue screen and could not boot into windows after Panda was installed. Had to revert to a before Panda version to get on, and Panda came up when it booted so I ran it (found nothing).
    I think I've got logs attached. I have done nothing on HJT other than run the scan; have not removed or fixed anything.
    Where from here?
    Thanks,
    Kerri

    Log files attached
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders(if there).

    C:\windows\system32\blank.htm

    Reboot your system.

    Other than the above, your log files look clean.

    Are you still having problems?

    Regards Howard :)

    This thread is for the use of chewzall only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. chewzall

    chewzall TS Rookie Topic Starter Posts: 22

    Yes, still problems; it's still appearing when I run XSSE with the path of c:\WINNT\system32\internat.exe.

    If I run XSSE while I've got the directory open, the icon for the file disappears when I instruct XSSE to quarantine it, and then reappears a few seconds later. It's an ominous looking black icon with a ? in it, not that that means anything...

    I'm attaching a re-run of HJT; on your last instructions, I could not find a file called C:\windows\system32.blank.htm but I'm not sure I was looking in the right places.

    Thanks,
    Kerri
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    I think Xoftspy is giving you a false positive, which is definitely not unknown for that software.

    c:\WINNT\system32\internat.exe. is normally legit when running from that location. See HERE.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of chewzall only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. chewzall

    chewzall TS Rookie Topic Starter Posts: 22

    I'm running 2000; are there instructions re: restore for that?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Windows 2000 doesn`t have system restore so, just forget about it.

    Regards Howard :)

    This thread is for the use of chewzall only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...