Spyware warning & reappearing file Karin.dat

By Tonymandala
Jul 31, 2008
  1. Hello,

    I am trying to fix a friend's computer.
    They were running an out of date version of Norton.
    Win XP Home sp2.

    There is a popup from the system tray with a big red cross: "Spyware has been here and windows will download the latest antispyware program"

    I tried to install AVG but it would not install in normal or safe mode.

    I managed to install CCleaner in safe mode, cleaned all the cookies & temp files and stopped all non-essential startups.

    I loaded some programs to a folder on C drive and tried to run them in safe mode.
    vcleaner & Sophos detected nothing.
    HijackThis would not run.
    FixBlast nothing, etc...

    After some hours of watching the file names flick before my eyes ;) I took the "House Call" online check and eventually it found a Trojan, but stupidly I didn't write down the name (something like EULO Trojan ??). I clicked delete and re-booted, all pleased with myself, only to find the problem persisted!
    I ran another Housecall scan of the system32 folder and found a file "karin.dat"
    I deleted this but it just comes back again.
    In my frustration I then did something stupid: yes, I clicked the popup!
    It installed something claiming to be windows security center, put an icon on my desktop just like a real program.
    I can now no longer connect to the internet at all or install anything.

    I am going to try TechSpot Trojan remover program but fear it won't install.

    Do any of you knowledgeable folk know where the originating file might be or what it is called? I don't see anything on root "C". Housecall didn't pick up anything in the Docs & Settings folder.

    Searching for "Karin Trojan" just turns up "SpyNoMore" but I'm not sure if that is good ?? Is this brand new perhaps?

    I have seen the list of progs to try in other posts but I fear they won't install.
    I am toying with the idea of putting the drive in my computer and running them but that's a bit frightening!! Perhaps you know of another program I can run from CD in safe mode?

    It's a Compaq and has the possibility to re-install Windows but I think that doesn't delete user documents so may not solve the problem?

    Hope someone can help, Thanks in advance, Tony
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hard to say without some logs. See what you can do with these Preliminary removal instructions

    Attach here (if possible)
    1)MBAM log
    2)SAS log
    3)hijackthis log scanned after everything else
  3. Tonymandala

    Tonymandala TS Rookie Topic Starter

    Thanks for Replying Blind Dragon,

    I've got it now! Used your Trojan Remover (simply super), it installed fine in safe mode and found quite a few bad guys in a fraction of the time of the other programs I tried.

    I won't go into details (unless anyone wants them?), I'll just mention that the bogus Windows security center was System32\ntos.exe

    The file Karina.dat (not Karin, sorry chaps :blush:) was activated by the reg key
    HKLM\Software\Microsoft\WindowsNT\Current Version\Windows "AppInit_DLLs"

    I couldn't install antivirus because (according to TR) something was hiding in System32\Beep.sys
    also in System32\Drivers\Beep.sys

    I will scan with your recommended programs as well just to be sure it's all sorted.

    Thanks a lot, great site, I'll be back :)
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good news! I would still like the logs to make sure - also so we can check your security for weaknesses
  5. Tonymandala

    Tonymandala TS Rookie Topic Starter

    Ran Spybot and Ad-Aware, nothing notable...
    HijackThis showed no nasty BHOs.

    I was doing this at a friend's house and wanted to get out quick, 2 kids either screaming or asking silly questions all the time! Away, run away!
    So sorry I haven't got any log files to show you.

    I installed Avast (best free one with French lang?) after uninstalling Norton. I uninstalled it and Windows Security Center (the real one) still reported it as working and up to date although it expired months ago! Had to download the uninstaller from the Symantec site...

    Anyway all seems to be well so... Thanks a lot Blind Dragon,

    cheers for now....
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Thanks for letting me know - good luck to you
Topic Status:
Not open for further replies.
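
The persistence Tonymandala describes in post 3 (Karina.dat loaded through the `AppInit_DLLs` value) can be checked offline from a registry export. This is an added example, not part of the original thread; the sample export, the `hook.dll` entry and the function names are constructed for illustration.

```python
import re

# Key that holds AppInit_DLLs (standard spelling of the path quoted in the post).
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed regedit export for illustration; the hook.dll entry is hypothetical.
# Real exports are usually UTF-16: open(path, encoding="utf-16").read()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="karina.dat C:\\PROGRA~1\\Vendor\\hook.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

def read_appinit(reg_text):
    """Return the raw AppInit_DLLs string from a .reg export, or None if absent."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only values under the exact key count, not similarly named ones.
            in_key = line[1:-1].lower() == KEY.lower()
        elif in_key:
            m = re.match(r'"AppInit_DLLs"="(.*)"$', line, re.I)
            if m:
                # .reg files escape backslash and double quote with a backslash.
                return re.sub(r'\\(.)', r'\1', m.group(1))
    return None

def triage(value):
    """Split the value on spaces or commas (its delimiters) and note odd entries."""
    findings = []
    for entry in filter(None, re.split(r"[ ,]+", value or "")):
        reasons = []
        if not entry.lower().endswith(".dll"):
            reasons.append("not a .dll extension")
        if "\\" not in entry:
            reasons.append("no path, resolved via DLL search order")
        findings.append((entry, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(read_appinit(SAMPLE_REG)):
        print(entry, "->", "; ".join(reasons) or "review: is this expected software?")
```

On a clean Windows XP install the value is empty, so every listed entry should be traceable to software the owner knowingly installed.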