re: trojan and joke programs
Monday, January 5, 2004 at 12:35 pm Windows Me Annoyances Discussion Forum
Posted by worm
(792 messages posted)
Hi Jeff,
Your AVG or Norton doesn't report this as a Trojan or virus because it isn't either.
What you've got there is a particularly nasty adware downloader that is capable of
respawning itself and creating new registry keys as it goes along.
After purging the System Restore repository as Jack Gulley suggests and running Housecall
AV again, you need to do some checking to ensure "Checkin.b" hasn't left anything
behind. These are the steps to take.
1. Physically disconnect your computer from the Internet. This is vital because
as soon as you delete a file that belongs to this program, it will try to connect
to the server and download itself again.
2. Hit CTRL+ALT+DEL and look for these tasks:
owmngr
ttps
If you find them, end task on both.
3. Go to Start > Run > type Regedit and click OK. Navigate to this key, delete
the value owmngr in the right-hand window and then reboot the computer immediately.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
4. Open regedit again and navigate to the same key and delete sysreg in the
right-hand window.
Once again, reboot immediately.
5. Go to this key and delete owmngr and reboot immediately.
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce
6. Run regedit again and go to the same key and delete sysreg and reboot immediately.
7. Double click My Computer > click "Tools" > choose "Folder Options" from the menu.
8. Checkmark the little circle where it says "Show Hidden Files & Folders".
9. Remove the checkmark where it says "Hide file extensions for known file types".
Click Apply/OK.
10. Go to Start > Search > Files & Folders > type "owmngr.exe" and delete that file.
Then do a search for "ttps.exe" and delete that too.
11. Do a search for "SBSRCH_V22.DLL" and delete that as well.
12. Do a search for "WINFGNET.DAT" and delete that as well.
13. Finally, empty the Recycle Bin.
Even if Housecall AV tells you your system has been cleaned, I would err on the side
of caution if I were you and check the Registry for the above-mentioned keys and
values just in case.
On Monday, January 5, 2004 at 8:00 am, Jeff wrote:
>Hello and thank you for your time,
>I found this site and love it. I have run Housecall AV and it says I have a trojan
>called checkin.b (I think) and another possible joke program called joke russ.a.
>Housecall says they cannot be accessed and they will not clean or delete. When
>I run my Norton and AVG anti-virus programs they say my system is clean. If I have
>these running around in my 'puter I would really like to get rid of them. I tried
>starting in safe mode and searching for the files to delete them but it says they
>are in use. They are _restore\temp\xxxxxxx.cpy files and _restore\temp\fsxxxx.cab
>files. Any ideas? Thanks again.
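An added example, not part of the original post: one way to do the final registry check in bulk is to export the registry from Regedit and scan the export text for the value names and file names listed in the steps. The function name, the sample export and its paths are constructed for illustration, and the scan goes slightly beyond the post by also flagging the names under keys other than the two it mentions.

```python
import re

# Names taken from the steps in the post above; compared case-insensitively.
POST_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}
VALUE_NAMES = {"owmngr", "sysreg"}
FILE_NAMES = ("owmngr.exe", "ttps.exe", "sbsrch_v22.dll", "winfgnet.dat")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export (paths are made up, not taken from the post).
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"owmngr"="C:\\WINDOWS\\owmngr.exe"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"sysreg"="C:\\WINDOWS\\SYSTEM\\ttps.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\ttps.exe /s"
'''


def find_leftovers(reg_text):
    """Return (key, value_name, data, key_named_in_post) for each flagged value."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)  # remember which key the following values belong to
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue  # header, blank line or hex continuation line
        name, data = m.group(1).strip('"'), m.group(2)
        # Flag on the value name, or on data that points at a listed file.
        if name.lower() in VALUE_NAMES or any(f in data.lower() for f in FILE_NAMES):
            hits.append((key, name, data, key.lower() in POST_KEYS))
    return hits


if __name__ == "__main__":
    for hit in find_leftovers(SAMPLE):
        print(hit)
```

An empty result on a fresh export taken after the last reboot means none of the listed value names or file names remain in the exported branch.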