trojan and joke programs
Showing all messages in thread #1073318436 Windows Me Annoyances Discussion Forum
The following are all of the messages in this thread (5 in all), shown in chronological order.
trojan and joke programs
Monday, January 5, 2004 at 8:00 am Posted by Jeff
(1 messages posted)
Hello and thank you for your time,
I found this site and love it. I have run Housecall AV and it says I have a trojan
called checkin.b (I think) and another possible joke program called joke russ.a.
Housecall says they cannot be accessed and they will not clean or delete. When
I run my Norton and AVG anti-virus programs they say my system is clean. If I have
these running around in my 'puter I would really like to get rid of them. I tried
starting in safe mode and searching for the files to delete them but it says they
are in use. They are _restore\temp\xxxxxxx.cpy files and _restore\temp\fsxxxx.cab
files. Any ideas? Thanks again.
re: trojan and joke programs
Monday, January 5, 2004 at 8:35 am Posted by Steve
(21647 messages posted)
If you have System Restore enabled, turn it off. Then reboot the computer. Then try
the online scan and removal again. I have not gone through this; this is just
what I would try.
On Monday, January 5, 2004 at 8:00 am, Jeff wrote:
>Hello and thank you for your time,
>I found this site and love it. I have run Housecall AV and it says I have a trojan
>called checkin.b (I think) and another possible joke program called joke russ.a.
> Housecall says they cannot be accessed and they will not clean or delete. When
>I run my Norton and AVG anti-virus programs they say my system is clean. If I have
>these running around in my 'puter I would really like to get rid of them. I tried
>starting in safe mode and searching for the files to delete them but it says they
>are in use. They are _restore\temp\xxxxxxx.cpy files and _restore\temp\fsxxxx.cab
>files. Any ideas? Thanks again.
re: trojan and joke programs
Monday, January 5, 2004 at 11:04 am Posted by Jack Gulley
(5917 messages posted)
Disable System Restore and reboot.
Then go back in and enable it and reboot. Then run HouseCall_AV again to make sure
it's gone.
Then see
Windows ME Fixes
re: trojan and joke programs
Monday, January 5, 2004 at 12:35 pm Posted by worm
(792 messages posted)
Hi Jeff,
Your AVG or Norton doesn't report this as a Trojan or virus because it isn't either.
What you've got there is a particularly nasty adware downloader that is capable of
respawning itself and creating new registry keys as it goes along.
After purging the System Restore repository as Jack Gulley suggests and running Housecall
AV again, you need to do some checking to ensure "Checkin.b" hasn't left anything
behind. These are the steps to take.
1. Physically disconnect your computer from the Internet. This is vital because
as soon as you delete a file that belongs to this program, it will try to connect
to the server and download itself again.
2. Hit CTRL+ALT+DEL and look for these tasks:
owmngr
ttps
If you find them, end task on both.
3. Go to Start > Run > type Regedit and click OK. Navigate to this key, delete
the value owmngr in the right hand window and then reboot the computer immediately.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
4. Open regedit again and navigate to the same key and delete sysreg in the
right hand window.
Once again, reboot immediately.
5. Go to this key and delete owmngr and reboot immediately.
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce
6. Run regedit again and go to the same key and delete sysreg and reboot immediately.
7. Double click My Computer > click "Tools" > choose "Folder Options" from the menu.
8. Checkmark the little circle where it says "Show Hidden Files & Folders".
9. Remove the checkmark where it says "Hide file extensions for known file types".
Click Apply/OK.
10. Go to Start > Search > Files & Folders > type "owmngr.exe" and delete that file.
Then do a search for "ttps.exe" and delete that too.
11. Do a search for "SBSRCH_V22.DLL" and delete that as well.
12. Do a search for "WINFGNET.DAT" and delete that as well.
13. Finally, empty the Recycle Bin.
Even if Housecall AV tells you your system has been cleaned, I would err on the side
of caution if I were you and check the Registry for the above mentioned keys and
values just in case.
On Monday, January 5, 2004 at 8:00 am, Jeff wrote:
>Hello and thank you for your time,
>I found this site and love it. I have run Housecall AV and it says I have a trojan
>called checkin.b (I think) and another possible joke program called joke russ.a.
> Housecall says they cannot be accessed and they will not clean or delete. When
>I run my Norton and AVG anti-virus programs they say my system is clean. If I have
>these running around in my 'puter I would really like to get rid of them. I tried
>starting in safe mode and searching for the files to delete them but it says they
>are in use. They are _restore\temp\xxxxxxx.cpy files and _restore\temp\fsxxxx.cab
>files. Any ideas? Thanks again.
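
The registry check described in the steps above can also be run against an exported copy of the registry. This is an added example, not part of the original post; it assumes the export is in the plain-text `REGEDIT4` format that regedit writes. The two key paths and the value names `owmngr` and `sysreg` come from the post, and the sample export with its `C:\EXAMPLE` paths is constructed. It goes slightly beyond the post by reporting those value names under any key in the export and marking whether the key is one of the two the post names.

```python
import re
import sys

# Key paths and value names are the ones named in the post above.
POST_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}
POST_VALUES = {"owmngr", "sysreg"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')  # "name"=data

# Constructed sample export; the C:\EXAMPLE paths are placeholders.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OWMNGR"="C:\\EXAMPLE\\owmngr.exe"
"ExampleTray"="C:\\EXAMPLE\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"sysreg"="C:\\EXAMPLE\\sysreg.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sysreg"="C:\\EXAMPLE\\other.exe"
'''

def unescape(text):
    # .reg files escape backslashes and quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)

def find_leftovers(reg_text):
    """Return (key, value name, data, key_named_in_post) for each watched value."""
    hits, key = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: the key the following values belong to
            continue
        match = VALUE_RE.match(line)
        if key is None or not match:
            continue  # blank line, comment, default value or continuation line
        name = unescape(match.group(1))
        if name.lower() in POST_VALUES:  # value names are case-insensitive
            data = match.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            hits.append((key, name, data, key.lower() in POST_KEYS))
    return hits

if __name__ == "__main__":
    # Pass the path of an exported .reg file, or run with no argument for the sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, name, data, in_post in find_leftovers(text):
        print(("post key " if in_post else "other key") + f": [{key}] {name} = {data}")
```

An empty result after the final reboot means none of the named values remain in the exported keys.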
re: trojan and joke programs
Sunday, February 8, 2004 at 11:43 am Posted by CWS
(1 messages posted)
Does this also apply to XP?
I have the JOKR RUSS.A on my computer and want to remove!
On Monday, January 5, 2004 at 12:35 pm, worm wrote:
>Hi Jeff,
>
>Your AVG or Norton doesn't report this as a Trojan or virus because it isn't either.
>What you've got there is a particularly nasty adware downloader that is capable of
>respawning itself and creating new registry keys as it goes along.
>
>After purging the System Restore repository as Jack Gulley suggests and running Housecall
>AV again, you need to do some checking to ensure "Checkin.b" hasn't left anything
>behind. These are the steps to take.
>1. Physically disconnect your computer from the Internet. This is vital because
>as soon as you delete a file that belongs to this program, it will try to connect
>to the server and download itself again.
>2. Hit CTRL+ALT+DEL and look for these tasks:
>owmngr
>ttps
>If you find them, end task on both.
>3. Go to Start > Run > type Regedit and click OK. Navigate to this key, delete
>the value owmngr in the right hand window and then reboot the computer immediately.
>
>HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
>
>4. Open regedit again and navigate to the same key and delete sysreg in the
>right hand window.
>Once again, reboot immediately.
>5. Go to this key and delete owmngr and reboot immediately.
>
>HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce
>
>6. Run regedit again and go to the same key and delete sysreg and reboot immediately.
>
>7. Double click My Computer > click "Tools" > choose "Folder Options" from the menu.
>8. Checkmark the little circle where it says "Show Hidden Files & Folders".
>9. Remove the checkmark where it says "Hide file extensions for known file types".
>Click Apply/OK.
>10. Go to Start > Search > Files & Folders > type "owmngr.exe" and delete that file.
>Then do a search for "ttps.exe" and delete that too.
>11. Do a search for "SBSRCH_V22.DLL" and delete that as well.
>12. Do a search for "WINFGNET.DAT" and delete that as well.
>13. Finally, empty the Recycle Bin.
>
>Even if Housecall AV tells you your system has been cleaned, I would err on the side
>of caution if I were you and check the Registry for the above mentioned keys and
>values just in case.