Annoyances.org
I have a Trojan Virus....PLEASE HELP
Showing all messages in thread #1121228200
Windows Me Annoyances Discussion Forum


The following are all of the messages in this thread (26 in all), shown in chronological order.
I have a Trojan Virus....PLEASE HELP
Tuesday, July 12, 2005 at 9:16 pm
Posted by Joey (12 messages posted)

I simply dialed up online last night and I have McAfee Anti-virus. It prompted me that I had a Trojan and I scanned and cleaned it, or so it said. When I finished the scan three more prompts appeared with different names of three different Trojans. I did not clean them at that particular moment. I allowed my computer to sit probably 10 more minutes at the most. I had to reboot it because it failed to respond when I tried to surf. I was not nor had I begun to surf the net when the Trojan prompt showed up from McAfee. Now, I rebooted my computer and it has a blue screen stating that I have a fatal error in IE and it calls the Trojan...."Trojan-Spy smit" and some other things after it. It also says that the system cannot operate in normal mode. It also says that I need to scan and clean my PC with any available anti-virus/spyware software that I have. I close error message after error message as my computer tries to boot up to desktop. When I finally make it to see my icons on my desktop it freezes up (usually on an Explorer error message) and I can't get my start menu to even respond so that I can use McAfee to rid my PC of the Trojan. It seems the error messages are from everything attempting to boot up....Explorer, Msmsg, etc... Any help would be very appreciated because I am on my older hard drive now and it doesn't work very well. I have so many things on my newer one that I don't want to lose. Many hours of music I have written ...etc etc....


re: I have a Trojan Virus....PLEASE HELP
Wednesday, July 13, 2005 at 7:16 am
Posted by Steve (19020 messages posted)

Try running your AV software in the safe mode.


re: I have a Trojan Virus...
Wednesday, July 13, 2005 at 11:16 am
Posted by Ms. Eagle (32452 messages posted)


It would be worth a try to restore a registry backup dated Prior to the problem, 
for starters. 

Have you tried booting to Safe mode? You can restore a registry backup in Safe mode, 
see if that solves the problem. Oddly enough, it sometimes works and would be a whole 
lot easier, than the work you have ahead of you. 
How to Start Windows in Safe Mode

If you can get into Safe mode: Go to Start - Run - type: SCANREGW /RESTORE 
then hit Enter. Choose a backup with a date prior to the problem. A good backup will 
have the word "Started" before it. Then try rebooting into Windows. 



Dealing with Unwanted Spyware and Parasites


re: I have a Trojan Virus....PLEASE HELP
Wednesday, July 13, 2005 at 11:23 am
Posted by Joey (12 messages posted)

I finally got McAfee to scan it. It found Trojans called Druogna, Dialer-235, Spy-Agent.h. It found them in the RESTORE/TEMP folders. It wouldn't delete them or remove them. It said they were write protected. How do I get them out of my system? It also will not allow me to redo my desktop wallpaper. I still have a blue screen with the message, A fatal error in windows has occurred...etc etc. My computer is working properly at the moment but I have yet to try to restart it since I ran my McAfee. My research on this type of Trojan says it installs itself in the Registry? http://www.sophos.com/virusinfo/analyses/trojspyjacka.html That link has the information to which I am referring. That is the exact description of the virus that I have.


On Wednesday, July 13, 2005 at 7:16 am, Steve wrote:
>Try running your AV software in the safe mode.


re: I have a Trojan Virus...
Wednesday, July 13, 2005 at 11:43 am
Posted by Joey (12 messages posted)

Hmm, I did try to start-up in safe mode when I couldn't get my system to reboot. It froze with the same message on-screen. The message was a lot bigger of course. I have yet to restart my PC because I am afraid it will be difficult once again to make it to desktop. It took a virtual act-of-congress to get to where I am right now. Currently, I am looking for a downloadable trojan-remover. I was hoping Symantec or someone would have a program to remove it. McAfee recognizes it as Druogna. It seems it isn't going to be very simple to remove. I have Restore disabled at the moment, but I am still weary of restarting. I know for a fact that my McAfee said it could not delete the Trojan so therefore I assume if I restart I will run into the same exact start-up issues again.


On Wednesday, July 13, 2005 at 11:16 am, Carol J wrote:
>
>It would be worth a try to restore a registry backup dated Prior to the problem,
>for starters.
>
>Have you tried booting to Safe mode? You can restore a registry backup in Safe mode,
>see if that solves the problem. Oddly enough, it sometimes works and would be a whole
>lot easier, than the work you have ahead of you.
>How to Start Windows in Safe Mode
>
>If you can get into Safe mode: Go to Start - Run - type: SCANREGW /RESTORE
>then hit Enter. Choose a backup with a date prior to the problem. A good backup will
>have the word "Started" before it. Then try rebooting into Windows.
>
>Dealing with Unwanted Spyware and Parasites


re: I have a Trojan Virus...
Wednesday, July 13, 2005 at 11:58 am
Posted by Ms. Eagle (32452 messages posted)


There's no easy fix for most malware infections nowadays. There's no such thing as 
a downloader trojan remover. Those are one of the toughest things to get rid of. 
The reason is, they do exactly as the name implies. They download/install more malware 
each time you connect to the net. 

If you can't get into Safe or normal mode, how do you expect to run a removal program 
of any kind? In Windows ME, you can get to the command prompt using a ME startup 
(boot) disk. If you don't have one, you can create one on another system. If you 
don't have access to another ME machine, a 98 startup disk will work fine for this. 

To create a disk: Get a blank floppy diskette, go into Add/Remove programs. Click 
Startup Disk tab, then stick the floppy disk in drive and choose Create disk. Then 
boot with the startup disk in the floppy drive. At the A:\> prompt, type: C: scanreg 
/restore then press Enter. Choose a backup with the word Started, dated before 
this happened.

You should get a message that Windows successfully restored the registry. Then CTRL_ALT_DEL 
and see if you can get back into Windows. 

P.S. you may need to consider formatting and reinstalling Win ME, if that doesn't 
work. 


Dealing with Unwanted Spyware and Parasites


re: I have a Trojan Virus...
Wednesday, July 13, 2005 at 12:11 pm
Posted by Ms. Eagle (32452 messages posted)


"I have Restore disabled at the moment, but I am still weary of restarting."

You need to try restarting your system. Otherwise, you'll never get anywhere. I hadn't 
read your response to Steve, but if you've disabled System Restore and were able 
to run a scan, that sounds good. 

When a ME/XP system's infected, you must leave System Restore disabled, until the 
system is clean. It's actually better to delete the Restore volume at the command 
prompt, but if you're sure it's been cleared out, try booting into Windows. 

AV programs don't/can't clean trojans. They usually require some manual removal, 
especially in the case of downloaders. You do need to run some spyware scans in Safe 
mode. 

Check out Jack's suggestions and download links on his web page.
Jack Gulley's ME Fixes page



Dealing with Unwanted Spyware and Parasites


re: I have a Trojan Virus...
Wednesday, July 13, 2005 at 4:53 pm
Posted by Joey (12 messages posted)

I rebooted and I'm sure the Trojan is still in my system. I can scan for it and McAfee detects it. I am going to make that start-up disk in the morning and perform the method you instructed. I don't have any error messages (on boot-up) anymore so I think I have at least disabled its full wrath. I still have a blue background on my desktop stating the IE error message. I cannot change my wallpaper on my desktop. I assume that when I rid my PC of the trojan, it will restore that function? The display properties doesn't have the option anymore to change the desktop wallpaper. Have any clue if I will need a ME repair disk in order to restore my desktop properly? I am somewhat computer literate when they are working correctly..lol These bugs are a little out of my mental grasp though. I really appreciate your help and time.


On Wednesday, July 13, 2005 at 12:11 pm, Carol J wrote:
>
>"I have Restore disabled at the moment, but I am still weary of restarting."
>
>You need to try restarting your system. Otherwise, you'll never get anywhere. I hadn't
>read your response to Steve, but if you've disabled System Restore and were able
>to run a scan, that sounds good.
>
>When a ME/XP system's infected, you must leave System Restore disabled, until the
>system is clean. It's actually better to delete the Restore volume at the command
>prompt, but if you're sure it's been cleared out, try booting into Windows.
>
>AV programs don't/can't clean trojans. They usually require some manual removal,
>especially in the case of downloaders. You do need to run some spyware scans in Safe
>mode.
>
>Check out Jack's suggestions and download links on his web page.
>Jack Gulley's ME Fixes page
>
>Dealing with Unwanted Spyware and Parasites


re: I have a Trojan Virus...
Wednesday, July 13, 2005 at 5:06 pm
Posted by Joey (12 messages posted)

I meant to tell ya....When the Trojan was found, it was in the C:\_RESTORE\TEMP folder. When I went in manually and found where they were located, I tried deleting them and it said they couldn't be deleted that the files could be in-use. The files were numbers...such as...A0269849, A0269854 etc etc...If I remember correctly, I went into Windows Explorer, but when I found the numbers in the list of files (within RESTORE\TEMP) it wouldn't allow me to delete them from there.


On Wednesday, July 13, 2005 at 4:53 pm, Joey wrote:
>I rebooted and I'm sure the Trojan is still in my system. I can scan for it and McAfee
>detects it. I am going to make that start-up disk in the morning and perform the
>method you instructed. I don't have any error messages (on boot-up) anymore so I
>think I have at least disabled its full wrath. I still have a blue background on
>my desktop stating the IE error message. I cannot change my wallpaper on my desktop.
>I assume that when I rid my PC of the trojan, it will restore that function? The
>display properties doesn't have the option anymore to change the desktop wallpaper.
>Have any clue if I will need a ME repair disk in order to restore my desktop properly?
>I am somewhat computer literate when they are working correctly..lol These bugs are
>a little out of my mental grasp though. I really appreciate your help and time.

re: I have a Trojan Virus....PLEASE HELP
Wednesday, July 13, 2005 at 5:46 pm
Posted by Steve (19020 messages posted)

Turn off system restore, and reboot the computer, empty your temp Internet files, then scan again, write down the Trojan exe name, and where it resides in the computer. You can usually delete them, but sometimes only from the safe mode. It can take a few hours or longer to clean up a sick computer. Once you get the computer clean, look at how you use the computer. If you use p2p programs, software crack sites, or even use Internet Explorer, you can pick up Trojans very easily.


re: I have a Trojan Virus...
Wednesday, July 13, 2005 at 10:00 pm
Posted by Ms. Eagle (32452 messages posted)


Malware infections can mess up a system enough to where a repair/reinstall of Windows 
is sometimes necessary. Let's take one thing at a time, but just cleaning your system 
likely won't put everything back to normal. 

It's just a long shot having you try restoring a good registry backup, and we shouldn't 
count on it. You can still follow my previous instructions. Then before rebooting, 
delete the Restore volume following the instructions below. (A registry restore has 
nothing to do with ME's System Restore). 

I'd read that you said the trojan was in the Restore folder. You can NOT delete that 
folder in Windows or Safe mode, because it's a protected folder. In order to delete 
the entire folder, you need to boot with the startup disk and use the DOS command 
for delete. 

Note: Deltree is a very powerful command. Anything you type after it, will be permanently 
deleted. This will delete all of the temp files in that folder. How to do it: 

Boot your system with the startup disk in the floppy drive. At the A: prompt, type 
the command below in Bold. (Note the space)
 
 DELTREE C:\_RESTORE

Once it's finished, remove the disk from the drive and Ctrl_Alt_Del to get back into 
Windows. Let us know how it goes.


Dealing with Unwanted Spyware and Parasites


re: I have a Trojan Virus...
Thursday, July 14, 2005 at 12:11 pm
Posted by Joey (12 messages posted)

I have made some progress. I went into my registry editor and I have my active desktop back now. I will soon post the steps I took in order to retrieve that function very soon for future users with my same problem. This is a learning experience for me as well. If anything, I think I have at least confined the Trojan to just being a sitting duck in my system. I haven't noticed any other malfunctions related to it at this time.


On Wednesday, July 13, 2005 at 10:00 pm, Carol J wrote:
>
>Malware infections can mess up a system enough to where a repair/reinstall of Windows
>is sometimes necessary. Let's take one thing at a time, but just cleaning your system
>likely won't put everything back to normal.
>
>It's just a long shot having you try restoring a good registry backup, and we shouldn't
>count on it. You can still follow my previous instructions. Then before rebooting,
>delete the Restore volume following the instructions below. (A registry restore has
>nothing to do with ME's System Restore).
>
>I'd read that you said the trojan was in the Restore folder. You can NOT delete that
>folder in Windows or Safe mode, because it's a protected folder. In order to delete
>the entire folder, you need to boot with the startup disk and use the DOS command
>for delete.
>
>Note: Deltree is a very powerful command. Anything you type after it, will be permanently
>deleted. This will delete all of the temp files in that folder. How to do it:
>
>Boot your system with the startup disk in the floppy drive. At the A: prompt, type
>the command below in Bold. (Note the space)
>
> DELTREE C:\_RESTORE
>
>Once it's finished, remove the disk from the drive and Ctrl_Alt_Del to get back into
>Windows. Let us know how it goes.
>
>Dealing with Unwanted Spyware and Parasites


Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 12:30 pm
Posted by Joey (12 messages posted)

I stated that I could not get my computer to boot properly due to many error messages. It would freeze due to a flood of corrupt tasks (related to the trojan) attempting to boot. This is how I got it to work for those who may encounter the same problem.

As my system booted, I allowed it to perform Scandisk completely. As soon as Scandisk completed (the very second that I saw my task bar appear), I was poised and ready to press cntrl+alt+delete to bring up my task menu. On this menu at various times, I noticed three things that were related to the Trojan (Druogna). One was "" one was called "msmgs" and the other was "popuper". I first assumed "Msmgs" was related to MSN messenger, but I have had a warning from my Anti-Virus program informing that "Msmgs" had been corrupted by a trojan named Shnlog.exe. Every second in the boot process I would hit cntrl+alt+delete and every time I saw either of those three tasks I would click "end task". This process allowed my desktop to boot completely to where I was no longer freezing.

Some important notes:
1. Don't press cntrl+alt+delete before task bar appears. This will only restart your PC before you get anywhere.
2. Don't press it twice before you end any of the tasks stated above. You will only restart your computer.
3. Press cntrl+alt+delete no less than two seconds after ending a corrupt task, because, I noticed when the tasks "" and "popuper" begin to appear, they will multiply in your task menu if not ended immediately and that is what makes your PC freeze. When you have a task menu full of or popuper, it's too late. You'll have to restart from square one.

I realize that a lot of experts on here may have already known to perform this method, I simply would like to pass on any helpful information that I acquire in this process to someone that might be on my learning level. I appreciate everyone's time and very kind and very helpful advice. It has helped me and I would be honored to do the same for others with what knowledge that I gather.


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 1:07 pm
Posted by Joey (12 messages posted)

The first task that the forum isn't showing in my post is "unknown". It is enclosed in arrows, which is why I am assuming it didn't show up. Just wanted to clarify that.


On Thursday, July 14, 2005 at 12:30 pm, Joey wrote:
>I stated that I could not get my computer to boot properly due to many error messages.
>It would freeze due to a flood of corrupt tasks (related to the trojan) attempting
>to boot. This is how I got it to work for those who may encounter the same problem.
>
>As my system booted, I allowed it to perform Scandisk completely. As soon as Scandisk
>completed (the very second that I saw my task bar appear), I was poised and ready
>to press cntrl+alt+delete to bring up my task menu. On this menu at various times,
>I noticed three things that were related to the Trojan (Druogna). One was ""
>one was called "msmgs" and the other was "popuper". I first assumed "Msmgs" was related
>to MSN messenger, but I have had a warning from my Anti-Virus program informing
>that "Msmgs" had been corrupted by a trojan named Shnlog.exe. Every second in the
>boot process I would hit cntrl+alt+delete and every time I saw either of those three
>tasks I would click "end task". This process allowed my desktop to boot completely
>to where I was no longer freezing.
>
>Some important notes:
>1. Don't press cntrl+alt+delete before task bar appears. This will only restart your
>PC before you get anywhere.
>2. Don't press it twice before you end any of the tasks stated above. You will only
>restart your computer.
>3. Press cntrl+alt+delete no less than two seconds after ending a corrupt task, because,
>I noticed when the tasks "" and "popuper" begin to appear, they will multiply
>in your task menu if not ended immediately and that is what makes your PC freeze.
>When you have a task menu full of or popuper, it's too late. You'll have
>to restart from square one.
>
>I realize that a lot of experts on here may have already known to perform this method,
>I simply would like to pass on any helpful information that I acquire in this process
>to someone that might be on my learning level. I appreciate everyone's time and very
>kind and very helpful advice. It has helped me and I would be honored to do the same
>for others with what knowledge that I gather.


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 2:15 pm
Posted by werner (7047 messages posted)

The whole Exercise would have been easier if you'd gone with EWIDO at the first 
opportunity you were able to connect to the Web and D/L. Would have saved some time 
and sweat.   :)     werner
http://www.ewido.net/en/download/


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 2:48 pm
Posted by Joey (12 messages posted)

Ewido can scan and clean the Druogna Trojan?


On Thursday, July 14, 2005 at 2:15 pm, werner wrote:
>The whole Exercise would have been easier if you'd gone with EWIDO at the first
>opportunity you were able to connect to the Web and D/L. Would have saved some time
>and sweat. :) werner
>http://www.ewido.net/en/download/


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 2:54 pm
Posted by werner (7047 messages posted)

It's made to take care of this type of Malware; if not, you could try A-squared, which 
is a freeware Antitrojan Scanner.
http://www.emsisoft.com/en/software/free/ 
   Joe put together a whole list of Security Applications, have a look at it
http://www.annoyances.org/exec/forum/winxp/1114737232 
   :)   werner


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 3:18 pm
Posted by Ms. Eagle (32452 messages posted)

Werner, those programs don't take care of all types of trojans, so you don't know for sure how it will tackle this one. A downloader trojan downloads and installs more malware. If it were that simple, those malware support forums wouldn't be swamped!


Dealing with Unwanted Spyware and Parasites


re: I have a Trojan Virus...
Thursday, July 14, 2005 at 3:28 pm
Posted by Ms. Eagle (32452 messages posted)


FYI, Active Desktop is a resource hog, and it's actually recommended not to use it. 
Your choice, of course.

Glad you're making progress, but you didn't say how either of those steps I posted 
worked out? Did you get Restore cleared out? 

Regarding trojan removers. While they're helpful in cleaning up a system, they don't 
completely eliminate all types of trojans. In other words, a trojan isn't a trojan 
so to speak. There are backdoors, downloaders and others. Even Spybot S&D targets 
and cleans 'some' trojans.  



Dealing with Unwanted Spyware and Parasites


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 3:28 pm
Posted by werner (7047 messages posted)

Well, I am glad you're telling me. Seems those Downloaders are some Bad...s Stuff. Sure 
glad I did not have to battle any of them.....yet.     :)    werner


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 3:40 pm
Posted by Joey (12 messages posted)

Besides, Ewido doesn't work with ME. I just tried it. It only works with 2000 and higher it said. Was nice of you to suggest though Werner. TYVM


On Thursday, July 14, 2005 at 3:18 pm, Carol J wrote:
>
>Werner, those programs don't take care of all types of trojans, so you don't know
>for sure how it will tackle this one. A downloader trojan downloads and installs more
>malware. If it were that simple, those malware support forums wouldn't be swamped!
>
>Dealing with Unwanted Spyware and Parasites


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 3:45 pm
Posted by Ms. Eagle (32452 messages posted)


Those are difficult to get rid of, but some are more advanced than others. Those 
backdoors are scary...if you get a backdoor on your system, a hacker can control 
your system remotely. 

Wikipedia has a good page on trojans...
http://en.wikipedia.org/wiki/Trojan_horse_(computing)


Dealing with Unwanted Spyware and Parasites


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 3:47 pm
Posted by werner (7047 messages posted)

Boy, old Billy really outdid himself with ME.   lol    werner


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 4:06 pm
Posted by werner (7047 messages posted)

Thanks, I will read up on it.   :)  werner


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Thursday, July 14, 2005 at 4:23 pm
Posted by Joey (12 messages posted)

Maybe it stands for..."Malfunction Extravaganza" lol. Actually I can't say much bad about it so far. This is the first problem I have had in two years with this computer/operating system. I have still yet to remove the trojan itself, but I have it confined or so I hope. I am going to begin surgery within the next couple of days. lol I plan on performing some more scans and identifying any other names it may have taken on before I go into removal of it. McAfee recognizes it as Druogna so far. I would assume it would HAVE to have an .exe file within my computer somewhere that would require removal as well. Maybe you folks could enlighten me to that fact or not. The only one I have seen so far is one called Shnlog.exe.


On Thursday, July 14, 2005 at 3:47 pm, werner wrote:
>Boy, old Billy really outdid himself with ME. lol werner


re: Helpful Hints That I Used Combating The Druogna Trojan. #1
Friday, July 15, 2005 at 2:57 pm
Posted by werner (7047 messages posted)

Seems it's another one. If you paste those filenames into Google you can come up with 
all kinds of Info.    :)   werner
http://www.processlibrary.com/directory/files/shnlog/
http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=Shnlog.exe


All content at Annoyances.org is Copyright © 1995-2008 Creative Element™ All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.