
New Trojan no removal tool

Created: 25 Apr 2009 • Updated: 21 May 2010 | 8 comments
This issue has been solved. See solution.

4/25/2009 21:36 Infostealer Pending Analysis jtmbl.piy File C:\WINDOWS\
4/25/2009 21:36 Infostealer Cleaned by deletion jtmbl.piy File C:\WINDOWS\
4/25/2009 21:35 Trojan Horse Quarantined setup_u.exe File C:\WINDOWS\system32\
4/23/2009 6:16 Tracking Cookie Deleted Unavailable Trackware Unavailable
4/22/2009 15:34 Tracking Cookie Deleted Unavailable Trackware Unavailable
4/22/2009 14:14 Trojan Horse Quarantined M9[1].exe File c:\Documents and Settings\myname\Local Settings\Temporary Internet Files\Content.IE5\OYBHGCB5\
4/22/2009 12:04 Tracking Cookie Deleted Unavailable Trackware Unavailable

This is the log it cleaned the Trojan but the infostealer keeps on recreating itself in the quarantined folder and doesn't stop please help


pete_4u2002

hi,
the pending analysis threats need a reboot of the machine; it is recommended you scan in safe mode. Then you may also need to submit the file for SR analysis.
Update the system with the latest signature and scan in safe mode.

Cheers
Pete!!

efif

Ran in safe mode, was still recreating itself. Every second it deletes a file by the name of Infostealer and it creates a new one. The virus scan gets hung up removing this file and doesn't stop.

How do I submit for SR analysis?

Thanks for your help.

Efi

Beppe

Hi,

to submit a malware sample for the first time it is better to call technical support, so they will explain the procedure to you (how to find the file, how to submit it and how to react to the infection).

Regards,

Giuseppe

tony19

Update the system with the latest signature and scan in safe mode.

Sandeep Cheema

I saw your logs over there. We had a similar issue too, but now Symantec has modified the Eraser and you should have them deleted in normal mode as well. The definitions after 20090511 have this eraser. This is the excerpt from the email....
----------------------------------------------------------------------------------------------------------------------------------------------
As I told Mr. ***** today's certified definitions include vastly superior Eraser definitions for Qakbot which were requested because of the need to avoid reboot or safe mode. I suggested that you should test it on a client on your network to see if it will remove the virus that you are dealing with without having to re-boot or boot into SAFE MODE. Please let me know how this test goes for you. Thank you.
----------------------------------------------------------------------------------------------------------------------------------------------

And that did the trick for us. We were fighting against a new variant of IRCBot and Harakit and with an outbreak.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

SOLUTION
Golenz

I am having a similar issue... have tried scanning in regular and safe modes, with System Restore on and off, but can't seem to get rid of Infostealer. The scan identifies 4 files to be cleaned, then reports 3 cleaned. When I reboot and scan, 4 files to be cleaned again. Any suggestions?

Thanks.

Grant_Hall

Yes, you should submit the files to Symantec, then download the rapid release that will come after you submit the sample. This is the normal routine to follow when scanning in safe mode does not help. Also, for future reference, to save yourself some steps you should always scan with System Restore off. The reason we say this is because a virus can put itself into the System Restore files and "restore" itself after the scan in safe mode. Again, for future reference, you should make a new thread when you have an issue and link to the thread that is similar to yours. You should do this especially when the thread you are tagging onto is marked "solved", because people are more likely to ignore these threads. It also helps us not to confuse their issue with yours, because often they are not exact matches.

Cheers,
Grant

PS
If you are still having issues or want more clarification feel free to make a new post or PM me and I would be more than happy to help.

Please don't forget to mark your thread solved with whatever answer helped you : )