HardwareHeaven.com
Windows XP / 2000 / NT / 9x Forum Discussion for Windows operating systems from XP right back to the very beginnings!

Feb 27, 2005, 08:44 AM   #1
Data1232
DriverHeaven Lover
Join Date: Jul 2002
Location: Right. Behind. You.
Posts: 180

Virus Removal proving unsuccessful...

Hi guys,

I formatted the other day and made the mistake of not dumping my virus software on my computer before I went online to grab drivers, and have ended up with a nasty trojan that's called PWSteal.LDPinch. When I got Norton Systemworks 2003 on, I was told that it could remove it, but after 3 system scans it's only been able to identify it and says that it can't do anything further. I don't have any other antivirus programs, and I've tried the online version of Trend MicroVirus, and Panda AntiVirus, but those pulled up nothing. Currently there is an MS-DOS executable file sitting in my Documents and Settings folder under my account name titled "crss.exe." I have administrator privileges, but I can't delete the file, and Norton is picking that file up as the source of the problem. If I boot into Safe Mode, I get two files both titled "crss.exe" but now there is an MS-DOS shortcut icon as well. I have also searched for the registry entries that the Symantec case file cites but I haven't seen any of the entries that it discusses in my registry. If anyone's had any experience or any tips on removing this nasty bug I would greatly appreciate it.
__________________
Windows XP Pro 32-bit
Intel Core 2 Duo E6850
2 GB DDR2-800
eVGA 680i
XFX GeForce Ultra 8800 ()
Creative X-Fi Gamer


Feb 27, 2005, 12:12 PM   #2
Tipstaff
HardwareHeaven Extreme Member, Gold Member
Join Date: Jul 2002
Location: Real capital of Canada: Torauna
Posts: 6,773

First, to Symantec.. you guys need to get things together. Bad instructions.

Now, Data, it looks like you got infected by a damn password stealer, so here's what you do: Check out THIS SITE, and THIS SITE. The second site tells you how you got the trojan/virus, the 1st tells you in MORE detail about what files it's made, and where.

Before you do any cleaning though make sure you disable all unnecessary apps that start up. First, disconnect your ethernet cable. Then, click Start, Run, and type in msconfig.exe. On the far right you will see a tab called "Startup". Click it. Go through the list, and disable everything that looks suspicious. Things to leave would be your AV software, ATI software, ctfmon and updreg if they are listed too (they are both legit Windows proggies). Reboot, do whatever needs to be done cleaning wise, and reboot. Double check things, and rerun the AV scan. Make sure to delete files like this too: %Windir%\sysw.dll, %Windir%\csrss.exe, %Windir%\system.exe, %Windir%\var.txt.exe, and %Windir%\upss.exe.

Now what I'm about to say may piss you off: If you cannot get this puppy cleaned in a day... screw it! Seriously, you may not completely get rid of it, and in fact it may come back as soon as you get back on the net. It sounds like you just reinstalled your system too, but believe me, it may just be better to reformat, and start again.

Hope that helps.

- Tip
__________________


Portal: The Flash Version
_________________________________
Brain: So, you sacked the cocky khaki Kicky Sack sock plucker?
Mr. Sackett: The second cocky khaki Kicky Sack sock plucker I've sacked since the sixth sitting sheet slitter got sick.

Feb 27, 2005, 09:18 PM   #3 (Thread Starter)
Data1232
DriverHeaven Lover
Join Date: Jul 2002
Location: Right. Behind. You.
Posts: 180

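As an added example (not code from the thread or from any of its posters), here is a small Python triage helper built around the indicators in Tip's post and the symptom Data1232 describes. It expands %Windir%, flags the dropped-file names Tip lists when they sit directly under the Windows directory, flags a genuine system-process name found outside its home directory, and flags close look-alikes of system-process names such as the "crss.exe" in a user profile folder. The allowlist of system processes, the default C:\WINDOWS path and the sample list of paths are all constructed for this example.

```python
# Added example, not from the thread: offline triage of file paths against
# the PWSteal.LDPinch indicators quoted in post #2 and the look-alike
# pattern Data1232 reported (crss.exe in a profile folder, not csrss.exe).
import difflib
import ntpath
import re

# File names post #2 says to delete; all are expected directly under %Windir%.
LDPINCH_DROP_NAMES = {"sysw.dll", "csrss.exe", "system.exe", "var.txt.exe", "upss.exe"}

# Core Windows processes and the directory (relative to %Windir%) they normally
# run from. Constructed allowlist for this example, not an exhaustive one.
SYSTEM_PROCESS_DIRS = {
    "csrss.exe": "system32",
    "smss.exe": "system32",
    "winlogon.exe": "system32",
    "lsass.exe": "system32",
    "services.exe": "system32",
    "svchost.exe": "system32",
    "explorer.exe": "",
}


def _normalise(path, windir_l):
    """Expand %Windir% (any case), normalise separators and case, split off the name."""
    # A lambda replacement avoids re.sub treating backslashes in windir as escapes.
    expanded = re.sub(r"%windir%", lambda m: windir_l, path, flags=re.IGNORECASE)
    full = ntpath.normpath(expanded).lower()
    return ntpath.split(full)


def classify(path, windir=r"C:\WINDOWS"):
    """Return a list of finding tags for one path; an empty list means nothing flagged."""
    windir_l = ntpath.normpath(windir).lower()
    directory, name = _normalise(path, windir_l)
    findings = []

    # (1) One of the dropped-file names from the post, sitting directly under %Windir%.
    if name in LDPINCH_DROP_NAMES and directory == windir_l:
        findings.append("known-drop-name")

    if name in SYSTEM_PROCESS_DIRS:
        # (2) A genuine system-process name running from somewhere other than its home.
        expected = ntpath.normpath(ntpath.join(windir_l, SYSTEM_PROCESS_DIRS[name]))
        if directory != expected:
            findings.append("system-process-wrong-dir")
    else:
        # (3) A name whose similarity ratio to a system-process name is 0.8 or higher.
        close = difflib.get_close_matches(name, SYSTEM_PROCESS_DIRS, n=1, cutoff=0.8)
        if close:
            findings.append("lookalike:" + close[0])
    return findings


def triage(paths, windir=r"C:\WINDOWS"):
    """Map each flagged path to its findings; paths with no findings are omitted."""
    report = {}
    for p in paths:
        found = classify(p, windir)
        if found:
            report[p] = found
    return report


# Constructed sample: what Data1232 reported, names from post #2, and
# legitimate entries that must not be flagged.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Data\crss.exe",   # look-alike in a profile folder
    r"%Windir%\csrss.exe",                        # real name, wrong directory
    r"C:\WINDOWS\system32\csrss.exe",             # the genuine one: leave alone
    r"C:\WINDOWS\var.txt.exe",                    # dropped-file name from the post
    r"C:\WINDOWS\explorer.exe",                   # legitimate, lives under %Windir%
    r"C:\WINDOWS\system32\smss.exe",              # legitimate short name
]

if __name__ == "__main__":
    for path, tags in triage(SAMPLE_PATHS).items():
        print(f"{path}: {', '.join(tags)}")
```

Feed it the file names from an msconfig Startup export or a directory listing in place of SAMPLE_PATHS. Two design points: the genuine csrss.exe in system32 is deliberately not flagged even though the post's delete list names csrss.exe, because only the copy directly under %Windir% is foreign; and short genuine names such as smss.exe must be in the allowlist, otherwise the similarity check reports them as look-alikes of csrss.exe.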
Well, thanks for the help, but I had to resort to the format in order to get rid of it, as it just wouldn't come out. Definitely going to make sure the antivirus is up before I open a browser.

Feb 27, 2005, 11:27 PM   #4
Tipstaff
HardwareHeaven Extreme Member, Gold Member
Join Date: Jul 2002
Location: Real capital of Canada: Torauna
Posts: 6,773

Quote:
Originally Posted by Data1232
Well, thanks for the help, but I had to resort to the format in order to get rid of it, as it just wouldn't come out. Definitely going to make sure the antivirus is up before I open a browser.
Actually, just follow this simple rule: foreplay (install), condom (protection), real fun (um.. inser.. ok.. that's rude)... Same rules apply though.

What I usually do is disconnect any ethernet cable before I install. After installation I install the drivers that are critical (chipset, IDE, sound, video, ethernet), then install the AV software, plus any protection I need (firewall, spyware blockers, manually download MS patches). Then I reconnect the ethernet, and do the rest. Even if you don't open a browser XP tries to talk on the net right from bootup. If you're using a router or cable modem, well, then your PC is on the net. Already XP will have gotten listings of updates to install, and if you're on a network that is infected.. say hi to your little friend again. At least this way your AV software, even in its basic form, can give you some protection while you do the rest of the updates.

Hope you get things back up and running Data.

- Tip

Feb 28, 2005, 03:57 PM   #5
Matth
Flash Banner Hater
Join Date: Jun 2002
Location: UK
Posts: 3,426

If you have broadband, use a NAT router, even if you have only one machine!

Most routers will serve very well as an "incoming firewall", stopping all the incoming port compromise attempts - in fact, it's about as good as the Windows firewall, but without the inherent vulnerabilities of Windows.

You should still use a good firewall for application control, and a good antivirus, and most importantly, a dose of caution with email and websites.