Trojans

Rather than reinvent the wheel: if you don't know what a trojan is, click here for the wiki page.

This page is about a trojan called PSW.WIN32.OnLineGames.tot, but it also covers trojans in general and how to spot them.

No anti-virus application can catch 100% of problems 100% of the time. It's therefore handy to have other ways to discover whether a trojan is running on your PC.

 

One Method

Double-click My Computer, type C:\Autorun.inf in the address bar and then hit Return:

My Computer

If you then see the Microsoft Internet Explorer Cannot Find information box... 

Microsoft Internet Explorer Cannot Find information box

...the chances are your PC doesn't have a trojan of this kind, one that plants an Autorun.inf in the root of the drive.

 

The Bad News

If there is a trojan present, then instead of the above message Notepad will open and a load of gobbledygook will appear. For example, PSW.WIN32.OnLineGames.tot gave me the following:

;4s5wiksiwk9olKd2AKrDikw4rr3k1a5aikKwwadr1koJjc3qLkSid6esSwi4rwe3ok2lomKZf3e5p
[AutoRun]
;klp4a3d93sowof5SJKO2a1olceA
open=b.com
;idokailDw17kl8ZwKSc21lwdDse34iDlaXlao9s7wsKjAJdAKlalZa2rrakS1ki244qkKFfpq4koJ3LLlkAqaLdA4s30iDrisiefS2nsss8a1ds9rqpdA5Sa51a
shell\open\Command=b.com
;Zsf148pkK3JKLAodwLDrsl03cjrL32Jljksia8we2ekfkok24wkjiDs4iD3
shell\open\Default=1
;Jra5jco24KODiwaLl1K5awk5Aaskrksi4ld4fA29Dio2LsD1fjko3eesS3kwidjrA7qCd33J4ia6ow4sK0oZa283
shell\explore\Command=b.com
;aAs4wcK9rfqDe5akoiAs52j

Ignoring the gobbledygook (the lines beginning with a semicolon are comments, so Windows never reads them) shows that the Autorun.inf file runs a command file called b.com. Googling b.com (or whatever you get) will start you on the road to discovering which trojan you are dealing with.

 

Another detection method

Some trojans use the Windows Hidden Files and Folders attributes to hide their files from the user and, in a further attempt to stay hidden, a trojan can also prevent the user from changing the Hidden Files and Folders setting. At least that gives us a way of knowing something is wrong!

Folder options

Screenshot: the Show hidden files and folders radio button is selected. It is found via My Computer > Tools > Folder Options... > View tab.

Clicking the Show hidden files and folders radio button appears to work, but after clicking Apply and OK the trojan switches the selection back to the option above, i.e. Do not show hidden files and folders.
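A scripted version of the two checks described above, the Autorun.inf lookup and the hidden-files setting, added here as an example; it is not code from the original page. It reads an autorun.inf the way Windows does, skipping the semicolon comment lines and reporting only the entries that name a program to run; it goes one step beyond the page by looking in the root of every drive letter rather than just C:\; and on Windows it reads the Folder Options "Hidden" value from the registry so you can see whether it has been flipped back. The sample autorun.inf is constructed from the one shown above, the function names are my own, and the registry location is the one Explorer uses for Folder Options > View (stated here as an assumption of the example).

```python
import os
import string

# Constructed sample autorun.inf, modelled on the one shown on this page:
# every other line is a ';' comment padded with filler characters.
SAMPLE_AUTORUN = r""";4s5wiksiwk9olKd2AKrDikw4rr3k1a5aikKwwadr1koJjc3qLkSid6esSwi4rwe3ok2lomKZf3e5p
[AutoRun]
;klp4a3d93sowof5SJKO2a1olceA
open=b.com
;idokailDw17kl8ZwKSc21lwdDse34iDlaXlao9s7wsKjAJdAKlalZa2rrakS1ki244qkKFfpq4koJ3LLlkAqaLdA4
shell\open\Command=b.com
;Zsf148pkK3JKLAodwLDrsl03cjrL32Jljksia8we2ekfkok24wkjiDs4iD3
shell\open\Default=1
;Jra5jco24KODiwaLl1K5awk5Aaskrksi4ld4fA29Dio2LsD1fjko3eesS3kwidjrA7qCd33J4ia6ow4sK0oZa283
shell\explore\Command=b.com
;aAs4wcK9rfqDe5akoiAs52j
"""


def parse_autorun(text):
    r"""Return the key=value entries of the [AutoRun] section.

    Lines starting with ';' are comments and are skipped, which is all the
    'gobbledygook' is. Keys are lower-cased (INI keys are not case-sensitive);
    values are kept exactly as written.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_commands(entries):
    r"""The entries that name a program Explorer would run: 'open' and any
    shell\<verb>\command value. 'shell\open\default=1' only marks which verb
    is the default and launches nothing by itself."""
    return {
        key: value
        for key, value in entries.items()
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command"))
    }


def scan_drive_roots(roots=None):
    """Map each drive root that carries an autorun.inf to the commands it
    would launch. Defaults to every lettered drive present on the machine."""
    if roots is None:
        roots = [c + ":\\" for c in string.ascii_uppercase if os.path.isdir(c + ":\\")]
    findings = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):  # hidden attribute does not hide it from this check
            with open(path, encoding="latin-1", errors="replace") as fh:
                findings[root] = launched_commands(parse_autorun(fh.read()))
    return findings


# Folder Options > View keeps its 'Show hidden files and folders' choice here:
# 1 = show, 2 = do not show. (Registry location assumed for this example.)
HIDDEN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"


def describe_hidden_setting(value):
    """Translate the registry value into the Folder Options wording."""
    return {1: "Show hidden files and folders",
            2: "Do not show hidden files and folders"}.get(value, "unknown (%r)" % (value,))


def hidden_files_setting():
    """Read the current user's 'Hidden' value; None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, HIDDEN_KEY_PATH) as key:
        value, _ = winreg.QueryValueEx(key, "Hidden")
    return value


if __name__ == "__main__":
    for key, cmd in launched_commands(parse_autorun(SAMPLE_AUTORUN)).items():
        print("sample autorun.inf: %s -> %s" % (key, cmd))
    for root, cmds in scan_drive_roots().items():
        print("%s autorun.inf launches: %s" % (root, cmds or "nothing"))
    setting = hidden_files_setting()
    if setting is not None:
        print("Folder Options currently: " + describe_hidden_setting(setting))
```

A hit on a drive root is a lead rather than a verdict: installer CDs and some USB sticks carry a legitimate autorun.inf, so compare the named command (here b.com) with what you expect to find on that drive, exactly as the page suggests doing with a web search. A Folder Options value that reads "Do not show hidden files and folders" moments after you set it to "Show" is the behaviour described above and is worth treating as a warning sign in its own right.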

 

Brand New PC Infected

I took delivery of a brand new Core 2 PC on 11 March and even though the free version of Avast! Anti Virus had been installed, I quickly discovered the PC was infected.  I only discovered this because I couldn’t change the hidden files and folders attribute.  FWIW coming from an Atari and working my way up from Windows 3.1/95/98/98se/Win2K... means I have become accustomed to seeing ALL files and folders, and file extensions too, so it’s one of the first things I change on a new PC. 

 

Googling on the problem suggested a trojan and since Avast! hadn't detected the problem I uninstalled it and installed the demo version of Kaspersky Internet Security 7.0 instead. Kaspersky revealed the problem to be Trojan-PSW.Win32.OnLineGames.tot

 

This trojan was first detected by Kaspersky at 12:49 on 10 March 2008 and I had it on 11 March!

 

Log File

The Kaspersky log revealed the command file had also been installed to, and was being run from, ALL three partitions; I hadn't even opened E:\ let alone copied files to it.   

detected: riskware Hidden install       Running process: C:\v.cmd
detected: riskware Trojan.generic       Running process: C:\v.cmd
detected: riskware Hidden install        Running process: D:\v.cmd
detected: riskware Invader                   Running process: D:\v.cmd
detected: riskware Hidden install         Running process: E:\v.cmd
detected: riskware Invader                    Running process: E:\v.cmd
detected: riskware Trojan.generic         Running process: E:\v.cmd

The rather nasty result of that meant that reformatting C drive and reinstalling Windows DID NOT solve the problem; I couldn't simply delete the v.cmd files anyway because a) they were hidden and I couldn't gain access to the hidden files and b) they would return on reboot because the Trojan had installed other .dll files and made registry entries too.   It had also created b.com and I located two other files: amv0.dll and 4keteh.dll 
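The log excerpt above is what told the author the file was running from every partition. Here, as an added example that comes neither from the page nor from Kaspersky, is a small parser for log lines of that shape which groups the detections by drive, so the list of partitions that need attention falls out directly. The sample lines are constructed from the ones quoted above, and the column layout it expects is only what those lines show.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Kaspersky excerpt quoted above; the
# run of spaces between the columns varies from line to line, as it does there.
SAMPLE_LOG = r"""detected: riskware Hidden install       Running process: C:\v.cmd
detected: riskware Trojan.generic       Running process: C:\v.cmd
detected: riskware Hidden install        Running process: D:\v.cmd
detected: riskware Invader                   Running process: D:\v.cmd
detected: riskware Hidden install         Running process: E:\v.cmd
detected: riskware Invader                    Running process: E:\v.cmd
detected: riskware Trojan.generic         Running process: E:\v.cmd
"""

# One detection line: a category, a verdict name that may contain spaces,
# then the path of the running process.
LINE_RE = re.compile(
    r"^detected:\s+(?P<category>\S+)\s+(?P<name>.+?)\s+Running process:\s+(?P<path>\S+)$"
)


def parse_log(text):
    """Return a list of (category, name, drive, filename) tuples, one per
    line that matches the detection format; other lines are ignored."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        path = match.group("path")
        drive, _, rest = path.partition("\\")
        filename = rest.rsplit("\\", 1)[-1]
        records.append((match.group("category"), match.group("name"), drive, filename))
    return records


def detections_by_drive(records):
    """Group verdict names by drive, in log order, without repeats."""
    grouped = defaultdict(list)
    for _category, name, drive, _filename in records:
        if name not in grouped[drive]:
            grouped[drive].append(name)
    return dict(grouped)


def drives_running(records, filename):
    """Sorted list of drives on which `filename` was reported as a running process."""
    return sorted({drive for _category, _name, drive, fname in records
                   if fname.lower() == filename.lower()})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for drive, names in sorted(detections_by_drive(recs).items()):
        print("%s  %s" % (drive, ", ".join(names)))
    print("v.cmd is running from:", ", ".join(drives_running(recs, "v.cmd")))
```

The author's conclusion follows straight from `drives_running`: when the same file is reported from C:, D: and E:, cleaning or reformatting C: alone leaves two live copies behind, which is why the rebuild described in the next section had to cover every partition.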

 

Very Bad News

As of 12 March 2008, it appears the only way to remove this Trojan is to reformat ALL partitions and reinstall Windows from scratch.  Fortunately, being a brand new PC, I didn’t lose any data and even though the PC was connected to my network, I was doubly lucky that the problem hadn't spread. 

If you encounter the same problem, I wish you good luck resolving it!   If you are successful, I'd love to know how you resolved the problem, click here to contact me  TIA 

Disclaimer: I am not a 'computer expert', the above information is provided as is and with the intention of helping others with the same problem. I am not responsible for any action you may take, please dyor.

 

Last updated:  2 January 2010