Author Topic: Win32:Adan-07 & Trojano-1152  (Read 9628 times)


megaman04

  • Guest
Win32:Adan-07 & Trojano-1152
« on: November 13, 2005, 09:02:18 PM »
I've got a predicament, :(.  My friend has an HP PC and uses Earthlink to connect to the World Wide Web.  A couple of days ago, while connecting to the internet via Earthlink, the normal connection changed to a Microsoft "IE My Connection."  I had to click on the "hangup" option, then the normal Earthlink connection was made.  But right after the connection, a virus popped up, the Win32:Trojano-1152 virus.  I moved it to the avast virus chest.  The strange thing about this is that every time "after" the connection is made to the internet via Earthlink, the same Trojano virus appears and I have to move it to the chest again.  To this date, there are three of the same Trojano virus in the chest.  I scanned this virus in the chest and looked up the details.  The original file name is C:\WINDOWS\SYSTEM\SSK3.exe.  The file name is SSK3.exe.  I am thinking that every time I connect, the virus will keep popping up and I have to move it to the chest.  There's another virus, Win32:Adan-07, in the chest also, but it's the Trojano that keeps appearing when connecting to the internet.  For some reason the Trojano virus is not being permanently removed from the C:\WINDOW\SYSTEM thing.  I have the Microsoft IEradicator and the IE6 setup files on a CD.  I also have Earthlink's latest dial-up files on a CD, but what do I do?  Can I just delete the viruses that are in the chest and use the IEradicator and IE6 setup files and the Earthlink setup files?  Or do I need to do something else?  This situation has never happened before on my friend's computer.  Thank you for your prompt expertise, Megaman

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Win32:Adan-07 & Trojano-1152
« Reply #1 on: November 13, 2005, 09:13:12 PM »
It is being moved, but it is also coming back, we have to establish why.

See this link (a Google search for ssk3.exe) for some other info, etc.: http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=SSK3.exe

Are you using a firewall, if so what?
What OS are you using? - if you're using XP then check the DropMyRights link in my signature.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34057
  • malware fighter
Re: Win32:Adan-07 & Trojano-1152
« Reply #2 on: November 13, 2005, 09:55:38 PM »
Hi megaman-04,

The Win32:Adan is an adware toolbar, see:
http://www.spywareguide.com/product_show.php?id=2128

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Adan-07 & Trojano-1152
« Reply #3 on: November 13, 2005, 10:16:14 PM »
This is SurfSideKick: it has components which protect the installation so removing the one file is ineffective.

Your first line of attack is to try the anti-spyware programs and see if they can remove it. (Preferably run them in safe mode: tap F8 while rebooting.)

Ad-Aware

http://www.lavasoft.com/

Spybot Search & Destroy

http://www.safer-networking.org/en/download/

Ewido

http://www.ewido.net/en/
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Spiritsongs

  • Guest
Re: Win32:Adan-07 & Trojano-1152
« Reply #4 on: November 14, 2005, 06:58:48 PM »
 :)  The BEST site to download the latest Ad-Aware is :

     www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html

megaman04

  • Guest
Re: Win32:Adan-07 & Trojano-1152
« Reply #5 on: November 22, 2005, 10:52:51 PM »
I need some help regarding the Trojano-1152 virus.

I scanned my friend's computer using avast's home edition.  Two Trojano-1152 viruses were found.

First virus location:  c:\_RESTORE\TEMP\A0007313.CPY
Avast's recommended action:  Move to chest, so I clicked on that option, but a window popped up from avast:  Access is denied, cannot process c:\_RESTORE\TEMP\A0007313.CPY.  So I clicked on okay, then the virus alert popped up and I couldn't move the trojan to the chest.

I clicked on delete, and then clicked on delete permanently, and the scanning resumed.

Results of the scan:  c:\WINDOWS\SYSTEM\SSK3.exe, Win32 Trojano-1152, file was successfully moved to chest.

Results of the scan:  c:\_RESTORE\TEMP\A0007313.CPY, Win32 Trojano-1152, file was marked to be deleted t.... (this part was not revealed, I don't know the rest of the info).

Two questions:  Was the virus that infected the SSK3 file deleted or is it located somewhere on the computer?

Also, do I use HijackThis, search & destroy, spyblaster, and other programs in "safe mode" to clean up the computer?  This is what I was instructed to do about a year and a half ago whenever a virus was found on the computer.

After scanning with Avast, I didn't do any more virus, spyware "clean-up."

What else do I do?  Thanks, Megaman



Offline DavidR

Re: Win32:Adan-07 & Trojano-1152
« Reply #6 on: November 23, 2005, 12:04:40 AM »
This is a part of the system restore; C:\_Restore is Windows protected storage and you can't directly delete or move items from it. You need to disable system restore.

Win XP-ME - How to disable System Restore

Once you have disabled system restore, reboot, that should automatically delete the contents of the _Restore folders. Scan your PC again and if clear enable system restore.
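Added example (not part of the thread and not avast's own code): the two situations diagnosed in the replies above, a file that keeps coming back after being moved to the chest and a copy held inside System Restore storage, told apart from scan-result rows. The rows are constructed in the shape megaman04 quotes, and `triage`, `ADVICE` and the verdict names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed rows in the shape quoted in the thread: "<path>, <detection>, <action>".
# Three SSK3.exe rows mirror the three chest entries the original poster describes.
SAMPLE_RESULTS = r"""
c:\WINDOWS\SYSTEM\SSK3.exe, Win32 Trojano-1152, file was successfully moved to chest
c:\WINDOWS\SYSTEM\SSK3.exe, Win32 Trojano-1152, file was successfully moved to chest
c:\WINDOWS\SYSTEM\SSK3.exe, Win32 Trojano-1152, file was successfully moved to chest
c:\_RESTORE\TEMP\A0007313.CPY, Win32 Trojano-1152, access is denied
"""

# System Restore storage: \_RESTORE on Windows ME, \System Volume Information on XP.
RESTORE_STORE = re.compile(r"^[a-z]:\\(_restore|system volume information)\\", re.I)

ADVICE = {
    "restore-point-copy": "disable System Restore, reboot, rescan, then re-enable",
    "reappearing": "something re-creates the file; scan in safe mode with "
                   "anti-spyware tools and review startup entries",
    "single-detection": "quarantined once; rescan to confirm it stays gone",
}

def triage(results_text):
    """Map each detected path (lower-cased) to (verdict, advice)."""
    hits = defaultdict(int)
    for line in results_text.strip().splitlines():
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) == 3:              # skip anything that is not a result row
            hits[parts[0].lower()] += 1
    findings = {}
    for path, count in hits.items():
        if RESTORE_STORE.match(path):
            verdict = "restore-point-copy"   # stored copy inside the restore store
        elif count > 1:
            verdict = "reappearing"          # removed before, detected again
        else:
            verdict = "single-detection"
        findings[path] = (verdict, ADVICE[verdict])
    return findings

if __name__ == "__main__":
    for path, (verdict, advice) in triage(SAMPLE_RESULTS).items():
        print(f"{path}: {verdict} -> {advice}")
```
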

Offline FreewheelinFrank

Re: Win32:Adan-07 & Trojano-1152
« Reply #7 on: November 23, 2005, 09:27:37 AM »
Running the three programs I mention above would be a good double check - each usually finds stuff the others missed: running them in safe mode is a good idea.

HijackThis! does not remove malware, it only tells us what is running on your computer and where it starts from. Post a log when you have run the scans above and we can tell you if your computer is clean.

http://www.bleepingcomputer.com/forums/tutorial42.html

Spyware Blaster will protect against spyware infections: install it after your computer is clean.

megaman04

  • Guest
Re: Win32:Adan-07 & Trojano-1152
« Reply #8 on: November 23, 2005, 08:12:40 PM »
> This is a part of the system restore; C:\_Restore is Windows protected storage and you can't directly delete or move items from it. You need to disable system restore.
>
> Win XP-ME - How to disable System Restore
>
> Once you have disabled system restore, reboot, that should automatically delete the contents of the _Restore folders. Scan your PC again and if clear enable system restore.


Okay, I'll do that.  Thanks, Megaman

megaman04

  • Guest
Re: Win32:Adan-07 & Trojano-1152
« Reply #9 on: November 23, 2005, 08:15:48 PM »
> Running the three programs I mention above would be a good double check - each usually finds stuff the others missed: running them in safe mode is a good idea.
>
> HijackThis! does not remove malware, it only tells us what is running on your computer and where it starts from. Post a log when you have run the scans above and we can tell you if your computer is clean.
>
> http://www.bleepingcomputer.com/forums/tutorial42.html
>
> Spyware Blaster will protect against spyware infections: install it after your computer is clean.

Okay, thanks for the info.  I'm having trouble finding the links to update:  CWShredder, Spyware Blaster, and HijackThis.  Can you post those links, if you know them, so I can update the programs?  Thanks, Megaman

megaman04

  • Guest
Re: Win32:Adan-07 & Trojano-1152
« Reply #10 on: November 23, 2005, 08:38:22 PM »
> This is a part of the system restore; C:\_Restore is Windows protected storage and you can't directly delete or move items from it. You need to disable system restore.
>
> Win XP-ME - How to disable System Restore
>
> Once you have disabled system restore, reboot, that should automatically delete the contents of the _Restore folders. Scan your PC again and if clear enable system restore.


David, thanks for the info.  But when I got to the troubleshooting tab, the "disable system restore" box was already checked.  Do I uncheck the box, reboot, then check the box?  So is the virus still somewhere in the computer?  What do I do now?  Do I use avast to rescan again with the "disable system restore" box unchecked?  I must have scanned the system with the box checked.  Thanks for your help, Megaman

Offline DavidR

Re: Win32:Adan-07 & Trojano-1152
« Reply #11 on: November 23, 2005, 08:57:30 PM »
Yes, uncheck means switch off/disable system restore and reboot.

The virus as you reported is in one of the restore points and can't be removed from there because it is protected storage, the only way to remove it from there is disabling system restore as I have said in the post you quoted.

Yes, leave system restore disabled and carry out an avast scan, only when your system is clear should you then enable system restore as I have said in the post you quoted.

megaman04

  • Guest
Re: Win32:Adan-07 & Trojano-1152
« Reply #12 on: November 23, 2005, 09:04:48 PM »
> Yes, uncheck means switch off/disable system restore and reboot.
>
> The virus as you reported is in one of the restore points and can't be removed from there because it is protected storage, the only way to remove it from there is disabling system restore as I have said in the post you quoted.
>
> Yes, leave system restore disabled and carry out an avast scan, only when your system is clear should you then enable system restore as I have said in the post you quoted.

Okay David, so I uncheck it, rescan avast to make sure system is clean, then check it again and leave it checked.  Thanks, Megaman

Offline DavidR

Re: Win32:Adan-07 & Trojano-1152
« Reply #13 on: November 23, 2005, 09:07:29 PM »
Uncheck it, reboot, scan, and if clear, check it again, ooh and reboot again so it takes effect.

megaman04

  • Guest
Re: Win32:Adan-07 & Trojano-1152
« Reply #14 on: November 24, 2005, 04:54:29 AM »
> Uncheck it, reboot, scan, and if clear, check it again, ooh and reboot again so it takes effect.

Thanks David, will do that.  Megaman