Help with a trojan!

Project86

Golden Member
Nov 12, 2002
1,001
3
81
I need some help please. I've run out of stuff to do... My PC here at work is infected with troj_qoolaid.s as reported by Trend OfficeScan. The infected file is listed as c:\windows\system32\piqprp.exe; the problem is I can't find that file to delete it! I looked at all system files/hidden files, still no luck.

As far as I can tell, the trojan is installing spyware and making popups, nothing worse. But it's really annoying!

I've tried a few free online scans; they either don't find it or find it but can't clean it for some reason. The stupid software we use at work is "Trend Micro OfficeScan", which keeps finding it every few minutes, but can't clean it either.

I think part of the problem is that I can't turn off "system restore" since I don't have admin rights. The helpdesk monkey has been in here twice to try and fix it with no luck...

Any other ideas?
 

montag451

Diamond Member
Dec 17, 2004
4,587
0
0
What firewall do you use?
Can you isolate the computer - or was it on a network? If it is on a network - then it is possible that all the computers have got it now.
How did it get there?
Can you install the following:
ADAWARE
SPYBOT
TROJANHUNTER
SPYSWEEPER
KASPERSKY trial/demo
MICROSOFT Antispyware Beta
Update them all.
Make sure that they are not set to run at boot in config/options.

Reboot into Safe mode.
Run all the scans - Kaspersky first then take your pick
One at a time.
Please post back.
 

Project86

Golden Member
Nov 12, 2002
1,001
3
81
It seems to just be on this local computer. This computer is networked but none of the other computers in the room have the trojan. It has been on this computer (judging by the symptoms) for at least a week. So I don't think it is able to make the jump. We have hardware firewall, don't know much about it.

I have actually tried all those programs you mentioned, in safe mode, plus a few others: PestPatrol, Trend Micro free online scan, and A(squared). Most of them find old old stuff in quarantine from their fellow programs, but none of them find the trojan I'm referring to. I'm still waiting for Kaspersky to finish though. Trend OfficeScan and A(squared) pop up frequently and advise me of the infected file, but they say they can't delete it or quarantine it...

Anyways, this is what I found out: the file DOES exist, I just can't find it in Windows. Using cmd, it shows up. When trying to delete it, it says "access denied". Attrib doesn't list anything special for it (i.e. system file, hidden file, etc.), so I don't know why it won't let me delete it. I tried renaming it (to delete.me) to see if that would stop it from launching itself, but when I reboot like that the system hangs. So now I'm back in safe mode, wondering what else to do.
 

Project86

Golden Member
Nov 12, 2002
1,001
3
81
I can't disable system restore, since I don't have admin rights (unless there is another way of doing it?)
 

tyanni

Senior member
Sep 11, 2001
608
0
76
Originally posted by: Project86
I can't disable system restore, since I don't have admin rights (unless there is another way of doing it?)

Then your IT folks should be doing this...
 

Project86

Golden Member
Nov 12, 2002
1,001
3
81
My IT folks are morons, that's part of the problem. Also, the bigger issue: this is the only police dispatch center that I know of (around here) that allows employees to use internet freely. The more problems we create for IT, the more they will get sick of dealing with it and someone will decide to get rid of our access. That's what I'm trying to avoid.

Anyways, I figured out a way to disable system restore. I think I might have fixed the problem. Windows now starts up, but takes about 15 min to get rolling. But once running, it seems pretty good. So I'm gonna keep messing around and see what I can find.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: Project86
My IT folks are morons, that's part of the problem.....
Hmmmm..... they may be morons, but you are the one that put a trojan on your system.

Seriously, if the IT folks can't easily find the problem, they should know enough to level the system and rebuild it. They obviously don't have the tools or knowledge to be sure that whatever it's infected with is TRULY gone. And if it's taking 15 minutes to boot, I'd say that something's still wrong.

Today's malware, including trojans, spyware, worms, viruses, and rootkits, is getting more and more aggressive and harder to detect and remove. How much more time and money can your office afford to spend on an infected computer?

And how come your antivirus didn't pick up the trojan before it installed? Trend Micro does a pretty good job at this. It's one of the best.

Your office should:
Level and rebuild this computer.
Make sure that antivirus software is installed on your mail server to remove viruses and trojans BEFORE they reach you.
Verify that antivirus and antispyware software are installed on each PC.
Change user rights so that they are limited. Remove all users as Local Administrators and give all normal Domain users standard rights only. This will keep most infections from ever happening.
 

talyn00

Golden Member
Oct 18, 2003
1,666
0
0
I assume your IT people would just simply reimage the machine, as it usually saves a lot more time than looking for the fix.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Project86
My PC here at work is infected with troj_qoolaid.s as reported by trend officescan. The infected file is listed as c:\windows\system32\piqprp.exe the problem is I can't find that file to delete it! I look at all system files/hidden files, still no luck.
Why isn't TrendMicro deleting it? What happens instead? Did you try scanning in Safe Mode when you were fighting it?

 

Project86

Golden Member
Nov 12, 2002
1,001
3
81
RebateMonger: I didn't get the trojan. We have 8 workstations here, and you sit wherever is available on any given day. Some of my coworkers will click on any banner that they see... they are really bad. I'm pretty much always on AT/OC forums and stuff like that, so I doubt it was me.

mechBgon: Trend Micro keeps saying that it finds the file, but cannot complete the remove action. It never mentions anything about quarantine, so it's either not trying or can't do that either.


In any case, the system seems to be decent now, but it's still sluggish. Kaspersky found one more trojan (not the same one) and deleted it. Now Trend, Kaspersky, trollhunter, etc. scan clean with no problems found. But the system is slow, maybe 25% slower than before. I made sure I don't have any of those AV/Troll programs running in the background taking up resources. But it's still slow... So I don't know what to do about that. Maybe that's just the way it has to be...
 

FlyingPenguin

Golden Member
Nov 1, 2000
1,793
0
0
An anti-virus program CAN'T remove a spyware trojan, which is what this really is. Spyware hides copies and recovery utilities in all kinds of places, and you need to check for traces in registries, BHOs, compromised HOSTS file, etc. You need to do a thorough spyware cleaning IN SAFE MODE. Refer to my spyware removal instructions here: http://theflyingpenguin.com/spyware-removal.shtml

Then afterwards run a FULL virus scan in SAFE MODE.

Fair warning: we've been bombarded by a couple of new very nasty ones this week that there aren't any good fixes for yet. If you're unlucky enough to have one, you may have to wait a week or two for new definitions or tools that handle them. This is a notoriously bad time for virus and spyware infections because all the security companies are on holiday.

Hope this helps...
 
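One of the checks FlyingPenguin lists above (a compromised HOSTS file), and a way to confirm whether the symptoms Project86 describes earlier in the thread include this kind of tampering, as an added example that is not part of the original thread: a small Python audit that parses a HOSTS file and flags entries that pin a site to the loopback or unspecified address (which silently blocks it, a common way update sites get cut off) or that redirect a name to some other address. The sample HOSTS text and all domain names in it are constructed placeholders, and the "protected" site list is an assumption a practitioner would fill with the vendor hosts they actually rely on.

```python
"""Audit a Windows HOSTS file for spyware-style tampering (constructed example)."""
import ipaddress
from typing import List, Tuple

# Names that legitimately map to loopback in a stock HOSTS file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Placeholder checklist (assumption): sites whose redirection is especially suspicious,
# e.g. the AV/anti-spyware update hosts the machine depends on.
PROTECTED_NAMES = {"update.example-av.test", "www.example-av.test"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) triples, skipping blank and comment lines."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:                 # one IP may carry several names
            entries.append((no, parts[0], name.lower()))
    return entries


def audit_hosts(text: str) -> List[str]:
    """Return one human-readable finding per suspicious HOSTS entry."""
    findings = []
    for no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"line {no}: unparsable address {ip!r} for {name}")
            continue
        if addr.is_loopback or addr.is_unspecified:
            if name not in LEGIT_LOOPBACK_NAMES:
                findings.append(f"line {no}: {name} pinned to {ip} (site is blocked)")
        else:
            tag = " (protected site)" if name in PROTECTED_NAMES else ""
            findings.append(f"line {no}: {name} -> {ip} overrides DNS{tag}")
    return findings


# Constructed sample: a stock localhost line plus two tampered entries.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       update.example-av.test      # update site silently blocked
10.0.0.5        www.example-bank.test       # redirected to another address
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```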

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: Project86
RebateMonger: I didn't get the trojan. We have 8 workstations here, and you sit wherever is available on any given day. Some of my coworkers will click on any banner that they see... they are really bad. I'm pretty much always on AT/OC forums and stuff like that, so I doubt it was me.
At a minimum, your office should be using this:
Microsoft's (Free) Shared Computer Toolkit for XP.

They can use this to lock down PCs so that shared users won't mess up the PC for others and to limit the damage caused by users clicking on banners.

 

Project86

Golden Member
Nov 12, 2002
1,001
3
81
I did everything in safe mode, that's how I got to where I am now.

RebateMonger: I have suggested this ever since I first learned about it. The problem is this: we are a city police department, so our IT handles not just us but the entire city (street dept, sewers, city hall, etc.), so they have a LOT of computers to deal with. Also, like any good Gov. setup, there doesn't seem to be any one person who can make a decision and implement it.

As for the computer, it seems to actually be running at normal speed now... so I don't know.
 