topic Re: problem with Trojan DomCom again in Operating System - Microsoft

problem with Trojan DomCom again

Joe van Raamt — Wed, 08 Jun 2005 08:16:11 GMT

I have the same problem, I followed the steps provided by Norton, but it does not show in in the right hand panel as per attachment in previous post. It is apparently hiding in Source: ipreg32.dll
Description: The compressed file ipreg32.dll within C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\666N6D4H\ipreg32[1].cab is infected with the Trojan.Domcom virus.
Click for more information about this threat : Trojan.Domcom but Norton can not delete the trojan. I have tried to remove it in safe mode as well. When I check the contents of the internet files, it comes up empty, but when I click on properties it shows five files in there (see attachment)

Re: problem with Trojan DomCom again

kcpant — Thu, 09 Jun 2005 01:23:34 GMT

Hi Joe,

as the name suggests, trojans "hide" themselves anywhere on the local system or the networked machines. removing files once from a certain location is usually not an accurate solution, you shopuld use some other pathes or trojan cleaning antiviruses, as well as some better firewall security packs/ antispywares etc to properly protect your system. you should update the OS with latest SP and security patches ( windows updates if it's a windows OS) to block the holes on your OS.

Re: problem with Trojan DomCom again

Edgar Zapata — Thu, 09 Jun 2005 01:58:38 GMT

Also, do not log on as an administrator.
Or remove the user you use to log on with from the administrators group.

See this:
www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_whynot_admin.mspx

regards.

Re: problem with Trojan DomCom again

Edgar Zapata — Thu, 09 Jun 2005 02:23:06 GMT

Here's a guy that had a problem with same trojan couple of weeks ago.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?admit=716493758+1118301660905+28353475&threadId=888955

hope it helps.
regards.

Re: problem with Trojan DomCom again

Joe van Raamt — Thu, 09 Jun 2005 08:28:37 GMT

Hi Kcpant, I have done all that, to no avail. I have 4 different types of spy-ware detector programs and none detects the trojan. (Norton does detect, but can not delete it).
---------------------------------------------
Edgar, I am automatically logged in when I start the computer and there is no other user listed. I tried that url, but it did not work. I will try again by modifying the url. The las link was to my previous post about this. I thought that I had the system clean at that time. I believe that this trojan was re-installed from the same web site (my son forgot to clear the history log)where it came from to begin with. However, this time I could not get rid of it.

Re: problem with Trojan DomCom again

Edgar Zapata — Thu, 09 Jun 2005 09:04:19 GMT

Joe,
I would run this free on-demand AV solution:

Follow instructions here (under Recovery tab):
http://www.sophos.com/virusinfo/analyses/trojdomcomc.html
regards.

---
McAfee Stinger might also help.
http://vil.nai.com/vil/stinger
This is a very usefull tool.
DomCom is not listed under stinger though.

Re: problem with Trojan DomCom again

Joe van Raamt — Fri, 10 Jun 2005 00:59:33 GMT

I tried the sophos web site, but there does not seem to be a trial version. Would you know of any where I could get one? The stinger did not find the trojan.

Re: problem with Trojan DomCom again

kcpant — Fri, 10 Jun 2005 01:57:07 GMT

Hi Joe,

You can try cleaning registry entries following this procedure:

" To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

1. Click Start > Run.
2. Type regedit
3. Click OK.

4. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

5. In the right pane, delete the value:

"loader32 " = "%AppData%\SysDown\sys[5 random numbers].exe"

6. Navigate to and delete the following registry subkeys:

HKEY_CLASS_ROOT\CLSID\{031B6D43-CBC4-46A5-8E46-CF8B407C1A33}
HKEY_CLASS_ROOT\TypeLib\{4A31E565-08CB-4272-8817-7BF729B6A96F}
HKEY_CLASS_ROOT\Interface\{CC1725CD-1EFA-4D88-8987-5EBF66347856}
HKEY_CLASS_ROOT\DownCom.CDownCom.1
HKEY_CLASS_ROOT\DownCom.CDownCom

7. Exit the Registry Editor."

You should not login as administrator, make a separate standard user for normal use. If you are using WinXP, go to control panel > user accounts > change the way users log in /off, and de-select " use the welcome screen". before doing this, note down the password for current user (administrator), or reset the password if you don't know. now, create a new user, and give him " standard user" access. you can login now by typing this user name and password. you can copy the data from old user's profile to the new one by logging in as administrator.

Re: problem with Trojan DomCom again

Joe van Raamt — Fri, 10 Jun 2005 09:54:07 GMT

I tried to follow the above instructions before and again, but when I arrive at the "run" key, nothing about the loader32 shows in the right hand panel or anywhere else for that matter.

Re: problem with Trojan DomCom again

Joe van Raamt — Mon, 13 Jun 2005 23:13:19 GMT

The trojan was deleted with the Killbox program. URL was provided by Mr. Venkatesh on the "windows" page.