Help! How to remove net-worm.perl.santy.a. trojan?



#1 Ferrante (Member, 207 posts)

I am trying to help my neighbor who has apparently been infected with the net-worm.perl.santy.a. trojan. He keeps getting pop-ups when he tries to do anything. The alerts are coming from various anti-virus programs such as RedCross AV or Security Tools AV, plus others which I believe are non-existent. Nothing can be accessed from the computer. Even in safe mode, the pop-ups appear. Another window opens up, and I am not sure if this is part of the trojan or an actual message from the computer, which says:

run,32 infected wuth net-worm.perl.santy.a. trying to send credit card info using rundll32.exe to connect to remote host.

Considering the above problems getting into the OS, what is the easiest way to eliminate this trojan, please? Is there an automatic fix that I could put either on a CD or flash drive that could start during bootup but before the trojan could be activated? All responses are appreciated.


#2 RKinner (Malware Expert, MVP, 23,727 posts)

There are several bootable CDs you can download and try.

F-Secure's
http://www.f-secure....ools/rescue-cd/

Avira's
http://www.avira.com...detail?kbid=230


with detailed instructions here:
http://forum.avira.c...&threadID=82163

If you understand the registry then the offline registry editor is useful:
PC Regedit. See the instructions in the BOTTOM half of
http://www.raymond.c...ing-in-windows/
Most of these infections will mess with userinit (should be c:\windows\system32\userinit.exe,) or shell (should be explorer.exe) in
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Usually the following registry entries are involved:

HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPostRedirect" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "tmp"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "SelfdelNT"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\antispy.exe"

Though you sound like you may be seeing several infections at the same time, so you may have more. If the PC won't boot after running a scan, it's probably because the malware was removed but the registry entry was not, so you will have to go in with PC Regedit and fix it.

Ron
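As an added example (not code from the thread or from either poster), here is a read-only PowerShell audit of the Winlogon values and the indicator registry entries Ron lists above. It assumes an elevated PowerShell prompt on the affected machine (in Safe Mode, or after booting clean); it compares Shell and Userinit against the expected values given in the post and, as my own addition, checks the HKLM Winlogon key (where Windows defines those two values by default) alongside the HKCU key named in the post. Function names are my own.

```powershell
# Added example: report Winlogon tampering and the indicator entries from the post.
# Read-only: nothing is changed; fix anything flagged with PC Regedit or regedit.

# Expected values as given in the post (the trailing comma on userinit is normal).
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'c:\windows\system32\userinit.exe,'
}

# HKLM is where Windows defines Shell/Userinit; HKCU is the key the post names,
# where a per-user override would normally not exist at all.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Indicator entries from the post. Name = $null means "the key itself is the indicator";
# Bad = $null means "any value under that name is worth a look".
$indicators = @(
    @{ Key = 'HKCU:\Software\PAV'; Name = $null; Bad = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'WarnonBadCertRecving'; Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'WarnOnPostRedirect'; Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'tmp'; Bad = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'SelfdelNT'; Bad = $null }
)

# Return a registry value, or $null if the key or the value does not exist.
function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

# Flag an HKLM Shell/Userinit that differs from the expected value (comparison is
# case-insensitive, as PowerShell's -ne is by default) and any HKCU override at all.
function Test-WinlogonValues {
    $findings = @()
    foreach ($key in $winlogonKeys) {
        foreach ($name in $expected.Keys) {
            $actual = Get-RegValueOrNull -Key $key -Name $name
            if ($key -like 'HKLM:*') {
                if ($null -ne $actual -and $actual.Trim() -ne $expected[$name]) {
                    $findings += "[!] $key\$name = '$actual' (expected '$($expected[$name])')"
                }
            } elseif ($null -ne $actual) {
                $findings += "[!] $key\$name = '$actual' (per-user override; normally absent)"
            }
        }
    }
    return $findings
}

# Flag each indicator key/value from the post that is present (and, where a specific
# bad value is given, equals it).
function Test-IndicatorEntries {
    $findings = @()
    foreach ($i in $indicators) {
        if (-not (Test-Path -LiteralPath $i.Key)) { continue }
        if ($null -eq $i.Name) {
            $findings += "[!] key present: $($i.Key)"
            continue
        }
        $actual = Get-RegValueOrNull -Key $i.Key -Name $i.Name
        if ($null -eq $actual) { continue }
        if ($null -eq $i.Bad -or $actual -eq $i.Bad) {
            $findings += "[!] $($i.Key)\$($i.Name) = '$actual'"
        }
    }
    return $findings
}

$all = @(Test-WinlogonValues) + @(Test-IndicatorEntries)
if ($all.Count -eq 0) {
    Write-Output 'No Winlogon tampering or listed indicator entries found.'
} else {
    $all | ForEach-Object { Write-Output $_ }
    Write-Output 'Correct any flagged Winlogon value before rebooting if a scanner has removed the file it points to.'
}
```

Run it before and after the rescue-CD scan: if the scan deletes the file that Shell or Userinit points to but leaves the value behind, the second run will show exactly the entry that has to be repaired with the offline registry editor before the machine will boot normally.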

#3 Ferrante (Topic Starter, Member, 207 posts)

Thank you for the detailed information. I will post in a few days and let you know how things went. I probably will not go to his apartment for a day or two despite his incessant (not to mention bothersome) phone calls! Again, thanks.