
Help! How to remove net-worm.perl.santy.a trojan?

#1 Ferrante (Member, 207 posts)
I am trying to help my neighbor who has apparently been infected with the net-worm.perl.santy.a trojan. He keeps getting pop-ups when he tries to do anything. The alerts are coming from various anti-virus programs such as RedCross AV or Security Tools AV, plus others which I believe are non-existent. Nothing can be accessed from the computer. Even in safe mode, the pop-ups appear. Another window opens up, and I am not sure if this is part of the trojan or an actual message from the computer, which says:

run,32 infected wuth net-worm.perl.santy.a. trying to send credit card info using rundll32.exe to connect to remote host.

Considering the above problems getting into the OS, what is the easiest way to eliminate this trojan, please? Is there an automatic fix that I could put either on a CD or flash drive that could start during bootup but before the trojan could be activated? All responses are appreciated.
#2 RKinner (Malware Expert, MVP, 24,624 posts)
There are several bootable CDs you can download and try.

F-Secure's
http://www.f-secure....ools/rescue-cd/

Avira's
http://www.avira.com...detail?kbid=230


with detailed instructions here:
http://forum.avira.c...&threadID=82163

If you understand the registry then the offline registry editor is useful:
PC Regedit. See the instructions in the BOTTOM half of
http://www.raymond.c...ing-in-windows/
Most of these infections will mess with userinit (should be c:\windows\system32\userinit.exe,) or shell (should be explorer.exe) in
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Usually the following registry entries are involved:

HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPostRedirect" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "tmp"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "SelfdelNT"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\antispy.exe"

Though you sound like you may be seeing several infections at the same time, so you may have more. If the PC won't boot after running a scan, it's probably because the malware was removed but the registry entry was not, so you will have to go in with PC Regedit and fix it.

Ron
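A defender-side check for the registry values Ron lists above, as an added PowerShell example that is not part of the thread. It assumes it is run in an elevated PowerShell on the affected machine once it boots (or against a hive loaded from the offline editor); the HKLM Winlogon path is added because that is where Windows stores Shell and Userinit by default, and the expected values (explorer.exe, userinit.exe with its trailing comma) are the standard Windows defaults.

```powershell
# Added example, not from the thread: audit the Winlogon and Run-key values
# named in the post above. Assumes an elevated PowerShell on the affected PC.

# Windows defaults; the trailing comma on Userinit is normal.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\Windows\system32\userinit.exe,'
}

$winlogonPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # default location
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override named in the post
)

# Other entries the post associates with this family (hypothetical "Bad" marks the value to flag).
$indicators = @(
    @{ Path = 'HKCU:\Software\PAV'; Name = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'WarnonBadCertRecving'; Bad = 0 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'WarnOnPostRedirect'; Bad = 0 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'tmp' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'SelfdelNT' }
)

function Test-WinlogonValues {
    foreach ($path in $winlogonPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $expected.Keys) {
            $actual = $props.$name
            if ($null -eq $actual) { continue }          # HKCU normally has no Shell/Userinit at all
            if ($actual -ne $expected[$name]) {
                [pscustomobject]@{ Path = $path; Value = $name; Actual = $actual; Expected = $expected[$name] }
            }
        }
    }
}

function Test-IndicatorKeys {
    foreach ($i in $indicators) {
        if (-not (Test-Path $i.Path)) { continue }
        if ($null -eq $i.Name) { [pscustomobject]@{ Path = $i.Path; Value = '(key exists)'; Actual = '' }; continue }
        $v = (Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue).($i.Name)
        if ($null -eq $v) { continue }
        if ($i.ContainsKey('Bad') -and $v -ne $i.Bad) { continue }   # warning still enabled, nothing to report
        [pscustomobject]@{ Path = $i.Path; Value = $i.Name; Actual = $v }
    }
}

$findings = @(Test-WinlogonValues) + @(Test-IndicatorKeys)
if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators from the post were found.' }
```

Any Winlogon row reported here is the value to restore (for example with Set-ItemProperty to the Expected column) before rebooting, which is the failure Ron describes when a scanner removes the file but leaves the entry behind.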

#3 Ferrante (Topic Starter, Member, 207 posts)
Thank you for the detailed information. I will post in a few days and let you know how things went. I probably will not go to his apartment for a day or two despite his incessant (not to mention bothersome) phone calls! Again, thanks.