Detected trojan.startup.nameshift.fl

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Does anyone know of this trojan and what is the recovery - it seems to have
blocked access to various A/V websites ande otherwise manged the system.
 
Our resident "expert" Andy Manchesta says this:

The "Nameshifter" name is just used by MS Antispy which
then gets passed on to Counterspy but the name itself
doesnt show what the infection is so it's always hard to
answer nameshifter questions, Only the MS team would know
what infection this relates to all its really saying it
that it can change its name so that could be alot of
malware (Look2me,Qoologic,Aurora,Elite,CoolWebSearch
etc..)

Here's a few options

When you say it keeps coming back, MSAS should tell you
what the filename is and where it is located, If its
in "System Volume Information" let us know as you can
just flush your system restore to remove it.

This could change it's name everytime you reboot like
Aurora's entry or it could just change its name when you
delete it like Look2me,CWS & Qoologic as there may be
another part protecting the files.


Goto Jotti's site and upload the nameshifter file to find
out what it is and what infection it is conected with

http://virusscan.jotti.org/

press browse, find the file then press "Submit"

Download Ewido and Ccleaner

Ewido

http://www.ewido.net/en/

Install ewido.
During the installation, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".
Launch ewido
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe
mode.


Ccleaner

http://www.ccleaner.com/ccdownload.asp

Download and Install


Reboot into safe mode (Reboot and keep tapping F8 then
choose safe mode from the list)

Run Ewido and from the main menu choose scanner then
Complete Scan
Click the Start Scan button to start the scan.
During the scan it will prompt you to clean files, click
OK
When the scan is finished, look at the bottom of the
screen and click the Save report button.
Save the report to your desktop

Run MS Antispy in safe mode on a full system scan and
remove anything found

Finally Start Ccleaner and click "Run Cleaner" to remove
temp and unused files

Then reboot back to normal mode

Let us know if you have problems and what Jotti's site
detects if you can locate the file.
 
Hey Marcus

If you have a file detected as Nameshifter.fl can you find it on your
system, right click it and choose "send to" then "compressed zipped file" and
email it to

(e-mail address removed) (Put Nameshifter in the subject)

You may need to enable hidden files and folders to find the file depending
where its being detected, Let MS Antispyware scan and then click the plus +
beside the name on the results page and find the file,

To enable Hidden files and folders :

Click Start Menu > Open My Computer > Select the Tools menu from the top bar
and click Folder Options > Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and
folders.
Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm > Click OK.

You can set this back after you find the file by opening the same page and
pressing "Restore Defaults" then click apply again

These's alot of possible fixes such as HijackThis, Hoster & Ewido but it
would be easier to help once we know what the infection is as the term
Nameshifter is being used by Microsoft on various infections.

Andy
 
What does the nameshifter trojan do? Does anyone know?

I also have it an will be reinstalling the OS. I foudn thes
startup.nameshifter issues to be nearly impossible to get rid of completely.

My question is this - Are the nameshifter trojans involved in stealing
passwords, account info, etc, or are they only taking over my browser, etc?
Does anyone know, or is this too general a question?
 
Hi Matt

It really difficult to say what this is without seeing logs from your system
such as Hijack This as the MS team seem to be calling alot of things
Nameshifter, They used to refer to part's of the Aurora infection as
Nameshifter then they called Qoologic Trojan Nameshifter and CWS variants
Nameshifter and there is probably alot of other infections being described in
the same way but uploading the file at Jotti's malware scan site or
VirusTotal should give a clear indication of what infection this file is
related to, Dave's post is worth following as I believe Ewido will also
detect the files and let you know what you have been infected with.

If its a .exe file the find it and right click it and choose to send it to a
compressed zipped folder, If you email it to me I'm happy to run it and see
what it infection it is on a test machine but if its a dll file your best
using the online virus scan sites to get results.

Ive not seen any keylogging malware being described as Nameshifter so I
would suspect its spyware/adware that is on your system but Microsoft are
making this difficult especially when they cannot remove the files by
discribing different infections as Nameshifter as the name itself doesnt mean
anything and there isnt a infection called Nameshifter, Id recommend
following the post Dave made and checking where MS Antispy is detecting the
file, if its in system volume information or recycle bin then its not a
problem but if its anywhere else then upload it at jotti's site or
virustotal, Then download Ccleaner and Ewido and run them with MS Antispy in
safe mode, If it continues let us know what the scanners are finding and in
what location. I dont think you should format your system over this as the
only problem is with it being called Nameshifter its hard to know what it is
untill we use some other scanners then it can be removed even if that takes
other tools like About Buster or Hijack This.

Good Luck

Andy
 
Back
Top