Q230903.exe Trojan? HELP


Duh!

Hi

This morning my PC would not boot up (WinXP Pro); I eventually got it going by
booting from the CD! In the error log I found this:
<snip>
The description for Event ID ( 1 ) in Source ( True Vector Engine ) cannot
be found.
The local computer may not have the necessary registry information or
message </snip>
After doing a ctrl-alt-del I found dllhost.exe running, not unusual, but it
should stop after Java is no longer being used?
That made me think maybe a trojan? I found on my C drive something like an iconless
file; actually, in Properties it's an application named Q121103.exe.

With an updated BitDefender Pro 7 it didn't recognise it as a problem; I also
ran the newest version of Stinger, which didn't recognise it either! But a Google
search got this result:
This Visual Basic (VB) Script malware drops the following file on the
infected system:

- Q230903.exe
This dropped file is the Trojan malware detected by Trend Micro as TROJ_WINSHOW.A.

So it's still there and I'm afraid to reboot my PC. Any ideas?



Oh, and the error log might be because I recently uninstalled ZoneAlarm and
installed BitDefender! It's probably still got shrapnel in my reg, but that's
another problem I am busy with.

thanks in advance



Stephen
 
1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Please reboot your PC into Safe Mode
3) Perform a Full Scan of your platform and clean/delete any infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, re-enable System Restore, reboot the PC
6) If you are using WinME or WinXP, create a new Restore point
7) Please report back your results


Dave



 
Hi Dave
You replied in 7 mins ;-) great. I'm still busy checking around etc. I found
this:
The malware then saves the downloaded file in the following directories,
depending on the system's platform:

- "Documents and Settings\<user name>\Application Data\winshow\"

I also have these folders on my PC but they are empty. I couldn't find
the reg entries concerning this trojan, though. I think it has changed my reg
though, as I cannot boot up!
Before I follow your instructions I have another question: when you
say perform a full scan, if it doesn't detect in normal mode how would it
detect in safe mode? I have already disabled sysrestore because I thought the
prob would be stored with the last restore point.
If you can help me out by looking at this page! It has quite a lot of
info about what is happening to my PC. Let me know please.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINSHOW.A&VSect=T
Rgds
Stephen
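Stephen says he could not find the registry entries for this trojan. As an added example (not code from the thread or from any of the posters), here is a small Python script that parses a `reg export` of the two Run keys and flags entries pointing at the indicators the thread names: a Q<six digits>.exe at the drive root (generalised from Q230903.exe and Q121103.exe) and anything under the Application Data\winshow folder from the Trend Micro write-up. The .reg text embedded in it is constructed sample input, the `loader.exe` file name is invented, and the "nothing legitimate autostarts from a drive root" rule is an assumption, not something the thread states.

```python
"""Added example: flag Run-key autostarts that point at the indicators named
in this thread. Not code from the thread; the .reg text is constructed sample
input, not a capture from the poster's machine."""
import re
from dataclasses import dataclass

# Constructed sample of what `reg export` of the two Run keys might produce.
# The BitDefender and ctfmon entries stand in for ordinary autostarts; the
# "winshow" and "Q230903" entries are hypothetical and point at the paths the
# thread mentions (the Application Data\winshow folder, Q230903.exe at C:\).
# "loader.exe" is an invented file name.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="\"C:\\Program Files\\BitDefender\\bdmcon.exe\" /run"
"winshow"="\"C:\\Documents and Settings\\Stephen\\Application Data\\winshow\\loader.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Q230903"="C:\\Q230903.exe /s"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# "name"="data" lines; both sides may contain backslash-backslash and backslash-quote escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Generalisation of the two dropped-file names on the page (Q230903.exe, Q121103.exe).
DROPPED_NAME_RE = re.compile(r"^Q\d{6}\.exe$", re.IGNORECASE)


def _unescape(s: str) -> str:
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def command_path(data: str) -> str:
    """Pull the executable path out of a Run value (quoted, or up to .exe)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def suspicious_reasons(path: str) -> list:
    """Return the indicators a path matches (empty list means nothing flagged)."""
    reasons = []
    p = path.replace("/", "\\")
    base = p.rsplit("\\", 1)[-1]
    if DROPPED_NAME_RE.match(base):
        reasons.append("name matches the Q<6 digits>.exe dropped-file pattern from the thread")
    if "\\application data\\winshow\\" in p.lower():
        reasons.append("runs from the Application Data\\winshow folder the Trend Micro page names")
    # Assumption: no legitimate autostart binary sits directly at a drive root.
    if re.match(r"^[A-Za-z]:\\[^\\]+$", p):
        reasons.append("executable sits at the drive root")
    return reasons


@dataclass
class Finding:
    key: str
    value_name: str
    path: str
    reasons: list


def triage_run_keys(reg_text: str) -> list:
    """Parse a .reg export and return a Finding for each flagged Run entry."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        path = command_path(data)
        reasons = suspicious_reasons(path)
        if reasons:
            findings.append(Finding(key, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG_EXPORT):
        print(f"{f.key}\n  {f.value_name} -> {f.path}")
        for r in f.reasons:
            print(f"    * {r}")
```

On a real box you would feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU equivalent) taken from Safe Mode with Command Prompt, and treat a hit as a lead to verify, not proof: the script only checks the two Run keys, and an entry that is not flagged is not thereby clean.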
 
Stephen:

The difference between running a scan in Safe Mode and in Normal Mode is that in Normal Mode the EXE
or DLL may be loaded and the file handles will be in use, thus you cannot clean/delete the
file.

Safe Mode has limited functionality and only core OS files are loaded, thus the
virus, Trojan or worm has LESS of a chance of being loaded. Thus, when the scan is
performed you will be able to clean/delete the infectors found.

Dave



 
Thanks Dave, sounds logical.

I'll give it a go tomorrow and let you know how it went!

Rgds
Stephen
 
David H. Lipman said:
| Stephen:
|
| The difference between running a scan in Safe Mode and in Normal Mode is that in Normal Mode the EXE
| or DLL may be loaded and the file handles will be in use, thus you cannot clean/delete the
| file.

The same is true for many malware programs in "Safe Mode".

| Safe Mode has limited functionality and only core OS files are loaded, thus the
| virus, Trojan or worm has LESS of a chance of being loaded. Thus, when the scan is
| performed you will be able to clean/delete the infectors found.

Better is to conduct cleaning in "Safe Mode with Command Prompt". Read the 'why and how' at
www.invircible.com/item/80.

Regards, Zvi
 
I'm back.
After my PC started to run at 100% CPU, and it told me I wasn't logged in as
admin ;-) I rebooted in safe mode, but couldn't run the virus scan! I had
Stinger and I tried another few stand-alone proggies but none found a
virus/trojan, so I just deleted the file on C:\. I then downloaded Registry
Mechanic and got it to fix as many faults as possible with an evaluation
version! My PC boots again and doesn't run at 100% anymore. Also I
downloaded and installed the newest version of BitDefender v7.2; it's much
better than 7.0 as it has a proper firewall etc.

Will let you know if it starts up again.

Thanks again

Stephen


Even though it found no virus
 