Trojan.Startup.NameShifter.HN


Guest

MS AntiSoftware (Beta) finds this trojan but cannot remove it. Have tried to
find info on the trojan - No one seems to know about it, including Microsoft.
I can't even find info as to what damage it can do.
Has anyone found a safe way to remove the NameShifter.HN trojan?
 
Hi Gold Chevron;
Andy Manchesta says this about MSAS and nameshifter:
It's really difficult to say what this is without seeing logs from your system
such as Hijack This, as the MS team seem to be calling a lot of things
Nameshifter. They used to refer to parts of the Aurora infection as
Nameshifter, then they called Qoologic Trojan Nameshifter and CWS variants
Nameshifter, and there are probably a lot of other infections being described in
the same way.

My recommendation is to go to this site and follow their instructions... It's
brand new so let us know how you make out, or if you have problems come back
here... We'd all appreciate the feedback:
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
 
Can you let us know what the trojan is and where it's
being detected?

For MSAS go to "tools" on the top bar then "SpywareScan",
next go to "View Spyware Scan History", then choose the
latest scan results and click "View Full details of scan"
from the bottom right of the screen, then copy and paste
that back here (Left click and cover the text-Right click
and copy, Then right click in a response here and choose
paste)

It will be a lot easier to help you remove it once we know
what it is and where it's saved into.

Engel
 
I spent 5 hrs last night and another 3 this morning before I bit the bullet
and did a clean re-install of XP home. Couldn't use Repair Console on this
machine as no security policy, no known admin so couldn't get into directory
structure.

The resident processes were recreated in ...system32/ with random date codes
but all 89K, as fast as I ended the process. I tried terminating all other
process to see which one was 'master minding' it, but no joy. So, end
oyshnmk.exe in taskmanager and delete it in System32/ and nohnkht.exe is
created and runs as a process.

All start ups looked clean using HiJackThis.

MS Beta reported both Name Shifter GS and Name Shifter Something else. This
is first time in 3 years of cleaning that I have given up and done a clean
install for someone.

Hopefully someone will come up with a cleaner soon. Norton site is blank on
the subject.
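The respawn pattern reported in the post above (a process is ended, and a differently named image of the same size starts from the same directory moments later) can be picked out of a process event log. This is an added example, not part of the original thread: the `Event` record, the `find_respawn_chains` helper, the 5-second window, the full `C:\WINDOWS\system32` path, the byte sizes and the name `qwzrtpl.exe` are constructed assumptions; only `oyshnmk.exe`, `nohnkht.exe` and the 89K size come from the post.

```python
import ntpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: float      # seconds since capture start
    kind: str     # "start" or "exit"
    image: str    # full path of the process image
    size: int     # image file size in bytes

def find_respawn_chains(events, window=5.0):
    """Link each exit to a start, within `window` seconds, of a differently
    named image in the same directory with the same file size."""
    pending = {}  # (directory, size) -> (exit time, image path)
    chains = {}   # newest image in a chain -> list of image paths
    for ev in sorted(events, key=lambda e: e.t):
        key = (ntpath.dirname(ev.image).lower(), ev.size)
        if ev.kind == "exit":
            pending[key] = (ev.t, ev.image)
        elif ev.kind == "start" and key in pending:
            t_exit, old = pending.pop(key)
            # Same name restarting, or a slow restart, is not the pattern.
            if ev.t - t_exit <= window and old.lower() != ev.image.lower():
                chain = chains.pop(old, [old])
                chain.append(ev.image)
                chains[ev.image] = chain
    return [[ntpath.basename(p) for p in c] for c in chains.values()]

SYS32 = r"C:\WINDOWS\system32"  # constructed path for the sample
SAMPLE_EVENTS = [  # constructed events, not taken from a real capture
    Event(0.0, "start", SYS32 + r"\oyshnmk.exe", 91136),   # 89K image
    Event(10.0, "exit", SYS32 + r"\oyshnmk.exe", 91136),
    Event(10.4, "start", SYS32 + r"\nohnkht.exe", 91136),  # renamed respawn
    Event(12.0, "exit", SYS32 + r"\notepad.exe", 69120),
    Event(30.0, "exit", SYS32 + r"\nohnkht.exe", 91136),
    Event(30.3, "start", SYS32 + r"\qwzrtpl.exe", 91136),  # renamed respawn
    Event(40.0, "start", SYS32 + r"\notepad.exe", 69120),  # same name, late
    Event(50.0, "exit", SYS32 + r"\calc.exe", 114688),
    Event(50.5, "start", SYS32 + r"\mspaint.exe", 343040), # different size
]

if __name__ == "__main__":
    for chain in find_respawn_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

A chain only shows that some other component is relaunching the image; finding that component still needs the parent process of each new start.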
 
Thanks to all of you who took the time to answer. I will try those
suggestions and let you know how things turn out.
 
Hi Dave M and all you others,

Went to wiki.castlecops.com as you suggested. Program looks promising.
Only one problem for me, they suggest I print the instructions, lol, my
printer died last week and I'm waiting for HP to replace it under warranty.
Should get a new one Monday or Tuesday if their promises hold true. I'll try
the URL as soon as I plug in my new printer. I'll let you know my results
right away - positive removal of Nameshifter, I hope.
 
Sorry about that printer. You could spend the intervening time getting the
downloads they recommend, ADaware, HijackThis, Ewido, CCleaner, and since you
already have MSAS... you're part way there already. You can be sure CastleCops
is a super trustworthy site... any regular on this forum is familiar with it.
And since they just set up this self guided facility with a follow on expert
guided HijackThis should you need it, I think it's going to work well for you
with this nasty problem Nameshifter. I would avoid going to any sensitive sites
(like banks/credit card purchases) until you learn exactly what it is and get it
removed. Some of these things can grab that sort of information as you're
transmitting it over the net. Nameshifter by the way refers to its ability to
change names to hide... so you're dealing with perhaps a bit of a Chameleon.
 
I tried the Malware Removal technique from wiki.castlecops.com only to have
more problems. 1st, I ran cleanup. 2nd, I bought Spyware Doctor. 3rd, I
used the trial download of TrojanHunter. Now I have more problems. Adwares
keep popping up, especially Winfixer 2005. I hopefully got rid of Winfixer,
but other ads continue. I'll muddle through until I solve the problem, but I
shall not visit CastleCops again. I'm afraid to. I can only handle so many
problems at once and they seem to have dumped a lot on me, probably from
those sites they recommended.
 
Gold Chevron said:
I tried the Malware Removal technique from wiki.castlecops.com only to have
more problems. 1st, I ran cleanup. 2nd, I bought Spyware Doctor. 3rd, I
used the trial download of TrojanHunter. Now I have more problems. Adwares
keep popping up, especially Winfixer 2005. I hopefully got rid of Winfixer,
but other ads continue. I'll muddle through until I solve the problem, but I
shall not visit CastleCops again. I'm afraid to. I can only handle so many
problems at once and they seem to have dumped a lot on me, probably from
those sites they recommended.

CastleCops are the good guys and you would do well to follow their
recommendations.

Bob Vanderveen
 
Hi Gold Chevron;
Sorry to hear that you had those problems with the CastleCops instructions.
Although I do have to wonder how Spyware Doctor came into the picture, since the
instructions on that site ask that you run two anti-spyware utilities from this
short and entirely free of cost list:

Ad-Aware
Spybot S&D
Microsoft AntiSpyware

Sounds like you decided to forge ahead on your own which is fine of course, it
is your computer, but in hindsight maybe not the best choice if you're still
inundated with ads? I'm sure other forum regulars will be glad to supply links
to additional tools, but you have to realize that the programs you're fighting
were not written by some guy in his basement like many virus infections.
Adware suppliers are major companies with significant capital and a very
talented programming staff, there's no quick fix to that sort of situation. If
you feel you can't or don't want to handle that challenge, then the best
recommendation I can offer at this point is to bring it to a professional shop
for removal. Sorry again, but I assure you that the CastleCops tool
recommendations are all unquestionably trustworthy, though extensive.
 
Hi Dave,
I clicked on Spybot S&D and got Spyware Doctor. I thought that was the
program recommended by that site. Should I get rid of the Doctor? I
downloaded TrojanHunter and it did not find NameShifter, nor did it find any
other Trojans. Registry Mechanic did find other items in my Registry and
removed some and repaired others. I am not finding NameShifter with MS
AntiSpyware Beta, so I guess it may be gone. Now I'm having other problems.
My f1503 keeps going black at various times after flickering. All my virus,
spyware and trojan programs cannot find anything to help me. I let my
granddaughter use my computer while she spent time with us. Guess her
friends sent me something via AIM Express. Anyone can help me?
 
Hi again Gold Chevron;
I really don't personally have any experience with SpywareDoctor so all I can
give you here is hearsay, but since you asked, and I know more than a few in
here will disagree, here's the hearsay I've heard:

SpywareDoctor has a reputation for false positives. It doesn't use a very well
updated database and actually depends more on heuristics for detection. Using
heuristics means that it looks for resemblances to spyware activity and only
serves as a guide. The concept of using heuristics for detection is great, it
means the product should be able to detect as yet un-written spyware, it's the
implementation that seems less than perfect. We have seen a large number of
these false positives reported even in this non-SpywareDoctor forum, although to
be fair ALL anti-spyware applications do produce some false positives.

But you asked "should you get rid of it?", and I'd say no need. Like a visit to
your family Doctor, sometimes it's good to have a second and even a third
opinion. At the same time I think you should get Ad-Aware and run a scan with
it. The reasoning is as follows,
I suspect that you've managed to partially remove some spyware on your system,
perhaps with MSAS, perhaps some more with Reg Mechanic and at this point MSAS no
longer detects the specific signature pieces it's removed. Ad-aware could and
undoubtedly does have different signatures than MSAS and thus may be able to
remove other portions of the malware. I also think that, unless you're very
lucky, you're eventually going to have to use HijackThis with human guidance to
totally clean up your system, and the guide will ask... "what have you done so
far?" That's why I sent you to CastleCops originally... to prepare you for
that, but you have to be willing to follow their procedures and recommendations
exactly, or you'll be wasting your time and theirs. Sorry to be blunt about
this, please understand these people are totally swamped with help requests in
these times and they're very serious about malware removal.

And as to the granddaughter... make sure you don't let her use an administrator
account while she plays. Set up a limited user account for her if you haven't
already, and if you have the courage to let her back online. Maybe a talk about
internet dangers would help too along with some parental controls from an
Internet Security Suite (like Norton's or McAfee) if you have one available. If
you ever spent any time in un-moderated AIM chat with teens present, there's a
constant flow of download solicitations both obvious and not-so, and usually
socially engineered to appeal to young people. I think you're probably right
about where the malware originated.
 
Merry Christmas Dave M,

Please understand that I was frustrated and never meant to be unkind.
Thanks for your patience with me.

I did follow the malware removal procedures as you instructed. However,
when I went to SpyBot S&D I got a pop-up for Spyware Doctor and thought this
was the correct program, so I downloaded. Thanks to you, I found out this
was incorrect. I subsequently found that WinFixer 2005 was in my computer.
I deleted SpyWare Doctor.

After you told me of my need to visit CastleCops again, I did so, following
the instructions exactly, disregarding the WinFixer pop-ups. I did not
uncover any other viruses, trojans or spy-ware. I finally tracked down
WinFixer and was able to delete it, I think - because I no longer experience
its pop-ups.

MSAS detected the trojan "Vundo" (which I suspect as NameShifter in another
life) but was unable to delete it so I visited Symantec and found a tool for
removal of this trojan. I was successful in removing it, thanks to Symantec.
I downloaded the tool and saved it in my documents folder so I can run it
every day to ensure no more infection.

I appreciate all you've done to help me because now I do not have any of my
detectors finding NameShifter, ADTMT, Vundo or any other infections.

Again, thanks.
 
Super... Thanks for getting back to us with your success. I know it wasn't
easy, but now your toolbox is full, and I think you're better off in the long run
for having gone through it this time.

One more thing I recommend you do is look at SpywareBlaster for protection
before you get infected. Most of the other A-S products described here work
after you get infected. Figuring your granddaughter is still at it... ha-ha

From Andy Manchesta:
Consider installing SpywareBlaster from Javacool software as that will add
hundreds of malicious sites to your restricted zone which would prevent them
downloading files to your system if you visit them. Spyware Blaster will also
block a lot of malicious ActiveX components so again it would prevent the site
downloading malicious files to your pc. It's free and doesn't need to run on
your system, it just needs updating every couple of weeks.

http://www.javacoolsoftware.com/spywareblaster.html

Note: SpywareBlaster additions to the restricted sites list will incorrectly be
reported in MSAS Beta1 as additions to your trusted sites list. The solution is
to allow the additions, following the SB installation.
 
I have a similar trojan BHO.NameShifter.IJ which is probably the author. It
allows pop ups and redirects you to ads.
 