trojans Folder 1024

  • Thread starter Thread starter Monsifer
  • Start date Start date
M

Monsifer

Hello everyone,
I got a little irritating problem. I have MacAfee anti virus software
and I always get a message a trojan horse in folder 1024, exact location
is C:\WINDOWS\system32\1024. It is a temp folder as far as I know, and
the obvious file extension *.tmp. The trojan horse keeps popping-up.
The Q is, How it got there? Which program do I have to screen? Is there
a way to disable the folder itself? Any suggestion is very much welcome.
Thank you.
Monsifer
 
From: "Monsifer" <[email protected]>

| Hello everyone,
| I got a little irritating problem. I have MacAfee anti virus software
| and I always get a message a trojan horse in folder 1024, exact location
| is C:\WINDOWS\system32\1024. It is a temp folder as far as I know, and
| the obvious file extension *.tmp. The trojan horse keeps popping-up.
| The Q is, How it got there? Which program do I have to screen? Is there
| a way to disable the folder itself? Any suggestion is very much welcome.
| Thank you.
| Monsifer


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the
PC.

You can choose to go to each menu item and just download the needed files or you
can
download the files and perform a scan in Normal Mode. Once you have downloaded
the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode
[F8 key
during boot] and re-run the menu again and choose which scanner you want to run
in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_%96_Getting_Help


* * * Please report back your results * * *
 
My reply is at the bottom of your message :


Monsifer said:
Hello everyone,
I got a little irritating problem. I have MacAfee anti virus software
and I always get a message a trojan horse in folder 1024, exact location
is C:\WINDOWS\system32\1024. It is a temp folder as far as I know, and
the obvious file extension *.tmp. The trojan horse keeps popping-up.
The Q is, How it got there? Which program do I have to screen? Is there
a way to disable the folder itself? Any suggestion is very much welcome.
Thank you.
Monsifer
Click to expand...


Q: How it got there?
A: Trojans are viral malware (malicious software) which doesn't not appear
itself but you install with another program , for example . Or you can aslo
visit site with ^bad^ content which infected your PC.
The things that a trojan can do varies from silly to extremely dangerous .

I recommend you scan with your McAfee in Safe Mode and then do an free
online scan with Panda Software's free online scanner
http://www.activescan.com

If this doesn't fix the problem ,
http://pandaman.my.contact.bg
is my web-site.When you visit it , you'll be able to perform the malware
removal instructions I have written so the computer will be clean.Don't
forget to read the "Protect your PC" section there so you'll learn your self
how to acurately use your pc.


Regards!

Panda_man
 
Monsifer said:
Hello everyone,
I got a little irritating problem. I have MacAfee anti virus
software and I always get a message a trojan horse in folder 1024, exact
location is C:\WINDOWS\system32\1024. It is a temp folder as far as I
know, and the obvious file extension *.tmp. The trojan horse keeps
popping-up.
The Q is, How it got there? Which program do I have to screen? Is there
a way to disable the folder itself? Any suggestion is very much welcome.
Thank you.
Monsifer
Click to expand...


The trojans name is FakeAlertB
 
From: "Monsifer" <[email protected]>

| Consider this case solved and closed
|


Why ?

You didn't reply to any of the posts nor provided anything other than it was the
FakeAlert.B -- http://vil.nai.com/vil/content/v_139058.htm

Did you scan the computer using the Multi AV Scanning Tool ? Do you relaize that there are
sisters and peer infections related to the FakeAlert.B so if you ar infected with this
Trojan you *may* have additional infections.
 
David, thankyou for the very informative answer and links. I got the same
trojan w/many variant names on 4/14 also, and I thought I solved my problems
mostly with a very thorough regedit session or 2, working also with the
culprit names that came from McAfee, MS Antispyware beta, and Spybot S&D, but
unfortunately the name nvctrl just reared its ugliness again.

So, the CLEAN software I just downloaded and your hints ought be more useful
than I wanted them to be. Problems are always fun for programmers...
 
Hello

I did do you suggestions, scanning the computer in safe mode as well as
online scan. I also reviewed which programs that i have which has
permission to access the internet. The thing is, the same trojan
FakeAlertB keeps popping up even if the only application accessing the
internet is the my Guild wars game. The only good thing is that my
antivirus software catches and deletes the file automatically.
I also deleted folder 1024 in system32, but it was there again.
It always was the same folder with the same trojan.

Monsifer
 
From: "Giabaree" <[email protected]>

| David, thankyou for the very informative answer and links. I got the same
| trojan w/many variant names on 4/14 also, and I thought I solved my problems
| mostly with a very thorough regedit session or 2, working also with the
| culprit names that came from McAfee, MS Antispyware beta, and Spybot S&D, but
| unfortunately the name nvctrl just reared its ugliness again.
|
| So, the CLEAN software I just downloaded and your hints ought be more useful
| than I wanted them to be. Problems are always fun for programmers...
|

nvctrl.exe is a ZLob Trojan.



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et. al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your bowser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
 
From: "Monsifer" <[email protected]>

| Hello
|
| I did do you suggestions, scanning the computer in safe mode as well as
| online scan. I also reviewed which programs that i have which has
| permission to access the internet. The thing is, the same trojan
| FakeAlertB keeps popping up even if the only application accessing the
| internet is the my Guild wars game. The only good thing is that my
| antivirus software catches and deletes the file automatically.
| I also deleted folder 1024 in system32, but it was there again.
| It always was the same folder with the same trojan.
|
| Monsifer



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et. al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your bowser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072



Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
 
Back
Top