Nasty trojan in my machine

Hello all.

I have a very nasty worm.
I have no clue where it came from, but I will try to explain.

Worm is called Win32:Trojano-2873 [Trj] and avast says it is in “Temporary internet files”.
I use Firefox browser.
I have Windows XP pro.
I use Avast and Kerio firewall

I can’t remove it with Avast.

Any help would be appreciated.

Thanks in advance

Jarkko

Purge your temporary internet folder, should clear the problem. Use crap cleaner which I find very good

No luck. :-\

Can you see the suspect file on your system? If so, it might be worth trying Move on Boot to delete the file before Windows starts protecting it: http://www.softwarepatch.com/software/moveonboot.html This is a small, clean piece of software, not needed often, but when it is, it works.


Welcome to the forums, higge! :slight_smile:

Another free program can be found at the link below. Internet Sweeper can be set to automatically (at computer start-up) delete temp files, cookies, history, and other things that junk up your computer. You can also manually start the program to “sweep” at anytime but in-use files will not be deleted in this case. I’ve used this program for several years and it works with XP.

http://www.geocities.com/Internet_Sweeper/


Trojans etc running from temp files prevent programs like CCleaner from deleting the temp files.

With unsophisticated malware, it is often possible just to kill the malware process using Process Explorer - look for processes starting from temp files - and then delete the temp files.

For cleverer malware, try Ewido, which can remove process-injecting Trojans, which are often difficult to kill.

Hello higge,

My program of choice for these nasties is replacer, get it from here: http://www3.telus.net/_/replacer/
Now you will find you can remove this nasty devil.

greets,

polonus

Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.

Thank you guys for replies.
I will try those of course, but one thing.

I am now in the condition that Avast does not give me trojan info anymore (like it’s gone now), but when I am on the web for only a few minutes, for example on this site, it just jumps to another site automatically.
I am sure that I don’t need new tires for my car ;D as those sites tell me…

I always put them to Kerio black list but nothing happens.

So something is not right, and worst is that I don’t know where it came from?

Hi higge,

Sounds like you have a spyware infection: I recommend the following programs:

Ewido http://www.ewido.net/en/ (Requires Win2000/XP)

and/or a-Squared http://www.emsisoft.com/en/

Ad-Aware http://www.majorgeeks.com/download506.html

Spybot Search & Destroy http://www.safer-networking.org/

:slight_smile: Hi Higge :

 If the programs suggested by FreewheelinFrank do NOT
 solve "it jumping to another site", I suggest you ask for
 help on an antiSPYWARE  forum; if you know of none,
 I recommend www.landzdown.com .

Thanks again all of you.

Unfortunately I have to say none of those worked in my case.
I am ready to believe I have to reformat HD.

But yet that have to come I am more and more willing to hear if any suggestion comes to your mind.

And I really have to say this forum is very helpful and very very fast to get any help.

Cheers

Hi higge,

I hesitate to ask, but did you follow all the instructions for worm cleaning as given for your particular OS? Read here:
http://www-jerry.oit.duke.edu/community/pc_swat.html
& http://www.jmu.edu/computing/security/info/dcomxp.shtml

This is the general guideline for clearing out worms. If you do this according to the book, rename the process and use killbox.exe (http://process.networktechs.com/KillBox.exe.php), maybe this could save you from a reinstall. The decision whether you make a reinstall depends of course if this is the only malware on board, how long it has been there (considering further compromise and backdoors to be found there). Give it another try before you plan the inevitable. And before that backup all that is worth to back up there.

polonus

Since you’re using Win XP, did you deactivate System Restore first?

did you deactivate System Restore first?

No I didn’t at first but until now yes.

This is getting quite bad now.
I want to ask one more thing from you all.

Could someone give me step by step guide how I really should scan my machine.
I think there is a way I do not right.

Should I be offline while scanning etc…

Thanks in advance

A SOLUTION!!!

I found it was in “temp” file.
I have six user accounts and didn’t clean all those temp files.

I deleted them and now it seems to be away.
It was called WINSYSBAN8

Thanks again all for your help.


Hi higge,

I am glad you found the solution. Using a program to clean up all those temp files might help you in the future.

Please come back often, learn more, and maybe help others. :slight_smile:


Hi higge and CharleyO,

WINSYSBAN.EXE is a malware threat trojan component in the Windows folders, that appears under various names all starting with WINSYSBAN (here WINSYSBAN8).

This application is downloaded and installed by another application, in this case added by the Troj/Clicker-CD Trojan, see:
http://sophos.com/virusinfo/analyses/trojclickercd.html

User may complain of “too much ware” “popups”.

04 - HKLM..\Run: [winsysban] C:\windows\winsysban.exe

Threat level 7

Good you got rid of it, because it is definitely not required on your pc.

Yours faithfully,

polonus
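
An added example, not part of the thread or any poster's code: the fix above came down to checking the temp folders of every user account, not just the one in use. The sketch below walks each profile's temp locations and reports files that match the WINSYSBAN name pattern or carry an executable header. The relative paths assume the default Windows XP profile layout, the function names are hypothetical, and the sample tree is constructed for the demonstration.

```python
import os
import tempfile

# Assumed default Windows XP per-account locations, relative to the profile dir.
XP_TEMP_DIRS = (
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "Temporary Internet Files"),
)
NAME_PREFIX = "winsysban"  # name pattern reported in the thread

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:  # locked or unreadable file
        return False

def scan_profiles(profiles_root):
    """Return sorted (account, path, reason) for suspect files in every account."""
    findings = []
    for account in os.listdir(profiles_root):
        for rel in XP_TEMP_DIRS:
            base = os.path.join(profiles_root, account, rel)
            # os.walk yields nothing if this account lacks the directory.
            for dirpath, _dirs, files in os.walk(base):
                for name in files:
                    full = os.path.join(dirpath, name)
                    if name.lower().startswith(NAME_PREFIX):
                        findings.append((account, full, "name"))
                    elif is_pe(full):
                        findings.append((account, full, "pe-header"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: one clean account, one with dropped executables."""
    for account, fname, data in (
        ("alice", "notes.tmp", b"plain text"),
        ("bob", "WINSYSBAN8.exe", b"MZ\x90\x00"),
        ("bob", "update.dat", b"MZ\x90\x00"),
    ):
        d = os.path.join(root, account, XP_TEMP_DIRS[0])
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, fname), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print(scan_profiles(root))
```

On a real XP machine the root to pass would be the profiles directory (by default `C:\Documents and Settings`), run from an administrator account so that every profile is readable.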


Thanks for the info, Polonus! :slight_smile:


Thank you Polonus.

This forum now belongs to my favourites…