Insidious "TrojanDownloader.exe" * help!



Gina Stevenson
February 5th, 2011, 03:34 AM
Yes, I'm ready to scream! Wanted to look something up and then go back to sleep. Instead, something somehow got into this computer. At first MS Security Essentials worked(?), told me it had cleaned up what was found, and then I realized that it had been closed down by what it was supposed to have cleaned up.

AND that thing (title above) would not let MS remain open, or reopen after it had shut it down. It keeps popping up, telling me I can choose to either buy it, or "continue unprotected/infected." It has also shut it down a couple of times, & then a note comes up from windows saying it has an infected NTSF.sys file (not sure of ltrs, but close).

Decided that since MS was having trouble, I'd go ahead & go back to AVG, after all, in spite of its seeming to use a lot of RAM. Well, I DL'd it, and this thing won't let it open/install. I've deleted it from everyplace I can possibly find it, and it's still there when I restart the computer.

Tried in safe mode to get rid of the "shadow" deal that the note was talking about, tho' not sure what I was doing. Found in "admin" mode that there were some control files (too many!) that included a couple that were re "shadowing" (perhaps the note said to disable to not have a "shadow" of the file on here after it was supposedly deleted??) [this doggone bad file keeps popping up!]

Was going to put here a screen shot or two that I managed to grab while it was doing weird things, but it crashed on me for trying to put a picture on here. This is the third time for writing this note, so I may have forgotten (in frustration) things by now, too.

Bottom line, what do I do other than just do another "recovery." Did not want to do that, as it loses many things. Yes, there's what's supposed to be "old data" (forget what it's called now), but sometimes that's inaccessible. :(

[oh yeah, will try the reverting to a former date, but not sure that will work, b/c this thing pops up no matter what you try to do with the computer ... it's as if I never told it to delete the file! UGH!!] ... and thanks.

[will post w/o pics, as it could crash instead ... again]

Gina Stevenson
February 5th, 2011, 03:40 AM
*PS* [& I wanted to just go to bed again after looking something up -- re water filtration (w/heavy pipe-related sediment) this time, tiring of carrying heavy water]

Just remembered something else this thing may have done, when looking in Control Panel for where I can try to go back to a former date ... some file names in the system area seem to be reading in Spanish now, such as "sssss 'para' (instead of 'for')" ... wondered if it had told it to use another language, even. Very odd .............

Better stop, or I might have to cry about this mess! :(

Gina Stevenson
February 5th, 2011, 03:48 AM
Looking for and can't find -- since I can't remember where it's found -- the place that tells the computer to revert back to an earlier time in its set-up, hopefully then not recognizing/allowing files such as these that were on it just today/tonight.

Was editing this to add that when I saw system recovery in the program line-up, I tho't, "Oh, yeah, that's where you go to change the date" re info used to get this thing to work right. (learned it's not, but the whole "recovery" thing) HOWEVER, never got to post it, b/c it crashed on me about the 4th time now, while trying to post this! :(

So, where do I go to find the "work from earlier date set-up" ... just can't quite recall. Thanks.

Also tried the F8 key to let me tell it there, before fully loading up, to go back to where it was working right. Well, it didn't. This thing has to be one of the worst I've encountered, closing down MS Security Essentials -- managed to get it started before everything was loaded, figuring it could then CLEAN the horrid file out, but it popped open and CLOSED DOWN the MSSE so it couldn't even work ... again.
A big, bad HELP!

@@@@@@@@@@@@

[oh, yeah ... another thing this crazy bad file does is keep saying there's some "update" to get, as if we'd already consented to paying for the crazy thing that I can't get rid of in the first place!]

Norayr Hajian
February 5th, 2011, 11:19 AM
So sorry to hear about these problems.

If you go to your start button and click "help" or "search" (can't remember which one) and type in "system restore" it will probably take you to where you want to go (that is, to give you options of restore points).

However, sometimes the only way to deal with a real nasty virus is to use a good computer and create a virus scanning/removing disk that you START the computer with - that way regardless of what is on your computer, it won't be able to "do its thing". I know both AVG and Kaspersky offer such downloadable files.

Here is the link to AVG's "rescue disk": http://www.avg.com/us-en/avg-rescue-cd

And here is the link to Kaspersky's rescue disk: http://support.kaspersky.com/viruses/rescuedisk

Gina Stevenson
February 5th, 2011, 11:46 AM
Just called someone and asked them to read this when they had time and then call me back to tell me what the answer said, as it wasn't letting me on here. Decided to try "reboot" again, and saw that there was not only "safe mode" [which does not let you even connect], but also a "debugging" mode [tho' not sure how to do even that!], and it let me get on here. Now that I'm here, and the bad file keeps popping up while I'm trying to post, I'll post this, then look around for something to tell me how to "debug," since I'm in that mode.

Well, just got a call back while I was in the kitchen a couple of minutes or so. ;)

Will go try a search & hope that it will work! Thank you.

[Crazy thing won't/would not even let me -- before I found this "debugging" mode -- write a note in wordpad, telling me it could not execute, as it was infected. It tells me to DL the "latest windows security whatever" ... will see if it will work now in "debug" mode, but better post this first before it crashes, as it's also now prone to do, & then needs rebooting.]

Thank you, will try to find "restore," rather than "recovery." Also -- not sure where that would be -- I'll try to get these recovery disks, too. Now I have to figure where I could go [still nasty here]

Gina Stevenson
February 5th, 2011, 11:50 AM
Nope, it still will not let me into Word Pad to write a note. What on earth!?

OK, to "search" now, tho' earlier it would not let me do that, either ...

OK, it did let me into the search box. However, once "system restore" popped up, I tried opening it, and it then told me:

"Application cannot be executed. The file rstrui.exe is infected. Please activate your antivirus software."

Yeah, right. The only "antivirus (actually *VIRUS*!) software" it will allow to open is itself ... does this mean I have to do "recovery," wiping out a lot, because it won't even let "restore" work!?

Or, maybe ... will it open and restore it from "safe mode," if I reboot again into that mode, since it won't let it open in this "debugging mode"???

Norayr Hajian
February 5th, 2011, 11:56 AM
You need to access a non-infected computer and create a disk that you can use to start your infected computer and clean the trojan. At least, that's what I think.

Norayr Hajian
February 5th, 2011, 11:59 AM
Found this online. Haven't tried it so can't say if it works:

Trojan downloader.xs is a spyware that I unfortunately got on my pc. It took about 2 days to figure out how to get rid of it, so I am writing this to help others get rid of it sooner. This spyware took over my desktop background, disabled my task manager and kept making ads pop up to try and sell programs to get rid of it.
The first thing you need to do is make sure your task manager is working. To check this press ctrl/alt/del. If a box pops up and says your task bar has been disabled by administrator, you need to re-enable it. Please see my article on how to do this, get it back enabled then move on to step 2 of this article. http://www.ehow.com/how_2354300_enable-task-manager-windows.html
Go to the website www.download.com and find the free version of spyware terminator 2.2.2.438. Download it to your computer. It is free. I tried many that said free but after they scanned they wanted money to fix the problem.
Run the spyware terminator program and have it remove the spyware it finds.
Restart your computer again.
Click start, then control panel, then appearances and themes, then change the desktop background.
Choose a background and save it.
Just for good measure I ran ccleaner, then defragmented my computer before I went back on the internet. This rid me of my problem.

Read more: How to get rid of Trojan Downloader.xs | eHow.com http://www.ehow.com/how_2354307_rid-trojan-downloaderxs.html#ixzz1D6mkN7BP

Norayr Hajian
February 5th, 2011, 12:00 PM
This link is a lot more technical:

http://www.spywareremove.com/removeTrojanDownloader.html

Gina Stevenson
February 5th, 2011, 01:36 PM
Hallelujah! (not prematurely, I hope! ;)) Right now I managed to get into "RESTORE" via "directory services restore mode" ... which told me for three different restoration points I tried [2 days, 4 days, & 1 wk ago] that it could not be restored.

I wasn't about to do a recovery yet [think it could've been avoided awhile back, too, had I realized about these modes other than only regular & "safe"], so decided to try another mode again, since that dir svcs one did not work. Back into regular old "safe," I was surprised it let me on-line; didn't earlier. Maybe it's b/c I clicked "administrator" this time instead of my usual entry way?

So, I first went to AVG to get that going, and then saw your note here re the free spyware that actually works. So, have that DL'ing now, too.

Thanks much for looking it up; didn't dare go anywhere but NazNet with that thing on here, in case this spyware would pick up other P/W's, etc ... tho' it wouldn't be good to even have this one, as someone could post some bizarre stuff under my name!

[so, in view of the previous paragraph, if anything that sounds totally unlike me appears here, it just may not be me!!]

Gina Stevenson
February 5th, 2011, 02:08 PM
OK, they're both DL'd ... running the scan right now. Going to take awhile. So far, at 35% done, the only "critical item" it notes is "click potato." Sooo, I'm wondering if this crazy spyware uses various names and TrojanDownloader is only one of them, and ClickPotato is yet another of its names??? Will see when it's done. In the meantime, it's gone long enough to get to 35% that for the 2nd 2/3 I have to get out of here and to a couple stores [refill water bottles, etc] again, before days & days of a snow forecast get here later. Michigan ... winter ... UGH!

Thanks for your help, anyway, Norayr ... hopefully this spyware terminator [can you say "Ahhh-nold"??? no, I don't watch those movies! ;) ] will do the trick. Hasta luego, folks.

Gina Stevenson
February 5th, 2011, 04:11 PM
Well, Norayr, you were right ... that Spyware Terminator didn't do the trick. It found that "click.potato" but that apparently wasn't another alias, as the doggone thing was still there, once I shut the 'puter down & rebooted.

But I did manage, while in "safe" mode again, to get AVG installed, and that is exactly what finally cleared the doggone thing outa here! Good old AVG! ;)

Strangely, now that I've also got AVG's PC TuneUp (you can get just one free, or pay for a year's worth, so since it said the registry was messed up, too, I went for it -- the free one, that is), a silly box popped up in the corner telling me that "Security Essentials" (you know, that one from MS that let the other one in!?) had detected something dangerous on here, so I clicked "clean computer" and it told me a couple minutes later that it had cleaned up the computer. Ahhh ... with some help, I'd say, from AVG! [never even told the silly thing to open up, & don't see it where it used to be in the tray ... but, oh well]

But whatever, it seems back to normal now! ;) But the Crawler Toolbar keeps trying to get in on things ... a part of Spyware Terminator that I UNchecked so it would not install; it does it, anyway, I guess. [idiotic software programs, anyway, that ask you a question, then ignore your preferences]

Thanks for all the help, tho'. At least I now know I can use other than "normal" & "safe" modes and that helps some, so I won't feel so quickly that I have to do "recovery," not "restore" --- which I nearly even did today, its having been about 24 hrs now since this thing was messed up!

Ahhhhhhhhhhhh .......................... ;)

Norayr Hajian
February 5th, 2011, 04:15 PM
Wow. Glad you are on track.

If you are satisfied with AVG (which it sounds like you are) you should uninstall Microsoft Security Essentials, since I've always been told that running two anti-virus programs gets them messed up.

Gina Stevenson
February 5th, 2011, 04:23 PM
Thanks for the reminder. Guess I'd better dump it quickly ... but after I go to a couple stores. Last I went anywhere was Monday, and then it had been the Wednesday before that.

~ winter wimp ~

Todd Erickson
February 13th, 2011, 03:38 PM
Many of the current viruses, like the Trojan, get into the registry on your computer.

Doing a system restore will not necessarily affect your registry, just what's installed on the unit. So if a trojan has changed your registry, and is generating from there, then your fix needs to be something that can run outside of Windows. Since most Windows machines have removed the DOS prompt as something you can access before Windows, this can be sticky. Having something that you can run from a bootable disk will often allow you to work around this.
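
As an added example (not part of the original posts): a read-only PowerShell check of registry autostart locations, of the kind the post above refers to when it says a trojan can start itself from the registry. The list of keys and the user-writable-directory heuristic are assumptions chosen for illustration, and the script is meant for a session where the machine is usable, such as Safe Mode.

```powershell
# Added example: read-only listing of registry autostart entries.
# The key list and the "user-writable directory" heuristic are assumptions.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories an unprivileged user can write to; programs that start
# themselves from here deserve a closer look.
$writableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ }

function Test-UserWritablePath([string]$Command) {
    foreach ($root in $writableRoots) {
        if ($Command.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Command      = $command
            UserWritable = (Test-UserWritablePath $command)
        }
    }
}

# Winlogon values that decide what runs at logon. On a clean system Shell is
# "explorer.exe" and Userinit is "<SystemRoot>\system32\userinit.exe,".
$winlogon = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
$winlogonChanged = ($winlogon.Shell -ne 'explorer.exe') -or
    ($winlogon.Userinit.TrimEnd(',', ' ') -ne $expectedUserinit)

$entries | Sort-Object UserWritable -Descending | Format-Table -AutoSize -Wrap
"Winlogon Shell    : $($winlogon.Shell)"
"Winlogon Userinit : $($winlogon.Userinit)"
"Winlogon values differ from defaults: $winlogonChanged"
```

A flagged entry is a lead to inspect, not proof of infection, since legitimate updaters also start from per-user directories. The HKCU keys belong to whichever account runs the script, so an entry planted under a different user's profile will not appear when it is run from another login.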

Gina Stevenson
February 13th, 2011, 07:01 PM
Oh, so what someone was telling me about going to a "good/clean machine" and DL'ing some fixes -- CD's to boot from -- is what needs to be tried to make sure?

OK, so if we can get to the DOS prompt [I can], what do we want to write there to check/fix things? I used to love DOS prompt, and did a lot via it, until Windows got to where it does most things for you.

Thanks, if you can tell me what to do at the > ................