# Can't Delete Trojan Virus - Help!



## songwritingguy (Sep 26, 2004)

Greetings.
I've just installed Norton Antivirus 2005 on my new custom PC.  Apparently though, I downloaded a virus before I had this software.  Norton keeps finding the virus but cannot delete it.  I tried the manual process - went to msconfig, safemode, explored out to the infected file and tried to delete it, and no such luck. 

How do I get rid of this thing?  Norton keeps giving me the message that it exists.  It's a 'download.trojan', and it's in:
C:\WINDOWS\SYSTEM32\KE32PC8GNDE.dll
I have no idea how to proceed.  Appreciate the help.....

Here's my system info:
Windows XP Home
AMD 64 3000
1 Gig Ram
60 Gig HD
160 Gig HD


----------



## Ace1627 (Sep 26, 2004)

What I would suggest. Dump Norton and get McAfee. McAfee is 10 times better than Norton. That should do the trick. Hope this helps.


----------



## ZER0X (Sep 26, 2004)

> What I would suggest. Dump Norton and get McAfee. McAfee is 10 times better than Norton. That should do the trick. Hope this helps



Umm....Na I don't think so, it still won't get rid of it



> How do I get rid of this thing? Norton keeps giving me the message that it exists. It's a 'download.trojan', and it's in:
> C:\WINDOWS\SYSTEM32\KE32PC8GNDE.dll



Try using Windows Recovery Console


----------



## Lorand (Sep 26, 2004)

It's simpler with a dos window. Start/Run "command", then type in:
cd\
cd windows\system32
del KE32PC8GNDE.dll


----------



## songwritingguy (Sep 26, 2004)

Ace - I tried McAfee first.  It wouldn't even load!! It kept crashing, so I returned it and got Norton which loaded with no problem and found this virus.

Lorand - are these 3 separate commands that I should type in, one after the other?  Sorry - I've not got much DOS experience.

Thanks.


----------



## Lorand (Sep 26, 2004)

3 separate ones. Hit enter between them.


----------



## ZER0X (Sep 26, 2004)

Lorand said:

> It's simpler with a dos window



Yer I forgot about that


----------



## songwritingguy (Sep 26, 2004)

Lorand,

I tried to delete through dos, and when I ran the delete statement I got "access is denied".  This is the same message I got when I explored out to the file and tried to delete it.  Am I going to have to reformat?
What do you think?


----------



## Lorand (Sep 26, 2004)

First stop that process. Hit Ctrl+Alt+Del, look for that dll in the processes and kill it. Then you could delete it.


----------



## ZER0X (Sep 26, 2004)

http://securityresponse.symantec.com/avcenter/venc/data/download.trojan.html

Try that
That virus you have is not a huge deal, no use formatting it yet..... Plus Norton should have quarantined it so you're sorta safe from its harm


----------



## songwritingguy (Sep 26, 2004)

Lorand,

There are no '.dll' processes running in task manager.  All processes listed are '.exe' and none of them look like this system32 virus. ???


----------



## Lorand (Sep 26, 2004)

Sorry, it was a mess in my head when I wrote that...  
You can delete that file after restarting in safe mode.


----------



## songwritingguy (Sep 26, 2004)

Thanks Zerox.  I've already tried the removal steps that Norton suggested.  Couldn't remove it. I'm not even sure that Norton quarantined it because Norton returned a message box that says "Cannot delete - access denied".
I'm going to try to delete in safe mode.


----------



## ZER0X (Sep 26, 2004)

songwritingguy said:

> Thanks Zerox.  I've already tried the removal steps that Norton suggested.  Couldn't remove it. I'm not even sure that Norton quarantined it because Norton returned a message box that says "Cannot delete - access denied".
> I'm going to try to delete in safe mode.



No worries, I thought you tried deleting it in safe mode already....oh well, if you haven't, give it a go


----------



## songwritingguy (Sep 26, 2004)

You're right.  I already tried deleting in safe mode.  Just tried it again - and same old "access denied".  How do I get rid of this thing?  I usually have great success with  PC TOOLS "Registry Mechanic".  This thing just won't go away!  Is there anything else I can try?


----------



## ZER0X (Sep 26, 2004)

Does it say access is denied, the source or file may be in use???


----------



## Lorand (Sep 26, 2004)

You can try MoveOnBoot.


----------



## ZER0X (Sep 26, 2004)

Have you tried this site, it has a variety of things that might help you

http://www.docsdownloads.com/


----------



## Lorand (Sep 26, 2004)

Now you are posting links?


----------



## ZER0X (Sep 26, 2004)

http://www.docsdownloads.com/Tier1/trojan.htm

That's a Trojan/bot remover... it was on that site as well, try it out


----------



## ZER0X (Sep 26, 2004)

Lorand said:

> Now you are posting links?



I knew you were going to say that Lorand    LOL


----------



## songwritingguy (Sep 26, 2004)

Zerox, Lorand,

You guys have been so helpful!!!!  Thank you.
I downloaded MOVEONBOOT and it rocked the house!
No more virus!!!
Thank you guys.
This site is invaluable.
Best regards.


----------
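An added example, not part of any post in this thread: what a delete-on-reboot tool does for a DLL that answers "access is denied" because a process still has it loaded, written for a current Windows system. It assumes an elevated PowerShell 3.0+ session and uses the file path reported above; the type name `Win32.NativeFile` is made up for the example.

```powershell
# Added example. Run in an elevated PowerShell 3.0+ session.
# $target is the path reported in the thread.
$target = 'C:\WINDOWS\SYSTEM32\KE32PC8GNDE.dll'

# 1. A DLL never appears as its own row in Task Manager; it is mapped into
#    host processes. List every process that has the file loaded.
$holders = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.FileName -ieq $target }) { $p }
    } catch { }  # protected processes refuse module enumeration
}
$holders | Select-Object Id, ProcessName, Path

# 2. While a process has the DLL mapped, a delete typically fails with
#    "access is denied", so queue the delete for the next boot instead.
#    MoveFileEx with a null destination and MOVEFILE_DELAY_UNTIL_REBOOT
#    records the request for the Session Manager to carry out at startup.
Add-Type -Namespace Win32 -Name NativeFile -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(
    string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# [NullString]::Value passes a real NULL; a bare $null would be marshalled as "".
$ok = [Win32.NativeFile]::MoveFileEx($target, [NullString]::Value, $MOVEFILE_DELAY_UNTIL_REBOOT)
if (-not $ok) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed with Win32 error $err"
}

# 3. Confirm the delete is queued: the path is written to this REG_MULTI_SZ value.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty -Path $sm -Name PendingFileRenameOperations).PendingFileRenameOperations |
    Where-Object { $_ -like '*KE32PC8GNDE.dll' }
```

Deleting the file does not remove whatever registered it to load, so re-scan after the reboot to check that it has not been recreated.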



## ZER0X (Sep 26, 2004)

songwritingguy said:

> Zerox, Lorand,
> 
> You guys have been so helpful!!!!  Thank you.
> I downloaded MOVEONBOOT and it rocked the house!
> ...



Hey glad I could help


----------



## ZER0X (Sep 26, 2004)

I might even use that site myself, has some pretty nifty programs and stuff on it


----------



## Lorand (Sep 26, 2004)

Glad it worked.  


> This site is invaluable.


Yeah, we are linking the Universe...


----------



## ZER0X (Sep 26, 2004)

> Yeah, we are linking the Universe...



You and those jokes Lorand   LOL


----------



## songwritingguy (Sep 26, 2004)

Ok Guys, one last question....
I've run SpyBot to make sure I've got no crap out there, and I get this result:  

Data source object exploit
HKEY_USERS/DEFAULT\Software\Microsoft\\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Should I be concerned with this, or is this nothing to worry about?


----------



## songwritingguy (Sep 26, 2004)

Forgot to add...here's what it's saying about this Registry change

Description
There's a security hole in IE allowing websites to execute code without asking you first. You can find more information at http://security.greymagic.com/adv/gm001-ie/


----------



## Lorand (Sep 26, 2004)

Just fix it, no need to worry.
That hole will exist forever in IE...


----------



## songwritingguy (Sep 26, 2004)

Will do.  Thanks again!


----------



## ZER0X (Sep 27, 2004)

Lorand said:

> Just fix it, no need to worry.
> That hole will exist forever in IE...



Yup no need to worry....just get rid of it


----------

