deaday.exe

I just found this while looking in my windows folder:

1. does anyone know what kind of virus it is ?

2. why did my norton anti virus not pick it up sooner ?

3. i have deleted it now is there anything else i need to do ?

 

That's the name of the infected file, but not the virus. What virus did Norton say it was?

The file itself doesn't seem to belong to anything.

 

THANK'S for replying,

it was something like javakiller or words to that effect
i know that probably aint much help.

i have since stopped norton from just scanning program files
and found seven other viruses in there all the same as the first
one in the they were all called javakiller ???

but i have bigger problems now i think i found a trojan called
backdoor trojan. Norton can not seem to do anything with it
it won't repair quarantine or delete it.

it does say that i should delete this file and replace it with a new one nut when i try to locate the file i can't seem to find it the only info i could copy from norton was this:

The file \Device\Harddisk0\Partition1\WINDOWS\system\winload.exe in compressed file C:\UNDO\BACKUP.CAB.


please help as im totaly in a panic now

 

Download and unzip the rx-pack from the site below to a convenient folder.

Run the Startuplog.com file. It will place a Startuplog.txt file on the desktop. Copy the full text and paste it to your next reply. The stubbpaths.txt is not needed.

If as a result of running Norton or any other action you have problems running exe files (which can happen after trojan cleaning), run the exefix08 file which is a part of the rx-pack.

http://home.earthlink.net/~rmbox/Reticulated/Toys.html


http://securityresponse.symantec.com/avcenter/venc/data/w32.javakiller.trojan.html

Also, there are many "backdoor" trojans, if Norton identified it, give the exact name.

I think you probably don't have to worry about this if it was all Norton found of the "backdoor trojan" -- it was not executed but somehow got placed in a backup cab archive.

The file \Device\Harddisk0\Partition1\WINDOWS\system\winloa
d.exe in compressed file C:\UNDO\BACKUP.CAB.

Had you run something like Partition magic, maybe a "cracked" version? I would just delete the backup.cab file which contains winload.exe, the trojan. Or if you feel that cab is something you need to preserve, you can try unzipping it and deleting winload.exe -- just be careful not to run it.

 

in your reply you said:

I would just delete the backup.cab file which contains winload.exe, the trojan. Or if you feel that cab is something you need to preserve, you can try unzipping it and deleting winload.exe -- just be careful not to run it.

Can you tell me how to locate this file as i have tried to do a search for the undo folder and i cant seem to find it. i have
even told windows to show hidden files and folders.

but i still cant find it

 

HERE IS THE OTHER INFO YOU ASKED FOR:

 

I don't see any evidence of javakiller there. Did you follow the instructions on the symantec link, or did Norton clean it? You might want to check the registry for the mirc keys indicated, they wouldn't come up on the startup log.

@="exefile" (.dl trojan executable file - RegPath = HKCR\.dl

Also if you run regedit and look at the Hkey Current Root key you should find an entry for

.dl Note the one L; you do not want to delete .dll

This is something that can be exploited by trojans and should be deleted. (right click, delete)

For the mysterious folder, if you enter:

c:\undo

in your address bar, it should come up if it is there.

Does Norton have it in a "quarantine" folder?

Are you scanning clean now, other than that?

 

Thanks again for the response.

i have followed all the instructions on the pages you linked to
for dealing with the javakiller virus. and i think that has been
taken care of.

in relation to the winload .exe i have completely deleted the
C:\undo\backup.cab file, is there any more i need do im checking
with norton again at the moment to see if my c drive comes up clean this time.

i will post again to let you know.

I have one further question do i need to replace the backup file
and if so how?

 

also im sorry but call me thick i did not understand the part of your post that went as follows:

@="exefile" (.dl trojan executable file - RegPath = HKCR\.dl

Also if you run regedit and look at the Hkey Current Root key you should find an entry for

.dl Note the one L; you do not want to delete .dll


i ran regedit but was unable to find that particular location
if possible could you please explain it a little more as you are
dealing with a bit of a idiot when it comes to regedit

 

OOPS!?

still running norton but it now says i have two backdoor viruses
in C:\incinerate c1.cab and C:\ incinerate c2.cab is this because i used system mechanics incinerator to get rid of the back up cab file and will i now have to delete those also through recycle bin ?

 

About the backup file, It is not a "Windows" component, I don't know what created it, but I don't think there is any way to restore it, and I doub't you will have any call for it.

On the .dl entry

What you need to do is run regedit and click on

+ HKEy_Classes_Root

Then scroll down to the 'd' entries look for

.dl

I can show you an attached picture, but you will not see that entry, just .dll which you do NOT want to delete.

.dl (with one L) should be right next to it. It may look like this:

.dl_

Possibly the underline was not displayed in the attached text copy of the startup log, but that is usually the way it is found

If you can't find it. I wouldn't worry too much about it. Legitimate programs will sometimes place that as a part of the install process for their dlls but not really use it after the install.

 

LOL, I don't know, but it sure sounds that way. I would just delete them in the normal manner and empty your recycle bin afterwards or they will show up there in the next scan.

 

hey guess what ?

now i cant find the incinerate file either.

it says in norton reports:
C:\INCINERATE\C2.CAB is infected with backdoor.trojan this cannot be deleted.

it also says the same for C:\INCINERATE\C1.CAB

 

Doesn't Norton place these things in a special Quarantine folder when it finds them?

What happens when you enter c:\incinerate in your address bar?

Did you rename your recycle bin "incinerate" ?

 

Norton can't repair quarantine or delete these files :

my comp takes me to the system mechanic incinerator bin:

NO !