date: Wed, 23 Jul 2008 09:46:27 +0100
group: uk.comp.misc
Pandex trojan - Norton and AVG fail to remove it
Has anyone had problems removing the Pandex trojan from a PC which is
infected? This trojan sends spam via a variety of SMTP servers.
A customer has Norton 360 which successfully identifies that it has found
Pandex, even during its boot-up checks, and during a virus scan it claims to
have removed it and needs a reboot to finalise the process. But after the
boot the thing is still there: you can see Norton trapping some of the
emails and displaying suitable error messages.
I've scanned in Safe Mode with no networking. I've temporarily installed AVG
Free and scanned with that in Safe Mode: it claimed to find and disinfect a
trojan in winlogon.exe. But still the virus is present.
I've also scanned with Spybot 1.6 and removed the threats that it found.
I can't see any rogue programs being started in Start | Programs | Startup
or HKCU/HKLM | Software | Microsoft | Windows | Current Version | Run.
Any suggestions? The various "How do I remove Pandex" articles found from a
Google search seem to imply that Norton, AVG, Panda and Kaspersky will find
and remove Pandex successfully.
It's getting to the stage where a rebuild might be quicker than
investigating further...
date: Wed, 23 Jul 2008 09:46:27 +0100
author: Mortimer
|
Re: Pandex trojan - Norton and AVG fail to remove it
Mortimer wrote:
> Has anyone had problems removing the Pandex trojan from a PC which is
> infected? This trojan sends spam via a variety of SMTP servers.
>
> A customer has Norton 360 which successfully identifies that it has found
> Pandex, even during its boot-up checks, and during a virus scan it claims to
> have removed it and needs a reboot to finalise the process. But after the
> boot the thing is still there: you can see Norton trapping some of the
> emails and displaying suitable error messages.
See
<http://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99&tabid=1>
Or enter 'pandex' in symantec's search page on
<http://www.symantec.com/security_response/>
The technical details page shows the name of files and settings that
have been added or changed by the trojan. Do these changes exist?
Click the removals tab for removal details - Yes, Symantec products will
remove it but you have to disable system restore first.
When the time comes, don't renew a subscription to Norton 360. Although
it has 'caught' the virus, the dumbing down of vital information and
sense of false security that is given to casual PC users, is IMO
dangerous. Norton do better products and so do the competition.
Resources here : http://www.getsafeonline.org/
--
Adrian C
date: Wed, 23 Jul 2008 10:42:23 +0100
author: Adrian C lid
|
Re: Pandex trojan - Norton and AVG fail to remove it
"Adrian C" <email@here.invalid> wrote in message
news:6eoco1F85s77U1@mid.individual.net...
> Mortimer wrote:
>> Has anyone had problems removing the Pandex trojan from a PC which is
>> infected? This trojan sends spam via a variety of SMTP servers.
>>
>> A customer has Norton 360 which successfully identifies that it has found
>> Pandex, even during its boot-up checks, and during a virus scan it claims
>> to have removed it and needs a reboot to finalise the process. But after
>> the boot the thing is still there: you can see Norton trapping some of
>> the emails and displaying suitable error messages.
>
> See
> <http://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99&tabid=1>
>
> Or enter 'pandex' in symantec's search page on
> <http://www.symantec.com/security_response/>
>
> The technical details page shows the name of files and settings that have
> been added or changed by the trojan. Do these changes exist?
>
> Click the removals tab for removal details - Yes, Symantec products will
> remove it but you have to disable system restore first.
Yes I disabled System Restore. I also checked for the various tell-tale
signs that the virus had been there (files created, registry values
created), as described on the Technical Details tabsheet of the page that
you mention. All of these except
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ip6fw did not exist
(and so maybe had already been cleaned up); I deleted ip6fw manually.
However it came back on the next boot and Norton still displayed a pop-up
about Pandex and the PC still tried to send messages to various SMTP
servers, as shown in one of Norton's logs.
In their description, does their use of the word "drops" (as in "The Trojan
also drops one of following files: %System%\drivers\ip6fw.sys /
%System%\drivers\netdtect.sys") mean "creates the file if it does not already
exist and modifies/infects it if it does already exist"?
date: Wed, 23 Jul 2008 14:40:58 +0100
author: Mortimer
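The two posts above check persistence points by hand: the Startup folder, the HKCU/HKLM Run keys, and the HKLM\SYSTEM\CurrentControlSet\Services\ip6fw key from the vendor writeup. The script below is an added example (not from this thread, and not Symantec's or any vendor's tool) that enumerates those same locations in one pass so the output can be compared line by line against a writeup's "Technical Details" list. It assumes an elevated Windows PowerShell prompt on the suspect machine; the driver file names ip6fw.sys and netdtect.sys are taken from the thread, and a name match on its own is only a prompt to compare the file's location and start type against the writeup, not proof of infection.

```powershell
# Added example for the thread above: list the autostart locations the posters
# checked manually (Run/RunOnce keys, Startup folders, kernel driver services)
# and flag any driver whose file name appears in the writeup quoted in the thread.
# Assumption: run as Administrator; $SuspectDrivers comes from the thread, not from
# any vendor-published indicator list.

$SuspectDrivers = @('ip6fw.sys', 'netdtect.sys')

function Get-RunKeyEntries {
    # Run and RunOnce under both hives, as checked by hand in the original post
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user and all-users Startup folders (Start | Programs | Startup)
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path $dir)) {
            Get-ChildItem -Path $dir -File |
                ForEach-Object { [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName } }
        }
    }
}

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # Driver ImagePath values come in several forms: "\??\C:\...", "\SystemRoot\...",
    # or a path relative to %SystemRoot% such as "system32\drivers\foo.sys".
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverServices {
    # Type 1 = SERVICE_KERNEL_DRIVER. Start: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath
        if ($svc.Type -ne 1 -or -not $svc.ImagePath) { return }
        $file = Resolve-DriverImagePath $svc.ImagePath
        $leaf = [System.IO.Path]::GetFileName($file)
        [pscustomobject]@{
            Service    = $_.PSChildName
            Start      = $svc.Start
            ImagePath  = $file
            FileExists = Test-Path $file
            # Name matches one quoted in the thread; verify against the writeup before acting
            NamedInWriteup = ($SuspectDrivers -contains $leaf.ToLower())
        }
    }
}

Write-Host '== Run / RunOnce keys =='
Get-RunKeyEntries | Format-Table -AutoSize

Write-Host '== Startup folders =='
Get-StartupFolderEntries | Format-Table -AutoSize

Write-Host '== Kernel driver services (NamedInWriteup = name matches the thread) =='
Get-KernelDriverServices | Sort-Object NamedInWriteup -Descending | Format-Table -AutoSize
```

Running this before and after a reboot, and saving both outputs, gives a concrete record of which entries reappear, which is exactly the behaviour the poster describes with the ip6fw service key. Because the thread also notes the malware has rootkit hooks on the compromised machine, a listing taken from the running system may be incomplete; the registry hive read from another OS (a recovery environment or the disk mounted elsewhere) is the more trustworthy comparison.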
|
Re: Pandex trojan - Norton and AVG fail to remove it
Mortimer wrote:
>
> In their description, does their use of the word "drops" (as in "The Trojan
> also drops one of following files: %System%\drivers\ip6fw.sys /
> %System%\drivers\netdtect.sys") mean "creates the file it does not already
> exist and modifies/infects if it does already exist"?
>
A "drop" will be a file replacement or creation. Some virus writers have
been known to go to war with other virus writers and replace each other's
files. Sometimes this crashes PCs :-(
Googling "virus forums pandex" or "virus forums Cutwail" might give some
insight into fixes. This virus unfortunately downloads its own updates and
has rootkit hooks into the compromised machine.
--
Adrian C
date: Wed, 23 Jul 2008 15:39:28 +0100
author: Adrian C lid
|
Re: Pandex trojan - Norton and AVG fail to remove it
"Mortimer" wrote in message
news:mY2dnbj9HPJ1chvVnZ2dnUVZ8tXinZ2d@posted.plusnet...
> Has anyone had problems removing the Pandex trojan from a PC which is
> infected? This trojan sends spam via a variety of SMTP servers.
>
> A customer
Pass his details on to me and I'll contact him directly. If he knew you
were charging to pass on information you got for free on a newsgroup he
might be annoyed.
What's your company called so we can spread the word to avoid it!
Best leaving it to the experts, people like you that play about without
knowing what you're doing often cause far more problems - and you will look
silly when you have to hand it back!
date: Thu, 24 Jul 2008 19:09:24 +0100
author: Paul P
|
Re: Pandex trojan - Norton and AVG fail to remove it
Paul P wrote:
> Pass his details on to me and I'll contact him directly.
You forgot, your email address doesn't work!!!!
--
Adrian C
date: Fri, 25 Jul 2008 13:05:21 +0100
author: Adrian C lid