
Re: Pandex trojan - Norton and AVG fail to remove it

Subject: Re: Pandex trojan - Norton and AVG fail to remove it
From: "Mortimer" <me@xxxxxxxxxxx>
Date: Wed, 23 Jul 2008 14:40:58 +0100
Newsgroups: uk.comp.misc

"Adrian C" <email@xxxxxxxxxxxx> wrote in message 
news:6eoco1F85s77U1@xxxxxxxxxxxxxxxxxxxxx
> Mortimer wrote:
>> Has anyone had problems removing the Pandex trojan from a PC which is 
>> infected? This trojan sends spam via a variety of SMTP servers.
>>
>> A customer has Norton 360 which successfully identifies that it has found 
>> Pandex, even during its boot-up checks, and during a virus scan it claims 
>> to have removed it and needs a reboot to finalise the process. But after 
>> the boot the thing is still there: you can see Norton trapping some of 
>> the emails and displaying suitable error messages.
>
> See
> <http://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99&tabid=1>
>
> Or enter 'pandex' in symantec's search page on
> <http://www.symantec.com/security_response/>
>
> The technical details page shows the name of files and settings that have 
> been added or changed by the trojan. Do these changes exist?
>
> Click the removals tab for removal details - Yes, Symantec products will 
> remove it but you have to disable system restore first.

Yes, I disabled System Restore. I also checked for the various tell-tale 
signs that the virus had been there (files created, registry values 
created), as described on the Technical Details tabsheet of the page that 
you mention. None of these existed except 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ip6fw 
(and so maybe had already been cleaned up); I deleted ip6fw manually. 
However, it came back on the next boot and Norton still displayed a pop-up 
about Pandex and the PC still tried to send messages to various SMTP 
servers, as shown in one of Norton's logs.

In their description, does their use of the word "drops" (as in "The Trojan 
also drops one of following files: %System%\drivers\ip6fw.sys / 
%System%\drivers\netdtect.sys") mean "creates the file if it does not already 
exist and modifies/infects it if it does already exist"?
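The post above describes checking by hand for the indicators listed on the Symantec writeup (the two driver files and the ip6fw service key) and finding that the key reappears after a reboot. The script below is an added example, not code from the thread or from Symantec: it checks the same indicators on a Windows machine and writes a timestamped snapshot so a run before and after the reboot can be compared. It assumes `%System%` from the writeup maps to `$env:SystemRoot\System32`; the file and registry paths are the ones quoted in the thread.

```powershell
# Added example (not from the thread): check for the Pandex indicators quoted
# above and snapshot the result so before/after-reboot runs can be compared.
# Run from an elevated PowerShell prompt. Assumption: %System% = SystemRoot\System32.
$system = Join-Path $env:SystemRoot 'System32'

# Indicators taken from the thread; Kind decides how Detail is filled in.
$indicators = @(
    @{ Kind = 'File';     Path = (Join-Path $system 'drivers\ip6fw.sys') },
    @{ Kind = 'File';     Path = (Join-Path $system 'drivers\netdtect.sys') },
    @{ Kind = 'Registry'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\ip6fw' }
)

function Test-PandexIndicators {
    foreach ($i in $indicators) {
        $present = Test-Path -LiteralPath $i.Path
        $detail  = $null
        if ($present) {
            if ($i.Kind -eq 'Registry') {
                # A service key points at the driver it loads; record ImagePath
                # so the key and the dropped file can be correlated.
                $props  = Get-ItemProperty -LiteralPath $i.Path -ErrorAction SilentlyContinue
                $detail = $props.ImagePath
            } else {
                # Size and last-write time help spot a file that was re-dropped
                # on reboot rather than left over from an earlier clean-up.
                $f      = Get-Item -LiteralPath $i.Path
                $detail = '{0} bytes, written {1:u}' -f $f.Length, $f.LastWriteTime
            }
        }
        [pscustomobject]@{
            Checked = Get-Date
            Kind    = $i.Kind
            Path    = $i.Path
            Present = $present
            Detail  = $detail
        }
    }
}

# One CSV per run; diff the files from before and after the reboot.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = Join-Path $env:TEMP "pandex-check-$stamp.csv"
$results = Test-PandexIndicators
$results | Export-Csv -NoTypeInformation -Path $out
$results | Format-Table -AutoSize
Write-Host "Snapshot saved to $out"
```

Run it once before deleting the key, once straight after, and once more after the reboot; if the service key or driver is `Present` again in the last snapshot with a fresh write time, something that survives the reboot is recreating it, which matches the behaviour the post describes. One caveat for the ip6fw entries: on Windows XP with the IPv6 stack installed, a legitimate `ip6fw.sys` and its service key can exist, so treat presence as a prompt to compare the file against a known-good copy rather than as proof on its own.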


