Narrator Trojan Headaches

Recently I encountered the Narrator trojan for the first time. This baby was really challenging to my nerves, as it used some techniques that I hadn’t seen before. All the usual tricks of showing up in the Windows registry, or hiding out in the start menu were there, but I could have sworn that I cleaned them out. Yet every time the computer restarted, there they were – two instances of the trojan that I just couldn’t kill.

The first problem was that the filenames (one .dll and one .exe) were random. You’d see something like yknkoj.exe or ituked.dll. So I couldn’t just search on those names to find help on the internet. So I turned to Trend Micro, whose software I use in a number of places. Their virus encyclopedia is generally pretty good. But the search function on their site turned up nothing – even though the trojan was named in their software!

Finally I ran across this article by entering “narrator trojan” into Google. Strangely, in that article I found a link to Trend’s site for more details. Odd.

Anyway, that simply told me the regular stuff about hiding out in the registry – and I had already found those entries. Yet the blasted thing was still coming back! So then I tried another tactic, and attempted to delete the files myself. Didn’t work. They weren’t there. Even though they were listed as being found in particular locations, and I checked those locations after seeing that Trend couldn’t handle them, nothing. I ran spyware removal tools. I tried Trend’s online solution on the thought that the local version was out-of-date. Nothing.

I was about to scream, when I decided for some reason (divine inspiration, perhaps) to try to find the files myself. So I fired up the Windows search tool, which I don’t typically use because it’s slow and on a customer’s computer I often end up having to deal with that blasted dog, and entered the current name of the files. Bingo. It turns out that there was a file in the Windows prefetch folder that I hadn’t been able to find previously. I deleted this.

Then I searched for the name in the registry, and found another instance where the file was being loaded. It wasn’t in any of the typical run locations (and, in fact, I don’t recall where it was – sorry), and moreover it wasn’t even what I’d expect to see, as there was information appended to the end of the filename. For instance, instead of ukidoek.exe, it was ukidoek.exeCommonStartup or something similar. Probably a play on the ever-popular extension overloading issues suffered by Microsoft products.

Sure enough, after disabling these two instances by using msconfig, they stopped loading. I was unable to disable them myself because the entries weren’t in the normal locations, and it seems that the prefetch folder can actually load things even if they aren’t being called anywhere – as if these files are preloaded for you. A trojan or virus in there simply loads itself at boot time, no startup entry or registry entry or anything.

Once disabled, I was able to remove the files, and search again through the registry for the particular names that I deleted, and finally, wonder of wonders, everything cleared up. But it wasn’t easy. It seems that at least one trojan/virus writer has found some pretty nifty hooks into the Windows system. Hooks that aren’t among those usually found, and hooks that aren’t checked by at least Trend Micro. It detected the virus once running, but even an online scan with their latest product couldn’t remove the prefetch entries that were causing it to return over and over.
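The hunt described above (Prefetch folder, a registry-wide string search that also catches suffixed forms like "ukidoek.exeCommonStartup", and the Run keys that msconfig's Startup tab shows) as one read-only sweep. This is an added example written for this page, not the author's own procedure or any Trend Micro tooling; the stem name is a constructed sample, and the script only lists findings so they can be checked before anything is deleted.

```powershell
# Added example: enumerate every place the post found the trojan, for a given
# filename stem. Read-only: nothing is deleted or disabled here.
# Assumption: the suspect stem (e.g. 'ukidoek', constructed) came from the AV
# alert or Task Manager, as in the post.
param(
    [Parameter(Mandatory = $true)]
    [string]$Stem
)

# 1. Prefetch: trace files are named <IMAGE>-<hash>.pf (image name upper-cased,
#    but the filesystem match is case-insensitive).
$prefetch = Join-Path $env:WINDIR 'Prefetch'
Write-Host "== Prefetch entries for $Stem =="
Get-ChildItem -Path $prefetch -Filter "$Stem*.pf" -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime, Length

# 2. Whole-registry sweep (slow, several minutes): match the stem anywhere in a
#    value name or its data, so trailing junk appended to the .exe still hits.
Write-Host "== Registry values mentioning $Stem =="
foreach ($hive in 'HKLM:\', 'HKCU:\') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -like "*$Stem*" -or $data -like "*$Stem*") {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
}

# 3. The usual Run/RunOnce keys (what msconfig's Startup tab reads), for comparison.
Write-Host "== Run keys =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) { Get-ItemProperty -Path $k | Select-Object * -ExcludeProperty PS* }
}

# 4. Start-menu Startup folders (per-user and all-users), also mentioned in the post.
Write-Host "== Startup folder contents =="
foreach ($f in 'Startup', 'CommonStartup') {
    Get-ChildItem -Path ([Environment]::GetFolderPath($f)) -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}
```

Run it from an elevated prompt as `.\sweep.ps1 -Stem ukidoek`; anything it lists in Prefetch or the registry that is not in the Run keys is the kind of entry the post says the scanner missed.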


Comments

10 responses to “Narrator Trojan Headaches”

  1. david

    Narrator keeps starting on my XP Pro SP2 with an update Trend Micro 2005. Scanning shows no Trojans.

    Process Explorer likewise shows no unknown processes.

    Is there some new Trojan?

    My Narrator settings are off using Windows-U.

  2. Jon Hulka

    Thanks. I’ve been trying for a couple of days to get rid of a virus. I haven’t found this information anywhere else.

  3. Chad Everett

    Generally this is a problem because the file is actually running. Launch task manager and delete the process first, then try deleting the file. Alternatively, you could try safe mode, in the hope that it wouldn’t load prior to trying to delete the file. Another option may be to boot to a command console so that it doesn’t run the file.

  4. Patricia

    I too have found narrator on my system and managed to delete it in the run registry folder but as you say there are other random entries that I cannot find and when I try to delete the funny named exe file it won’t let me as it says it’s in use. I did delete one file with a funny name only to be in the position where I had obviously deleted an important windows file and I couldn’t start my computer. I had to go into dos and start through there, my computer is clever enough to re install the deleted file and now it’s ok – although this blasted trojan is still around and hiding and causing my browser to suddenly go to sites that I have never heard of and to my knowledge don’t exist – any suggestions would be gratefully received.

  5. Dp Comp

    I would like to thank the person who started this thread. I have been trying to delete Narrator for several hours now. This was the toughest trojan/nasty I have ever seen. Like a boomerang, it just keeps coming back.

  6. AB

    Nice work with the semi-walkthrough.. I had this stuff up the wazoo, and your clues helped me out of it. The following steps worked for me:
    1) Get rid of all of the “randomly” named files in the prefetch directory mentioned above, that you, by now, know very well (my nemesis was “VIVROU”).. lots of these prefetch files seem random, but if you’ve battled this trojan, you know the filenames you are looking for.. write down the strange ones, and punch them into Yahoo.. if you get no hits, it’s probably one you want to attack..
    2) Search, as noted above, in the registry for that string, and look for any others in the registry while you’re at it.. most of them hide out together so when it stops on the one you searched for, check above and below it in the registry folder that you are in, as there may be others.
    3) Get rid of the .EXE file with the same name in the C:\Windows\System32 folder.
    4) Next, disable the file in msconfig.exe (startup tab)
    5) Finally restart the machine.

    I don’t know if this will work for others, but those are the basic places (registry, prefetch, system32 folder, msconfig) that you need to keep deleting these files from, eventually I did it in the correct order.. and if you’re not quick about getting to the .exe file in system32 before you get all of the registry entries, or vice versa, it will regenerate itself and will be there when you reboot, even though you thought you got rid of it. This is a tough sucker, but I won, thanks to this column.. good luck!

  7. anon

    My goodness – such contempt for someone who was just trying his best to be informative!

    How about you use what he told you – well, that would require using your brain – but use what he told you and THINK through some of this. I had no idea what a prefetch folder was either, but you know what? I looked in Windows and there it was….gee….real hard, huh? And look and search the registry for the files the trojan is making. I’m finding that it renames them something different each time I restart! How can he tell you something he doesn’t know?

    At least he gave me a starting point and some ideas to check. For this I want to say thank you!

  8. anon

    Thanks for nothing. You have the solution and forgot everything. Why bother writing an article when you don’t provide any information? What is a “prefetch” folder? Where were the registry entries??!!!!! What the @#$%?

  9. L.B.

    Same problem on my end. What files were you referring to? I found the notorious vmss in the prefetch folder.

  10. Ted

    Good work! The local hardware/network guy I partner with on projects likes NOD32 for antivirus work.