
HOW do these KEEP getting in??

Discussion in 'Virus & Other Malware Removal' started by unstresst, Apr 27, 2004.

Thread Status:
Not open for further replies.
  1. unstresst

    unstresst Thread Starter

    Joined:
    Jan 3, 2003
    Messages:
    772
    For the third time in two weeks... hit with trojans again.
    Spybot didn't detect them.
    I'm using the free version of AVG. It notified me that it (a trojan) had arrived. I ran a full scan (free version of AVG) and the trojans didn't show up; they're still there.
    I'm up to date on my Windows updates.
    ...HOW THE heck are these freakin' things getting in?
    Where do they come from?
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Note: Anyone running Windows XP and ME should turn off system restore
    to avoid reinfection while deletion of spyware, viruses etc is being
    enacted by spybot's search and destroy and adaware etc.!

    go to this site and download these tools and once you get both
    adaware and spybot, update both of them. Set adaware to deep scan and
    delete everything adaware finds and delete what spybot finds marked in red.

    adaware 6.181
    CWShredder
    HijackThis.

    run the first three, but with cwshredder, close all programs
    and browsers and click the fix button.

    then do a hijack this log, click save the log and post it on
    here so we can have a look at it for ya.

    All programmes can be downloaded here at this link!

    http://www.majorgeeks.com/downloads31.html

    cwshredder can be got here

    http://www.merijn.org/downloads.html

    khaz

    to stop reinfection get these two tools, spywareguard and spywareblaster from

    www.javacoolsoftware.com
     
  3. unstresst

    unstresst Thread Starter

    Joined:
    Jan 3, 2003
    Messages:
    772
    one more question....
    There's three user accounts on this machine.
    If a trojan hits--[appears] while I'm on my account, could it end up in the files of another account?
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hmm, good question but if you do the clean up hopefully it shouldn't matter?

    khaz
     
  5. unstresst

    unstresst Thread Starter

    Joined:
    Jan 3, 2003
    Messages:
    772
    done with the suggested maneuvers... scan log below
    ================================================
    Logfile of HijackThis v1.97.7
    Scan saved at 10:40:50 PM, on 4/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
    C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\NEWMIK~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
    O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
    O16 - DPF: ConferenceRoom Java Client - http://216.152.65.174:8000/java/cr.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_2us.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4346/mcfscan.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
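    The HijackThis log above is the kind of listing these threads revolve around. As an added example that is not part of the thread and not code from HijackThis itself, here is a small Python triage script that parses lines in that format and points out the entries a helper would usually review first: O4 autostart entries launched from a Temp folder, and O16 downloads fetched from a bare IP address or a non-standard port. The sample lines are constructed (modelled on the posted log), and the regular expressions and review heuristics are my own assumptions, not rules stated anywhere on the page; the script produces hints for a human reviewer, not verdicts.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread).

Assumptions, none of which come from the original post: the log is the
plain-text format HijackThis v1.97 prints, one entry per line starting
with an "O<n> -" or "R<n> -" tag. The heuristics below are defender-side
review hints only: they say which lines a person should look at first.
"""
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the shape of lines in the posted log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP
O4 - HKLM\\..\\RunOnce: [DELDIR0.EXE] "C:\\DOCUME~1\\NEWMIK~1\\LOCALS~1\\Temp\\DELDIR0.EXE" "C:\\Program Files\\McAfee\\"
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: ConferenceRoom Java Client - http://216.152.65.174:8000/java/cr.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.emachines.com
"""

# One entry per line: a section tag (O4, O16, R1, ...) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<tag>[OR]\d+)\s+-\s+(?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
# Per-user temp locations, in both the 8.3 and the long-name spelling.
TEMP_DIR_RE = re.compile(
    r"\\(LOCALS~1|Local Settings)\\Temp(orary Internet Files)?\\", re.IGNORECASE
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_entries(text):
    """Return a list of (tag, body) for every well-formed entry line; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("tag"), m.group("body")))
    return entries


def review_hints(text):
    """Return a list of (tag, reason, body) for entries worth a closer look."""
    hints = []
    for tag, body in parse_entries(text):
        if tag == "O4" and TEMP_DIR_RE.search(body):
            # Legitimate software rarely autostarts from a user's Temp folder.
            hints.append((tag, "autostart entry launches from a Temp folder", body))
        elif tag == "O16":
            # O16 lines record ActiveX/Java controls IE downloaded; note where from.
            for url in URL_RE.findall(body):
                parsed = urlparse(url)
                host = parsed.hostname or ""
                if IPV4_RE.match(host):
                    hints.append((tag, f"control downloaded from bare IP {host}", body))
                elif parsed.port not in (None, 80, 443):
                    hints.append((tag, f"control downloaded from non-standard port {parsed.port}", body))
    return hints


if __name__ == "__main__":
    for tag, reason, body in review_hints(SAMPLE_LOG):
        print(f"[{tag}] {reason}\n    {body}")
```

    Run it against a saved HijackThis log by reading the file into `review_hints`; entries it does not flag are not thereby clean, they simply do not match these two cheap heuristics.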
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
  7. unstresst

    unstresst Thread Starter

    Joined:
    Jan 3, 2003
    Messages:
    772
    I will post results of those on-line scans later.

    For now.....Is it possible that one of those on-line scan sites could be feeding people
    a trojan horse?
    When I started running those scans AVG's resident shield informed me it found this:
    Trojan horse PSW.Bispy.B
    and a few minutes later:
    Trojan horse PSW.Bispy.A
     
  8. unstresst

    unstresst Thread Starter

    Joined:
    Jan 3, 2003
    Messages:
    772
    Trojan horse PSW.Bispy.B

    ravantivirus finds these:

    Scan started at 4/28/2004 5:12:33 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\Heather\Local Settings\Temp\bi4.cab->biprep.exe - TrojanSpy/Win32.BiSpy.A -> Infected
    C:\Documents and Settings\NEW MIKES\Local Settings\Temporary Internet Files\Content.IE5\3I1J9LOM\icq_help.tripod[2]->(SCRIPT0014) - JS/Loding.B* -> Infected
    C:\Documents and Settings\NEW MIKES\Local Settings\Temporary Internet Files\Content.IE5\DRBO2WH7\icq_help.tripod[2]->(SCRIPT0014) - JS/Loding.B* -> Infected
    C:\RECYCLER\S-1-5-21-889127505-756921068-3962847104-1009\Dc149.cab->biprep.exe - TrojanSpy/Win32.BiSpy.A -> Infected

    Scanned
    ============================
    Objects: 77156
    Directories: 2972
    Archives: 6562
    Size(Kb): 1051367
    Infected files: 4

    Found
    ============================
    Viruses found: 2
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 1617
    +++++++++++++++++++++++++++++++
    ++++++++++++++++++++++++++++++++
    +++++++++++++++++

    ..House call found none
    +++++++++++++++++++
    ++++++++++++++
    +++++++++++
    ...Pandascan found none
     
  9. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    ok, they all seem to be in temp files and possibly in system restore? Did you disable system restore?

    Download AVG6 from

    www.grisoft.com

    update it and run it, if it finds any viruses use the option to heal, delete, or quarantine into virus vault.

    Also, clean out your temp files, open a web page in IE6, click tools/internet options/
    clear cookies and delete files.

    Then go to windows explorer/tools/folder options/view/choose the option view all hidden files.

    then go to your documents folder/local settings/temp folders and delete them all!

    repost another log .

    khaz
     
  10. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    oops, sorry, you have AVG, try updating it and running again, and as I said delete all those temp files

    i'm reading too many logs!

    khaz
     
  11. unstresst

    unstresst Thread Starter

    Joined:
    Jan 3, 2003
    Messages:
    772
    rav free scan ...done.

    found two instead of four

    C:\Documents and Settings\Heather\Local Settings\Temp\bi4.cab->biprep.exe - TrojanSpy/Win32.BiSpy.A -> Infected

    C:\RECYCLER\S-1-5-21-889127505-756921068-3962847104-1009\Dc149.cab->biprep.exe - TrojanSpy/Win32.BiSpy.A -> Infected

    I think I've eliminated the first one.

    I can't find hide nor hair of anything called C:\RECYCLER anywhere
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    C:\RECYCLER is the Recycle Bin.

    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    In safe mode empty the Recycle Bin.

    Also in safe mode navigate to the C:\Documents and Settings\Heather\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Also go to Control Panel > Internet Options. On the General tab under Temporary Internet files click "Delete Files" then click OK.
     
  13. unstresst

    unstresst Thread Starter

    Joined:
    Jan 3, 2003
    Messages:
    772
    ...While in safe mode I had access to two different places related to the recycle bin.

    The "RECYCLE" bin was already empty... BUT C:\RECYCLER had some files in it.

    Should this C:\RECYCLER have been emptied also??

     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    C:\RECYCLER is the recycle bin.
     
Short URL to this thread: https://techguy.org/224417