
I have a trojan


WWPierre


I was downloading dirty movies last week and I got a trojan. A red screen comes up and stays for 10 seconds. I took the computer down to the guy down the street, and he worked on it for an hour and a half. He said it was fixed and he loaded Adaware and Spybot search and destroy. Now it is worse: I keep getting popups. I don't have to be in Explorer, even. They throw me out of the game, even in SP.

I keep scanning with Adaware and if the popups don't make Adaware freeze up, there are always things to nuke.

The worst thing is, most of these popups are trying to sell me anti-popup programs.

Maybe I should have posted this in the rant section.

Pierre


Pierre, it's probably just using Messenger to do the pop-ups. Here is a completely free way to turn it off.

Start->Control Panel->Administrative Tools->Services

In the list of services look for the one named "Messenger" with a description of "Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start."

Double click it. Hit the Stop button if it isn't already greyed out.

In the "Startup type:" field, change the drop-down to "Disabled".

You don't need this service. Ever. It's used to broadcast messages over large networks.

If you are using IE, stop and switch to Mozilla. If you don't want to, then at least install a pop-up blocker like the one from Google.


HijackThis is a program that will ID everything running on your computer. Download it here:

http://64.233.167.104/search?q=cache:PdkOrx3vA_EJ:www.majorgeeks.com/download3155.html+hijackthis+1.98.2&hl=en

and install it and hit the "scan" button. Save the log. DO NOT delete anything without getting some advice. A couple of free help sites on the 'net will allow you to post your log, and they will tell what is infecting your computer, and what you can safely delete or which remover to run, to remove it. So far, nothing nasty out there that can't be cleaned up. Unfortunately, this won't last too long. More sh*theads producing new variants of nasties, than good guys writing removal programs.

For those of you who are not having problems, you should have the latest Spybot SD 1.3 updated to latest detection rules, and let it immunize you, set to "block bad pages silently." Spybot SD's TeaTimer has to do with your hosts file, but I don't use it, and I recommend you don't use it until it gets some more work on what's OK for the hosts file; don't bother with updates for it either.

You also need Adaware SE. First, update your Adaware and run it. Get rid of all cookies. (Makes first SE run easier to deal with.) Download SE and install it, and let it uninstall your old Adaware. Run Adaware SE in deep search mode, takes much longer, and then after removing any nasties, you can change it to "smart scan" for normal maintenance. Every once in a while, run it on deep scan mode, just to check it all. Of course, you need AV of some kind. Some free AV out there, but Norton is good, if you are buying. I like "CleanmyPC" popup blocker, but be aware, it's too good, you will never see popups, but will need to check for PMs on our forum manually, no big deal to me, I'm used to it, second nature now.


Here's a group that will help when you are having problems. Usually they ask for a HijackThis 1.98.2 log, or people just put it in the first post asking for help and describing the problem.
http://forums.spywareinfo.com/index.php?showforum=18

Here's my log, for example. It won't show other things on your HD, just what is running.

Logfile of HijackThis v1.98.2
Scan saved at 10:29:35 AM, on 10/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [saiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093191840625
O17 - HKLM\System\CCS\Services\Tcpip\..\{1621A2A4-5823-4CC7-9180-039C303D9BA6}: NameServer = 216.229.0.25,216.229.0.6
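
Added example, not part of the original post: a small Python reader for the HijackThis log format shown above. It separates running processes from the coded entries and lists the items a helper would ask about first, without deleting anything; the function names are illustrative, and the sample lines are taken from the log above with path separators written out.

```python
import re
from collections import defaultdict

# Entry codes that appear in the log above and what each one records.
SECTIONS = {"R0": "IE start page", "O2": "Browser Helper Object", "O3": "IE toolbar",
            "O4": "autostart entry", "O9": "extra IE button / Tools item",
            "O16": "downloaded ActiveX control", "O17": "Tcpip / DNS setting"}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample input: a few lines taken from the log above, path separators written out.
SAMPLE = r"""Logfile of HijackThis v1.98.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1621A2A4-5823-4CC7-9180-039C303D9BA6}: NameServer = 216.229.0.25,216.229.0.6
"""

def parse_log(text):
    """Split a log into the running-process list and entries grouped by code."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def clsids_to_look_up(entries):
    """CLSIDs of browser add-ons (O2/O3/O9/O16), the identifiers helpers search on."""
    codes = ("O2", "O3", "O9", "O16")
    return sorted({c.upper() for k in codes for e in entries.get(k, []) for c in CLSID.findall(e)})

def review_notes(entries):
    """Entries to ask about before touching anything: orphans and DNS settings."""
    notes = []
    for code, items in entries.items():
        for item in items:
            if item.endswith("(no file)"):
                notes.append((code, SECTIONS.get(code, "other"), "target file is missing", item))
            if code == "O17" and "NameServer" in item:
                notes.append((code, SECTIONS.get(code, "other"), "check these are your ISP's DNS servers", item))
    return notes

if __name__ == "__main__":
    procs, found = parse_log(SAMPLE)
    print(len(procs), "running processes;", clsids_to_look_up(found))
    for note in review_notes(found):
        print(*note, sep=" | ")
```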


Yes, I am spamming our forum. :lol: Browsing the net and waiting for UPS to show up, "what can brown do for you?" and deliver my new power supply. Anyway, I found this news article interesting. Similar to the trucker's prayer: "Lord, just once before I die, let me blow the wheels off a Greyhound bus.", is the computer helper guy's prayer, "Lord, just once before I die, let me take a cheese grater and shave off the nuts of a nasty program writer".

WASHINGTON Oct. 13, 2004 — In what regulators are calling a first, the government has asked for a court order to shut down a spyware operation.

The Federal Trade Commission says computer users who went to certain Web sites unknowingly had the snooping software downloaded onto their computers. The agency says it secretly changed settings, caused computers' CD-ROM trays to fly open and triggered barrages of pop-up ads for anti-spyware programs called Spy Wiper and Spy Deleter.

The FTC's acting director of consumer protection, Lydia Parnes, says selling software to fix a problem that you've caused is the very definition of "online chutzpah."

The FTC says computer users can protect themselves from the growing problem of spyware by keeping their operating systems and Web browsers updated and by being cautious when downloading software.

Me again, that shows you how lame the FTC is, first states that users unknowingly got the malware by visiting a site, and now says "being cautious when downloading software". Wonder if FTC knows the difference, I doubt it.


S! Sensei,

I do not have administrative services in my control panel.

I am using Win98

I do have a folder called Symantec Live Update, though.

I have Norton and all that stuff, I got it for Ghost, which I have never figured out how to use, but for some reason I stayed with AVG for Virus protection.

I understand that my data is not at risk, and this is only a nuisance, but what a nuisance it is: While writing this message, I have had to Ctrl/alt/del 6 popups.

When I started the computer this morning, AVG informed me of the trojan, and told me to start my computer with a virus free disk. (btw, this does not happen every time I boot up.) Does that mean a standard start-up disk? or some (another advt for a program to fix this problem just came up, I was tempted to click on it:) that makes 7) other disk.

I am not putting you guys in danger, am I?

I looked at AVG, and I cannot find (another one, free cursors this time, #8) a way to scan my system from within the program, seems it does it only at startup. I have already spent $100 on this and am willing to spend more, if I have to. Of course, the free methods will have to be explored first:)

Plague, I will look at the stuff you suggested later. BZ today with storm sewer installation in front of my bldg before the rains come back. A few grand gets me 8 or 9 parking spots, worth 5 grand a pop on the open market:)

Pierre


Not good news for Windows 98 users ....

http://www.itc.virginia.edu/desktop/docs/messagepopup/

However on this site:

http://www.pchell.com/support/ipmessaging.shtml it says:

What about Windows 95 or Windows 98 IP Messaging?

Although the technology for this type of IP Messaging is available in Win95/98, it was in the form of a program called WinPopUp. It can be installed or uninstalled from Add/Remove Programs. In Windows 95, it is found in the Accessories section, while in Windows 98 it is installed through System Tools.

Although the version in Win95/98 and the version in Win2K/XP are not compatible with each other, they do offer an interesting way to communicate between computers (as long as it's not abused). For more information on how to use WinPopUp or Windows Messenger to send and receive emails, you may want to visit the World of Windows Networking article on PopUp Messages.


You can also go Start -> Run -> type in "msconfig" without the quotes, and then click on the "Startup" tab and carefully check out what is automatically starting every time your computer boots up. If you find something suspicious - or just want to know what it is - go here:

http://www.processlibrary.com/

If this site identifies it as your problem, then "Uncheck" the entry so that it won't start, and then do a Search to find where it is installed on your computer and delete it. OR Google the name and see if you can find information on removing it.

Good luck. (BTW, the site Plague told you about is excellent.)

I haven't had any visible problems since my debacle of upgrading ME to XP. At that time my system was so full of crap I had to wipe my drive and reinstall everything. At that time I got and installed Norton Internet Security Suite. Then had to do it all again recently when I upgraded my MB. Also, on a lark and being ever the optimist, I also installed SP2 for XP. Having read about problems between Norton and SP2, I left Norton running during the installation to see what would happen. Much to my surprise, at the end of the SP2 installation a Norton window popped up telling me that SP2 was trying to duplicate some of the services that Norton provided and asked if I wished to turn them off. I turned off the XP services (firewall, pop-up blocker and adaware services), leaving Norton in charge of the system. Everything still seems to be in good shape. My question is, does NIS do enough to protect me or should I also have Spybot and Adaware installed?


My question is, does NIS do enough to protect me or should I also have Spybot and Adaware installed?


NIS is enough for firewall and AV and limited spyware. Adding Adaware and Spybot are good ideas for additional protection--NIS lacks good spyware protection (it's on its way but should have been there a long time ago).

By far the biggest thing you can do to reduce the threat of spyware is stop using IE and use another browser that isn't vulnerable to ActiveX objects attaching themselves.

Update...

Finally figured out how to run AVG. It found and removed a virus, but popups still continue. I did the msconfig thing Wring recommended, no difference. Ran Spybot, found some stuff. (The thing must be replicating itself in my computer)

I have just gone to the site Plague recommended, and sent a M'aider. Will keep you informed.

Pierre


S! Guys,

The Spywareinfo site Plague directed me to is awesome. I have been at it about 4 hours and it looks like the problem is pretty much fixed. The popups have stopped, AdAware can find nothing.......(at last scan). Spybot keeps finding 1 or 2, but I am dealing with that now.

At the Malware forum, I had step-by-step personal support in almost real time.

The neat thing is that I didn't go off the deep end as I usually do when confronted with this type of bullshit :lol:

Maybe I can get to fly a bit tonight!

Thank you, my brothers

Pierre


Glad to hear your current computer troubles seem to have been cured, Pierre.

One request... we need a new topic started in a public forum area in order to get this topic's title off the very top of the Portal page. It's not exactly something that visitors will find appealing... the first post-topic they see is "I've got a Trojan!" ;)

Glad you are getting it sorted out, Pierre. I would keep at it at that forum until your HijackThis log is blessed by the gurus helping you. Spybot S&D 1.3 has the "immunize" section, and it's safe and effective. I recommend people use it. Just one of the tools that helps keep the headaches down.
I use:
Spybot 1.3 "immunize"
NAV auto-protect always on
Software firewall full up unless I host, then down one notch
XP firewall unless I host- I could do better, and find out the single thing I need to adj. to host, so's to leave the rest of XP firewall on.


I run scans with Spybot and Adaware SE and NAV every 2-3 days. Or sooner, whenever I "think" something's not right.

Glad to hear your current computer troubles seem to have been cured, Pierre.

One request... we need a new topic started in a public forum area in order to get this topic's title off the very top of the Portal page. It's not exactly something that visitors will find appealing... the first post-topic they see is "I've got a Trojan!" ;)


:D OK - I just got something that I will post - "Warning to Men"

  • 11 months later...
Spybot 1.3 "immunize"
NAV auto-protect always on
Software firewall full up unless I host, then down one notch
XP firewall unless I host- I could do better, and find out the single thing I need to adj. to host, so's to leave the rest of XP firewall on.




Spybot 1.4 now.
NAV kinda sucks, try Avast, MUCH better.
XP Firewall: no thanks, not too bad, much better would be Outpost FreePro.
Also you could try to download MS's Anti Spyware program too (Beta). But only if you legally own WinXP.

Spybot 1.3 "immunize"
NAV auto-protect always on
Software firewall full up unless I host, then down one notch
XP firewall unless I host- I could do better, and find out the single thing I need to adj. to host, so's to leave the rest of XP firewall on.




Spybot 1.4 now.
NAV kinda sucks, try Avast, MUCH better.
XP Firewall: no thanks, not too bad, much better would be Outpost FreePro.
Also you could try to download MS's Anti Spyware program too (Beta). But only if you legally own WinXP.


Uh-oh...
