|
Trojan Horse Viruses
|
Cathlene
lightmagic211@msn.com
12/18/03
|
I have 7 trojan horse viruses on my PC.
1 SecThought A
2 SecThought B
1 Downloader.Small.CT
2 Downloader.Mlfree.A
1 TalksStocks.A
Please tell me how I can get rid of them. I have AVG, SpyBot Search & Destroy and Spyblaster, but none of them are able to take care of the viruses. Please help.
|
Snowman
12/18/03
|
Some of these things get in by exploiting Windows security holes, a la realphx, byteverify.
First thing is go to Windows Update and get the critical updates if you haven't already,
otherwise you'll quickly be reinfected.
Trojans are handled a bit differently from viruses.
Easiest thing to do is download this 30-day version of Trojan Remover. It's free.
Let it clean what it can. The link is:
http://www.simplysup.com/tremover/download.html
Then scan again using an online scan such as Housecall:
http://housecall.trendmicro.com/
|
Cathlene
12/19/03
|
Well, Trojan Remover says there are no trojan viruses and AVG says there are. Could someone please give me some more ideas, because either AVG is unreliable or T.R. is unreliable.
|
snowman
12/19/03
|
Cathlene:
Part of the problem is how various companies identify and name malware. Googling shows the first three are pretty much AVG-specific.
So either everyone else has a different name for them, or they don't consider them true trojans.
Lately there has been a mix of spyware or adware identified as trojans by one company but not by another.
Occasionally one company will detect a non-dangerous component as a trojan.
I think something of the sort is occurring here,
especially since you've run Spybot, Trojan Remover, etc.
I could mention that you can scan individual files online at Kaspersky, probably the most thorough antivirus available, here:
http://www.kaspersky.com/remoteviruschk.html
But I think you may still have ambiguous results.
I'd recommend that you post your question at this forum:
http://www.dslreports.com/forum/security,1
Click Start New Topic and include your operating system (XP etc.) in your post.
I think they'll probably have you run a HijackThis log, but wait till someone asks. That Trojan Remover found nothing would be of interest to them; matter of fact, mention that in your post title, something like "Trojan Remover finds nothing, AVG does".
I think you've done all you can here, and that forum has some trojan specialists who could tell if it's a false alarm or not.
Good luck.
BTW: that forum moves quite quickly. You'll have to monitor it closely.
|
Snowman
12/19/03
|
OK, I searched a bit on that forum I gave you and found this about talkstocks:
Trojan.Sinkin.B virus (Talkstocks.net)
November 14, 2003
Many users at Virginia Tech have noticed a problem with a certain website (talkstocks dot com). At this time, we do not know enough about this virus to provide assistance removing it from your computer. Please continue to check this site for more details.
Basically people believe it to be a realphx variant. Some question as to whether or not it's a proper trojan. Also being spoken of as an AIM virus (AOL Messenger).
Link to the relevant thread (which contains many links) is:
http://www.dslreports.com/forum/remark,8720231~mode=flat
Removal instructions for talkstocks:
http://www.ncsu.edu/resnet/pages/security/realphx.php
Like I said earlier, part of the problem is different vendors' names, and their inability, in some cases, to agree on what constitutes a real trojan.
I'll check back in a day.
|
Kim
Kbrookmad4you@wmconnect.com
12/30/03
|
I need help removing the Secthought.b trojan horse from my computer. I have run AVG and it says I have 2 viruses that can't be deleted, and then I ran Ad-aware and it found the viruses again, which I quarantined, but they still haven't been removed. I need to know how to get these off my computer! Please help! :o)
|
Kim
01/02/04
|
I got the same trojan tonight while searching the web for a DLL file. The trojan came up as install.exe and I thought it was the DLL file I was downloading. The site I went to was www.2think.org/dll/vbrun.shtml; it just popped up and started downloading, but thank goodness AVG detected it and healed it. So I was safe. I have no idea how to inform this website of this, so maybe someone can help me there.
|
JB
01/03/04
|
My AVG pulled up the secthought A & B trojans as well a few days ago. It quarantined them & healed or removed them. I still have this window that keeps coming up every once in a while now on its own & it's just blank. I immediately close it when it tries & pops up, too. I have Spybot as well, & I can't seem to get the updated definitions either, & I've read up on Spybot's forum that the download site is so busy that you should try a mirror, which I've done, & I still can't get the definitions downloaded. The secthought A & B came with an .exe file called stcloader.exe, at least I think so. I've also tried a few other a/v programs while uninstalling AVG & tried other anti-trojan software as well. I'll just have to see here if this damn window keeps coming up. I've also tried d/l-ing Google's toolbar, which I used to have B4 this secthought, & I know my BHO needs to be enabled or whatever. I also have the SpywareGuard program (Wilders security.net or org, or something) & enabled browser hijack protection, because I kept getting my browser homepage reset (hijacked) to www.popnav.com (or .net or something). This function is nice, because it grays out the homepage setting on IE Tools (Internet Options). I also know there's BitDefender out there, or whatever that is, to defend against a keystroke detector trojan/virus, or whatever detects one's keystrokes. Also, make sure your user accounts are only you & you alone, unless you have more than one profile (in Control Panel), & your guest account is off, & you are the administrator. I'm still learning stuff about these damn viruses/trojans/etc., & I have not even scratched the surface of this crap. I know, also, that you can look into downloading a list of restricted sites to install in your restricted zones under the Tools/Privacy menu, which I've done tonight as well.
Last but not least, if this window keeps popping up on me, I've had enough of this crap this past week & I will try & save whatever data I need on CD/DVD & delete my user profile & everything else & delete/reinstall my OS (Win XP). I've done it twice at least last year, so hello 2004. Oh---good luck, Kim, BTW!! Happy new year to ya as well.
|
JB
01/05/04
|
Okies, here goes--I was (& still am, almost) about to erase my HD (hard drive) & reformat it until I found "Bazooka", which finally found the spyware BS I was looking for on my system. I was able to Regedit 3 of the 4 programs off my system with this Bazooka, which all turned out to be parasites, installed somehow or another on my PC (imagine that). But, after rebooting & searching for this last one, "NavHelper", & not finding any more .dll's or anything in the registry (so far) for this, it (Bazooka) still says I have it, & yeah, I still keep getting this 1 popup, trying to get me over to www.popnav.com (or net, whatever), which it can't, because I've removed the files it needs to take me there. So I contacted the Bazooka dude & hopefully he can steer me the right way to remove it, but he (Bazooka) gives the website for this company who makes this NavHelper BS, which is spyware/parasite/"marketing" adware crap. Anyway---one way or another I'll get it off for good, & I'm saving all my important info on disk, as I'm long overdue for a data backup. Anywayz---I'm out---JB
|
ellie
ice_queen_2005@hotmail.com
01/07/04
|
Can someone please help me? I have been working on my 'puter for 24 hours straight and still I can't get it to run properly!
I have scanned with AVG and it says I have 5 viruses! But they are in a file that says c:\windows\staRtrwin. I have removed this file so many times it is sick, and still it comes back. AVG says the viruses are healed, but still the viruses return with this file. The file contains 427 .exe files I have never seen before, including free porn.exe, game.exe and 425 other .exe files; it is causing my 'puter to do strange things. Can someone please tell me what to do! I love the web and WinMX (where the file came from), but I am ready to call it quits with computing. My children love to do research, and with project deadlines approaching and no money for a repair man in sight, there must be an easier way. Please help, I know nothing about the computer except how to start it and do basic things.
|
snowman
01/07/04
|
Ellie:
Seems like hijacking. Try this first. You'll need to download and run a tool called CWShredder. It's free and may solve your problem. Go to this page:
http://www.merijn.org/cwschronicles.html#CW-shredder
Try that first.
|
H
01/07/04
|
Trojan Hunter is the best thing for that! If that doesn't get rid of them then I don't know what will. http://www.trojanhunter.com/ ... If you have AVG or any other, shut them down first, download updates and do a full scan!
H :->
|
KR
01/10/04
|
Just had this SecThought.B virus. It is the nastiest little bug my PC guy has seen. None of the repair or removal tools worked. End result is to wipe your PC clean!! I lost everything!! Do NOT burn programs and drivers off of your PC to reinstall. Junk it all.
I had to reinstall my Windows, virus protection, drivers, etc.
It sucks, but is the best way.
|
me
01/12/04
|
Help! I've got a trojan horse called BackDoor.Apdoor.B but nothing will fix it! I've tried AVG twice and Trojan Hunter but nothing works.
|
Frank
01/12/04
|
Consider this information from Symantec website:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.apdoor.html
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
|
Wesley
01/13/04
|
I've got that SecThought.B right now. Has anybody figured out a way to get rid of it?
|
Laura
ice64queen@hotmail.com
01/13/04
|
I have that nasty lil trojan secthought.b. It has so far infected two files in my restore area of my computer.
The files: C:\restore\temp\a0091400.cpy
C:\restore\temp\a0091716.cpy
Now it has affected my Resident Shield so it is no longer operating, and after running AVG again it is saying I have no viruses and I know I do.
HELP
|
snowman
01/15/04
|
Laura, it's in your restore folder.
Read this :
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
|
me
01/16/04
|
Going into safe-mode and deleting the file manually did the trick for me.
Thanks
|
KLM
01/16/04
|
popnav
I'm techno-disabled and I've recently started getting all of these Microsoft popups on my comp. Never had them before in a year, just the last 2 weeks or so. Ran Spybot and Ad-aware on the suggestion of AOL tech support (took their word 'cuz I really don't understand what is going on; college educated but techno disadvantaged). Both programs found lots of crap, which was "fixed", but popnav has taken over my Internet Explorer home page, and I'm still getting some offline popups (saying that the web page I'm looking for is not available offline and do I want to connect to the internet).
|
WESLEY
01/22/04
|
Help me please, I have the secthought.b in my Program Files. I don't know how to remove it; I tried AVG, but it doesn't remove it.
WINDOWS XP
C:\Program Files\Common Files
SLMSS-SLMSS.EXE
|
L
01/22/04
|
1. Right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.
7. Run your antivirus once more.
After rebooting, go back to System Restore and uncheck Turn off System Restore again.
This should work.
Good luck!
|
Faster23
01/22/04
|
After running Ad-aware 6.0 I could remove the virus. AVG still says that there is part of the virus at this location, which I have no way of accessing.
Location: E:\System Volume Information\_restore{2638028C-EOA6-4C2A-BO1E-DAB6A679B7F7}\RP65\A000911.EXE
Where the heck is that, lol... Yep, the kids were using AIM.
|
snowman
01/22/04
|
Faster,
it's in your restore folder.
Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and an antivirus will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder.
Look above at L's post, or get screenshot instructions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
|
Faster23
01/22/04
|
Thx, yes I had to turn off System Restore, which dumps the restore info, and voilà, it's gone. Whew... Maybe the new security update from Microsoft will fix the problem with AIM and not allow these sorts of viruses.
|
hingabo
01/24/04
|
Don't have a System Restore tab (Win98SE). How do I do this?
|
me
01/25/04
|
Either try going to Start > Programs > Accessories > System Tools > System Restore, then click System Restore Settings on the left hand side
OR
Start > Run > type MSCONFIG > press OK > Click Launch System Restore
|
tim
01/25/04
|
Win98SE doesn't have System Restore.
So it doesn't apply.
|
me
01/25/04
|
I didn't know that.
|
confused
llr1371_2@yahoo.com
01/28/04
|
I got the secthought b virus. I have tried AVG, Trojan Hunter, Trojan Grabber and Ad-aware to try to get rid of it with no success. It's putting icons on my desktop and not allowing certain files to open. It is moving my mouse all over the page. Will someone please help me fast!!
|
Mark
01/28/04
|
Confused: I don't know which version of Windows you have, but if it's XP or ME, have you read the previous posts about disabling System Restore before clean-up?
|
Rhonda
02/01/04
|
I also have the SecThought.B trojan horse on my computer. I'm also running AVG. If Windows 98 Second Edition doesn't have System Restore, how do I remove this crap off my computer? Can someone please help me!!
|
Mark
02/01/04
|
Rhonda, you need to download Ad-Aware (from Lavasoft) or Spybot Search and Destroy, install and update it, then run it and fix all items found. We'll see after that...
|
snowman
02/01/04
|
They're both free.
Ad-aware:
http://www.lavasoftusa.com/
or
spybot s&d:
http://www.safer-networking.org/
|
Rhonda
02/01/04
|
Hi Mark, thank you for your help. I downloaded Spybot and removed 132 threats. However, the folder STc (trojan horse SecThought.B) is still in my Program Files, as well as in my temp folder. AVG will not remove them and they are the problem. Do you have any more suggestions?
|
snowman
02/01/04
|
Rhonda: 'Till Mark gets back:
If the files are in use, the AV won't be able to clean them. You can boot into safe mode and then scan with AVG to get rid of them. That's probably the best option.
Safe mode:
http://service4.symantec.com/SUPPORT/tsgeninfo.nsf/docid/20010606080039
Or run an online scan at Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
or at CA:
http://www3.ca.com/virusinfo/virusscan.aspx
Both have good cleaning abilities.
You should temporarily disable AVG while running the online scans to speed them up.
BTW: I've noticed this secthought and AIM occurring together at times. Do you use AIM (AOL Instant Messenger)?
|
Mark
02/01/04
|
Nothing more to add... you're in good hands with the Snowman !!
|
Rhonda
02/01/04
|
Hi Snowman,
No, I'm not using AOL any more and never used Instant Messenger. Hmmm, I guess I'll try the online scan first and see what happens. Thanks for your help guys :)
|
Mark
02/01/04
|
If the online scan and the safe mode AVG scan fail, it'll be a job for HijackThis! Hopefully, the scans will be successful.
|
Rhonda
02/01/04
|
Hi Mark/Smowman,
I ran the online scan and it seems to have removed the 2 files that were causing the problem. Since then, when I opened my browser it was redirected to www.popnav.crap... do either of you know why this happens?
|
Rhonda
02/01/04
|
Sorry Snowman,
for misspelling your name... I also wanted to know if anybody knows anything about Popup Stopper and if it's a good idea to keep it.
Thanks
|
Mark
02/01/04
|
OK Rhonda... you have a lot of spyware on your box, and Popnav is a known nasty. Not easy to remove either. You'll need to graduate to a more powerful tool called HijackThis. This tool is powerful and needs to be handled with a lot of care. You can get it here:
http://www.spywareinfo.com/~merijn/downloads.html
Scroll down to "Official Downloads", and you can get HijackThis from there. Read the paragraph; there's a tutorial for the tool, as well as a link to take you to a specialized forum where you can have experts look at your HijackThis log for proper clean-up. This may sound horribly difficult, but it's not. You do not want to delete anything yourself using this tool; let the experts guide you. Here at Newbie, we can look at logs and spot the obvious baddies, but for complete success you need security experts...
|
Mark
02/01/04
|
And Popup Stopper appears to be legit. My suggestion: get rid of it and get the Google Toolbar. Less software on your box, and the Google bar is excellent for popups.
|
snowman
02/01/04
|
Found info on popnav.
But first: the online virus scans I gave you are legitimate, no nasties.
OK, McAfee calls it PopMonster.
"This program is detected as Adware-PopMonster application. It is not a virus nor a trojan."
and as a result "The detection of this type of file is not automatically activated."
Of some interest, this adds:
[windows directory]\Desktop\Eliminate Popups.url
[windows directory]\Favorites\Stop Popups.url
[windows directory]\Favorites\Internet Tools\Popup Blocker.url
Notice the similarity to the legitimate popstopper from Panicware.
Link to McAfee here:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100987
But better at Trend Micro, who call it TROJ_POPMON.A.
They give REMOVAL INSTRUCTIONS here at this link:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_POPMON.A#solution
Unlike McAfee, they detect this; read the removal instructions.
They'll ask you to run their online scan and write down all files detected as TROJ_POPMON.
Then follow the rest of the instructions.
The key file to get rid of appears to be MSrdk.xml.
Someone posted a quick and dirty method here at Newbie (no guarantees) and no response so far:
Run Find > All Files Containing Text with either the word "popnav" or "redirect". You will probably find a file in your browser labeled msrdk (file), C:\Windows\, XML document. Click on it, right-click, "Delete".
Try Trend Micro's description to remove this. THIS IS popnav, and we finally have a name for it.
To prevent this stuff use SpywareBlaster. It's FREE and pretty good:
http://www.javacoolsoftware.com/spywareblaster.html
"SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed."
Good luck, please post back if you still have problems or questions.
|
Mark
02/01/04
|
Snowman is on fire !!! And he ain't melting anytime soon !!!
Great work, you spyware squashing machine...
|
M
02/01/04
|
Where can I find a virus removal tool for a trojan horse dialer?
|
Rhonda
02/01/04
|
Thanks guys!!
|
Mark
02/01/04
|
Rhonda...don't leave us hanging !! Did you solve your Popnav problem ?
|
Liana
02/03/04
|
Hi guys,
I'm not sure how, but I have SecThought.B and n-CASE on my computer thanks to my brother. I wonder if they are related? I ran AVG; it moved 2 files to the Virus Vault, but when I reboot they're still there and the trojan still exists.
I read the above posts.
1) I run ME but I don't have the System Restore tab on My Computer properties. What now? I went to Accessories > System Tools > System Restore but there is no Disable, only 2 options: Restore OR Create Restore Point.
2) My AVG Resident Shield pop-up reads:
Virus
Trojan SecThought.B is found in file
C:\PROGRAM FILES\STC\SLMSS.EXE
To remove, please run AVG
(but that didn't work did it?)
--
3) I have 2 progs by n-CASE in my install/uninstall menu:
- Interstitial Ad Delivery by n-CASE
- PAD Lookups by n-CASE
But when I click Add/Remove, I get a dialogue box which reads:
You must be connected to the internet to uninstall. If you are already connected click OK.
So I did, but I get to this page
http://www.n-case.com/ncaseuninstall.html and the uninstaller wouldn't even download.
I found instructions on n-CASE removal on this page http://www.pchell.com/support/ncase.shtml but I'm not sure if I should get rid of the trojan first?
Thanks for all the help!
|
Liana
02/03/04
|
I just want to update with this:
I removed n-CASE successfully using the instructions on PC Hell.
But that trojan SecThought.B is still here.
|
snowman
02/03/04
|
Great, Liana.
You don't have to worry about the stuff in the Virus Vault. They can't do any harm there. That's similar to Norton's quarantine. There's usually an option somewhere to delete later from quarantine.
"The AVG Virus Vault is a special directory where the deleted files are stored for a defined period of time. They are encrypted so viruses cannot spread from them. But if you will find you really need a file you deleted several days before, you can go to the AVG Virus Vault and restore it."
You can try this as well:
Run an online scan at Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
or at CA:
http://www3.ca.com/virusinfo/virusscan.aspx
Both have good cleaning abilities.
You should temporarily disable AVG while running the online scans to speed them up.
|
Rhonda
02/03/04
|
Hi Mark,
I actually didn't solve the problem. I removed the folder (msrdk), but the folder came back. AVG is not recognizing any virus. So, do you still think I should worry about this?
|
Mark
02/03/04
|
Hey Rhonda. Did you try Trend Micro's removal technique suggested by Snowman? That thing doesn't appear to be life threatening to your machine, but it would be nice to clean it up!
|
Mark
02/03/04
|
Liana: to disable System Restore in ME:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam
Disable it, then do the scan(s) that Snowman suggests. Good luck.
|
Liana
02/03/04
|
Thanks Snowman and Mark! I finally removed SecThought.B, but Ad-Aware and Spybot wouldn't remove Popnav.
This is my HijackThis logfile:
Logfile of HijackThis v1.97.7
Scan saved at 12:31:28 PM, on 2/4/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\IEFEATURES.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\BDCZ2K.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HijackThis.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E7188-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
O4 - HKLM\..\Run: [BDCZ2K] C:\WINDOWS\SYSTEM\BDCZ2K.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4445535400} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4445535400} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {CAFEEFAC-0014-00-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37588.1495833
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f2.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
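As an added example (not part of Liana's post, and not HijackThis's own code), here is a small Python script that parses a HijackThis-style log into its R/O entries and applies a few of the review rules a helper on one of those forums would apply by eye: an Internet Explorer start page outside an allowlist, a Run value whose name has nothing in common with the executable it launches, IE policy restrictions being set, and an O16 control with no recorded download source. The allowlist and the name-mismatch heuristic are assumptions, not HijackThis rules; the sample log is a constructed excerpt copied from the log above.

```python
"""Parse a HijackThis-style log and pick out the entries a helper would review first."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample: a short excerpt copied from the HijackThis v1.97.7 log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows ME (Win9x 4.90.3000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\IEFEATURES.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4445535400} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {CAFEEFAC-0014-00-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
"""

# Assumed allowlist of acceptable start-page hosts; in practice the machine owner supplies it.
KNOWN_GOOD_HOSTS = {"www.google.com", "www.msn.com", "about:blank"}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]*)\} \((?P<name>[^)]*)\) -\s*(?P<url>\S*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|scr|bat))"?', re.IGNORECASE)


@dataclass
class Entry:
    code: str  # section code such as R0, O4 or O16
    body: str  # text after "<code> - "


def parse_log(text: str) -> List[Entry]:
    """Keep only the classified lines; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def host_of(value: str) -> str:
    """Host part of a start-page value, or the raw value for things like about:blank."""
    parsed = urlparse(value.strip())
    return parsed.netloc.lower() if parsed.netloc else value.strip().lower()


def name_matches_exe(value_name: str, cmd: str) -> bool:
    """Heuristic (an assumption, not a HijackThis rule): a Run value whose name shares
    nothing with the executable it launches deserves a second look."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return False
    base = m["exe"].replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    base = re.sub(r"[^a-z0-9]", "", base.lower())
    name = re.sub(r"[^a-z0-9]", "", value_name.lower())
    return bool(base) and bool(name) and (name in base or base in name)


def triage(entries: List[Entry]) -> List[str]:
    """Return one human-readable finding per entry that fails a review rule."""
    findings = []
    for e in entries:
        if e.code in ("R0", "R1") and " = " in e.body:
            key, value = e.body.split(" = ", 1)
            hive = key.split("\\")[0]
            if "Start Page" in key and host_of(value) not in KNOWN_GOOD_HOSTS:
                findings.append(f"{e.code}: start page set to {host_of(value)} ({hive})")
        elif e.code == "O4":
            m = O4_RE.match(e.body)
            if m and not name_matches_exe(m["name"], m["cmd"]):
                findings.append(f"O4: value name [{m['name']}] does not match {m['cmd']}")
        elif e.code == "O6":
            # Policy restrictions on a home PC are usually set by a hijacker, not the owner.
            findings.append("O6: Internet Explorer policy restrictions are set")
        elif e.code == "O16":
            m = O16_RE.match(e.body)
            if m and not m["url"]:
                findings.append(f"O16: {m['name']} has no recorded download URL")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt it reports the two popnav start pages, the [MSVersion] value that launches INTERNETFEATURES.exe, the O6 restrictions and the Java control with no source URL; the rules only flag entries for review, which matches the advice in this thread to have someone experienced read the log rather than deleting on a hunch.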
|
Mark
02/03/04
|
Hey Liana. There are some beauties in that log!! I am very tempted to get you to "fix" a few of them, but my conscience is holding me back... I don't have enough knowledge to be 100% sure of what I'm doing. HijackThis needs to be handled with extreme care, and I'd be an idiot to pretend to be an expert. I'm sure you see the baddies as well... I will refer you to specialized security forums, where people examine HijackThis logs all the time (for free) and would help you get rid of that pest in a flash. So here they are:
There are numerous security forums out there that do this. You need to register first, but it's all free. I've never used them myself, but have visited often. Here are a few that I know:
http://forums.tomcoyote.org/index.php?showtopic=3270 (click on "Register")
http://forums.techguy.org/t195064/s02911f059afa36edfc3c41d2659d06b7.html (click on "Register" above the banner)
http://www.computing.net/security/wwwboard/wwwboard.html (go to the bottom of the page)
http://www.computercops.biz/modules.php?name=Forums&file=viewtopic&p=61251 (click on "Login", then "New registration")
Good luck! BTW, Tom Coyote has a tutorial on HijackThis if you're interested:
http://mjc1.com/mirror/hjt/
|
Mark
02/03/04
|
This is driving me insane!!! I have to do something... OK Liana, you've gone to all this trouble to post a HijackThis log, so I will do a little something. I notice you have Messenger Plus! If you installed it with the "sponsor" program, then it loaded tons of nasty spyware. The secret with Messenger Plus! is to not accept the sponsor, therefore no spyware! But they make it appealing to people, so most click "Yes" to the sponsor. The trick here is to uninstall Messenger Plus! (with its uninstaller) and then download and install it again WITHOUT the sponsor. That could be your first step to removing stuff. If you want more help here, post a new HijackThis log after. My conscience is pushing me to do a little more for you; if I suspect that you may use HijackThis yourself to fix things, then I am obligated to guide you... We can remove many known nasties in confidence. Your call! I'm going to bed, so I'll check back tomorrow. If you decide to go to a specialized forum, tell me how it went!!
|
Liana
02/04/04
|
Mark, I have been using Plus for almost 1 1/2 years now and have never had any problems with it, maybe because I have never opted to install the sponsor with it. But as a precaution, I reinstalled it again anyway.
I'll try posting my log on one of the forums you listed and see what they have to say about that. Thanks again :)
|
jason
02/04/04
|
Usually running AVG, CWShredder, and Ad-Aware in safe mode will take care of most of the problems; then restart the computer and run them again in normal mode.
|
Rhonda
02/04/04
|
Hi Guys,
I tried Snowman's suggestion and did Trend Micro's removal technique. Their online scan didn't pick up popnav or another file that I found, ClearSearch. I followed their instructions anyway. I removed a couple of files in the Registry Editor and now we're good to go. How exactly do these things end up on our computer? Is this the only safe site to visit?
This is my son's computer that I'm fixing. He also damaged my computer beyond repair about a month ago. He keeps going to sites like runescape, cheatcc etc... Is this the problem? I also wanted to know if there is a firewall online that I can download, and will a firewall protect us from spyware/adware?
One other question. I downloaded Spybot Search and Destroy and I am unable to get updates in easy mode. Does this sound right? I'm thinking I need to buy the program or something.
Thanks a lot for your help.
|
Mark
02/04/04
|
Liana: it is safer to post there, rather than have me fix you up here. But a few of us here could look at your HijackThis log and fix the obvious. That could be enough. Go with your gut on this one. Like you mention, your Messenger Plus! install was probably clean. People reading this thread may think twice about accepting the sponsor though...
Good luck, and tell us how things go !
|
Mark
02/04/04
|
Hey Rhonda. I'm happy to see you've taken this mess head-on!! To answer your questions (as best I can):
How does spyware get on your computer: mostly through Active-X popups. Go to the Newbie homepage and have a look at Peter's article (Common answers) on ways to control Active-X from your browser. You can also download SpywareGuard (from JavaCool), which is a real-time spyware blocker (much like your antivirus program). If you go to JavaCool, get SpywareBlaster as well (it prevents spyware from installing). They're both free tools. You must update them frequently to get the best protection.
Your son: that's a toughie... Crack and hacker sites are known baddies. With the above tools and precautions, you'll have a better chance, but he can still find ways to mess things up! Safer surfing is the first line of defence. Firewalls, to my knowledge, are useless against spyware, but they are good against trojan virii and hacker attacks. There are some great free ones (Zone Alarm and Sygate come to mind). A cheap NAT router ($35) also provides an excellent layer of security against certain virii and hackers (some people call them "hardware firewalls").
SpyBot: I get that all the time!! Look closely at the SpyBot interface; up top, you'll see a big button for server location. SpyBot's default is "SpyBot Europe". That's fine if you do your updates in the evening, when Europe sleeps... If you like to do them in the morning or early afternoon, manually select the "USA" server (I forget its name, but there's only one). You should be good to go. You can't buy SpyBot, but you can make a donation. God bless 'em!!
|
snowman
02/04/04
|
Rhonda: Glad it's fixed.
SpyBot S&D is free. There isn't any better pay version. As to updating, it seems virtually no one can update using the default location.
Where it says download updates: To the right is the default location, usually UniDo Europe. Scroll down using the arrow beside it to another location. USA works well.
Example here;
http://www.safer-networking.org/index.php?page=howto&detail=update
"He keeps going to sites like runescape, cheatcc etc...Is this the problem? "
Yeah, that would definitely be a big part of it.
But Kids are kids. They're invulnerable at a certain age.
I'd install spywareblaster and/or spywareguard: They're both free
"SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed."
http://www.javacoolsoftware.com/spywareblaster.html
A pay antispyware product is spysweeper from webroot:
http://www.webroot.com/wb/products/spysweeper/index.php
Some people like it. Think it's worth paying for. Others think it's a good product, but you can accomplish the same for free.
At least it's reputable and you can download a trial. Saw cd's for sale at staples.
Since it's kid related, they tend to think that Mozilla Firebird is cool. It's also a safer browser. It also has its own popup blocker and ad blocker built in.
It's free and you keep your internet explorer as well. I recommend you try it.
http://www.mozilla.org/products/firebird/
A free easy to use firewall would be zonelabs zonealarm:
http://www.zonelabs.com/store/content/home.jsp
Also there is a free offer from microsoft /ca:
A package which includes firewall,antivirus etc:
http://www.zonelabs.com/store/content/home.jsp
Their firewall is zonealarm professional.
Kids hate firewalls though, and will find a way to turn them off.
A popup blocker is very good to have.
Google toolbar has a good one and it's free:
http://toolbar.google.com/
|
snowman
02/04/04
|
I keep posting at the same time as you Mark.
Yes there are ways to really increase the security of Explorer. ActiveX is the biggie. But you lose at least some functionality. Kids hate that. Just like they turn off firewalls "because it gets in the way".
That's why I'd recommend a browser that's good for them, "Firebird": no ActiveX, no popups, ads blocked etc., and it looks cool.
Forgot to mention Windows update. Get the critical updates.
|
Mark
02/04/04
|
Snowman, you must be my evil twin !!
:)
|
snowman
02/04/04
|
HaHa!
Rhonda: I gave a bad link to the free offer from Microsoft and Computer Associates, should be:
http://www.my-etrust.com/microsoft/
That's an anti virus plus firewall (zonealarm pro).
Though I think you can install components separately.
|
Rhonda
02/04/04
|
You guys are the best... If I had written to both of you before I took my computer to the shop, it would probably still work. Thanks again for all the info... I'll be in touch with more problems I'm sure.
|
Mark
02/04/04
|
The Firebird browser idea, from Snowman, is probably the most "doable" prevention for spyware. Don't hesitate to come back ; we, the spyware killer twins, can't get enough of this stuff...
|
Liana
02/07/04
|
Mark, I never did post on the forums, I ran Ad-aware and SpyBot instead and ran the Symantec online scan. I hope it's alright to post the last 3 of my logs here. Sorry for the long post.
LOG 2
Logfile of HijackThis v1.97.7
Scan saved at 11:08:40 PM, on 2/4/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\IEFEATURES.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ORPOLC.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\HijackThis.EXE
O3 - Toolbar: &Radio - {8E7188-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ORPOLC] C:\WINDOWS\SYSTEM\ORPOLC.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4445535400} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4445535400} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {CAFEEFAC-0014-00-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37588.1495833
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f2.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
LOG 3
Logfile of HijackThis v1.97.7
Scan saved at 11:16:48 PM, on 2/4/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\MIXER.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SRTEDITM.EXE
C:\MY DOCUMENTS\HijackThis.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
O3 - Toolbar: &Radio - {8E7188-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SRTEDITM] C:\WINDOWS\SYSTEM\SRTEDITM.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4445535400} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4445535400} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {CAFEEFAC-0014-00-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37588.1495833
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f2.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
LOG 4
Logfile of HijackThis v1.97.7
Scan saved at 1:56:30 AM, on 2/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\MIXER.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SRTEDITM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HijackThis.EXE
O3 - Toolbar: &Radio - {8E7188-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SRTEDITM] C:\WINDOWS\SYSTEM\SRTEDITM.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4445535400} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4445535400} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {CAFEEFAC-0014-00-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37588.1495833
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f2.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
I googled extensively to make sure I got rid of the correct files. So far Popnav hasn't made an appearance and my computer seems to be running fine. But I have a backup for O4 - HKLM\..\Run: [SRTEDITM] C:\WINDOWS\SYSTEM\SRTEDITM.exe
(This entry keeps changing with every log)
|
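An added example, not part of the thread, in Python: it parses the O4 (registry Run key) lines out of two of Liana's logs above and reports what changed between them, which is the practical way to spot an entry like the ORPOLC/SRTEDITM one that re-registers itself under a fresh name on every boot and so never matches the name you looked up last time. The log excerpts are copied from LOG 2 and LOG 3 above; the "same key, same directory" pairing rule is my own heuristic, not anything HijackThis does, and it only tells you which entry to research (as Liana did), not that the entry is malicious.

```python
import re
from pathlib import PureWindowsPath

# O4 lines copied from LOG 2 as posted in the thread; nothing here is invented.
LOG2_O4 = r"""
Logfile of HijackThis v1.97.7
Scan saved at 11:08:40 PM, on 2/4/2004
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ORPOLC] C:\WINDOWS\SYSTEM\ORPOLC.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
"""

# LOG 3 has exactly the same O4 lines except for the one entry that changed name.
LOG3_O4 = LOG2_O4.replace(
    r"[ORPOLC] C:\WINDOWS\SYSTEM\ORPOLC.exe",
    r"[SRTEDITM] C:\WINDOWS\SYSTEM\SRTEDITM.exe",
).replace("11:08:40 PM", "11:16:48 PM")

# "O4 - <hive>\..\<Run key>: [<entry name>] <command line>"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run[A-Za-z]*): \[([^\]]*)\] (.*)$')
# First executable-looking token, with or without surrounding quotes (heuristic).
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|pif|dll))', re.IGNORECASE)


def parse_o4(log_text):
    """Map (hive, key, entry name) -> command for every O4 line in a HijackThis log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            entries[(hive, key, name)] = cmd.strip()
    return entries


def exe_path(cmd):
    """Pull the executable out of a Run-key command, dropping quotes and trailing switches."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else None


def diff_autostarts(old_log, new_log):
    """Entries present in one log but not the other, keyed as parse_o4 returns them."""
    old, new = parse_o4(old_log), parse_o4(new_log)
    removed = {k: old[k] for k in old.keys() - new.keys()}
    added = {k: new[k] for k in new.keys() - old.keys()}
    return removed, added


def rotated_entries(old_log, new_log):
    """Pair each removed entry with an added entry under the same key whose executable
    lives in the same directory. That is the pattern in Liana's logs: the program
    re-registers itself under a new name, so matching on the name alone misses it.
    Relative commands (no directory) are skipped. Heuristic, not a verdict."""
    removed, added = diff_autostarts(old_log, new_log)
    pairs = []
    for (hive, key, old_name), old_cmd in removed.items():
        old_dir = str(PureWindowsPath(exe_path(old_cmd) or "").parent).upper()
        for (hive2, key2, new_name), new_cmd in added.items():
            new_dir = str(PureWindowsPath(exe_path(new_cmd) or "").parent).upper()
            if (hive, key) == (hive2, key2) and old_dir == new_dir and old_dir != ".":
                pairs.append((old_name, new_name, old_dir))
    return pairs


if __name__ == "__main__":
    removed, added = diff_autostarts(LOG2_O4, LOG3_O4)
    for k, v in removed.items():
        print("gone:", k, v)
    for k, v in added.items():
        print("new: ", k, v)
    for old_name, new_name, d in rotated_entries(LOG2_O4, LOG3_O4):
        print(f"entry rotating its name in {d}: [{old_name}] -> [{new_name}]")
```

Run against the two excerpts it prints the ORPOLC entry as gone, the SRTEDITM entry as new, and pairs them as one rotating entry in C:\WINDOWS\SYSTEM. Keep every log you take, diff each new one against the previous, and research the executable's directory and key rather than its current name.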
Mark
02/07/04
|
Well, Liana !! You seem to know what you are doing ! Your last logs do look good, but I'm not enough of an expert to confirm you're 100% clean. Time will tell. You seem to have been very careful with the tool, and that's imperative. Going to a security forum would have validated your efforts, and made the process much safer. I don't want newbies out there thinking "Hey, Liana did it, why not me"... You have skills and like to research what you do, which isn't the case for a lot of newbies.
Nice work, and safe surfing !
|
gary
02/15/04
|
Hey, I have this virus called trojan horse SecThought B and trojan horse StartPage.EJ. Can someone out there please help me so I can remove these viruses?
|
gotz lot of virus'
02/16/04
|
I was wondering if it's possible to have more than 6000+ viruses.
|
Mark
02/16/04
|
Why not !! Could be a Guinness record...
I'm guessing (going out on a limb here...) that you don't have a full time antivirus running.
If you haven't done it already, do an online scan. There's a good one here :
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
(click on "Scan your PC")
(make a big pot of coffee)
|
Marcy
MJones41@aol.com
02/18/04
|
SecThought.B
I get a pop up message when my system is idle only, that says I have this SecThought.B Trojan Virus. I have scanned with Housecall, Norton's, AVG, Spysweeper, Ad-aware 6.0 & Noadware, they all say my system is clear, yet this annoying thing pops up. How can I remove it? Also, I have a pop up at start up that says... Invalid Backweb application id 19405676, how do I get rid of that thing too?
Thanks
|
Mark
02/18/04
|
Hey Marcy. Do you have Windows XP or ME ? If so, you need to disable System Restore before you do your next scan. I suggest you try another scan, using Panda this time. Here's the link (don't forget to disable Restore first) :
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
(click on "Scan your PC")
Then, have AVG scan your computer again. Post back with results.
|
Marcy
02/19/04
|
Mark...I have XP..and no clue how to disable System restore, how do I do that? I've only had the system about 2 weeks and for the most part, I have spent more time, trying to keep viruses and spyware off of it than anything else!
|
Marcy
02/19/04
|
Mark... located the system restore disable... thanks... will scan now... let you know how it comes out
|
Mark
02/19/04
|
You have good research skills, I like that...
Awaiting results...
|
Marcy
02/19/04
|
Followed through with all the suggestions on removing that blasted pop up warning to no avail though. It is still popping up. It only does this when my machine is idle. The invalid backweb id pop up is still coming up too. Does it make any difference where it says the virus is? About the virus... It says: Virus SecThought.B is found in C:\System Volume Information\_restore then there is a SLEW of letters, slashes and numbers within brackets... then .exe
Thanks
Marcy
|
Mark
02/19/04
|
Hey Marcy. We'll eventually get this pest, don't worry...
About the Backweb thing, don't worry about it just yet ; it's just annoying, not a threat !
Ok. The virus/trojan is hiding in "Restore", where it cannot be deleted (Windows protects everything in Restore). You said you disabled System Restore ? Let's make sure : if using "Classic View", right-click the "My Computer" icon on your desktop and select "Properties". If using "Normal XP" view, click on "Start", then right-click on "My Computer", and select "Properties" ; then, click on the "System Restore" tab. Now put a "check" next to "Deactivate System Restore".
With Restore deactivated, run another AVG scan, but this time do it in Safe Mode (restart your computer : while restarting, tap the F8 key continuously until you hear a "Beep" (I think) and you should see a page with options to start in safe mode (select "Safe Mode"), then run AVG. Once done, restart your computer and you'll be back in regular mode. Post back...
|
Marcy
02/20/04
|
:) hi ho hi ho off to safe mode I go, I'll try this test, give it my best, to make the trojan go! OK, seriously, gonna give this a shot, thanks for your time and effort on this Mark, I do appreciate it
|
Marcy
02/20/04
|
Mark... while in safe mode, I could not get AVG to open and scan, something about a driver not being found... grr, what now?
|
Mark
02/20/04
|
That's weird... Ok, time for the big guns... Marcy, I will get you to download a tool called "HijackThis". This one is powerful, and needs to be handled with care. Once you get it, run it, then click on "Save log". DON'T FIX ANYTHING with it just yet !!! Copy and paste your log in a new post here so we can look at it. Depending on the severity, we may need to send you over to a more specialized forum, so that experts can help you further. Here's a link for that tool :
http://www.majorgeeks.com/download.php?det=3155
(click on the US flag)
|
Marcy
02/21/04
|
Mark... for whatever reason, even though I was unable to run AVG while in safe mode, I DID run the spyware programs, and they said they did not find anything, now the pop up is gone, at least it seems to be... so odd... anyway, thank you SO much for your help, now if I can just make the invalid backweb id popup go away!
|
M
02/25/04
|
Hey Mark, I followed all the steps you gave Marcy, everything till I got to safe mode, and I scanned it. What do I do now??
|
Mark
02/25/04
|
Hi M. I'm not sure I understand where you are with this... You've scanned with AVG in safe mode ? Was the scan successful (did it run all the way, did it find and fix anything) ??
|
M
02/26/04
|
Yes, I ran AVG in safe mode and it did pick up my viruses and it says it healed them... now what do I do?
|
Mark
02/26/04
|
Well M., if I understand correctly, you have followed instructions (meaning you disabled System Restore if you have XP or ME) and successfully ran AVG in safe mode, which corrected the problems ? If this is the case, you should be clean and good to go !!! (restarting your computer brings you back in "Normal" mode). Don't forget to re-activate System Restore. Since I have absolutely no information on your system, we'll leave it at that.
|
M
02/26/04
|
Wow Mark... I think you've done it... I greatly appreciate your help... THANK YOU
|
Mark
02/26/04
|
Glad to help, M.
For safety :
Always have an antivirus running full-time on your system (there is a good free one available, called AVG).
Use Mozilla "Firefox" (free browser) instead of Internet Explorer for much added safety against spyware.
Use SpyBot and/or Ad-Aware regularly (update first).
Download and run SpywareBlaster (from JavaCool) ; it's great prevention against spyware.
Never, EVER, download free stuff without researching first. There are a lot of imposters out there... Stop by Newbie for advice, if necessary.
|
Cedric
03/01/04
|
I have the same C:\Program Files\STC\SLMSS.exe Trojan horse that was mentioned above and I did the system restore thing that was mentioned and it worked, but when I turned it back on again to create a new restore point, the virus came back and I can't delete them again! I need a system restore point but these viruses keep stopping me. I have downloaded several Anti-Virus programs of the ones mentioned above but they all just seem to crash. My AV guard is the only one that works and that can't get rid of it.
Please help !!!
|
Mark
03/06/04
|
Hey Cedric. I've been away for a while, so I hope you read this. You seem to have misread instructions given above. What you need to do is DISABLE System Restore, instead of doing a Restore like you've mentioned... Ok, in simple terms : you cannot restore your system to a previous point in time if it has been infected by a virus. You need to disable Restore, because the virus can hide in restore points and would then be protected by Windows (it cannot be fixed by antivirus programs when hiding in Restore). Once System Restore is disabled, you run your virus scan which should find and fix the problem. Once clean, you can reactivate System Restore.
|
Liana
03/21/04
|
Hi guys, I'm back (probably not a good thing!)
Last I was here, I had managed to get rid of the trojan on my computer, and my hijackThis! Log proved that I was indeed clean. I even posted in a few forums to get 2nd,3rd,4th,5th opinions. I'm paranoid I know.
However this morning, AVG informed me it found the trojan in my restore folder. C:\_RESTORE\TEMP\A0176019.CPY and about 4 other similar entries.
My system restore isn't even enabled! I disabled it a long time ago even before I was infected so I'm not sure how the trojan got backed up there.
My question is, how do I empty that restore folder?
Note: This is an old computer given to me by someone so I have no restore disk or whatever.
Anti-SpyWare: Ad-Aware and SpyBot Anti-Virus: AVG OS: WinME
|