Spyware, Viruses, & Security forum

General discussion

QUESTIONS ABOUT TROJAN VIRUS

by binatog / December 1, 2004 1:47 AM PST

My PC-CILLIN alert showed three Trojan viruses in my files:

TROJ DYFUCA.R
TROJ DYFICA
Trojan Back Door.2.H (i'm not sure i remembered this one correctly)

I downloaded AVG7 to remove them.

Did i do enough? Please help.

Re: QUESTIONS ABOUT TROJAN VIRUS
by Marianna Schmudlach / December 1, 2004 1:55 AM PST

If you have WinME or XP:

Browse to the C:\Documents and Settings\User Name (repeat for all users)\Local Settings\Temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

Then Disable system restore: Instructions here.

Reboot

Finally, do an online scan using Trend Micro Housecall. It is available here.

Enable system restore.

Re: QUESTIONS ABOUT TROJAN VIRUS
by binatog / December 1, 2004 2:29 AM PST

Thanks. Appreciate the prompt help. This place is great!

You're Welcome ;)
by Marianna Schmudlach / December 1, 2004 2:40 AM PST

Re: QUESTIONS ABOUT TROJAN VIRUS
by krisrao / December 1, 2004 4:39 AM PST

I just used Trend Micro's Housecall for the first time this week. It found a lot of Trojan Horses - a real shocker since my patches are up-to-date, I use NAV, work behind a firewall and do not go to disreputable web sites (or so I thought).

Anyway, Housecall finds Trojans and says they cannot be removed. How do I remove the Trojan Horses? Effectively and cheaply.

Thanks.

Re: QUESTIONS ABOUT TROJAN VIRUS
by Marianna Schmudlach / December 1, 2004 5:05 AM PST

Please download a free evaluation copy of a trojan scanner and perform a trojan scan. Be sure to update first. This program should be used in conjunction with an AV as it is a dedicated trojan removal program.
http://www.TrojanHunter.com

Re: QUESTIONS ABOUT TROJAN VIRUS
by roddy32 / December 1, 2004 5:15 AM PST

Hi Kris
After you take Marianna's advice for getting rid of them, to help prevent the problem next time, these programs are free and help to block SOME malware. Most AVs block SOME but not all trojans. They are more geared towards viruses. These programs won't make you totally secure either, but they WILL help. They are blockers, so once you get them downloaded, set up, and updated, you can forget about them except for checking for updates once a week or so on the first one, but not as often on the second because it works in a different way.

SpywareBlaster
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard
http://www.javacoolsoftware.com/spywareguard.html

Re: QUESTIONS ABOUT TROJAN VIRUS
by krisrao / December 1, 2004 9:01 AM PST

Thanks Roddy and Marianna,

I have run Trend Micro's HouseCall and "The Cleaner" available at CNET Downloads.

HouseCall found Trojans but the Scan Result was "Non Cleanable" on all of them - what does this mean?

The Cleaner found 20 Trojan Horses. Do I just let the program clean them or do I risk deleting files the OS or some other program needs? I have Windows 2000 as the OS but a filename C:\winnt\polmx3.exe was quarantined. I would be happy to post the results of the detection programs.

I forgot to mention I use Spybot's Search and Destroy and am happy with it. I do have a problem with popups. I have used Popup Cop and Google's pop-up blocker - should I re-install? And/or install the two programs Roddy suggested? My concern is that there are so many programs something will conflict. And this will only get some malware (or most malware?)
Is there no better way?

Re: QUESTIONS ABOUT TROJAN VIRUS
by Marianna Schmudlach / December 1, 2004 9:14 AM PST

Hi krisrao

I would let the Cleaner put the trojans in quarantine first - then wait a couple of days and if everything is running fine - then delete everything you had in quarantine -

You CAN delete:

C:\winnt\polmx3.exe !

I would be happy to post the results of the detection programs.

O.K. :)

Roddy is correct - you should download both programs he mentioned. SpywareBlaster works together with SpybotS&D (immunize) there are NO conflicts running these 2 additional programs.

Re: QUESTIONS ABOUT TROJAN VIRUS
by krisrao / December 1, 2004 10:06 AM PST

Hi Marianna and Roddy,

I will let the 20 Trojans from "The Cleaner" sit in quarantine for a couple of days. I found it hard to analyze the 7 Trojan Horses found by HouseCall and displayed in the tiny window, but they seem to be different from the ones "The Cleaner" detected - I have not deleted them yet. Sounds like I should just delete them. Trojans are separate files independent of program files - right?

I will load the two programs Roddy suggested. I am thinking a new browser (Firefox) and a software firewall (ZoneAlarm) will also help. I am backing up my system now - will let you know tomorrow how it goes. G'night.

Re: QUESTIONS ABOUT TROJAN VIRUS
by Marianna Schmudlach / December 1, 2004 10:15 AM PST
Trojans are separate files independent of program files - right?

Right - trojans are also "easier" to remove than worms or viruses.

Yep, Firefox is a good choice - you will never look back :) But you have to keep IE for downloading patches and updates!

Did you already delete the "stuff" Housecall found?? If yes, and if you have WinME or XP, you have to flush your system restore points!

Like this: Disable system restore: Instructions here
Reboot

Enable System Restore.

Good Night :)
Re: QUESTIONS ABOUT TROJAN VIRUS
by krisrao / December 1, 2004 8:38 PM PST

Hi Marianna,

Yes, I deleted the 7 Trojans HouseCall found. Then I did the delete process at the very beginning of this thread with the noted differences:
1> Docs&Settings\rao\Local Settings\Temp - deleted all folders and files including Temporary Internet Files, Cookies and History (though it warned me that these are System Folder files and that a program may not work correctly). Why are these 3 files in so many places? Also, in going back in I notice that many files are created again - from The Cleaner perhaps

2> C:\WINNT\Temp - deleted all files including Cookies, History and Temporary Internet Files (I have Windows 2000 as an OS on an IBM T23 laptop). Again a complaint of System Folder Files

3> IE > Tools > Options > General - Deleted all files incl. offline content, history, cookies etc.

4> Also Docs&Settings\rao\Cookies

5> Did not disable System Restore since I do not have XP

6> Emptied Recycle Bin

7> Rebooted

Unfortunately I got a Registry Editor dialog box "Cannot import C:\Docume~\rao\locals~1\Temp\cetec.reg:Error opening the file. There may be a disk or file system error." The next three reboots did not have this error.

I have The Cleaner running and it complained about unexpected activity. In the registry I deleted a Web rebates entry. Cleaned everything again and rebooted. No registry problems or The Cleaner alarms.

Re: QUESTIONS ABOUT TROJAN VIRUS
by Marianna Schmudlach / December 1, 2004 11:34 PM PST

This is also a temp file:

C:\Docume~\rao\locals~1\Temp\cetec.reg

How are you doing - everything o.k. ??

May I assume you have Win2000?? Then browse to the C:\Documents and Settings\User Name (repeat for all users)\Local Settings\Temp folder and delete all files and folders in it.

Repeat ALL users !!!

Re: QUESTIONS ABOUT TROJAN VIRUS
by krisrao / December 2, 2004 2:45 AM PST

Hi Marianna,

I am fine - just frustrated with this time waste. I still have to do 2 more personal computers - XP machines with SP2 - but I am going to leave it 'till this platform is stable and proven.

I have just loaded 4 new pieces of software (SpywareBlaster, SpywareGuard, ZoneAlarm and Firefox) with reboots in between. Ran NAV once. You get the idea.

It is cool to be using Firefox now. Still need to check out the connection to the company via VPN etc.

Appreciate the help - couldn't have done without you and Roddy's help.

Can you give me a lesson on these temp files? I swear I have deleted them thrice today and they are still coming back:

1- C:\Documents and Settings\rao\Local Settings\Temp folder has files and folders again - where are they coming from?

2- One of the files is an application randreco.exe that I deleted off my desktop (it was in a folder)

3- Two of the files will not delete (Sharing violation - the source or destination folder may be in use). Files are ~DFC9D8.tmp and ~DFA2E8.tmp - any idea where they come from?

4- Where does Firefox put the equivalent of temp, history, cookies etc.?

5- Cleaned out C:\Documents and Settings\rao\Local Settings\History and Temporary Internet folders as well. Also one level up, cookies deleted.

6- Did all the above for Default User, Administrator. All Users had no Local Settings folder. Index.dat files did not delete from History, Temp Internet, cookie folders etc.

7- Emptied recycle bin

Thanks for the help.

Re: QUESTIONS ABOUT TROJAN VIRUS
by Marianna Schmudlach / December 2, 2004 3:21 AM PST

Hi Kris

yep, I get the idea Happy

You will never get rid of all the temp. files - as soon as you do something on your computer - temp. files are generated - that's how I "feel" it.

Well, I found Internet Sweeper a long time ago and I am still using it - oh, it is still there - this is the FREE version: http://www.majorgeeks.com/download264.html

.......

then there is a "tweak" to clear the temporary internet files each time you close internet explorer.

1. Launch Internet Explorer.
2. Select the Tools from the menu bar.
3. Then select Internet Options... from the drop down menu.
4. Once the internet options has loaded click on the advanced tab.
5. Under security find where it says Empty Temporary internet files folder when browser is closed and check it.
6. Click OK
.....

Firefox - open Firefox -> tools > Privacy

.........

INDEX.DAT is a hidden index of the Web sites you visit and the E-mail you send. It is not deleted when you use Windows to clean out temporary Internet files and so is generally available for investigative work even if you think you have cleaned out your browsing history.

Under Windows XP INDEX.DAT files are found in a much larger number of locations...

\Documents and Settings\<Username>\Cookies\
\Documents and Settings\<Username>\Local Settings\History\History.IE5\
\Documents and Settings\<Username>\Local Settings\History\History.IE5\MSHist<Long String of Numbers>\
\Documents and Settings\<Username>\Local Internet Files\Content.IE5\
...and more depending on software installed/used (e.g., Office, Outlook)

How can I manage the INDEX.DAT files? While you can find these files and delete them (if you are worried about them being used to track browsing or E-mail history) the easiest way to manage these files (and other such tracking data) is to use a utility designed for this purpose. In particular, take a look at...

Read more here:
http://filext.com/faq/idx/0/027/article/

Note: Browsers such as Mozilla Firefox and others generally store their history information in different formats and do not make use of the INDEX.DAT file.

...........

You also can clean your Prefetch folder regularly! (C:\Windows\Prefetch)

.........

You also could use:

[Quote]
When in Safe Mode, open Notepad and paste in the following lines:

rem stray *.tmp files in the root of C: (the original had a stray space, "del c:\ *.tmp", which would target every file in C:\)
del c:\*.tmp
rem current user's temp folder (quoted, since the path usually contains spaces)
del /f "%temp%\*.*"
rem prefetch and the system temp folder
del "%windir%\prefetch\*.*"
del /f "%windir%\temp\*.*"
rem del does not expand * inside a folder name, so loop over each profile
for /d %%U in ("C:\Documents and Settings\*") do del /f "%%U\Local Settings\Temp\*.*"

Save to desktop as 'clean.bat'. Make sure before you save to set 'file types' to all types ( *.* ). [/quote]

Double-click on the icon, and say Yes when prompted.

...........

You also could use the Disk Cleanup Utility to empty all your Temp folders

......

I hope you didn't get a "headache" reading this "stuff" ;)

Trojan Horses - Hopefully final stages
by krisrao / December 2, 2004 5:06 AM PST

Hi Marianna,

Thanks for the detailed reply - I like them because I feel I am going to get this problem resolved faster.

The only reason I asked about the temp files is because they might be Trojan Horses. My objective is to get rid of them from my machine. I will worry about privacy another day.

I do not feel safe yet. Again only concerned about Trojans...

1 - On boot up ZoneAlarm alerts me that "LSA Executable and Server DLL (Export Version) is trying to access the Internet"

2 - WebRebates0 was a process running (Task Manager)

3 - Temp files are created and do not delete in spite of me shutting down every application

Going through the above three issues in more detail:

1 - My search on LSA turns up your advice from October. You mention W32/Rbot-BZ. I saw HKLM earlier from The Cleaner - this is what took me into the registry where I deleted it - I think. Can you help me confirm it is out of my registry and completely off my machine?

1A - On this particular file "LSA Executable and Server DLL (Export Version)" ZoneAlarm says it is a normal Windows 2000 file.

2 - WebRebates0.exe is caught by ZoneAlarm asking to go to the internet. This is after I reran The Cleaner and never launched IE. I feel that after all the work I have not killed all Trojans. How do I kill this one?

2A - After a reboot and denying web access I see I have two processes, WebRebates1.exe and WebRebates0.exe - how do I kill these?

2B - Do I need a better diagnostic tool - HijackThis?

2C - I see that there are others who have WebRebates showing up in their HijackThis logs

Thanks

Re: Trojan Horses - Hopefully final stages
by Marianna Schmudlach / December 2, 2004 5:28 AM PST

Hi Kris,

you are doing great ;)

2 - WebRebates0.exe is caught by ZoneAlarm asking to go to the internet. This is after I reran The Cleaner and never launched IE. I feel that after all the work I have not killed all Trojans. How do I kill this one?

Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can (or use Process Explorer)

WebRebates1.exe
WebRebates0.exe

Go to Add/Remove Programs (START, settings, control Panel) and uninstall these apps (all may not be listed)
anything with a name similar to MyWay, MySearch, MyWebSearch, etc

WebRebates

Reboot

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Go to
C:\Program Files\WebRebates and DELETE the folder!

Reboot

Run Ad-Aware with the latest update.

Download the latest version of Ad-Aware (Ad-Aware SE Build 1.05) from Major Geeks.

If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.

After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.

Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".

Once the definitions have been updated:

Reconfigure Ad-Aware for Full Scan as per the following instructions:

-Launch the program, and click on the Gear at the top of the start screen.

-Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)

- Automatically save logfile"
- Automatically quarantine objects prior to removal"
- Safe Mode (always request confirmation)
- Prompt to update outdated definitions - Change to 7 days.
- Click the "Scanning" button (On the left side).
- Under Drives & Folders, select "Scan within Archives"
- Click "Click here to select Drives + folders" and select your installed hard drives.
- Under Memory & Registry, select all options.
- Click the "Advanced" button (On the left hand side).
- Under "Shell Integration", select "Move deleted files to Recycle Bin".
- Under "Log-file detail", select all options.
- Click on the "Defaults" button on the left.
- Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
- Click the "Tweak" button (Again, on the left hand side).
- Expand "Scanning Engine" by clicking on the "+" (Plus) symbol) and select the following:
- "Unload recognized processes during scanning."
- "Obtain command line of scanned processes"
- "Scan registry for all users instead of current user only"
- Under "Cleaning Engine", select the following:
-"Automatically try to unregister objects prior to deletion."
-"During removal, unload explorer and IE if necessary"
-"Let Windows remove files in use at next reboot."
- "Delete quarantined objects after restoring"
- Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
- Click on "Proceed" to save these Preferences.
- Click on the "Scan Now" button on the left.
- Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".

- Close all programs except ad-aware.
- Click on "Next" in the bottom right corner to start the scan.
- Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
- After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Plug-Ins for Ad-Aware (VX2 Cleaner)
Download the free VX2 Cleaner here

Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
Install the VX2 Cleaner
Start Ad-Aware SE build 1.05
Go to "Plug-ins"
Select the VX2 Cleaner plug-in and click "Run Plugin"
If your computer isn't infected, click "Close".

If your computer is infected:

Select "Clean System"
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer

Virus warnings while performing a scan with Ad-Aware

While performing a scan with Ad-Aware, a background antivirus monitor may issue an alert, stating that a virus has been found in the temporary directory (%temp%) for the current user. This does not necessarily mean your computer has been infected with an active virus. Most antivirus resident scanners will not scan compressed files and only monitor your memory for the sign of an active viral process.

During a scan, Ad-Aware will temporarily decompress files to scan their contents without activating the content, but in doing so, the file is noticed by the antivirus' resident scanner.

Also, some antivirus applications include an option to quarantine infected files, and when Ad-Aware decompresses these quarantined files, the antivirus background scanner detects the virus moving outside the quarantine area. To avoid this you can either remove the quarantined files via your antivirus application, or have Ad-Aware ignore the antivirus program's quarantine folders/files during a scan.
Then,

Download SPYBOT Search and Destroy here if it is not already installed on your computer. Also download the DSO Exploit Fix - HOTFIX here
Install the program and then start it. Once the program has started make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the "Check for Problems" button. When the Check is over All problems displayed in red are regarded as real threats and should be dealt with. Make sure they are all selected and click the "Fix selected problems" button.

Finally, do an online scan using Trend Micro Housecall. It is available here.

If your problems are gone -

Then Disable system restore: Instructions here
Reboot

Enable System Restore.
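Marianna's steps above (end the WebRebates processes, uninstall, delete the folder, reboot) can be done by hand as she describes. As an added example, not from this thread and not from any of the tools it names, here is a PowerShell script that does the same hunt in one pass: it lists running processes, Run/RunOnce registry values, Startup-folder entries and Program Files folders whose name matches a pattern, and only removes anything when -Remove is given (and -WhatIf still previews). The default pattern is the names Marianna lists (WebRebates, MyWay, MySearch, MyWebSearch); everything else is an assumption: a current Windows host with PowerShell, which the Windows 2000 laptop in this thread did not have, run from an elevated prompt so the HKLM key can be edited.

```powershell
# Added example: hunt for a named adware/trojan in the usual persistence spots.
# Assumes a modern Windows host with PowerShell and an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Pattern = 'WebRebates|MyWay|MySearch|MyWebSearch',   # names from the thread
    [switch]$Remove                                                # report only unless set
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# 1. Running processes whose image name or full path matches the pattern
Get-Process | Where-Object { $_.Name -match $Pattern -or "$($_.Path)" -match $Pattern } |
    ForEach-Object {
        Write-Output ("PROCESS  pid={0} name={1} path={2}" -f $_.Id, $_.Name, $_.Path)
        if ($Remove -and $PSCmdlet.ShouldProcess("$($_.Name) (pid $($_.Id))", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

# 2. Run/RunOnce values whose value name or command line matches
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = $item.GetValue($name)
        if ($name -match $Pattern -or "$cmd" -match $Pattern) {
            Write-Output ("AUTORUN  {0}\{1} = {2}" -f $key, $name, $cmd)
            if ($Remove -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }
}

# 3. Shortcuts or executables dropped into a Startup folder
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir -File | Where-Object { $_.Name -match $Pattern } | ForEach-Object {
        Write-Output ("STARTUP  {0}" -f $_.FullName)
        if ($Remove -and $PSCmdlet.ShouldProcess($_.FullName, 'Remove-Item')) {
            Remove-Item $_.FullName -Force
        }
    }
}

# 4. The install folder itself (C:\Program Files\WebRebates in the thread)
foreach ($pf in $programDirs) {
    Get-ChildItem $pf -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } | ForEach-Object {
            Write-Output ("FOLDER   {0}" -f $_.FullName)
            if ($Remove -and $PSCmdlet.ShouldProcess($_.FullName, 'Remove-Item -Recurse')) {
                Remove-Item $_.FullName -Recurse -Force
            }
        }
}
```

Run it once without -Remove to see what it finds, then `.\hunt.ps1 -Remove -WhatIf` to preview, then `.\hunt.ps1 -Remove` and reboot; a second report-only run after the reboot is the check that nothing re-created itself. The order matters: stopping the process first is what lets the folder delete succeed, which is the same reason Marianna has you kill the processes before going to Safe Mode.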

Good luck Kris
by roddy32 / December 1, 2004 11:10 AM PST
About the popups Kris
by roddy32 / December 1, 2004 9:32 AM PST

I wouldn't worry about that until you have your system clean. If the popups are coming from the trojans, the popup blockers won't help much. Once you are done getting everything cleaned out, then reinstall whatever popup blocker you like. I am not familiar with Popup Cop; it may or may not be good. I know that Google's is safe, but so are a lot of others. The malware/trojans are your most important thing now.
