Annoyances.org
Trojan Horse Dialer
Windows Me Annoyances Discussion Forum


Trojan Horse Dialer
Monday, February 17, 2003 at 3:11 pm
Posted by Ray (5 messages posted)

I have just received this Virus. I don't know how or why I have it. I have AVG 6.0 Windows antivirus installed on my computer. It detects it but can't remove it. It appears to be in the following file C:\SYSTEM VOLUME INFORMATION\_RESTORE-(3EB9FF84-3515-40AE-9B03-14A9EB553DB9)-RP204\A0139088.EXE CAN ANYONE HELP? RAY


re: Trojan Horse Dialer
Monday, February 17, 2003 at 3:35 pm
Posted by Mac (2831 messages posted)

Free on-line Anti-Virus check: HouseCall Anti Virus & Panda On-Line 

And another from Symantec: Norton-Symantec

On-line security check from: Symantec Security Check

Configure your connection to protect your bios, etc.

SpyBot is a VERY revealing program! Click on Language flag.
Automatic Deletion of all TIF, TEMP & index.dat files. Delindex & EmpTemp

USE YOUR Windows Start-up diskette (bootdisk) to get to the A:\prompt and type:

A:\>DEL C:\_RESTORE

to delete the _RESTORE file and make sure that this file is not listed in any A-V 
"exclusions".

PerformanceImprovement

AlwaysUnloadDll 9x/ME

NTFS/FAT  



Iain
Uninstall PCHealth, System Restore, Windows Help, msinfo32.exe, etc: rundll.exe setupx.dll,InstallHinfSection Uninstall 132 C:\WINDOWS\INF\PCHealth.inf


re: Trojan Horse Dialer
Monday, February 17, 2003 at 3:35 pm
Posted by Ms. Eagle (33507 messages posted)


Probably because it's not a trojan virus, so AV programs won't get rid of it. It's 
a spybot application, so download and run SpyBot Search and Destroy: 

SpyBot S&D

It looks for spyware, but also targets dialers, keyloggers and much more, and it's 
freeware. After installing, go to the Online tab, and search for and install all 
updates. 

Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks.' 
You can always experiment with them later on. Just scan for the spybots for now. 
After closing your browser (signing off), run the scan, then click 'Check All', and 
have SpyBot remove all it finds. 

Note: SSD will sometimes not be able to remove all active components on the first 
'fix'. You will then get a dialog asking you to run SSD at next start. Click yes 
and reboot. SSD will then come up before the system puts these components 'in use'. 
You will then be able to 'fix' everything.


re: Trojan Horse Dialer
Monday, February 17, 2003 at 3:42 pm
Posted by Ms. Eagle (33507 messages posted)

Good idea....delete the System Restore garbage!


re: Trojan Horse Dialer
Monday, February 17, 2003 at 3:46 pm
Posted by Mac (2831 messages posted)

Yes it is, and it saves a great deal of trouble too! ;- )


re: Trojan Horse Dialer
Monday, February 17, 2003 at 3:49 pm
Posted by Ms. Eagle (33507 messages posted)

Like Iain said, delete those System Restore files. Btw, those dialers ring up very large phone bills! Be sure to run Spybot S&D too.


re: Trojan Horse Dialer
Monday, February 17, 2003 at 3:51 pm
Posted by Ms. Eagle (33507 messages posted)


Iain, this is a better address to use for Spybot S&D download. http://security.kolla.de/

That other one has a popup come up. Plus, it isn't "Spybot", remember the S&D! :) 
It's a spybot destroyer. 







re: Trojan Horse Dialer
Monday, February 17, 2003 at 4:17 pm
Posted by Ray (5 messages posted)

I JUST INSTALLED SPYBOT S&D AND IT HAS RECORDED OVER ONE HUNDRED POSSIBILITIES. I AM A RESEARCHER OF GENEALOGY AND I'M AFRAID TO ERASE ALL THEY HAVE. BASTARD AND MANY OTHER PHRASES ARE IN MY RESEARCH ETC.! NEED HELP! rAY


On Monday, February 17, 2003 at 3:49 pm, Carol wrote:
>
>Like Iain said, delete those System Restore files. Btw, those dialers ring up very
>large phone bills! Be sure to run Spybot S&D too.
>

>
>
>


re: Trojan Horse Dialer
Monday, February 17, 2003 at 4:22 pm
Posted by Ms. Eagle (33507 messages posted)


Firstly, please don't shout! Typing in all caps is considered yelling on the net...

What are you talking about, re: afraid to erase?? What's the B**** word got to do 
with this?! lol Anything that Spybot S&D has checked after you run the scan can safely 
be removed. Either that, or...keep your dialer then! Just follow the instructions 
I posted.  







re: Trojan Horse Dialer
Monday, February 17, 2003 at 10:26 pm
Posted by zygoteXY :o' (379 messages posted)

What Carol means is that you only need to Fix the ones that were checked in RED. RED items are checked by default. If you make a mistake use the Recovery tool, but I do not recommend deleting those that are not marked in red, or checking those others. Spybot are in RED, and usage tracks are not, leave those, they are yours and you need them. Spybot lists usage tracks as a courtesy to you to help you protect your privacy, but they are a feature you need.


On Monday, February 17, 2003 at 4:17 pm, Ray wrote:
>I JUST INSTALLED SPYBOT S&D AND IT HAS RECORDED OVER ONE HUNDRED POSSIBILITIES. I AM
>A RESEARCHER OF GENEALOGY AND I'M AFRAID TO ERASE ALL THEY HAVE. BASTARD AND MANY
>OTHER PHRASES ARE IN MY RESEARCH ETC.!
>NEED HELP!
>rAY
>
>


re: Trojan Horse Dialer
Tuesday, February 18, 2003 at 3:31 am
Posted by jmb (844 messages posted)

If you use AOL read this article http://1rw.freewebspace.com/AOLTrojan.htm This other site details some aspects of where trojans may reside. http://www.tlsecurity.net/auto.html


On Monday, February 17, 2003 at 3:11 pm, Ray wrote:
>I have just received this Virus. I don't know how or why I have it. I have AVG 6.0
>Windows antivirus installed on my computer. It detects it but can't remove it. It
>appears to be in the following file C:\SYSTEM VOLUME INFORMATION\_RESTORE-(3EB9FF84-3515-40AE-9B03-14A9EB553DB9)-RP204\A0139088.EXE
>
>CAN ANYONE HELP?
>RAY


re: Trojan Horse Dialer
Tuesday, February 18, 2003 at 6:13 am
Posted by Ray (5 messages posted)

Should I delete everything Spybot picks up? Ray


On Monday, February 17, 2003 at 3:35 pm, Carol wrote:

>
>Probably because it's not a trojan virus, so AV programs won't get rid of it. It's 
>a spybot application, so download and run SpyBot Search and Destroy: 
>
>SpyBot S&D
>
>It looks for spyware, but also targets dialers, keyloggers and much more, and it's 
>freeware. After installing, go to the Online tab, and search for and install all 
>updates. 
>
>Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks.' 
>You can always experiment with them later on. Just scan for the spybots for now. 
>After closing your browser (signing off), run the scan, then click 'Check All', and 
>have SpyBot remove all it finds. 
>
>Note: SSD will sometimes not be able to remove all active components on the first 
>'fix'. You will then get a dialog asking you to run SSD at next start. Click yes 
>and reboot. SSD will then come up before the system puts these components 'in use'. 
>You will then be able to 'fix' everything.
>


re: Trojan Horse Dialer
Tuesday, February 18, 2003 at 6:55 am
Posted by Ms. Eagle (33507 messages posted)


You sure can, Ray. I assume you did it this way? That way everything that comes up 
is just the spybots and, yes, you'd want to remove them all. 

My instructions:
Go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks.' 
You can always experiment with them later on. Just scan for the spybots for now. 




Carol



re: Trojan Horse Dialer
Tuesday, February 18, 2003 at 7:07 am
Posted by Ms. Eagle (33507 messages posted)


Btw, let me know, if by chance this doesn't take care of that dialer. Spybot S&D 
is the best app of this type, but it doesn't target all dialers. 

You should check in Add/Remove programs to make sure it's not listed there. If so, 
remove it. FYI, those dialers can be picked up anywhere on the net, with no intervention 
from the user. 





re: Trojan Horse Dialer
Wednesday, February 19, 2003 at 8:31 am
Posted by Ray (5 messages posted)

Carol please review. Ray StartupList report, 2/19/2003, 11:22:51 AM StartupList version: 1.51 Started from : C:\Documents and Settings\Neil Baker.NEIL-FDJOF46K2I\Local Settings\Temp\Temporary Directory 1 for startuplist[1].zip\StartupList.EXE Detected: Windows XP SP1 (WinNT 5.01.2600) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\wuauclt.exe C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Neil Baker.NEIL-FDJOF46K2I\Local Settings\Temp\Temporary Directory 1 for startuplist[1].zip\StartupList.exe -------------------------------------------------- Listing of startup folders: Shell folders Common Startup: [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AVG_CC = 
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime NeroCheck = C:\WINDOWS\system32\NeroCheck.exe AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" SpyBotSnD = "C:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe" -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670} (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -------------------------------------------------- Enumerating Download Program Files: [QuickTime Object] InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab [MetaStreamCtl Class] InProcServer32 = C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll CODEBASE = https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?2 [{41F17733-B041-4099-A042-B518BB6A408C}] CODEBASE = http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe [MrSIDI Control] InProcServer32 = C:\WINDOWS\MrSIDI.ocx CODEBASE = http://images.myfamily.net/isfiles/downloads/MrSIDI.cab [Update Class] InProcServer32 = C:\WINDOWS\System32\iuctl.dll CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37597.2070601852 [ContentAuditX Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX CODEBASE = http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab [Shockwave Flash Object] InProcServer32 = 
C:\WINDOWS\System32\macromed\flash\Flash.ocx CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [Yahoo! Companion] InProcServer32 = C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_6.dll CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_6.cab -------------------------------------------------- End of report, 5,067 bytes Report generated in 0.110 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only


re: Trojan Horse Dialer
Wednesday, February 19, 2003 at 9:29 am
Posted by Ms. Eagle (33507 messages posted)


You should have posted in your new thread, since that's where my suggestion was. 
Plus, I'd asked you to do this:

"Check this box to preserve your spacing, or leave it unchecked to have your text 
wrapped automatically. Don't use this option unless you really need it. If you're 
not sure, use the Preview feature below before posting." 

It's one long paragraph. Please repost the startup list in your other thread and 
use the formatting. Did you see your message after you posted? Btw, you're running 
XP, but this is the ME forum. 

I see nothing there referring to a dialer. What is the name of it? 


re: Trojan Horse Dialer
Thursday, February 20, 2003 at 5:33 am
Posted by Fred (1 messages posted)

For what it's worth I removed the dialer by going in and "Disabling System Restore". Ran AVG and Ad-Aware. Enabled System Restore ran AVG and Ad-Aware again...no dialer found!


On Tuesday, February 18, 2003 at 3:31 am, jmb wrote:
>If you use AOL read this article
>http://1rw.freewebspace.com/AOLTrojan.htm
>This other site details some aspects of where trojans may reside.
>http://www.tlsecurity.net/auto.html
>
>
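
The detection in the first post sits inside the System Restore store, which a scanner typically cannot clean, and that is why the disable, rescan, re-enable sequence above clears it. The triage helper below is an added example, not code from any poster in this thread; it separates restore-store copies from live files, and the path patterns are assumptions based on the paths quoted in the thread (two sample paths are constructed and marked as such).

```python
import re
from collections import Counter

# Store layouts matched here are assumptions drawn from the thread:
#   XP:  <drive>:\System Volume Information\_restore{GUID}\RPnnn\Annnnnnn.ext
#        (the thread prints it as _RESTORE-(GUID)-RPnnn; both forms accepted)
#   Me:  <drive>:\_RESTORE\...
GUID = r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}"
XP_STORE = re.compile(
    r"^[A-Z]:\\SYSTEM VOLUME INFORMATION\\_RESTORE[-{(]*" + GUID +
    r"[-})]*\\?RP(?P<rp>\d+)\\(?P<file>A\d+\.\w+)$",
    re.IGNORECASE,
)
ME_STORE = re.compile(r"^[A-Z]:\\_RESTORE(?:\\|$)", re.IGNORECASE)

NEXT_STEP = {
    "restore-store": "turn System Restore off, rescan, then turn it back on",
    "live-file": "let the scanner heal or delete the file directly",
}


def classify(path):
    """Return (kind, detail) for one detection path reported by a scanner."""
    p = path.strip().strip('"')
    m = XP_STORE.match(p)
    if m:
        return "restore-store", f"restore point RP{m['rp']}, archived copy {m['file']}"
    if ME_STORE.match(p):
        return "restore-store", "Windows Me _RESTORE folder"
    return "live-file", "outside the System Restore store"


def triage(paths):
    """Classify each path; return (rows, count of detections per kind)."""
    rows = [(p, *classify(p)) for p in paths]
    return rows, Counter(kind for _, kind, _ in rows)


# Detection paths: the first two are quoted in the thread, the last two are constructed.
DETECTIONS = [
    r"C:\SYSTEM VOLUME INFORMATION\_RESTORE-(3EB9FF84-3515-40AE-9B03-14A9EB553DB9)-RP204\A0139088.EXE",
    r"C:\WINNT\system32\goinuninstall.exe",
    r"C:\System Volume Information\_restore{3EB9FF84-3515-40AE-9B03-14A9EB553DB9}\RP204\A0139088.exe",
    r"C:\_RESTORE\ARCHIVE\FS12.CAB",
]

if __name__ == "__main__":
    rows, counts = triage(DETECTIONS)
    for path, kind, detail in rows:
        print(f"{kind:13} {detail}\n    {path}\n    next: {NEXT_STEP[kind]}")
    print(dict(counts))
```

A detection that only ever appears under the restore store means the live copy is already gone or was never installed; a live-file hit is the one that still needs the scanner's heal or delete action.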


re: Trojan Horse Dialer
Thursday, February 20, 2003 at 3:00 pm
Posted by Phil (1 messages posted)

I got the same macro on Feb 13th, my virus program AVG V.6.0 detected it. I asked it to remove and repair and as far as I can tell it is gone. The file name is : goinuninstall.exe and path is: C:\WINNT\system32\goinuninstall.exe AVG shows the file as healed....I am running Win 2000 Prof. and have found AVG to be very good at its job.


On Monday, February 17, 2003 at 3:11 pm, Ray wrote:
>I have just received this Virus. I don't know how or why I have it. I have AVG 6.0
>Windows antivirus installed on my computer. It detects it but can't remove it. It
>appears to be in the following file C:\SYSTEM VOLUME INFORMATION\_RESTORE-(3EB9FF84-3515-40AE-9B03-14A9EB553DB9)-RP204\A0139088.EXE
>
>CAN ANYONE HELP?
>RAY


re: Trojan Horse Dialer
Friday, February 21, 2003 at 8:27 am
Posted by tato (13 messages posted)

I have almost the same complaint - Trojan Horse Dialer - identified by AVG [files: bodystudio[installer].exe and body_st.exe in a Shareaza/Downloads dir] and it can't move them. I've tried various things - on advice above. Trend house-scan identified 5 of what were originally 7 files and deleted them - but not the above 2. Symantec on-line check didn't find them. Panda check is still running. [There's only so much life and time to run these long checks ]. I perhaps stupidly tried to move the 2 files to a floppy, at which the system crashed. But there appear to be no obvious ill-effects at moment. No signs of this Trojan except from the AVG scan and the above crash. I also tried Moosoft's The Cleaner but it found nothing. I didn't understand all Iain's advice about dealing with the system files - and don't think I have a boot disk. For some reason I haven't been able to get my system (Athlon XP 1800 - just a few months old) to boot from a CD. And it also wouldn't boot from an AVG Rescue Disk floppy which I made a few days ago. (You're supposed to use them for emergencies like these). So what can I do now? perhaps you, Iain, could explain all those deletions, system operations which looked v. frightening. Presumably I couldn't delete the whole folder with the offending files? Or do a system restore to a few days back? (I'm Win XP). I need something really powerful and focussed! Many thanks for any help.


On Monday, February 17, 2003 at 3:35 pm, Iain wrote:

>Free on-line Anti-Virus check: HouseCall Anti Virus & Panda On-Line 
>
>And another from Symantec: Norton-Symantec
>
>On-line security check from: Symantec Security Check
>
>Configure your connection to protect your bios, etc.
>
>SpyBot is a VERY revealing program! Click on Language flag.
>Automatic Deletion of all TIF, TEMP & index.dat files. Delindex & EmpTemp
>
>USE YOUR Windows Start-up diskette (bootdisk) to get to the A:\prompt and type:
>
>A:\>DEL C:\_RESTORE
>
>to delete the _RESTORE file and make sure that this file is not listed in any A-V 
>"exclusions".
>
>PerformanceImprovement
>
>AlwaysUnloadDll 9x/ME
>
>NTFS/FAT  
>
>
>Iain
>Uninstall PCHealth, System Restore, Windows Help, msinfo32.exe, etc: rundll.exe setupx.dll,InstallHinfSection Uninstall 132 C:\WINDOWS\INF\PCHealth.inf


P.S. re: Trojan Horse Dialer
Friday, February 21, 2003 at 8:46 am
Posted by tato (13 messages posted)

P.S. I also tried Spybot but it failed to come up with anything. [I haven't found Trojan Horse dialer listed on any Trojans list]


On Monday, February 17, 2003 at 3:35 pm, Iain wrote:

>Free on-line Anti-Virus check: HouseCall Anti Virus & Panda On-Line 
>
>And another from Symantec: Norton-Symantec
>
>On-line security check from: Symantec Security Check
>
>Configure your connection to protect your bios, etc.
>
>SpyBot is a VERY revealing program! Click on Language flag.
>Automatic Deletion of all TIF, TEMP & index.dat files. Delindex & EmpTemp
>
>USE YOUR Windows Start-up diskette (bootdisk) to get to the A:\prompt and type:
>
>A:\>DEL C:\_RESTORE
>
>to delete the _RESTORE file and make sure that this file is not listed in any A-V 
>"exclusions".
>
>PerformanceImprovement
>
>AlwaysUnloadDll 9x/ME
>
>NTFS/FAT  
>
>
>Iain
>Uninstall PCHealth, System Restore, Windows Help, msinfo32.exe, etc: rundll.exe setupx.dll,InstallHinfSection Uninstall 132 C:\WINDOWS\INF\PCHealth.inf


re: Trojan Horse Dialer
Monday, February 24, 2003 at 1:38 am
Posted by Mac (2831 messages posted)

Tato, you MUST post on the XP forum please as the system is completely different 
from ME. Thank you. Iain.


re: P.S. re: Trojan Horse Dialer
Monday, February 24, 2003 at 1:40 am
Posted by Mac (2831 messages posted)

As per previous post. Sorry! Iain.
