Author Topic: Trojan horse  (Read 7706 times)


Offline Caryl

  • Jr. Member
  • **
  • Posts: 44
Trojan horse
« on: May 26, 2008, 05:31:24 AM »
My weekly scan showed that I have two Trojan horses. There are two different file names, but the malware name for both of them is the same: win32Agent XQS[trJ]. Avast suggested that I put both of them in the chest, which I have done. Is there anything else that I should do?

Thank you.
Caryl

ardvark

  • Guest
Re: Trojan horse
« Reply #1 on: May 26, 2008, 06:19:27 AM »
Hi...

Can you tell us what files they infected?

Depending on what was actually infected, Applications and/or processes could be affected.

Best regards...

Offline Caryl

  • Jr. Member
  • **
  • Posts: 44
Re: Trojan horse
« Reply #2 on: May 26, 2008, 03:12:59 PM »
Quote
Can you tell us what files they infected?

C:\Program Files\InstallShieldInstallationInformation\D{D14E3D40-2

C:\System Volume Information\-restore {3141675-6CBE-4639-8F67

ardvark

  • Guest
Re: Trojan horse
« Reply #3 on: May 27, 2008, 12:42:14 AM »
Quote
Can you tell us what files they infected?

C:\Program Files\InstallShieldInstallationInformation\D{D14E3D40-2

C:\System Volume Information\-restore {3141675-6CBE-4639-8F67

Hi...

Please turn off the System Restore function in case there is any malware still hanging around in this section of Windows.

Also, using Internet Explorer, go to Ewido and perform an online scan to make sure there is nothing left on your drive...

http://www.ewido.net/en/onlinescan/

Delete any entries that come up, particularly those that have a red circle to the left.

After the scan is finished, (if you're using Windows XP, Vista uses a different route,) click on "Start"---->"Run" and then type in "chkdsk /r" (without the quotation marks.) It will probably tell you that it needs to perform the scan next bootup, enter "yes."

Please post back with the results.  :)

Best Regards...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Trojan horse
« Reply #4 on: May 27, 2008, 03:24:37 AM »
I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

Offline Caryl

  • Jr. Member
  • **
  • Posts: 44
Re: Trojan horse
« Reply #5 on: May 27, 2008, 08:16:38 AM »
Quote
Also, using Internet Explorer, go to Ewido and perform an online scan to make sure there is nothing left on your drive...
http://www.ewido.net/en/onlinescan/
Delete any entries that come up, particularly those that have a red circle to the left.

I have done this and deleted all items. There was only one with a red circle. Attached is the ewido-report.

Quote
After the scan is finished, (if you're using Windows XP, Vista uses a different route,) click on "Start"---->"Run" and then type in "chkdsk /r" (without the quotation marks.) It will probably tell you that it needs to perform the scan next bootup, enter "yes."

I did this and there were no problems.

Thank you for your help.

Frank1

  • Guest
Re: Trojan horse
« Reply #6 on: May 27, 2008, 09:35:48 AM »
Hello,
Tried to do an online scan using Ewido. Unfortunately, the link shown by ardvark has a picture (I think) under the "When a dialog box appears ...." that just has a little red cross at its top left.

I think that maybe a setting in my Internet Explorer is preventing it being shown. Does anyone know what this setting might be?
Thanks
Frank1

ardvark

  • Guest
Re: Trojan horse
« Reply #7 on: May 27, 2008, 09:58:04 AM »
Quote
Hello,
Tried to do an online scan using Ewido. Unfortunately, the link shown by ardvark has a picture (I think) under the "When a dialog box appears ...." that just has a little red cross at its top left.

I think that maybe a setting in my Internet Explorer is preventing it being shown. Does anyone know what this setting might be?
Thanks
Frank1

Hi Frank...

You have to install the ActiveX control. :)

A yellow bar should come down from the top of the browser to prompt you to install it, does this show up at all for you?

Best Regards...

ardvark

  • Guest
Re: Trojan horse
« Reply #8 on: May 27, 2008, 10:19:10 AM »
Quote
Thank you for your help.

Hi...

You're welcome! :)

And thank you for posting the log.

Just as a helpful pointer, to reduce the number of cookies coming into your system, download and install (and update) SpywareBlaster located here...

http://www.download.com/SpywareBlaster/3000-8022_4-10196637.html?part=dl-SpywareBl&subj=dl&tag=button&cdlPid=10814511

Also, modify your Internet Explorer Privacy settings to block third party cookies. This option will be in the "Advanced" button.

Best Regards...
« Last Edit: May 27, 2008, 10:20:56 AM by ardvark »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojan horse
« Reply #9 on: May 27, 2008, 10:32:21 AM »
Quote
Also, modify your Internet Explorer Privacy settings to block third party cookies. This option will be in the "Advanced" button.

Instructions for all browsers with screenshots here:

http://www.geocities.com/dontsurfinthenude/cookies.htm

Frank1

  • Guest
Re: Trojan horse
« Reply #10 on: May 27, 2008, 10:39:03 AM »
ardvark, I am not shown a yellow bar at the top of Internet Explorer.
Not sure which settings about ActiveX I need to turn on in the Internet Options/Advanced tab.
Frank1

Frank1

  • Guest
Re: Trojan horse
« Reply #11 on: May 27, 2008, 11:17:21 AM »
ardvark, found the problem with Internet Explorer. I launched IE as an Admin user and got the popup to download the ActiveX.
Now running Ewido.
Thanks a lot.
Frank1

Offline Caryl

  • Jr. Member
  • **
  • Posts: 44
Re: Trojan horse
« Reply #12 on: May 27, 2008, 03:14:17 PM »
Quote
I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

After following ardvark's suggestions I followed yours from number 4 on.
4. I installed SUPERantispyware and found 157 adware tracking cookies. I put them in quarantine.
5. I used avast! antirootkit and no rootkits were found.
6. Attached is the Hijack This log.
7. I installed SpywareBlaster.
8. I tried checking with Secunia Software Inspector but got this message: "There might be problems loading the Java Applet in your browser. If you are sure that Java is installed and functional, then please press OK to proceed anyway." I pressed OK and got the first sentence again and nothing happened.

Thank you for your help. Hopefully everything will work correctly from now on.

Offline Caryl

  • Jr. Member
  • **
  • Posts: 44
Re: Trojan horse
« Reply #13 on: May 27, 2008, 03:26:14 PM »

Quote
Just as a helpful pointer, to reduce the number of cookies coming into your system, download and install (and update) SpywareBlaster

Thanks. I already downloaded this at Tech's suggestion and will keep it updated.

Quote
Also, modify your Internet Explorer Privacy settings to block third party cookies. This option will be in the "Advanced" button.

My setting was medium, so I changed it to medium high as per the site recommended by Freewheeling Frank.

Hopefully my next weekly scan will not show any problem areas.

Offline Caryl

  • Jr. Member
  • **
  • Posts: 44
Re: Trojan horse
« Reply #14 on: May 27, 2008, 03:29:39 PM »
Quote
Also, modify your Internet Explorer Privacy settings to block third party cookies. This option will be in the "Advanced" button.

Instructions for all browsers with screenshots here:

http://www.geocities.com/dontsurfinthenude/cookies.htm

Thanks for this website. I changed my setting from medium to medium high as shown in the screenshot.

I appreciate all the help I have received from everyone.