Re: Virus? Or malware?

From: PA Bear (PABearMVP_at_gmail.com)
Date: 01/11/05


Date: Tue, 11 Jan 2005 00:40:10 -0500

Split the difference and call it Trojanware.

Dealing with Trojans & Hijackware (Do parts A and B)

A. Removing Trojans and Trojanware with Sysclean

Create a new folder named Sysclean (e.g., C:\Program files\Sysclean or just
a desktop folder). Download 'Sysclean.com' from
http://www.trendmicro.com/download/dcs.asp to this folder. Download the
latest 'Trend Pattern File' zip (e.g., lpt123.zip) from
http://www.trendmicro.com/download/pattern.asp and extract its contents to
the same folder; see the Readme text file for instructions.

Delete Temporary Internet Files (IE Tools>Internet Options>General)
accepting the option to delete all offline content. Reboot and delete
contents of TEMP folders and Recycle Bin.

Close all running programs including your anti-virus application, go
offline, and run Sysclean. For best results, do nothing with the machine
until the scan completes.

Win XP only (WinME similar): If the scan shows any infections in System
Restore files:

   (1) create a new Restore Point (Start>Programs>Accessories>System
       Tools>System Restore), then

   (2) delete all but the most recent Restore Point
       (Start>Programs>Accessories>System Tools>Disk Cleanup>More options [tab]).

Afterwards, update your own anti-virus application and perform another full
system scan.

B. Hijackware

Help with Hijackware (all are MS MVP sites)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Run the following tools in this order with nothing else running in
background:

1. CWShredder v2.0 (no updates available currently; choose Fix, not Scan)

2. Ad-Aware SE (Reconfigure per http://aumha.org/forum/viewtopic.php?t=5877;
Fix all found)

3. Spybot (RTFM; Immunize first and then scan; Generally, fix everything in
red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7.

When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

-- 
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)
O.B. wrote:
> I've been trying to help my neighbor get their computer running again.
> They have Windows XP SP2 and a dial-up connection.  Every attempt to
> connect to the net to download McAfee antivirus fails due to timeouts.
> There is something using up all the bandwidth but I'm not sure what.  I
> have run both AdAwareSE and SpyBot with latest updates multiple times in
> Windows Safe mode until they reported nothing.
>
> What else can I do?  McAfee doesn't appear to have a way to download the
> virus program from the net from a separate computer (as IT professionals
> do).  And I'm not sure what else to try.  Help?
>
> The following processes are running in task manager:
> ADSLPC9.exe
> alg.exe
> csrss.exe
> DLG.exe
> DSentry.exe
> explorer.exe
> GhsPf.exe
> hkcmd.exe
> HOTSYNC.EXE
> iexplore.exe
> lsass.exe
> mm_tray.exe
> mmtask.exe
> navprotect.exe
> NotifyAlert.exe
> PCMService.exe
> Pzj6w.exe
> qedest.exe
> quekmgr.exe
> realsched.exe
> rundll32.exe
> rundll32.exe
> scvhost.exe
> services.exe
> sgtray.exe
> smss.exe
> SndMon32.exe
> spoolsv.exe
> svchost.exe
> svchost.exe
> svchost.exe
> svchost.exe
> svchost.exe
> System
> System Idle Process
> taskmgr.exe
> tfswctrl.exe
> tyygcpa.exe
> wscntfy.exe
> wuauclt.exe 
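As an added illustration (not part of the original thread, and not a tool either poster mentions), here is a small Python triage helper for a Task Manager process list like the one quoted above. It flags names that deserve a closer look and says why: a name one edit away from a core Windows process name, or a name that looks random. The baseline of "known" Windows XP process names and both heuristics are assumptions of this example, not an authoritative allow-list, and a flag is a prompt to check the file's publisher and path, not a verdict. The process list itself is copied from the quoted question.

```python
# Added example, not code from the original post. Triage a Task Manager
# process list: flag lookalikes of core Windows process names and
# random-looking names. Baseline and heuristics are assumptions for
# illustration; every flag still needs a human to confirm.
import re
from typing import Dict, List

# Assumed baseline of process names expected on a stock Windows XP box.
# Names matching exactly are trusted and skipped by the heuristics.
KNOWN_SYSTEM = {
    "system", "system idle process", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "alg.exe", "wuauclt.exe", "wscntfy.exe", "taskmgr.exe", "rundll32.exe",
    "iexplore.exe",
}

VOWELS = set("aeiou")

# Process list copied from the quoted question (lower-cased later).
QUOTED_PROCESS_LIST: List[str] = """
ADSLPC9.exe alg.exe csrss.exe DLG.exe DSentry.exe explorer.exe GhsPf.exe
hkcmd.exe HOTSYNC.EXE iexplore.exe lsass.exe mm_tray.exe mmtask.exe
navprotect.exe NotifyAlert.exe PCMService.exe Pzj6w.exe qedest.exe
quekmgr.exe realsched.exe rundll32.exe rundll32.exe scvhost.exe services.exe
sgtray.exe smss.exe SndMon32.exe spoolsv.exe svchost.exe svchost.exe
svchost.exe svchost.exe svchost.exe System taskmgr.exe tfswctrl.exe
tyygcpa.exe wscntfy.exe wuauclt.exe
""".split() + ["System Idle Process"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete and substitute
    cost 1, and swapping two adjacent characters also costs 1, so
    'scvhost' is a single edit away from 'svchost'."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(name: str) -> str:
    """Return the known system name whose base name is exactly one edit
    away from `name`'s base name, or '' if none. Known base names shorter
    than five characters are skipped because near matches to very short
    names (e.g. 'alg') are almost always coincidental."""
    base = name.lower().rsplit(".", 1)[0]
    for known in sorted(KNOWN_SYSTEM):
        kbase = known.rsplit(".", 1)[0]
        if len(kbase) >= 5 and kbase != base and osa_distance(base, kbase) == 1:
            return known
    return ""


def looks_random(name: str) -> bool:
    """Crude 'random-looking' test on the base name: at least four letters
    with no vowel at all, or a digit wedged between letters. Some legitimate
    vendor utilities trip this, which is why output is only a checklist."""
    base = name.lower().rsplit(".", 1)[0]
    letters = re.sub(r"[^a-z]", "", base)
    if len(letters) >= 4 and not (set(letters) & VOWELS):
        return True
    return re.search(r"[a-z]\d+[a-z]", base) is not None


def triage(process_lines: List[str]) -> Dict[str, str]:
    """Map each flagged process name (lower-cased) to a one-line reason.
    Known names are never flagged; every other name gets at most one reason."""
    flagged: Dict[str, str] = {}
    for line in process_lines:
        name = line.strip().lower()
        if not name or name in KNOWN_SYSTEM:
            continue
        twin = lookalike_of(name)
        if twin:
            flagged[name] = f"one character away from system process {twin}"
        elif looks_random(name):
            flagged[name] = "random-looking name; confirm publisher and path"
    return flagged


if __name__ == "__main__":
    for proc, why in sorted(triage(QUOTED_PROCESS_LIST).items()):
        print(f"{proc:16} {why}")
```

Run against the quoted list, this flags scvhost.exe as a one-edit lookalike of svchost.exe and four vowel-less or digit-in-the-middle names (GhsPf.exe, hkcmd.exe, Pzj6w.exe, tfswctrl.exe). Two limits are worth seeing: hkcmd.exe is a legitimate Intel graphics hotkey process on many machines, so the "random" rule over-flags, and tyygcpa.exe slips past it because it contains a vowel. That is the point of the post's advice to send the logs to the expert forums: a heuristic like this narrows the list for a human, it does not replace the review.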

