Constant attacks by Trojans and viruses when no programs are running

LABachlr (Member, joined Jun 4, 2004)
This system that I am working on is being constantly attacked by Trojans and viruses, even when the email client and browser are not open. Norton Antivirus keeps on blocking their entrance, but what could possibly be causing this? I have never seen this happen before. This system is on a home network with only one other PC on the network, and that PC does not have this problem. They are located in an apt. and are connected to the net via a broadband connection and a Linksys router.

Any ideas?
 

mechBgon (Super Moderator, Elite Member, joined Oct 31, 1999)
Something's wrong. Can you provide more specifics about what trojans and viruses it's being attacked by?

Also, try this: unplug the Linksys from the modem so the systems are isolated from the Internet. Does the problem cease? If so, then maybe the affected computer is in the unprotected "DMZ" of the router (this is a setting in the router's configuration menus and can be changed).

If unplugging the Linksys from the modem doesn't cause the problem to stop, then unplug the other computer as well. Does it stop now?
 

LABachlr (Member)
Thanks for the tips. Will be going back over there within an hour or two. I will try your suggestions. Just so you know, there was a period of time yesterday when only the infected computer was hooked up to the Linksys router (which was hooked up to the net). Then, I hooked up a brand new system to the Linksys router, set up a home network between the computers so they could share printers, and the new system never got notification of any Trojans and viruses. Will get you the names of the Trojans when I'm over there and they pop up again, which I'm sure they will (on the infected PC).

Could this be the cause of the other problem that I am having?

See this post: http://forums.anandtech.com/messageview.cfm?catid=36&threadid=1375170
 

mechBgon (Super Moderator, Elite Member)
Did the new system have up-to-date antivirus definitions already, before being thrown into the shark tank? :D If it's got old ones, then it may have 50 late-model viruses dancing under its nose and never realize it.

My guess is that you need to go into the Linksys and take the affected computer out of the DMZ. If it's in the DMZ then it's swimming in the Internet unprotected, no matter if a browser or email client is open or not. Are you familiar with entering the Linksys configuration menus via a web browser? If not, it's pretty simple... go to http://192.168.0.1 (or was it 192.168.1.1, I forget which now) and enter the password "admin" (I think that's what they still use, otherwise consult its documentation) with a blank username.

A diagnostic tool you could use is the Symantec online Security Scan, which checks whether a computer is exposed to the Internet or not. Click the bottom link in my signature and go to the Resources page, and there's a link to it a couple paragraphs down. I'd also recommend:

1) enable Automatic Updates if you didn't already, and obviously give both systems a run through Windows Update and Office Update.

2) set the user accounts' passwords to something strong, even if they're not using password-based logon, to defeat share-hopping worms that look for weak/blank passwords. A strong password: p1zzA=yummy! for example :)

3) Run Microsoft Baseline Security Analyzer to look for other issues they need corrected, stuff Windows Update doesn't catch.

4) Make sure the antivirus software has heuristics and compressed-file scanning enabled; this can be good for a huge head-start on the recognition of new variants of older viruses.

5) Disable System Restore, since Windows can stubbornly store viruses in its System Restore archive and keep on replacing the viruses as they're deleted :p The Resources page has a link showing how to do that if you need. This right here could be one of the flies in your ointment.

Good luck, hope it all goes smooth for you :)
 

LABachlr (Member)
OK. Thanks for all the info. Is finding the config for DMZ pretty self-explanatory in the Linksys config menu? If not, what would be the navigation path (at least a general path would help, even if it is not the exact path)?

Thanks for the link to Symantec's Security Scan. I'll give it a whirl. Btw, if some ports are open, how would I close them?

1. His Norton Antivirus has the latest Virus Def.'s, and also has it on AutoUpdate.

2. Good idea on the password. He does not have that set up.

3. I'll give this a whirl as well.

4. Will do.

5. OK. I'll try this as well. He has a drive that clones his other drive, so this feature is not that crucial to this system. I don't want to revert back to the clone, however, as he has received much email and created many files since the last clone. After I get this system fixed, I'll make another clone and make sure that he clones it at least once a week, or once a night? What do you think? How often?
 

mechBgon (Super Moderator, Elite Member)
Norton's info on that threat shows that it's very old (info on it) so if it's the only one, then you could probably get rid of it by booting from the Norton CD itself and having it run a scan. Notice in Norton's info that they say to disable System Restore as part of the removal.
 

LABachlr (Member)
I went into the admin section of the router, and there is no mention of DMZ Hosting. However, the WAN connection type is a Static IP. Any suggestions as to other settings that might cause this?

The router model being used is BEFSR41 v.2.
 

LABachlr (Member)
OK. Thanks. The thing is, Norton Blocked the Trojan. But it keeps coming back. So, I don't think it is there to remove. It just continually tries to infect this PC. He constantly does full system scans, and nothing comes up. Would something come up if I were to boot from the Norton CD and do a scan?
 

mechBgon (Super Moderator, Elite Member)
Go into the Linksys' Advanced section, it IS in there somewhere. And did you disable System Restore and bail the SR files yet? That could very well be where it's hiding and it could be Windows itself that's trying to replace it. Ahhh the irony... :D
 

dclive (Elite Member, joined Oct 23, 2003)
Originally posted by: LABachlr
Just performed Symantec's Security Test, and it passed.

Security Status: "Safe"

Did you follow all the steps in the article mechBgon posted? Including the step of booting in safemode to run the scan?
 

LABachlr (Member)
LOL. Yeah, that's irony for you alright.

Btw, should I use System Restore to go back in time to where this was not happening, and then disable System Restore?

Also, when you use System Restore, what do you actually lose when you go back in time? Installed programs, created files, settings...what?
 

mechBgon (Super Moderator, Elite Member)
Originally posted by: LABachlr
LOL. Yeah, that's irony for you alright.

Btw, should I use System Restore to go back in time to where this was not happening, and then disable System Restore?

Also, when you use System Restore, what do you actually lose when you go back in time? Installed programs, created files, settings...what?
Dunno, I've never used SR. I'm a Win2000Pro guy, and if/when I move on to WinXP Pro, I'll just do an ASR Backup once it's set up the way I want it, and keep that stashed on a small partition at the end of the hard drive. ASR at 15000rpm SCSI speeds... sign me up for that :D
 

LABachlr (Member)
Originally posted by: dclive
Originally posted by: LABachlr
Just performed Symantec's Security Test, and it passed.

Security Status: "Safe"

Did you follow all the steps in the article mechBgon posted? Including the step of booting in safemode to run the scan?

No, actually. Thanks for pointing that out. But you can't access the net in Safe Mode, can you?

Also, I did find the DMZ hosting. It was under Advanced. How is it enabled/disabled? Right now, it has the following setting:

DMZ Host IP Address: 192.168.1.0

The "0" is the only thing that can be changed. Does the "0" make it enabled or disabled?
 

mechBgon (Super Moderator, Elite Member)
Originally posted by: LABachlr
Also, I did find the DMZ hosting. It was under Advanced. How is it enabled/disabled. Right now, it has the following setting:

DMZ Host IP Address: 192.168.1.0

The "0" is the only thing that can be changed. Does the "0" make it enabled or disabled?
The 0 is good, that's not an IP address that could be assigned. The two PCs should have IP's of 192.168.1.100 and .101, if the Linksys is behaving normally.
 

LABachlr (Member)
Originally posted by: dclive
Originally posted by: LABachlr
Just performed Symantec's Security Test, and it passed.

Security Status: "Safe"

Did you follow all the steps in the article mechBgon posted? Including the step of booting in safemode to run the scan?

Ah. I guess you were referring to the removal of the Download.Trojan. Well, this PC doesn't have it. It simply keeps on getting attacked by it, but Norton keeps on stopping it. Very annoying.
 

LABachlr (Member)
Originally posted by: mechBgon
The 0 is good, that's not an IP address that could be assigned. The two PCs should have IP's of 192.168.1.100 and .101, if the Linksys is behaving normally.

OK. Cool. How would I check what the IP's are?

I actually just went to whatismyip.com, and I got something completely different. Is that normal?
 

dclive (Elite Member)
Originally posted by: LABachlr
Ah. I guess you were referring to the removal the Download.Trojan. Well, this PC doesn't have it. It simply keeps on getting attacked by it, but Norton keeps on stopping it. Very annoying.

Right, so boot in safe mode and scan the entire drive to find out why you keep getting it. While you're in safe mode, run MSINFO32 and save the text file (see details in my sig) and send it to me - I'll tell you if you have any devices / services installed that shouldn't be - that's an easy way for a virus / malware to hide itself. Be sure you do this in safe mode. Hopefully it will be viewable and not stealthed in safe mode.

Where does NAV say it is finding the virus?

SR won't *infect* you, but if you were to go back to a previous restore point, and your system was infected at that time, you'd be infected after you restored to that point in time, naturally, as long as the files the infection required were copied over at the time of the restore. That's why the AV vendors tell you to disable system restore, then boot in safe mode, then scan your system.

The reason they tell you to boot in safe mode is that many viruses / malware / evil devices & services won't run in safe mode. Some are made, though, that will - those are the worst. :( And if it's not running in safe mode, it can more easily be removed.

Try that, let us know how it works.
 

mechBgon (Super Moderator, Elite Member)
Originally posted by: LABachlr
OK. Cool. How would I check what the IP's are?

I actually just went to whatismyip.com, and I got something completely different. Is that normal?
Yes, whatsmyip.com is seeing the modem's IP, you're on a separate internal scheme. Click Start > Run, type cmd, hit the OK button and you get a command-line window. Type ipconfig and it'll tell you the main IP info. ipconfig /all gets you a little more.
 

LABachlr (Member)
Originally posted by: mechBgon
Yes, whatsmyip.com is seeing the modem's IP, you're on a separate internal scheme. Click Start > Run, type cmd, hit the OK button and you get a command-line window. Type ipconfig and it'll tell you the main IP info. ipconfig /all gets you a little more.

Cool. Just did that. All is well. Behaving normally.

Will do the scan now. I assume that I will be scanning the drive with the Norton AV program on this system, but just in Safe Mode, right?

With respect to where the Norton found the Trojan, I'll have to check the next time it comes up. I do remember that the address was too long for it to list it entirely. It was broken up with "...".
 

dclive (Elite Member)
Originally posted by: LABachlr
Will do the scan now. I assume that I will be scanning the drive with the Norton AV program on this system, but just in Safe Mode, right?

With respect to where the Norton found the Trojan, I'll have to check the next time it comes up. I do remember that the address was too long for it to list it entirely. It was broken up with "...".

Scan all drives you have after booting in safe mode. Yes, use Norton AV to do the scanning.
 

LABachlr (Member)
Originally posted by: dclive
Scan all drives you have after booting in safe mode. Yes, use Norton AV to do the scanning.

Well, you guys were right. It found 48 viruses and Trojans!

As I write this, I just got another attempted attack from Download.Trojan. And all of those instances were deleted with the scan.

Here are the viruses that were not able to be deleted. I assume that I simply go to Symantec.com to get the instructions on how to remove them?

There are 21 that were not deleted.

Here are the names and locations of those 21:

Adware.Winshow
The file C:\WINDOWS\system32\wpfbawjf\qecdrhvq.dll is a Adware threat.
Adware.Binet
The file C:\RECYCLER\NPROTECT\00024324.exe is a Adware threat.
Adware.IEPlugin
The file C:\Documents and Settings\User\Local Settings\Temp\wupdt.exe is a Adware threat.
Adware.Binet
The file C:\WINDOWS\preInsTT.exe is a Adware threat.
Adware.Binet
The compressed file preInsTT.exe within C:\Documents and Settings\User\Local Settings\Temp\THI425E.tmp\twaintec.cab is a Adware threat.
Adware.Binet
The compressed file twaintec.dll within C:\Documents and Settings\User\Local Settings\Temp\THI425E.tmp\twaintec.cab is a Adware threat.
Adware.Binet
The file C:\Documents and Settings\User\Local Settings\Temp\THI425E.tmp\preInsTT.exe is a Adware threat.
Adware.Binet
The file C:\Documents and Settings\User\Local Settings\Temp\THI425E.tmp\twaintec.dll is a Adware threat.
Adware.Binet
The file C:\WINDOWS\twaintec.dll is a Adware threat.
Download.Adware
The compressed file polmx.exe within C:\Documents and Settings\User\Local Settings\Temp\polmx.cab is a Adware threat.
Download.Adware
The compressed file polmx.exe within polmx.exe within C:\Documents and Settings\User\Local Settings\Temp\polmx.cab is a Adware threat.
Adware.Ezula
The file C:\RECYCLER\NPROTECT\00024359.EXE is a Adware threat.
Adware.ClickAlchemy
The compressed file alchem.exe within C:\Documents and Settings\User\Local Settings\Temp\alchem.cab is a Adware threat.
Adware.ClickAlchemy
The file C:\Documents and Settings\User\Local Settings\Temp\alchem.exe is a Adware threat.
Adware.Ezula
The file C:\RECYCLER\NPROTECT\00024871.dll is a Adware threat.
Spyware.Apropos
The file C:\Program Files\CxtPls\uninstaller.exe is a Spyware threat.
Spyware.Apropos
The file C:\RECYCLER\NPROTECT\00024191.EXE is a Spyware threat.
Spyware.Apropos
The file C:\RECYCLER\NPROTECT\00027367.EXE is a Spyware threat.
Spyware.Apropos
The file C:\RECYCLER\NPROTECT\00026113.EXE is a Spyware threat.
Adware.IEPlugin
The file C:\WINDOWS\wupdt.exe is a Adware threat.
Adware.ClickAlchemy
The file C:\RECYCLER\NPROTECT\00024323.exe is a Adware threat.
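The scan output above follows a small fixed grammar, so the leftover findings can be parsed and grouped by threat name and by where they sit on disk (Norton's protected recycle bin, the user's Temp folder, archives still holding members). This is an added example, not code from the thread or from Norton; the sample lines are copied from the output posted above, and the location buckets are my own grouping.

```python
import re
from collections import Counter

# Each finding in the posted Norton output is two lines: the threat name, then
# "The [compressed] file <name> [within <name> ...] <path> is a <Category> threat."
FINDING_RE = re.compile(
    r"^The (?:compressed )?file (?P<object>.+?) is an? (?P<category>\w+) threat\.$"
)

# Sample input: four findings copied from the scan output posted above. Raw string,
# because the Windows paths contain backslashes.
SAMPLE_REPORT = r"""
Adware.Binet
The file C:\RECYCLER\NPROTECT\00024324.exe is a Adware threat.
Adware.Binet
The compressed file twaintec.dll within C:\Documents and Settings\User\Local Settings\Temp\THI425E.tmp\twaintec.cab is a Adware threat.
Download.Adware
The compressed file polmx.exe within polmx.exe within C:\Documents and Settings\User\Local Settings\Temp\polmx.cab is a Adware threat.
Spyware.Apropos
The file C:\Program Files\CxtPls\uninstaller.exe is a Spyware threat.
"""

def parse_report(text):
    """One dict per finding: threat, category, on-disk path, nested member names."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("report lines must come in name/description pairs")
    findings = []
    for name, desc in zip(lines[0::2], lines[1::2]):
        m = FINDING_RE.match(desc)
        if not m:
            raise ValueError("unrecognised description: " + desc)
        # "a within b within c": last element is the file on disk, the rest are nested members.
        parts = [p.strip() for p in m.group("object").split(" within ")]
        findings.append({"threat": name, "category": m.group("category"),
                         "path": parts[-1], "inner": parts[:-1]})
    return findings

LOCATIONS = [  # my own grouping of hiding places, matched case-insensitively
    ("\\recycler\\nprotect\\", "Norton Protected Recycle Bin"),
    ("\\local settings\\temp\\", "user temp folder"),
    ("c:\\windows\\", "Windows directory"),
    ("c:\\program files\\", "Program Files"),
]

def location_class(path):
    p = path.lower()
    return next((label for marker, label in LOCATIONS if marker in p), "other")

def summarize(findings):
    return {
        "by_threat": Counter(f["threat"] for f in findings),
        "by_location": Counter(location_class(f["path"]) for f in findings),
        "containers": sorted({f["path"] for f in findings if f["inner"]}),
    }
```

Running `summarize(parse_report(SAMPLE_REPORT))` shows at a glance which findings are archives that must be deleted whole and which live in the protected recycle bin, which ordinary deletion leaves in place.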