Constant attacks by Trojans and viruses when no programs are running

Page 2 - AnandTech Forums

LABachlr (Member, joined Jun 4, 2004)
Btw, since he had Norton running the whole time, how did all of these viruses and trojans get past it?
 

dclive (Elite Member, joined Oct 23, 2003)
Did you do this:

While you're in safe mode, run MSINFO32 and save the text file (see details in my sig) and send it to me - I'll tell you if you have any devices / services installed that shouldn't be - that's an easy way for a virus / malware to hide itself. Be sure you do this in safe mode. Hopefully it will be viewable and not stealthed in safe mode.


?

I'd just delete all those files (in safe mode) and hope for the best, but that's just me. :) Incidentally, your machine is pretty badly infected....I'd think hard about somehow drastically changing your surfing / downloading habits, and the files that you happen to double-click on....
 

dclive (Elite Member, joined Oct 23, 2003)
Originally posted by: LABachlr
Btw, since he had Norton running the whole time, how did all of these viruses and trojans get past it?

Norton's doesn't identify everything, and a lot of times viruses are stealthed well enough to get past Norton's. Also, until recently, Norton's hasn't even made an attempt to block malware-type programs, which something like Lavasoft's Ad-Aware program would try to block.

The moral of the story is -- be careful where you surf, consider switching to another internet browser, and don't 2x click on any .EXE files (or any executable format file) unless you know EXACTLY where you got it and why - and be sure to show all file extensions in Windows Explorer. If you can't do this, change your daily account to a non-administrator / restricted user account, and that will stop many (but not all) of these attacks.
 

LABachlr (Member, joined Jun 4, 2004)
How do you want me to send it to you? I can't send an attached file via PM.

Also, would a firewall help from being constantly attacked by Download.Trojan?

What AV program would you suggest? AVG?

And for a firewall, I will go with Sygate. Again, he had Norton, but it gave him problems.
 

mechBgon (Super Moderator, Elite Member, joined Oct 31, 1999)
You know, if it's so compromised that it's still trying to drag in more trashware despite Norton and all the stuff you've already been through, then I would just nuke it and start over with a fresh Windows installation. Sure, you can keep wrestling with it, but it's obviously been thoroughly subverted and is working against you. Save what you need onto the other system on the LAN, and then whip out the WinXP CD-ROM and drop the bomb on it :evil:

If the computers have Win2000Pro or WinXP Pro then I could suggest a Restricted-User setup. WinXP Pro would be really well-suited since you could enable Fast User Switching and use Group Policy Editor to force a mandatory 10-minute screensaver activation with password protection so people don't wander in and start using someone else's session too much. Even the Administrator/owner should use a RU account to make this scheme work well, or otherwise someone will eventually sneak some time on his/her session and stumble into some spyware/adware and down you go again. :p
 

LABachlr (Member, joined Jun 4, 2004)
Actually, my client is the only one who uses this system. So, I believe that changing his surfing habits is in order.

There is actually a clone of this HD that I could use to bring this puppy back to working order. However, that would entail a fair amount of data backup before that could be done.

Btw, the ones that are left, do I have to go to Symantec and look up the removal instructions for each one of them? I went to the first one, and it mentioned that I should delete certain registry entries; however, I did not find the first few that I checked.
 

dclive (Elite Member, joined Oct 23, 2003)
Originally posted by: LABachlr
How do you want me to send it to you? I can't send an attached file via PM.

Also, would a firewall help from being constantly attacked by Download.Trojan?

What AV program would you suggest? AVG?

And for a firewall, I will go with Sygate. Again, he had Norton, but it gave him problems.


Read my .sig for directions on where to send it.

Updating to SP2 will give you a free, basic, compatible, and good-start firewall. But since you're behind a router already it isn't something I'd worry about. You (or another admin user on the machine) is/are the one installing all of this stuff, so I'd focus on changing your surfing and double-clicking habits....
 

dclive (Elite Member, joined Oct 23, 2003)
Originally posted by: LABachlr
Actually, my client is the only one who uses this system. So, I believe that changing his surfing habits is in order.

There is actually a clone of this HD that I could use to bring this puppy back to working order. However, that would entail a fair amount of data backup before that could be done.

Btw, the ones that are left, do I have to go to Symantec and look up the removal instructions for each one of them? I went to the first one, and it mentioned that I should delete certain registry entries; however, I did not find the first few that I checked.

Again, I would just delete everything it finds, and do so in safe mode. Then empty your trash. Then scan again, in safe mode, and confirm nothing is found.

I don't suggest rebuilding your machine at this point until we know how it was infected. If you only have spyware/malware on there that's randomly thrown around the internet like candy these days, it isn't that big of a deal. If you have a few other services on your system that are commonly-known exploits, it's a bigger deal.
 

LABachlr (Member, joined Jun 4, 2004)
OK. Thanks. I'll check out your sig.

This is not my machine. It's a client's. I was just wondering if the firewall would stop these constant attacks from Download.Trojan, or if one of the files that I need to delete in Safe Mode will stop it. What do you think?

I assume that SP2 is not out yet, as I just went to Windows Update, and it still is not there.
 

mechBgon (Super Moderator, Elite Member, joined Oct 31, 1999)
Originally posted by: dclive
Originally posted by: LABachlr
Actually, my client is the only one who uses this system. So, I believe that changing his surfing habits is in order.

There is actually a clone of this HD that I could use to bring this puppy back to working order. However, that would entail a fair amount of data backup before that could be done.

Btw, the ones that are left, do I have to go to Symantec and look up the removal instructions for each one of them? I went to the first one, and it mentioned that I should delete certain registry entries; however, I did not find the first few that I checked.

Again, I would just delete everything it finds, and do so in safe mode. Then empty your trash. Then scan again, in safe mode, and confirm nothing is found.

I don't suggest rebuilding your machine.
Considering that he has fully-armed, up-to-date antivirus software plus a hardware firewall, and some as-yet-untamed piece of adware is still pulling in more stuff despite our best efforts so far, I suggest rebuilding because it cures the disease, instead of just continuing to treat the symptoms over and over.

However, if you do want to keep doing battle with it, install the free version of ZoneAlarm and keep denying Internet access to everything you don't explicitly know should be accessing the Internet, as the popups keep asking for a Yes/No. Keep saying No, no no. The prompts may help you gain more insight on where the threat lies. Good luck! :)
 

dclive (Elite Member, joined Oct 23, 2003)
Originally posted by: LABachlr
OK. Thanks. I'll check out your sig.

This is not my machine. It's a client's. I was just wondering if the firewall would stop these constant attacks from Download.Trojan, or if one of the files that I need to delete in Safe Mode will stop it. What do you think?

I assume that SP2 is not out yet, as I just went to Windows Update, and it still is not there.

http://www.microsoft.com/downloads/details.aspx?FamilyId=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en

Grab it there. Burn it to CD when done and you can use it to update all of your XP-using computers.

The firewall won't help - your machine is re-infected all the time because every time you boot up those viruses and malware programs run. Surfing / 2x clicking habits must be changed; firewalls won't help that.
 

mechBgon (Super Moderator, Elite Member, joined Oct 31, 1999)
Originally posted by: LABachlr
OK. Thanks. I'll check out your sig.

This is not my machine. It's a client's. I was just wondering if the firewall would stop these constant attacks from Download.Trojan, or if one of the files that I need to delete in Safe Mode will stop it. What do you think?

I assume that SP2 is not out yet, as I just went to Windows Update, and it still is not there.
No, it appears that Download.Trojan is an adware of some kind that goes and gets more trash and brings it in for the ride. It's the root of the weed; you're just cutting off the parts of the weed that you see above ground so far.

If you want SP2, you can get it from here.
 

dclive (Elite Member, joined Oct 23, 2003)
Originally posted by: mechBgon
Originally posted by: dclive
Originally posted by: LABachlr
I don't suggest rebuilding your machine.
Considering that he has fully-armed, up-to-date antivirus software plus a hardware firewall, and some as-yet-untamed piece of adware is still pulling in more stuff despite our best efforts so far, I suggest rebuilding because it cures the disease, instead of just continuing to treat the symptoms over and over.


I see no evidence that anything new is being pulled in - I see evidence that already-existing programs are running, and Norton's is seeing/finding something as a result of that. We're not able to remove active viruses; we need to just boot in safe mode and delete them, or else we'll need to disable their device drivers. It's all doable, and much easier than a complete reinstall and rebuild. Let's give it a shot, and if it doesn't work we can always reformat later. :)

The disease isn't cured until the habit that led to this stops. Reformatting doesn't help that. :)
 

LABachlr (Member, joined Jun 4, 2004)
Originally posted by: dclive
Originally posted by: LABachlr
OK. Thanks. I'll check out your sig.

This is not my machine. It's a client's. I was just wondering if the firewall would stop these constant attacks from Download.Trojan, or if one of the files that I need to delete in Safe Mode will stop it. What do you think?

I assume that SP2 is not out yet, as I just went to Windows Update, and it still is not there.

http://www.microsoft.com/downloads/details.aspx?FamilyId=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en

Grab it there. Burn it to CD when done and you can use it to update all of your XP-using computers.

The firewall won't help - your machine is re-infected all the time because every time you boot up those viruses and malware programs run. Surfing / 2x clicking habits must be changed; firewalls won't help that.


Great. Thanks.

I'm going into Safe Mode again to manually delete the files that I posted earlier. Hopefully that will be the cure. I will then rescan to make sure that all is gone.

I'll be back. ;)
 

LABachlr (Member, joined Jun 4, 2004)
Originally posted by: dclive
Originally posted by: mechBgon
Originally posted by: dclive
Originally posted by: LABachlr
I don't suggest rebuilding your machine.
Considering that he has fully-armed, up-to-date antivirus software plus a hardware firewall, and some as-yet-untamed piece of adware is still pulling in more stuff despite our best efforts so far, I suggest rebuilding because it cures the disease, instead of just continuing to treat the symptoms over and over.


I see no evidence that anything new is being pulled in - I see evidence that already-existing programs are running, and Norton's is seeing/finding something as a result of that. We're not able to remove active viruses; we need to just boot in safe mode and delete them, or else we'll need to disable their device drivers. It's all doable, and much easier than a complete reinstall and rebuild. Let's give it a shot, and if it doesn't work we can always reformat later. :)

The disease isn't cured until the habit that led to this stops. Reformatting doesn't help that. :)


OK. Thanks for checking.

I'll take care of those files in Safe Mode now.

LOL. I understand about the habits being the cause. It just really amazes me how so many items can get past Norton. So, pretty much no AV program is 100%, right? If there is a better one, please do tell.

I'm going in...
 

LABachlr (Member, joined Jun 4, 2004)
Originally posted by: mechBgon
Originally posted by: LABachlr
OK. Thanks. I'll check out your sig.

This is not my machine. It's a client's. I was just wondering if the firewall would stop these constant attacks from Download.Trojan, or if one of the files that I need to delete in Safe Mode will stop it. What do you think?

I assume that SP2 is not out yet, as I just went to Windows Update, and it still is not there.
No, it appears that Download.Trojan is an adware of some kind that goes and gets more trash and brings it in for the ride. It's the root of the weed; you're just cutting off the parts of the weed that you see above ground so far.

If you want SP2, you can get it from here.

Norton said that it deleted all instances of Download.Trojan, but maybe one of the files that I am about to delete keeps bringing it back.

I'll let you know soon...
 

mechBgon (Super Moderator, Elite Member, joined Oct 31, 1999)
Originally posted by: dclive
Originally posted by: mechBgon
Originally posted by: dclive
Originally posted by: LABachlr
I don't suggest rebuilding your machine.
Considering that he has fully-armed, up-to-date antivirus software plus a hardware firewall, and some as-yet-untamed piece of adware is still pulling in more stuff despite our best efforts so far, I suggest rebuilding because it cures the disease, instead of just continuing to treat the symptoms over and over.


I see no evidence that anything new is being pulled in - I see evidence that already-existing programs are running, and Norton's is seeing/finding something as a result of that. We're not able to remove active viruses; we need to just boot in safe mode and delete them, or else we'll need to disable their device drivers. It's all doable, and much easier than a complete reinstall and rebuild. Let's give it a shot, and if it doesn't work we can always reformat later. :)

The disease isn't cured until the habit that led to this stops. Reformatting doesn't help that. :)
If you read Norton's description of the Download.Trojan, you'll see that that's what its job is... simply a gofer that goes and drags stuff in.
Download.Trojan does the following:

Goes to a specific Web or FTP site that its author created and attempts to download new Trojans, viruses, worms, or their components.
After the Trojan downloads the files, it executes them.
And that's why I think that the root of the weed is still not being attacked, we're just seeing the leaves. As you can see from Norton's page, the one described is also very old. If it truly is that old, then our guy here could probably eliminate it by booting from his Norton Antivirus CD-ROM and having it run its own CLI scan.

You're right, the user needs education and may even be best off with a Restricted-User account for his daily-driver work. :)
 

dclive (Elite Member, joined Oct 23, 2003)
Originally posted by: LABachlr
I'll take care of those files in Safe Mode now.

LOL. I understand about the habits being the cause. It just really amazes me how so many items can get past Norton. So, pretty much no AV program is 100%, right? If there is a better one, please do tell.

I'm going in...


No AV program can know when a malware author changes a program and then distributes it - it's just allowing what looks like a new program to be installed. After all, that's all most of this stuff is.
 

dclive (Elite Member, joined Oct 23, 2003)
First, boot in safe mode and scan for viruses. Remove/delete anything found.

Then:

Dkeeper.exe is installed in the root of E: - is that what you really wanted? Confirm that's actually Diskeeper in the root of E. If you don't need it (I see PerfectDisk on there too!) then uninstall one or both.

I saw some unusual devices, like bc_des and bc_bfish and the like - why is a disk crypto program running on the machine? What are the fsh and moh and mhk devices? (look in c:\windows\system32 and system32\Drivers for those files....)

Go into the registry's HKLM/Software/Microsoft/Windows/CurrentVersion/Run and rip out everything you don't know about. Then open up that NFO file you sent me, go to the Software Environment / Startup Programs section, and find all the objects in that list with funny names. Go into the registry and rip them ALL out. Then find the associated program that goes with each one and delete it. Hint: If it's got a funny name and you don't know what it is, get rid of it.

eZWO c:\progra~1\web offer\wo.exe TONY\Tony HKU\S-1-5-21-2000478354-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Webshots webshots.lnk TONY\Tony Startup

H/PC Connection Agent "e:\wcescomm.exe" TONY\Tony HKU\S-1-5-21-2000478354-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

win_upd2.exe c:\windows\system32\windirect.exe TONY\Tony HKU\S-1-5-21-2000478354-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

eZWO c:\progra~1\web offer\wo.exe TONY\Tony HKU\S-1-5-21-2000478354-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

dor7RjZ4T eseeperf.exe TONY\Tony HKU\S-1-5-21-2000478354-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

...and that's only the first part of it - get rid of ALL that crap, including all the other ones I left off. Hopefully they're not located on your disk still, since you deleted everything Norton's flagged, but get it out of those registry keys too.
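The Startup Programs entries quoted above are the kind of list a responder has to triage by hand. The script below is an added example, not code from the thread or from MSINFO32: it parses lines in the same "name command user location" layout and flags the entries a defender would check first. The four heuristics (random-looking name, an entry named after one .exe that launches another, a bare file name in a Run key, a duplicate entry) are my own assumptions, meant to rank entries for review rather than pass a verdict.

```python
import ntpath
import re

# Registry location quoted in the thread; reused below for the constructed sample.
RUN_KEY = (r"HKU\S-1-5-21-2000478354-764733703-839522115-1003"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

# Constructed sample: the thread's Startup Programs entries, "<name> <command> <user> <location>".
SAMPLE = "\n".join([
    rf"eZWO c:\progra~1\web offer\wo.exe TONY\Tony {RUN_KEY}",
    r"Webshots webshots.lnk TONY\Tony Startup",
    rf'H/PC Connection Agent "e:\wcescomm.exe" TONY\Tony {RUN_KEY}',
    rf"win_upd2.exe c:\windows\system32\windirect.exe TONY\Tony {RUN_KEY}",
    rf"eZWO c:\progra~1\web offer\wo.exe TONY\Tony {RUN_KEY}",
    rf"dor7RjZ4T eseeperf.exe TONY\Tony {RUN_KEY}",
])

# A token that begins the command: a quoted string, a drive path, an
# environment variable, or a bare program/shortcut file name.
_CMD_START = re.compile(r'^(?:"|[a-z]:\\|%|.*\.(?:exe|lnk|dll|cmd|bat|scr)$)', re.I)


def parse_line(line):
    """Split one MSINFO32 startup line into (name, command, user, location).
    Names and commands may contain spaces, so the name/command split is heuristic."""
    tokens = line.split()
    if len(tokens) < 4:
        return None
    location, user, middle = tokens[-1], tokens[-2], tokens[:-2]
    # The name is at least one token; the command starts at the first later
    # token that looks like a program, path or quoted string.
    split = next((i for i in range(1, len(middle)) if _CMD_START.match(middle[i])), 1)
    name = " ".join(middle[:split])
    command = " ".join(middle[split:]).strip('"')
    return name, command, user, location


def flags_for(entry, seen):
    """Heuristic reasons an entry deserves a closer look (my own rules, not Norton's)."""
    name, command, _user, location = entry
    exe = ntpath.basename(command).lower()
    in_run_key = location.upper().startswith(("HKLM\\", "HKCU\\", "HKU\\"))
    flags = []
    # Mixed-case letters plus digits and no extension, e.g. "dor7RjZ4T".
    if (len(name) >= 8 and re.search(r"\d", name) and re.search(r"[a-z]", name)
            and re.search(r"[A-Z]", name) and not re.search(r"\.\w{3}$", name)):
        flags.append("random-looking name")
    # The value is named after one .exe but actually launches another.
    if name.lower().endswith(".exe") and exe and exe != name.lower():
        flags.append("name claims a different binary")
    # A Run value holding a bare file name relies on PATH lookup; legitimate
    # installers almost always write a fully qualified path.
    if in_run_key and not re.match(r"^(?:[a-z]:\\|%)", command, re.I):
        flags.append("relative path in Run key")
    key = (name.lower(), command.lower(), location.lower())
    if key in seen:
        flags.append("duplicate entry")
    seen.add(key)
    return flags


def triage(listing):
    """Return [(name, command, flags)] for every entry that raised a flag."""
    seen, results = set(), []
    for line in listing.splitlines():
        entry = parse_line(line)
        if entry is not None:
            flags = flags_for(entry, seen)
            if flags:
                results.append((entry[0], entry[1], flags))
    return results
```

Run `triage(SAMPLE)` to see which of the quoted entries are singled out; the Webshots shortcut and the H/PC Connection Agent pass, which matches the thread's later conclusion about the client's own apps.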
 

LABachlr (Member, joined Jun 4, 2004)
I just deleted all of the files that I could. The files that I could not delete are the ones that are in the recycler. How do I access those? I set it to show all hidden files and folders, but it still would not show C:\recycler.

And I just got another attack from Download.Trojan even though I just deleted most of the infected files.

I want to reiterate the fact that I do have a clone of this drive that I could revert to (it was made a month or two ago). All that would be needed would be to back up the data. That definitely is an option, seeing as this issue does not seem to be going away.
 

mechBgon (Super Moderator, Elite Member, joined Oct 31, 1999)
Originally posted by: LABachlr
I just deleted all of the files that I could. The files that I could not delete are the ones that are in the recycler. How do I access those? I set it to show all hidden files and folders, but it still would not show C:\recycler.

And I just got another attack from Download.Trojan even though I just deleted most of the infected files.

I want to reiterate the fact that I do have a clone of this drive that I could revert to (it was made a month or two ago). All that would be needed would be to back up the data. That definitely is an option, seeing as this issue does not seem to be going away.
Backing up the data is a good idea regardless. Pump it across the LAN to the other system if there's a shared folder available.
 

LABachlr (Member, joined Jun 4, 2004)
Originally posted by: dclive
First, boot in safe mode and scan for viruses. Remove/delete anything found.

Then:

Dkeeper.exe is installed in the root of E: - is that what you really wanted? Confirm that's actually Diskeeper in the root of E. If you don't need it (I see PerfectDisk on there too!) then uninstall one or both.

I saw some unusual devices, like bc_des and bc_bfish and the like - why is a disk crypto program running on the machine? What are the fsh and moh and mhk devices? (look in c:\windows\system32 and system32\Drivers for those files....)

Go into the registry's HKLM/Software/Microsoft/Windows/CurrentVersion/Run and rip out everything you don't know about. Then open up that NFO file you sent me, go to the Software Environment / Startup Programs section, and find all the objects in that list with funny names. Go into the registry and rip them ALL out. Then find the associated program that goes with each one and delete it. Hint: If it's got a funny name and you don't know what it is, get rid of it.

eZWO c:\progra~1\web offer\wo.exe TONY\Tony HKU\S-1-5-21-2000478354-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Webshots webshots.lnk TONY\Tony Startup

H/PC Connection Agent "e:\wcescomm.exe" TONY\Tony HKU\S-1-5-21-2000478354-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

win_upd2.exe c:\windows\system32\windirect.exe TONY\Tony HKU\S-1-5-21-2000478354-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

eZWO c:\progra~1\web offer\wo.exe TONY\Tony HKU\S-1-5-21-2000478354-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

dor7RjZ4T eseeperf.exe TONY\Tony HKU\S-1-5-21-2000478354-764733703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

...and that's only the first part of it - get rid of ALL that crap, including all the other ones I left off. Hopefully they're not located on your disk still, since you deleted everything Norton's flagged, but get it out of those registry keys too.

My client likes all of his apps to be on the E drive. He actually installed that program on the E drive.

I believe those bc files are from Best Crypt. That can be easily uninstalled. I think I'll take care of that now.

With regards to going into the registry and just deleting things that I don't recognize, I'm a little hesitant to do that, as I do not want to delete something that is part of the OS. Just because I don't know what it is does not mean that it is not important. ;)
 

LABachlr (Member, joined Jun 4, 2004)
Originally posted by: mechBgon
Originally posted by: LABachlr
I just deleted all of the files that I could. The files that I could not delete are the ones that are in the recycler. How do I access those? I set it to show all hidden files and folders, but it still would not show C:\recycler.

And I just got another attack from Download.Trojan even though I just deleted most of the infected files.

I want to reiterate the fact that I do have a clone of this drive that I could revert to (it was made a month or two ago). All that would be needed would be to back up the data. That definitely is an option, seeing as this issue does not seem to be going away.
Backing up the data is a good idea regardless. Pump it across the LAN to the other system if there's a shared folder available.

I actually built the system so that he could just clone it every so often as a backup, but he was always so busy that I was never able to show him how to do it.

I will definitely show him how once this system is restored.

I just purged the Norton Protected Files in the recycle bin, but I don't think that got rid of the items in question that are in the recycle bin, as I did not see them listed.

Any ideas how to access the following path?

c:\recycler\nprotect\
 

mechBgon (Super Moderator, Elite Member, joined Oct 31, 1999)
Did you uncheck the box marked Hide Protected Operating System Files (Recommended) when you set it to show hidden files? It's just a little further down.