Trojans, Worms, Troubles, OHMY!!!

Discussion in 'malware problems & news' started by teachypeachy, Jul 2, 2003.

Thread Status:
Not open for further replies.
  1. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey,

    I haven't heard of some of the programs you mentioned but I can't imagine there would be a problem in keeping them. Likewise, there should be no problem compatibility-wise that would prevent you from running any of them together.

    I think your running the program that originally alerted you would be a great idea, if it finds anything please note down as much detail as possible.

    I am starting to think that the flickering may be due to a failing monitor or video card. Can you take a shot at explaining exactly what you mean by flickering or any other strange behaviour? The Magistr virus has been known to sometimes shuffle your desktop icons around as you move the cursor toward them; do you see that?

    As far as Netscape is concerned, reinstallation should fix it, but if the one you have on CD came bundled with another product you might want to consider going to Netscape's homepage and downloading direct, as it will be less likely to have any spyware bundled with it.

    When you speak of "programs on my desktop" do you mean the shortcut items? (in the bottom left corner of the icon you have a small boxed arrow?)

    Dan
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again.
    The Antidote thing surprises me, as it says on the page for the free version that it only checks for viruses.
    Further, it recommends getting it again every 10 days as they include new databases in it. So that would not be much of a problem.
     
  3. teachypeachy

    teachypeachy Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    30
    :D
    I ran the Antidote again and it says the exact same thing.

    C:\Windows\ApplicationData\Mozzila\User50\default\zvsxvii6.slt\Mail\mail.hartcom-1.net\Sent/

    C:\Windows\Profiles\Teresa\ApplicationData\Mozzila\User50\default\zvsxvii6.slt\Mail\mail.hartcom-1.net\Sent/

    C:Windowssp.dll Infected:Trojan.WinReg.StartPage

    So I don't know what to do... Just ignore it or what o_O

    As far as the flickering: the icons don't run from the cursor. The whole screen flickers, like small white lines across the page, and it flickers. Not constantly, just every now and then.

    Also, how and when will I need to use the TDS and Adaware?

    Again, how about the HP updates, do I need to do that too?

    I know ..... I have so many QUESTIONS!!!! :rolleyes:
    Sorry!
    Teresa
     
  4. teachypeachy

    teachypeachy Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    30
    Oops!
    On the first two C: files, they were the ones that were found to have the Magistr.a.

    Teresa
     
  5. teachypeachy

    teachypeachy Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    30
    >>>When you speak of "programs on my desktop" do you mean the shortcut items? (in the bottom left corner of the icon you have a small boxed arrow?)<<<

    I'm talking about the setup icons from when I downloaded them to desktop so that I could find them easily afterwards.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Does Netscape not start any further at all after clicking some OK?
    Could be the rest of a removed spyware program, or maybe you removed Alexa, which comes with NS, which can cause problems. So re-installing it from the website will bring Alexa back, but several files from that can be removed with Spybot and Ad-Aware.
    Maybe somebody knows which has to stay to keep it running.
    You might like to look for the Alexa files from the recovery instead of re-installing NS.

    If those two old emails are infected, why do you keep them? If you need that text, could you just paste the text to a notepad and save in txt format? Or zip them.

    Have to scroll back to see what was decided about that win..dll
     
  7. teachypeachy

    teachypeachy Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    30
    Hi Jooske,
    My Netscape is from my Internet Provider. They give you the CD to load Netscape and the Mailgroups. I just tried it again. If I try to use the internet I still get the same message. I can use the mailgroup though.
    How do I get rid of the two files? Will I find them on FIND FILES?
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey teachypeachy!

    From your description, the video thing appears to be hardware-related. You might want to consider having a tech come out to take a look at it.

    Regarding the HP updates, I wouldn't worry about it but if you have a tech take a look at the video issue you might ask him.

    I'm afraid I can't help you much on Netscape as I haven't used that for years (I use Opera and, sparingly, IE). One possibility you might consider (but consider well!) is to remove Netscape via Add/Remove Programs, delete the associated folders and reinstall. This will almost certainly remove any configuration problem that is preventing it from working now, as well as delete the supposedly infected emails. The downside is that you would lose ALL emails and you would need to reapply all your email settings. This might be something else to leave for a tech that is actually at the machine. On the other hand, if a tech is at the machine, it may very well be unnecessary to remove and reinstall, as he/she may apply more direct methods that would be hard for us to remotely guide you through.

    I try to run a full scan from AdAware and TDS once a week, also, I have TDS running with execprot enabled all the time.

    As far as the setup icons go, as long as they are, in fact, setup files they can all be deleted. If you are the least bit unsure, what you can do is to create a folder called "To Be Deleted" and move them there. If after a week or so you see no impact from moving them there, you can delete them.

    As far as the windows file that supposedly has a trojan, you might want to submit a copy of it in a zip file to

    submit@diamondcs.com.au

    but I think it is likely a false alarm. Still, it is best to be sure :)

    All in all, I really think you should consider having a tech look at some of these issues. Also, in order to get the most out of your money, I would recommend that you outline what is wrong, how/when it became so, etc and send it to the tech either before he/she comes out (if the service is to be done at home) or take it along with the PC when you deliver it to the service place. It might be a good idea to print out this thread for such a purpose.

    Anyways, as always, please let us know if you have any questions :)


    Dan
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Search in any way for the emails and delete them.
    Are they gold that you want to keep them even though they might be infected? If you locate them, can you look into their source?
    In Outlook Express one can click Properties and Details to see the whole source without actually opening them, and see if there is some code attached to it.
    You should have a kind of System Restore or GoBack or Ghost, imaging, anything to restore your system from a certain point when it was clean and all working well, to go back to that point and not have the nasties coming back via a System Restore like in Win ME or XP if that is not taken care of.
    If you run from Start > Run > SFI (it's a Win98 function - system file check) you can ask for that file to be put back from the original install CD-ROM if it is part of Windows or anything HP ships their setup CDs with. In the little console check the replace file option and type its name and see what happens.
    If you hunt for that file, right-click and look at Properties to see if it has been modified some day. For instance, if it says it was created on your system say 1 June 2002 and modified before that, it might be ok, but after that creation date or recently it could look suspicious.
    If you find it, TDS can look at it: do a hunt for it on your system, right-click on the file and scan with TDS or any of the scanners showing up.
    If TDS says nothing and if you find the file, send them a copy for advice.
    If you can't find it, check that all files are shown: all extensions, hidden files, everything.
    Do a search/find on your system; if you can't replace it with the original, make a copy, zip it if possible, and send it to submit@diamondcs.com.au

    For the screen, are all the cables tight in their places and ok? White lines I don't know about, but that is tech experience like Dan says. If you are able to connect the PC to another screen, does it happen then too? Installing the proper driver, a video card problem, cables, fan, power, something in your electricity, it can be anything. Power down first if you're going to try the cables, just in case.
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi everyone,

    Yes false alarms are a possibility. If you still have any files that are detected as I-Worm.Magistr, zip and email one in just in case. I'll let you know if it REALLY is Magistr.. you could also online scan it :)
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The Panda online scan certainly is capable of looking into emails as well: www.pandasoftware.com

    At a certain moment you asked how to get into safe mode, did you figure that out already?
    At system reboot press F8 for a Win98 system.
    I would run that Clav tool from there too if you didn't do so yet.
    And when you use it in Windows started normally, disable all AT/AV scanners when using Clav.

    In the meantime tried to google for your "Windowssp.dll" but can't find it; is the spelling correct?
    The Trojan.WinReg.StartPage is added to most av/at products, including TDS if you look in the primaries list
    TDS > Help > Primaries, type "startpage" and press Find
    So you might like to send Gavin the sample anyway.
     
  12. teachypeachy

    teachypeachy Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    30
    Hi all,
    I have read the recent posts and I am sort of confused. I have a hard time really understanding what Jooske is trying to say. :)
    I found the Mozilla file and found the mail folder which had two files in it for the mail.hartcom. I deleted both. Then I went on my Outlook Express (which I never use anymore) and deleted all files from those mail folders.
    Guess what o_O :D
    I did the scan again and both of the MAGISTR.a things are gone from the scan!!!! Hooray!!!
    Okay, now for the Trojan one.....I looked on find files and searched for sp.dll, it found one file for it and I opened it with QUICK VIEW. It has info there about the file, but I do not know how to copy the info from there. There isn't any place on the Quick view to copy with and if I right-click, it does not have any copy there either. It does tell me this....
    Regidit4
    [HKEY_CURRENT_USERS\Software\Microsoft\Internet Explorer]
    "SearchURL"="http:www.jethomepage.com/ie/"
    and on and on about this jethomepage.com
    Soooo....I went to that website and it is just a search engine page.
    Can I just delete that file.... you think o_O Or what should I do?
    While I was trying to find those files and all, I just went to the WINDOWS file and noticed that there is just so much junk on there from things we downloaded and removed, or IE pages, etc.... Can I delete those things? Of course, when you go to the WINDOWS folder it tells you that if you remove things it can mess things up and not run anymore, so I am very leery of deleting things. Or is there a program that I can use to get rid of all of those old IE things or old program items? And will this free up any memory by getting rid of junk like that?

    Thank everyone for your ongoing dedication in helping me along!!! ;)
    Teresa
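    As an added example for this thread (not code from any poster, TDS or DiamondCS): a Python check that parses a REGEDIT4-style text file like the sp.dll content quoted above and flags Internet Explorer start/search-page values that point at a host not on an allow-list. The sample file content, the list of value names and the trusted hosts are assumptions.

    ```python
    import re
    from urllib.parse import urlparse

    # Constructed sample shaped like the sp.dll content quoted in the post above
    # (a .reg file renamed to .dll); the jethomepage.com URL is from the thread.
    SAMPLE_REG = r'''REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page"="http://www.jethomepage.com/"
    "Search Page"="http://www.jethomepage.com/ie/"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
    "SearchURL"="http:www.jethomepage.com/ie/"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL"="http://www.msn.com/"
    '''

    # Value names a start-page hijacker rewrites (assumed list) and the hosts the
    # user actually chose for those settings (assumed allow-list).
    HIJACK_VALUES = {"start page", "search page", "searchurl", "default_page_url"}
    TRUSTED_HOSTS = {"www.msn.com", "home.netscape.com"}

    SECTION_RE = re.compile(r"^\[(.+)\]$")
    VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

    def unescape(s):
        """Undo .reg string escaping: \\ -> backslash, \" -> quote."""
        return s.replace(r"\\", "\\").replace(r"\"", '"')

    def parse_reg(text):
        """Return (key, value_name, data) for every string value in the file."""
        entries, key = [], None
        for line in text.splitlines():
            line = line.strip()
            m = SECTION_RE.match(line)
            if m:
                key = m.group(1)   # new [HKEY_...] section
                continue
            m = VALUE_RE.match(line)
            if m and key:
                entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
        return entries

    def host_of(url):
        """Hostname of a URL; tolerates the malformed 'http:www.host' form."""
        fixed = re.sub(r"^(https?:)(?!//)", r"\1//", url, flags=re.I)
        return urlparse(fixed).hostname or ""

    def find_hijacks(text, trusted=TRUSTED_HOSTS):
        """IE start/search-page values whose host is not on the allow-list."""
        hits = []
        for key, name, data in parse_reg(text):
            if "internet explorer" not in key.lower():
                continue
            if name.lower() in HIJACK_VALUES and host_of(data) not in trusted:
                hits.append((key, name, data))
        return hits

    if __name__ == "__main__":
        for key, name, data in find_hijacks(SAMPLE_REG):
            print(f"suspicious: [{key}] {name} = {data}")
    ```
    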
     
  13. teachypeachy

    teachypeachy Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    30
    Jooske,
    I was able to open with safe mode and also did the CLAV scan.

    >>>The Trojan.WinReg.StartPage is added to most av/at products, including TDS if you look in the primaries list
    TDS > Help > Primaries, type "startpage" and press Find
    So you might like to send Gavin the sample anyway.<<<

    I wouldn't know how to send it to Gavin. :oops:

    Also Gavin told me to zip and send the worm files, but I wasn't sure how to find the exact ones, so I just cleaned all email folders and it got rid of them. I don't know how to zip a file...or...online scan it. LOL
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you find an alarm in TDS, it is displayed in the bottom of the console
    right click on the file, you get 4 menu options, one is to "submit file" press that thing and a copy of it is sent automatically to DCS lab.
    Make sure before that in the TDS configuration your email address and mailserver are well configured and you might have sent yourself a test message to try.
    So with that properly set the DCS guys can get back to you with an answer.

    If you did not get alarms from TDS but from the other program, where it has the full pathname, you can find them.
    In windows, Start > Find/Search type the filenames, press search, and they should show up in the find console; so you know they are there
    I am used to a right-click on them and having an option to zip the file.
    (I have WinZip installed; if you don't, get it via the internet and install it on your system, it is one of the necessary tools, and make sure you have the extract too.)
    Open your email client, new message to support@diamondcs.com.au and attach the three files (or if they are large, in three separate messages).
    If the zipping is a problem at the moment don't bother and for this time send them as they are.

    An online scan:
    Since HouseCall changed something in their site and online scan software I can't get the updates to be able to do an online scan, and their support is not supportive in this matter, so I no longer recommend them, to avoid more complaints and wasted time for users in great need of urgent scans who have no time to deal with those HouseCall matters.
    So I advised going to www.pandasoftware.com: see the free online scan, press the button, allow it to install some data on your system (it might be you need to have Java and ActiveX enabled for them). The next screen tells you to select what you want to have scanned; you probably will like your whole system scanned, so press that thing, but before that on the right side don't forget to check all options and whether you want it all automatically cleaned (if not, you first get a list of all finds after all the scanning and then a choice to have it cleaned or not) and let it go. I checked all options so it looks into every bit and byte, and it can take a while.
    It says if you want to do other things in the meantime, open another window for that, but that scan window needs to stay up (not necessarily on top); if you're on dialup and it does take a while you can disconnect as long as you keep that screen open, and when finished get online to see your scan results and the cleaning services.
    Inform us about possible finds with that.

    During this scan no problem to have TDS running but keep other scanners closed.

    I don't know Quick View from own experience but I read it is handy, like you're doing, in looking inside zips and being able to copy files and even zip files with that and lots more. So with that you should be able to locate the files the possible alarms point to.
    Now you found those filenames -- hope it is possible to look at them in a safe way! -- I'm sure Gavin will like a copy of the infected dll.

    For cleaning your system you might like Internet Sweeper,
    whose last free version is still available from the free tools page here at Wilders.org http://wilders.org/free_tools.htm
    You can clean a lot of garbage with that, but look at what you want to clean.

    I don't know what you mean with Windows file (??)
    Do you mean the Windows directory?
    What kind of unnecessary stuff do you see there and how do you know that?


    To send Gavin the file you don't need to open it.
    Just new email > attach file (you now know where it is), don't forget his email support@diamondcs.com.au and press send. So easy. Forget the zip this time till you know it in a future time; the people are trying to help to get your system clean and after that we can go on to rebuild.
    After you sent Gavin the trojan file you can delete it from your system.
    Remember the names in it? and do you still remember what the guys had you delete and fix from the hijackthis log?
    Of course Netscape is screaming for missing files, that is your trojan trying to run (the browser hijack enhancement); chances are that when you have deleted that dll also from your recycle bin, Netscape might function again without a re-install.


    Did you check in the meantime if all the cables and wires to your computer are well connected, all the plugs from electricity and from the monitor to the computer?

    Are the white lines from some outside influence like when a car is driving by or the fridge switches on or other electric equipment in the house or the cell phone is causing disturbance or is it not related to such things?

    You might like to get to the printerfriendly version of this thread and print it out on paper.
    With that you can read it all again from the first posting till now and put checkmarks beside everything tried and done, so that leaves several questions to work on in the end.

    Oh and for a screenshot, if you have no specific software, just press PrintScreen or Alt-PrintScreen, go to Start > Accessories > Paint > Edit > Paste and your image is there.
    With that you can do some editing and cutting till you have only the part you need. That part you can save as jpg for instance.

    Are there in your environment computer courses for some basic computer knowledge? I gave such courses myself around here and people learned quite a lot in no time.

    I think you have lots of "homework" now on your computer so give you back all in hands of Dan.
    See you in future time in the TDS forum to work on the configuration and use of that.
     
  15. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi TeachyPeachy!

    lol, good job! You got another crunchy karma cookie for that one!

    I think the easiest way to send the file to Gavin would be through Winzip. If you do not already have that installed go to

    http://download.com.com/redir?pid=10161502&merid=50220&mfgid=50220&edId=3&siteId=4&oId=3000-2250-10161502&ontId=2250&ltype=dl_elite_dlnow&lop=link&dlrs=1&destUrl=%2F3001-2250-10161502.html

    Once you have it installed, you repeat your search for sp.dll. Once it appears in the search window, stop the search and then right-click on the file, then go to the "Winzip" submenu you see there and select "Zip and E-Mail sp.zip" and when your new email message window pops up just put in

    submit@diamondcs.com.au

    as the recipient and in the body of the message, tell Gavin that you are TeachyPeachy and this was the suspected trojan you mentioned.

    Let me know how it goes :)
     
