:) Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them :)

Hi all,
I'm back with more trojans. I have been running scans all day long, and this is the last one and it found trojans It's been a while since I've done this, so can someone please help me? I have Windows XP.

Here's a list of all the scans I've run today, and I run them almost everyday. Kaspersky online scanner doesn't have an option to clean them without downloading a free version copy, but I'd rather get rid of them some other way if possible .

I see some of them are in my restore. If I do a restore off virus scan, will it get rid of all of them


Ad-Aware
SpyBot
ewido
Trend Micro-anti-spyware
CCleaner
NOD32
Housecall-online
BitDefender-online
Kaspersky online

here's the list Kaspersky found:

Infected Object Name - Virus Name
C:\Documents and Settings\sonya\Local Settings\Temporary Internet Files\Content.IE5\G5UBGT2Z\ysb_prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j

C:\Program Files\ESET\infected\50IMNQDA.NQF Infected: Trojan-Downloader.Win32.Swizzor.cn

C:\Program Files\ESET\infected\F3BCZFDA.NQF Infected: Trojan-Downloader.Win32.Qoologic.at

C:\Program Files\ESET\infected\JBOQ4PBA.NQF Infected: Trojan-Downloader.Win32.Small.ayl

C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0019.BIN Infected: Trojan-Downloader.Win32.Agent.er

C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN/EXE-file/data0001/EXE-file Infected: Trojan-Downloader.Win32.Agent.ic

C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN/EXE-file/data0001/EXE-file Infected: Trojan-Downloader.Win32.Agent.gn

C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN/EXE-file/data0001 Infected: Trojan-Downloader.Win32.Agent.gn

C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN/EXE-file Infected: Trojan-Downloader.Win32.Agent.gn

C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.gn

C:\Program Files\ESET\infected\LJBYXMBA.NQF Infected: Trojan-Downloader.Win32.Agent.gn

C:\Program Files\ESET\infected\M1FB4UAA.NQF Infected: Trojan-Downloader.Win32.Small.ayl

C:\Program Files\ESET\infected\QBJLDNCA.NQF Infected: Trojan-Downloader.Win32.Small.ayl

C:\Program Files\ESET\infected\ZQPX54AA.NQF Infected: Trojan-Downloader.Win32.Swizzor.bo

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc13.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc13.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc14.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc14.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc15.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc15.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc16.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc16.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc17.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc17.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc18.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc18.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041472.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041472.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041473.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041473.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\System VolumeInformation\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041474.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041474.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041475.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041475.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041476.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041476.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\WINDOWS\system32\scenichp.exe/MyWayHomePageChangerInbuilt.exe Infected: Trojan.Win32.StartPage.ags

C:\WINDOWS\system32\scenichp.exe Infected: Trojan.Win32.StartPage.ags

Scan process completed.

 

Hi Sonya,

I see you have NOD32 but that didn't stop them ? I think you're using FF too ?

Where/how did you get infected with these anyway out of interest ?

If they are in SR then you need to lose your SR points first. After that i would recommend that you go here. It's an excellent AV on a par with Kaspersky, but will actually disinfect as well.

You will need to use IE with ActiveX enabled or set to prompt. Don't forget to reverse any changes afterwards.

Free Online Virus Scanner

BitDefender Online Scanner is a fully functional antivirus product. It features all required elements for thorough antivirus scanning and effective cleaning: it scans your system's memory, all files, folders and drives' boot sectors, providing you with the option to automatically clean the infected files.

http://www.bitdefender.com/scan8/ie.html


StevieO

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Thanks!
I run NOD32 earlier today. I also run Bit-Defender today as well.

I don't really know how I got all those. I don't hardly ever go to any websites other than a few other forums I'm a member at.
My daughter does alot of Google searches for her favorite cartoon shows she watches, and she goes to ALOT of those sites. But I guess P2P might have alot to do with it

I use Mozilla, not the FireFox, just plain ol Mozilla

Can you give me the link to the "AV on a par with Kaspersky" you mentioned?

Thanks again!

 

Mozilla FF etc, what i meant was that you wern't using IE and still got caught out. So it's not only IE's fault as some people seem to think.

Yes P2P etc might indeed have a lot to do with it as well ! You might to have words with her lol.

You didn't mention that you had used BD, that's why i posted the link for you, the AV on a par with Kaspersky.

Here are lots more online scans you could have a look at.

http://www.google.co.uk/search?hl=en&q=online virus scan&meta=


StevieO

 

Hi Sonya

First you need to disable system restore:http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam.

Then you should scan with Panda and Trend-micro from my signature and see what they come up with. Did the BitDefender scan find anything?

 

I've noticed that BD was mentioned in your post, but i'm not not sure if that was due to one of your later several edits or not. If i missed it sorry about that if you had listed it.

Have you disabled your SR yet ?

I hope you manage to get it cleaned up soon.


StevieO

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

In many respects, there's a lot less here than it appears.

No, doing a restore will potentially reestablish them. Don't do that.

This is just in your temporary file cache. To remove, flush the cache: Do Start>Control Panel>Internet Options. It should come up with the General tab selected. In the Temporary Internet Files section, select Delete, in the dialog box that comes up check "Delete all offline content", then select OK

These are files that NOD32 has in quarantine. They are non-functional, but to eliminate then, bring up the NOD32 control center. Expand the NOD32 System Tools section. Select Quarantine. The list of files above, maybe more, should appear in the right hand panel. Click select to highlight all the files you wish to remove, then right click the selections and select Delete.

These are already deleted files in your recycle bin. To empty the recycle bin, go to the desktop, right click the Recycle Bin icon, and select Empty Recycle Bin.

These are the entries in your restore points. To eliminate them, your need to clear out your restore points. You do this by stopping/restarting system restore. To do this, Select Start>Control Panel>System. Select the System Restore tab. Check "Turn off System Restore on all drive", Select OK. This will delete the system restore points and could take a while. Once that is done, turn system restore back on by repeating the previous steps, but this time uncheck the box you previously checked.

This wouldn't happen to be a Hewlett-Packard PC, would it? Navigate to the file in question using Windows Explorer. Right click the filename entry and select Properties. Select the version tab. Any pertinent information as to the file origins shown? HP perhaps?

Blue

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

As usual Blue, cuts through all the BS.

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Actually your signature is where I got the Kaspersky Webscanner from. Yesterday I was looking around on Wilders and saw it

Yes, BitDefender did find some things, but I shut it down late last night, and I didn't pay much attention to what all was there (maby I should from now on, lol )
Also, I scanned with Panda yesterday, but it also didn't give an option to clean the infected files, like Kaspersky didn't. But then again, I was really tired so there's no telling with me
I will do the scans you mentioned, and I'll be back to let ya know.
Thanks!

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Yes, It was me editing again, lol I edited several times trying to get the scans I run in order, then I noticed I missed some on the list,(can't have that, lol) so Im pretty sure I added BD later Thanks so much!

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Thanks! Just to be sure, once I turn off system restore, I will need to wait a few days to build more restore points, and then I should turn it on again?

"The file name in question" I'm not exactly sure how to find it even using Windows Explorer. But I would like to know myself. All I know is I have an eMachine computer and the OS and things like that . Can you tell me in more detail how to get to the filename and what filename I should be looking for? Thanks

Thanks again and I will do all else you mentioned.

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Yes, he seems to know all this stuff, in detail

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

No, you can enable it after removing whatever malware you find, after having done what BlueZannetti asks of you and running some scans.

Rightclick on "Start" and choose "Explore" and follow this path: WINDOWS\system32\scenichp.exe .

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Not really, no more than the usual folks here.

Don has your follow-up questions well covered (as usual ). Since you have an eMachines, unless you have an HP peripheral, I'm not sure why a potential HP app would be seen, which does raise the suspect level again. But it's always good to double check before pulling the trigger on something you're unsure of.

Blue

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Thanks! Here is what it says under properties-version:
Let me know if I need to look for something else

File version- 3.0.0.106

Description- Stardust Self-Extracting EXE

Copyright- Copyright © 1997-2001 Stardust Software.

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Should I look for this one too, or is it the same thing?

C:\WINDOWS\system32\scenichp.exe/MyWayHomePageChangerInbuilt.exe Infected: Trojan.Win32.StartPage.ags

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Yes, it's the same thing as far as executing file is concerned. scenichp.exe is a self-extracting executable and one of the files in it is MyWayHomePageChangerInbuilt.exe

Stardust Software looks to be a valid commercial screensaver/image encoder-package/wallpaper application developer. I have no idea why this exe would be in the system32 folder. Do you have some Stardust based screensavers? As far as the detection, at this point I would strongly lean towards false positive.

Blue

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

I have a LOAD of screensavers And I think the name sounds familiar, so that's probably it
I've already turned off system restore, and am about to do the scans all day again

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Sound good!

The scans should be clean except for the C:\WINDOWS\system32\scenichp.exe entry if all has progressed as planned. If not, just report back and we'll take it from there.

Once everything is clear, reenable system restore as indicated above, and you should be good to go!

Best of luck,

Blue

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

I would have crafted almost the same response, but since Blue as it covered....

I like particularly the way he explains each line, tells you which ones are harmless, then focuses on the 2 suspicious entries. Any half way decent tech would have came to the same conclusion and done the same, I'm quite surprised that responses before that didnt do so.

I give Don half credit, for noticing that some were in system restore and answering directly the question not to use the ss.

Not that these answers were bad, but they don't really hit the main points. it was easier to just say scan with x,y,z even though the original poster had already scanned with a ton of other scanners?

I like the way how Blue answers with the real answer you need, rather than the question your asked. Sometimes people don't really know what question you need to ask and ask the wrong ones.

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Ok, here's the results of a new Kaspersky online scan.

Before I scanned, I turned off system restore, and went into NOD32 and deleted the quarentined files, also emptied the recycle bin and cleared internet cache.
This is only the results of the first scan I did after doing all that. I am about to run other scans. But the list is getting smaller
Don't count the last 2 on the list, those are supposed to be there

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 29, 2006 16:54:43
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/01/2006
Kaspersky Anti-Virus database records: 163196
-------------------------------------------------------------------------------





Scan Statistics:
Total number of scanned objects: 87298
Number of viruses found: 2
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 4904 sec

Infected Object Name - Virus Name
C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc13.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc13.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc14.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc14.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc15.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc15.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc16.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc16.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc17.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc17.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc18.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc18.exe Infected: Trojan-Downloader.Win32.Small.bke

C:\WINDOWS\system32\scenichp.exe/MyWayHomePageChangerInbuilt.exe Infected: Trojan.Win32.StartPage.ags

C:\WINDOWS\system32\scenichp.exe Infected: Trojan.Win32.StartPage.ags

Scan process completed.

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

deviladvocate,

Thanks for the kind words, and you're quite right, a qualified tech would have followed the same approach - break the problem down into manageable parts and deal with each part in turn. That's what I generally try to do, and occasionally I actually succeed at it

Blue

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

I assume you have multiple logon users to this machine. Each logon user has there own recycle bin. Now, that could be what's happening here, or it could be another issue. In any event, see if you can navigate to the folder in question and manually delete the files in question. If you do not see C:\RECYCLER in Explorer, select the drive (C:\), go to menu bar and select Tools>Folder Options... , and select the View tab. Check the entry labeled Show Hidden Files and Folders and uncheck the box associated with Hide Protected Operating System Files. Select OK. You now should be able to see that folder.

Blue

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

I found the folder called recycler. It won't allow me to delete it though.

 

Re: Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

Correct. You don't delete the folder. Navigate to the userSID indicated in the scan results - S-1-5-21-2929263501-2725679378-169367564-1007. The icon shown will not be a "typical" folder icon, it should look like the recycle bin. You don't delete this folder either. Expand Recycler to reveal all the userSID's on the system and select S-1-5-21-2929263501-2725679378-169367564-1007 to reveal the files, and you should be able to delete them from that view.

Blue