:) Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them :)

Discussion in 'other anti-trojan software' started by SonyaM32, Jan 29, 2006.

Thread Status:
Not open for further replies.
  1. SonyaM32

    SonyaM32 Registered Member

    Joined:
    Dec 23, 2004
    Posts:
    718
    Hi all, :shifty:
    I'm back with more trojans. I have been running scans all day long, and this is the last one and it found trojans :mad: It's been a while since I've done this, so can someone please help me? :D I have Windows XP.

    Here's a list of all the scans I've run today, and I run them almost every day. Kaspersky online scanner doesn't have an option to clean them without downloading a free version copy, but I'd rather get rid of them some other way if possible :D :D .

    I see some of them are in my restore. If I do a restore off virus scan, will it get rid of all of them o_O


    Ad-Aware
    SpyBot
    ewido
    Trend Micro-anti-spyware
    CCleaner
    NOD32
    Housecall-online
    BitDefender-online
    Kaspersky online

    here's the list Kaspersky found:

    Infected Object Name - Virus Name
    C:\Documents and Settings\sonya\Local Settings\Temporary Internet Files\Content.IE5\G5UBGT2Z\ysb_prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j

    C:\Program Files\ESET\infected\50IMNQDA.NQF Infected: Trojan-Downloader.Win32.Swizzor.cn

    C:\Program Files\ESET\infected\F3BCZFDA.NQF Infected: Trojan-Downloader.Win32.Qoologic.at

    C:\Program Files\ESET\infected\JBOQ4PBA.NQF Infected: Trojan-Downloader.Win32.Small.ayl

    C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0019.BIN Infected: Trojan-Downloader.Win32.Agent.er

    C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN/EXE-file/data0001/EXE-file Infected: Trojan-Downloader.Win32.Agent.ic

    C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN/EXE-file/data0001/EXE-file Infected: Trojan-Downloader.Win32.Agent.gn

    C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN/EXE-file/data0001 Infected: Trojan-Downloader.Win32.Agent.gn

    C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN/EXE-file Infected: Trojan-Downloader.Win32.Agent.gn

    C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.gn

    C:\Program Files\ESET\infected\LJBYXMBA.NQF Infected: Trojan-Downloader.Win32.Agent.gn

    C:\Program Files\ESET\infected\M1FB4UAA.NQF Infected: Trojan-Downloader.Win32.Small.ayl

    C:\Program Files\ESET\infected\QBJLDNCA.NQF Infected: Trojan-Downloader.Win32.Small.ayl

    C:\Program Files\ESET\infected\ZQPX54AA.NQF Infected: Trojan-Downloader.Win32.Swizzor.bo

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc13.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc13.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc14.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc14.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc15.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc15.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc16.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc16.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc17.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc17.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc18.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc18.exe Infected: Trojan-Downloader.Win32.Small.bke
    C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041472.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041472.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041473.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041473.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\System VolumeInformation\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041474.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041474.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041475.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041475.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041476.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041476.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\WINDOWS\system32\scenichp.exe/MyWayHomePageChangerInbuilt.exe Infected: Trojan.Win32.StartPage.ags

    C:\WINDOWS\system32\scenichp.exe Infected: Trojan.Win32.StartPage.ags

    Scan process completed.
     
    Last edited: Jan 29, 2006
  2. StevieO

    StevieO Guest

    Hi Sonya,

    I see you have NOD32 but that didn't stop them ? I think you're using FF too ?

    Where/how did you get infected with these anyway out of interest ?

    If they are in SR then you need to lose your SR points first. After that i would recommend that you go here. It's an excellent AV on a par with Kaspersky, but will actually disinfect as well.

    You will need to use IE with ActiveX enabled or set to prompt. Don't forget to reverse any changes afterwards.

    Free Online Virus Scanner

    BitDefender Online Scanner is a fully functional antivirus product. It features all required elements for thorough antivirus scanning and effective cleaning: it scans your system's memory, all files, folders and drives' boot sectors, providing you with the option to automatically clean the infected files.

    http://www.bitdefender.com/scan8/ie.html


    StevieO
     
  3. SonyaM32

    SonyaM32 Registered Member


    Thanks!
    I ran NOD32 earlier today. I also ran Bit-Defender today as well.

    I don't really know how I got all those. I don't hardly ever go to any websites other than a few other forums I'm a member at.
    My daughter does a lot of Google searches for her favorite cartoon shows she watches, and she goes to A LOT of those sites. :cautious: But I guess P2P might have a lot to do with it :cautious:

    I use Mozilla, not the FireFox, just plain ol Mozilla :D

    Can you give me the link to the "AV on a par with Kaspersky" you mentioned?

    Thanks again!
     
    Last edited: Jan 29, 2006
  4. StevieO

    StevieO Guest

    Mozilla FF etc, what i meant was that you weren't using IE and still got caught out. So it's not only IE's fault as some people seem to think.

    Yes P2P etc might indeed have a lot to do with it as well ! You might to have words with her lol.

    You didn't mention that you had used BD, that's why i posted the link for you, the AV on a par with Kaspersky.

    Here are lots more online scans you could have a look at.

    http://www.google.co.uk/search?hl=en&q=online virus scan&meta=


    StevieO
     
  5. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Last edited: Jan 29, 2006
  6. StevieO

    StevieO Guest

    I've noticed that BD was mentioned in your post, but i'm not sure if that was due to one of your later several edits or not. If i missed it sorry about that if you had listed it.

    Have you disabled your SR yet ?

    I hope you manage to get it cleaned up soon.


    StevieO
     
  7. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590

    In many respects, there's a lot less here than it appears.
    No, doing a restore will potentially reestablish them. Don't do that.

    This is just in your temporary file cache. To remove, flush the cache: Do Start>Control Panel>Internet Options. It should come up with the General tab selected. In the Temporary Internet Files section, select Delete, in the dialog box that comes up check "Delete all offline content", then select OK
    These are files that NOD32 has in quarantine. They are non-functional, but to eliminate them, bring up the NOD32 control center. Expand the NOD32 System Tools section. Select Quarantine. The list of files above, maybe more, should appear in the right hand panel. Click select to highlight all the files you wish to remove, then right click the selections and select Delete.
    These are already deleted files in your recycle bin. To empty the recycle bin, go to the desktop, right click the Recycle Bin icon, and select Empty Recycle Bin.
    These are the entries in your restore points. To eliminate them, you need to clear out your restore points. You do this by stopping/restarting system restore. To do this, Select Start>Control Panel>System. Select the System Restore tab. Check "Turn off System Restore on all drives", Select OK. This will delete the system restore points and could take a while. Once that is done, turn system restore back on by repeating the previous steps, but this time uncheck the box you previously checked.
    This wouldn't happen to be a Hewlett-Packard PC, would it? Navigate to the file in question using Windows Explorer. Right click the filename entry and select Properties. Select the version tab. Any pertinent information as to the file origins shown? HP perhaps?

    Blue
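
The triage in the reply above, as an added example that is not part of the original post: it sorts report lines by where the flagged file sits and collapses nested-object lines onto the one file on disk. The sample lines are copied from the first post's report; the bucket names and path patterns are assumptions made for this example.

```python
import re
from collections import defaultdict

# Lines copied from the Kaspersky report in the first post (a subset).
REPORT = r"""
C:\Documents and Settings\sonya\Local Settings\Temporary Internet Files\Content.IE5\G5UBGT2Z\ysb_prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\ESET\infected\50IMNQDA.NQF Infected: Trojan-Downloader.Win32.Swizzor.cn
C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0019.BIN Infected: Trojan-Downloader.Win32.Agent.er
C:\Program Files\ESET\infected\LJBYXMBA.NQF/WISE0021.BIN/EXE-file/data0001/EXE-file Infected: Trojan-Downloader.Win32.Agent.ic
C:\Program Files\ESET\infected\LJBYXMBA.NQF Infected: Trojan-Downloader.Win32.Agent.gn
C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc13.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc13.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041472.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{404043AC-9D15-419E-BEE6-189397015038}\RP285\A0041472.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\WINDOWS\system32\scenichp.exe/MyWayHomePageChangerInbuilt.exe Infected: Trojan.Win32.StartPage.ags
C:\WINDOWS\system32\scenichp.exe Infected: Trojan.Win32.StartPage.ags
"""

LINE = re.compile(r"^(?P<obj>.+?)\s+Infected:\s+(?P<sig>\S+)$")

# Bucket names and patterns are assumptions made for this example;
# the clean-up steps are the ones given in the reply. First match wins.
RULES = [
    ("browser cache", re.compile(r"\\Temporary Internet Files\\", re.I),
     "flush the Temporary Internet Files cache"),
    ("NOD32 quarantine", re.compile(r"\\ESET\\infected\\", re.I),
     "delete from the NOD32 Quarantine list"),
    ("recycle bin", re.compile(r"^[A-Z]:\\RECYCLER\\S-1-5-", re.I),
     "empty that user's Recycle Bin"),
    ("restore point", re.compile(r"\\System Volume Information\\_restore\{", re.I),
     "turn System Restore off, then back on"),
]
LIVE = ("live file", "check the file's origin before deleting anything")


def parse(report):
    """Yield (file_on_disk, nested_object, detection) for each result line."""
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # report header, statistics, blank lines
        # Windows paths use "\"; the scanner appends "/" for every object it
        # unpacked from inside the file, so the disk path ends at the first "/".
        disk, _, inner = m["obj"].partition("/")
        yield disk, inner, m["sig"]


def classify(path):
    """Return (bucket, clean-up step) for a file path."""
    for bucket, pattern, action in RULES:
        if pattern.search(path):
            return bucket, action
    return LIVE


def triage(report):
    """Map bucket -> {file_on_disk: set of detection names}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for disk, _inner, sig in parse(report):
        buckets[classify(disk)[0]][disk].add(sig)
    return buckets


if __name__ == "__main__":
    for bucket, files in triage(REPORT).items():
        action = classify(next(iter(files)))[1]
        print(f"{bucket}: {len(files)} file(s) -> {action}")
```

The eleven sample lines reduce to six files on disk, and only the system32 entry falls outside the four inert locations.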
     
  8. Re: :) Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

    As usual Blue, cuts through all the BS.
     
  9. SonyaM32

    SonyaM32 Registered Member


    Actually your signature is where I got the Kaspersky Webscanner from. :D Yesterday I was looking around on Wilders and saw it:)

    Yes, BitDefender did find some things, but I shut it down late last night, and I didn't pay much attention to what all was there (maybe I should from now on, lol :) )
    Also, I scanned with Panda yesterday, but it also didn't give an option to clean the infected files, like Kaspersky didn't. But then again, I was really tired so there's no telling with me :D
    I will do the scans you mentioned, and I'll be back to let ya know.:)
    Thanks! :)
     
    Last edited: Jan 29, 2006
  10. SonyaM32

    SonyaM32 Registered Member


    Yes, it was me editing again, lol :D I edited several times trying to get the scans I run in order, then I noticed I missed some on the list (can't have that, lol), so I'm pretty sure I added BD later :D Thanks so much!
     
  11. SonyaM32

    SonyaM32 Registered Member


    Thanks! Just to be sure, once I turn off system restore, I will need to wait a few days to build more restore points, and then I should turn it on again?
    "The file name in question" I'm not exactly sure how to find it even using Windows Explorer. But I would like to know myself. All I know is I have an eMachine computer and the OS and things like that :D . Can you tell me in more detail how to get to the filename and what filename I should be looking for? Thanks :)

    Thanks again and I will do all else you mentioned.:)
     
    Last edited: Jan 29, 2006
  12. SonyaM32

    SonyaM32 Registered Member


    Yes, he seems to know all this stuff, in detail :D
     
  13. Don Pelotas

    Don Pelotas Registered Member


    No, you can enable it after removing whatever malware you find, after having done what BlueZannetti asks of you and running some scans.
    Rightclick on "Start" and choose "Explore" and follow this path: WINDOWS\system32\scenichp.exe .:)
     
  14. BlueZannetti

    BlueZannetti Administrator


    Not really, no more than the usual folks here.

    Don has your follow-up questions well covered (as usual :)). Since you have an eMachines, unless you have an HP peripheral, I'm not sure why a potential HP app would be seen, which does raise the suspect level again. But it's always good to double check before pulling the trigger on something you're unsure of.

    Blue
     
  15. SonyaM32

    SonyaM32 Registered Member


    Thanks! Here is what it says under properties-version:
    Let me know if I need to look for something else :)

    File version- 3.0.0.106

    Description- Stardust Self-Extracting EXE

    Copyright- Copyright © 1997-2001 Stardust Software.
     
  16. SonyaM32

    SonyaM32 Registered Member


    Should I look for this one too, or is it the same thing? o_O

    C:\WINDOWS\system32\scenichp.exe/MyWayHomePageChangerInbuilt.exe Infected: Trojan.Win32.StartPage.ags
     
  17. BlueZannetti

    BlueZannetti Administrator


    Yes, it's the same thing as far as executing file is concerned. scenichp.exe is a self-extracting executable and one of the files in it is MyWayHomePageChangerInbuilt.exe

    Stardust Software looks to be a valid commercial screensaver/image encoder-package/wallpaper application developer. I have no idea why this exe would be in the system32 folder. Do you have some Stardust based screensavers? As far as the detection, at this point I would strongly lean towards false positive.

    Blue
     
  18. SonyaM32

    SonyaM32 Registered Member


    I have a LOAD of screensavers :p And I think the name sounds familiar, so that's probably it :D
    I've already turned off system restore, and am about to do the scans all day again :D
     
  19. BlueZannetti

    BlueZannetti Administrator


    Sounds good!

    The scans should be clean except for the C:\WINDOWS\system32\scenichp.exe entry if all has progressed as planned. If not, just report back and we'll take it from there.

    Once everything is clear, reenable system restore as indicated above, and you should be good to go!

    Best of luck,

    Blue
     
  20. Re: :) Kaspersky on-line scan found LOTS of trojans. I need help getting rid of them

    I would have crafted almost the same response, but since Blue has it covered....

    I like particularly the way he explains each line, tells you which ones are harmless, then focuses on the 2 suspicious entries. Any half way decent tech would have come to the same conclusion and done the same, I'm quite surprised that responses before that didn't do so.

    I give Don half credit, for noticing that some were in system restore and answering directly the question not to use the ss.

    Not that these answers were bad, but they don't really hit the main points. It was easier to just say scan with x,y,z even though the original poster had already scanned with a ton of other scanners?

    I like the way how Blue answers with the real answer you need, rather than the question you asked. Sometimes people don't really know what question you need to ask and ask the wrong ones.
     
  21. SonyaM32

    SonyaM32 Registered Member


    Ok, here's the results of a new Kaspersky online scan.

    Before I scanned, I turned off system restore, and went into NOD32 and deleted the quarantined files, also emptied the recycle bin and cleared internet cache. :)
    This is only the results of the first scan I did after doing all that. I am about to run other scans. But the list is getting smaller :D
    Don't count the last 2 on the list, :cool: those are supposed to be there :D :D

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Sunday, January 29, 2006 16:54:43
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 29/01/2006
    Kaspersky Anti-Virus database records: 163196
    -------------------------------------------------------------------------------





    Scan Statistics:
    Total number of scanned objects: 87298
    Number of viruses found: 2
    Number of infected objects: 14
    Number of suspicious objects: 0
    Duration of the scan process: 4904 sec

    Infected Object Name - Virus Name
    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc13.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc13.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc14.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc14.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc15.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc15.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc16.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc16.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc17.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc17.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc18.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke

    C:\RECYCLER\S-1-5-21-2929263501-2725679378-169367564-1007\Dc18.exe Infected: Trojan-Downloader.Win32.Small.bke

    C:\WINDOWS\system32\scenichp.exe/MyWayHomePageChangerInbuilt.exe Infected: Trojan.Win32.StartPage.ags

    C:\WINDOWS\system32\scenichp.exe Infected: Trojan.Win32.StartPage.ags

    Scan process completed.
     
  22. BlueZannetti

    BlueZannetti Administrator


    deviladvocate,

    Thanks for the kind words, and you're quite right, a qualified tech would have followed the same approach - break the problem down into manageable parts and deal with each part in turn. That's what I generally try to do, and occasionally I actually succeed at it :)

    Blue
     
  23. BlueZannetti

    BlueZannetti Administrator


    I assume you have multiple logon users to this machine. Each logon user has their own recycle bin. Now, that could be what's happening here, or it could be another issue. In any event, see if you can navigate to the folder in question and manually delete the files in question. If you do not see C:\RECYCLER in Explorer, select the drive (C:\), go to menu bar and select Tools>Folder Options... , and select the View tab. Check the entry labeled Show Hidden Files and Folders and uncheck the box associated with Hide Protected Operating System Files. Select OK. You now should be able to see that folder.

    Blue
     
  24. SonyaM32

    SonyaM32 Registered Member


    I found the folder called recycler. It won't allow me to delete it though. o_O
     
  25. BlueZannetti

    BlueZannetti Administrator


    Correct. You don't delete the folder. Navigate to the userSID indicated in the scan results - S-1-5-21-2929263501-2725679378-169367564-1007. The icon shown will not be a "typical" folder icon, it should look like the recycle bin. You don't delete this folder either. Expand Recycler to reveal all the userSID's on the system and select S-1-5-21-2929263501-2725679378-169367564-1007 to reveal the files, and you should be able to delete them from that view.

    Blue
     