New Here - Computer Idiot - Have Trojan - Cant get rid of - HELP, pleeze

Discussion in 'malware problems & news' started by kathyL, Apr 17, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi KathyL,

    Great job!

    If I were in your shoes, I would do one more scan with KAV to make sure everything is deleted and gone. I would also, for peace of mind, get a "second opinion" from another top-rated anti-trojan product to make sure everything is O.K. My own favorites are TDS-3 (http://diamondcs.com.au/), which I have found to be the most comprehensive on-demand scan (though a bit complicated for the novice), and Ewido (http://www.ewido.net/en/download/), which is also excellent. Both have free trial offers. This is just a suggestion. It is certainly something I would do if it were my machine. Others may have a different idea.

    After that, you may want to take a look at your overall configuration and maybe get some suggestions of how to "tighten up" your system. You could probably start by maybe listing the security programs that you are currently using including your firewall. If you like KAV, I would recommend it very highly since I have found it to be an anti-virus, anti-trojan, anti-spyware par excellence.

    Rich
     
  2. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I'll speak for everyone that contributed: it's our pleasure. This was a team effort.

    The messages that appear are generally related to the now deleted malware. Nope, we don't want to reinstall those. We'll walk you through how to get rid of those pesky registry entries once all seems fine.

    Rich's idea is a good one. Second opinions are valuable, especially in circumstances like these.

    Blue
     
  3. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    thank you, all, again.

    I ran the KAV scan again last night and it came up clean, but this morning at 5 AM (PST) I had a screen saying it had detected a trojan downloader WIN32.agent virus on C\...\RP735\A0083532.exe. I deleted it.

    When I got home from the gym, I had the same box, but now the virus detected is trojan.win32.agent.bi - on C\...\RP735\A0083544.exe. Again, I deleted it.

    So it looks like I'm not out of the woods yet...

    Kids have SAT testing this morning, so I won't be around much till later today.
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi KathyL,

    Are you running KAV in Safe Mode or in Standard Mode? Do you have System Restore On or OFF? Just questions. Do not do anything for now until a Pro gets back on.

    Rich
     
  5. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    I am in standard mode. The reason is when I was in safe mode, KAV only scanned one file and I never did get an answer on how to change that.

    I have not done anything w/system restore, so it is whatever it was when this all started.
     
  6. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Kathy, try to disable System Restore (you can always enable it again if necessary) and do a scan. To disable it, do this:
    Have you configured the settings yet (easy to miss yesterday in all those posts)? If not, do this:
    In the main GUI (left-click on the red "K" in the tray):

    http://img85.echo.cx/img85/3205/kav50protection9se.jpg

    Hit the "settings tab" and choose "configure on-demand scan" and set it like this:

    http://img85.echo.cx/img85/3476/kav50ondemandscansettings0cq.jpg

    Close it (click ok), now click "configure updater" and set it like this:

    http://img85.echo.cx/img85/2668/kav50configureupdater0zw.jpg

    If you don't have high-speed internet and use a modem, then you can lower the update frequency to 3/6/12 hours. It's up to you, and you can always update from the tray manually.

    Now update from the tray and do a scan. Post back with the results. :)
     
    Last edited: Apr 18, 2005
  7. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    Thanks, Don. Will do the first thing in a bit - just did the KAV thing. One question - I was told yesterday on the 'updater' to choose 'standard databases' instead of extended. Which should I do?
     
  8. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    I have left the settings on KAV as in the last post...

    Turned off System Restore, am running a KAV scan. (*blush* - just realized I didn't have KAV security set to max, but to lowest. Urg...)

    It's found, so far:

    infected with: 'not-a-virus:adware.toolbar
    file: C:\install.cab\winsrm32.add
    action: deleted

    We've got to go now and won't be back till lunch time (PST).

    OK, I forgot to send this and I'm still here... I stopped the scan cuz I remembered I hadn't deleted the temp internet files, so I went to do that (I was getting a bazillion 'not-a-virus' objects!!), and now rescanning.
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi KathyL,

    I'll reply until Don gets back to you.

    Use extended databases as Don indicated. It will detect more types of malware. However, there is a possibility that you will get a "false positive" (i.e. KAV will give a warning, but the file is really good). If KAV gives such a warning, i.e. "Not a Virus - malware.name", don't delete it until you get confirmation from Don or some other KAV expert. If it is definitely the virus that you are looking for, you can go ahead and delete it (you will be prompted). If you have any questions whatsoever, ask before you perform any action. This is the safest way to go.

    Rich

    P.S. It looks like you are getting lots of these warnings. They seem like malware. But since this is new for you, you may want to post some of the warnings before you delete. Don will no doubt give further advice when he gets back.
     
    Last edited: Apr 18, 2005
  10. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    It's up to you. The extended will add around 5000 signatures, in these categories:
    Use them once (and then return to the standard bases) while you are cleaning your computer. There is a slightly bigger risk of KAV flagging programs that you find beneficial to you, but which do have the possibility to be exploited by someone remotely, for example.

    I have not had even one such flagging yet in one year of using the extended bases, but a good example is mIRC (a popular messenger client). It's being flagged as "not-a-virus:riskware", simply because many modified copies of it exist, which can be exploited by some of the bad boys. Most people use it without any trouble though; it's just a reminder from KAV (Kaspersky).

    This is why I instructed you to use the "prompt user for action" in the on-demand settings (this way you decide what to delete). Hope it helps and doesn't scare or, even worse, confuse you even more. Post back if you have questions. :)
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Don,

    I also haven't had any problems with KAV's extended databases over the last year. It seems the database is really good. Much better than the databases that come with other products such as PestPatrol. I'm sure KathyL will post if she has any questions about any particular riskware.

    Rich
     
  12. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi Rich

    I think you are right. From the screenshots I've seen, most of it seems to be virus/trojan/adware-related; so far I have not seen any "riskware".

    Kathy, if you do get a "riskware alert", post back with a screenshot, or you can also try searching Viruslist.com for info on the file in question. It's run by Kaspersky, btw. :)
     
  13. krak

    krak Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    2
    The best anti-trojan (or AV) is Kaspersky and F-Secure (these two companies are cooperating between themselves) .... If you place KAV on your computer you will never have to worry about trojans, worms, viruses....
     
  14. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    I hope it's all OK, as I didn't read this when I got home, as my screen already had the warning box up waiting for me to respond.

    All of these are called: not-a-virus, adware, and I deleted them...

    C:\...\temp\~287130.tmp
    ~317576.tmp
    ~432661.tmp
    ~496668.tmp
    ~500664.tmp
    C:\.../data0001.html
    (same..........2.html
    (same...........3...)
    ....................4
    ....................5
    c:\windows\ODBC.INI:ajnnjg

    Tell me how badly I've screwed up here now... :(
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi KathyL,

    The .tmp files are of no consequence and the .html files are probably OK. The ODBC.ini file - I don't know what it is or how it got there. I'll leave it for others to figure out if they can.

    Were you able to restart the system (with System Restore off) and re-run the scan? If not, I think it would be a good idea if you did. Also, I would possibly prepare to run another anti-trojan (probably Ewido Trial), but don't run it yet until everything is clear with your KAV scans.

    Rich
     
  16. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    Thanks for replying, Rich. Even if you don't know the answers, at least I'm not alone! :D
     
  17. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    OK - KAV is done scanning. Here's a snapshot of what it found:

    scan #1
     

    Attached Files:

  18. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    scan #2 (shouldn't be more than one-two lines overlapped)
     

    Attached Files:

  19. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    scan #3 - lots of overlap (all the top part)
     

    Attached Files:

  20. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Kathy,

    You can delete any of the temp files (*.tmp) without any problem. It would probably also be worthwhile emptying out that temp location.

    Your restore points are also infected. I'd recommend you disable System Restore until cleaning is finalized (Start>Control Panel>System>System Restore, check the box to turn off System Restore, OK). This will delete those infected restore points.

    Of the remaining files indicated, the only one that is problematic is ODBC.INI. This is a real file. There are a couple of ways to handle this. It's already been removed from circulation by the quarantine. One solution is to download and update your Microsoft MDAC. This will update drivers, restore missing dll's, etc. and should replace that INI file. If you have XP SP2, your copy of this file should be the same as mine, which is
    Code:
    [ODBC 32 bit Data Sources]
    MS Access 97 Database=Microsoft Access Driver (*.mdb) (32 bit)
    FoxPro Files=Microsoft FoxPro Driver (*.dbf) (32 bit)
    Text Files=Microsoft Text Driver (*.txt; *.csv) (32 bit)
    MS Access Database=Microsoft Access Driver (*.mdb) (32 bit)
    Excel Files=Microsoft Excel Driver (*.xls) (32 bit)
    dBASE Files=Microsoft dBase Driver (*.dbf) (32 bit)
    Outpost Database=Microsoft Access Driver (*.mdb) (32 bit)
    [MS Access 97 Database]
    Driver32=C:\WINDOWS\System32\odbcjt32.dll
    [FoxPro Files]
    Driver32=C:\WINDOWS\System32\odbcjt32.dll
    [Text Files]
    Driver32=C:\WINDOWS\System32\odbcjt32.dll
    [MS Access Database]
    Driver32=C:\WINDOWS\System32\odbcjt32.dll
    [Excel Files]
    Driver32=C:\WINDOWS\System32\odbcjt32.dll
    [dBASE Files]
    Driver32=C:\WINDOWS\System32\odbcjt32.dll
    [Outpost Database]
    Driver32=C:\WINDOWS\System32\odbcjt32.dll
    Just copy that text into Notepad and save the file to C:\WINDOWS\ODBC.INI. When you do the file save from Notepad, do a File>Save As, change Save as type to All Files, and save using the entire name, ODBC.INI. Although the change to All Files seems superfluous, if you don't do this you end up saving a file named ODBC.INI.TXT.

    I'd recommend the first approach myself.

    Blue
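    Two things in this post are easy to check mechanically: what the colon suffix in the reported path `c:\windows\ODBC.INI:ajnnjg` denotes, and whether a restored ODBC.INI has the expected shape. The script below is an added example written for this page; it is not code from any poster or from Kaspersky. It treats a `file:name` suffix as NTFS alternate-data-stream notation (the general Windows meaning of that syntax, which is why Blue calls ODBC.INI itself "a real file"), uses my own heuristics for the restore-point paths (`RP<n>\A<n>.exe`) and temp files reported earlier in the thread, and embeds Blue's XP SP2 copy of ODBC.INI, quoted from this post, as the reference the checker compares against.

```python
import configparser
import re
from pathlib import PureWindowsPath

# A System Restore point copy looks like ...\RP<n>\A<n>.<ext>; these only go
# away when System Restore is turned off, as the thread advises (own heuristic).
RESTORE_POINT_RE = re.compile(r"\\RP\d+\\A\d+\.[A-Za-z0-9]+$", re.IGNORECASE)
TEMP_FILE_RE = re.compile(r"\\[^\\]*\.tmp$", re.IGNORECASE)


def split_stream(path):
    """Split 'file:stream' (NTFS alternate data stream notation) into (file, stream).
    The colon right after the drive letter ("C:") is not a stream separator."""
    idx = path.rfind(":")
    if idx > 1:
        return path[:idx], path[idx + 1:]
    return path, None


def classify_detection(path):
    """Label a reported path so the reader knows what deleting it actually touches."""
    base, stream = split_stream(path)
    if stream:
        # The host file (here ODBC.INI) is legitimate; only the hidden stream was flagged.
        return "alternate data stream"
    if RESTORE_POINT_RE.search(base):
        return "system restore copy"
    if TEMP_FILE_RE.search(base):
        return "temp file"
    return "other"


# Reference ODBC.INI for Windows XP SP2, copied from the post above.
REFERENCE_ODBC_INI = r"""
[ODBC 32 bit Data Sources]
MS Access 97 Database=Microsoft Access Driver (*.mdb) (32 bit)
FoxPro Files=Microsoft FoxPro Driver (*.dbf) (32 bit)
Text Files=Microsoft Text Driver (*.txt; *.csv) (32 bit)
MS Access Database=Microsoft Access Driver (*.mdb) (32 bit)
Excel Files=Microsoft Excel Driver (*.xls) (32 bit)
dBASE Files=Microsoft dBase Driver (*.dbf) (32 bit)
Outpost Database=Microsoft Access Driver (*.mdb) (32 bit)
[MS Access 97 Database]
Driver32=C:\WINDOWS\System32\odbcjt32.dll
[FoxPro Files]
Driver32=C:\WINDOWS\System32\odbcjt32.dll
[Text Files]
Driver32=C:\WINDOWS\System32\odbcjt32.dll
[MS Access Database]
Driver32=C:\WINDOWS\System32\odbcjt32.dll
[Excel Files]
Driver32=C:\WINDOWS\System32\odbcjt32.dll
[dBASE Files]
Driver32=C:\WINDOWS\System32\odbcjt32.dll
[Outpost Database]
Driver32=C:\WINDOWS\System32\odbcjt32.dll
"""

EXPECTED_DRIVER_DIR = r"C:\WINDOWS\System32"


def check_odbc_ini(text):
    """Return a list of findings for an ODBC.INI; an empty list means it has the
    expected shape: every declared data source has a section whose Driver32 lives
    directly in System32, and no undeclared sections exist."""
    ini = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    ini.optionxform = str  # keep "Driver32" and the DSN names in their original case
    ini.read_string(text)
    findings = []
    sources_section = "ODBC 32 bit Data Sources"
    if not ini.has_section(sources_section):
        return [f"missing [{sources_section}] section"]
    sources = list(ini[sources_section])
    for dsn in sources:
        if not ini.has_section(dsn):
            findings.append(f"data source '{dsn}' is declared but has no section")
            continue
        driver = ini[dsn].get("Driver32")
        if driver is None:
            findings.append(f"[{dsn}] has no Driver32 entry")
        elif str(PureWindowsPath(driver).parent).lower() != EXPECTED_DRIVER_DIR.lower():
            findings.append(f"[{dsn}] Driver32 is outside System32: {driver}")
    for section in ini.sections():
        if section != sources_section and section not in sources:
            findings.append(f"section [{section}] is not declared as a data source")
    return findings
```

    Calling `classify_detection` on the paths from this thread gives "system restore copy" for `C\...\RP735\A0083532.exe`, "temp file" for `C:\...\temp\~287130.tmp` and "alternate data stream" for `c:\windows\ODBC.INI:ajnnjg`; `check_odbc_ini(REFERENCE_ODBC_INI)` returns an empty list, and a copy whose Driver32 points anywhere other than System32 is reported by section name. On a live machine, PowerShell's `Get-Item C:\WINDOWS\ODBC.INI -Stream *` lists the streams attached to the file; a clean copy shows only the default `:$DATA` stream.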
     
  21. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    I emptied the temp internet files this morning. It's like there are more someplace else? Or do I need to go to each IE window I have open and clean them out?? Do I also need to empty temp files? If so, how?

    I disabled System Restore this morning (in fact, it's still disabled...). I guess I'm waiting to know what to do with all these files that KAV has quarantined till I enable System Restore again.

    OK, now I'm confused :) Your very last line is "I'd recommend the first approach, myself..." Is that "One solution is to download and update your Microsoft MDAC"? And what is "MDAC"?

    Thanks! Standing by!
     
  22. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    I just deleted the temp files. I see the two that are restore files. I should delete those, too?

    And of those remaining, it's OK to delete the "install.cab" file?

    Taking DD for a walk. BBL
     
  23. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Temp file folders are all over the place :) well, that's an exaggeration. I generally do it manually. Normally that folder is hidden. You can unhide it by opening up Windows Explorer and selecting Tools>Folder Options>View. Under Hidden Files and Folders select Show Hidden Files and Folders. Select Apply to All Folders. Now, I like to see everything, but this is a double-edged sword. You now have access to folders that shouldn't be mucked with, as well as a number that probably should be. Just follow the path in the screenshots and delete the contents of the appropriate folder. There are a number of automated programs for this; I hesitate to recommend one since I don't use any of the free ones. I do use Window Washer.

    Just delete them.

    MDAC = Microsoft Data Access Components, short answer - these are the dll's which allow interapplication data communication.

    Blue
     
  24. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Let's see. Great. The two restore files can go. Delete install.cab also.

    How is your system behaving now?

    Blue
     
  25. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    "Follow the path in the screenshots"?? Is that going to be obvious to me?
     