Please help - downloaded virus/trojans

Discussion in 'malware problems & news' started by zonecrew, Aug 8, 2004.

Thread Status:
Not open for further replies.
  1. zonecrew

    zonecrew Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    10
    Please can anyone help me or advise me on what I can do.

    I am on broadband on Windows 98 and clicked on a webpage that downloaded the following onto my system:

    Trojan Horse Collected.Z
    Trojan Horse Dialer.9.N
    Trojan Horse Backdoor.Jeemp.A
    Trojan Horse Dialer.7.B
    Trojan Horse Downloader.Small.6.I

    I rebooted my PC and ran AVG virus software, which detected these and healed some and put the others into the vault.
    I was hoping things would be OK, but my PC isn't right: it freezes a lot, my music files have gone and I can't access my Recycle Bin (those are the ones I know about so far!).
    Also, when I boot my PC my virus shield tells me that there is a Trojan Horse Dialer in C:\WINDOWS\TEMP\SVCHOST.EXE.

    Can anyone tell me what's happened and how I can sort this mess out? :oops:
     
  2. zonecrew

    zonecrew Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    10
    Also, could they get access to my bank details? The only place I use them online is through PayPal.
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Until you get that mess out of there, none of your info is secure. You should run the trial version of TDS-3 and see if it will clean it for you. You can get it here.
     
  4. zonecrew

    zonecrew Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    10
    OK.

    I've downloaded TDS-3 and run the full system scan, and it only found the following possible webdownloader:

    c:\windows\newdial.exe

    Have I got to configure this program to find the trojans?
     
  5. zonecrew

    zonecrew Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    10
    It's also found this; I've deleted it after reading another site.


    Scan Control Dumped @ 22:47:07 08-08-04
    RegVal Trace: RAT.ANewTrojan: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [System Process=C:\WINDOWS\svchost.exe /i]


    * It comes back, though, when I reboot TDS. o_O
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
  7. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
  8. zonecrew

    zonecrew Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    10
    OK, right.

    I ran Ad-Aware and it found 215 infected files! I deleted them all, mainly references to adult sites and crack sites.
    My AVG still keeps warning me about the trojan horse in the temp folder, svchost.exe, but my PC freezes when I try to access this folder?? It freezes to the point of me having to reboot when I try to access My Computer or Windows Explorer.

    I've run TDS again and scanned the Windows folder, and it told me that it couldn't open c:\windows\temp\svchost.exe for read access; the file is locked.

    AMRX, I haven't tried your suggestion yet. Should I go ahead and try this?
     
    Last edited: Aug 9, 2004
  9. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Download this tool
    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
    and run it.
    Check the upper panel for
    c:\windows\temp\svchost.exe
    If found, click on Kill Process.

    Rescan with TDS.

    Download
    http://diamondcs.com.au/index.php?page=asviewer and run it.
    Search for
    HKEY_LOCAL_MACHINE\
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run [System Process=C:\WINDOWS\svchost.exe
    If found, right-click it and select Delete...

    You can delete autostarts using TDS's tools too; press Ctrl+A, for instance.
    I cannot assist you further with this as I haven't got TDS on my computer.

    Edit: have you updated your TDS-3?
    If not, download the Radius td3 database from here:
    http://www.diamondcs.com.au/tds/radius.td3

    Right-click the link and select Save As...
    Save it into the directory where you installed TDS, replace the existing file if asked,
    and scan again.

    There was that unknown trojan report by TDS. If you did not update, ignore this, but if an updated TDS reports an unknown trojan you need to submit that file, C:\WINDOWS\svchost.exe. Send it (zipped) as an attachment to submit@diamondcs.com.au.
    I'd appreciate it if you cc'd me at illukka @dslr.net (remove the space before @).

    Thanks
     
    Last edited: Aug 9, 2004
  10. zonecrew

    zonecrew Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    10
    I have Windows 98, so I can't download Process Explorer from Sysinternals. Are there any others I can use?

    I downloaded and checked the autostarts and cannot find any reference to the file that you mentioned. I'll run TDS.
     
    Last edited: Aug 11, 2004
  11. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
  12. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    That's the bad boy, apparently. Can you copy that and send it as an attachment to the addresses I posted?

    Kill that process, c:\windows\temp\svchost.exe.
     
  13. tbpot

    tbpot Registered Member

    Joined:
    Aug 11, 2004
    Posts:
    6
    Location:
    belgium
    svchost is not always a threat; it is also used by Windows itself, and a virus program like PC-cillin has the same file in use as well.

    Find an explanation on Google for svchost.
     
  14. tbpot

    tbpot Registered Member

    Joined:
    Aug 11, 2004
    Posts:
    6
    Location:
    belgium
    Search on Google for "dialer remover" and you will find a lot of good programs. I had the same problems a while ago: my kids were playing games online and I was paying the bill after a few weeks (60 euro more, pffffffffff).
    I then disabled the dialer modem in the OS they are using. It's simple and easy, and you can activate it again when you want to use it with one click.
    Go to > config > system > hardware > modems.
     
  15. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    It will be CWS
     
  16. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Most likely!
     
  17. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    As far as I know, the file name svchost.exe is used by at least 700-800 viruses, trojans, backdoors, worms and spyware.

    Not always, that is true, but always check the path of svchost.exe.
    Running in the temp folder it is 100% guaranteed malware, or on XP/2000 systems when it is running from the Windows folder.
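    The two checks described in this thread (the Run-key value illukka asked the poster to look for, and the rule that an svchost.exe is judged by the directory it runs from) as an added Python example. This is not code from the thread or from any tool mentioned in it. The Run-key values and process list are constructed to mirror what the thread reports, and the table of directories where a genuine svchost.exe lives is this example's own assumption (Windows 2000/XP keep it in System32 under C:\WINDOWS or C:\WINNT; Windows 9x/ME never shipped the file at all).

```python
"""Flag svchost.exe, and anything else, launched from an unexpected directory.

Added example, not code from the thread.  The sample Run values and process
paths below are constructed to match what the thread reports; they are not a
real capture from the poster's machine.
"""
import ntpath

# Assumption of this example: where a genuine svchost.exe is launched from.
# Windows 2000/XP keep it in System32; Windows 9x/ME never shipped it, so on
# that family any svchost.exe at all is foreign.
GENUINE_SVCHOST_DIRS = {
    "nt": {r"c:\windows\system32", r"c:\winnt\system32"},
    "9x": set(),
}

# Scratch directories no legitimate service host should be running from.
SCRATCH_DIRS = {r"c:\windows\temp", r"c:\temp", r"c:\tmp"}


def image_path(cmdline):
    """Return the executable path from a Run-key value or process command line.

    Handles both forms Windows accepts: a quoted path followed by arguments,
    and an unquoted path (possibly containing spaces) followed by arguments.
    For the unquoted form the path is taken to end at the first token ending
    in .exe, which is how CreateProcess resolves such strings in practice.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    tokens = cmdline.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def classify(path, os_family="nt"):
    """Classify one executable path: 'ok' or the reason it looks like malware."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower(), name.lower()
    if directory in SCRATCH_DIRS:
        return "suspicious: executable running from a temp directory"
    if name == "svchost.exe" and directory not in GENUINE_SVCHOST_DIRS[os_family]:
        if not GENUINE_SVCHOST_DIRS[os_family]:
            return "suspicious: svchost.exe does not exist on Windows 9x/ME"
        return "suspicious: svchost.exe outside System32"
    return "ok"


def scan(run_values, processes, os_family="nt"):
    """Return findings for autostart entries and running processes.

    run_values: dict of Run-key value name -> command line (as an autostart
                viewer shows it)
    processes:  list of image paths (as a process viewer shows them)
    """
    findings = []
    for name, cmd in run_values.items():
        path = image_path(cmd)
        verdict = classify(path, os_family)
        if verdict != "ok":
            findings.append({"source": "Run:" + name, "path": path, "why": verdict})
    for proc in processes:
        verdict = classify(proc, os_family)
        if verdict != "ok":
            findings.append({"source": "process", "path": proc, "why": verdict})
    return findings


# Constructed sample data mirroring the thread (not a real capture).
SAMPLE_RUN_VALUES = {
    "System Process": r"C:\WINDOWS\svchost.exe /i",       # the value TDS reported
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",  # a normal Windows 98 entry
}
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\TEMP\SVCHOST.EXE",  # the locked file AVG kept flagging
    r"C:\WINDOWS\EXPLORER.EXE",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN_VALUES, SAMPLE_PROCESSES, os_family="9x"):
        print(f"{hit['source']:20} {hit['path']:35} {hit['why']}")
```

    Running it on the constructed sample under the "9x" family reports both the Run value (there is no svchost.exe on Windows 98 at all) and the process in C:\WINDOWS\TEMP, and stays quiet about scanregw.exe and Explorer. Switching the family to "nt" makes the same Run value report "outside System32", the rule illukka states for 2000/XP.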
     
  18. zonecrew

    zonecrew Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    10
    AMRX, I downloaded and ran the program you suggested and it detected and removed 7 trojans... cheers for the advice!
    I also ran the Sysinternals program and it picked up nothing suspicious.

    I ran TDS again and everything is clear; even the locked svchost file has gone. However, I'll wait a while to see if anything comes back. Is there a sure-fire way of finding out if my system is clear??

    The next problem is my PC; it's still not right. Ever since the trojans appeared my Windows isn't right. For example, when I double-click on My Computer, then the C drive, it brings up a blank screen with a tiny small square where the picture of the C drive should be; inside the square are three smaller objects, a red square, a green circle and a blue triangle. This also happens when I bring up the Recycle Bin and My Documents... o_O

    However, this used to happen when I tried to access Start/Windows Explorer, but this is now working OK and I can access all my documents and music files this way... any ideas??

    Anyway, many thanks to all who have helped me so far on this, much appreciated... ;) ;)
     
  19. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Dear zonecrew, nice to know that the baddies are now gone. Well, in IT security there is no sure-fire way, sorry. You can try those online scans. That Sysinternals program is for killing that svchost running from your temp folder; it won't tell you about anything being suspicious. The problem you mentioned, is it happening to you now? Because in the same post you also said it is working OK now. Sounds like your drive icon was changed, or the DRIVES registry value was changed, if I'm right. If it happens, then please elaborate; someone here will help you. Take care.
     
  20. zonecrew

    zonecrew Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    10
    I'll see how it goes and let you all know.

    One final thing: can anyone recommend a good free firewall, as I don't want this to happen again?
     
  21. MasterComputer

    MasterComputer Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    2
    Location:
    Kingsport, Tennessee
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You may want to take a look here for further discussion on security and how to make your system that much stronger

    and here for more:

    Let us know how you go…

    Cheers :D
     