Trojans not detected?

Discussion in 'privacy problems' started by JB16907, Feb 21, 2005.

Thread Status:
Not open for further replies.
  1. JB16907

    JB16907 Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    6
    o_O I thought I had decent protection but I just picked up 9 trojans. I have Trend Micro Internet Security, Xoftspy, MS AntiSpyware (Giant), SpywareBlaster, Spyware X-terminator, an enhanced hosts file, and a few others. But Xoftspy just picked up 9 trojans (Xoftspy doesn't have realtime protection). What do I need to do to stop the trojans from being installed? Spyware is really getting out of hand! :oops:
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi JB16907, and welcome to the forum. :)

    I have moved your post from the Javacool SpywareBlaster forum as your question is more general and involves other security apps. Your thread will receive better attention for your questions in this forum (Privacy Problems).

    Could you please give us a bit more information on what the name(s) are of the 'trojan/spyware' that's being identified, along with the name of the file(s) and where they are located. Telling us your Operating System, and also if you have a firewall installed, will also help us find out what more you may need for protection.

    If it is just Xoftspy that is picking up this infection and all your other scanners are not, then there is a good chance these are false positives by Xoftspy.

    You can go through the steps in the General Cleaning thread as an added measure.

    Regards,

    snap
     
  3. Th3ChaS3r

    Th3ChaS3r Guest

    Quite simple: stop using Internet Explorer and get a decent browser like Firefox. A lot of these spyware progs and stuff like wwwcoolsearch and things are developing a lot of spyware and buying Internet exploits from people that are currently undisclosed to spread their software, so no AV program will pick it up, so they can easily bundle in a RAT or two with their software.
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    A little premature in your assumption, Th3ChaS3r. Nothing wrong with using an alternative browser, but let's wait until JB16907 replies with further information. ;)

    Regards,

    snap
     
  5. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, do you still have the names of the Trojans?
     
  6. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    There is, as Snapdragin is saying, a good chance that these are false positives, something Xoftspy has been known for, from the "rogue list":
    If it specifically says "trojans", then try to download Ewido Anti-trojan (free for 14 days) and run that. Try a couple more online scanners like Bitdefender & Panda.

    Personally I would uninstall Xoftspy & Spyware X-terminator, and use MS AntiSpyware, Ad-Aware, Spybot with SpywareBlaster for spyware detection/prevention. Just my 2 cents :)
     
    Last edited: Feb 21, 2005
  7. Th3ChaS3r

    Th3ChaS3r Guest

    @ Admin :p

    Okay, I wanna sportsman's bet he will be using IE ;) (jokes)

    Yeah, I agree my assumptions are premature, but I know too many people that complain about spyware and use Internet Explorer. Yeah, try using an online scanner or try out Ewido; the guy who made Ewido knows what he was doing.
     
  8. JB16907

    JB16907 Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    6
    I pulled this from their log:
    Troj/Agent-BN">
    <REGKEYFOUND NAME = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\search-soft.net"/>
    <REGKEY NAME = "Troj/Agent-BN
    Troj/Dloader-FC www.awmdabest.com"/>
    <HOST VALUE = "Troj/Dloader-FC www.sexfiles.nu"/>
    <HOST VALUE = "Troj/Dloader-FC awmdabest.com"/>
    <HOST VALUE = "Troj/Dloader-FC sexfiles.nu"/>
    <HOST VALUE = "Troj/Dloader-FC iframe.biz"/>
    <HOST VALUE = "Troj/Dloader-FC www.newiframe.biz"/>
    <HOST VALUE = "Troj/Dloader-FC www.vesbiz.biz"/>
    <HOST VALUE = "Troj/Dloader-FC vesbiz.biz
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Since Don has quoted the section on XoftSpy above, to be fair, I must point out there is a Note on XoftSpy which states the concerns for false positives were addressed in their version 4.0, though to what degree hasn't been stated as far as I can see. So there is still a possibility of these being false positives. Also, XoftSpy has been removed from the rogue/suspect list for anti-spyware, as mentioned in that "note".

    Regards,

    snap
     
  10. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Some of those files are detected by Sophos AV under those names, so they may not be false positives. The best way to tell would be to scan the files with another AV/AS program, or submit the samples to Trend Micro.
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi JB16907,

    You've mentioned that you use SpywareBlaster, and if you have enabled ALL its protection, then that would include the "Restricted Sites Protection". SpywareBlaster does enter into the registry the search-soft.net (along with a few others you've listed above) into Internet Explorer's Restricted sites zone, as does IE-SPYAD (if you are using that one).

    This section of the registry:
    My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

    If you have XoftSpy fix those entries, you can check SpywareBlaster and see if those exact same entries are then disabled. That way you would know if XoftSpy is detecting the protection SpywareBlaster is entering into the registry.

    I am not familiar with XoftSpy's logs, so I'm not sure where these "HOST VALUE = " entries are being detected, but you did mention using an "enhanced hosts file" ...so XoftSpy could be detecting your hosts file's entries in this case also.

    But to be on the safe side, as suggested by Sweetie(*)(*), you should do an online scan, and also go through the General Cleaning instructions in the link I provided above in Post #2, just to see if any other scanners are picking up an infection.

    Please let us know how the scans turn out.

    Regards,

    snap
     
  12. JB16907

    JB16907 Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    6
    Thanks for all of the help! I'm at work now so it will be tonight before I can send any more info. I agree with one of the posts about Spyware X-terminator. I don't think it's very effective. I know Xoftspy has been slammed for a while, but the current version seems to be very effective and their support was great when I was fighting some trojans a few weeks ago. I had the terrible CWS virus and it took 5 days to get everything cleaned up! :oops: They were very interested in the HijackThis logs I sent them.

    Doesn't Firefox have hacker problems via the international fonts? I thought I read something about that.

    I'm sure getting an education on spyware :mad: . I blame MS for all of this.

    John
     
  13. Th3ChaS3r

    Th3ChaS3r Guest

    Nope, Firefox is the safest browser around at the moment. I know that there is a version of Mozilla and Firefox prior to the newest which has XSS holes in it with the way it handles news://, but that is the only thing I know about with Firefox.
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi John, once your system is clean, you may want to take a look HERE, with further discussions on security and how to make your system that much stronger, see HERE and HERE.

    Hope this helps...

    Cheers :D
     
  15. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Thank you BlackSpear for not stating what is not needed. The guy asked for some help. If he chooses to use IE, so be it. Not fair to tam something else down his throat. And the info on Xoftspy is precise. Thanks to you as well, Snap, for helping with the problem. Nice to see there is help when needed. Keep up the great work guys.
     
  16. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Oops. Should be "ram". Sorry.
     
  17. JB16907

    JB16907 Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    6
    :D Wow, so many requests! Sorry, but I had to work until 8pm so I didn't get much done. Snapdragin, you're right about where Xoftspy is finding the trojans: CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. They could be false positives, but SpywareBlaster doesn't list any disabled protection so I can't be sure. I sent the logs to Xoftspy support so I'd like to wait to see what they have to say. They have always responded quickly. I also pointed them to this thread so they can comment if they want. I looked at the 3 levels of protection Blackspear suggested and intend to use that info to make my computers safer. I'm using Trend Micro's firewall and am convinced it's not very good. Is Outpost's firewall the way to go? I used to use ZoneAlarm's free firewall but it drove me crazy with the silly hourly popup asking if I wanted to upgrade to the Pro version. Is the Pro version a resource hog?
    Th3ChaS3r you seem so convinced Firefox is the way to go you've convinced me to give it a try.
    Give me some time to get all of these tasks done. Sorry about all of the babble :D . I like this forum and will begin camping out here some(mostly just listening). Thanks again. :D
     
  18. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi JB16907,

    I'm glad you were able to contact XoftSpy about the alerts....that would be the best way to rule out any possible false/positives. No program is without a false/positive now and then and it is always best to check with the program's developers before deleting any files.

    In regards to your questions concerning firewalls and browsers... in order not to take this thread off-topic, you can do a search of our forum and you'll find many threads on both where members have given their experience and opinions on them.

    Then if you wish to ask further questions about firewalls and browsers, you can open a new topic in the appropriate forums:

    For firewalls -> Other Firewalls forum
    For browsers -> Software & Services forum

    Please do let us know how you make out with the reply from XoftSpy as it may help someone else who might have received similar alerts.

    Regards,

    snap
     
  19. JB16907

    JB16907 Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    6
    Well, I have an update....they (Xoftspy) posted a new definition file so I updated and ran again. This time it found NUMEROUS bad guys in my host file. :oops: Only problem is they are there as 127.0.0.0 to screw up these rogue sites. I sent another logfile and my host file to help them out. The good news is they are trying hard. The bad news is they aren't watching what you guys and others are doing to combat rogueware. So I suggested they start watching this forum and MajorGeeks to keep up with you! I've already paid for one year so I'm sticking with them and hopefully help fix their stuff. :D
    I know this belongs in another forum, but this is just a note to Th3ChaS3r. I downloaded Firefox and had some problems with some sites I use for my business, so it's still a work in progress for me. Looks OK otherwise. I'm ready to dump Trend Micro's firewall (I'll keep the virus checker) and go with Kerio. Can someone point me to docs on setting up the rules? I saw a site a few days ago but can't find it again. :p

    Thanks in advance :D
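The two checks raised in this thread, snapdragin's question in post #11 (are the ZoneMap\Domains hits just the Restricted Sites entries that SpywareBlaster or IE-SPYAD wrote?) and JB16907's finding in post #19 (the "bad guys" in the hosts file are entries pointing at loopback), can be triaged mechanically. The script below is an added example for this page, not code from XoftSpy, SpywareBlaster or any other product discussed. It parses a hosts file and a .reg export of the ZoneMap\Domains key, both constructed samples embedded here, and separates protective entries (hostnames sinkholed to 127/8 or 0.0.0.0, domains placed in zone 4 Restricted Sites) from entries that would actually indicate tampering (a hostname redirected to a remote address, a domain granted Trusted Sites or Local Intranet zone). The hostnames av-update.example and example-updater.example and the address 203.0.113.7 are made up for the sample; the zone numbers (1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites) are IE's standard ones.

```python
import re
from ipaddress import ip_address

# Constructed sample hosts file: blocklist lines in the style of an "enhanced"
# hosts file (sinkholed to loopback or 0.0.0.0), plus one genuine hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.awmdabest.com
127.0.0.1       sexfiles.nu
127.0.0.0       www.newiframe.biz     # any 127/8 address is loopback
0.0.0.0         iframe.biz
# hostile (made up): an update host silently pointed at a remote machine
203.0.113.7     av-update.example
"""

# Constructed .reg export of HKCU\...\ZoneMap\Domains. "*"=dword:4 is what
# SpywareBlaster / IE-SPYAD install; the last key grants Trusted Sites instead.
SAMPLE_ZONEMAP_REG = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\search-soft.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\vesbiz.biz]
"*"=dword:00000004

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\example-updater.example]
"http"=dword:00000002
"""

ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# A Domains subkey may itself hold a subdomain subkey (Domains\foo.com\www);
# the capture keeps the whole tail so both levels are reported.
KEY_RE = re.compile(r"^\[.*\\ZoneMap\\Domains\\([^\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def classify_hosts(text):
    """Return (hostname, ip, verdict) for every hosts-file mapping.

    'blocklist': sinkholed to the local machine, i.e. protection, not infection.
    'redirect' : points at a remote address, the way hijackers block AV update
                 sites or steer traffic; investigate.
    """
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, inline too
        if not line:
            continue
        fields = line.split()
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue                               # malformed line, skip it
        for host in fields[1:]:
            if host == "localhost":
                verdict = "default"
            elif ip.is_loopback or ip.is_unspecified:
                verdict = "blocklist"
            else:
                verdict = "redirect"
            out.append((host, str(ip), verdict))
    return out


def classify_zonemap(text):
    """Return (domain, scheme, zone name, verdict) for every ZoneMap value.

    'restricted': zone 4, exactly what the blocklisting tools write.
    'elevated'  : zone 1 or 2, more trust than the Internet zone; expected only
                  for sites the user added deliberately.
    """
    out, domain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            domain = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and domain:
            scheme, zone = m.group(1), int(m.group(2), 16)
            verdict = ("restricted" if zone == 4 else
                       "elevated" if zone in (1, 2) else "other")
            out.append((domain, scheme, ZONE_NAMES.get(zone, str(zone)), verdict))
    return out


def suspicious(hosts_text, reg_text):
    """Only the entries that warrant a second look."""
    redirects = [h for h in classify_hosts(hosts_text) if h[2] == "redirect"]
    elevated = [z for z in classify_zonemap(reg_text) if z[3] == "elevated"]
    return redirects, elevated


if __name__ == "__main__":
    redirects, elevated = suspicious(SAMPLE_HOSTS, SAMPLE_ZONEMAP_REG)
    for host, ip, _ in redirects:
        print(f"hosts: {host} -> {ip}  (remote redirect, investigate)")
    for domain, scheme, zone, _ in elevated:
        print(f"zonemap: {domain} [{scheme}] in {zone}  (trust elevation, investigate)")
```

To run it against a real machine, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts and an export made with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg` (open the export with encoding="utf-16", which is what reg.exe writes). Everything the script labels "blocklist" or "restricted" is the kind of entry the thread's scanner was flagging as a trojan; only the "redirect" and "elevated" rows need a closer look.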
     
  20. JB16907

    JB16907 Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    6
    OK, I liked ZoneAlarm but the popup drove me crazy. Thanks for the way to turn it off. Yes, I'd like your method to make IE solid.
     
  21. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    Get rid of Xoftspy!!! It's junk.
     
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    @ racoons13....I have split your posts into a thread of its own in order to assist you better with your problem.

    This thread---> Trojans detected ?

    Regards,
    Bubba
     