Trojans Galore

Guest
Archived from groups: microsoft.public.win2000.general

In the last few days I am getting messages from my AVG virus checker that a
trojan has arrived. I have The AVG running and a hosts file which is updated
every week in addition to running Spybot weekly and finally I am also connected
via a D-Link Router.

The amazing thing is that I can deal with something internal which has nothing
to do with the internet and yet the trojans keep coming. The vault was emptied
this morning and in 3 hours I have received 3 trojans.

They arrive in Documents/Borge/Local Settings/temp and there seems to be no
stopping them. The names are today 28537.exe, 15805.exe and 21702.exe.

Fortunately they can just be emptied out of the vault and that is the finish of
them but soon enough new ones arrive.

B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
If you are curious look here http://www.mapquest.com/maps/latlong.adp
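
As an added illustration (not part of the original post and not any poster's tool): a read-only triage script for the pattern described above, digit-only .exe names appearing in the user's Temp folder. It records each file's modification time, size, SHA-256 and whether it really is a PE file, so the drop times can be lined up with what was running; the sample folder and stub files are constructed, and `triage_temp`, `is_pe` and `make_sample_dir` are names chosen here.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Name pattern reported in the thread: digits only, then ".exe".
DIGIT_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[60:64], "little"))
        return f.read(4) == b"PE\0\0"

def triage_temp(temp_dir):
    """List digit-named .exe files in temp_dir, oldest first, with hash and type."""
    findings = []
    for entry in Path(temp_dir).iterdir():
        if not entry.is_file() or not DIGIT_EXE.match(entry.name):
            continue
        st = entry.stat()
        findings.append({
            "name": entry.name,
            "size": st.st_size,
            "mtime": st.st_mtime,
            "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": hashlib.sha256(entry.read_bytes()).hexdigest(),
            "is_pe": is_pe(entry),
        })
    return sorted(findings, key=lambda f: (f["mtime"], f["name"]))

def make_sample_dir():
    """Constructed sample: a fake Temp folder holding harmless stub files."""
    d = Path(tempfile.mkdtemp())
    pe_stub = b"MZ" + bytes(58) + (64).to_bytes(4, "little") + b"PE\0\0"
    samples = {"28537.exe": pe_stub, "15805.exe": b"not a program",
               "setup.exe": pe_stub, "21702.txt": b"notes"}
    for i, (name, data) in enumerate(samples.items()):
        (d / name).write_bytes(data)
        os.utime(d / name, (1117400000 + 3600 * i,) * 2)  # one hour apart
    return d

if __name__ == "__main__":
    for f in triage_temp(make_sample_dir()):
        kind = "PE executable" if f["is_pe"] else "not a PE file"
        print(f["modified_utc"], f["name"], f["size"], kind, f["sha256"])
```

Pointing `triage_temp` at the real Temp folder before emptying the AV vault keeps a record of hashes and arrival times that can be compared from one day to the next.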
 
Guest
Archived from groups: microsoft.public.win2000.general

Any idea what the trojan's name is?

Crouchie1998
BA (HONS) MCP MCSE
 
Guest
Archived from groups: microsoft.public.win2000.general

It seems obvious that AVG fails to clean your machine properly.
I suggest an external virus scan on www.antivirus.com ("free
online scan").


"nesredep egrob" <Long. -31,48.21 Lat. 115,47.40> wrote in message
news:6v0l91h98lavrmnrpkf7oo9uaof76dm34v@4ax.com...
> In the last few days I am getting messages from my AVG virus checker that a
> trojan has arrived. I have The AVG running and a hosts file which is updated
> every week in addition to running Spybot weekly and finally I am also connected
> via a D-Link Router.
>
> The amazing thing is that I can deal with something internal which has nothing
> to do with the internet and yet the trojans keep coming. The vault was emptied
> this morning and in 3 hours I have received 3 trojans.
>
> They arrive in Documents/Borge/Local Settings/temp and there seems to be no
> stopping them. The names are today 28537.exe, 15805.exe and 21702.exe.
>
> Fortunately they can just be emptied out of the vault and that is the finish of
> them but soon enough new ones arrive.
>
> B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
> If you are curious look here http://www.mapquest.com/maps/latlong.adp
>
 
Guest
Archived from groups: microsoft.public.win2000.general

From: "nesredep egrob" <Long. -31,48.21 Lat. 115,47.40>

| In the last few days I am getting messages from my AVG virus checker that a
| trojan has arrived. I have The AVG running and a hosts file which is updated
| every week in addition to running Spybot weekly and finally I am also connected
| via a D-Link Router.
|
| The amazing thing is that I can deal with something internal which has nothing
| to do with the internet and yet the trojans keep coming. The vault was emptied
| this morning and in 3 hours I have received 3 trojans.
|
| They arrive in Documents/Borge/Local Settings/temp and there seems to be no
| stopping them. The names are today 28537.exe, 15805.exe and 21702.exe.
|
| Fortunately they can just be emptied out of the vault and that is the finish of
| them but soon enough new ones arrive.
|
| B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
| If you are curious look here http://www.mapquest.com/maps/latlong.adp

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shut down as many applications as possible!
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest
Archived from groups: microsoft.public.win2000.general

On Mon, 30 May 2005 05:57:25 +0100, "Crouchie1998" <crouchie1998@spamcop.net>
wrote:
The names are as on the message, just numbers with an exe behind. You will see
them at the bottom of the message. This is seen on the report issued by AVG.
>Any idea what the trojan's name is?
>
>Crouchie1998
>BA (HONS) MCP MCSE
>
 
Guest
Archived from groups: microsoft.public.win2000.general

Symantec (http://www.symantec.com) also provide a FREE online scan too

Crouchie1998
BA (HONS) MCP MCSE
 
Guest
Archived from groups: microsoft.public.win2000.general

On Mon, 30 May 2005 15:10:43 +1000, "Pegasus \(MVP\)" <I.can@fly.com> wrote:

>It seems obvious that AVG fails to clean your machine properly.
>I suggest an external virus scan on www.antivirus.com ("free
>online scan").

Thanks. I have now for some time run firefox and netscape has been left behind.
It seems that Trend does need Netscape which was duly re-installed on drive
D:\Program Files, complete with the plugins folder in the netscape folder. That
plugins is what trends says it cannot find after having found it with the browse
button as is the norm for installations. Netscape is working fine.

Someone was asking for the name of the files and AVG has them down as Trojan
horse downloader. The file itself is an exe file named with just number and no
alpha chars at all.
>
>
>"nesredep egrob" <Long. -31,48.21 Lat. 115,47.40> wrote in message
>news:6v0l91h98lavrmnrpkf7oo9uaof76dm34v@4ax.com...
>> In the last few days I am getting messages from my AVG virus checker that a
>> trojan has arrived. I have The AVG running and a hosts file which is updated
>> every week in addition to running Spybot weekly and finally I am also connected
>> via a D-Link Router.
>>
>> The amazing thing is that I can deal with something internal which has nothing
>> to do with the internet and yet the trojans keep coming. The vault was emptied
>> this morning and in 3 hours I have received 3 trojans.
>>
>> They arrive in Documents/Borge/Local Settings/temp and there seems to be no
>> stopping them. The names are today 28537.exe, 15805.exe and 21702.exe.
>>
>> Fortunately they can just be emptied out of the vault and that is the finish of
>> them but soon enough new ones arrive.
>>
>> B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
>> If you are curious look here http://www.mapquest.com/maps/latlong.adp
>>
>
 
Guest
Archived from groups: microsoft.public.win2000.general

Did you just copy/paste your reply?

You gave exactly the same answer with something yesterday where I mentioned
you are promoting your own website tools..

Crouchie1998
BA (HONS) MCP MCSE
 
Guest
Archived from groups: microsoft.public.win2000.general

From: "Crouchie1998" <crouchie1998@spamcop.net>

| Did you just copy/paste your reply?
|
| You gave exactly the same answer with something yesterday where I mentioned
| you are promoting your own website tools..
|
| Crouchie1998
| BA (HONS) MCP MCSE
|

I copied the concept of many MS MVPs in coming up with a boilerplate set of instructions
(which does get modified based upon feedback) that are known to work.

I am not about to re-write a response to a repetitive problem each time. I see the same
problems, over and over again.

As Chek replied...

"Admittedly a lot of Dave's posts are repetitive, but only
because it's a valid procedure to follow for most posters
here with their limited knowledge. Sure, more sophisticated
tools like Process Explorer, HiJackThis and others may be
needed to actually remove the reported but undeletable files
McAfee or Trend find even in Safe Mode (Winlogon being
another current fave in the malware start-up routines), but
there’s always an invitation to report back the findings."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest
Archived from groups: microsoft.public.win2000.general

> In the last few days I am getting messages from my AVG virus checker that a
> trojan has arrived. I have The AVG running and a hosts file which is updated
> every week in addition to running Spybot weekly and finally I am also connected
> via a D-Link Router.

Your firewall may be configured incorrectly.

Andrew
 
Guest
Archived from groups: microsoft.public.win2000.general

On Wed, 1 Jun 2005 13:42:25 +0100, "Andrew Morton" <akm@in-press.co.uk.invalid>
wrote:

>> In the last few days I am getting messages from my AVG virus checker that a
>> trojan has arrived. I have The AVG running and a hosts file which is updated
>> every week in addition to running Spybot weekly and finally I am also connected
>> via a D-Link Router.
>
>Your firewall may be configured incorrectly.
>
>Andrew
>
I shall have a go at that. I do not recall doing anything to upset the factory
defaults - but you never know. Did not even think of that being wrong. Thanks

B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
If you are curious look here http://www.mapquest.com/maps/latlong.adp
 
Guest
Archived from groups: microsoft.public.win2000.general

>>> In the last few days I am getting messages from my AVG virus checker that a
>>> trojan has arrived. I have The AVG running and a hosts file which is updated
>>> every week in addition to running Spybot weekly and finally I am also connected
>>> via a D-Link Router.
>>
>>Your firewall may be configured incorrectly.
>>
> I shall have a go at that. I do not recall doing anything to upset the factory
> defaults - but you never know. Did not even think of that being wrong. Thanks

What firewall are you using? Also, you might want to use AdAware because it
catches some things which Spybot S&D doesn't.

Andrew
 
Guest
Archived from groups: microsoft.public.win2000.general

lemme throw my $.02 in.... I haven't been on in awhile, but my
"slow pc/trojan/spyware" routine includes the following:

1) dump the temp and temporary internet files directories
2) reset the size of the recycle bin and browser cache to mins -- and empty
them out
3) reset the swap file settings "appropriately" -- a lot of debate on that,
so I won't go into detail here
4) virus scan
a) new sigs for onboard scanner
b) housecall.antivirus.com
c) replace Symantec/Norton with AVG7 (imho)
5) ad-aware
6) ccleaner
7) spybot s&D
8) reboot
9) defrag
10) reboot

"nesredep egrob" <Long. -31,48.21 Lat. 115,47.40> wrote in message
news:6v0l91h98lavrmnrpkf7oo9uaof76dm34v@4ax.com...
> In the last few days I am getting messages from my AVG virus checker that a
> trojan has arrived. I have The AVG running and a hosts file which is updated
> every week in addition to running Spybot weekly and finally I am also connected
> via a D-Link Router.
>
> The amazing thing is that I can deal with something internal which has nothing
> to do with the internet and yet the trojans keep coming. The vault was emptied
> this morning and in 3 hours I have received 3 trojans.
>
> They arrive in Documents/Borge/Local Settings/temp and there seems to be no
> stopping them. The names are today 28537.exe, 15805.exe and 21702.exe.
>
> Fortunately they can just be emptied out of the vault and that is the finish of
> them but soon enough new ones arrive.
>
> B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
> If you are curious look here http://www.mapquest.com/maps/latlong.adp
>
 
Guest
Archived from groups: microsoft.public.win2000.general

On Thu, 2 Jun 2005 13:08:33 -0600, "j9" <j9@1stamericanproperties.com> wrote:

>lemme throw my $.02 in.... I haven't been on in awhile, but my "slow
>pc/trojan/spyware"
>routine includes the following:
>
>1) dump the temp and temporary internet files directories
>2) reset the size of the recycle bin and browser cache to mins -- and empty
>them out
>3) reset the swap file settings "appropriately" -- a lot of debate on that,
>so I won't go into detail here
>4) virus scan
> a) new sigs for onboard scanner
> b) housecall.antivirus.com
> c) replace Symantec/Norton with AVG7 (imho)
>5) ad-aware
>6) ccleaner
>7) spybot s&D
>8) reboot
>9) defrag
>10) reboot
>
>"nesredep egrob" <Long. -31,48.21 Lat. 115,47.40> wrote in message
>news:6v0l91h98lavrmnrpkf7oo9uaof76dm34v@4ax.com...
>> In the last few days I am getting messages from my AVG virus checker that a
>> trojan has arrived. I have The AVG running and a hosts file which is updated
>> every week in addition to running Spybot weekly and finally I am also connected
>> via a D-Link Router.
>>
>> The amazing thing is that I can deal with something internal which has nothing
>> to do with the internet and yet the trojans keep coming. The vault was emptied
>> this morning and in 3 hours I have received 3 trojans.
>>
>> They arrive in Documents/Borge/Local Settings/temp and there seems to be no
>> stopping them. The names are today 28537.exe, 15805.exe and 21702.exe.
>>
>> Fortunately they can just be emptied out of the vault and that is the finish of
>> them but soon enough new ones arrive.
>>
>> B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
>> If you are curious look here http://www.mapquest.com/maps/latlong.adp
>>
>
I have saved your very good comments in notepad as "Troubleshooter". Last night I
reset the D-Link as I remembered that I had set it up to deal with eMule at
speed - to no avail as most of the items there have been fouled up either
deliberately or with people having lots of trouble on their computers.

I am hoping that the reset will set the firewall to its usual old self. Like to
do one thing at a time so I eventually can let people know which one did the
trick - but thanks.

B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
If you are curious look here http://www.mapquest.com/maps/latlong.adp
 
Guest
Archived from groups: microsoft.public.win2000.general

On Fri, 03 Jun 2005 09:43:50 +0800, nesredep egrob <Long. -31,48.21 Lat.
115,47.40> wrote:

>On Thu, 2 Jun 2005 13:08:33 -0600, "j9" <j9@1stamericanproperties.com> wrote:
>
>>lemme throw my $.02 in.... I haven't been on in awhile, but my "slow
>>pc/trojan/spyware"
>>routine includes the following:
>>
>>1) dump the temp and temporary internet files directories
>>2) reset the size of the recycle bin and browser cache to mins -- and empty
>>them out
>>3) reset the swap file settings "appropriately" -- a lot of debate on that,
>>so I won't go into detail here
>>4) virus scan
>> a) new sigs for onboard scanner
>> b) housecall.antivirus.com
>> c) replace Symantec/Norton with AVG7 (imho)
>>5) ad-aware
>>6) ccleaner
>>7) spybot s&D
>>8) reboot
>>9) defrag
>>10) reboot
>>
>>"nesredep egrob" <Long. -31,48.21 Lat. 115,47.40> wrote in message
>>news:6v0l91h98lavrmnrpkf7oo9uaof76dm34v@4ax.com...
>>> In the last few days I am getting messages from my AVG virus checker that a
>>> trojan has arrived. I have The AVG running and a hosts file which is updated
>>> every week in addition to running Spybot weekly and finally I am also connected
>>> via a D-Link Router.
>>>
>>> The amazing thing is that I can deal with something internal which has nothing
>>> to do with the internet and yet the trojans keep coming. The vault was emptied
>>> this morning and in 3 hours I have received 3 trojans.
>>>
>>> They arrive in Documents/Borge/Local Settings/temp and there seems to be no
>>> stopping them. The names are today 28537.exe, 15805.exe and 21702.exe.
>>>
>>> Fortunately they can just be emptied out of the vault and that is the finish of
>>> them but soon enough new ones arrive.
>>>
>>> B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
>>> If you are curious look here http://www.mapquest.com/maps/latlong.adp
>>>
>>
>I have saved your very good comments in notepad as "Troubleshooter". Last night I
>reset the D-Link as I remembered that I had set it up to deal with eMule at
>speed - to no avail as most of the items there have been fouled up either
>deliberately or with people having lots of trouble on their computers.
>
>I am hoping that the reset will set the firewall to its usual old self. Like to
>do one thing at a time so I eventually can let people know which one did the
>trick - but thanks.
>
>B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
>If you are curious look here http://www.mapquest.com/maps/latlong.adp

Maybe too soon to declare victory but so far today there are no entries in the
trojan vault (AVG).
I used the reset button on the back of the D-Link to save time. After that all
you have to do is to follow the directions and a few instructions in the book.
As I said one thing at a time and it appears this might have been the answer.
the pox on trying to get back to eMule except by the slow way, maybe.

B.Pedersen Latitude -31,48.21 Longitude115,47.40 Time=GMT+8.00
If you are curious look here http://www.mapquest.com/maps/latlong.adp