Alert trojan ITBar, Pugi.PugiObj.1, Ysb. Obj, from 217.170.4.137 What to do ?

Thierry

Hi,

This Friday my PC was attacked by several trojans: ITBar, Pugi.PugiObj.1, Ysb.Obj, etc., from
http://217.170.4.137/_vti_bin/index.html
It copies about 20 files onto your hard disk, among them c:\gr.exe or grdh.exe and,
in c:\windows, symantec.hmtl, update-sp3.html, symantec.css, y.bat, z.bat,
za.reg, pskill.exe, some gifs, etc.

It remains present in your Temporary Internet Files and, thanks to an ActiveX
command, it spreads into 40 to 200 files, deletes and replaces entries in the
registry and adds a toolbar to Internet Explorer to make some publicity for antivirus
solutions from Symantec and Microsoft (it loads local html pages), then
connects to some porn website and, at the end or if you try to interrupt the
process, it kills the shell (process) lsass.exe, forcing a shutdown of your PC
in 1 minute.

It uses ftp and cmd to transfer its files locally.

I deleted the partition, reformatted in NTFS, reinstalled: no way. Twice. The
virus is still there and appears after the first installation of a driver
(cable modem, but not infected) or when connecting to the Internet.

Problem:
Has it remained in the MBR? Under XP there is no more fdisk /mbr command.
Placing XP security too high under System or Internet Explorer, even if you
rename or delete a system file (cmd or ftp.exe), XP recreates it.
Even placing the "viral IP" in the unsafe zone (http://217.. or
ftp://217...), it passes through even if the html page is hung (blank).
I even tried to create a fake directory c:\gr.exe or c:\grdh.exe or even
y.bat, etc.; no better, the PC ended with a fine lsass error and shutdown.
This already cost me 10 hours of work, in vain! (except by staying local, off the Internet

I could work in user mode but it creates some problems for my applications
accessing ini files.

When the problem occurs there is no better way to work than switching off
your PC and working locally without an Internet connection. But the trojans are
always there.

I use what is said to be one of the best anti-virus, PCTools Spyware Doctor. It
only sees them once they are modified or have modified your system. It cannot see
them under attack (downloading) or just after the copy of its files onto your local HD.
No better for AntiSpyware Beta from Microsoft or its Anti-malware, and
BitDefender doesn't see many things. Of course all these versions ran with the
latest updates.

So what to do, except buying a new HD and benefiting from a larger capacity?

I have also questioned the PCTools support team with the hope of getting a fix.
Does someone have an idea how to remove these trojans?

Thanks
Thierry

-------
French version below (translated to English):

Hello,

Last Friday my PC running XP Home Edition was attacked by a trojan virus:
ITBar, Pugi.PugiObj.1, Ysb.Obj, etc. and a few others coming from
http://217.170.4.137/_vti_bin/index.html
It copies 15-20 files locally into c:\, including gr.exe or grdh.exe, and into
c:\windows, including symantec.hmtl, update-sp3.html, symantec.css, y.bat, z.bat,
za.reg, pskill.exe, a few gifs, etc.

Not only does it delete files under c:\windows and remain present in your
Temporary Internet Files, but thanks to ActiveX commands it contaminates
between 40 and 200 files, deletes and replaces entries in the registry to add
a toolbar to Internet Explorer and do a bit of advertising for antivirus
solutions from Symantec and Microsoft (it loads local pages saved in
c:\windows). Worse, it kills the shell (process) lsass.exe, which forces a
shutdown of the PC in 1 minute.

It takes advantage of the ftp and cmd commands to transfer the files it
needs.

I deleted the partition, reformatted in NTFS, reinstalled: nothing doing.
Twice. The virus is still there and appears at the first installation of a
modem driver (not infected) or connection to the Internet.

Problem:
Has it remained in the MBR? Under XP there is no longer an fdisk /mbr command. By
setting security too high under Explorer or the system, even if you delete or
rename cmd.exe and ftp.exe, XP recreates them. Even by putting the IP in the
forbidden zone (http://217.. or ftp://217...) it gets through.
I even tried to create a directory c:\gr.exe or c:\grdh.exe and even y.bat,
etc.; no better, the PC still ends up frozen. This has already cost me 10 hours
of work, in vain! (except by staying local, off the Internet, or connected for
1 minute max with my hand on the power cord)!
I could well work in user mode but that causes problems for me or for my
applications in accessing certain ini files, for example.

This trojan also blocks the activity of the antivirus programs and finally
all the PC's processes within 1 minute. In that case you switch off and on
again without connecting to the Internet and everything works again. But the
trojan virus is still there.

So I am forced to cut off my modem (cable modem) as soon as I see an access
to http://217...
The only method to stop it.

I use what is said to be the best product, PCTools Spyware Doctor. It sees it
once it has begun its dirty work but not during the attack (during the
download) or just after the copy of the 20 files onto the disk. Nothing.
It's no better, or worse, for Microsoft's AntiSpyware Beta product or its
Anti-malware, and BitDefender sees a little less than Spyware Doctor. All
these versions are of course up to date with the latest updates.

What to do other than buy a new hard disk and thereby gain a bit more
space?

Failing being able to remove it, I have put the question to PCTools hoping
for a fix.
Does anyone have an idea how it can be removed?

Thanks
Thierry
 
Thierry

Add:
Contrary to what I said, creating a few directories with the names of the
trojan's exe files stops them (no download, no execution, etc.).
I thus created c:\gr.exe, c:\grdh.exe, c:\windows\z.bat, c:\windows\za.reg
and that works.
But these trojans probably remain somewhere in the PC, invisible to my
antivirus software.
Any solution to remove them?

Thierry
 
Art

| This Friday my PC was attacked by several trojans: ITBar, Pugi.PugiObj.1, Ysb.Obj, etc., from
| http://217.170.4.137/_vti_bin/index.html

This site attempts to install and run an EXE file that KAV detects as
Trojan-Downloader.Win32.IstBar.lu

IE users may take hits automatically via ActiveX or scripting.
Alternate browser users may see a message saying a plugin is
required to view the site. Never allow web sites to install plugins.

Mozilla allowed me to either Open or Save the infested EXE file. I
downloaded (Saved) and scanned it on-demand.

| It copies about 20 files onto your hard disk, among them c:\gr.exe or grdh.exe and,
| in c:\windows, symantec.hmtl, update-sp3.html, symantec.css, y.bat, z.bat,
| za.reg, pskill.exe, some gifs, etc.
|
| It remains present in your Temporary Internet Files and, thanks to an ActiveX
| command, it spreads into 40 to 200 files, deletes and replaces entries in the
| registry and adds a toolbar to Internet Explorer to make some publicity for antivirus
| solutions from Symantec and Microsoft (it loads local html pages), then
| connects to some porn website and, at the end or if you try to interrupt the
| process, it kills the shell (process) lsass.exe, forcing a shutdown of your PC
| in 1 minute.
|
| It uses ftp and cmd to transfer its files locally.
|
| I deleted the partition, reformatted in NTFS, reinstalled: no way. Twice. The
| virus is still there and appears after the first installation of a driver
| (cable modem, but not infected) or when connecting to the Internet.
|
| Problem:
| Has it remained in the MBR?

If you deleted and recreated the partition, there must be some other
problem. Maybe other partitions or drives are infested. Or maybe you
aren't using a firewall or external firewall/router and you're just
continually being reinfected.

| Under XP there is no more fdisk /mbr command.
| Placing XP security too high under System or Internet Explorer, even if you
| rename or delete a system file (cmd or ftp.exe), XP recreates it.
| Even placing the "viral IP" in the unsafe zone (http://217.. or
| ftp://217...), it passes through even if the html page is hung (blank).
| I even tried to create a fake directory c:\gr.exe or c:\grdh.exe or even
| y.bat, etc.; no better, the PC ended with a fine lsass error and shutdown.
| This already cost me 10 hours of work, in vain! (except by staying local, off the Internet
|
| I could work in user mode but it creates some problems for my applications
| accessing ini files.
|
| When the problem occurs there is no better way to work than switching off
| your PC and working locally without an Internet connection. But the trojans are
| always there.
|
| I use what is said to be one of the best anti-virus, PCTools Spyware Doctor.

Sorry, that's not an antivirus.

| It only sees them once they are modified or have modified your system. It cannot see
| them under attack (downloading) or just after the copy of its files onto your local HD.
| No better for AntiSpyware Beta from Microsoft or its Anti-malware, and
| BitDefender doesn't see many things. Of course all these versions ran with the
| latest updates.

BitDefender at least is an antivirus.

| So what to do, except buying a new HD and benefiting from a larger capacity?
|
| I have also questioned the PCTools support team with the hope of getting a fix.

That's useless.

| Does someone have an idea how to remove these trojans?

Do you have an external firewall/router? If not, did you keep a copy of
your favorite personal firewall on CD and install it right after
reinstalling Windows and before going on line? Do you have other
drives and/or partitions that may be infected by a virus?

Anyway, here's a link to an AV scanner which uses the Kaspersky scan
engine:

http://www.claymania.com/KASFX.EXE

Art

http://home.epix.net/~artnpeg
 
Art

| This Friday my PC was attacked by several trojans: ITBar, Pugi.PugiObj.1, Ysb.Obj, etc., from
| http://217.170.4.137/_vti_bin/index.html

Below is a VirusTotal result of scanning the regular_plugin.exe
file from this site:

AntiVir 6.32.0.6 09.25.2005 TR/Dldr.IstBar.IT
Avast 4.6.695.0 09.23.2005 Win32:IstBar-AJ
AVG 718 09.23.2005 no virus found
Avira 6.32.0.6 09.25.2005 TR/Dldr.IstBar.IT
BitDefender 7.2 09.25.2005 no virus found
CAT-QuickHeal 8.00 09.25.2005 no virus found
ClamAV devel-20050917 09.25.2005 no virus found
DrWeb 4.32b 09.25.2005 Trojan.Isbar.336
eTrust-Iris 09.24.2005 no virus found
eTrust-Vet 09.23.2005 no virus found
F-Prot 3.16c no virus found
Ikarus 0.2.59.0 09.23.2005 no virus found
Kaspersky Trojan-Downloader.Win32.IstBar.lu
McAfee 4589 09.23.2005 no virus found
NOD32v2 1.1231 09.23.2005 no virus found
Norman 5.70.10 09.23.2005 no virus found
Panda 8.02.00 09.25.2005 no virus found
Sophos 3.98.0 09.24.2005 no virus found
Symantec 8.0 09.24.2005 no virus found
TheHacker .2.114 09.22.2005 Trojan/Downloader.IstBar.ja
VBA32 3.10.4 09.21.2005 no virus found

Art

http://home.epix.net/~artnpeg
 
David H. Lipman

From: "Thierry" <->

| Hi,
|
| This Friday my PC was attacked by several trojans: ITBar, Pugi.PugiObj.1, Ysb.Obj, etc., from
| hxxp://217.170.4.137/_vti_bin/index.html
| It copies about 20 files onto your hard disk, among them c:\gr.exe or grdh.exe and,
| in c:\windows, symantec.hmtl, update-sp3.html, symantec.css, y.bat, z.bat,
| za.reg, pskill.exe, some gifs, etc.
|
| It remains present in your Temporary Internet Files and, thanks to an ActiveX
| command, it spreads into 40 to 200 files, deletes and replaces entries in the
| registry and adds a toolbar to Internet Explorer to make some publicity for antivirus
| solutions from Symantec and Microsoft (it loads local html pages), then
| connects to some porn website and, at the end or if you try to interrupt the
| process, it kills the shell (process) lsass.exe, forcing a shutdown of your PC
| in 1 minute.
|
| It uses ftp and cmd to transfer its files locally.
|
| I deleted the partition, reformatted in NTFS, reinstalled: no way. Twice. The
| virus is still there and appears after the first installation of a driver
| (cable modem, but not infected) or when connecting to the Internet.
|
| Problem:
| Has it remained in the MBR? Under XP there is no more fdisk /mbr command.
| Placing XP security too high under System or Internet Explorer, even if you
| rename or delete a system file (cmd or ftp.exe), XP recreates it.
| Even placing the "viral IP" in the unsafe zone (http://217.. or
| ftp://217...), it passes through even if the html page is hung (blank).
| I even tried to create a fake directory c:\gr.exe or c:\grdh.exe or even
| y.bat, etc.; no better, the PC ended with a fine lsass error and shutdown.
| This already cost me 10 hours of work, in vain! (except by staying local, off the Internet
|
| I could work in user mode but it creates some problems for my applications
| accessing ini files.
|
| When the problem occurs there is no better way to work than switching off
| your PC and working locally without an Internet connection. But the trojans are
| always there.
|
| I use what is said to be one of the best anti-virus, PCTools Spyware Doctor. It
| only sees them once they are modified or have modified your system. It cannot see
| them under attack (downloading) or just after the copy of its files onto your local HD.
| No better for AntiSpyware Beta from Microsoft or its Anti-malware, and
| BitDefender doesn't see many things. Of course all these versions ran with the
| latest updates.
|
| So what to do, except buying a new HD and benefiting from a larger capacity?
|
| I have also questioned the PCTools support team with the hope of getting a fix.
| Does someone have an idea how to remove these trojans?
|
| Thanks
| Thierry
|

< French snipped >

Trojans don't "attack". They only get installed based upon actions by the PC user or
software installed by a PC user. In the case of the URL you posted, it certainly was a
malware site and McAfee caught the following trying to be installed...

9/25/2005 8:19:54 AM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\index[1].htm Downloader-AEH
9/25/2005 8:19:56 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\ysb_regular[1].cab\YSB_REGULAR[1].CAB Adware-ISTbar
9/25/2005 8:20:09 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\pcs_0002[1].exe\PCS_0002[1].EXE Downloader-AAI

Downloader-AEH, Adware-ISTbar and Downloader-AAI

That's two Downloader Trojans and adware, none of which will survive a reformat. It is
possible that one of the Downloader Trojans might download a Boot Sector Infector that will
survive a reformat, but it is doubtful.

How you initially got to hxxp://217.170.4.137/_vti_bin/index.html I don't know, but you
may have accidentally re-infected yourself when re-installing software.

If you are connected to the Internet via broadband, I suggest a Cable/DSL Router such as the
Linksys BEFSR41. I also suggest blocking TCP and UDP ports 135 ~ 139 and 445 on said
Router.

After you install the Router, I suggest wiping the computer once more and reinstalling the
OS. Pay careful attention to what you install and what sites you go to, and use a *better* AV
software such as Kaspersky or NOD32 and make sure it is set to an aggressive mode.

BTW: PC Tools is NOT one of the best AV applications.
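As an added illustration (not code posted in this thread), the Python below parses the three McAfee on-access log records quoted above, splits the nested archive paths into on-disk container and inner member, and lists the detections the scanner reported as "Delete failed (Clean failed)", i.e. still sitting in the IE cache. The only assumption beyond the quoted lines is that the action field contains just letters, spaces and parentheses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three records quoted in the post above (McAfee on-access scanner log),
# re-joined onto one line each. Field order: date, time, action,
# MACHINE\user, full path of the detected object, detection name.
SAMPLE_LOG = r"""
9/25/2005 8:19:54 AM Deleted DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\index[1].htm Downloader-AEH
9/25/2005 8:19:56 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\ysb_regular[1].cab\YSB_REGULAR[1].CAB Adware-ISTbar
9/25/2005 8:20:09 AM Delete failed (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\pcs_0002[1].exe\PCS_0002[1].EXE Downloader-AAI
"""

# Assumption: the action field holds only letters, spaces and parentheses
# ("Deleted", "Delete failed (Clean failed)"); the MACHINE\user token and the
# drive letter then anchor the variable-width fields on either side of it.
RECORD_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<action>[A-Za-z][A-Za-z ()]*?)\s+"
    r"(?P<user>[^\s\\]+\\[^\s\\]+)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>\S+)$"
)

# Containers the scanner reports as "outer.cab\INNER" when it looks inside.
ARCHIVE_EXTS = (".cab", ".zip", ".exe")


def split_container(path: str) -> Tuple[str, Optional[str]]:
    """Return (on-disk container path, member inside it or None)."""
    parts = path.split("\\")
    for i, part in enumerate(parts[:-1]):
        if part.lower().endswith(ARCHIVE_EXTS):
            return "\\".join(parts[: i + 1]), "\\".join(parts[i + 1 :])
    return path, None


@dataclass
class Detection:
    date: str
    time: str
    action: str
    user: str
    path: str
    detection: str

    @property
    def failed(self) -> bool:
        # "Delete failed (Clean failed)" means the object is still on disk.
        return "failed" in self.action.lower()

    @property
    def family(self) -> str:
        name = self.detection.lower()
        if name.startswith("downloader-"):
            return "trojan downloader"
        if name.startswith("adware-"):
            return "adware"
        return "other"

    @property
    def location(self) -> Tuple[str, Optional[str]]:
        return split_container(self.path)


def parse_log(text: str) -> List[Detection]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        records.append(Detection(**m.groupdict()))
    return records


def summarize(records: List[Detection]) -> Tuple[Dict[str, int], List[str]]:
    """Count detections per family and list those the scanner failed to remove."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.family] = counts.get(r.family, 0) + 1
    unresolved = [r.detection for r in records if r.failed]
    return counts, unresolved


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r.date, r.time, r.detection, "FAILED" if r.failed else "ok", r.location)
    print(summarize(recs))
```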
 
Thierry

| | I use what is said to be one of the best anti-virus, PCTools Spyware Doctor.
|
| Sorry, that's not an antivirus.

Mmm... But it works, except this time.
Will try some others.

| BitDefender at least is an antivirus.

Maybe, but it detects fewer viruses than PCTools.

| | I have also questioned the PCTools support team with the hope of getting a fix.
|
| That's useless.

Mmm. OK. Some money spared.

| Do you have an external firewall/router? If not, did you keep a copy of
| your favorite personal firewall on CD and install it right after
| reinstalling Windows and before going on line? Do you have other
| drives and/or partitions that may be infected by a virus?

I have had the problem since I installed a driver from a CD (containing a
handful of drivers provided by the manufacturer, thus clean in theory; I will
recheck).

| Anyway, here's a link to an AV scanner which uses the Kaspersky scan
| engine:
|
| http://www.claymania.com/KASFX.EXE

I am going to try it. Seems to work fine.
If it appears to solve the problem and is regularly updated I will buy it.

Thanks
Thierry
 
Art

| Mmm... But it works, except this time.
| Will try some others.

For spyware and adware I suggest Spybot and Ad-Aware. They
are free and quite good.

| Maybe, but it detects fewer viruses than PCTools.

No. You're confusing viruses (replicative malware) with
non-replicative malware. You got hit with a Trojan, not a virus.

| I have had the problem since I installed a driver from a CD (containing a
| handful of drivers provided by the manufacturer, thus clean in theory; I will
| recheck).

Use the Kaspersky scanner I recommended. You can also upload suspect
files for scanning here:

http://www.virustotal.com/flash/index_en.html

where many antivirus products will scan the samples.

| I am going to try it. Seems to work fine.
| If it appears to solve the problem and is regularly updated I will buy it.

You can't do better than Kaspersky or one of the products that use its
scan engine. And also use the scanners I mentioned above. And avoid
using IE as much as possible.

Let us know how you make out.

Art

http://home.epix.net/~artnpeg
 
Shane

Art said:
| This site attempts to install and run an EXE file that KAV detects as
| Trojan-Downloader.Win32.IstBar.lu
|
| IE users may take hits automatically via ActiveX or scripting.
| Alternate browser users may see a message saying a plugin is
| required to view the site. Never allow web sites to install plugins.

Funny, that, Art. You wondered why I bother to use IE-Spyad and stuff to
'fix' IE. I was going to mention this with regard to another post in which
you say to use another browser to stop ads. Using IE-Spyad - which puts
known advertising and other dodgy sites in the Restricted Zone - along with
setting the Restricted Zone's settings to the most restrictive, does deal with
most website ads, pop-ups etc. Basically it doesn't stop Flash ads (but
Spywareblaster gives a quick way to disable Flash - as does IE6 SP2 for XP
users). I keep Flash enabled in Firefox so's I can watch Weebl and Bob.

Along with the above, install the IE5 PowerToys, which enable a site to be
added to the Restricted or Trusted Zone with two clicks. So for instance you go
to a site with annoying javascripted behaviour, do Tools | Add to Restricted
Zone, hit refresh and shazam! no more new windows opening up unbidden etc.
Of course, the best way is to also put the Internet Zone settings to maximum
restriction; then the only sites that can run javascript, ActiveX etc. are
those in the Trusted Zone.

Anyhow, the reason I'm posting now is I went to
http://217.170.4.137/_vti_bin/index.html to download the trojan, only it's
already in Restricted Sites, so nothing happens. Presumably this domain is
known of and in IE-Spyad and/or Spywareblaster's database already (or Mike
Burgess's HOSTS file, which I've started using again of late).

Basically, again referring to the other thread, no real reason to use
proxomitron *if you must use IE*. Just set it up the way it can be.


Shane
 
Shane

| Anyhow, the reason I'm posting now is I went to
| http://217.170.4.137/_vti_bin/index.html to download the trojan, only
| it's already in Restricted Sites, so nothing happens. Presumably this
| domain is known of and in IE-Spyad and/or Spywareblaster's database
| already (or Mike Burgess's HOSTS file, which I've started using again
| of late).

Well, obviously it *is* in at least one of the first two. If the trojan
downloads from a different address, maybe *that* is in the HOSTS file,
though there's almost no chance of it getting that far with
http://217.170.4.137 in Restricted Zone!


Shane
 
Art

| Funny, that, Art. You wondered why I bother to use IE-Spyad and stuff to
| 'fix' IE.

Yes, I continue to wonder since all that junk isn't necessary if you
use a decent browser.

| I was going to mention this with regard to another post in which
| you say to use another browser to stop ads. Using IE-Spyad - which puts
| known advertising and other dodgy sites in the Restricted Zone - along with
| setting the Restricted Zone's settings to the most restrictive, does deal with
| most website ads, pop-ups etc. Basically it doesn't stop Flash ads (but
| Spywareblaster gives a quick way to disable Flash - as does IE6 SP2 for XP
| users). I keep Flash enabled in Firefox so's I can watch Weebl and Bob.
| Along with the above, install the IE5 PowerToys, which enable a site to be
| added to the Restricted or Trusted Zone with two clicks. So for instance you go
| to a site with annoying javascripted behaviour, do Tools | Add to Restricted
| Zone, hit refresh and shazam! no more new windows opening up unbidden etc.
| Of course, the best way is to also put the Internet Zone settings to maximum
| restriction; then the only sites that can run javascript, ActiveX etc. are
| those in the Trusted Zone.

Consider the audience as well. Average users aren't going to go the
lengths you go to or sponge goes to with his Kerio IP blocking and all
the endless shit I quit looking at years ago and gave up on since none
of it is necessary. It's all just a bunch of shit :)

| Anyhow, the reason I'm posting now is I went to
| http://217.170.4.137/_vti_bin/index.html to download the trojan, only it's
| already in Restricted Sites, so nothing happens. Presumably this domain is
| known of and in IE-Spyad and/or Spywareblaster's database already (or Mike
| Burgess's HOSTS file, which I've started using again of late).
|
| Basically, again referring to the other thread, no real reason to use
| proxomitron *if you must use IE*. Just set it up the way it can be.

Proxo is one "piece of shit" that I use even with the Gecko based
browsers and Opera since it cleans out ads :)

Art

http://home.epix.net/~artnpeg
 
Thierry

I finally had the last word with this IstBar trojan and other Alexa after... 3
days of fight!
I ran XP in safe mode and ran Spybot. It had problems with several records
(hanging) and refused to delete some infected files due to a so-called lack
of a dll.
I retried several times until I was able to delete a trojan Alexa.
But here also KAV didn't see anything wrong on my PC and I was still unable
to access the Microsoft Update site.
So I relaunched the PC in normal mode with the risk of being infected (KAV was
still running).
I connected for a few minutes to the MS website, then the Internet sessions
hung, the virus having placed earlier some commands to prevent any
downloading. Reported by Spybot (but unable to remove them):
Windows.Security.center, followed with commands such as: FirewallOverride,
SP2Upgrade, Antivirus disable notify, update disable notify, etc.
For KAV all was safe!
So I continued to force the Windows upgrade or Microsoft upgrade or even
clicking on the small icon in my task bar until, step by step, I had installed
all fixes (at first 1, then it hung, then 3, then it still hung, then all
12 without hanging, then SP2 without hanging).
Now all security fixes are installed, I have no more lsass shutdown (until
now) and I will see what a cable modem router costs and if it is easy to
configure to prevent any future attack.

Thierry

 
Thierry

Incredible, I only got an answer from PCTools 4 days after having been under
attack by ActiveX trojans... and having sent them 2 mails (via their website and
via my email system) with "alert.." in the subject.

Their answer is simply:
"We sincerely apologize for not being able to respond to your request in a
more timely manner. Please be assured that your business is valued and that
we have been endeavoring to answer your questions as soon as we can.
In order to help resolve this issue I have escalated your query to a
Technical Support Representative."

But worse, they cannot even suggest me any operation to solve the problem:
"At this stage it is not possible to give a precise time frame regarding a
resolution for your problem. Due to the fact new variants of spyware/adware
are released to the internet everyday it may take some days to research
which variant you have and the most applicable resolution. A Technical
Support Representative will be addressing your request as a matter of high
priority".

Completely irresponsible and useless. I also took my responsibilities.

Thierry
 
David H. Lipman

From: "Thierry" <->

| Incredible, I only got an answer from PCTools 4 days after having been under
| attack by ActiveX trojans... and having sent them 2 mails (via their website and
| via my email system) with "alert.." in the subject.
|
| Their answer is simply:
| "We sincerely apologize for not being able to respond to your request in a
| more timely manner. Please be assured that your business is valued and that
| we have been endeavoring to answer your questions as soon as we can.
| In order to help resolve this issue I have escalated your query to a
| Technical Support Representative."
|
| But worse, they cannot even suggest me any operation to solve the problem:
| "At this stage it is not possible to give a precise time frame regarding a
| resolution for your problem. Due to the fact new variants of spyware/adware
| are released to the internet everyday it may take some days to research
| which variant you have and the most applicable resolution. A Technical
| Support Representative will be addressing your request as a matter of high
| priority".
|
| Completely irresponsible and useless. I also took my responsibilities.
|
| Thierry
|

As I have said before in other threads, PC Tools is junk.
 
