help with 2 trojan viruses

Mr.Vampy

Hi,

My friend has just discovered 2 trojan viruses on his PC, "troj_small.go"
and "troj_small.x" and is unable to remove them. He said his computer was
slowing down and getting a little sluggish recently, so he used a
scanner/program called "Housecall". At first it found 14 infected files,
but he managed to remove 12 of them. The program says it cannot gain access
to the other two. The locations are as follows:

c:\Program Files\Lycos\IEagent\Loader.exe
c:\Windows\system\wininet.exe

I am not sure how damaging and destructive these trojans are, but any
info/advice on how I can help him remove them would be greatly appreciated.
BTW, his computer's OS is Windows XP.

Thanks

mr_vampy
 
null

Hi,

My friend has just discovered 2 trojan viruses on his PC, "troj_small.go"
and "troj_small.x" and is unable to remove them. He said his computer was
slowing down and getting a little sluggish recently, so he used a
scanner/program called "Housecall". At first it found 14 infected files,
but he managed to remove 12 of them. The program says it cannot gain access
to the other two. The locations are as follows:

c:\Program Files\Lycos\IEagent\Loader.exe
c:\Windows\system\wininet.exe

I am not sure how damaging and destructive these trojans are, but any
info/advice on how I can help him remove them would be greatly appreciated.
BTW, his computer's OS is Windows XP.

Did you try deleting them in Safe Mode?


Art
http://www.epix.net/~artnpeg
 
snailmail(valid)222000

Did you try deleting them in Safe Mode?


Art
http://www.epix.net/~artnpeg

Without disabling the services Windows leaves open and at least
installing a firewall before you put your computer on the Internet,
nothing you use is going to help from a Trojan Horse grabbing control of
your computer. You have to learn how to secure Windows, your browser,
e-mail, Active X and Java for starters to learn how to keep your
computer secure. Hell, my anti-virus application hasn't been updated for
a year and the hackers who would love to bust my computer have not
gotten to me yet.

Tracker
 
Spacen Jasset

c:\Program Files\Lycos\IEagent\Loader.exe
c:\Windows\system\wininet.exe

Cut and paste these files to another folder - like c:\temp for example. Then
reboot your pc, you will be able to delete them afterwards.
 
FromTheRafters

Mr.Vampy said:
Hi,

My friend has just discovered 2 trojan viruses on his PC, "troj_small.go"
and "troj_small.x" and is unable to remove them. He said his computer was
slowing down and getting a little sluggish recently, so he used a
scanner/program called "Housecall". At first it found 14 infected files,
but he managed to remove 12 of them. The program says it cannot gain access
to the other two. The locations are as follows:

c:\Program Files\Lycos\IEagent\Loader.exe
c:\Windows\system\wininet.exe

I am not sure how damaging and destructive these trojans are, but any
info/advice on how I can help him remove them would be greatly appreciated.
BTW, his computer's OS is Windows XP.

Sorry if this isn't helpful, but are you sure it is wise to trust a single AV
to determine that certain files should be deleted? If I were you (or he),
I would get second or even third opinions before deleting files and
possibly crippling the system.
 
Spacen Jasset

....
Sorry if this isn't helpful, but are you sure it is wise to trust a single AV
to determine that certain files should be deleted? If I were you (or he),
I would get second or even third opinions before deleting files and
possibly crippling the system.

Yes quite so. Instead then, if you feel the need, move them to c:\temp and
leave them there. wininet is usually a dll file.

I was working on the premise that the OS would still boot if you moved them,
so if they were "important" you could move them back.

Kaspersky seem very quick to identify samples, perhaps submitting the files
there and waiting would be best.
 
null

Sorry if this isn't helpful, but are you sure it is wise to trust a single AV
to determine that certain files should be deleted? If I were you (or he),
I would get second or even third opinions before deleting files and
possibly crippling the system.

Except in this case, you can Google up info on the files and find that
they are associated only with malware.


Art
http://www.epix.net/~artnpeg
 
Gabriele Neukam

On that special day, FromTheRafters, ([email protected]) said...
Sorry if this isn't helpful, but are you sure it is wise to trust a single AV
to determine that certain files should be deleted?

In this case, I would say yes, as this download/installer trojan seems
to be real and quite active. I saw it mentioned in this and the acv
groups already, and it seems to make use of a flaw in Windows, so that
looking at the infectious web page will put it on the hard disk and
activate it.

As Art said, the friend of the poster should try and delete it in safe
mode. And update the operating system ASAP.

http://www.microsoft.com/germany/ms/technetservicedesk/bulletin/bulletinMS04-011.htm (one line)

I don't know exactly, but it may be that the trojan abuses this
vulnerability in the "secure" data transfer from web sites. Just a wild
guess, tho.


Gabriele Neukam

(e-mail address removed)
 
FromTheRafters

Except in this case, you can Google up info on the files and find that
they are associated only with malware.

I haven't read up on it yet, but does that go also for the other
twelve files that were deleted on the say-so of a single scan?
 
FromTheRafters

Gabriele Neukam said:
On that special day, FromTheRafters, ([email protected]) said...



In this case, I would say yes, as this download/installer trojan seems
to be real and quite active.

No argument on that score, but I think it is not a wise
practice in general.

I saw it mentioned in this and the acv
groups already, and it seems to make use of a flaw in Windows, so that
looking at the infectious web page will put it on the hard disk and
activate it.

Is it that ms-its thing?

As Art said, the friend of the poster should try and delete it in safe
mode. And update the operating system ASAP.

http://www.microsoft.com/germany/ms/technetservicedesk/bulletin/bulletinMS04-011.htm (one line)

I will check that out, thanks.

I don't know exactly, but it may be that the trojan abuses this
vulnerability in the "secure" data transfer from web sites. Just a wild
guess, tho.

Thanks for the info.

Are there always 14 files associated with it?
 
Mr.Vampy

Thanks to all the replies. I spoke to him again this morning, and
apparently he doesn't have an antivirus program installed on his PC, though
I'm sure after we get thru this, he will. He used an online virus scanner
called "Housecall" and that's when he discovered he had the 14 viruses. The
program managed to remove 12 of them, but as to what type of viruses they
were he doesn't know.
I've asked him to run a trojan scanner and see if that comes up with the
same results, before we start trying the solutions that you guys have
suggested.
I'll see how it goes and get back to you guys and let you know how it will go
on.
By the way, what do you recommend to be the best antivirus software out at
the moment? I myself use AVG and beside it use Zone Alarm, and so far,
touch wood, have no problems.
Thanks again

mr-vampy
 
null

Thanks to all the replies. I spoke to him again this morning, and
apparently he doesn't have an antivirus program installed on his PC, though
I'm sure after we get thru this, he will. He used an online virus scanner
called "Housecall" and that's when he discovered he had the 14 viruses. The
program managed to remove 12 of them, but as to what type of viruses they
were he doesn't know.
I've asked him to run a trojan scanner and see if that comes up with the
same results, before we start trying the solutions that you guys have
suggested.
I'll see how it goes and get back to you guys and let you know how it will go
on.
By the way, what do you recommend to be the best antivirus software out at
the moment? I myself use AVG and beside it use Zone Alarm, and so far,
touch wood, have no problems.

KAV or F-Secure which uses the KAV scan engine.

Thanks again

It's a fun topic :)


Art
http://www.epix.net/~artnpeg
 
Mr.Vampy

Just wanted to update you guys with the 2 trojans that were discovered on my
friend's computer. I finally got the chance to look at his PC and to my
horror it had more viruses/trojans on it:

troj.small x
troj.small go
troj.downloader
troj.deepsky
troj.bispy
win.exe virus
troj.muldrop
troj.click
troj.startpage
troj.starpi
win32.hllw.raleka
vbs.startpage
worm.nachi.b
troj.stilen
troj.revop

I don't even know where to begin to help him. I tried to run the online
trojan scan, but it seems one of the viruses/trojans wouldn't allow us access
to the site.
My friend wanted to know if a fresh install of Windows XP will get rid of
them. Any advice or info would be greatly appreciated.

mr-vampy
 
Heather

Mr.Vampy said:
Just wanted to update you guys with the 2 trojans that were discovered on my
friend's computer. I finally got the chance to look at his PC and to my
horror it had more viruses/trojans on it:

troj.small x
troj.small go
troj.downloader
troj.deepsky
troj.bispy
win.exe virus
troj.muldrop
troj.click
troj.startpage
troj.starpi
win32.hllw.raleka
vbs.startpage
worm.nachi.b
troj.stilen
troj.revop

I don't even know where to begin to help him. I tried to run the online
trojan scan, but it seems one of the viruses/trojans wouldn't allow us access
to the site.
My friend wanted to know if a fresh install of Windows XP will get rid of
them. Any advice or info would be greatly appreciated.

I cleaned up my neighbours XP last weekend. He had about 12 trojans on it.
Download the 30 day trial of The Cleaner from Moosoft.....it found and
deleted all but one.

I also used AdAware (115), CWS, and his AVG.......and went into Startup and
Windows Explorer to get rid of junk. He had KaZaa on there as
well......removed it. In fact, I hit it with every anti-malware proggie I
could think of.

Reason he got them? I checked Startup and neither Zone Alarm nor AVG (which
I put on there last summer) were ticked off. So someone was playing stupid
games with that computer. He blamed the boarder, but someone had to disable
them at Startup. I then threatened to 'break his fingers' if he changed it
(G).

But The Cleaner did a bang-up job.

Cheers....Heather
 
James Egan

I checked Startup and neither Zone Alarm nor AVG (which
I put on there last summer) were ticked off. So someone was playing stupid
games with that computer. He blamed the boarder, but someone had to disable
them at Startup.

It's quite feasible that one of the trojans closed down the firewall
and the AV. Don't blame the boarder.


Jim.
 
Heather

James Egan said:
It's quite feasible that one of the trojans closed down the firewall
and the AV. Don't blame the boarder.

True, Jim. But Dad was blaming the boarder who had by this time left.....he
said every time he came downstairs to the computer that Zone Alarm was not
on.....that the boarder said it slowed down the computer. I was going by
that assertion.

But how he found the trojan was by turning on AVG and running it (albeit, an
out of date one).....so it was working. As was Zone Alarm when I put it
back on.

Mystery, eh? I think somehow someone in that house (3 males) decided to
take it out of startup from within the program. Just guessing. So if a
trojan disables your firewall or antivirus proggie, would you be able to
double click on it and turn it on? Just wondering.

Cheers....Heather
 
me

Heather said:
True, Jim. But Dad was blaming the boarder who had by this time left.....he
said every time he came downstairs to the computer that Zone Alarm was not
on.....that the boarder said it slowed down the computer. I was going by
that assertion.

But how he found the trojan was by turning on AVG and running it (albeit, an
out of date one).....so it was working. As was Zone Alarm when I put it
back on.

Mystery, eh? I think somehow someone in that house (3 males) decided to
take it out of startup from within the program. Just guessing. So if a
trojan disables your firewall or antivirus proggie, would you be able to
double click on it and turn it on? Just wondering.

Cheers....Heather

Hi Heather,

If by "it" you mean ZA or AV, maybe yes, maybe not, depending on
the malware. A running malware might be checking active tasks
every 'x' sec's and terminate ZA / AV / whatever.

J
 
Heather

Hi Heather,

If by "it" you mean ZA or AV, maybe yes, maybe not, depending on
the malware. A running malware might be checking active tasks
every 'x' sec's and terminate ZA / AV / whatever.

Hi J......

Yes, that is what I was wondering. *Dad* knows nothing at all about
computers, but he repeatedly told me that someone kept turning ZA off. I
found that he had not updated AVG recently, but it wasn't all that out of
date....but AdAware was and I found 115 pests.....

AVG indicated one trojan which was why he called me. I found numerous
ones......at least 8 conservatively. So what I was asking is if these
trojans were to disable AVG or ZA....how come he and I could use these
programs?? Just wanted to clear that up. Had a devil of a time getting rid
of one particular piece of malware, but can't remember the name. The
folders were all sitting there nicely, grin.....in Windows Explorer.

I have yet another neighbour who is more computer literate....he also said
he never has ZA on because it slows his Win98SE down. I just plain don't
believe that or buy it. I have used it for some 7 years. I had to get a
trojan off his computer as well.....but he just followed my instructions and
did it himself.

Cheers.....Heather
 
James Egan

AVG indicated one trojan which was why he called me. I found numerous
ones......at least 8 conservatively. So what I was asking is if these
trojans were to disable AVG or ZA....how come he and I could use these
programs?? Just wanted to clear that up. Had a devil of a time getting rid
of one particular piece of malware, but can't remember the name. The
folders were all sitting there nicely, grin.....in Windows Explorer.

In a simple form, a program might just check once or occasionally for
a process called zonealarm and on finding it zap it with a wm_destroy
signal. Even I could write that one! lol.

You would be able to start it up again manually and the malware might
check and close it down again some time later.

I suspect most firewall zapping malware these days is a tad more
sophisticated, though.

I have yet another neighbour who is more computer literate....he also said
he never has ZA on because it slows his Win98SE down. I just plain don't
believe that or buy it. I have used it for some 7 years. I had to get a
trojan off his computer as well.....but he just followed my instructions and
did it himself.

I used to run zapro on win98se too but it became more trouble than its
(very limited) worth. I have to agree with him.


Jim.
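
The pattern discussed in the last few posts (a firewall or AV process that can be restarted by hand but keeps getting closed again) can be told apart from a one-off manual shutdown by comparing periodic process-list snapshots. The following is an added example, not part of the thread; the snapshot data is constructed and the process names `zonealarm.exe`, `avgcc.exe` and `unknown_app.exe` are hypothetical placeholders.

```python
# Constructed sample data: (timestamp, names of running processes), as might be
# produced by a scheduled task that records the process list once a minute.
SNAPSHOTS = [
    ("10:00", {"explorer.exe", "zonealarm.exe", "avgcc.exe", "unknown_app.exe"}),
    ("10:01", {"explorer.exe", "avgcc.exe", "unknown_app.exe"}),
    ("10:02", {"explorer.exe", "zonealarm.exe", "avgcc.exe", "unknown_app.exe"}),
    ("10:03", {"explorer.exe", "zonealarm.exe", "avgcc.exe", "unknown_app.exe"}),
    ("10:04", {"explorer.exe", "avgcc.exe", "unknown_app.exe"}),
    ("10:05", {"explorer.exe", "avgcc.exe", "unknown_app.exe", "notepad.exe"}),
]

def stop_events(snapshots, name):
    """Timestamps at which `name` was running in one snapshot and gone in the next."""
    events = []
    for (_, before), (ts, after) in zip(snapshots, snapshots[1:]):
        if name in before and name not in after:
            events.append(ts)
    return events

def triage(snapshots, watched, baseline, min_stops=2):
    """Flag watched processes that stopped repeatedly and list what ran at every stop."""
    by_time = dict(snapshots)
    report = {}
    for name in watched:
        stops = stop_events(snapshots, name)
        if not stops or len(stops) < min_stops:
            continue  # a single stop is consistent with someone closing it once
        # Processes present at every moment the watched process vanished, minus
        # the watched set and a known-good baseline. Presence is only a
        # correlation: these are candidates to inspect, not a verdict.
        present = set.intersection(*(by_time[ts] for ts in stops))
        report[name] = {
            "stops": stops,
            "inspect": sorted(present - set(watched) - set(baseline)),
        }
    return report

if __name__ == "__main__":
    print(triage(SNAPSHOTS, ["zonealarm.exe", "avgcc.exe"], {"explorer.exe"}))
```
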
 
