Problem with manual removal of Cain and Keenval and other questions

stewbop

I posted this subject earlier today, but 9 hours later, it hasn't shown
up in the group. I'll try again.

I have a relative who is having problems with a computer. The antivirus
software detected two problems; HackTool.Win32.Cain.a and
TrojanDownloader.Win32.Keenval.e

I found what appeared to be helpful instructions at the Pest Patrol
site. I copied them down and we attempted it last night, but couldn't get
through the first step. It said (for each pest) to Kill certain files
using Task Manager. Well, we got into Task Manager and Processes fine,
but didn't see the files they listed.

From other research, it appears that the filenames themselves won't be
listed, and you have to shut down whatever process the pest is using.
But how do we find that out? Is there something in the AV report that
would tip us off? It said the Cain pest was found in Documents and
Settings\[username]\MyDocuments\cain25b56.exe/WISE0023.BIN and Keenval
was found in web/wallpaper/APImages/[imagename]/incredfind.exe/data0003
and data0004 (some slashes in the Keenval address might be reversed).
In both cases, the AV said it couldn't disinfect the pest because it was
in an area that was closed off.


When I was there, it also found TrojanDownloader.Win32.IstBar.gen in
\Content.IE5\80SBC4WF\0006_regular[1].cab/istactivex.dll but it didn't
show up in the later scan which found Keenval.

Also, will we have similar trouble finding the files in the "Remove"
step of the Pest Patrol instructions?

He has Windows XP Home (I think), and has a cable connection. One other
note on this subject: while poking around last night, with the cable
modem shut off (and not in IE), I was able to find a file named cain in
the folder listed above, right-click on it, and delete it. It wasn't
there the next time we checked. Did we get lucky and accidentally remove
it? I'd still like the information on dealing with it, along with the
other pests.

The other problem he's been having is with restarts. Sometimes, when he
shuts down the computer, it will restart before it finishes. When it
does shut down, it seems to stick on the "shutting down windows/ saving
settings" (or whatever it is) screen for a bit before finishing. When it
doesn't shut down, it will often skip the windows screen entirely, going
to monitor shutdown, then restarting. I did notice when we ran AdAware
just before shutdown, it seemed to work, albeit slowly as described
above. He also reported an occasional slowdown or temporary freeze while
online.

Also, when looking through the help files (and not connected to the
net), we had problems trying to do a couple of things. A search wouldn't
work, saying a file it needed to run was missing. Coupled with the above
problems, is it a good guess that the operating system is corrupted?
What would be the best way to correct it? System restore?
Reinstall/repair from boot disk? Reformat hard drive and reinstall
altogether? And on the subject of reformatting, is it hard to do? I
thought I saw another topic where someone said you could do it from the
boot disk?

Sorry if some of these questions seem basic, but the computer owner is a
novice who has difficulty understanding some technical things, and I
don't own a computer, and rarely get access to one, so we're both in the
dark on most things until we encounter them and get a solution
somewhere. Thanks in advance for any help. I hope my message gets posted
this time, as things are getting a bit desperate. (I was hoping to be
reading solutions by now.) It's impossible for anyone to answer
questions they don't see.

Brian
 
David H. Lipman

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus


1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (personal free version)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt194.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point
10) Please report back your results

Dave






 
Rock

Run these programs to check for spyware/malware. After installing,
update them, then boot into safe mode and run them. You should update
and run them weekly.

Cwshredder
http://aumha.org/freeware/freeware.php#cwshred

Ad-aware SE
http://www.lavasoftusa.com

Spybot Search and Destroy
http://www.safer-networking.org

Bazooka Adware and Spyware Scanner
http://download.com.com/3000-2144-10247783.html

Pest Patrol Free Pest Scanner
http://www.pestscan.com/ScanOrTrial.asp

If you’re still having problems after running these then run HijackThis
and post the log to one of the specialty forums, _NOT_ this one.

HijackThis
http://www.majorgeeks.com/download.php?det=3155

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/

After your system is clean use these programs to help keep it clean:

Spywareblaster
www.javacoolsoftware.com/sbdownload.html

Spywareguard
http://www.javacoolsoftware.com/sgdownload.html

IE-SPYAD
http://www.staff.uiuc.edu/~ehowes/resource.htm
 
