Recovering from a Trojan

Frog

Windows XP SP3

Here is a long story that I hope I can keep short. On April 29, there
suddenly appeared on screen a window that indicated that some form of a
virus or malware was present on my system and wanted to know whether it
was okay to scan for this critter(s). Since I did not recognize the
window and had learned from earlier newsgroup exchanges that such could
be dangerous, I attempted to click this window of the system...it would
not let me take that action. I then turned the system off from the Start
button. That seemed to make everything work as normal. The next
morning, I received a message from my CA Anti Virus software that it had
deleted two trojan items from my system. The two items were:

4/30/2009 0:08:11 AM File Infection: C:\Documents and
Settings\Frog\Local Settings\Application
Data\Mozilla\Profiles\Frog-SeaM\Cache\4160AC69d01 is Win32/FakeAlert.AHW
trojan. Deleted
4/30/2009 0:08:11 AM File Infection:
C:\Docume~1\Frog~1\Locals~1\Temp\omfa4cOp.exe is Win32/FakeAlert.AHW
trojan. Deleted

Well, as soon as this happened, I did a complete virus scan of my
system---nothing found. I next did a complete Malwarebytes' scan of my
system---nothing was found. I then did a complete Windows Defender scan
of my system---nothing was found. I next did a disk clean-up, deleting
all temp files, and removed everything from the recycle bin. I also did
an sfc /scannow, CHKDSK C: /F /R, and a defrag. My system continues at
this point to be acting normal.

Today, I decided to see what, if anything, is being reflected in the Event
Viewer. New things are appearing in this log as follows:

Application (the same entry has appeared three times since April 30)
Type...Date...Time...Source...Category...Event...User...Computer
Error...5/1/2009...2:00:02 PM...MPSampleSubmission...None...5000...N/A...Frog-ADF6F864
Description: Event Type mptelemetry, P1 8024400e, P2 endsearch, P3
search, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows
defender, P8 NIL, P9 NIL, P10 NIL.

System (the same entry has appeared 31 times since April 30)
Type...Date...Time...Source...Category...Event...User...Computer
Warning...5/2/2009...9:34:47 AM...WinDefend...None...3004...N/A...Frog-ADF6F864
Description: Windows Defender Real-Time Protection agent has detected
changes. Microsoft recommends you analyze the software that made these
changes for potential risks. You can use information about how these
programs operate to choose whether to allow them to run or remove them
from your computer. Allow changes only if you trust the program or the
software publisher. Windows Defender can't undo changes that you allow.

The bottom line---the only software change that was made to my system in
recent times involved updates...upgrading to Internet Explorer 8, CA
Anti Virus updates, Malwarebytes' software updates, and Windows Defender
updates. Thus, I don't have a clue as to what software changes were
made that caused problems with Windows Defender.

Well, there is my situation (please let me know if I need to provide any
additional information). Do I need to take any action regarding the
above? If so, in easy to understand guidance, what action should I
take? Is there something in the firewall that needs to be checked in
order to prevent unwanted things like the Trojan items from getting on
my system?

Thanks in advance for anything sent my way.


Frog
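The two anti-virus lines and the two Event Viewer rows in the post above are enough to do a first triage by hand, but the same checks are easy to automate when a machine keeps reporting the same thing day after day. The script below is an added example, not something posted in the thread or shipped by CA or Microsoft: it parses log lines in the exact shapes shown above, buckets each detection by where on an XP profile the file landed (browser cache, user Temp, system directory), flags threat names that were "removed" on more than one date (which means the thing dropping them is still present), and counts Event Viewer rows per source and event ID. The sample data is constructed: the first two CA lines are the ones posted, the third is a repeat on the following day that stands in for the "same two items removed every morning" report later in the thread, and the event rows are the two posted plus one extra 3004. It assumes Python 3 on an analyst's machine, not on the XP box itself.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input. Lines 1-2 are the CA Anti-Virus lines as posted;
# line 3 is an added next-day repeat of the Temp dropper.
AV_LOG = r"""
4/30/2009 0:08:11 AM File Infection: C:\Documents and Settings\Frog\Local Settings\Application Data\Mozilla\Profiles\Frog-SeaM\Cache\4160AC69d01 is Win32/FakeAlert.AHW trojan. Deleted
4/30/2009 0:08:11 AM File Infection: C:\Docume~1\Frog~1\Locals~1\Temp\omfa4cOp.exe is Win32/FakeAlert.AHW trojan. Deleted
5/1/2009 0:07:55 AM File Infection: C:\Docume~1\Frog~1\Locals~1\Temp\omfa4cOp.exe is Win32/FakeAlert.AHW trojan. Deleted
"""

# Constructed sample input: Event Viewer rows in the "..."-separated layout
# of the post, one row per line, plus one extra WinDefend 3004 repeat.
EVENT_LOG = """
Error...5/1/2009...2:00:02 PM...MPSampleSubmission...None...5000...N/A...Frog-ADF6F864
Warning...5/2/2009...9:34:47 AM...WinDefend...None...3004...N/A...Frog-ADF6F864
Warning...5/2/2009...9:41:10 AM...WinDefend...None...3004...N/A...Frog-ADF6F864
"""

AV_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"File Infection: (?P<path>.+?) is (?P<threat>\S+) trojan\. (?P<action>\w+)$"
)
EVENT_FIELDS = ("type", "date", "time", "source", "category", "event", "user", "computer")
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd")


def parse_av_log(text):
    """Return one dict per 'File Infection' line; any other line is ignored."""
    records = []
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def classify_path(path):
    """Bucket a detection path by where on an XP profile it landed."""
    p = path.lower().replace("/", "\\")
    if "\\cache\\" in p or "\\temporary internet files\\" in p:
        return "browser-cache"
    if "\\temp\\" in p:
        return "user-temp"
    if "\\windows\\" in p or "\\winnt\\" in p:
        return "system"
    return "other"


def recurring_threats(records):
    """Threat names deleted on more than one distinct date: the payload is
    being removed but whatever drops it is still around."""
    dates = defaultdict(set)
    for r in records:
        dates[r["threat"]].add(r["date"])
    return sorted(t for t, d in dates.items() if len(d) > 1)


def dropped_executables(records):
    """Detections that are executables by extension (what actually ran),
    as opposed to the cached download they came from."""
    return [r["path"] for r in records if r["path"].lower().endswith(EXEC_EXTS)]


def parse_events(text):
    """Split '...'-separated Event Viewer rows into dicts; skip malformed rows."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split("...")
        if len(parts) == len(EVENT_FIELDS):
            rows.append(dict(zip(EVENT_FIELDS, parts)))
    return rows


def summarize_events(rows):
    """Count rows per (source, event id), e.g. ('WinDefend', '3004')."""
    return Counter((r["source"], r["event"]) for r in rows)


def triage(av_text, event_text):
    recs = parse_av_log(av_text)
    return {
        "detections": [(r["path"], classify_path(r["path"])) for r in recs],
        "recurring": recurring_threats(recs),
        "dropped_executables": dropped_executables(recs),
        "event_counts": summarize_events(parse_events(event_text)),
    }


if __name__ == "__main__":
    for key, value in triage(AV_LOG, EVENT_LOG).items():
        print(f"{key}: {value}")
```

On the posted data this reports one detection in the Firefox cache and one executable in the user's Temp directory, both under the same profile, and a threat name that recurs across dates once the repeat is included. Note what it does not do: it does not treat the Event Viewer rows as evidence of the trojan. WinDefend 3004 is the generic "real-time protection saw a change" notice that fires on ordinary software updates, and the 5000 entry's parameters (an 8024xxxx code, which is the Windows Update error range, and mpsigdwn.dll, Defender's signature-download module) read as a definition-update failure rather than anything the FakeAlert did.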
 
db

long story short: infections usually corrupt system files. So even though
the infection has been removed, the corrupted system files require
replacement with genuine ones from a genuine XP CD or from a backup if you
had one made.

short solution: initiate a "repair installation" with a WinXP CD. You may
need to uninstall SP3 via Add/Remove if you do not have an XP SP3 CD or a
CD slipstreamed with XP and SP3 on it.


--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- @hotmail.com
"share the nirvana" - dbZen

~~~~~~~~~~~~~~~~~~
 
PA Bear [MS MVP]

There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
or other appropriate forums.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
Patrick Keenan

Frog said:
[Frog's original post, quoted in full; see above.]

You should clear the browser caches, temporary folders, and temporary
internet files folders more often. The free tool ccleaner can help you
significantly with this (www.ccleaner.com). Those locations, as well as
music file-sharing programs, are a main source of infections.

Note that this will also remove things like saved passwords for web sites,
but if your PC has been saving those and has been infected, you should be
thinking about changing them anyway.

HTH
-pk
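Clearing those folders removes what is there today; it is also worth knowing how to look in them before clearing, because both files CA deleted lived there: an .exe in the user's Temp directory and a cache entry with no extension at all. The script below is an added example, not code from the reply above or from ccleaner: it walks the XP per-profile temp and cache locations named in this thread and reports every file that is an executable either by extension or by its first two bytes ("MZ", the DOS stub every Windows PE file starts with). The second test is the important one, since a rogue's cached download carries a cache-style name, not .exe. The profile layout under C:\Documents and Settings\<user> is assumed from the paths in the first post; the sample profile is constructed in a temporary directory with fake file contents so the example runs offline on any OS under Python 3.

```python
import os
import tempfile

# Per-profile locations on Windows XP named in this thread as the usual
# landing spots (assumed layout under C:\Documents and Settings\<user>).
XP_LOCATIONS = (
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "Temporary Internet Files"),
    os.path.join("Local Settings", "Application Data", "Mozilla", "Profiles"),
)
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif"}


def has_pe_header(path):
    """True if the file starts with the 'MZ' DOS stub that every PE file carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_executables(profile_root, locations=XP_LOCATIONS):
    """Walk the temp/cache locations under profile_root and report files that
    are executables by header or by extension. 'disguised' marks a PE header
    under a non-executable name, which is how a cached download looks."""
    hits = []
    for loc in locations:
        base = os.path.join(profile_root, loc)
        for dirpath, _, files in os.walk(base):  # missing dirs simply yield nothing
            for name in files:
                full = os.path.join(dirpath, name)
                ext = os.path.splitext(name)[1].lower()
                is_pe = has_pe_header(full)
                if is_pe or ext in EXEC_EXTS:
                    hits.append({
                        "path": os.path.relpath(full, profile_root).replace(os.sep, "/"),
                        "pe_header": is_pe,
                        "exec_ext": ext in EXEC_EXTS,
                        "disguised": is_pe and ext not in EXEC_EXTS,
                    })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_profile():
    """Constructed stand-in for an XP profile: a fake dropper in Temp, a cached
    copy of it under a cache-style name (no extension), and benign files.
    File contents are invented; only the first two bytes matter here."""
    root = tempfile.mkdtemp(prefix="xpprofile-")
    cache = os.path.join("Local Settings", "Application Data", "Mozilla",
                         "Profiles", "Frog-SeaM", "Cache")
    samples = {
        os.path.join("Local Settings", "Temp", "omfa4cOp.exe"): b"MZ\x90\x00fake-dropper",
        os.path.join("Local Settings", "Temp", "~DF1234.tmp"): b"plain scratch data",
        os.path.join(cache, "4160AC69d01"): b"MZ\x90\x00cached-download",
        os.path.join(cache, "2B7F10E3d01"): b"<html>cached page</html>",
        os.path.join("Local Settings", "Temporary Internet Files", "index.dat"): b"not a pe",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in find_executables(build_sample_profile()):
        flag = "  (PE under a non-executable name)" if hit["disguised"] else ""
        print(hit["path"] + flag)
```

Against the constructed profile it lists the Temp .exe and the extension-less cache file, and nothing else. Checking the header rather than trusting the name is the whole point: an anti-virus that deletes Temp\something.exe every morning while a cached copy sits untouched next to it will keep finding the same file, which is exactly the pattern reported later in this thread.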
 
Frog

Thanks for the responses.

This has become a very difficult time for
this novice computer technician. I attempted to perform the first two
tasks in your message, PA Bear---download/run the MSRT manually and run
the Windows Live Safety Center's 'Protection' scan---without complete
success. I was able to accomplish the first task without difficulty (no
problems found) and was never able to download/run the second item.
This, coupled with the fact that I was receiving a message every morning
at startup that two items were removed from my system by my Anti-virus
software, was the last straw for my frustration threshold. I decided to
revert back to an external drive Casper backup of the C drive that was
made on April 15, which seems to be performing okay for the present.
Subsequent to reloading this backup, I have updated my anti-virus
software...Microsoft Windows software, and again I downloaded/ran the
MSRT manually (no problems were found). I am not, however, able to
download and perform the Windows Live Safety Center's 'Protection'
scan...it indicates that I must make some change that is identified on
the lower portion of the window...nothing shows below.

I am having one problem at the present time involving the
drive letter on one partition of my hard drive. Previously the drive
was known as New Volume (E:) and now is known as New Volume E (E:). I
have attempted to rename this partition back to its original
identification without success. I attempted to make this change by
Right-clicking My Computer>Manage>Disk Management>right-click the
desired drive/partition>Change Drive Letter. Is there some other way to
re-identify this drive?

Frog



[PA Bear's reply, quoted in full; see above.]
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

[Frog's original post, quoted in full; see above.]
 
