Virus in BI.CAB folder


Guest

Please help - my antivirus found a trojan horse in the Bi.cab folder (called
biprep.exe?) but could not delete it. I tried to erase it using Safe Mode - but
failed. In desperation I eventually deleted the whole folder. In retrospect I
guess this was not a good idea, but it seems to have cured my problem, and my
system does not seem to have suffered (yet?)
Should I attempt to reinstall the Bi.cab folder (& if so, how?)
Help/advice appreciated - thanks .........
 

David H. Lipman

No. The CAB file and EXE are the malware.

Just to make sure... Please perform the following...

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt257.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point

* * * Please report your results ! * * *

Dave




| Please help - my antivirus found a trojan horse in the Bi.cab folder (called
| biprep.exe?) but could not delete it. I tried to erase it using Safe Mode - but
| failed. In desperation I eventually deleted the whole folder. In retrospect I
| guess this was not a good idea, but it seems to have cured my problem, and my
| system does not seem to have suffered (yet?)
| Should I attempt to reinstall the Bi.cab folder (& if so, how?)
| Help/advice appreciated - thanks .........
| --
| Stan
 

Guest

Hi David:
Thanks for your clear instructions - which I have followed to the letter.
All seems successful.
Results from 3 runs of Sysclean:

Damage Cleanup Engine (DCE) 3.8(Build 1018)
Windows XP(Build 2600: Service Pack 2)

Start time : Mon Nov 22 2004 10:32:50

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Stan Lubner\Desktop\System clean package\tsc.ptn" (version 457) [success]
TROJ_WINSHOW[virus found]
-->delete file("C:\Documents and Settings\Stan Lubner\Application Data\winshow\winshow.dll","","") success
-->delete folder("C:\Documents and Settings\Stan Lubner\Application Data\winshow","","") success

Complete time : Mon Nov 22 2004 10:33:10
Execute pattern count(1455), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 3.8(Build 1018)
Windows XP(Build 2600: Service Pack 2)

Start time : Mon Nov 22 2004 16:50:02

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Stan Lubner\Desktop\System clean package\tsc.ptn" (version 457) [success]

Complete time : Mon Nov 22 2004 16:50:41
Execute pattern count(1455), Virus found count(0), Virus clean count(0), Clean failed count(0)

Damage Cleanup Engine (DCE) 3.8(Build 1018)
Windows XP(Build 2600: Service Pack 2)

Start time : Mon Nov 22 2004 16:57:02

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Stan Lubner\Desktop\System clean package\tsc.ptn" (version 457) [success]

Complete time : Mon Nov 22 2004 16:57:39
Execute pattern count(1455), Virus found count(0), Virus clean count(0), Clean failed count(0)

Damage Cleanup Engine (DCE) 3.8(Build 1018)
Windows XP(Build 2600: Service Pack 2)

Start time : Mon Nov 22 2004 17:18:34

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Stan Lubner\Desktop\System clean package\tsc.ptn" (version 457) [success]

Complete time : Mon Nov 22 2004 17:18:49
Execute pattern count(1455), Virus found count(0), Virus clean count(0), Clean failed count(0)

-------------------------------------------------------------
Results from Ad-Aware (first run)
ArchiveData(auto-quarantine- 2004-11-22 16-46-11.bckp)
Referencefile : SE1R19 14.11.2004
======================================================

ALTNETBDE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : software\classes\appid\adm.exe
obj[1]=RegValue : software\classes\appid\adm.exe "AppID"
obj[2]=Regkey : software\classes\appid\altnet signing module.exe
obj[3]=RegValue : software\classes\appid\altnet signing module.exe "AppID"
obj[5]=Folder : C:\WINDOWS\temp\Altnet
obj[19]=File : C:\WINDOWS\Temp\Altnet\dmfiles.cab
obj[20]=File : C:\WINDOWS\Temp\Altnet\pmfiles.cab
obj[21]=File : C:\WINDOWS\temp\altnet\Atl.dll
obj[22]=File : C:\WINDOWS\temp\altnet\dmfiles.cab
obj[23]=File : C:\WINDOWS\temp\altnet\dminstall3.cab
obj[24]=File : C:\WINDOWS\temp\altnet\msvcirt.dll
obj[25]=File : C:\WINDOWS\temp\altnet\mysearch.cab
obj[26]=File : C:\WINDOWS\temp\altnet\pmexe.cab
obj[27]=File : C:\WINDOWS\temp\altnet\pmfiles.cab
obj[28]=File : C:\WINDOWS\temp\altnet\pminstall.cab
obj[29]=File : C:\WINDOWS\temp\altnet\Setup.cab

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[4]=RegValue : S-1-5-21-150705445-4016246470-1758940850-1006\software\microsoft\internet explorer\main "HOMEOldSP"
obj[6]=RegValue : software\microsoft\internet explorer\main "Enable Browser Extensions"
obj[7]=RegValue : software\microsoft\internet explorer\main "Use Custom Search URL"
obj[8]=Folder : C:\Documents and Settings\Stan Lubner\Application Data\winlink
obj[15]=File : C:\Documents and Settings\Stan Lubner\Application Data\winlink\winlink.new

VX2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[9]=RegValue : software\microsoft\internet explorer\toolbar\webbrowser "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
obj[10]=RegValue : software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions "iexplore.exe"
obj[16]=File : C:\Documents and Settings\Stan Lubner\Local Settings\Temp\biini.cab
obj[30]=File : C:\DOCUME~1\STANLU~1\LOCALS~1\Temp\bi.inf
obj[31]=File : C:\DOCUME~1\STANLU~1\LOCALS~1\Temp\biini.cab
obj[32]=File : C:\WINDOWS\inf\bi.inf

NAVEXCEL
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[11]=Folder : C:\Program Files\NavExcel
obj[12]=Folder : C:\Program Files\navexcel\NavHelper
obj[17]=File : C:\Program Files\NavExcel\NavHelper\v2.0.4\NHUninstaller.exe
obj[18]=File : C:\Program Files\NavExcel\NavHelper\v2.0.4\v2.0.4.cab

MEMORYWATCHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[13]=File : C:\Documents and Settings\Default User\My Documents\Data\Data\MemWatcher.exe
obj[14]=File : C:\Documents and Settings\Default User\My Documents\Data\MemWatcher.exe

Please note the line in VX2: run 2 revealed 133 issues, and run 3 = 3.
Thanks again!

Stan
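David's step 5 says "a few cycles may be needed", and Stan's follow-up shows why: the first Sysclean pass removed TROJ_WINSHOW, the later passes found nothing, and Ad-Aware's VX2 count dropped from 133 to 3 between runs. The script below is an added example (not code from the thread, and not a Trend Micro or Lavasoft tool): it parses pasted Damage Cleanup Engine output and an Ad-Aware object list, re-joins lines that were wrapped when the log was posted, tallies findings per family and kind, and applies a "converged" rule of two consecutive runs with zero detections and zero clean failures. That two-run rule is this example's own reading of "a few cycles", not something either vendor documents. The embedded log text is condensed from the output Stan posted above.

```python
"""Check that repeated Trend Sysclean (DCE) runs have converged and tally Ad-Aware
findings by family. Added example; the two-consecutive-clean-runs rule is an
assumption of this example, not a vendor rule."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Condensed from the Sysclean output posted in the thread (three of the runs).
SYSCLEAN_LOG = r"""Damage Cleanup Engine (DCE) 3.8(Build 1018)
Windows XP(Build 2600: Service Pack 2)

Start time : Mon Nov 22 2004 10:32:50

TROJ_WINSHOW[virus found]
-->delete file("C:\Documents and Settings\Stan Lubner\Application Data\winshow\winshow.dll","","") success
-->delete folder("C:\Documents and Settings\Stan Lubner\Application Data\winshow","","") success

Complete time : Mon Nov 22 2004 10:33:10
Execute pattern count(1455), Virus found count(1), Virus clean count(1),
Clean failed count(0)

Damage Cleanup Engine (DCE) 3.8(Build 1018)
Start time : Mon Nov 22 2004 16:50:02
Complete time : Mon Nov 22 2004 16:50:41
Execute pattern count(1455), Virus found count(0), Virus clean count(0),
Clean failed count(0)

Damage Cleanup Engine (DCE) 3.8(Build 1018)
Start time : Mon Nov 22 2004 16:57:02
Complete time : Mon Nov 22 2004 16:57:39
Execute pattern count(1455), Virus found count(0), Virus clean count(0),
Clean failed count(0)
"""

# Condensed from the Ad-Aware list posted in the thread, including the wrapped lines.
ADAWARE_LOG = r"""
ALTNETBDE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : software\classes\appid\adm.exe
obj[1]=RegValue : software\classes\appid\adm.exe "AppID"
obj[5]=Folder : C:\WINDOWS\temp\Altnet
obj[19]=File : C:\WINDOWS\Temp\Altnet\dmfiles.cab

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[4]=RegValue :
S-1-5-21-150705445-4016246470-1758940850-1006\software\microsoft\internet
explorer\main "HOMEOldSP"
obj[8]=Folder : C:\Documents and Settings\Stan Lubner\Application Data\winlink

VX2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[9]=RegValue : software\microsoft\internet explorer\toolbar\webbrowser
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
obj[16]=File : C:\Documents and Settings\Stan Lubner\Local
Settings\Temp\biini.cab
obj[30]=File : C:\DOCUME~1\STANLU~1\LOCALS~1\Temp\bi.inf
obj[32]=File : C:\WINDOWS\inf\bi.inf
"""

RUN_SPLIT = re.compile(r"^Damage Cleanup Engine", re.M)
START = re.compile(r"^Start time : (.+)$", re.M)
# The summary line wraps after "clean count(n)," when pasted, hence \s* between fields.
SUMMARY = re.compile(r"Virus found count\((\d+)\),\s*Virus clean count\((\d+)\),\s*"
                     r"Clean failed count\((\d+)\)")
DETECTION = re.compile(r"^([^\[\s]+)\[virus found\]", re.M)
ACTION = re.compile(r'^-->(\w+ \w+)\("([^"]*)"[^)]*\)\s*(\w+)\s*$', re.M)
OBJ = re.compile(r"^obj\[(\d+)\]=(\w+) :\s*(.*)$")


@dataclass
class SyscleanRun:
    start: str
    found: int
    cleaned: int
    failed: int
    detections: list = field(default_factory=list)  # e.g. ["TROJ_WINSHOW"]
    actions: list = field(default_factory=list)     # (action, target, status)


def parse_sysclean(text):
    """One SyscleanRun per DCE banner; fragments without a summary are skipped."""
    runs = []
    for chunk in RUN_SPLIT.split(text):
        start, summary = START.search(chunk), SUMMARY.search(chunk)
        if not (start and summary):
            continue
        found, cleaned, failed = (int(n) for n in summary.groups())
        runs.append(SyscleanRun(start.group(1).strip(), found, cleaned, failed,
                                DETECTION.findall(chunk), ACTION.findall(chunk)))
    return runs


def converged(runs, clean_runs_required=2):
    """True when the last N runs each found nothing and nothing failed to clean."""
    if len(runs) < clean_runs_required:
        return False
    return all(r.found == 0 and r.failed == 0 for r in runs[-clean_runs_required:])


def parse_adaware(text):
    """Return {family: [(kind, target), ...]}. A family header is any line followed by
    a '»' separator; a line that is neither header, separator nor obj[...] entry is a
    wrapped continuation and is glued onto the previous object's target."""
    lines = text.splitlines()
    families, family = defaultdict(list), None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or line.startswith("»"):
            continue
        if i + 1 < len(lines) and lines[i + 1].lstrip().startswith("»"):
            family = line
            continue
        m = OBJ.match(line)
        if m:
            families[family].append((m.group(2), m.group(3)))
        elif family and families[family]:
            kind, target = families[family][-1]
            families[family][-1] = (kind, (target + " " + line).strip())
    return dict(families)


def tally(families):
    """{family: Counter(kind -> count)}, the per-family totals Stan compared between runs."""
    return {f: Counter(kind for kind, _ in objs) for f, objs in families.items()}


if __name__ == "__main__":
    runs = parse_sysclean(SYSCLEAN_LOG)
    for r in runs:
        print(f"{r.start}: found={r.found} cleaned={r.cleaned} failed={r.failed} {r.detections}")
    print("converged:", converged(runs))
    for fam, kinds in tally(parse_adaware(ADAWARE_LOG)).items():
        print(fam, dict(kinds))
```

Run it as-is to see the three runs summarised and `converged: True`; to use it on your own logs, replace the two embedded strings with the pasted output. The continuation-joining in `parse_adaware` is what makes a registry value whose SID-prefixed key wrapped across three lines come back as a single target, which matters if you intend to grep the registry for it afterwards.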
 