
Thread: megapossum: HELP!! Under Virus Attack!!

  1. #1
    megapossum
    Guest

    megapossum: HELP!! Under Virus Attack!!

    I have a Trojan Horse Downloader Virus on my other computer. I have traced it to a C:\_RESTORE folder (confirmed by AVG). The properties say it has about 400 files but will not show them or permit access.
    The Downloader is Apropo D. and Keenware. I have deleted the files involved in actual adware but when I go online they will just come back. Also I have folders labeled pcsvc that I have removed to the recycle bin but they cannot be removed from there. Can anyone help me get rid of this Trojan Downloader? I have AVG virus which can detect it but does nothing about it. I also have Spybot, Spyware Blaster and TDS-3 Professional Radius Advanced Scanning. None of them have helped though I have run them all to help get rid of the ads the Trojan inserted. I use a DSL line and do not have a firewall. This is the second attack in two months though I was able to remove the other after much digging around.

  2. #2
    Parker
    Guest

    Parker: Re: HELP!! Under Virus Attack!!

    > I have a Trojan Horse Downloader Virus on my
    > other computer. I have traced it to a
    > C:\_RESTORE folder (confirmed by AVG). The
    > properties say it has about 400 files but
    > will not show them or permit access.
    > The Downloader is Apropo D. and Keenware.
    > I have deleted the files involved in actual
    > adware but when I go online they will just
    > come back. Also I have folders labeled pcsvc
    > that I have removed to the recycle bin but
    > they cannot be removed from there. Can
    > anyone help me get rid of this Trojan
    > Downloader? I have AVG virus which can
    > detect it but does nothing about it. I also
    > have Spybot, Spyware Blaster and TDS-3
    > Professional Radius Advanced Scanning. None
    > of them have helped though I have run them
    > all to help get rid of the ads the Trojan
    > inserted. I use a DSL line and do not have a
    > firewall. This is the second attack in two
    > months tho I was able to remove the other
    > after much digging around.

    Sounds like you've got a bad one. I'll assume that you're not only running Spybot, but have downloaded that latest database update, as well as all the latest Windows security updates. Spywareblaster won't help you once you're infected - it is preventive, not corrective.

    If you're running Windows XP or 2000, and having difficulty deleting files, try logging in as Administrator. You should then be able to open Windows Explorer and delete any file or directory you like.

    Of course, this assumes that you know/remember the administrator password for your computer.

    The people who make Spybot S&D have provided some forums that may be helpful. Here is a link:

    http://www.wilderssecurity.com

    Scroll down the page a ways, and you will find a forum called "Browser Hijacks and Spyware Problems" that may be helpful.

    The moderator of that forum has his own website, which may also be helpful:

    http://www.thespykiller.co.uk/

    Here you can download a program called HijackThis, as well as other tools. If you use HijackThis, be sure to study the tutorial. This is a powerful program that is not particularly user-friendly, and you can screw up your system big time if you use it improperly.

    If you aren't sure, you can post the log output of HijackThis on the aforementioned forum, and the moderator will walk you through it.

    If it were my system, I would boot up a Linux Rescue CD such as SystemRescueCD (www.sysresccd.org), mount the NTFS (Windows) filesystem with full root privilege, and delete away. I don't recommend this unless you're comfortable with a Linux/Unix command line. Again, you can really screw up your system this way if you're not careful.

    Of course, the last resort is to do a complete reformat and reinstall Windows. Then you get to reinstall all your applications, not to mention some 40 or so Windows Critical Updates. This is a great way to kill a weekend.

    Once you get this mess straightened out, I would strongly recommend installing a hardware firewall. You can get router/firewall packages fairly inexpensively that will not only protect your system(s), but also allow you to connect up to 4 or more computers to your DSL line. You can even add wireless access if you like.

    Some may consider it overkill, but I would also install a software firewall such as ZoneAlarm or BlackICE.


  3. #3
    bfbagain
    Guest

    bfbagain: Ok, try this (long)

    First, disable system restore. Then boot to safe mode, and run regedit. Highlight "my computer", select edit, find now, and type in "Runonce."
    In the directory tree in the left window pane a folder will be shown as open, and that folder will be runonce. It may first stop in its search at runonce or regedit, in that case just look at the value and hit the F3 key again to continue the search. Once it finds the runonce folder, you'll see the "run" folder immediately above, and the runonce ex folder below. Open these folders (click the + sign) and highlight the sub folders and check what shows up in the right window pane. The runonce folder should be empty but may (likely) not, and you can safely delete those values. Then look at the run folder, and match the apps (check app paths) to see what is normally loaded, i.e., what should be there, e.g., ms messenger, video display control, virus app, etc. Anything that looks weird, open a search window and search for that file. In most cases you can safely delete these keys. Also, open up add and remove programs and uninstall ALL strange apps, apps that you haven't installed. Also open up taskmanager, and view what processes are running, so you can become familiar with what is loaded in safe mode, then later what is loaded normally. Most of these malware, trojans are installed silently and have their apps deeply embedded in obscure registry keys. In addition to all of this, open up a windows explorer window, and navigate to the windows, and windows/system32 directories and look at all the "timestamps" of files/folders that are close to the dates where your problems appeared. Same with the program files and the application data folder under documents and settings.....

    Continue to search (F3) to the second set of keys (local machine....) and do the same. Uninstall, delete all references to Gain/Gator/Kazaa etc. as all of these are fertile grounds for this crap.

    When done, boot back into windows and go to pandasoftware.com and run their free antivirus online scanner to eliminate any viruses.

    Now here's the bad news. You'll have to do all this at least one more time, if not two...to salvage this system. After the scan, download the trial version of panda's titanium virus app and install it. You can run this (in safe mode, you must manually run it from the context menu by right clicking on the "C" drive and run scan) and run your scans again. Manually delete files it finds if it can't.

    This is a lot of effort, but this problem is not going away, and you might as well become familiar with the files in your windows and system32 folders, as you will see this again, probably. The easy way is to re-install windows xp, and if you do that, make "system settings" backups periodically.

    Once completed, download and install mozilla's browser, and enable popup blocking. It is my absolute belief that almost all of this crap is the result of MS IE Explorer! Why MS is waiting for service pack 2 to release this update is beyond me.

    For what it's worth, I feel like the Orkin man the past few weeks, and that's nothing to what other tech savvy people are feeling. The best defence to all of this is a linux based firewall/gateway. If you have an old used system, it's a no-brainer to set up (well, maybe some brains) but when done, most of the trojans/worms will be blocked as linux gives the finger to all attempts to use port 445, whereas MS is like an open door. Yes, zonealarm can help, but not much.

    Good luck
    bfb
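    The procedure bfbagain describes above (inspect the Run, RunOnce and RunOnceEx keys, then look at recently changed files under the Windows, System32, Program Files and Application Data folders) can be scripted on a current Windows system. The following is an added example, not code from anyone in this thread: a read-only PowerShell triage that lists every autostart entry, whether the executable it points at actually exists on disk, and that file's Authenticode signature status, then lists files in those directories modified within the last few days. Windows ME has no PowerShell, so this assumes Windows 7 or later with PowerShell 5.1; the 7-day window and the directory list are assumed defaults. It deletes nothing, so the output can be reviewed (or posted for help, as Parker suggests with the HijackThis log) before anything is removed.

```powershell
# Added example: read-only autostart and recent-file triage in PowerShell.
# Assumes Windows 7+ with PowerShell 5.1. Nothing here modifies the system.

# The Run / RunOnce / RunOnceEx keys bfbagain points at, for both the current
# user and the machine (plus the 32-bit view on 64-bit Windows).
$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Metadata properties that Get-ItemProperty adds; they are not registry values.
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntries {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($p in $item.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Pull the executable out of the command line: a quoted path or
            # the first whitespace-delimited token.
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                # Bare names such as rundll32.exe are resolved through PATH.
                $resolved = Get-Command -Name $exe -CommandType Application `
                    -ErrorAction SilentlyContinue | Select-Object -First 1
                if ($resolved) { $exe = $resolved.Path }
            }
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sigStatus = 'FileMissing'
            if ($exists) {
                # Authenticode status: Valid, NotSigned, HashMismatch, ...
                $sigStatus = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
            [PSCustomObject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                Exe       = $exe
                Exists    = $exists
                Signature = $sigStatus
            }
        }
    }
}

function Get-RecentFiles {
    param([int]$Days = 7)   # assumed default window
    $cutoff = (Get-Date).AddDays(-$Days)
    # The folders bfbagain says to check timestamps in.
    $dirs = @(
        $env:SystemRoot,
        (Join-Path $env:SystemRoot 'System32'),
        $env:ProgramFiles,
        $env:APPDATA
    )
    foreach ($d in $dirs) {
        Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff } |
            Select-Object FullName, LastWriteTime, Length
    }
}

'== Autostart entries =='
Get-AutostartEntries | Format-Table -AutoSize -Wrap
'== Files modified in the last 7 days =='
Get-RecentFiles -Days 7 | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

    Entries whose executable is missing, unsigned, or sits under a user-writable folder are the ones worth matching against the installed programs list before deciding anything; a missing file or a broken signature is a lead, not proof, since legitimate installers also leave unsigned or stale entries behind. Run it from an elevated prompt so the HKLM keys and System32 are readable.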

  4. #4
    megapossum
    Guest

    megapossum: Re: Ok, try this (long)

    Parker and bfb, thanks to both of you for your timely responses. In my post I neglected to mention that this computer has the Windows ME system. Don't know whether this makes any difference in the cure or not.

    My infected files are in C:/_RESTORE which has grown from over 400 files to over 700 files overnight with only four visible which I'm unable to delete. All dated files have been removed and any attempts to go online results in more files being downloaded.

    Have edited the registry to the best of my ability (perhaps disastrously) and culled task manager of everything not immediately recognizable. Some files which I was able to move to the recycle bin I am not able to further delete.

    > First, disable system restore. Then boot to
    > safe mode, and run regedit. Highlight
    > "my computer", select edit, find
    > now, and type in "Runonce."
    > In the directory tree in the left window
    > pane a folder will be shown as open, and
    > that folder will be runonce. It may first
    > stop in its search at runonce or regedit, in
    > that case just look at the value and hit the
    > F3 key again to continue the search. Once it
    > finds the runonce folder, you'll see the
    > "run" folder immediately above,
    > and the runonce ex folder below. Open these
    > folders (click the + sign) and highlight the
    > sub folders and check what shows up in the
    > right window pane. The runonce folder should
    > be empty but may (likely) not, and you can
    > safely delete those values. Then look at the
    > run folder, and match the apps (check app
    > paths) to see what is normally loaded, i.e.,
    > what should be there, e.g., ms messenger,
    > video display control, virus app, etc.
    > Anything that looks weird, open a search
    > window and search for that file. In most
    > cases you can safely delete these keys.
    > Also, open up add and remove programs and
    > uninstall ALL strange apps, apps that you
    > haven't installed. Also open up taskmanager,
    > and view what processes are running, so you
    > can become familiar with what is loaded in
    > safe mode, then later what is loaded
    > normally. Most of these malware, trojans are
    > installed silently and have their apps
    > deeply embedded in obscure registry keys. In
    > addition to all of this, open up a windows
    > explorer window, and navigate to the
    > windows, and windows/system32 directories
    > and look at all the "timestamps"
    > of files/folders that are close to the dates
    > where your problems appeared. Same with the
    > program files and the application data
    > folder under documents and settings.....

    > Continue to search (F3) to the second set of
    > keys (local machine....) and do the same.
    > Uninstall, delete all references to
    > Gain/Gator/Kazaa etc. as all of these are
    > fertile grounds for this crap.

    > When done, boot back into windows and go to
    > pandasoftware.com and run their free
    > antivirus online scanner to eliminate any
    > viruses.

    > Now here's the bad news. You'll have to do
    > all this at least one more time, if not
    > two...to salvage this system. After the
    > scan, download the trial version of panda's
    > titanium virus app and install it. You can
    > run this (in safe mode, you must manually
    > run it from the context menu by right
    > clicking on the "C" drive and run
    > scan) and run your scans again. Manually
    > delete files it finds if it can't.

    > This is a lot of effort, but this problem is
    > not going away, and you might as well become
    > familiar with the files in your windows and
    > system32 folders, as you will see this
    > again, probably. The easy way is to
    > re-install windows xp, and if you do that,
    > make "system settings" backups
    > periodically.

    > Once completed, download and install
    > mozilla's browser, and enable popup
    > blocking. It is my absolute belief that
    > almost all of this crap is the result of MS
    > IE Explorer! Why MS is waiting for service
    > pack 2 to release this update is beyond me.

    > For what it's worth, I feel like the Orkin
    > man the past few weeks, and that's nothing
    > to what other tech savvy people are feeling.
    > The best defence to all of this is a linux
    > based firewall/gateway. If you have an old
    > used system, it's a no-brainer to set up
    > (well, maybe some brains) but when done,
    > most of the trojans/worms will be blocked as
    > linux gives the finger to all attempts to
    > use port 445, whereas MS is like an open
    > door. Yes, zonealarm can help, but not much.

    > Good luck
    > bfb

  5. #5
    Parker
    Guest

    Parker: Oops

    > Parker and bfb, thanks to both of you for
    > your timely responses. In my post I
    > neglected to mention that this computer has
    > the Windows ME system. Don't know whether
    > this makes any difference in the cure or
    > not.

    The main difference this makes in my suggestions is that logging in as Administrator is not applicable, since Windows ME has no such mode.

    > My infected files are in C:/_RESTORE which
    > has grown from over 400 files to over 700
    > files overnight with only four visible which
    > I'm unable to delete. All dated files have
    > been removed and any attempts to go online
    > results in more files being downloaded.

    > Have edited the registry to the best of my
    > ability (perhaps disastrously) and culled
    > task manager of everything not immediately
    > recognizable. Some files which I was able to
    > move to the recycle bin I am not able to
    > further delete.

    I'm afraid we're getting close to that "worst case scenario" fix - reformat, and a complete system reinstall. This might be a good time to upgrade to Windows XP or 2000, assuming that your hardware is up to the task.

  6. #6
    bfbagain
    Guest

    bfbagain: That makes a difference

    Parker is right about the reinstall/format etc. It's probably not necessary to upgrade to XP at this time.

    You could (if space permits) re-partition your hard drive and then install (fresh) OS into the new partition. If it's ME, you can then go in and delete all the crap, including many windows system files, and copy the new (with patches) from the new partition to the old. Now, if it doesn't matter (and you have both the time and software install disks) then I'd just reformat, and install. It'll take the least amount of time and you'll be done with it.

    cheers
    bfb

  7. #7
    megapossum
    Guest

    megapossum: Re: That makes a difference

    Bfb and Parker, thanks again for your efforts to help with my current computer problem. Truthfully my computer knowledge is minimal, Mrs. Mega and my 16yr. old son guide me over the hurdles. Both agree with you that I've got serious problems. If we (Mrs. Mega) get close to a solution I'll post again, otherwise I guess I'll take it to the shop.

    > Parker is right about the reinstall/format
    > etc. It's probably not necessary to upgrade
    > to XP at this time.

    > You could (if space permits) re-partition
    > your hard drive and then install (fresh) OS
    > into the new partition. If it's ME, you can
    > then go in and delete all the crap,
    > including many windows system files, and
    > copy the new (with patches) from the new
    > partition to the old. Now, if it doesn't
    > matter (and you have both the time and
    > software install disks) then I'd just
    > reformat, and install. It'll take the least
    > amount of time and you'll be done with it.

    > cheers
    > bfb

  8. #8
    MM
    Guest

    MM: About computer problems

    Anyone have any advice as to what I can do to prepare myself if I ever had a problem like his? I know about firewalls but what else?

    I want it so that I wouldn't have to re-install everything and take up so much time. The fact that it infected his system restore was the major problem. Right? I heard something about this Norton Ghost. Doesn't it make some kind of copy of your current computer configuration? If you have problems, it just puts everything back to where it was.

  9. #9
    Parker
    Guest

    Parker: Re: About computer problems

    > Anyone have any advice as to what I can do
    > to prepare myself if I ever had a problem
    > like his? I know about firewalls but what
    > else?

    The single most important thing is to frequently check for updates from Microsoft. If you have an always-on Internet connection (DSL or cable modem), and you usually leave your computer turned on, you can set this up to be done automatically.

    In addition to the firewall, run anti-virus and anti-spyware software. These are useless if not kept up-to-date, so check for updates at least weekly. Again, many of these programs allow you to automate this.

    Use some common sense. Never open any e-mail attachment that you were not expecting, even if it appears to be from a trusted source. Be wary of installing free software programs.

    Use an e-mail client other than Outlook or Outlook Express. Use a browser other than Internet Explorer. If you're feeling adventurous, consider an operating system other than Windows, such as Linux (works for me). Viruses, spyware, adware, etc., that are written for Windows will not run on a Linux system. Same goes for Macs, although switching to a Mac necessitates buying a new computer.

    > I want it so that I wouldn't have to
    > re-install everything and take up so much
    > time. The fact that it infected his system
    > restore was the major problem. Right? I
    > heard something about this Norton Ghost.
    > Doesn't it make some kind of copy of your
    > current computer configuration? If you have
    > problems, it just puts everything back to
    > where it was.

    There are several programs of this sort available. The most important thing is to frequently back up your data files. Also back up the files containing your browser preferences and favorites, your address book, and the Windows Registry files.
