Solved

Trojan Detection on Any Explorer folder or program - HELP!!

Posted on 2004-11-01
412 Views
Last Modified: 2010-04-12
I have been dealing with this issue for the last 2 months....

I found that while online, I continuously began receiving a McAfee warning that a trojan has been detected and removed.  I would choose to continue what I was doing.  I then would run a virus scan and it found Backdoor-BDD on my computer.  The problem began to occur like every 10 seconds.  

I then installed the necessary windows updates, as well as office updates and the GDI tool...I ran another virus scan and this time it had found over 200 instances of the trojan and when I tried to delete them about 25 of them were no longer found.  I have and have run Spybot Search and Destroy, Stinger (latest update two weeks ago), and my McAfee virus scan and each time I delete the files. This seemed to fix the problem - for about a couple of days and then I started thinking - it was in Windows - so I turned off System Restore.  That worked for like a month....but I've still noticed only sporadic occurrences of the trojan found and removed....but then I started thinking again... I noticed that I only get the messages when I open any Explorer folder or file - such as in My Computer, any navigational folders, any of my Office programs and while in Internet Explorer. Which lately I haven't used - hence the thought that it was fixed.  I need help in trying to remove the script or startup command that's running on open of Explorer items.  Does anyone have any suggestions???
0
Question by:AxesWannabee
    25 Comments
     
    LVL 27

    Expert Comment

    by:Asta Cu
    How current is your McAfee program and Virus definition files?  Good you turned off system restore prior to the fixes (back on when clean).  Did you perform deep scanning on all drives?  Did you check the HOSTS file?  Is WindowsUpdate and ALL office updates?  http://www.officeupdate.com to ensure security patches are there?  

    More shortly.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Clear Browser's cache (temp internet files and offline content as well as history) ..... Clear Autocomplete items and ALL cookies you are sure you don't trust/need.

    Try AdAware, most current update and configure it to do deep scanning and include the HOSTS file.
    For Spybot S&D, most current version, be sure to include the Immunize function (last look blocks 2,344 or so malware/spyware/malicious BHO intrusions).

    Get updated HijackThis and scan your system.... then post results to the free analyzer, here:
    http://www.hijackthis.de/index.php?langselect=english
    http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html

    Logged in as Admin?  Tried Safe Mode?  

    Other possibilities, but feedback for this will help.  There are many variants; so the problem is significant.
    0
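The advice above is to run HijackThis, paste the log into the free analyzer and then look at the entries that stand out. As an added illustration of what that first pass looks like (this is example code written for this thread, not HijackThis, the analyzer, or anything the poster ran), the script below parses a small constructed HijackThis-style log and flags the three kinds of entries the thread keeps coming back to: O1 HOSTS overrides beyond the localhost line, O4 autostart (Run key) entries, and O2 browser helper objects that load into every Explorer and Internet Explorer window. The log lines, the file paths and the "user-writable path" heuristic are all assumptions made up for the example; the section codes and line layout follow the common HijackThis log format.

```python
import re

# Constructed sample HijackThis log (hypothetical; the thread author's real log was never posted).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2 (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 update.antivirus-vendor.example
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Documents and Settings\User\Local Settings\Temp\helper.dll
O4 - HKLM\..\Run: [VirusScanService] C:\Program Files\McAfee\VirusScan\mcvsshld.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\upd.exe
"""

# A HijackThis entry line: a section code (R0..R3, F0..F3, O1..O23) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")

# O4 body: "<hive>\..\Run: [<name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Assumed heuristic for this example: code launched from user-writable scratch locations
# (temp folders, per-user profile data) deserves a second look before anything else.
USER_WRITABLE_RE = re.compile(
    r"\\(Temp|Local Settings|Application Data|Temporary Internet Files)\\", re.IGNORECASE
)


def parse_hijackthis(text):
    """Return a list of {"section", "body"} dicts, one per recognised entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def triage(entries):
    """Apply the heuristics above; return the entries worth a closer look, each with a reason."""
    findings = []
    for e in entries:
        section, body = e["section"], e["body"]
        if section == "O1":
            # "Hosts: <ip> <name>". Anything beyond the localhost line is a name override,
            # which is how an update or vendor site gets silently redirected.
            parts = body.split()
            name = parts[-1].lower() if len(parts) >= 3 else ""
            if name != "localhost":
                findings.append({**e, "reason": "hosts override for %s" % name})
        elif section == "O4":
            m = RUN_RE.match(body)
            if m and USER_WRITABLE_RE.search(m.group("cmd")):
                findings.append({**e, "reason": "autostart from user-writable path: %s" % m.group("cmd")})
        elif section == "O2":
            # "BHO: <name> - {CLSID} - <dll path>"; the DLL is loaded by every Explorer/IE window.
            dll = body.rsplit(" - ", 1)[-1]
            if USER_WRITABLE_RE.search(dll):
                findings.append({**e, "reason": "BHO loaded from user-writable path: %s" % dll})
    return findings


def report(text):
    """Convenience wrapper: parse a log and return the list of flagged entries."""
    return triage(parse_hijackthis(text))


if __name__ == "__main__":
    for f in report(SAMPLE_LOG):
        print("%s  %s\n    %s" % (f["section"], f["reason"], f["body"]))
```

Run as-is it prints the two temp-folder entries and the HOSTS override while leaving the McAfee and ctfmon autostarts alone. The point is the same one made in the thread: the log is just a list, and the value is in asking of each line "is this something I installed and need?", which is exactly what the analyzer and the follow-up questions below do for the Verizon entry.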
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Also, please see this for many of the variants....
    http://hq.mcafeeasap.com/dispTrojan.asp?virus_k=126448
    0
     

    Author Comment

    by:AxesWannabee
    Okay, let's see if I can answer all questions:

    My McAfee is virus scan online and it installs all updates as soon as I turn on the computer.  I have installed all windows updates and office updates.  The only program I haven't run is Adaware, which we use at work - I'm in I.T.  So I can try that to include deep scanning and the HOSTS file.

That was an excellent idea for clearing Internet cache, etc...but here's the deal I am using MSN's browser, not IE.  I am fine in the MSN browser - no trojans detected, etc...it's when I accidentally use IE (this is what we use at work) that I get the trojan detection popups.  McAfee's doing its job, it's just embedded somewhere in my system and I can't find it.  I normally run virus scans and spyware scans once each week.  This week's scan came up completely clean.  I did not run any of the programs in safe mode though...could do that.  I am logged in as Admin - and oh, I forgot I found a few weeks ago when I was trying to download windows update I would get an access is denied....I found that my Admin rights had been altered and I ran subinacl and that fixed that problem (just offering more information to assist in a solution).  I have the Immunize set already on SS&D.  I'm running out of money here....does this HijackThis cost anything?  Hope I didn't leave anything out.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    No, it's free (donations if you wish)...

    Did you check the link above and the potential registry keys on variants?
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
http://www.majorgeeks.com/download3155.html  HijackThis download, then paste log results in the above free analyzer
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    If you're running XP SP2.... many added protections...   This is a video well worth seeing.  Also free.
    ***** This is an excellent link, very informative, and thanks to
    Fatal_Exception for showing me this! It includes a step-by-step video about XP SP2 and the new features and configuration option overview. Top Notch!
    http://65.24.134.81/KipSolutions/SP2/SP2Overview.htm *****
    Free XP SP2 Help and Support
    http://support.microsoft.com/oas/default.aspx?gprid=6794
     

    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Re. Spybot S&D --- be sure it's fully updated and get all definition files (updated often) and re-immunize.  For AdAware SE Pro (my choice); also am sure that it's updated and not only do deep scanning and include the HOSTS file, but being overly cautious also look at the 'negligible' items and clean them.
    0
     

    Author Comment

    by:AxesWannabee
Okay, I'm going to try to install HijackThis and attach the log file.  I do have XP SP2 and man, that was an issue in itself...but I finally got it installed.  The SS&D is updated, but I haven't re-immunized.  I'll try that too.  Let's see how it goes....I'll let you know when all is run.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Please post the log results in the FREE Analyzer service first, and only post here the items that elude you.  They can be HUGE.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Take the time, when you can, to see the Video I noted above about XP SP2... it is time well spent.  XP SP2 can be a bear to install and understand; but the video gives you great understanding, in my humble opinion.  This can help you avoid many problems down the road.

    Back to work; will return when time permits.

    Asta
    0
     

    Author Comment

    by:AxesWannabee
Okay, I have put the HijackThis log here:
    http://www.majorgeeks.com/downloadget.php?id=3155&file=10&evp=3304750663b552982a8baee6434cfc13
    Thank you for the help, I'm on to the Adaware and clearing temp files.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Instead, paste your log in the link below for immediate results....  choose your language, this is English by default.
    http://www.hijackthis.de/index.php?langselect=english
    0
     

    Author Comment

    by:AxesWannabee
    Okay, done...sorry....I was a little confused...
    0
     

    Author Comment

    by:AxesWannabee
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Join the club, LOL.  Confused is where I remain when I've been "INVADED" with all the awful intrusions out there.  Please do cut/paste any line items that aren't clear.  Will return when I can.  At work, but will check when time permits.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    After pasting it there, click Analyze and post any items you're not sure about here.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
Tried to view it.... not an MSN interface here, so a bit confusing to view.
    BUT... HijackThis did point to this item
    C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe

    Something you want and need?
    0
     

    Author Comment

    by:AxesWannabee
    I have Verizon DSL...which the MSN browser comes with....

    I need it if it is a part of the DSL, however, I don't care to have it if it is for tracking me or for demographics info, etc.

    Would you like me to send the logfile (notepad) I have if it's easier to view?
    0
     
    LVL 27

    Accepted Solution

    by:
    What I'd recommend, since the Guidelines are very clear about keeping all question content within the question thread, is that you revisit the results and look at each entry ... including the 'unknown' processes which "may" or may not be intrusionary.  Also check with WindowsUpdate and MS for any updates.  Don't use Verizon in any form, so tough to help in that regard.  I always am very picky/choosy about what I allow to create cookies and access to my system, having learned from past experience that not all "goodies" and "tools" are free of intrusions.  

    I'm swamped with work, but will check back when I can.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
By the way, on the side of caution; I do not install FREEWARE, or 3rd party software and players or tools... again from past experience and try to work with what is delivered in my OS and interfaces and keep them updated with patches and fixes as a matter of course.  I've found that many "freeware" and alternate players out there cause me more grief than benefit, so something else to consider.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Thanks, about to go to a meeting, saw this response.  If more is needed in this regard, comment and I'll return tomorrow or when time permits.  If I were a Verizon user and had problems and paying for a service, I'd sure go to them to "SAY FIX or ADVISE".

    ":0) Asta
    0
     

    Author Comment

    by:AxesWannabee
    Thank you so much astaec...you've fixed a two month problem in a few minutes!!!
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    YAY YAY YAY!  I am so pleased, AxesWannabee!  ":0)  Thank you for the good news.

    Best wishes to you.  Don't know if you are aware of the new Feedback option next to Expert comments, but they let us know how you feel outside of the question thread if we do "well" or "not".

    ":0)  Asta
    0
     

    Author Comment

    by:AxesWannabee
    No...I didn't know that....I'll look for that....
    0
