TROJ BIPSY.D

I just ran Trend Micro's scan and it reported that I have TROJ BIPSY.D. Can anyone help me remove this?
Thanks
withington Asked:
grujiczoran Commented:
Hello,
You say that most of the time you can boot into Windows. So try to boot into Windows again. If successful, disconnect from the network and Internet and stop all running processes that are not needed.
Click Start, Run and type the command sfc /scannow [Enter]
It may ask you for the Windows XP CD; insert it into your CD-ROM drive. This will check for any changes made to your system files.
If that does not help, do this:
Since you cleared your restore points you cannot roll back, so start the system from your Windows CD into the Recovery Console (make sure you have it set to boot from CD-ROM). If not sure, press and hold the Delete key during boot-up (some BIOSes require the F2 or F12 key) and check your boot sequence there.
When boot-up starts you will have the option to install Windows or repair. Press R. You will get into the Recovery Console.
Run the CHKDSK command
This site explains all the commands: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx
That should fix the boot problem.
If it does:
Boot in Safe Mode
Hopefully you did write down the infected files. Delete all of them if any are left.
Restart the system back to normal Windows.
Scan for viruses again, and write down all infected files and their locations if found.
Use Norton and Trend Micro
http://securityresponse.symantec.com/
http://housecall.trendmicro.com/housecall/start_corp.asp
Run both of them.
Now, disconnect from the Internet and delete all bad files found. You may need to go back to Safe Mode to delete those you could not in the first attempt.
Good luck.

If CHKDSK did not fix the boot problem, then this is a solution you may try.
Registry recovery
http://support.microsoft.com/default.aspx?scid=kb;EN-US;307545 
0
 
Cveselka Commented:
Trend Micro should report what file is infected.  From what I can tell it is spyware.  Reboot into safe mode and delete the file.  
0
 
blue_zee Commented:

Go to Control Panel, System, System Restore. Turn off System Restore. This flushes out all of the restore points.

Then turn it back on and update your antivirus software and keep it updated.

If that doesn't help (believing the infected files are in the restore folder), run at least 2 of these AV online scanners:

Panda ActiveScan
http://www.pandasoftware.com/activescan 

Bitdefender
http://www.bitdefender.com/scan/Msie/index.php 

McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp 

Symantec Security Check
http://security.symantec.com/sscv6/ 

Pc-Cillin (Trend Micro Housecall)
http://housecall.antivirus.com/housecall/start_pcc.asp 

PcPitstop
http://pcpitstop.com/antivirus/default.asp 

RAV
http://www.ravantivirus.com/scan/ 

Zee
0
 
withington (Author) Commented:
Added to this problem is that I cannot update NORTON virus definitions . . .

So, I turned off System Restore, did not yet turn it back on as I did this before I saw any reply posts, and am now running Symantec Online Scan.

I will let you know the results. So far it has found 8 "threats".
0
 
blue_zee Commented:

Yikes...
0
 
withington (Author) Commented:
OK, I may or may not have gotten rid of all the bad stuff, but now it continually hangs at the "welcome" screen when booting up. If I shut it down for a few seconds and then start it up, most of the time it will boot to Windows. Any ideas?
0
 
blue_zee Commented:

I would suspect Norton. Uninstall and test.

And a quick note: it's really NOT good having more than 1 Anti Virus running.

Zee
0
 
grujiczoran Commented:
Hello,
Uninstalling Norton may help with the boot problem, but will not remove remaining viruses that are possibly still on the system.
If viruses are still on the system and you remove the AV, reinstalling it before removing the viruses will probably be unsuccessful.
Besides, I suggested online scanning, one at a time, not installing them. Clicking on the above URLs will get you to a free online scan.
It is possible that you may not be able to scan. That would suggest that the system is badly infected. Having Norton already installed will help determine which files are infected and where they are.
I would remove Norton only if I'm sure that it is the problem.
0
 
withington (Author) Commented:
Thanks for all your help. I think that I was able to rid myself of all problems except for two malware files . . . that in a moment. I will tell you what I did:
Scanned with PandaSoftware, Norton, TrendMicro. Only Panda still finds 2 malwares that I am having problems getting rid of. I had to uninstall Norton and then reinstall - obviously one of the files must have gotten corrupted. I will get the names of the 2 files, but in the meantime I will raise the number of points for this question if anyone can help me with another problem on another computer.

XP, Thunderbird - the inbox erratically changes numbers like from 333 to 1254 to 874 . . .  and on. When I delete any email it shows up again almost right away. And then out of the blue, the Inbox reflects the correct number of emails.

What's up with this? What virus do I have on this box?
0
 
withington (Author) Commented:
btw - the two files are: WebHancer and IPInsight. Any ideas on how to get rid of them? Also, the problem with Thunderbird was that I had not compacted the folders. I had to delete some profile files and then all was fine.

Thanks again, and if anyone knows how to get rid of those other files I would greatly appreciate it!
0
 
blue_zee Commented:

Glad we could be of help. Thanks.

The files you mention are spyware, that these should take care of:

First of all, download NOW this Winsock fix:
http://downloads.subratam.org/WinsockFix.zip
If you lose internet access after the cleanup, run this tool.

After that, download the fully functional trial version of Spy Sweeper:
http://www.webroot.com/downloads/?WRSID=595f27d74dd2795a56af83b763c321e1
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once (“in use”).

Download Ad-Aware from here:
http://lavasoft.element5.com/support/download/
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once (“in use”).

Also excellent is SpyBot Search & Destroy available here:
http://www.spychecker.com/download/download_spybot.html
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once (“in use”).
You should also apply the "immunize" function, since it blocks roughly 1900 known 'bad' runs/apis/apps.

Even if Ad-Aware and SpyBot S&D are similar, they do clean different things. You should have both of them and use REGULARLY.

You can also install “preventive” software that will help you control these nasties:

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Prevents the installation of Active-X based spyware, malware, dialers, etc
Currently protects you against 3400+ nasties.
Advantage: no system resources used!!!
Just download, install and UPDATE.

All of them extremely useful but you must keep them UPDATED.

Suggestion: Make sure you can see all files and folders and run Ad-aware and Spybot S&D in Safe Mode.

Zee
0
 
grujiczoran Commented:
Hello,
Keep in mind that there are some different variants of IPInsight. Check whether you have any P2P programs installed on the system, like Kazaa, sharebare and so on. If you do, remove them as well. What Zee suggests is good. Also check manually for these files. IPInsight creates them.

IPInsigt.dll
IPInsigt.pnf
IPInsigt.inf
Sentry.exe
Sentry.ini
The reason I'm telling you that is that I have had experience with it. After removing the pest with spyware removal programs, it did leave some files behind and the thing reappeared again.
Check registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete "sentry" if there
Restart the machine. Needless to say, be very careful with the registry, and do it in Safe Mode.
When you are completely done and sure you did get out all the pests, turn restore points back on and do Windows updates.

In the end, to add to Zee's arsenal of tools, and they are all good, you should consider "Microsoft Windows Spyware". It is free and very good. To read more about this and download it, visit the site below.

http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&DisplayLang=en
See this site as well. More on MS Win. Spyware.
http://microsoft.blognewschannel.com/index.php/archives/2005/01/09/

To read about and remove WebHancer, visit the Norton site.
http://securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html
Good luck.

0
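
The manual check described in the comment above, written as a read-only PowerShell audit. This is an added example, not part of the original thread: the file names and the Run key come from the comment, while the search roots, the function names and the use of PowerShell 3.0 or later are assumptions.

```powershell
# Added example: read-only audit for the IPInsight leftovers named in the comment above.
# File names and the Run key are from the thread; the search roots are an assumption.
param(
    [string[]]$SearchRoots = @($env:SystemRoot, $env:ProgramFiles)
)

$leftoverNames = 'IPInsigt.dll', 'IPInsigt.pnf', 'IPInsigt.inf', 'Sentry.exe', 'Sentry.ini'
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# Hypothetical helper: report Run values whose name or command line matches the pattern.
function Get-RunKeyHits {
    param([string]$KeyPath, [string]$Pattern)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -match $Pattern -or $data -match $Pattern) {
            [pscustomobject]@{ Kind = 'RunValue'; Name = $name; Detail = $data }
        }
    }
}

# Hypothetical helper: find files with the listed names, including hidden and system ones.
function Get-LeftoverFiles {
    param([string[]]$Roots, [string[]]$Names)
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $Names -contains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'File'; Name = $_.Name; Detail = $_.FullName }
            }
    }
}

# Nothing is deleted; the output is the list to review before cleaning up by hand.
$hits = @(Get-RunKeyHits -KeyPath $runKey -Pattern 'sentry') +
        @(Get-LeftoverFiles -Roots $SearchRoots -Names $leftoverNames)
if ($hits.Count -eq 0) {
    'No IPInsight leftovers found in the checked locations.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

Running it again after the reboot shows whether the Run entry or any of the files has come back, which is the reinfection symptom the comment describes.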
 
withington (Author) Commented:
Thanks for your reply.

I already have used S&D as well as AdAware. They came out clean. I am now running SpySweeper.

Question: When I booted the puter up, I got 2 error messages that I had gotten before that I thought that I fixed: The first was that the Time/Date deal was not correct and that I need to use the applet to correct it. After selecting OK, the puter continues to boot up and then after the Windows desktop loads I get a Norton error message that informs me that a certain file cannot load and that Norton will be disabled. Yesterday when I was working on this computer, by the end of the day the messages no longer appeared. Note, yesterday I adjusted the time/clock. Just now when I booted up I got those messages - as I said earlier - and the time/clock was dated in 1989. Could those 2 error messages appear then not appear due to the CMOS battery? If so how hard is it to replace?

Thanks
0
 
blue_zee Commented:

The date/time changing after turning off PC is usually a sign of a failing CMOS battery.

The Norton not being enabled is a sign of a corrupt installation.

I would suggest an uninstall, restart and cleanup with this tool:

http://ca.huji.ac.il/bf/mcafee/NoNav.exe

This will clean your system of Norton residues.

Restart again and reinstall and update Norton.

That should do it.

Post back your findings.

Zee
0
 
blue_zee Commented:

And almost forgot these:

Replacing Your Computer's CMOS Battery
http://www.rlrouse.com/computer-loses-time.html

Information about the computer CMOS
http://www.computerhope.com/help/cmos.htm
0
 
withington (Author) Commented:
Thanks. How in the world do you know this stuff!!!!  I will let you know what transpires.
0
 
withington (Author) Commented:
About the 2 files that are still on the computer. Panda shows them in the following location:
c:\undo\backup.cab[whInstaller.ini]
c:\undo\backup.cab[Belt.ini]

I can't seem to delete these files manually.

Thanks
0
 
grujiczoran Commented:
Hello,
Using a McAfee tool to remove their competitor is not what you should do, unless you wish to install McAfee AV. Just a thought, I may be wrong.

Before you replace the battery on the main board:
• Get a battery that exactly matches your existing one
• Go to CMOS settings [during boot-up, press and hold “Del key or other appropriate keyboard key”]
• Write down the CMOS settings, as they will change once you replace the battery
• Make sure you have protected the PC from ESD
• Change the battery, start the system and enter CMOS. Correct any changes if they have been made.
• Restart the system.

To remove Norton:
• Go to Safe Mode and use the “Add/Remove” tool in “Control Panel”
• Remove Norton AV and Norton Update manager
• Manually remove all files and folders that are left behind (use “Search” and look for “NORTON and SYMANTEC”)
• Clean the registry of Norton and SYMANTEC entries. You can do it manually by going into the registry: Start, Run, type regedit. Click on “EDIT” and then on Find. Type Norton and ENTER, and delete entries associated with Norton (after each delete press the F3 key and keep doing so until the search is over). Repeat the same for Symantec. This can be time consuming, and make sure you export and save the registry before doing it. Needless to say, be very careful what you delete.

You can use third-party registry cleaners (some are free). I would be very careful with them. You can find all kinds in a Google search.
Restart the system and reinstall Norton.
Again, I highly recommend that you install and run Microsoft Windows Spyware.

 
0
 
blue_zee Commented:

Regarding the undeletable files, have you tried Safe Mode, navigate to that folder and manually delete it?

This could also be useful:

How do I delete an "undeletable" file?
http://www.dougknox.com/xp/tips/xp_undeletable_file.htm

Regarding the NoNav tool, grujiczoran,

I am sorry you don't know the NoNav tool, that is NOT Mcafee. Even if the link seems to suggest that, you should take a look before commenting:

NONAV is an unsupported Symantec tool for removing files and registry keys from Norton Antivirus / Symantec Antivirus.
This is helpful for example when an upgrade from an older version fails and you need to prepare the machine for a clean re-installation.

The tool can be sent out to customers as long as they have been informed that nonav is an unsupported tool / without warranty and provided "as-is".

NONAV removes the following products from filesystem/registry:

NAV      Norton Antivirus 4.x / 5.x
NAVCE      Norton Antivirus Corporate Edition 7.0x 7.5x 7.6x
SAVCE      Symantec Antivirus Corporate Edition 8.0x 8.1x 9.x
SSC      Symantec System Center (from CE 7.x / 8.x / 9.x)
AMS      Alert Management System (from CE 7.x / 8.x / 9.x)
SCF      Symantec Client Firewall 5.x 7.x

NONAV can also be set to remove the following components:

Symevent drivers
LiveUpdate (1.5-2.0)
shared Virus Definitions
Central Quarantine Server / Quarantine Console

NONAV should leave other Symantec products alone on the machine but only very limited testing has been done on this.

PcAnywhere 10.5 / 11, Ghost 8.0/2003 and the Central Quarantine Server has been tested and appear to work fine after running nonav.

NONAV is designed to work on the following OS:
Windows 2003 Server
Windows XP
Windows 2000 Professional / Server
Windows NT4 Workstation / Server
Windows ME
Windows 98
Windows 95

The above was quoted from the included NONAV.TXT file.

And a footnote: the Add/Remove procedure does not remove all the Norton/Symantec references in the registry and system (Surprised? Shouldn't be...)

Cheers,

Zee
0
 
grujiczoran Commented:
Hello,
The two files you are talking about are probably saved in the quarantine folder of one of your cleaner programs.
Check the quarantine of your programs and delete them from there.
If that is not the case, again clear restore points, go to Safe Mode, navigate to the folder and delete them from there.
This folder may be hidden. If so, click on “Folder Options”, then “View”, and select “Show hidden files and folders”.
Then try to find it and delete it. Restart the system and do all the scanning again. When you are done, do not forget to put back restore points.

Belt.ini is a file created by adware. Another nasty thing. See Norton.

Important:
Before you install any antivirus program on your system, you have to clean the computer of all viruses and spyware. Installing AV programs on an infected PC will not work well. Sooner or later you will have problems. Also, some viruses will let the AV work OK, but it will not detect them.

Sometimes cleaning viruses and spyware can be very time consuming, and still anybody can very easily miss some little file that will make the virus reappear. Maybe reinstalling the OS is a better choice. Back up and save all important files before reinstalling the OS.
Good luck.
0
 
grujiczoran Commented:
To blue_zee
I was wrong about NONAV, and yes I did not know about it. I apologize if my comment offended you. I did not have any intention whatsoever to undermine your help.
I did say to clean the registry and explained how.
Anyway, I'm not doing it for competition, but to help and learn.
Thanks.
0
 
blue_zee Commented:

No problem, I was not offended at all.

Just thought you drew conclusions too fast, nothing else!

And thank you for the feedback, I appreciated your reply.

Thanks.

Zee
0
Question has a verified solution.
