Solved

TROJ BIPSY.D

Posted on 2005-04-08
Medium Priority
477 Views
Last Modified: 2010-08-05
I just ran Trend Micro's scan and it reported that I have TROJ BIPSY.D. Can anyone help me remove this?
Thanks
0
Question by:withington
23 Comments
 

Expert Comment

by:Cveselka
ID: 13740856
Trend Micro should report what file is infected.  From what I can tell it is spyware.  Reboot into safe mode and delete the file.  
0
 
LVL 29

Assisted Solution

by:blue_zee
blue_zee earned 800 total points
ID: 13741002

Go to Control Panel, System, System Restore. Turn off System Restore. This flushes out all of the restore points.

Then turn it back on and update your antivirus software and keep it updated.

If that doesn't help (believing the infected files are in the restore folder), run at least 2 of these AV online scanners:

Panda ActiveScan
http://www.pandasoftware.com/activescan 

Bitdefender
http://www.bitdefender.com/scan/Msie/index.php 

McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp 

Symantec Security Check
http://security.symantec.com/sscv6/ 

Pc-Cillin (Trend Micro Housecall)
http://housecall.antivirus.com/housecall/start_pcc.asp 

PcPitstop
http://pcpitstop.com/antivirus/default.asp 

RAV
http://www.ravantivirus.com/scan/ 

Zee
0
 

Author Comment

by:withington
ID: 13741173
added to this problem is that I cannot update NORTON virus definitions . . .

So, I turned off System Restore, did not yet turn it back on as I did this before I saw any reply posts, and am now running the Symantec Online Scan.

I will let you know the results. So far it has found 8 "threats"
0

 
LVL 29

Expert Comment

by:blue_zee
ID: 13741284

Yikes...
0
 

Author Comment

by:withington
ID: 13741877
OK, I may or may not have gotten rid of all the bad stuff, but now it continually hangs at the "welcome" screen when booting up. If I shut it down for a few seconds and then start it up, most of the time it will boot to Windows. Any ideas?
0
 
LVL 1

Accepted Solution

by:grujiczoran
grujiczoran earned 400 total points
ID: 13742226
Hello,
You say that most of the time you can boot into Windows. So try to boot into Windows again. If successful, disconnect from the network and Internet and stop all running processes that are not needed.
Click Start, Run and type the command sfc /scannow [Enter]
It may ask you for the Windows XP CD; insert it into your CD-ROM. This will check for any changes made to your system files.
If that does not help, do this:
Since you cleared your restore points you cannot roll back, so start the system from your Windows CD into the Recovery Console (make sure you have set it to boot from CD-ROM; if not sure, press and hold the Delete key during boot-up (some BIOS require the F2 or F12 key) and check your boot sequence there).
When boot-up starts you will have the option to install Windows or repair. Press R. You will get into the Recovery Console.
Run the CHKDSK command.
This site explains all the commands: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx
That should fix the boot problem.
If it does:
Boot into Safe Mode.
Hopefully you wrote down the infected files. Delete all of them if any are left.
Restart the system back to normal Windows.
Scan for viruses again, and write down all infected files and their locations if found.
Use Norton and Trend Micro:
http://securityresponse.symantec.com/
http://housecall.trendmicro.com/housecall/start_corp.asp
Run both of them.
Now, disconnect from the Internet and delete all the bad files found. You may need to go back to Safe Mode to delete those you could not in the first attempt.
Good luck.

If CHKDSK did not fix the boot problem, then this is a solution you may try.
Registry recovery
http://support.microsoft.com/default.aspx?scid=kb;EN-US;307545
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13743026

I would suspect Norton. Uninstall and test.

And a quick note: it's really NOT good having more than 1 Anti Virus running.

Zee
0
 
LVL 1

Expert Comment

by:grujiczoran
ID: 13743352
Hello,
Uninstalling Norton may help with the boot problem, but will not remove remaining viruses that are possibly still on the system.
If viruses are still on the system and you remove the AV, reinstalling it before removing the viruses will probably be unsuccessful.
Besides, I suggested online scanning, one at a time, not installing them. Clicking on the above URLs will get you to a free online scan.
It is possible that you may not be able to scan. That would suggest that the system is badly infected. Having Norton already installed will help determine what files are infected and where they are.
I would remove Norton only if I'm sure that it is the problem.
0
 

Author Comment

by:withington
ID: 13746879
Thanks for all your help. I think that I was able to rid myself of all problems except for two malware files . . . more on that in a moment. I will tell you what I did:
Scanned with Panda Software, Norton, Trend Micro. Only Panda still finds 2 malware files that I am having problems getting rid of. I had to uninstall Norton and then reinstall it; obviously one of the files must have gotten corrupted. I will get the names of the 2 files, but in the meantime I will raise the number of points for this question if anyone can help me with another problem on another computer:

XP, Thunderbird: the inbox erratically changes numbers, like from 333 to 1254 to 874 . . . and on. When I delete any email it shows up again almost right away. And then out of the blue, the Inbox reflects the correct number of emails.

What's up with this? What virus do I have on this box?
0
 

Author Comment

by:withington
ID: 13747517
BTW, the two files are: WebHancer and IPInsight. Any ideas on how to get rid of them? Also, the problem with Thunderbird was that I had not compacted the folders. I had to delete some profile files and then all was fine.

Thanks again, and if anyone knows how to get rid of those other files I would greatly appreciate it!
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13747598

Glad we could be of help. Thanks.

The files you mention are spyware; these should take care of them:

First of all, download NOW this Winsock fix:
http://downloads.subratam.org/WinsockFix.zip
If you lose internet access after the cleanup, run this tool.

After that, download the fully functional trial version of Spy Sweeper:
http://www.webroot.com/downloads/?WRSID=595f27d74dd2795a56af83b763c321e1
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once (“in use”).

Download Ad-Aware from here:
http://lavasoft.element5.com/support/download/
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once (“in use”).

Also excellent is SpyBot Search & Destroy available here:
http://www.spychecker.com/download/download_spybot.html
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once (“in use”).
You should also apply the "immunize" function, since it blocks roughly 1900 known 'bad' runs/apis/apps.

Even if Ad-Aware and SpyBot S&D are similar, they do clean different things. You should have both of them and use REGULARLY.

You can also install “preventive” software that will help you control these nasties:

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Prevents the installation of ActiveX-based spyware, malware, dialers, etc.
Currently protects you against 3400+ nasties.
Advantage: no system resources used!!!
Just download, install and UPDATE.

All of them are extremely useful, but you must keep them UPDATED.

Suggestion: Make sure you can see all files and folders and run Ad-aware and Spybot S&D in Safe Mode.

Zee
0
 
LVL 1

Expert Comment

by:grujiczoran
ID: 13747852
Hello,
Have in mind that there are some different variants of IPInsight. Look if you have some P2P programs installed on the system, like Kazaa, BearShare and so on. If you do, remove them as well. What Zee suggests to you is good. Also check manually for these files. IPInsight creates them.

IPInsigt.dll
IPInsigt.pnf
IPInsigt.inf
Sentry.exe
Sentry.ini
IPInsigt.dll
The reason I'm telling you that is that I did have experience with it. After removing the pest with spy-removal programs, it did leave some files behind and the thing reappeared again.
Check registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete "sentry" if there.
Restart the machine. Needless to say, be very careful with the registry, and do it in Safe Mode.
When you are completely done and sure you got out all the pests, put back on restore points and do Windows Updates.

In the end, to add to Zee's arsenal of tools (and they are all good), you should consider "Microsoft Windows Spyware". It is free and very good. To read more about this and download it, visit the site below.

http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&DisplayLang=en
See this site as well. More on MS Win. Spyware.
http://microsoft.blognewschannel.com/index.php/archives/2005/01/09/

To read about and remove WebHancer, visit the Norton site.
http://securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html
Good luck.

0
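A read-only audit of the persistence location and file names listed in the comment above, written as an added PowerShell example; it is not from the thread and not a tool of any participant. The HKLM Run key and the file names are the ones the post gives; the per-user HKCU Run key, the folders searched and the "Suspicious" rule are assumptions added here for coverage. It reports what it finds so the entries can be checked in Safe Mode before anything is removed; it deletes nothing.

```powershell
# Added example (not from the thread). Read-only audit: lists Run-key entries and
# flags the ones matching the names in the post, then looks for the listed file
# names under a few system folders. Nothing is deleted.
# Assumptions: the HKCU key, the search roots and the "Suspicious" rule are mine;
# the HKLM key and the file names are the ones given in the post.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',   # from the post
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # assumption: per-user Run key
)
# File names from the post (IPInsigt.dll appears twice there; listed once here)
$suspectNames = @('IPInsigt.dll', 'IPInsigt.pnf', 'IPInsigt.inf', 'Sentry.exe', 'Sentry.ini')
# Assumption: folders worth searching first
$searchRoots = @($env:SystemRoot, "$env:SystemRoot\System32", $env:ProgramFiles)

function Get-RunKeyEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PS* provider properties; skip those
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $command = [string]$p.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $command
                # "sentry" is the value name the post says to look for; also flag
                # commands that point at the listed file names
                Suspicious = ($p.Name -match 'sentry') -or ($command -match 'sentry|ipinsig')
            }
        }
    }
}

function Find-SuspectFiles {
    param([string[]]$Roots, [string[]]$Names)
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        # -Force includes hidden files, which the thread notes these may be
        Get-ChildItem -Path $root -Recurse -Force -File -Include $Names -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Path = $_.FullName; Size = $_.Length; Modified = $_.LastWriteTime }
            }
    }
}

$entries = Get-RunKeyEntries -Keys $runKeys
"== Run-key entries (review the Suspicious ones) =="
$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize

$hits = Find-SuspectFiles -Roots $searchRoots -Names $suspectNames
"== Files matching the listed names =="
if ($hits) { $hits | Format-Table -AutoSize } else { 'none found under the search roots' }
```

Run it from an elevated PowerShell prompt so the HKLM key and the system folders are readable; the Run keys are the autostart location the post names, and listing every entry rather than only "sentry" lets a renamed value be spotted by the command it launches.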
 

Author Comment

by:withington
ID: 13748061
Thanks for your reply.

I already have used S&D as well as Ad-Aware. They came out clean. I am now running Spy Sweeper.

Question: When I booted the puter up, I got 2 error messages that I had gotten before and that I thought I had fixed: The first was that the Time/Date was not correct and that I need to use the applet to correct it. After selecting OK, the puter continues to boot up, and then after the Windows desktop loads I get a Norton error message that informs me that a certain file cannot load and that Norton will be disabled. Yesterday when I was working on this computer, by the end of the day the messages no longer appeared. Note, yesterday I adjusted the time/clock. Just now when I booted up I got those messages, as I said earlier, and the time/clock was dated in 1989. Could those 2 error messages appear and then not appear due to the CMOS battery? If so, how hard is it to replace?

Thanks
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13748133

The date/time changing after turning off PC is usually a sign of a failing CMOS battery.

The Norton not being enabled is a sign of a corrupt installation.

I would suggest an uninstall, restart and cleanup with this tool:

http://ca.huji.ac.il/bf/mcafee/NoNav.exe

This will clean your system of Norton residues.

Restart again and reinstall and update Norton.

That should do it.

Post back your findings.

Zee
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13748137

And almost forgot these:

Replacing Your Computer's CMOS Battery
http://www.rlrouse.com/computer-loses-time.html

Information about the computer CMOS
http://www.computerhope.com/help/cmos.htm
0
 

Author Comment

by:withington
ID: 13748301
Thanks. How in the world do you know this stuff!!!! I will let you know what transpires.
0
 

Author Comment

by:withington
ID: 13748338
About the 2 files that are still on the computer. Panda shows them in the following location:
c:\undo\backup.cab[whInstaller.ini]
c:\undo\backup.cab[Belt.ini]

I can't seem to delete these files manually

thanks
0
 
LVL 1

Expert Comment

by:grujiczoran
ID: 13748406
Hello,
Using Mcaffee tool to remove their competitor is not what you should do, unless you wish to install Mcaffee AV. Just thought, I may be wrong.

Before you replace battery on the Main board:
•      Get battery that exactly match yours existing
•      Go to CMOS settings [during boot up, pres and hold “dell key or other appropriate Keyboard key”]
•      Right down CMOS settings as they will change once you replace battery
•      Make sure you have protect PC from ESD
•      Change battery, start system and enter CMOS. Correct any changes if they bin made.
•      Restart the system.

To remove Norton:
•      Go to safe mode and use “add/remove” tool in “control panel”
•      Remove Norton AV and Norton Update manager
•      Manually remove all files and folders that are left behind (Use “search” and look for “NORTON and SYMANTEC”
•      Clean registry of Norton and SYMANTEC entries. You can do it manually by going in to registry “start, run, type regedit. Click on “EDIT” and then on Find. Type Norton and ENTER, delete entry’s associated with Norton (after delete pres F3 key and kip doing till search is over. Repeat same for Symantec. This can be time consuming and make sure you export and save registry before doing it. Not to say, be very careful what you delete.

You can use third party registry cleaners (some are free). I would be very careful with it. You can find all kinds in Google search.
Restart system and reinstall Norton.
Again I highly recommending you to install and run Microsoft Windows Spyware.

 
0
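The registry part of the procedure above (export first, then Edit > Find, delete, F3, repeat) is easy to get wrong by hand because each F3 shows one hit at a time. The following PowerShell is an added example, not from the thread: it exports the hives it will walk with the built-in reg.exe, then collects every key name, value name or value data containing the post's two search terms into one CSV for review. It deletes nothing. The hives walked, the backup folder and the report format are assumptions chosen here.

```powershell
# Added example (not from the thread). Backs up the hives it walks, then lists
# every key name, value name or value data containing the post's search terms
# ("Norton", "Symantec") so the list can be reviewed before anything is deleted
# in regedit. It deletes nothing.
# Assumptions: the hives walked, the backup folder and the CSV report are mine.

$terms     = @('Norton', 'Symantec')                   # from the post
$hives     = @('HKLM:\SOFTWARE', 'HKCU:\Software')     # assumption: scope of the walk
$backupDir = Join-Path $env:TEMP 'reg-backup'          # assumption
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Step 1 (the post's "export and save the registry before doing it"): reg.exe is the
# built-in exporter; the .reg files can be merged back with "reg import" if needed.
reg.exe export HKLM\SOFTWARE (Join-Path $backupDir 'HKLM_SOFTWARE.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export of HKLM\SOFTWARE failed; stopping before the walk' }
reg.exe export HKCU\Software (Join-Path $backupDir 'HKCU_Software.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export of HKCU\Software failed; stopping before the walk' }

# Step 2: the equivalent of regedit's Edit > Find / F3 loop, but collected into a list
function Find-RegistryMatches {
    param([string[]]$Roots, [string[]]$Terms)
    # -match is case-insensitive by default, so "norton" and "NORTON" both hit
    $pattern = ($Terms | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $pattern) {
                [pscustomobject]@{ Where = 'KeyName'; Key = $key.Name; ValueName = ''; Data = '' }
            }
            foreach ($valueName in $key.GetValueNames()) {   # '' is the (Default) value
                $data = [string]$key.GetValue($valueName)
                if ($valueName -match $pattern -or $data -match $pattern) {
                    [pscustomobject]@{ Where = 'Value'; Key = $key.Name; ValueName = $valueName; Data = $data }
                }
            }
        }
    }
}

$found  = @(Find-RegistryMatches -Roots $hives -Terms $terms)
$report = Join-Path $backupDir 'norton-symantec-matches.csv'
$found | Export-Csv -Path $report -NoTypeInformation
"{0} matches written to {1}; hive backups are in {2}" -f $found.Count, $report, $backupDir
```

Review the CSV before touching regedit: data matches in particular can be unrelated software that merely mentions the vendor (a file association, an uninstall string for another product), which is exactly the kind of entry the F3 loop tempts you to delete. HKLM\SOFTWARE exports can be large, and walking it takes a few minutes.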
 
LVL 29

Expert Comment

by:blue_zee
ID: 13748467

Regarding the undeletable files, have you tried Safe Mode, navigating to that folder and manually deleting them?

This could also be useful:

How do I delete an "undeletable" file?
http://www.dougknox.com/xp/tips/xp_undeletable_file.htm

Regarding the NoNav tool, grujiczoran,

I am sorry you don't know the NoNav tool, that is NOT Mcafee. Even if the link seems to suggest that, you should take a look before commenting:

NONAV is an unsupported Symantec tool for removing files and registry keys from Norton Antivirus / Symantec Antivirus.
This is helpful for example when an upgrade from an older version fails and you need to prepare the machine for a clean re-installation.

The tool can be sent out to customers as long as they have been informed that nonav is an unsupported tool / without warranty and provided "as-is".

NONAV removes the following products from filesystem/registry:

NAV      Norton Antivirus 4.x / 5.x
NAVCE      Norton Antivirus Corporate Edition 7.0x 7.5x 7.6x
SAVCE      Symantec Antivirus Corporate Edition 8.0x 8.1x 9.x
SSC      Symantec System Center (from CE 7.x / 8.x / 9.x)
AMS      Alert Management System (from CE 7.x / 8.x / 9.x)
SCF      Symantec Client Firewall 5.x 7.x

NONAV can also be set to remove the following components:

Symevent drivers
LiveUpdate (1.5-2.0)
shared Virus Definitions
Central Quarantine Server / Quarantine Console

NONAV should leave other Symantec products alone on the machine but only very limited testing has been done on this.

PcAnywhere 10.5 / 11, Ghost 8.0/2003 and the Central Quarantine Server have been tested and appear to work fine after running nonav.

NONAV is designed to work on the following OS:
Windows 2003 Server
Windows XP
Windows 2000 Professional / Server
Windows NT4 Workstation / Server
Windows ME
Windows 98
Windows 95

The above was quoted from the included NONAV.TXT file.

And a footnote: the Add/Remove procedure does not remove all the Norton/Symantec references in the registry and system (Surprised? Shouldn't be...)

Cheers,

Zee
0
 
LVL 1

Expert Comment

by:grujiczoran
ID: 13748480
Hello,
The two files you are talking about are probably saved in the quarantine folder of one of your cleaner programs.
Check the quarantine of your programs and delete them from there.
If that is not the case, again clear restore points, go to Safe Mode, navigate to the folder and delete them from there.
This folder may be hidden. If so, click on "Folder Options", then "View", and select "Show hidden files and folders".
Then try to find it and delete it. Restart the system and do all the scanning again. When you are done, do not forget to put back restore points.
 
Belt.ini is a file created by adware. Another nasty thing. See Norton.

Important:
Before you install any antivirus program on your system, you have to clean the computer of all viruses and spyware. Installing AV programs on an infected PC will not work well. Sooner or later you will have problems. Also, some viruses will let the AV appear to work OK, but it will not detect them.

Sometimes cleaning viruses and spyware can be very time consuming, and still anybody can very easily miss some little file that will make the virus reappear. Maybe reinstalling the OS is a better choice. Back up and save all important files before reinstalling the OS.
Good luck
0
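The paths Panda reported earlier, `c:\undo\backup.cab[whInstaller.ini]` and `c:\undo\backup.cab[Belt.ini]`, read as a cabinet archive followed by a member name in brackets, which is why deleting the "file" by hand fails: the member only exists inside the .cab. The PowerShell below is an added example, not from the thread, that parses such report lines, groups the hits by archive, shows the archive's own size and timestamps, and lists its members with the built-in expand.exe so the whole archive can be reviewed and then handled as one unit (quarantined, or deleted in Safe Mode as the answers above suggest). The two sample lines are constructed from the post; the regex for the report line and the expected `<cab>: <member>` line format of `expand -D` are assumptions.

```powershell
# Added example (not from the thread). Parses scanner lines of the form
# "<archive>[<member>]", groups them by archive, and lists each archive's members
# with expand.exe -D (which lists without extracting). Nothing is deleted.
# Assumptions: the "[member]" notation means "inside this archive"; expand -D
# prints members as "<cab>: <member>" lines (raw output is shown if it does not).

# Sample report lines, constructed from the post
$scannerLines = @(
    'c:\undo\backup.cab[whInstaller.ini]',
    'c:\undo\backup.cab[Belt.ini]'
)

function ConvertFrom-ScannerPath {
    param([string]$Line)
    # "<archive>[<member>]" -> archive and member; a plain path has no member
    if ($Line -match '^(?<archive>.+?)\[(?<member>[^\]]+)\]$') {
        return [pscustomobject]@{ Archive = $Matches.archive; Member = $Matches.member }
    }
    [pscustomobject]@{ Archive = $Line; Member = $null }
}

function Get-CabMembers {
    param([string]$CabPath)
    # expand.exe -D lists a cabinet's members without extracting anything
    $out = & expand.exe -D $CabPath 2>&1 | ForEach-Object { [string]$_ }
    $members = $out | ForEach-Object { if ($_ -match '\.cab:\s*(.+)$') { $Matches[1].Trim() } }
    if ($members) { $members } else { $out }   # fall back to raw output if the format differs
}

$hits = $scannerLines | ForEach-Object { ConvertFrom-ScannerPath $_ }
foreach ($group in ($hits | Group-Object Archive)) {
    $archive = $group.Name
    "Archive: $archive"
    "  reported members: " + (($group.Group | ForEach-Object { $_.Member }) -join ', ')
    if (-not (Test-Path -LiteralPath $archive)) { "  (not present on this machine)"; continue }
    $info = Get-Item -LiteralPath $archive -Force    # -Force: the folder may be hidden
    "  size {0} bytes, created {1}, modified {2}" -f $info.Length, $info.CreationTime, $info.LastWriteTime
    "  members listed by expand.exe:"
    Get-CabMembers -CabPath $archive | ForEach-Object { "    $_" }
}
```

The creation time is the useful clue: it tells you which program wrote the archive (an uninstaller's backup, a cleaner's quarantine) and whether it predates the infection, and the member list shows what else would go if the archive is removed as a whole.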
 
LVL 1

Expert Comment

by:grujiczoran
ID: 13748526
To blue_zee
I was wrong about NONAV, and yes, I did not know about it. I apologize if my comment offended you. I did not have any intention whatsoever to undermine your help.
I did say to clean the registry and explained how.
Anyway, I'm not doing it for competition, but to help and learn.
Thanks.
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13748789

No problem, I was not offended at all.

Just thought you drew conclusions too fast, nothing else!

And thank you for the feedback, I appreciated your reply.

Thanks.

Zee
0
