22 replies to this topic

#1 sherilyne

  • Members
  • 15 posts

Posted 09 October 2007 - 07:18 PM

I have had a recent problem with a virus, spyware, malware, or something like that. I have downloaded various anti-spyware programs and have seemed to resolve most of the issues. What I don't understand is how one particular malware ("Complexel Trojan") continues to be detected every time that I restart my computer. The anti-spyware program that detects it is Anti Spyware Shield. I also have SuperAntiSpyware installed, and Smitfraud. Neither of these two detect this malware. Why won't it STAY GONE after I check "remove threat"? I am running Windows XP on a Compaq Presario notebook PC. Is there a permanent way to remove this?

Moderator Edit: Moved topic to the more appropriate forum. ~ Animal

Edited by Animal, 09 October 2007 - 08:01 PM.



#2 DaChew
    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 09 October 2007 - 07:28 PM

"...a complementary product to antivirus software which is specialized in protection against harmful software. Antivirus software often features an inadequate protection against Trojans, Dialers and Spyware. a² fills this gap." - tg911


http://www.emsisoft.com/en/software/free/

a squared

sometimes it takes an antivirus program, an anti-trojan program and anti spyware to finish killing something

if something keeps coming back then you might try your scans from safe mode, at least you are disconnected from the internet then
Chewy

No. Try not. Do... or do not. There is no try.

#3 quietman7
    Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 October 2007 - 09:52 PM

What type of anti-virus are you using? Have you tried doing your scans in "SAFE MODE"? Are you doing scans while logged into the Administrator's account or an account with administrator privileges?

No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new malware infections appear. Each vendor has its own definition of what constitutes spyware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Dr.Web CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with Dr.Web CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop. (You can use Notepad to open the DrWeb.csv report)
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#4 DaChew

Posted 09 October 2007 - 11:59 PM

Are you doing scans while logged into the Administrator's account or an account with administrator privileges?

do the scans need to be done from the hidden administrative account or is the regular default one OK?

windows xp?

#5 sherilyne
  • Topic Starter

Posted 10 October 2007 - 06:38 AM

Chewy, Which a squared should I download....

#6 DaChew

Posted 10 October 2007 - 08:08 AM

try quietman's advice first, it's a very good first step to getting control back of your computer. I tested it last night; although slow, it seemed an excellent approach. There were glitches in selecting the custom scan that I didn't like, just run the full one

run the free version of A squared

whatever you do, don't have similar antimalware programs running on your computer at the same time, that can be as bad as any virus or trojan

Edited by DaChew, 10 October 2007 - 08:10 AM.


#7 sherilyne
  • Topic Starter

Posted 10 October 2007 - 12:02 PM

Ok, I followed the instructions by quietman, AND I ran the free version of a squared. Then, I re-ran the AntiSpyware Shield to see if it would still detect this complexel trojan that it seems to always find. Once again, it showed up!! Could AntiSpyware Shield be scamming me? Although the Dr. CureIt did find and cure several trojans, the a squared only detected adware and riskware...no malware. (I quarantined the detected results from a squared, by the way).

So now my question is which spyware programs do I uninstall so that I don't have the problem created by running several??? I just removed SuperAntiSpyware, but not the quarantined items or scan logs (? I think that is what the prompt said). I still have Smitfraud, AntiSpyware Shield, and now Dr. Cureit, A2, and ATF-Cleaner. AntiSpyware Shield is the only one that runs on startup, I think. By the way, I am usually the only one that uses my computer, so I think it is always in the administrator for these kinds of things.

#8 quietman7

Posted 10 October 2007 - 12:39 PM

Could be a false positive. Did Anti Spyware Shield provide a specific file name and location associated with the Trojan it is detecting?

If so, get a second opinion. Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.

#9 sherilyne
  • Topic Starter

Posted 10 October 2007 - 01:25 PM

Quietman,
Yes, when I clicked on the malware detected by the AntiSpyware Shield for more information, it said this:

"Filesystem: C:\959b454a5694eac5f353a33843f5\update"

When I go to the local disk c folder, I can see this file there.
When I tried to scan with jotti's virusscan, I got the following message:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file".

I tried to delete this file by right clicking and deleting, and an error came up telling me that access is denied. It also says this when I try to open the "update" folder, even though it says that the folder is empty????

#10 quietman7

Posted 10 October 2007 - 02:42 PM

Update is a name given to many files, some good, some bad. For example, a file with that name belongs to Spyware Doctor's Smart Update. You can see a list of more such examples here.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. I am finding numerous references to update.exe in folders with long random alpha-numerical names such as yours in Kaspersky online scans. In each instance, the scan indicates the "Object is locked skipped" which explains why you cannot access it. This is normal with files protected by the system and the Object is locked skipped detections are not malware nor are they infected.

In cases where Kaspersky scans found update.exe in other areas of the system, it indicated the file was malware but skipped because this online scan detects but does not remove.
C:\Documents and Settings\Administrator\Desktop\update.exe Infected: Trojan-Dropper.Win32.FriJoiner.b skipped
C:\RECYCLER\S-1-5-18\Dc3\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
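As an added example, not code from this thread or from any product named in it, here is a small Python triage helper that applies the two points made in posts #8 and #10: collect the exact path, size and hashes of a flagged file so it can be submitted for a second-opinion scan, and weigh its location, since a name such as update.exe belongs to both legitimate and malicious software. The random-folder pattern, the suspect-location list and the sample files it builds in a temporary directory are assumptions for illustration; the only inputs taken from the thread are the three paths quoted in it, judged by name and location alone.

```python
"""Triage a file an anti-spyware product has flagged, the way this thread
recommends: record path, size and hashes for a second-opinion scan, and
weigh the location, because a name like update.exe is shared by good and
bad software.

Added example, not code from the thread or any product it names. The
random-folder pattern and suspect-location list are assumptions; the
sample files are constructed in a temporary directory.
"""
import hashlib
import os
import re
import tempfile
from pathlib import PureWindowsPath

# Assumed heuristic: a folder whose name is one long run of hex digits, like
# C:\959b454a5694eac5f353a33843f5 in the thread. A reason to check the file,
# not proof of malware.
RANDOM_DIR = re.compile(r"^[0-9a-f]{20,}$", re.IGNORECASE)
# Names the thread notes are used by both legitimate and malicious software.
GENERIC_NAMES = {"update.exe", "update"}
# Locations where the thread's Kaspersky examples flagged update.exe
# (Desktop, RECYCLER); Temp is added as an assumption.
SUSPECT_DIRS = {"desktop", "recycler", "temp"}


def classify_path(win_path: str) -> dict:
    """Judge a Windows path by name and location alone (no file access)."""
    p = PureWindowsPath(win_path)
    middle = p.parts[1:-1]  # folders between the drive and the file name
    flags = {
        "generic_name": p.name.lower() in GENERIC_NAMES,
        "random_named_dir": any(RANDOM_DIR.match(part) for part in middle),
        "suspect_location": any(part.lower() in SUSPECT_DIRS for part in middle),
    }
    # Any one of these justifies uploading the file for analysis.
    flags["second_opinion_needed"] = any(flags.values())
    return flags


def hash_file(path: str) -> tuple:
    """MD5 and SHA-256 of a file, read in chunks so large files are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def inspect_file(real_path: str) -> dict:
    """Collect what a second-opinion scanner needs and explain common failures."""
    info = {"exists": os.path.exists(real_path), "is_dir": False, "size": None,
            "md5": None, "sha256": None, "note": ""}
    if not info["exists"]:
        info["note"] = "path does not exist; check for a typo or a hidden/system attribute"
        return info
    if os.path.isdir(real_path):
        # The thread's path ended in a folder called "update", not a file.
        info["is_dir"] = True
        info["note"] = "this is a folder, not a file; submit the individual files inside it"
        return info
    info["size"] = os.path.getsize(real_path)
    try:
        info["md5"], info["sha256"] = hash_file(real_path)
    except PermissionError:
        info["note"] = "access denied: file is locked or ACL-protected; retry from Safe Mode"
        return info
    if info["size"] == 0:
        # Matches the Jotti message in the thread: a 0-byte upload cannot be analysed.
        info["note"] = "0-byte file: an online scanner has nothing to analyse"
    return info


def run_demo() -> dict:
    """Build constructed samples in a temp dir and triage them."""
    tmp = tempfile.mkdtemp(prefix="triage_demo_")
    normal = os.path.join(tmp, "update.exe")
    with open(normal, "wb") as fh:
        fh.write(b"hello")  # constructed content, not a real binary
    empty = os.path.join(tmp, "empty.exe")
    open(empty, "wb").close()
    folder = os.path.join(tmp, "update")
    os.mkdir(folder)
    return {
        "normal": inspect_file(normal),
        "empty": inspect_file(empty),
        "folder": inspect_file(folder),
        "missing": inspect_file(os.path.join(tmp, "nope.exe")),
        # The three paths quoted in the thread, judged by location only.
        "thread_paths": {
            path: classify_path(path) for path in (
                r"C:\959b454a5694eac5f353a33843f5\update",
                r"C:\Documents and Settings\Administrator\Desktop\update.exe",
                r"C:\RECYCLER\S-1-5-18\Dc3\Update.exe",
            )
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Run it directly to print the triage of the constructed samples and of the three thread paths. A 0-byte result or an access-denied note explains a failed upload like the one in post #9 without guesswork, and the second_opinion_needed flag is a prompt to submit the file for analysis, not a verdict on it.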

#11 sherilyne
  • Topic Starter

Posted 10 October 2007 - 09:38 PM

I ran the kaspersky, and it revealed that there were 28 problems, but most of them said "object locked - skipped". There were some that said "Trojan Download - skipped". I guess that means that the trojans are under control? I do notice a difference in the way that my computer runs now. It used to skip letters when typing, and would not load all of my programs correctly. Both of those seem to be corrected.

I still would like to know if I need to uninstall some of the many antispyware programs that I have downloaded to correct these issues. I have them listed in an earlier post. But, thanks for all of the help offered. I would have pulled all of my hair out trying to fix this on my own!

#12 DaChew

Posted 10 October 2007 - 10:05 PM

there's nothing wrong with having different anti-malware programs in your arsenal, just keep them from loading at bootup,
it's nice to have one or 2 real time protectors if they don't conflict

I use spybot, superantispyware, trojan hunter and even nortons for scans

some are harder than others to disable the real time protection

firefox with the noscript is a good idea

#13 sherilyne
  • Topic Starter

Posted 10 October 2007 - 10:36 PM

Thanks...good to know. I will be sure to post again if problems return, or new ones arise.

#14 quietman7

Posted 11 October 2007 - 05:29 AM

I ran the kaspersky, and it revealed that there were 28 problems...There were some that said "Trojan Download - skipped".

What was the name and location of the files flagged as Trojan Download?

I guess that means that the trojans are under control?

Kaspersky's online scan does not remove anything, that's why it says skipped.

#15 sherilyne
  • Topic Starter

Posted 12 October 2007 - 09:05 AM

I did not look at the location of the files, I will have to run the Kaspersky again....I will post it when I get it.
