Trojan Tanspy


#1 JDM2

Posted 24 January 2008 - 03:04 PM

Ran Spyware Doctor and it said I have Trojan Tanspy. Booting up the computer last I got a message I had never seen before: "Windows Host Scripts Have Been Disabled on This Machine. Please contact your administrator."

Any idea where to go from here?

SDFix maybe?

Thanks for your input.

Jeff


#2 quietman7

Posted 24 January 2008 - 06:53 PM

Did your scan provide a specific file name associated with this malware threat and if so, where is it located (full file path) at on your system? If your scan saved a log file, it should show exactly what and where the malware was found so post that instead.

How to disable-enable Windows Scripting Host.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 JDM2

Posted 24 January 2008 - 08:07 PM

Did your scan provide a specific file name associated with this malware threat and if so, where is it located (full file path) at on your system? If your scan saved a log file, it should show exactly what and where the malware was found so post that instead.

How to disable-enable Windows Scripting Host.


Thanks, Quietman. Here's a screen shot:

Posted Image

#4 quietman7

Posted 25 January 2008 - 08:14 AM

It does not show the original name or location where it was found. The file looks to have been renamed when it was safely moved to quarantine and is no longer a threat.

#5 JDM2

Posted 25 January 2008 - 10:47 AM

Thanks, Quietman.

You replied to someone earlier today who had a problem with a host entry. I noticed this too:

From DSS:

-- Files created between 2007-12-23 and 2008-01-23 -----------------------------

2008-01-23 22:17:05 0 d-------- C:\Program Files\Symantec
2008-01-23 22:17:05 0 d-------- C:\Documents and Settings\Jeff\Application Data\Symantec
2008-01-23 21:21:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-01-23 20:56:46 0 d-------- C:\Program Files\Spyware Doctor
2008-01-23 20:56:46 0 d-------- C:\Documents and Settings\Jeff\Application Data\PC Tools
2008-01-23 20:09:53 2014 -r-h----- C:\WINDOWS\system32\drivers\hosts
2008-01-23 20:09:44 0 d-------- C:\Program Files\RogueRemover PRO

**Snip**

Or would C:\WINDOWS\system32\drivers\hosts have been created by Rogue Remover? Notice those two entries are just 9 seconds apart.

Thanks for any info you are able to provide.

Jeff

#6 quietman7

Posted 25 January 2008 - 12:12 PM

Rogue Remover would not create that.

The HOSTS file is found in these default locations:
Windows Vista -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows XP -> C:\Windows\system32\drivers\etc\hosts
Windows 2K -> C:\Winnt\system32\drivers\etc\hosts
Windows 98 -> C:\Windows\hosts
Windows ME -> C:\Windows\hosts
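Added example, not from the thread or from any tool mentioned in it: a small Python triage script that parses DSS "Files created" lines of the form Jeff posted and flags any file named hosts that sits outside the default HOSTS folders listed above or carries hidden/read-only attributes (a genuine HOSTS file normally has neither). The sample lines are constructed from the snippet in this thread, and the layout of the DSS attribute field is assumed from that snippet.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the DSS "Files created" section quoted in the thread.
SAMPLE_DSS = r"""
2008-01-23 22:17:05 0 d-------- C:\Program Files\Symantec
2008-01-23 20:09:53 2014 -r-h----- C:\WINDOWS\system32\drivers\hosts
2008-01-23 20:09:44 0 d-------- C:\Program Files\RogueRemover PRO
2008-01-20 09:00:00 734 -a------- C:\WINDOWS\system32\drivers\etc\hosts
"""

# timestamp, size, 9-character attribute field (assumed layout), full path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{9})\s+(.*)$")

# Default HOSTS folders from the thread, lower-cased for comparison.
EXPECTED_HOSTS_DIRS = {
    r"c:\windows\system32\drivers\etc",   # Vista / XP
    r"c:\winnt\system32\drivers\etc",     # Windows 2000
    r"c:\windows",                        # Windows 98 / ME
}

@dataclass
class Entry:
    when: str
    size: int
    attrs: str
    path: str

def parse_dss(text):
    """Turn the raw DSS section into Entry records, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return entries

def suspicious_hosts(entries):
    """Return (path, reasons) for non-directory entries named 'hosts' that look out of place."""
    findings = []
    for e in entries:
        directory, _, name = e.path.lower().rpartition("\\")
        if name != "hosts" or e.attrs.startswith("d"):
            continue
        reasons = []
        if directory not in EXPECTED_HOSTS_DIRS:
            reasons.append("outside default HOSTS folder")
        if "h" in e.attrs:
            reasons.append("hidden attribute set")
        if "r" in e.attrs:
            reasons.append("read-only attribute set")
        if reasons:
            findings.append((e.path, reasons))
    return findings
```

Run against the constructed sample, only the drivers\hosts entry is reported; the real drivers\etc\hosts passes.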

#7 JDM2

Posted 25 January 2008 - 02:04 PM

Rogue Remover would not create that.

The HOSTS file is found in these default locations:
Windows Vista -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows XP -> C:\Windows\system32\drivers\etc\hosts
Windows 2K -> C:\Winnt\system32\drivers\etc\hosts
Windows 98 -> C:\Windows\hosts
Windows ME -> C:\Windows\hosts


So just use your link above to disable VBS? Not sure what to do next.

Thanks,


Jeff

#8 quietman7

Posted 25 January 2008 - 04:23 PM

The link I gave provides instructions on how to tell whether Windows Scripting Host (WSH) is installed on your machine. Sorry I was not clear but I wanted you to check that first.

You can download Symantec's NoScript utility. Scroll down to the section "How to disable (or re-enable) the Windows Scripting Host" to find the link and follow the instructions.

Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

C:\WINDOWS\system32\drivers\hosts

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the light blue bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


#9 JDM2

Posted 25 January 2008 - 11:13 PM

Thanks a lot as always, Quietman...

C:\WINDOWS\system32\drivers\hosts moved successfully.

OTMoveIt2 v1.0.14 log created on 01252008_231055

Norton No-Script said scripts were enabled so I disabled them for now.

Hope you have a nice weekend. Appreciate your help.

Jeff

#10 quietman7

Posted 26 January 2008 - 10:08 AM

You're welcome.

Don't forget to set a new restore point.
