
Cassava Trojan Eating Me Alive! Please Help Someone!


14 replies to this topic

#1 bentatsico


Posted 29 September 2008 - 05:16 AM

Hi world!
I am on Windows XP and a friend recently managed to get a trojan called cassava onto my PC.
I have run Spybot and a trial version of Kaspersky multiple times and still have no joy!
Is this a case of a complete system reinstall or is there another way?
If there is anybody out there who could help I would be eternally grateful!
cheers
x
:thumbsup:



#2 lomaxomatic


Posted 29 September 2008 - 05:22 AM

Try PC Tools Spyware Doctor. If you are able to find out the name of the trojan, then you could be able to get that as well. First of all, check whether it is infecting your Internet Explorer (if you are using it); you can check its presence by going to the Tools option and the Manage Add-ons section. If it's there, then there will be associated .dll files in the system32 folder of Windows.

Kindly let me know the symptoms, then I can advise you better.

#3 bentatsico


Posted 29 September 2008 - 05:25 AM

OK, will run Spyware Doctor and post what I get!
Am fairly non-savvy on PC!!!
Thanks for the reply!
x
b

#4 bentatsico


Posted 29 September 2008 - 05:32 AM

OK, as soon as I opened Spyware Doctor I got a pop-up telling me:

----------------------------------------------

! proactive defense


process is trying to inject into another process. this behaviour is typical of some malicious programs.
details..... (nothing happens when clicking this blue highlighted link)

riskware:
invader

running process (pid:3472):
c:/program files\spyware d...\pcts.exe


Then it gives options to terminate, deny, skip, add to trusted zone.

----------------------------------------------------------------

As I say, I am not very PC savvy, but I don't think this pop-up is Spyware Doctor, as I have seen it before since having problems. The pop-up is always on top and it appears that Spyware Doctor will not run??

This is all the info I have.
Thanks again

#5 ruby1


Posted 29 September 2008 - 05:35 AM

I have requested your topic to be moved to the 'Am I infected' section,
but meanwhile could you please run the Malwarebytes scan as per these instructions: http://www.bleepingcomputer.com/forums/ind...st&p=960031

and post the resultant log for the Team to check out for you :thumbsup:

#6 bentatsico


Posted 29 September 2008 - 05:39 AM

Another pop-up, this time in red!

-------------------------------------------------------
process is trying to install driver and gain full access to operating system. security control will not be available anymore detail.....

suspicious action:
suspicious driver installation

running process (pid:2244):
c:\program files\spyware d ...\pctssvc.exe

-----------------------------------------------------------

Have just realised that those pop-ups may be Kaspersky ones. Have shut Spybot and Kaspersky, however Spyware Doctor will still not run; it appears in the system tray yet all options are in grey and do not work!

I am sure the name of this trojan is cassava.

Thanks again!

#7 ruby1


Posted 29 September 2008 - 05:53 AM

Please try running the Malwarebytes scan and post the report for review by the Team :thumbsup:

Also, you mention

"a trial version of Kaspersky"

??

I wonder if you have more than ONE antivirus program on board; kindly tell us what your installed antivirus program is and other protection?

#8 bentatsico


Posted 29 September 2008 - 06:05 AM

I currently have on my PC:
Kaspersky (30 day trial I think, downloaded from tucows.com)
Spyware Doctor (free version, again downloaded from Tucows)
Spybot Search and Destroy
and now Malwarebytes!

Here is the Malwarebytes log:

-------------------------------------------

Malwarebytes' Anti-Malware 1.28
Database version: 1221
Windows 5.1.2600 Service Pack 2

29/09/2008 11:50:12
mbam-log-2008-09-29 (11-50-12).txt

Scan type: Quick Scan
Objects scanned: 48930
Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.bgvq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.


------------------------------------------------------------------------------------

I have just restarted my PC and immediately a Spybot S&D window popped up saying......

--------------------------------------------------------------------------------------

spybot - Search & Destroy has detected an important registry entry that has been changed.

category : system system startup global entry
change : key detected
entry : spybotsnd
old data : C:\program files\ spybot - serch & destroy\spybotsd.exe

and it gives the options to allow or deny the change,
and I have done nothing with this so far.

-------------------------------------------------------------------------------------------

#9 bentatsico


Posted 29 September 2008 - 07:05 AM

OK, so I have rescanned with Malwarebytes and here is the log. However, when I scan with Spybot S&D it tells me I have the trojan cassava in c:\program files\casinoonnet\arena. This is the same trojan that I keep encountering and that, whenever Spybot finds it, it is unable to remove!

Here's the last Malwarebytes log:
--------------------------------


Malwarebytes' Anti-Malware 1.28
Database version: 1221
Windows 5.1.2600 Service Pack 2

29/09/2008 12:40:19
mbam-log-2008-09-29 (12-40-19).txt

Scan type: Quick Scan
Objects scanned: 48886
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-------------------------------------------------------

But as I say, Spybot keeps telling me I have the trojan cassava!
Please help, this is driving me mad.

#10 lomaxomatic


Posted 29 September 2008 - 07:34 AM

The services which were trying to inject in the computer are the processes of Spyware Doctor. Do not worry, let them start, because if you block them, Spyware Doctor won't start at all. Trust me, Spyware Doctor is 99% effective in trojan cases. None other can do much better. I am using that on a lot of PCs I encountered and the success rate is amazing.

#11 lomaxomatic


Posted 29 September 2008 - 07:36 AM

First of all, just keep one antispyware. If you are using Spybot, then try to remove it and then start scanning using PC Tools Spyware Doctor. Because if you use more than one antispyware, both of them will cause problems and try to run, which will make the system slower.

Scan with confidence, you will feel better. On the first run, which is the Intelligent Scan, you will get that trojan hunted.

After the removal, do a complete scan for your satisfaction. Most of the trojans reside in the registry and system32 of Windows. The initial Intelligent Scan removes those.

#12 lomaxomatic


Posted 29 September 2008 - 07:39 AM

Let me tell you, you have probably opened a website on which there was an ad for casinos. People generally click it by mistake and get tangled up with trojan spreaders. The same happened with your system as well.

#13 bentatsico


Posted 29 September 2008 - 10:00 AM

OK, I have uninstalled Kaspersky and Spybot and then run Spyware Doctor, in intelli and full, and it keeps coming up with problems!
I am lost !!!!!!!!!!!!!!

#14 lomaxomatic


Posted 29 September 2008 - 11:12 AM

Can you let me know what problem? See, it will show you the problems that are persisting in your computer, and when you click Next it will remove them automatically. You do not have to make any extra effort. Just scan and click on Next. On scanning, it will give you a whole series of viruses/trojans and other malicious things, and clicking on Next will take you to the repair page. Then at this page you can repair them all in just one go.

Later on you can reinstall your choice of products if you do want to use Kaspersky. I have been using Spyware Doctor, and it is 100% safe and 99% effective.

It will remove all the trojans without a trace, making your computer safe.

#15 ruby1


Posted 29 September 2008 - 03:55 PM

Please run a scan with SUPERAntiSpyware; instructions can be found at
http://www.bleepingcomputer.com/forums/ind...st&p=959604
Let's see what it finds.
Also run a scan with the stand-alone Stinger from http://vil.nai.com/vil/stinger/stinger.htm

Its exe is http://download.nai.com/products/mcafee-av...nger1001602.exe

When did you last update Spybot? And if you are encountering problems with it, have you tried to uninstall it and reinstall it?



