
Trojan: Need Help.

#1 DSTM ("Bleepin' Aussie Addict") - Members, 2,649 posts, Sydney, Australia

Posted 13 April 2007 - 07:14 AM

I downloaded a program a few minutes ago and need help, as I haven't a clue what to do.
This is the AVG message.

Trojan Horse Generic 2.MSS.
C:\WINDOWS\System32\SiKernell.dll
Back up copy infected.

I pressed heal in AVG and as far as I know it's in the Vault.
Where do I go from here? Any help would be much appreciated.
If anyone replies, would you be kind enough to make the instructions simple.
Thanks in advance.

Edited by DSTM, 14 April 2007 - 02:08 AM.

#2 fozzie (aut viam inveniam aut faciam) - Members, 3,516 posts, Ossendrecht/The Netherlands

Posted 13 April 2007 - 07:16 AM

Which program did you download from where?

#3 DSTM ("Bleepin' Aussie Addict", Topic Starter) - Members, 2,649 posts, Sydney, Australia

Posted 13 April 2007 - 07:19 AM

From Freedownload Centre, Fozzie.
It was a free browser.

Called FineBrowser
I Net Form Filler
They came down together.

I ran a Trend Micro scan at 1.00 am this morning and have only been on the BC Forum today, nowhere else.
FreeDownload Centre was the only other website, and while installing, the Trojan came up.
Hope this helps.

Edited by DSTM, 13 April 2007 - 07:53 AM.
#4 buddy215 - Moderator, 13,196 posts, West Tennessee

Posted 13 April 2007 - 08:01 AM

A good reason to use SiteAdvisor!!
http://www.siteadvisor.com/sites/freedownloadscenter.com

As a double check, I would use the two programs below.
Install SUPERAntiSpyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for BitDefender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 quietman7 (Bleepin' Janitor) - Global Moderator, 51,479 posts, Virginia, USA

Posted 13 April 2007 - 09:48 AM

When a program quarantines a file or moves it into a virus vault, that file is safely held there until you take action to delete it, so you should be OK. If your anti-virus is able to heal or repair the infected file, same thing, you should be OK.

However, I agree with buddy215 about doing a double-check to ensure your system is clean.

Download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan.

If you're running Win XP/2000, you can download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions.

If you're still having problems or want an expert to review your system, please see the "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

When you have done that, post your log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 DSTM ("Bleepin' Aussie Addict", Topic Starter) - Members, 2,649 posts, Sydney, Australia

Posted 13 April 2007 - 11:08 AM

Thanks so much, you guys, for your expertise. :thumbsup:
I will post back when I have done the scans, as suggested.

#7 quietman7 (Bleepin' Janitor) - Global Moderator, 51,479 posts, Virginia, USA

Posted 13 April 2007 - 11:40 AM

You're welcome.

#8 DSTM ("Bleepin' Aussie Addict", Topic Starter) - Members, 2,649 posts, Sydney, Australia

Posted 14 April 2007 - 07:46 AM

Update.
Downloaded and installed SiteAdvisor again. Deleted it a month ago as I thought it was slowing the system.
Already had SUPERAntiSpyware installed, so that was a plus.
Also had AVG 7.5 already installed. Ran in safe mode as per quietman7's instructions. :thumbsup:
Downloaded BitDefender 8. This is a magic piece of freeware.

There are a couple of things I'm not sure about, and would appreciate the answer.
This is the report from AVG Free.
The Trojan is in the AVG Vault.

Trojan Horse Generic 2.MSS.
C:\WINDOWS\System32\SiKernell.dll
Back up copy infected.
Cannot heal file.

1. Can I leave it in the vault indefinitely?
2. What does the said file do, because everything seems to be working fine now?
3. Back up copy of what, infected?
4. Cannot heal file - do I need it?
I will be extra careful next time downloading programs members swear by. This took hours to try and fix.

Thanks in advance.

#9 buddy215 - Moderator, 13,196 posts, West Tennessee

Posted 14 April 2007 - 09:25 AM

Note that kernell is spelled with two "L"s. That is what is in your quarantine file, so it can be deleted from quarantine. You can also leave it there as long as you want to. That trojan has been around a while, as you will see in the link I provided. You might want to check to see if the good dll spelled with one L is on your computer. The file path is in the link below.
http://www.trendmicro.com/vinfo/virusencyc...EA&VSect=Sn

#10 Walkman - Banned, 1,327 posts

Posted 14 April 2007 - 09:30 AM

sikernel.dll
SiKernel.dll is a Spyware component.
SiKernel.dll is a Browser Helper Object.
It monitors user Internet activity and sends private information to a hacker.
SiKernel.dll is used to display advertising information.
Delete SiKernel.dll from the BHO list using RegRun.

Removal: SiKernel.dll is removed by RegRun.

Also, to help you with your BHO's and HJT, download BHODemon
http://www.definitivesolutions.com

And the reason you will want that program is the fact that it will not only tell you which BHOs you have on your computer, it will tell you what program each belongs to and when it was installed, unlike HJT. It's fast, and very reliable as to your BHOs.

So, in other words, if you do send in a HJT log, you'll have no doubt whatsoever as to what BHOs are on your computer, and which program is responsible for each being there. This tool is very effective and it works fast. It doesn't have to scan your computer to find the BHOs. It looks in one location, and if they're on your computer, it'll find them.

The owner says he isn't keeping up with it due to a fire and such, but the program is still available. Get it, and take the guesswork out of your BHOs.


[Added Info]
The process belongs to the software unknown by unknown.

Description: SiKernel.dll is located in the folder C:\Windows\System32. Known file sizes on Windows XP are 58368 bytes (80% of all occurrences), 57344 bytes.
This .dll file is a Browser Helper Object (BHO) that runs automatically every time you start your Internet browser. BHOs are not stopped by personal firewalls, because they are identified by the firewall as your browser itself. BHOs are often used by adware and spyware. The unique ID of this BHO is 0140DF95-9128-4053-AE72-F43F0CFCA062. There is no description of the program. The program is not visible. SiKernel.dll is located in the Windows folder, but it is not a Windows core file. The file is able to change the behavior of or monitor Internet Explorer. The file is not a Windows system file. Therefore the technical security rating is 82% dangerous; however, also read the user reviews.

The above is another reason to use Firefox with its add-ons, and PeerGuardian, because your firewall isn't going to stop it, and if it's malicious or such, chances are their IP addresses have been banned, which means it would never get to communicate with the internet anyway. That's one reason why I stress to people to use PeerGuardian 2. It's better than a firewall, and I'd put any program that transmits back and forth from your computer to the internet, and vice versa, to the challenge.

Edited by Walkman, 14 April 2007 - 09:51 AM.


#11 DSTM ("Bleepin' Aussie Addict", Topic Starter) - Members, 2,649 posts, Sydney, Australia

Posted 14 April 2007 - 09:53 AM

Thanks so much, buddy215 and Walkman. This is great when these things are explained.
Will use the information provided, and sure appreciate your help. :thumbsup:

EDIT. I have Acronis True Image. By "backup copy infected", are they referring to the Acronis D drive backup being infected? And I can't just reload Windows using the Acronis disc?

Edited by DSTM, 14 April 2007 - 10:07 AM.

#12 Papakid (Guru at being a Newbie) - Malware Response Team, 6,614 posts

Posted 14 April 2007 - 11:42 AM

Hi DSTM,

Could you please do me a favor and post your HijackThis log, then link to it back here and let me have a look?

I don't mean to be a jerk about this, but the file in question has been misidentified. Exact spelling of the file name is important. What you have gets no hits on Google, so it is completely unknown at this time.

SiKernell.dll <--is what you have

NOT

Kernell.dll <--TROJ_DESTINY.A in the Trend Micro article
SiKernel.dll <--Note only one L--may be related to this or not: http://www.castlecops.com/tk1271-SiKernel_dll.html

Trojan files usually have been added in toto and can be completely deleted. True viruses infect files that you might want, so when a bad file is found, the AV will treat it like a virus and attempt to return the file to its original state--heal it. Since it doesn't know what the original state is, it can't be healed, so it is quarantined and can just be deleted.

If you haven't deleted this file from quarantine yet, do let me know. I would like to get a sample of it if possible--we like to submit new threats to AV companies and see what new files are out there.

I'm going to post this now, but have some other answers to your questions that I will post in just a bit.

The thing about people

is they change

when they walk away.--Mipso
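Two points made in the replies above lend themselves to one worked check: Walkman's description of how a BHO is registered (its CLSID is listed under one registry key, and the CLSID's InprocServer32 entry names the DLL that Internet Explorer loads), and Papakid's warning that the exact spelling of the file name decides which write-up, if any, applies. The example below is added here and is not code from the thread or from BHODemon, RegRun, HijackThis or any other tool named in it. To run anywhere, it parses a constructed `reg export` text instead of reading a live registry; the CLSIDs, the "Sample Popup Blocker" entry and its path are made up for the sample, and the list of documented names is just the two spellings the thread looked up.

```python
import re

# Constructed `reg export` text (hypothetical CLSIDs and a made-up second BHO;
# not taken from the thread). A BHO needs two keys: its CLSID listed under
# ...\Explorer\Browser Helper Objects, and HKCR\CLSID\{clsid}\InprocServer32
# whose default value names the DLL that Internet Explorer will load.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Sample Popup Blocker"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\System32\\SiKernell.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Sample Popup Blocker\\spb.dll"
"ThreadingModel"="Apartment"
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# File names the thread's participants looked up in public write-ups. A name
# that differs from one of these by a single character is a lookalike, not the
# documented file, and deserves its own investigation.
DOCUMENTED_NAMES = ("sikernel.dll", "kernell.dll")


def parse_reg_export(text):
    """Return {key_path: default_value} for every key in a .reg export.
    Only the '@=' (default) value is kept; that is where the DLL path lives."""
    defaults = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            defaults.setdefault(current, "")
        elif current is not None and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslashes and double quotes inside string values
            value = line[3:-1].replace('\\"', '"').replace("\\\\", "\\")
            defaults[current] = value
    return defaults


def list_bhos(defaults):
    """Resolve each registered BHO CLSID to the DLL Internet Explorer loads."""
    bhos = []
    for key, name in defaults.items():
        if not key.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1]
        server_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32"
        bhos.append({"clsid": clsid, "name": name, "dll": defaults.get(server_key, "")})
    return bhos


def edit_distance(a, b):
    """Levenshtein distance; file names are short, so a plain DP row is enough."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(bho):
    """Flags worth raising before trusting a database entry for this BHO."""
    path = bho["dll"]
    if not path:
        return ["CLSID is registered as a BHO but has no InprocServer32 DLL path"]
    base = path.rsplit("\\", 1)[-1].lower()
    flags = []
    if base not in DOCUMENTED_NAMES:
        for doc in DOCUMENTED_NAMES:
            if edit_distance(base, doc) == 1:
                flags.append("file name is one character off from documented name " + doc)
    if re.match(r"c:\\windows\\system32\\", path.lower()):
        flags.append("BHO DLL lives in the Windows directory; confirm it is a genuine Windows file")
    return flags


def report(text=SAMPLE_REG_EXPORT):
    """(clsid, dll_path, flags) for every BHO found in the export."""
    return [(b["clsid"], b["dll"], triage(b)) for b in list_bhos(parse_reg_export(text))]


if __name__ == "__main__":
    for clsid, dll, flags in report():
        print(clsid, dll or "<no DLL>")
        for flag in flags:
            print("   !", flag)
```

On a real machine the text would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` plus an export of `HKCR\CLSID`; the flags only say where to look next, and a DLL that trips the lookalike check should be submitted as a sample, as Papakid asks, rather than matched to the nearest write-up.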


#13 DSTM ("Bleepin' Aussie Addict", Topic Starter) - Members, 2,649 posts, Sydney, Australia

Posted 14 April 2007 - 12:31 PM

Kernel is only spelt with one L. Sorry, my mistake, Papakid. I was so stressed when I posted.
It is still in the AVG Vault.

Edited by DSTM, 14 April 2007 - 12:35 PM.

#14 Papakid (Guru at being a Newbie) - Malware Response Team, 6,614 posts

Posted 14 April 2007 - 01:18 PM

OK, that does change some things. I can understand you being stressed and you have my apologies for how this all happened.

However, from what I'm seeing this all may be because of a false positive and you could be worrying for nothing. If you notice in the CC database, which is the most reliable information we have, the status of the BHO is not determined. This is kind of hard to explain, but both AVG and SiteAdvisor may have been mistaken. AdsCleaner and Finebrowser appear to be from the same company--a BHO is a browser Add-on--could be good or bad. Common good ones are popup blockers, and this is an ad blocker. AVG called this a generic trojan, so that is probably a heuristic detection which are more susceptible to false positives. Probably this BHO is part of the FineBrowser and legit.

Have I confused you yet? :thumbsup: I think the best thing for now is I will download and install the trial version of FineBrowser and see if I can get some more solid information. If you haven't done so already, uninstall FineBrowser and you should be OK. Relax. I still wouldn't mind seeing a HJT log, but that is up to you.

Just some other comments:

Downloaded Bitdefender 8. This is a magic piece of freeware.

Don't know if you downloaded the AV application and installed it, but it is not a good idea if you have AVG already installed. I believe buddy215 meant for you to run the online scanner with Internet Explorer. I see there is a free trial of the program, but it is not needed when you can scan and clean online.

The free version of BitDefender does not have a resident scanner that stays in memory like most other AVs, so it is less likely to cause conflicts and fight for resources like when you do have two AVs installed, which is why more than one AV is not recommended. But I have noticed in HJT logs that there are some services installed, so it will slow down your system, and they really aren't necessary to have.

1 Can I leave it in the vault indefinitely?

This has already been answered. In quarantine it won't be running, so it is safe to leave it. Or it can be deleted from quarantine.

3 Back up copy of what,infected.

Not really sure about this.

BHODemon is a nice product, but it isn't needed to help determine if a BHO is good or bad, which is mostly what we are concerned about. We have databases to help determine that. When is relatively unimportant.

Also you don't need RegRun or PeerGuardian. The RegRun people may also have been mistaken in their database entry--with so much stuff out there it is hard to come up with reliable information. 82% dangerous still leaves an 18% possibility they are wrong. All you have to do to remove the problem is uninstall the programs and the BHO that came with it--or just the BHO, which you've done if it is in quarantine.


#15 DSTM ("Bleepin' Aussie Addict", Topic Starter) - Members, 2,649 posts, Sydney, Australia

Posted 14 April 2007 - 03:42 PM

Thanks so much, Papakid, for the detailed explanation, and I understand what you're saying. I feel much relieved. I will read up on the tutorial and post a HJT log to make sure all is well. For a lay person it's hard to determine what are positives or false positives.

In answer to your other query,
I have AVG Free installed, which also scans my emails.
Also:
BitDefender 8 free version as an on-demand virus scanner.
AVG Anti-Rootkit scanner.
AVG 7.5 Anti-Spyware.
Ad-Aware SE Personal.
SUPERAntiSpyware.
Advanced WindowsCare v2 Personal.
SiteAdvisor.
Eusing Registry Cleaner.
SP2 firewall, which only protects one way. Need an easy-to-manage firewall. Heard Comodo is OK.

Thanks again to all who helped. :thumbsup:

Edited by DSTM, 15 April 2007 - 12:26 AM.
