Algsvr.exe

10 replies to this topic

#1 Murasame

Posted 09 July 2007 - 01:56 AM

Hi,
I just knew some minutes ago that this pseudo-excel file that has been running in my task manager is actually a malicious exe that has been running all along. I need some help in removing this from my computer totally. Below is my hijackthis logfile.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:39 PM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\algsrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 163.21.40.5:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ASocksrv] SocksA.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BSserver] FileKan.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: prxernsp.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4000 bytes


#2 waterfalls

Posted 10 July 2007 - 01:41 PM

Hi -

Please follow these steps in the order stated.
You will need to print these directions because you will be working in Safe Mode without an Internet connection.

• I see that you have no Anti-Virus program ("AV") present on your system. Please install an Anti-Virus program.
Active Virus Shield -or- AntiVir® are good FREE Anti-Virus programs.
Never install more than one Anti-Virus scanner on your system! Having more than one AV installed will likely cause your system to become unstable and seriously decrease the reliable detection of any malware.
After installing the AV program, have it perform a complete scan, and let it delete everything it finds.

• Also, I see no software Firewall program present on your system. This will greatly help in preventing your system from being infected by malware. Please install a Firewall program because you really do need one.
Comodo -or- Jetico are good FREE software Firewall programs and are the two top programs in the ratings.
See, Understanding and Using Firewalls

• Please set your system to show all files.
- Go to Start > open My Computer
- Select the Tools menu and click Folder Options.
- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Uncheck Hide file extensions for known file types
- Uncheck Hide protected operating system files (Recommended)
- Click Apply, then OK

• Reboot into SAFE MODE
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ASocksrv] SocksA.exe
O4 - HKCU\..\Run: [BSserver] FileKan.exe


Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.
Exit HijackThis.

• Navigate to and delete the following files if present:
C:\WINDOWS\SOCKSA.EXE
C:\WINDOWS\system32\SOCKSA.EXE
C:\WINDOWS\system32\algsrv.exe
C:\WINDOWS\system32\FileKan.exe

• Reboot into NORMAL MODE

• Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log in your next reply.
• Post back with the log from Superantispyware and a new HijackThis log.

Edited by waterfalls, 10 July 2007 - 01:55 PM.

Take only memories, leave nothing but footprints.
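As an added illustration (not code from this thread or from HijackThis), here is a small Python triage of the HijackThis log format that the helper reads above. It flags the same entry classes waterfalls checked (an O2 BHO with no file, O4 Run entries that name a bare executable instead of a full path, an O10 unknown Winsock LSP) and also lists the R1 proxy setting for review; the heuristics and the sample line selection are the editor's. Legitimate bare-name entries such as SoundMan get flagged too, which is why a reviewer's judgement still decides what to fix.

```python
"""Triage a HijackThis v2 log. Added example; heuristics are the editor's, not HijackThis's."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the log lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 163.21.40.5:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ASocksrv] SocksA.exe
O4 - HKCU\..\Run: [BSserver] FileKan.exe
O10 - Unknown file in Winsock LSP: prxernsp.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    name: str     # Run value name, BHO name, LSP file name, or setting name
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<file>\S+)$")
ABS_RE = re.compile(r"^[A-Za-z]:\\")  # drive-letter absolute path


def image_of(cmd: str) -> str:
    """Return the executable part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer should look at, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1" and "ProxyServer" in body:
            findings.append(Finding(sec, "ProxyServer",
                "IE proxy is set; all browser traffic goes through it, confirm it is expected", raw))
        elif sec == "O2":
            b = BHO_RE.match(body)
            if b and b.group("path") == "(no file)":
                findings.append(Finding(sec, b.group("name"),
                    "BHO registered but its DLL is missing: orphaned entry", raw))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r and not ABS_RE.match(image_of(r.group("cmd"))):
                findings.append(Finding(sec, r.group("name"),
                    "autorun image has no full path; Windows finds it by PATH search, locate and verify the file", raw))
        elif sec == "O10":
            lsp = LSP_RE.match(body)
            if lsp:
                findings.append(Finding(sec, lsp.group("file"),
                    "unrecognised Winsock LSP; LSPs see every socket call, verify the publisher", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<14} {f.reason}")
```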


#3 Murasame

Posted 11 July 2007 - 05:34 AM

Thanks for replying waterfalls!

But this trojan is harder than I imagined to get rid of. Below are some of the problems I encountered while following the steps listed.

1) • Please set your system to show all files.
- Go to Start > open My Computer
- Select the Tools menu and click Folder Options.
- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Uncheck Hide file extensions for known file types
- Uncheck Hide protected operating system files (Recommended)
- Click Apply, then OK

After clicking OK, I went back to check the settings again. The Show hidden files and folders tab will appear to be unchecked again. No matter how many times I repeat this, it will always revert back to this.

2) • Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ASocksrv] SocksA.exe
O4 - HKCU\..\Run: [BSserver] FileKan.exe

Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.
Exit HijackThis.

• Navigate to and delete the following files if present:
C:\WINDOWS\SOCKSA.EXE
C:\WINDOWS\system32\SOCKSA.EXE
C:\WINDOWS\system32\algsrv.exe
C:\WINDOWS\system32\FileKan.exe

I went about deleting the related files and ran hijackthis to clear those logs you stated. For some reason, the 'application' will start again. The same old files will appear again and the same registry entries that showed up in hijackthis will appear again too.

3) I'm thinking the trojan is hiding the true .exe file in Windows and I can't seem to get hold of that and delete it. I also went on the net and searched about this, and there's this Mandarin website showing the steps on how to get rid of the virus. I'm not really proficient at playing around with registries and would like some help on it. It's in Mandarin, and I do understand Mandarin, but I do not know the terms they are referring to in Mandarin.

Here's the link anyway: http://ewer.netbei.com/53764.shtml

Hope I can stamp out this little bug >.<

#4 waterfalls

Posted 11 July 2007 - 11:05 AM

Please post the logs I requested.

#5 waterfalls

Posted 11 July 2007 - 04:32 PM

A couple of other things -

Please note that my very first statement says:
"Please follow these steps in the order stated."

There is a reason that I posted the steps in the order that I did.

As far as showing hidden files, you have to click "OK" and then "Apply" for it to take effect.

Additionally, after rebooting into Safe Mode, I posted that you fix those entries in HijackThis first and then delete the files. Your post reflects that you attempted to delete the files before you ran HijackThis to fix the entries.

So, as requested, please post the logs - and please read my future posts carefully so as to follow my directions.

#6 Murasame

Posted 14 July 2007 - 05:43 AM

Superantispyware Logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2007 at 04:16 PM

Application Version : 3.9.1008

Core Rules Database Version : 3269
Trace Rules Database Version: 1280

Scan type : Quick Scan
Total Scan Time : 00:06:34

Memory items scanned : 349
Memory threats detected : 0
Registry items scanned : 522
Registry threats detected : 0
File items scanned : 7946
File threats detected : 20

Adware.Tracking Cookie
C:\Documents and Settings\Yong Tat\Cookies\yong tat@atdmt[2].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@msnportal.112.2o7[1].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@ads.adbrite[2].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@stats[1].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@statcounter[1].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@questionmarket[2].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@adbrite[1].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@3.adbrite[1].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@revsci[2].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@casalemedia[1].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@doubleclick[2].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@msnportalbeetoffice2007.112.2o7[1].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@ad02.doubleadx[2].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@www.burstnet[2].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@advertising[2].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@2o7[1].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@tribalfusion[1].txt
C:\Documents and Settings\Yong Tat\Local Settings\Temp\Cookies\yong tat@msnportal.112.2o7[1].txt
C:\Documents and Settings\Yong Tat\Local Settings\Temp\Cookies\yong tat@msnportalbeetoffice2007.112.2o7

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2007 at 06:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3269
Trace Rules Database Version: 1280

Scan type : Complete Scan
Total Scan Time : 00:14:06

Memory items scanned : 329
Memory threats detected : 0
Registry items scanned : 3338
Registry threats detected : 0
File items scanned : 21436
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Yong Tat\Cookies\yong tat@atdmt[1].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@msnportal.112.2o7[1].txt
C:\Documents and Settings\Yong Tat\Cookies\yong tat@doubleclick[1].txt

Hijackthislog:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:44 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184256234734
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3838 bytes

#7 Murasame

Posted 14 July 2007 - 05:49 AM

I ran the antivirus and deleted the stuff it found. After that, it corrupted my win32 because I cannot open my C drive by double clicking but have to right click and select open instead. I tried to repair the registry by "upgrading" using the windows XP disc but apparently it crashed on bootup.

Thus, I reformatted my computer and installed all the programs recommended to me. The above logs were obtained after the reformat.

Final question: the antivirus program (I got AntiVir) detected the earlier trojans from the external harddisk when I plugged it in. I chose the delete option when they were detected. When I reveal all the system files on the external harddisk, there is a folder named RECYCLER, whereby it stores information on all the files that were deleted from the external harddisk last time. Is it safe to delete the items inside the recycler? Because I'm worried the trojan still exists inside there.

#8 waterfalls

Posted 14 July 2007 - 11:21 AM

Hi -

Your log looks clean.

Regarding the folder 'Recycler' - what you have is correct. To put it more simply, when you delete a file, the file is stored in the Recycle Bin. The file remains in the Recycle Bin until you empty the Recycle Bin or restore the file. The Recycler folder contains a Recycle Bin for each user that logs on to the computer, sorted by their security identifier (SID). So, to answer your question - yes, delete the files. The easiest way is to log onto each user and empty the Recycle Bin. Otherwise, follow these directions.

BTW, while the infected files may still be in the Recycle Bin, they can't reinfect you - except that they will be included in a newly-created Restore Point. If you notice, my instructions below for creating a new Restore Point begin with emptying the Recycle Bin.

• Please set your system to hide system files.
- Go to Start and open My Computer
- Select the Tools menu and click Folder Options.
- Select the View Tab and, under Hidden files and folders, check Do not show hidden files and folders
- Check Hide file extensions for known file types
- Check Hide protected operating system files (Recommended)
- Click Apply, then OK.

• If you have not done so, please empty your Recycle Bin.

• Create a new Restore Point:
- Go to Start > All Programs > Accessories > System Tools > System Restore.
- When the utility opens, select "Create a new restore point" and click Next
- Name the restore point - something like "After infection cleaned" or "After cleaning"
- Click Create.

• Delete the old Restore Points:
- Go to Start > All Programs > Accessories > System Tools > Disk Cleanup. Click Ok.
- Click the "More Options" tab.
- Where it states "System Restore" - click Clean up.
- All of the old Restore Points will be deleted EXCEPT for the one you just created.

Reboot your computer.

• To keep this clean in the future, I would suggest the following things:

• Install Spywareblaster. SpywareBlaster doesn't scan and clean for so-called spyware but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls and also prevents the installation of any of them via a webpage. Update it periodically.

• Install IE-SPYAD puts over 20,000 sites in your restricted zone, so you will be protected when you visit innocent-looking sites that are not actually innocent at all.

* Avoid illegal sites because that's where most malware is present.
* Don't click on links inside pop-ups. If you should get them, use ALT + F4 to close them.
* Don't click on links in spam messages claiming to offer anti-spyware software because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust because a lot of free software can bundle other software, including spyware.

• Let your anti-virus and anti-spyware scanners scan frequently and don't forget to update before scanning.

• I suggest you perform an online virus-scan once in a while (Housecall and/or Bitdefender) because what one virus-scanner can't find, another one maybe can.

• Make sure your Windows has the latest updates by going here.

• More information on how to prevent malware can be found at So how did I get infected in the first place? (by Tony Klein) and Malware Prevention: Prevent Re-infection.

Happy surfing again! :thumbsup:

#9 Murasame

Posted 14 July 2007 - 11:38 AM

I need to rephrase what I posted in my 2nd previous post regarding this:

"Final question: the antivirus program (I got AntiVir) detected the earlier trojans from the external harddisk when I plugged it in. I chose the delete option when they were detected. When I reveal all the system files on the external harddisk, there is a folder named RECYCLER, whereby it stores information on all the files that were deleted from the external harddisk last time. Is it safe to delete the items inside the recycler? Because I'm worried the trojan still exists inside there."

I noticed that the trojan actually transmits through portable hardware devices. So it exists in both my external harddisk and thumbdrive. In the case of my external harddisk, there is this system folder named RECYCLER, which is shown when I follow these steps, which you taught before.

- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Check Hide file extensions for known file types
- Check Hide protected operating system files (Recommended)
- Click Apply, then OK

The folder will show up and there will be some files in it. Is it safe to remove them? Because earlier on I removed the trojan that stayed in my external harddisk by deleting an .INF and the trojan file itself from the external harddisk. I'm worried it might stay inside the files in the system folder of the external harddisk.

Anyway, I will follow the last part of the instructions posted. Just need to clarify some things. :thumbsup:

EDIT: I overlooked the hyperlink in the instructions you gave me on removing files in RECYCLER. However, if I do see the files in RECYCLER, is it alright to directly delete them? Or is it better to follow the instructions given?

Edited by Murasame, 15 July 2007 - 06:40 AM.


#10 waterfalls

Posted 14 July 2007 - 02:15 PM

You did a good job in researching. :thumbsup:

Yes, the infection that you had on your C:\ drive is spread by removable drives. As I previously mentioned, you should delete the files in your Recycle Bin, i.e., empty ALL of your Recycle Bins. You can either 'directly' delete them or follow the directions on the Microsoft support page. It doesn't matter which method you select. I personally would select what you termed 'directly' deleting them because I would feel more secure in my manually having deleted the files/emptying the Recycle Bins, thus knowing that they were nuked. So, check all of the drives - your C:\ drive, your external hard drive and your thumbdrive.

Also, you should periodically scan those drives with AntiVir as well.

Hope this answered your question...

#11 waterfalls

Posted 24 July 2007 - 01:38 AM

Since this issue appears resolved ... this topic is closed.

Everyone else please begin a new topic.