Trojans Found Serendipitously

Hope Chaslang picks up this one. It’s the third part of the trilogy, and he has already seen the first two parts.

This is the third computer, the new one, a Lenovo 3000 H200 with Win XP. It’s the one I bought in May after “Spyware Disabled McAfee Security” on the Compaq, and I tried to upgrade the old eMachines just to get by long enough till I got the Compaq running again. I really got tired of going to the library to check email, and I did not want to buy a Vista computer. I was hoping to wait it out until Win 7 had SP1. But then I got “Malware in the First Allocation Unit” on the eMachines, so I found this Lenovo with XP and bought it. How else was I going to download all those MG tools and correspond with you in the Malware Forum?

Out of the box I updated the antivirus program and downloaded a ton of Windows updates. Set up one Admin (Janice) and one restricted user (Jack) account, disabled the guest account, and password-protected (14 characters!) the original Administrator account and those two I created. Well, everything on the Lenovo seemed OK and the Trend Micro Internet Security (TMIS) it came with had only found “bad” cookies, including the last full scan on 072409. I had just gone back to “How to protect yourself from malware!” and downloaded SpywareBlaster (which TMIS did not like) and adjusted the only two Active X security settings I had not changed: Set Navigate sub-frames across different domains to Prompt and Set Allow paste operations via script to Disable.

I was about to start a thread asking Chaslang what those last two settings meant. I googled them both and got the idea that web pages can have something from more than one actual location and that spyware can do bad things with the clipboard data. Close? Anyway, I got the prompt about sub-frames navigating when I signed out of ATT Yahoo and I was baffled by when to say yes and when to say no. I’m guessing ATT Yahoo could have things from both AT&T and Yahoo on the same page, so how do I decide which choice to make? I said yes, hope that was not a mistake.
Plus I could not read the links for Configuring CIS for Maximum Security with ZERO Alerts for Novices. I got an error message instead. I signed up and looked through Comodo Forums but could not find the topic, so I was hoping there was another way to get the info.

So, still wondering why I got a different login URL for my ATT Yahoo account on the Compaq, I got the idea to run HijackThis on it (since all the McAfee stuff was off) and then run HijackThis on the Lenovo (which should be a clean baseline) and compare the entries. Yes, I know two totally different computers, but I thought I would like to have a baseline on the Lenovo when it was not compromised with malware, so I would be able to see what had changed if I did get infected.

So I ran HijackThis on the Compaq 072409 and tried to print from notepad and my printer would not print it. Tried canceling and deleting it several times and ways and it was still stubbornly there “deleting” but never getting gone. So I gave up (for awhile) and went to the Lenovo just to do basic maintenance. I cleared the cache of temp files, ran CCleaner and defragged (it had been a month) even though it said it did not need it. Since I had SuperAntispyware on it, I updated it and ran it, finding nothing. It was getting late last night, but I saw Malwarebytes there too and I thought, what the heck, I’ll run it, too.

Now you know what’s coming. Imagine my surprise when I look over at the screen and see 5(!) threats. I am hoping for “bad” cookies, but up come registry entries and Trojan.Agent and Trojan.BHO. So I googled those entries and found all sorts of bad news. I turned off the computer to deal with it today.

I ran Trend Micro scan and found even more. See attached.

I had ComboFix in the C:\Download folder since I’d downloaded everything on the Lenovo and burned a CD to put it on the Compaq and the eMachines. I tried to update it at bleepingcomputer.com, but kept getting a message that server could not be found, so I ran the old copy I already had. It looked like it only looked at #49, took just a few seconds and gave a report. I disconnected from the internet before I ran ComboFix and RootRepeal since I had to disable Trend Micro to run them. So it will be out of date. RootRepeal and MGTools are going to be the same date, so if you have newer, I will try to get them later.

I am really bummed by this third strike. It seems all I have done the last 4 months is take computers apart, upgrade and put them back together, fight spyware, move them around and fight some more spyware. ARRRGGHH!!! I was totally unsuspecting that I would find any problems on the Lenovo since the 072409 Trend Micro scan was clean but for the cookies. I guess I am lucky I stumbled upon my findings by accident.

One of the things I found googling the first registry entries was Article ID: 555373 - Last Review: July 19, 2005 - Revision: 1.0Screen background flickering. My monitor has been flickering, but it’s the same age as the old eMachines, so I thought maybe it was going out. I had put other monitors with the other two computers so I don’t know if this monitor would flicker with them or not. I don’t remember it flickering when it was attached to the Compaq prior to April. In retrospect there are two other problems I have had with the Lenovo, and malware never crossed my mind. The date and time keep changing to 13 hours later (Chinese time?) and I have to set it back. Occasionally, on opening a new window to view a web page, the page will not fully open and the page will just display in the upper left quadrant, but not fully, and the internet explorer icon will be all that is for that page in the menu bar below. Don’t know if those are important details, but I will mention them all the same.

Also, since the basic computer maintenance guide said to run CCleaner on all user accounts, I’d like to know if it makes any difference running spyware scans on admin or restricted user accounts. I ran them on the Janice admin account, but then I did rerun SuperAntispyware and Malwarebytes on the Jack limited account. Malwarebyes found 3 threats on the limited account. Should a scan on an admin account get them all?

Looking forward to solving my problems…….Hope the third time’s the charm.

 

Rest of attachments
This second MB is from the limited user account.

 

Chaslang, you’re right. Sorry to have dumped all my frustrations on you. Commiserate with me just a bit. :cryI’ll adjust my communication style to yours.

In my Admin account, I ran the Windows Messenger link you provided. I disabled it for all users. I don’t see anything different.

Before I ran any scans I could not open ATT Yahoo to read email (or go to ATT or Yahoo sites). If the site should come up after an ever so long delay, it let me enter username and PW but then just looped back to the same page. Today, before and after running Windows Messenger fix, when I try to log into att.my.yahoo.com, I am sent to a https page titled Yahoo Account Info, which requests alternate email address (already there) and/or mobile phone (both optional) to send password resets and account emails. It insists upon my entering two secret questions and answers (not going to!) and will not let me continue otherwise. I do NOT get this screen when I log in on any other computer at home or library.

I can get into Hotmail and PeoplePC email accounts but Gmail takes forever trying to open (never does) after I enter ID and PW, won’t let me close the page, sometimes then crashes IE and shuts down.

Still in Admin account, I ran the Windows Messenger link a second time, choosing uninstall option. I don’t see anything different. Same problems with Yahoo and Gmail on Admin account.

I rebooted and tried the limited user account. I can get into ATT Yahoo email and read it with no problem! However, I cannot SEND anything from it; when I click Compose, Loading…comes up at the top center of the page like it usually does, but then stops and leaves me on the same page I started. Gmail has the same problems as Admin account.

On the MGTools hijackthis log, I noticed line O2 with a no name BHO. O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
Doesn’t that have to go? How do I get rid of it?

 

Chaslang, so glad to get your reply!

I hate to say that I did not even know I had Windows Messenger on the computer. If I have ever used it, I am unaware. I don’t IM anybody—always thought it was too risky. On googling (you knew I would) I found that Microsoft recommends it be disabled; well, news to me. Darn that Microsoft! If they think it should be disabled, why don’t they send a patch out to take care of it?

I gather you do not consider the things in MB and TM scan worrisome. It’s just that finding anything that shouldn’t be there on my new computer is like finding that first scratch or dent on a shiny new car—upsetting!. Since you see all kinds of malware every day, you know which ones are really bad. I see anything, my incomplete rules of thumb say any registry modification equals bad. I just want to feel secure that my information on my computer is not going to be stolen, and on those occasions when I do shop online, that my credit card number is not going to be stolen either. No need for you to say anymore about them. Your statement above that they are insignificant is good enough for my peace of mind.

I did remove the no name BHO with HJT. Well, darn that Microsoft a second time! You’d think they could slap a name on all their BHOs. I’d looked through a bunch of posts and was using pattern recognition to form my rules of thumb that no name BHOs were bad. Then there has to be an exception which ruins my theory!

As for TrendMicro settings, you are right on target with that too. When I found the MB threats and then the things in my TrendMicro scan, I decided nothing else was getting in and nothing was going out and raised my level of protection on Internet and Email from Medium to High. The wording for High is “This setting provides the most protection against web threats. TMIS only lets you open Web sites with a very good reputation, and blocks all others.” Having never used TrendMicro before and having never had my level of protection on any computer higher than Medium, I had no idea I was blocking myself. :-o Once I moved TM back to Medium, Gmail will let me in, but only if I use https, and I can email from Yahoo just fine with the limited account. Gmail lets me in the Admin account with setting Low and https. Still cannot get in Yahoo via the Admin account. That’s OK; I’ll pursue it in the Software Forum if I still have problems after I change my security programs as I plan below.

The trial subscription on TM runs out on 082409 and I am planning on replacing it with Avast and Comodo firewall. I still cannot read the link for Configuring CIS for Maximum Security with ZERO Alerts for Novices that you have in “How to protect yourself from malware!” I got an error message instead: “The topic or board you are looking for appears to be either missing or off limits to you.” I signed up and looked through Comodo Forums but could not find the topic, so I was hoping there was another way to get the info. Would you check to see if the link works for you?

Yes, this file does exist. Properties on it: regi driver, copyright Intervideo Corp. It must be a part of Intervideo WinDVD 8 which shows up in Add or
Remove Programs as last used on 3/13/09, which seems odd since I started using this computer in May. Windows Live Toolbar has same date, so maybe that is when Lenovo installed them both. I guess I should try the Intervideo—I have just been using the built-in Windows CD burning for my backups.

Thank you for looking over my logs again to rule out malware. I appreciate it very much.

Now, what do I need to do to finish up?

And Chaslang, if I ever send you another post you want done differently, just kick it back to me by email and tell me to redo it. I won’t mind at all. I can see you are way too busy to have to edit posts.

BTW, former math major here, got A’s in everything from Honors Calculus to Differential Equations to Statistics. So I get your signature.

 

Chaslang, I have been working through the rest of your sticky: How to Protect Yourself from Malware! It was what I had been doing before I got sidetracked with the problems in this thread.

This is an intentional bump, since this thread is coming to its end anyway, so you can put me at the very end of the queue. I know you have plenty of folks waiting with much worse problems than I ever had. No rush for a reply, and if you prefer, you may refer me to the Software Forum for the answers to any questions.

I finished the Disabling Autoruns procedure with success.

I downloaded and installed the latest Mozilla Firefox. I am trying to figure out if I should just say yes to the bar that says additional plug-ins are available on each page. Anything I should not grab? Anything I should not do? It will take a bit of getting used to.

I updated the Mozilla part of Spywareblaster (rest had already been done) and checked all the cookies to stay away.

Looks like I still need the Sun Java. (Don’t be mad when I say this—I have it on my other computer and I never knew there was a Sun Java cache to empty!)

How do I do that? You know that I definitely do not want any “baddies” anywhere!

I did set to Prompt, but what do I say when the Prompt comes up? That ATT Yahoo page does that to me about sub-frames when I close it. How do I know when to say yes and when to say no? Should I just say no all the time?

Since Trend Micro put up such a fuss when I installed Spywareblaster (gave me two high alerts, and surprised me since TM had never had to alert me to anything at all before), I thought I’d research compatibility with Spybot before I tried to put it on. I ran into the big argument between Safer Networking and TrendMicro. This is just giving me a headache, although it looks as if Spybot can be installed after TMIS. Anyway, I may just hold off until I switch to Avast and Comodo firewall, since it’s a matter of just two weeks. Are you aware of any incompatibilities among the Avast, Comodo, Spywareblaster and Spybot? I don’t want to create any new problems. Some boring stability would be nice for a change.

Wish I could report to you that I’d gotten everything done in the sticky. I still plan to.

Having problems with three computers in about as many months has not been fun, but I have enjoyed fighting malware with you and learning from you. Thanks for sharing your knowledge. I appreciate your help on everything very much.

I’m done. You may close this thread.

 

Chaslang, may I ask you a few more questions? I am almost through the Sticky: How to Protect yourself from Malware! on my Lenovo computer.

I am so glad you recommended Mozilla Firefox. I had been unable to get into ATT Yahoo email in my Admin acct. The page that kept asking for a cell number and security questions does not appear at all in Mozilla, and I can log in with no problem at all! (It is still there in IE6.) Firefox is noticeably faster than IE6; I can read email as fast as click, delete, click, delete. It was worth doing the sticky if just for that alone.

I discovered I had MS Java on the computer, no Sun. I verified that the MS Java files to be removed existed. Then I used the removal tool in the sticky.

Right after, I went on to download the Sun JRE 6 Update 16. I installed it and went through Mozilla to verify Sun Java was working, and it was. However, when I went to IE6, SJ was not working. All I get is the dreaded red X.

Sun provides three different troubleshooting methods: I’ve enabled Java in both browsers, I’ve tried enabling it through Java's control panel and I've cleared both browser caches. I went through all three procedures once, closing and opening browsers, and then a second time, rebooting afterwards. I uninstalled and reinstalled Sun Java and went through all three procedures again, unchecking the choices and rechecking them, but nothing works in IE6. Then I made IE6 my default browser, hoping that would help, and went through everything again—still red X. I guess I could just live with it and use Mozilla most of the time, which I plan to do. However, I’m guessing a time will come when I’ll need Java in IE6, so I wonder if you have any other troubleshooting ideas.

I then went back to verify that MS Java had been removed. Not entirely. I wouldn’t think having some MS Java files still would conflict with Sun Java, but I wanted to ask to make sure. The file java.PNF is still in the C:\Windows\inf folder. The tool removed the files jview.exe and wjview.exe from the C:\Windows\system32 folder and took the MS Java related files out of the C:\Windows\java folder, but left the folder itself with a Citrix Online file g2mdlhlpx.exe. Do I need that file for anything or should it go? I tried running the tool a second time with no better results. Then I thought I’d just use the first method instead of the removal tool. However, I get a Microsoft VM uninstall box that states: “If this component is uninstalled, Microsoft Internet Explorer will not be able to download files from the World Wide Web. Do you still want to uninstall the Microsoft VM?” I said no, assuming I might not be able to get Automatic Updates or much of anything else via IE6. So what should I do?

Re: Windows Messenger--On every computer I‘ve always had Automatic Update set for automatic download, notify me for installation, since I like to see just what Microsoft is sending as patches. The only thing that has come through that I have not installed is IE8; it is there every time I click the Automatic Update icon in systray. On looking through the posts, I see you guys have had to hand out that WM fix to quite a few folks, so it seems a lot of us must have somehow missed the patch for Windows Messenger.

Since I had to be missing something, I went to Windows Update and found SP3 had downloaded but I had not installed it. I imagine it came sometime during all my computer troubles. I thought it might have IE8 with it and I did not want to install it since I had read that some who installed IE8 found problems with it and ended up uninstalling it. I thought SP3 would just remain to nag me, but instead only IE8 shows up when I click the Automatic Update icon in systray.

Re: Windows XP Service Pack 3 (KB936929), I found this, so I went ahead and installed it. “XPSP3 will continue to ship with IE6 and contains a roll-up of the latest security updates for IE6. If you are still running Internet Explorer 6, then XPSP3 will be offered to you via Windows Update as a high priority update. You can safely install XPSP3 and will have an updated version of IE6 with all your personal preferences, such as home pages and favorites, still intact.” I hoped it would fix my Java problem, but red X still.

Here are all Microsoft updates that I have not installed. Which do you recommend I install to enhance security?

High-priority (2)
Internet Explorer 8 for Windows XP
Update for Windows XP (KB968389) strengthen authentication credentials

Software, optional (11)
Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x86
Update for Root Certificates [May 2009] (KB931125)
Microsoft Base Smart Card Cryptographic Service Provider Package: x86 (KB909520)
Windows Search 4.0 for Windows XP (KB940157)
Windows Media Player 11
Update for Microsoft Core XML Services (MSXML) 6.0 Service Pack 1 (KB934268)
Remote Desktop Connection (Terminal Services Client 6.0) for Windows XP (KB925876)
Update for Windows XP (KB904942) resolve HTTP authentication issues in Windows-based systems that do not appear until Microsoft Internet Explorer 7 is installed
Update for WMDRM-enabled Media Players (KB891122)
Update for Windows XP (KB896344) enable support for collecting data in a 32-bit Windows XP environment and applying it to a 64-bit Windows XP environment
Windows Messenger 4.7 (Odd that WM would be here unless maybe that’s a fixed version?)

I have new AV, firewall and Spybot downloaded, just waiting to put them on, hoping to get the above all straightened out first.

 

No problem. I know that is true. I read that there are 6000 new malware threats every day, or four every minute, and that 1.2 million unique pieces of malware were detected in the first six months of the year, as many as were detected in all of '08.

Just wanted to let you know, except for Java problems and some software questions, I completed the Sticky for both computers. (And I am not going to talk about problems on more than one computer here so I don’t violate Rule #4.)

I also wanted to let you know this.

You might want to warn everyone making this choice that the current Crawler toolbar 1.3 is called “Not compatible with Firefox 3.5.2”. That’s the message I get in Mozilla.

It’s been nice to find an expert whose answers I can trust, and I am hoping your Sticky will keep me safe on the malware superhighway. That’s why I’ve been intent on getting it done. That’s also why I asked so many questions. One expert opinion from you has been worth 20 Google results for me to sort out. I hope I find the folks in the Software Forum as knowledgeable.

No need for a reply. One day I may send you a sticky about what I learned in the Malware Forum. Thanks for everything.:wave

 

Chaslang, this is just FYI. I posted in the Comodo forums and tracked down the link for Configuring CIS for Maximum Security with ZERO Alerts for Novices. The topic was revised 082409 and has been renamed How To Achieve Max Security With ZERO Alerts! Here’s where to find it: https://forums.comodo.com/feedbackc...e_max_security_with_zero_alerts-t44371.0.html
There is a YouTube video with it now.

When you edit your sticky next time, you ‘ll have the new info to go under 5) AntiSpyWare Tools, Free Tools, Comodo to replace the old link.