Backweb & WREN.F Trojan - HELP!

Hey guys -

I've done everything recommended on the forums. You can read most of the history here:

http://forums.majorgeeks.com/showthread.php?t=40123

I have a brand new 144 G Compaq Presario, AMD Athlon (tm) XP 3000+, 2.10 GHz, 448 MB of Ram. My OS is XP Home.

Here's the latest things I have done.

1. Downloaded all of the Windows updates and installed, including software, hardware & office. Restarted computer.

2. Double checked and made sure System Restore was disabled. It was.

3. Checked to see if Network Security Service was running. It wasn't listed.

4. Enabled viewing of hidden files and folders and extensions. Should I just keep these in view or hide them again?

5. I did online virus scans from TrendMicro - nothing was found.

6. I did online virus scan from PandaSoftware - Found 4! Removed them!! Here's the log:
>>
Incident Status Location


Virus:JS/Illwill.A Disinfected Personal Folders\Deleted Items\price_08.zip[price.html]
Virus:W32/Bagle.AM.worm Disinfected Personal Folders\Deleted Items\price_08.zip[price.exe]
Virus:JS/Illwill.A Disinfected Personal Folders\Deleted Items\price_new.zip[price.html]
Virus:W32/Bagle.AM.worm Disinfected Personal Folders\Deleted Items\price_new.zip[price.exe]

7. I went into safe mode and ran the CCleaner. It fixed 137 problems, most of which were left over registry files from removing software, etc. I saved a reg. back-up. Should I keep this?

8. Still in safe mode, I ran Ad-Aware with the VX2-plug-in. There were 40 objects which included e-acceleration, cookies and typical MRU stuff.

9. Still in safe mode, I ran Spybot. Nothing was found.

10. Still in safe mode, I ran CWShredder - it was clean.

11. Still in safe mode, I ran Kill2Me. I think my computer was clean, but it cleaned it anyways.

12. Still in safe mode, I went ahead and ran the about:Buster program. It was clean. I kept the log file. Do you need to see it?

13. Still in safe mode, I ran A2. It was clean.

14. I tried to run AVG in safe mode, but got an error: Driver (CORE) not found winerr=2
I went ahead and ran AVG once I got back into full mode and it was clean. I also got an error message again right after I booted back up into full-mode that said: C:\DOCUME~1\Owner\LOCALS~1\TEMP\AAWTMP\C5040281\tetra.dll Trojan Horse Downloader.Wren.F may be on your computer. Run AVG. When I ran the AVG, it did not find it.

15. I checked out the Black Viper website that Nirvana recommended. That place scares me! I'm terrified of disabling something in the processes. I checked out the list, and although I have a few processes that he says are okay to disable, I have a TON that aren't on the list. Also, I'm not sure I understand the correct way to disable them.

So, I still have backweb running in my processes and a few others that don't look good to me.

My processes are listed on the 2nd page of the above thread if you need to see them. I tried to upload them here, but it won't let me. (http://forums.majorgeeks.com/showpost.php?p=418363&postcount=23)

Anyone have any ideas on what I should do next?? HELP!!

 

Please help??

 

Chaslang -

Should I delete what's in the TEMP folder or the Temporary Internet files folder?

The TEMP folder has what looks like important folders - such as:
Adobe
FrontPage Temp Dir

etc...

It's okay to delete all of this??

Thank you!!!

 

Hi Shelle,

This is for after chaslang has fixed you up
If you want a bit more info on Backweb - http://pestpatrol.com/pestinfo/b/backweb.asp . Note that it is sometimes bundled with Compaq products. If you have already covered this, I apologize for the redundancy!

PP

 

Ok Chas -

Got this error:

Cannot delete Perflib_Perfdata_7d8:
It is being used by another person or program. Close any programs that might be using the file and try again.

There's also several strange files left - like
temp.log
skycaptain.bmp
re2.bmp
Perflib_Perfdata_7d8.dat


Thank you Phillie - I'll read up on that. I didn't know about backweb at all!

HUGS to you both!!!

 

Ok.

Went to delete that file - it isn't there. I did a search for it and it said that drive was unavailable.

Quick question before I run HijackThis. Can I create a new folder on my desktop for it?? Is that cool??

 

ACK!! Let me redo it. I got ahead of myself. Gonna delete the extraction. I don't know how to create a directory - but I think I can figure it out. Give me a few....

Sorry! I'm technically challenged in some areas!

YES - viewing of hidden files is enabled.

How do you view the other thingy bob??

 

How do I hide protected operating system files?

Uhm, I'm not using Windows explorer... It's been so long I don't even know how to do it. I'm going into my computer and following file paths that way. Is that okay?

How do I create a directory?

Sorry - I thought I was smarter than this - apparently I'm not.

 

Ok - created a directory for HiJackThis
Enabled system viewing - Knocking myself in the head - shoulda know where this is. Thank you for reminding me where explore is... awfull how you forget after months of not having to use it.

Ok - off to do a HijackThis log. Be back in a jiff!

Bless you!! <kissing of the feet>

 

Here it is!! What next??

 

Hey ran this after using the advance mode. Still got the same error.

 

Tried again - it said unavailable. May have been moved.

Um - I confess - I use WildTanget but it's not a must-have. Use it every once in a while.

 

I also just started using mozilla firefox browser. See? I AM learning... Maybe there's hope for me yet??

 

Oops... uhm, should I rerun it?? I'm sorry. You know, I did go back and read the README file. just a little too late me-thinks..

If you want me to redo it I will.

One other thing - My new computer didn't come with an XP disc. What is wrong with these people?? Is that going to be a problem? Uhm, another confession: I did a backup of my new computer - 6 whole discs in all! - AFTER I realized I had the trojans and stuff....

Flog me!!

 

Ok -

I ran HJT in full mode and removed the 02 thingys you said to remove.

Then I got into safe mode under administrative. I ran HJT again and saved the log file. It's attached.

I searched for the file and got the same error as before.

I also ran down through Windows Explorer (aren't you glad you re-taught me how to do that???) and couldn't get access to the OWNER folder. Duh - because I was on as ADMIN.

So.. me being my little resourceful self - I logged off and went back in as owner. See? Aren't you proud? I did Win. Exploring again and got to the Owner, Local, Temp file and did not see a AAWTMP folder or file. All that other crap was in there and I selected it all and tried to delete it. It said, "No Way Jose!"

So, I came back on and here I am. It's 1:30 a.m. here and I can usually stay up late since my husband ran off with Uncle Sam to go play in the sand - but for some odd reason I'm tired. Can I get back with you tomorrow on this Chas??

My brain is fuzzy and I'm libel to mess you up with not doing things right.

You are THE MAN!! Love ya' honey, but sleep calls....

 

Chas -

I checked out that article from MS on AVG. That's weird because I just downloaded AVG about a month ago and my OS is XP Home.

I Win. Explored my way down to that folder. Here's what's in it. (yes, viewing of hidden files and folders are enabled):
1. A folder - QWMSHTML - It appears empty.
2. Folder - VBE - Inside is file MSForms.exd
3. File - IadHide4.dll
4. jusched.log
5. Perflib_Perfdata5_ac.dat
6. re2.bmp
7. SETUP.INF
8. skycaptain.bmp
9. summer.bmp
10. temp.log
11. tmp.xpi
12. wecerr.txt
13. ymsgr.exe

That's it. I don't see the tetra.dll file at all.

Wow! I just tried to delete. It let me get rid of all except:
1. IadHide4.dll
2. jusched.log
3. Perflib_Perfdata5_ac.dat
4. re2.bmp

That's odd... isn't it?? I hope I didn't mess anything up.

Hope you got some sleep man. 6 am came way too soon for me!
I'm around all day, so if/when you get a chance....

Thank you for staying up so late with me! You're cool!

 

Hey Chas!!

Sorry I didn't get back to you yesterday. It was hectic!

I read those links.

I removed the backweb & Wild Tangent. Aren't you proud??

I had to stop backweb in the processes and then explore down to it. <g> I'm so glad you reminded me how to use explore! TY!

Also, I read about the virus vault. I do empty that now. I found it about 2 or 3 days ago.

I don't know if I'm clean or not, because I don't know about that WREN.F trojan. You've seen my HJT log, is everything okay now?

Bless you my techie friend! You're the bestestest!

 

Hey chas - -

I"ll look into that website and into Sun Java. I think I'm okay now. I still have a lot of processes running (45!) and I checked out the website that Nirvana sent me to - but that stuff is just GREEK to me. It scared me!

You'll be proud to know that I'm at least looking into getting DreamWeaver and kicking FP out the door. I know, I know, it's not HTML but it's better than FP - right??

Bless you my friend - and this forum. You guys ROCK!!

Forever indebted!

 

Chas -

Man - I'm sorry!! I've been bogged down with this new project - and stuff.

Here is that HiJack log you requested and - I think I'm having some other serious problems. I am still getting my FP extensions corrupted. Now I have the error: SERVER ERROR: Cannot create folder "_vti_cnf". when I go to publish my website from FP 2002. And - just now - I lost my FireFox browser right after I ran the HiJackThis scan! I didn't realize that was going on.

Anyways, when you get a chance, can you take a look?

Thanks!!
Shel

 

Oops - My Firefox works fine. Sorry!! I lost my homepage though.

Thank you!!!!!
Shel

 

Hey -

Nope, don't use RealPlayer or Quick Time. I was going to do the uninstall for the Java - then I read #4 - I don't understand it. So I didn't do it. I just did now though - and am stuck at #4. I don't understand how to find REG-KEYs and stuff and how to find system root and all that. Makes no sense to me. I'm sorry!

My homepage should be: www.refdesk.com

What does it say it is??

Bless you my friend for coming to my rescue once again. I will follow your instructions exactly if you can explain #4 in the removing MS Java stuff. I'm a idiotic semi-computer geek.

Ok - I'm heading to bed - no rush on this. My website is back to doing it's crazy stuff and I'm tired of trying to fix it. I sent out a quick message to my subscribers today that the site is down and will stay down for a few days. <sigh> I hate working for myself!

BTW - My web hosting company swears up and down that I am corrupting the FP extensions every time I publish my website. I back to not being able to publish anymore because of the error I get (see previous post).

I'm to the point if you told me to do a complete format - I'm ready to. I'm about at my wits end. I'm running AVG every day. I try to remember to run Ad-aware & Spybot every day, but I don't always remember. But they're usually really clean except for cookies.

I ran CCleaner again tonight - BTW.

AND - System restore is off - hidden files are being shown.

Again - I'm headed to bed. I ramble when I'm tired. Thank you CHAS! You are - as I've said - the bestestest!

Your banging her head against the hard desk friend,
Shelle

 

Oops - I forgot one thing - then I'm going to bed - really! I am!

Every time that I turn my computer on - I get a backend web error telling me the file cannot be found. I don't have the exact error, but I could if you need it. I'm guessing some of the registry (?) files are still on the system?? It's not important, just annoying.

Bowing down at your feet in complete and utter exhaustion and incredible thanks!
Shelle

 

Chas -

You are so COOL!!! Took your advice. Removed QuickTime and Real Player. Also did a HijackThis and Fix for that line. It worked!

Ok - I'm headed over to the software forum to see if anyone has any ideas about what's going on.

Thank you so much for all of your help! You are great!!!

Bless you!
Shelle

 

Just FYI -

You guys are the greatest. Major Geeks is by far the best website I have found with the most impressive people. I am constantly amazed by the helpfulness, amazing knowledge and friendliness here.

I don't know the history of this site, who started it, if you guys get paid or what, but I want you to know that I am very impressed and just wish that I could return the favor. I've been recommending it to anyone and everyone who will listen though.

Thank you for everything!!!
Shel

 

Chas -

Thanks for the heads up. That's so cool!!! Amazing that you guys do this strictly voluntarily. Bless you guys!!

BTW - - just a quick question: When I go to my own personal website and do a refresh (to see if the last error'ed FTP worked) I get a strange thing that pops up in the bottom brower bar. It says transferring from www.thecorpwriter.com as it should, then, very quickly it says, transferring from zinelist.com. I checked with my web host and they said that's indicative of a virus. Could that be causing my problems?

And, yes, I re-posted in my original software thread that I'm still having problems. Waiting to hear back from them. They originally told me to come to the spyware section, where you blessed man, helped me.

Thanks dearheart!!
Shel

 

Chas - you poor thing. You're having to deal with me some more! I'm sorry!

Uhm, I don't know how to check my hosts file. And I don't use IE anymore - I'm using Firefox. What's a Default Prefix? And - I don't have a clue about how to read the HijackThis log - it's all strange looking to me.

I'm sorry!!!

You know something that I am thinking of doing? I've been re-doing my website based off of a backup from my hosting company. Well, it dawned on me that it may have been corrupted. So even though they completely re-created my account and "cleaned" everything - maybe I'm still resending corrupted files to the server?? Know what I mean?

So, maybe I just need to start completely fresh and have them re-create my account, have me delete all my files, uninstall FP, reinstall FP and start my 17 page website all over from complete scratch. ICK!

What do you think?

Bless you my friend. I think I'm going to adopt you!
Shel

 

'nother mouth to feed? Bah. I'm a good cook. Besides, it's all I can offer since I'm taking advantage of your expertise!

Ok - here's the hosts file - I don't understand how you can glean any information from it - but here it is:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

And, I'm attaching my HijackThis log file. Bless you my friend!

Thanks!
Shelle