FrontPage - Trojan HELP PLEASE!!

Discussion in 'Software' started by killingmesoftly, Aug 19, 2004.

  1. killingmesoftly

    killingmesoftly Private E-2

    Hey guys -

    I am at a loss as to what is going on with my NEW computer - can you please, please, please help me?

    Here's the background:

    Got fiber-optic cable installed Saturday. Before then, I was running on dial-up. About the last week of dial-up, I noticed that it was slow. I checked with my ISP and they said nothing was wrong on their end.

    I run Adaware, AVG and Spybot on my computer every day. Yes, I do the updates every day too - if there are any.

    As soon as I got my cable installed, I discovered that I had a Trojan Horse Downloader (1-4) on my computer. Then, I discovered that I had MS XP SP2 that had installed on its own even though I had it set to not download or install.

    Using MS instructions, I removed the SP2, although I couldn't remove the Windows XP Hotfix (SP2) [See KB810243 for more information] program.

    Then, after running AVG, Adaware & Spybot I still couldn't get the Trojans removed. I found this forum - YAY! - and discovered the CCleaner and CWShredder. I ran them and appear to be virus free according to all of the programs.

    I then immediately installed ZoneAlarm firewall (should have done that in the first place - silly me :-0 ).

    Everything is fine - except I get these stupid runtime errors in my browser at different times - I added another post for that one last night.

    Since then, I've been in talks with my hosting company for my website for the last 2 days and we still haven't resolved my problems - they're at a loss too.

    I can't publish - I always get a server error. Also, it appears that the files on their server get corrupt. Every so often, my website will revert back to an older version of an index page without my navigation links. They've had to reload my website from their backup twice already. They've reinstalled my FP extensions 3 times. I have completely removed all my web files and uninstalled FP2002 from my computer, restarted it, reinstalled FP2002 and pulled down a restored backup from my webhost. I immediately tested a publish page and it worked fine. I worked on my files for about 6 hours, went to publish again, and lo and behold! SERVER ERROR!

    The last thing that was done from their end was another restore, another FP extension install and they completely recreated my account.

    I STILL can't publish!!! I run a business and I'm at my wits end! Can someone please help me!!
    PLEASE!!
     
  2. Kodo

    Kodo SNATCHSQUATCH

    make sure Zone Alarm isn't blocking anything..

    You may also want to head to OFFICEUPDATE.COM and get all the latest patches for office.
     
  3. killingmesoftly

    killingmesoftly Private E-2

    Thanks Kodo -

    I turned off ZoneAlarm a few times to make sure it isn't this.

    I also have all the microsoft updates current, minus the SP2.

    Thanks for the suggestions!

    BTW - I'm running XP Home on a brand new 144 G Compaq Presario, AMD Athlon (tm) XP 3000+, 2.10 GHz, 448 MB of Ram.

    Anyone else?? Please?
     
  4. killingmesoftly

    killingmesoftly Private E-2

    Anyone? Kodo? Please - I'm dying out here. Please!?

    I really am at a loss as to how to fix this problem. Do I run HijackThis?

    I'm scared to do a system restore because the Trojan I had may be locked in on the restore point.

    Should I do that anyway?

    Thanks!
    Shelle
     
  5. killingmesoftly

    killingmesoftly Private E-2

    Please, please, please. Someone help me! Should I go ahead and run HijackThis and post it? Would that help? Should I just go back to a restore point and hope that the old Trojan isn't there?

    Thanks!
    Shelle
     
  6. krazykrl

    krazykrl Sergeant Major

    Every time I get a customer that has virus or trojan problems, I get Ad-aware, Spybot and any AntiVirus I can find, usually Symantec Corporate Edition because it isn't like the Norton AntiVirus and it works well. It doesn't have to be Norton/Symantec however.
    Then I boot into Safe Mode with Networking. I run Spybot first, check for updates, run a scan, delete all. Then I run Adaware 2nd, get the latest updates, scan, remove. Then AntiVirus and if it finds anything I can either remove it or download a removal tool to do so.

    This always works for me, just remember to do this in Safe Mode.

    Good luck.
     
  7. killingmesoftly

    killingmesoftly Private E-2

    Hey KrazyKr1 -

    Thank you for this advice. I've already done all this though. I even used CWShredder and CCleaner. All done in safe mode. I've removed software and stuff that I thought may be interfering. I've done a detect and repair in FP. I use AVG, Adaware and Spybot on a daily basis and constantly use ZoneAlarm.

    I've turned off ZoneAlarm to publish and that didn't work. I've been talking to my web host for days and they swear it's on my end and they've done all they can.

    I've followed all the instructions in the advice for removing Trojans in this forum to the letter. I'm not particularly computer savvy, but I was an assistant IT at my former job. No degree, just interested and read a lot.

    I've tried everything I know to do.

    BTW - According to everything my Trojan is gone.

    I don't know anything about BIO's or REG's or DLL files though. Maybe it has something to do with that?

    Thank you!!
    Shelle
     
  8. krazykrl

    krazykrl Sergeant Major

    So if every program is not finding anything, what is the exact problem you are experiencing now?
     
  9. killingmesoftly

    killingmesoftly Private E-2

    Hey -

    Every time I go to publish my FP files for my website, I get a Server Error.

    This is what my webhost company has done so far:
    It seems that every time I do TRY to publish, the files on their server get corrupt. Even though I cannot get through. Every so often, my website will revert back to an older version of an index page without my navigation links.

    They've had to reload my website from their backup twice already. They've reinstalled my FP extensions 3 times. I have completely removed all my web files and uninstalled FP2002 from my computer, restarted it, reinstalled FP2002 and pulled down a restored backup from my webhost. I immediately tested a publish page and it worked fine. I worked on my files for about 6 hours, went to publish again, and lo and behold! SERVER ERROR!

    The last thing that was done from their end was another restore, another FP extension install and they completely recreated my account.

    I just checked and there aren't any more Office Updates for me to do. I've already run the detect and repair option in FP.

    My host swears it's on my end and they suggest that I still have a Trojan lurking somewhere. I've re-run everything (AVG, SpyBot, Adaware) in SafeMode again last night. Nothing came up except some cookies, which I deleted.

    Got any advice? Thank you for helping me!!!
    Shelle
     
  10. Kodo

    Kodo SNATCHSQUATCH

    your virus could be in the system restore points and can't be cleaned by an AV. you need to turn off system restore and it will erase all your restore points and any viruses that may be contained therein.
     
  11. killingmesoftly

    killingmesoftly Private E-2

    Ok Kodo -

    I went back and turned off the System Restore again. I have turned it off several times when running in safe mode and such. I keep going back and turning it back on. Should I just leave it off?

    What next?
     
  12. Kodo

    Kodo SNATCHSQUATCH

    that's a personal preference. Though in the context of possibly having viruses, I would leave it off until you are certain that your system is free and clear of them. Once you've made this decision, you can turn it back on if you like. It's saved some people before.. so it's up to you.
     
  13. killingmesoftly

    killingmesoftly Private E-2

    Okay - thanks Kodo! I didn't know that.

    I'm sorry to keep bugging you guys.... I can usually handle stuff like this from reading and such, but I've done everything you guys suggest in the virus forums. I personally don't think I have one anymore, but I'm not sure.

    I really think it's my software - or a problem I got while I had the Trojan and/or had MS SP2. Should I just go ahead and bite the bullet and re-download SP2? I really would like to wait until some glitches are ironed out in it, but maybe that's what is wrong with FP??

    Thanks!!
     
  14. Kodo

    Kodo SNATCHSQUATCH

    looking back at your posts you mentioned that you have all microsoft updates current. Does this statement also pertain to the office suite or just windows? I would like to clarify this.
     
  15. killingmesoftly

    killingmesoftly Private E-2

    I've got both my MS Windows updates and Office updates current.
     
  16. killingmesoftly

    killingmesoftly Private E-2

    I haven't checked yesterday or today for MS windows updates - let me go to that real quick.

    I still am wary of the SP2 though.
     
  17. Kodo

    Kodo SNATCHSQUATCH

    are you running a web server on your local machine?
     
  18. Nirvana_CN

    Nirvana_CN Private First Class

    It may be an issue with un-installing SP2. I would probably re-install it and try again.

    Also download the trial version of NOD32 Antivirus from http://u4.eset.com/betaeval/nentenst_beta2011.exe

    This is by far the most efficient Anti Virus scanner I have used, and will pick up any Virus your other scanner may have missed.

    (Please note I didn't link to the MajorGeeks version as they have not updated their link to the SP2 compatible version of NOD yet.)
     
  19. killingmesoftly

    killingmesoftly Private E-2

    Nope - I'm just a girl sitting at home with a new computer paying $5 per month for my web hosting service - which is an excellent company BTW.

    I don't run my own server or anything.
     
  20. killingmesoftly

    killingmesoftly Private E-2

    Kodo -

    I just checked MS windows update and all they're telling me is to install the SP2.

    Should I do that?

    Nirvana - Thanks for that AV program. I'll download it and see what it does.

    Thanks guys for helping me out! I really appreciate it!

    I'll swap some writing services for your help or something! :)
     
  21. Nirvana_CN

    Nirvana_CN Private First Class

    1. Run Nod32 Scan for viruses.
    2. Run Ad-Aware again to make sure no Spyware.
    3. Post up your Task Manager, so we can check if you have any services resident in memory that shouldn't be. Right click Task bar, Task Manager, Alt+Printscreen to take the pic.

    Should look like this :-

    http://my.opera.com/forums/attachment.php?s=&postid=660673
     
  22. killingmesoftly

    killingmesoftly Private E-2

    Nirvana -

    Ok, I downloaded the Nod32 scan.

    Quick question: Should I run it in SafeMode and unhide all files?

    Thank you!! I'll do what you say and get back to you!

    Thank you! Thank you! Thank you!
     
  23. killingmesoftly

    killingmesoftly Private E-2

    Nirvana - Kodo -

    Okay - -

    Here's what I've done so far:
    ****
    Ran virus scan from Nod32: It was clean - except I got these odd msgs:
    >> Error occured while scanning MBR sector of the 2. physical disk. Error reading sector.
    >> Error occured while scanning MBR sector of the 3. physical disk. Error reading sector.
    >> Error occured while scanning MBR sector of the 4. physical disk. Error reading sector.
    >>Error occured while scanning C:\pagefile.sys. Error opening file. [file locked]. [4]
    AND THEN THIS:
    >> number of scanned files - 20325
    >>number of viruses found - 0
    >> Notes: [4] file cannot be opened. It is being exclusively used by another application or operating system.

    *****
    I ran updated Adaware it found cookies & MRU files which I deleted. Only like 7 cookies in all. I've got the log file saved if you need to see it.

    ****
    I also ran AVG again, just to make sure - it was clean.
    *****
    I checked MS Updates and got these:

    814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP)
    816093: Security Update Microsoft Virtual Machine (Microsoft VM)
    Update Rollup 1 for Microsoft Windows XP (KB826939)
    Security Update for Windows XP (KB839645)
    *****
    I rebooted.
    *****
    THEN THIS ERROR CAME UP:

    Trojan horse Downloader.Wren.F
    C:\DOCUME~1\Owner\LOCALS~1\TEMP\AAWTMP\C5040281\tetra.dll

    It suggested that I run AVG - I did. Nada!!!!
    *******
    I'm attaching my processes pix to this in WORD.
    It'll take 3 docs!! I have a lot running and that doesn't sound good.
    *******
    HTH!!
    Thanks!!
     


  24. killingmesoftly

    killingmesoftly Private E-2

    Here's the 3rd view of my task processes!
     


  25. Kodo

    Kodo SNATCHSQUATCH

  26. killingmesoftly

    killingmesoftly Private E-2

    Kodo -

    I've done most of this - but I'm going to go through the whole process again.

    I'll let you know how it goes.

    Thanks!
     
  27. Kodo

    Kodo SNATCHSQUATCH

    I noticed backweb in your processes.. you have spyware on your system. That's why I posted the link.
     
  28. Nirvana_CN

    Nirvana_CN Private First Class

    Kodo is right, I notice a few suspicious services as well as backweb.exe

    Visit Black Vipers site here :- http://www.blackviper.com/WinXP/servicecfg.htm

    And close all services you don't need. 48 is a HUGE number of mostly useless services you got running. You should have about 20 optimally for the average home user.
     
  29. killingmesoftly

    killingmesoftly Private E-2

    Hey guys -

    Just wanted to give you a heads up. I am about to begin your last two suggestions.

    My husband just left for training at Camp Shelby, MS. He is going to go to Iraq in December or January... so the last few days have been busy.

    Thank you for all of your advice. I will let you know as soon as I get everything done.

    Bless you!!!
     
  30. killingmesoftly

    killingmesoftly Private E-2

    Okay - Here's the rundown on what I've done:

    1. Downloaded all of the Windows updates and installed, including software, hardware & office. Restarted computer.

    2. Double checked and made sure System Restore was disabled. It was.

    3. Checked to see if Network Security Service was running. It wasn't listed.

    4. Enabled viewing of hidden files and folders and extensions. Should I just keep these in view or hide them again?

    5. I did online virus scans from TrendMicro - nothing was found.

    6. I did online virus scan from PandaSoftware - Found 4! Removed them!! Here's the log:
    >>
    Incident                   Status        Location
    Virus:JS/Illwill.A         Disinfected   Personal Folders\Deleted Items\price_08.zip[price.html]
    Virus:W32/Bagle.AM.worm    Disinfected   Personal Folders\Deleted Items\price_08.zip[price.exe]
    Virus:JS/Illwill.A         Disinfected   Personal Folders\Deleted Items\price_new.zip[price.html]
    Virus:W32/Bagle.AM.worm    Disinfected   Personal Folders\Deleted Items\price_new.zip[price.exe]

    7. I went into safe mode and ran the CCleaner. It fixed 137 problems, most of which were left over registry files from removing software, etc. I saved a reg. back-up. Should I keep this?

    8. Still in safe mode, I ran Ad-Aware with the VX2-plug-in. There were 40 objects which included e-acceleration, cookies and typical MRU stuff.

    9. Still in safe mode, I ran Spybot. Nothing was found.

    10. Still in safe mode, I ran CWShredder - it was clean.

    11. Still in safe mode, I ran Kill2Me. I think my computer was clean, but it cleaned it anyways.

    12. Still in safe mode, I went ahead and ran the about:Buster program. It was clean. I kept the log file. Do you need to see it?

    13. Still in safe mode, I ran A2. It was clean.

    14. I tried to run AVG in safe mode, but got an error: Driver (CORE) not found winerr=2
    I went ahead and ran AVG once I got back into full mode and it was clean. I also got an error message again right after I booted back up into full-mode that said: C:\DOCUME~1\Owner\LOCALS~1\TEMP\AAWTMP\C5040281\tetra.dll Trojan Horse Downloader.Wren.F may be on your computer. Run AVG. When I ran the AVG, it did not find it.

    15. I checked out the Black Viper website that Nirvana recommended. That place scares me! I'm terrified of disabling something in the processes. I checked out the list, and although I have a few processes that he says are okay to disable, I have a TON that aren't on the list. Also, I'm not sure I understand the correct way to disable them.

    So, I still have backweb running in my processes and a few others that don't look good to me.

    I tried to publish my website from FP again, to see if the issues would have been resolved by my efforts. It hasn't. I still get server errors.

    What next?? PLEASE HELP!!
     
  31. killingmesoftly

    killingmesoftly Private E-2

    Kodo? Nirvana? Anyone?

    Please read the above post - - I did what you guys said. What next?

    HELP!! Please!!

    Thanx!
     
  32. Kodo

    Kodo SNATCHSQUATCH

    when it says "server error" is there any other information given besides those two words?
     
  33. killingmesoftly

    killingmesoftly Private E-2

    It says:
    Unable to open "http://www.thecorpwriter.com".
    Server error. The web server at "http://www.thecorpwriter.com" does not appear to have the FrontPage server extensions installed.
    Possible causes:
    1. The web server may not have FrontPage Server Extensions installed.
    2. The web server may be temporarily out of service.
    3. If you are connecting through a proxy server, the proxy settings may be incorrect.
    4. An error may have occured in the web server.

    If this server does not support FrontPage Server Extensions, may still be able to publish to the server via FTP.

    That's it!

    I talked to my web host company for 2 whole days. If you'll re-read my earlier posts, you'll see what all they did.

    Any advice? My computer is right at 1-MONTH old - I'm ready to kick it out!

    Thanks Kodo!!!
     
  34. killingmesoftly

    killingmesoftly Private E-2

    BTW-

    The last thing my guys at my web host company said, was to use the www. from now on. I used to publish using: http://thecorpwriter.com.

    I try it both ways and I still get the same error.

    PLUS, I still apparently have back end or whatever it is - and maybe that WREN.F Trojan horse Downloader.

    I'm at a total loss here. I'm usually much better at handling this type of stuff. I'm sorry!
     
  35. Kodo

    Kodo SNATCHSQUATCH

    I'm going to have to look around a bit more for an answer.. but my gut feeling says it's corrupted Front Page Extensions. Sometimes this requires the extensions to be removed and the entire site to be removed and then recreated and then FPE installed again and then your site uploaded again. Ahhh, the memories..

    FYI: there's an error under your ghost writing services section
     
  36. killingmesoftly

    killingmesoftly Private E-2

    ARGH!!! See, that's what I'm thinking - but here's the MAJOR problemo....

    I have completely uninstalled and then reinstalled FP and FP files. I even rebuilt the dang thing almost from scratch - well, I use a template, but heck, it works! I don't know nut'in about HTML...

    My hosting company has completely uninstalled and reinstalled my entire account. I've lost all my past site stats in the process.. <sigh>

    Would it help if I upgraded to FP2003? Is it on my end?

    There's lots of errors on the site right now.. thanks for telling me though. I may have missed that one! I've got some "beuoo-ti-ful" changes made, but I can't get the danged thing published!

    Thanks Kodo. I'll await your wise words on what to do next. Hey, any thoughts on that backweb and WREN.F trojan?

    I bow at your feet until you return oh great one!
    :eek:
     
  37. killingmesoftly

    killingmesoftly Private E-2

    Where's the error at? I don't see one. All the links seem to be working fine. I'm lost...

    Hey Kodo - you're wonderful! Thank you for helping me! <big smackaroos on the caboose!>

    **Hi, my name is Shelle, and I'm a past brown-noser. Yes, I will still brown-nose to get what I want. Brown-nosing is not a thing of the past. It is here to stay! Brown-nosers Unite!**

    A proud graduate of BN'ers University!
     
  38. Kodo

    Kodo SNATCHSQUATCH

    Well Shelle. I wasn't referring to you having to reinstall Front Page on your machine. I was referring to the host having to completely recreate your website on their IIS webserver and you having to re-upload everything again.

    as for the error:
    Tired of writing those annual professional articles? What to do a company history?

    Shouldn't that read:
    Tired of writing those annual professional articles? Want to do a company history?

    ;)
     
  39. killingmesoftly

    killingmesoftly Private E-2

    ACK! EEK! See?? I posted that website up about a month ago, quickly!! Then spent hours revamping it. I just wanted to have "something" up there. Now I can't change it! And I'm a writer! - Lordy, I'm so ashamed! :eek:

    Do you have any suggestions? Are you still looking into it? My host company has already done that - well, they reinstalled the website from a backup. Plus they recreated my account. They reinstalled FP extensions 3 times.

    Should I go back to them again? Should I leave you alone and be quiet? Don'tcha hate people who just talk & talk?

    :D
     
  40. Kodo

    Kodo SNATCHSQUATCH

    honestly, I don't think it's your end. So I would go back to them again. If they give you a hard time, you may need to consider finding a new host.

    Shelle, I would also consider picking up an HTML book and learning the basics of it all. This will help wean you off of relying on Front Page to do it for you.

    Learning how websites/servers work on some level is important.
     
  41. killingmesoftly

    killingmesoftly Private E-2

    Thank you Kodo! I will brow-beat them to death. I think they're trying, they're a good company (well, they have been). If they don't get it fixed I'll move to another company.

    Thank you for the advice on learning HTML. I know just the bare basics which doesn't help much. That's something I probably will have to learn, or, hire someone to do it... I'm a stick-in-the mud if it's too difficult for me to learn. I'd have to have someone standing over me telling me what to do, then I'd learn it. Maybe I'll attend a basic HTML 101 class at the college.

    What should I do about that backweb thing and the WREN.F trojan that keeps popping up. I've run all the stuff you've advised. Any ideas on that one?

    Thank you again so much!! You've been great!!
     
  42. Kodo

    Kodo SNATCHSQUATCH

    start a new thread in the spyware forum regarding your backweb and trojan issue. This way that topic alone can be covered completely.
     
  43. killingmesoftly

    killingmesoftly Private E-2

    Will do Kodo. Thank you so, so much!! I'm about to get on my host company's rear end and see if I can get somewhere with them. Thank you!!!

    :)
     
  44. killingmesoftly

    killingmesoftly Private E-2

    KODO!!!

    Guess what!? It worked!! They fixed it just like you told 'em to! Man oh man! I could buy you New York!! Well - uh, if I had the money...

    Just got a big project, so maybe I could send you uhm, a postcard!? Thank you my friend! You have made my year!!
     
  45. killingmesoftly

    killingmesoftly Private E-2

    Yoo-Hoo - - KODO!!

    Are you there??

    Ok - - I've been working with Chas in the spyware forum and think I've got everything solved. I THOUGHT my issues with my web company were through....

    BUT - I'm having troubles again. Chas thinks my computer is clean. My web hosting company thinks I'm the one corrupting my FP extensions every time I publish. I'm back to square one again. My website looks awful - lost navigation buttons and stuff. Now I'm getting an error when I publish:

    SERVER ERROR: Cannot create folder "_vti_cnf".

    I don't know what else to do... except maybe go and buy the 2003 FP upgrade?

    Any ideas?

    Thanks!!
    Shelle :)
     
  46. BentLady

    BentLady Private E-2

    I was having crap (!) trying to publish my site with frontpage. It is a nice editor, but trying to publish with it was a pain in the posterior. Server errors, etc. So I gave up trying to publish with it. I just create or edit with it. I downloaded filezilla, which is a free web publishing program. It took a little while to figure out how to publish with it, but it was well worth it. No more server errors, etc.

    Link to download filezilla:
    http://sourceforge.net/project/showfiles.php?group_id=21558
     
  47. killingmesoftly

    killingmesoftly Private E-2

    Hey BentLady -

    Thanks for the heads up. I'll keep that link - just in case. You never know.

    I think I've got everything running smoothly now. I finally had to scrap the whole website and start all over. I apparently had corrupt files and the only way to fix the problem was to ditch them.

    FrontPage is a good editor - I love working with it. Been thinking of Dreamweaver though when I upgrade. Heard lots of good things about it, but I don't know much about it at all.

    Welcome to MG!! It's a great place!
    Shelle
     
  48. BentLady

    BentLady Private E-2

    Glad to hear that everything is going alright.

    I agree, FP is a good editor. I used Dreamweaver last year, and it's a nice one as well. Easy to use, but just like with frontpage, it takes a while to learn.

    Thanks for the welcome. Have a nice evening. :)


    BentLady
     
  49. Kodo

    Kodo SNATCHSQUATCH

    Just an FYI for front page users. You shouldn't use a regular FTP to upload sites created with FrontPage. You should use FrontPage's publishing utility in the program. If you create new folders in your site, Front Page generates the necessary extensions in that folder to make your pages work (if you've used something in your pages that requires extensions). If you upload a folder with pages that use extensions via an FTP, the required FPE generation will not take place and your pages won't work.

    To further clarify:
    Can you FTP without using FP? Yes, but only for files that do not use FPE's.
     
