Hey Chas read this please...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by carl_tapp_775, Sep 3, 2004.

  1. carl_tapp_775

    carl_tapp_775 Private First Class

    I downloaded a program or application called "ssm"; it's a monitoring services program you may have heard of. It was recommended to me by a member of the forum. And I am not thinking nor accusing of mal intent, don't misunderstand that ok.... But AntiVir gave me a warning upon extracting the zip files that a trojan was attached to one of the files. The trojan named "tr/drp.aphex.lace.b" was what it came up with, and it was attached to the file "mchook9x.dll", does that make sense? I didn't use the exact caps in this type. But those were the names of what AntiVir found... Is that a real trojan? Thanks CT
     
  2. Just Playin

    Just Playin MajorGeek

    Did you try to D/L it from somewhere else? I D/Led SSM from here ( http://www.sevenblue.com/hertz/ssm.zip -the other 2 were Russian sites, which I mostly avoid) and scanned the zipped and unzipped files with Avast and it came up clean.
     
  3. carl_tapp_775

    carl_tapp_775 Private First Class

    No I only had the one link given to me. I was skeered to look for that on my own after the trojan popped up. I'll check that out now thanks..... CT
     
  4. carl_tapp_775

    carl_tapp_775 Private First Class

    Hummm..... That makes me curious for sure. Because I haven't loaded anything on my pc that hasn't come from MG or Ad-aware (LSP Tool, And VX2) , or my Other updates for my security software. SpyBot, SpyBlaster, and AntiVir.
    I have run check after check after check, with Trend Micro's "housecall", I did housecall three times by itself to be sure I was clean, along with updated a2, and I then went back to run McAfee's online scanner as well. I really don't see how it could have gotten past the tools I ran, and what I have loaded for my security now. But thanks for the advice and I will run that scanner now also. Better safe than sorry ...... Thanks carl
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As Abby showed you, there is a trojan by that name. Whether you really have an infection or not may be something different. There are cases of false positives. What site did you download it from? Did you try the other link JustPlayin gave you to see if you get the same results?
     
  6. carl_tapp_775

    carl_tapp_775 Private First Class

    I haven't had time yet to try and reload the program from the other sites JustPlaying gave me. I ran AntiVir from safe mode again, the first time I only quarantined the file, because I wanted to know for sure what I had. I went back and ran it again as stated. It came back again that the trojan was attached to that file. This time I went ahead and deleted the file with AntiVir. I then ran the AV program again in safe mode. It came back clean that time. I removed the ssm zip file with Suredelete, I believe it's gone now. But I am about to try and run Pest Scan now online.

    2. One other thing that makes me very suspicious about what is going on with this pc.

    3. In safe mode running any type of AV software, I get that same warning message that my boot files are locked, and that the AV program was unable to read the files. I have removed Ad-aware SE and deactivated SpyBot Resident, I did not do anything with SpyBlaster as of yet, should I ?

    4. Is this a legit application = I was just looking around in the registry the other day. I noticed an application apparently running the registry, the name is what got my attention...... "PersistantHandler" < Is that what MS named the application for the registry ? That scared me bad ?
    Help.......... CT
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's SpywareBlaster not SpyBlaster. Be careful with names like that. Many fake spyware removers name themselves similar to valid good applications. Both SpywareBlaster and SpywareGuard are good.

    PersistentHandler appears in the registry in many places. It appears for example in HKEY_CLASSES_ROOT for every single defined dot extension type.
     
  8. carl_tapp_775

    carl_tapp_775 Private First Class

    Thanks for getting back to me on these things guys.... After reading what AbbySue gave me from Pest Patrol, I really believe that this was one of those first trojans found on my system. And after AntiVir was run again, and found the same issue in its quarantined folder. I am thinking that it was probably removed the first time by AntiVir. But it didn't kill the other files it loaded on my system, and therefore it reactivated itself after the reboot. I was looking into my other security programs briefly, but didn't see that trojan pattern listed, but I may have missed it in a2. SpyBot for sure doesn't list it.
    And Star17, I trust you ! I know that you didn't do anything wrong at all. Somehow it just liked that file I guess, and went right to it on installation. Pest Patrol gave me the info I need to remove the trojan manually. And I am going to try that before I do anything else. That was very informative from Pest Patrol. I would buy the product if I weren't afraid to place my credit info over the net right now. So I'll just have to do the manual removal for now.
    Thanks Chas for the info on the registry issue also. That makes me feel better too.... :) See ya'll later. Carl
     
  9. carl_tapp_775

    carl_tapp_775 Private First Class

    Actually I am not really familiar with zip files, duhme, I figured AV would catch it on download like an exe file. Hey I am learning ..... Slowly but surely....... And I never thought for a moment that you had any mal intent Star. If that could have been a possibility, I think someone like that on this site would have been exposed long ago. They wouldn't be here long at all would they...... I'll check out that link later, I have to re-print the info from Pest Patrol. ........... Thanks for your help Star !
    :) CT
     
  10. carl_tapp_775

    carl_tapp_775 Private First Class

    Well I don't know what to think now !

    1. PestPatrol's online scanner found 30 issues everything else has missed. No trojans or virus', nor any worms.
    2. It picked up 6 hijackers, with several installations in each one. 1 cookie, and several other Adware and Spy's.
    3. I thought Ad-aware and SpyBot and the other things I have run had my system clean. Some of the pests were as old as dirt, I am very disappointed in Ad-aware and SpyBot.
    4. You guys keep hyping on Avast, is there a better AV Program out there?
    5. I am now to the point I don't want any more second rate applications on my pc's. I am going to remove AntiVir and install Avast and run it. I also went ahead and purchased PestPatrol, and ZAlarm Pro so I can use them to clean this pc up.
    6. Task Manager didn't show me the "binder.exe" , nor either of the other two files listed in that report at the link AbbySue gave me. I want to go back and do some reading on the subject. And I will keep an eye on the process' running from now on in case it pops up again.
    7. What doesn't make sense is that if those two Trojans and the worm and virus AntiVir displayed when I first ran it were false positives. As you guys are thinking with this issue, Then why do I have applications that now do not function anymore. Some of my screensavers for example are messed up, not all of them are destroyed, but they all worked fine before this all came about lately. And I know I didn't remove any of their files.....
    :rolleyes: See Ya's CT
     
  11. carl_tapp_775

    carl_tapp_775 Private First Class

    Oh and I run WinZip, but AntiVir doesn't have an option to scan zip files.....
    CT
     
  12. carl_tapp_775

    carl_tapp_775 Private First Class

    Star, I have a2 loaded and updated, but it didn't detect AphexLace.B either and I ran it several times over the course of all this prior to finding this with AntiVir yesterday. If I am not wrong, and I am fairly sure this is correct. The two trojans AntiVir originally displayed were Backdoor/TR, one of the other two either the worm or the virus had something to do with the name "LoveMe" I think.
    But Norton missed all of them, and I kept it updated weekly..... I am really curious as to what exactly is going on with all this. I had my settings changed many times without cause on ZAlarm, and several times I found Norton's Guard disabled without apparent cause also. But even then my screensavers were never messed up, and now they are..... Beats me .... I am going to try that download again for "SSM" , I really want that so maybe I can see something happening.............. Bye CT
     
  13. carl_tapp_775

    carl_tapp_775 Private First Class

    Well I am not sure what is up with all this...... Today Avast found a virus also, two entries of it..... ( "Matya" "pav.sig" ) I deleted one and quarantined the other. Anyone got info on this one or where I can find info ? I am going to look on a couple places that ya'll have shown me thus far. But if it isn't there and ya'll already know this. Please give a location if you know one. How reliable is Avast ? Does it locate false positives also ? SSM hasn't shown me anything that Task Manager already has, they are both showing same process' running..... Any Ideas Guys and Gals ? CT
     
  14. carl_tapp_775

    carl_tapp_775 Private First Class

    I forgot a question ......

    1. Could it be that I have these virus' located in the Archive files that are locked ?
    2. How can I get access to unlock the Archive files to scan them ?

    I know someone here has the answer to this..... Thanks for your help in advance..... :) CT
     
  15. carl_tapp_775

    carl_tapp_775 Private First Class

    Okay got that lined out, Panda AV ! Guess that's what I get for trying to scan with so many applications huh.....

    1. I still would like to know how to scan the locked archive with Avast, can someone help me with this ?
    Thanks CT
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See this! It could be your answer.
    http://www.webuser.co.uk/cgi-bin/forums/showflat.pl?Cat=&Board=security&Number=99658&page=2&view=collapsed&sb=5&o=93&part=

    http://www.pcpitstop.com/antivirus/AVmore.asp

    http://www.avast.com/eng/support/faq/avast_4_home_profe/virus_detection_and/
     
  17. carl_tapp_775

    carl_tapp_775 Private First Class

    Thanks Chas, I found the info needed on Avast site. It's the Panda Av sig giving false positive.

    1. I think this system is clean now. Ram is up much better also.

    2. And I like the Avast setup, this is a very cool AV application. I hope they just keep it updated on current threats, time will tell I guess.

    3. Thanks for all your help Chas..... I didn't mean to give you a hard time in what I did trying to fix my pc..... :) I hope I don't have to call on your help again soon, I don't want anymore virus', but I know that if I need to, I can count on everyone here to give me the tools and info I might need to undo probs. And I do appreciate each and everyone who contributes to this forum. This has been a very knowledgeable and interesting couple of weeks I have spent here. I think this is very cool myself........ Maybe 20 years from now, I might even be a Geek ! LOL ;) CT
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Carl! In 20 years you should be a super-geek! ;)
     
  19. carl_tapp_775

    carl_tapp_775 Private First Class

    1. You won't believe this !!!!!!!!!!! I found binder on this pc, not running in process though. While scanning with PestPatrol this afternoon, and letting Avast's "On Access Protection Messaging" run also. I watched the files as they were displayed. Sure enough I did see "binder.exe" and "stub.exe" as well.
    2. A new scan didn't reveal the AphexLace trojan, with Avast nor PestPatrol.
    And I haven't seen it running in process with the binder or stub files, but I am positive I saw them listed today. But I have not a clue where to look or how to find them and remove them from here.
    3. I am going to go back to that page AbbySue gave me and do some more reading there on it. So you don't have to reply now with a solution, but please keep me in mind and when you see me reply back to this post again. Please check on me in case I am in trouble. :)
    4. I'm thinking that maybe AntiVir caught the trojan at a point where it could stop it from spreading further. And maybe what I saw today was the registry entries..... Does that make sense ? But I don't understand really why Avast showed the files if they were not running in process ? It's got me confused, so I guess the best thing to do is just what I am doing now. Talking to you about it....... Thanks Chas
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you get full path info to those files? Are you sure it is not just in a quarantine folder or in system restore?
     
  21. carl_tapp_775

    carl_tapp_775 Private First Class

    1. I still have Sys Restore turned off, I didn't want to save any bad issues. And I believe that AntiVir had the only log for what I found that day, and should be gone since uninstalling the application right? I double check it though...
    2. Unfortunately it was going by too fast to get the full path but I do know that it was in my step-daughter's account I setup for her. But that makes me wonder also, cause when I found that the first time I do not recall it being there, maybe it was and I missed that. Not sure. But I have been scanning c: all files and folders to be extra safe.
    3. I am really wondering if someone has gotten access to my hard drive from the net. For several reasons, I went back to find the exact link AbbySue gave me the other day, and I cannot find it now. That entire post is missing for me, I searched and searched, but it is or at least was missing, I'll check it again now that I am back on the board.
    4. I just ran a2 again after updating it again. It didn't find the AphexLace.B trojan. a2 gives an option to search for a particular file so I placed binder.exe in the box and a2 shut down pretty fast when I ran the search. I guess that was a no-no.....
    5. I haven't quite figured out yet how to get Avast's "On Access Scanner Message" application to record and save the report. But I am going to work on that, and then try to get that location of what I saw earlier. Maybe with any luck it's still in Avast and I can get to it. I spent an hour earlier trying to figure it out, but it is evading me. But since I found the files, and started trying to find them, my pc has locked up three times on me, and that is unusual for my system. I rarely have it completely lock up or crash, maybe once or twice this past year until now. And those times were most likely my fault. As now it may very well be also. Running Avast's Resident Protection, and PestPatrol at the same time is not good I figure. But I didn't realize Avast was actually scanning. I thought it was reporting what was being scanned rather. But it flushed the varmitts out anyway. More reading to do, thanks for checking on me ...... Carl
     
  22. carl_tapp_775

    carl_tapp_775 Private First Class

    Dern you're going to think I am crazy now I guess, But AbbySue's reply (#5) in this thread is now back and right where it should have been earlier when I looked. I promise dude I checked close and it wasn't there, I read each one twice from the point that she made her first reply to me. :rolleyes:
    Granted I may be crazy to some extent, but I don't have trouble with my vision, at least I haven't so far that I know of. LOL
    I have two more questions that may be of value also in regards to this, but I will hold off on those for the moment...... See Ya :)
     
  23. carl_tapp_775

    carl_tapp_775 Private First Class

    Well this thing has got my pc by the b**ls...... As I finished some more reading early this morning and minimized my browser. I had an Alert displayed from SSM stating that PestPatrol was monitoring "TR/DRP Backdoor... running" . I freaked, looked for a way to read the rest of the file name and path. But it didn't have a scroll nor maximize button. Gave me an option to close the process. So I did...... I had Avast's "On Access Scanner Messaging" running at that time in hopes of locating the AphexLace.B's "binder.exe" location. So I am thinking that it recorded the info in the log. Of course the log is now zipped and in confinement, I tried to "save as" but that didn't work, It gives me an option to restore to my c: drive, but is that going to hurt me further?
    I kept watching "Avast Scanner Messaging" the binder.exe file is no longer small letter text. It's now caps all the way. "BINDER.EXE" So that made it easier to spot anyway. And it is in Windows\sys32 somewhere. But I still haven't seen it running in process. I am thinking that this thing has changed my registry pretty much, I am seeing files with names I have never seen before. And in "SSM" Registry It shows a bunch of stuff that I have just discovered are most likely changed registry entries. I didn't understand what I read in the help files the other day about that. I gave permission to allow it. It gives the description like "HKLM\..\Current Version Runonce -but no value or program name like the rest that are located in that section, there are about 10 different Keys that are the same as that, in the manner of how they look, and states Current Version Run or Runonce.
    I don't know if I would be better off to just reload the OS and programs I have. From disc of course....... Or try to undo this stuff......... I know that I have gone as far today as I can. I have to get to work. This is killing me, I hate to spend any more time on this, but I also hate to lose a good pc to stuff like this....... Give me your advice Chas I need it ...... Carl
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Carl,

    Bring up Task Manager using CTRL-ALT-DEL and select Processes. Look for binder.exe, stub.exe, and deception.exe to be running. If you find them, click on them (one at a time) and then click End.

    Then Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u core.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Print or save these instructions locally because you should be offline in safe mode.

    Now reboot to safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Now we need to search for bad files one at a time and then rename them (we will delete them at a later date when we are sure we do not need them).
    The files we will be looking for are:
    binder.exe
    stub.exe
    core.dll
    deception.exe

    I'm assuming they will be in c:\windows or c:\windows\system or c:\windows\system32 but I don't really know. That could even be in a sub-directory of c:\documents and settings.

    Here is how you do an Advanced Search:
    Click Start, Search, All files and folders, enter the file name in the box provided, then click More advanced options and
    make sure you have checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    If search finds a file, right click on it and select rename. Then rename the files. Change the .exe files to .ebad (so binder.exe would become binder.ebad) and the .dll file to .dbad (so core.dll would become core.dbad).

    Let me know what you find, what you don't find, and how all the steps work. Just do this stuff don't do anything.
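
The search-and-rename step from the post above as a script, added here as an example (it is not from the thread or from MajorGeeks). It reports each match's full path, size and SHA-256 before anything is renamed, matches on the whole file name so a same-named file belonging to another program can be recognised by its location, and defaults to a dry run; the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names and the .ebad/.dbad rename convention come from the post above.
TARGET_NAMES = ("binder.exe", "stub.exe", "core.dll", "deception.exe")
RENAME_SUFFIX = {".exe": ".ebad", ".dll": ".dbad"}


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspects(root, names=TARGET_NAMES):
    """Return (hits, unreadable) for files under root whose whole name matches.

    Matching is case-insensitive and on the complete file name, so
    BINDER.EXE is a hit while avastcore.dll is not. os.walk does not
    filter on hidden or system attributes, and directories it cannot
    open are collected instead of being skipped silently.
    """
    wanted = {name.lower() for name in names}
    hits, unreadable = [], []
    for dirpath, _dirnames, filenames in os.walk(
            root, onerror=lambda err: unreadable.append(err.filename)):
        for filename in filenames:
            if filename.lower() not in wanted:
                continue
            path = Path(dirpath) / filename
            try:
                record = {"path": str(path),
                          "size": path.stat().st_size,
                          "sha256": sha256_of(path)}
            except OSError:
                unreadable.append(str(path))
                continue
            hits.append(record)
    return sorted(hits, key=lambda hit: hit["path"].lower()), unreadable


def quarantine_name(path):
    """binder.exe -> binder.ebad, core.dll -> core.dbad, in the same folder."""
    path = Path(path)
    return path.with_name(path.stem + RENAME_SUFFIX[path.suffix.lower()])


def rename_suspects(hits, apply=False):
    """Plan the renames; touch the disk only when apply=True."""
    plan = []
    for hit in hits:
        source = Path(hit["path"])
        target = quarantine_name(source)
        if target.exists():
            status = "skipped: target exists"
        elif apply:
            source.rename(target)
            status = "renamed"
        else:
            status = "would rename"
        plan.append((str(source), str(target), status))
    return plan


def build_demo_tree(root):
    """Constructed sample tree standing in for a real drive."""
    layout = {
        "windows/system32/BINDER.EXE": b"constructed sample A",
        "windows/system32/avastcore.dll": b"constructed sample B",
        "program files/office/binder.exe": b"constructed sample C",
        "documents and settings/user/core.dll": b"constructed sample D",
    }
    for relative, content in layout.items():
        target = Path(root) / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_demo_tree(demo_root)
        found, unreadable = find_suspects(demo_root)
        for hit in found:
            print(hit["path"], hit["size"], hit["sha256"][:16])
        for source, target, status in rename_suspects(found):
            print(status, source, "->", target)
```

Review the printed paths and hashes first, then call `rename_suspects(found, apply=True)` only for the entries that do not belong to an installed program.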
     
  25. carl_tapp_775

    carl_tapp_775 Private First Class

    Hey Chas, I have been watching task manager every time I have a free moment to go to my pc. I was on this all night last night, had it open and re-checking it frequently. It hasn't shown me the specific name binder.exe or any of the others you mentioned. I am looking at processes in task manager, it just isn't here. Here is a list of what I have running currently, size and all info displayed......

    Image Name User Name CPU Mem Usage

    ybrowser.exe Carl Tapp 02 19,680k
    taskmgr.exe Carl Tapp 03 4,800k
    ycommon.exe Carl Tapp 00 2,168k
    ashDisp.exe Me 00 2,928k
    zlclient.exe Me 00 2,080k
    txtmbmon.exe Me 00 328k
    Imgicon.exe Me 00 52k
    ybrwicon.exe Me 00 564k
    ConnectionMang... Me 00 2,128k
    txtmbmgr.exe Me 00 272k
    hlcmd.exe Me 00 216k
    explorer.exe Me 05 5,464k
    vsmon.exe System 00 4,552k
    svchost.exe Sys 00 496k
    pctspk.exe sys 00 148k
    ActivityDisk.exe sys 00 120k
    ashServ.exe sys 00 10,624k
    aswUpdSv.exe sys 00 36k
    LEXPPS.EXE sys 00 356k
    spoolsv.exe Me 00 648k
    LEXBCES.EXE sys 00 76k
    OSA.EXE Me 00 236k
    svchost.exe Local Service 00 76k
    svchost.exe NETWORK Service 00 684k
    svchost.exe sys 00 3,684k
    svchost.exe sys 00 1,268k
    svchost.exe sys 00 1,080k
    lsass.exe sys 02 1,108k
    services.exe sys 00 980k
    winlogon.exe sys 02 756k
    csrss.exe sys 00 1,752k
    smss.exe sys 00 32k
    AD2KClient.exe Me 00 36k
    FreeRam XP pro 1... Me 02 1,960k
    ashMaiSv.exe Me 00 1,224k
    System System 00 36k
    System Idle Process System 90 20k


    And that's it...... Some of the CPU counts are moving up and down a little, but not much at this time. I click refresh it makes no difference in any added or removed processes. CPU ranging from 16 to 25 % , average 18% mostly. These are all I have seen active.......

    My question I started to ask you was this...
    1. I went to services to look for service.msc and if it was active, I didn't see it. But I was curious because after I saw that Alert on my monitor, I wanted to see if maybe Windows had recorded a log of it. I found that Windows performance and alert logs had been turned off..
    2. I found that " Local Disk Manager Administrative SVSC" had been stopped also, and "Start up type" was set to = Manual
    3. I found also that my "WMI Performance Adaptor" had also been stopped and set to = Manual ... The file name caught my attention also =
    "system32\wbem\wmiapsrv.exe"
    4. Why it caught my eye as strange is that SpyBot S&D found "webemess" adware or what ever it was on my pc also. And I am seeing a lot of "wbem" on some of my files.

    Does that give you any needed info ? Seemed funny to me that those two Services were stopped and set to manual. I haven't had time to check up on them, to see if that is Windows default settings for those. Thought you might know if that is correct for those, and if that is something that has been affected by what is on this pc. My Ram has dropped from 32MB to 15 MB now also. I refreshed Task Magr. nothing new in process.....

    5. I wanted to ask also if it would hurt to just run explorer and search for the files names you just gave me. Or would it start the virus process on the pc ?
    6. Does this info I have given you change what you need me to do now?
    Let me know, I'll wait to hear yes or no from you..... Ok Thanks CT
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Carl,

    You need to sit back and relax a little. You just seem to be running all over the place doing all kinds of random things.

    This sentence does not even make any sense: "1. I went to services to look for service.msc and if it was active, I didn't see it."

    services.msc is something you run to see your services. You don't look for services.msc in your services list because it is your list.

    Stay out of your services unless we tell you to go there.

    I'm not sure what you were talking about here:
    "But I was curious because after I saw that Alert on my monitor, I wanted to see if maybe Windows had recorded a log of it. I found that Windows performance and alert logs had been turned off.. "

    What Alert are you talking about? Are you talking about when you said, "Alert displayed from SSM stating that PestPatrol was monitoring "TR/DRP Backdoor... running"?

    You just seem to be jumping around all over the place trying to find out if you have a problem. You need to stay on one subject and stop jumping all over the place. It seems like this thread has jumped around on several issues.

    Boot into safe mode and run only ONE scanner at a time and see if you have any problems come up. In fact, why don't you just do the steps here too: READ ME FIRST: Basic Spyware, Trojan And Virus Removal
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And I don't understand this: "My Ram has dropped from 32MB to 15 MB now"

    Are you trying to tell me you are running a PC with only 32MB of RAM on a WinXP system?
     
  28. carl_tapp_775

    carl_tapp_775 Private First Class

    Okay, well I can't remember exactly the words that were told to me, but someone wanted me to check on service.msc, when I was dealing with this from the start. I have not changed any settings or anything. I was just looking to see why my performance and alert log were turned off. ;)
    Yes so I could retrieve the info on the trojan PestPatrol was monitoring.
    I have not had the chance nor time to get technical training on computers, everything I know about them I have learned on my own from reading and experimenting, looking around in the different doors in Windows. I guess it's a bad habit I have, I have always been the one thrown into everything, "like the boy who was thrown in the water and his father said, sink or swim".
    What I have read about trojans backdoors is that, they can provide access to someone on the net to give them full access to your computer. I wanted to buy tickets online last week to take my daughter to SixFlags, saving me half on the cost. But I decided not to run my new pc on the net until I know I have sufficient security for it, so that left me with double checking this pc so I could buy the tickets without losing my credit card info to someone. If a hacker has my password, I can deal with that, because I have not entered my credit info on this pc, except for when I purchased PP last week. But I knew that was a chance that I had to make because I needed the program.
    I don't know what these trojans can do right down to each and every detail. I certainly do not have time to read the details for each virus and trojan on the net. So as far as I am concerned at this time, anything is possible in relations to them.
    :) And no my Ram is not 32MB, guess you have dealt with too many issues to remember I was concerned about my mem being drained at times. I noticed when that Alert popped up for PestPatrol, my ram was way down like it had been displaying before we started this.
    My system : emachine t1090, 40 mb hd , 128 ram, 900 MHz Intel Celeron, 3D AGP graphics - Intel Direct, XP 2600 updated except for SP2.
    I have read that article you linked me to, maybe I am paranoid, I thought this thing was clean after all the programs I ran, and the lack of not finding binder and the others not running in task, and a2 and PP not picking up the trojan last week.
    Also, I have not downloaded or opened any email except what I knew where it came from for sure. And used yahoo mail service to receive those. I only downloaded programs from PP, MG for Avast and the SSM sites. The only websites my pc has been on is SixFlags, and my business contact sites. So unless this has come from one of those places, then it has been on this pc for a while. And if that's the case then who knows what damage has been done, not I.... I'll do only as you instruct and take this one step at a time, and not look around at anything except what we deal with until this is over okay.... :) Thanks Chas CT
     
  29. carl_tapp_775

    carl_tapp_775 Private First Class

    I wanted you to know that I was in administrative services looking around before I came back online, and after seeing that Alert for the Trojan. I have run a2 and Avast, in safe mode from F8, I have also run PestPatrol in safe mode, I also ran Ad-aware SE in safe mode after I finally got it to let me access it from safe mode. I did these separately and each one after a fresh reboot to safe mode. I did have all extensions and files unchecked also. However, I see why I confused you with "services.msc", I should have gone back to read that again, I was confused myself LOL... I didn't recall the exact procedure or even how to look for ("Network Security Service"), and to disable it. So maybe that is why nothing picked up on the tr/drp...
    Hey I have been getting too little sleep, 26 hrs up and 2 1/2 sleep since Sunday. Now here it is again, 1:58 am. But I am not rushing it, I am reading and learning and yes I have been looking, but not now. :)
    I am gone now going to run the procedures you gave me then go to bed.
    Tomorrow .... Thanks..... CT
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Carl! Complete everything in READ ME FIRST: Basic Spyware, Trojan And Virus Removal and let me know the results of all scans (run individually with no other scans running). Make sure you have Ad-aware SE V1.04 and reference file SE1R7 06.09.2004 and set the scan option to "Perform Full System Scan".
     
  31. carl_tapp_775

    carl_tapp_775 Private First Class

    Advanced search only showed binder.exe as part of Office Pro 97, core.dll , stub.exe came up in search as part of other programs, example : avastcore....didn't find the names of these files as solo files.
    With all scans with all listed programs mentioned in the "Read Me First: Spyware Removal" nothing is showing up. Each scan comes up clean. I made double sure each was updated also.
    Yet with SSM I have this.....
    "Internal Error while processing directive 11: Can't get name of target process, which is accessed by C:\Computer Security Tools\ssm\SysSafe.exe"
    Yet the program seems to function normal in every aspect otherwise.

    I have one other question now also... Under Windows XP folder options\ view tab. Not only do I have show hidden folders and extensions, but I also have " Hide Protected Operating System Files" (Recommended). Nothing is mentioned in the "Read Me First: Spyware Removal" about this. This is Xp's Archive files location correct ? Should this be scanned as well ?
    Thanks Carl
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm starting to think this SSM program is more trouble than it's worth. At least for you. I would try one last thing with it. Uninstall it. Reboot. Reinstall it. See if it works okay now. If not, dump it before it drives you crazy instead of just paranoid.

    This link explains how we recommend to show hidden files: http://forums.majorgeeks.com/showthread.php?t=37650

    And yes we uncheck the Hide protected operating system files (recommended) option.

    What do you mean by: "Should this be scanned as well ?"
    Those directories are scanned by the spyware and virus scanners. It has nothing to do with the hide options. Those options are for Windows Explorer.

    If you want to do advanced file searches that include those directories you have to configure search:

    How to use windows XP search mechanism to look for hidden files:
    If you use Search, you need to do the following:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.
     
  33. carl_tapp_775

    carl_tapp_775 Private First Class

    Okay well I wasn't sure that with the hide protected windows files or folders what ever it is called, that it was scanning the Archive files that did not get read according to the reports. Not even in safe mode did the archive files get read according to the reports I looked at after the scans. I did know how to do an advanced search and did that many times looking for the files associated with that trojan. But it hasn't come up with anything, other than what I mentioned in my last post.
    However my ram is doing much better now that I have run these programs and cleaned up the things they have. I am sure as was mentioned previously Norton was draining the memory with the problems I did have. I just can't figure out what happened to my screen savers and some other things are working properly now either. When they all were okay before this last bout that popped up. I am going to do some more research and then call the pc's manufacturer to see if I can reinstall windows core files from my disc without hurting anything else. I can't recall when I reloaded xp before from my disc if it gave me any options to repair Windows or not. If I still have problems after that, I can reload XP because I have transferred all my important documents and programs to zip disc and then loaded them on my new pc. I scanned them also with housecall and pestpatrol before loading them to my zip disc, glad I had that zip drive for sure, much better than those tiny floppy disc. I'll let you know how it all turns out, and yes I will uninstall SSM. But I already did as you suggested and tried to reinstall and see what happened. But I haven't seen any more notices from my security programs stating any problems. Oh well, beats me !!!!!! Excuse the pun ..... Later
    Thanks Again Chas ! CT :)
     
