Trojan Horse Startpage.AY

Discussion in 'Software' started by green_newbie, Nov 16, 2003.

  1. green_newbie

    green_newbie Private First Class

    So AVG popped up last night:

    "AVG Resident Shield
    Virus Trojan Horse Startpage.AY
    is found in file C:\system volume information\_restore {36413119-BA31-4B36-BB21-534E11EB77EC}\RP89\A0005098.EXE
    to remove this virus, please run AVG for Windows"

    I also noticed that my software firewall, Kerio Personal Firewall 4,
    wasn't running. I tried to start it and it gave me some error message as to why it wouldn't start (should have written it down but did not).

    I ran AVG for Windows and it told me it had found and healed 2 viruses.
    Test results read:

    FILE: C:\IE46Bin.exe
    virus name: Trojan horse Startpage.AY HEALED OK

    FILE: C:\Q230903.exe
    virus name: Trojan horse Downloader.Winshow.D HEALED OK


    After this I restarted my computer, because I also noticed I had some Win XP updates ready to apply once I restarted, so I figured maybe they were security things (Automatic Update had happened a little while back; I just don't often restart my computer for them to take effect, but now I did).
    Computer restarted.
    Kerio Firewall is up and running, seemingly fine.
    I decided to go to Symantec's site and run their virus checker thingy, and it tells me:
    71171 files scanned, 2 file(s) infected on your disk drives.


    No viruses were detected in memory.


    Your computer is infected with at least one known virus or Trojan horse.

    Search for the name of the virus(s) listed below on the Symantec Security Response site for removal information.

    C:\Program Files\Windows Media Player\wmplayer.exe.tmp is infected with Download.Trojan

    C:\Documents and Settings\Log on\Local Settings\Temporary Internet Files\Content.IE5\8TGVKPOR\jbe1[1].xml is infected with VBS.Downloader.Trojan

    And right about the time I am done with this, AVG Resident Shield pops up again with the exact same message as is written at the top of this post.
    I run AVG again and it picks up nothing (even though it just sent me a message from Resident Shield that it does).

    So that is things as they are now.
    P.S. Why does this $*&# always happen to me?
     
  2. green_newbie

    green_newbie Private First Class

    I didn't download anything.
    My firewall is always up,
    until last night when I noticed it was down and I couldn't restart it.
    I didn't download anything, though.
     
  3. Wisewiz

    Wisewiz Apprentice's Sorcerer

    I dunno. Lucky, I guess.

    Anyhoo, there are several obvious suggestions for you to try here. JIC you haven't done them all yet, here goes:

    1. When WU tells you to restart your computer, do it. The updates are absolutely useless until you reboot and they overwrite the "in use" files they are replacing.

    2. Go to C:\Program Files\Windows Media Player, find wmplayer.exe.tmp, and Delete it. Empty the Rec Bin.

    3. Shut down System Restore and reboot (BUT SEE 4), to get rid of everything in the SVI folder. Then after reboot, go back to Sys Restore and reset your settings, so it will start over.

    4. When you shut down (SEE 3), shut down to reboot to a command prompt, and in the command prompt window, change directory (CD) to C:\Documents and Settings\Log on\Local Settings, and Delete (RD) Temporary Internet Files.

    5. Then use Ctrl-Alt-Del to reboot and let it reboot normally, and re-run the AV program.

    That should do it.

    If you can't get rid of the TIF folder, post back and I'll give you a URL for a coupla batch files that'll do it. XP will recreate it when you next open IE, but if you can get rid of it for the moment it'll be history and the CONTENT folder and all of its little dark secrets will be gone, too.
     
  4. green_newbie

    green_newbie Private First Class

    This sounds bad but...

    I don't know how to reboot to a command prompt.
     
  5. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Hmmm.

    Have you ever used DOS or DOS-like commands? Do you know what I mean by RD above? (I'm not trying to make you uncomfortable. I have to have an idea what you know here so I'll know what else I have to tell you.)

    What options do you see in your Start Menu when you click Start, then Shut Down...?

    (You can use Cancel once you note what the options are. You don't HAVE to shut down just because you get to the shutdown panel).
     
  6. green_newbie

    green_newbie Private First Class

    I can work around DOS OK, and can open up the DOS-looking command prompt within XP, but that isn't the same as booting to a command prompt, I think.

    I don't know what this is about: "Delete (RD) Temporary Internet Files."
    I am pretty sure I can figure out how to delete stuff through the command prompt, but I don't know what all that is.
    System Restore I understand just fine; I can turn it off and on and all that. When I first used a computer it was probably Windows 95, so DOS was already pretty much not in use.

    When I click "Turn off computer" I can then send it to "Stand By", "Turn Off" or "Restart".
     
  7. green_newbie

    green_newbie Private First Class

    Windows XP doesn't include DOS, which is not likely what you are talking
    about. While booting you can press F8 and select Safe Mode w/ Command
    Prompt to get an emulation of the DOS command prompt.

    Is this what you mean?
     
  8. Adrynalyne

    Adrynalyne Guest

    Ya know, I always thought it funny that there is no DOS in XP, yet all XP installs have:


    command.com
    msdos.sys
    autoexec.bat
    config.sys
    io.sys

    There are some files missing sure, but nonetheless...
     
  9. Wisewiz

    Wisewiz Apprentice's Sorcerer

    You've got it. That's the best we can do in XP, and it still behaves itself like DOS. The important thing here is that Windows won't let you delete the Temp Int Files folder (it's a protected folder) but you can get rid of it at the command prompt, and Windows will re-make it.

    When you've booted to the command prompt and it's there on the screen blinking at you, type
    CD C:\Documents and Settings\Log on\Local Settings
    The appearance of the command prompt will change to a version of the line you just typed.
    Now type
    RD Temporary Internet Files
    and confirm if asked.

    Then Ctrl+Alt+Del to reboot to Windows. Then re-run your AV.

    I think all that will still work. If it doesn't do what we want it to, it at least won't do any harm, and if you tell me it didn't work, I'll get you a couple of batch files that will do the whole thing for you.

    The object of all this, of course, is just to kill everything that has been touched by the virus.
     
  10. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Since I might not be on the forum if you can't get rid of TIFs the way I suggested, here's the link I promised to a fine solution that I use regularly. Just pay attention to the XP parts of the page and get the XP version of the file and put it in C:\ and make a shortcut to it or download the shortcut offered on this page. I've edited mine to just delete TIFs, and not all the other folders, but it won't hurt to delete the other folders, too.

    Milly's WinClean Command is HERE (click)

    This solution to cleaning up some bothersome folders periodically is clever because it runs during the next boot after you use the shortcut, operates before Windows can protect the files and folders, and then deletes its own trigger, so that it doesn't do anything until you use the shortcut again.

    Good luck!
     
  11. green_newbie

    green_newbie Private First Class

    "The system cannot find the file specified"
    It tells me that three times fast when I

    CD C:\Documents and Settings\Log on\Local Settings
    The appearance of the command prompt will change to a version of the line you just typed.
    Now type
    RD Temporary Internet Files

    However, I am able to change to that directory, as in I am able to
    cd C:\Documents and Settings\Log on\Local Settings\Temporary Internet Files

    It finds the dir then just fine. I am confused about this here.
     
  12. lesrae

    lesrae Private E-2

    DOS mode doesn't like 'complex' names with spaces in them; it treats each word as a separate file. You've got a couple of choices:

    1. Do a dir /x and it will list all files/directories including their short (8-character) name; you can delete it using this name, i.e. rd tempor~1 or something along those lines.

    2. Put the directory name in quotes, i.e. rd "Temporary Internet Files", which it treats as one filename.

    Checking this, I needed to use switches to delete a directory containing files: rd /q /s tempor~1
     
  13. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Thanks for the correction and input, lesrae.

    Yes, I forgot about the filename problem, so this is the line that should work (with the switches added--they're in my cmd file, but I forgot to put them into the post above):

    rd /s/q "Temporary Internet Files"

    And if you can't navigate to a target with quotes around long names, try using the short-naming convention of DOS: use the first six letters (ignoring spaces), then a tilde (~) and then the number 1 (not the letter "ell"). So
    Mybig Longnamefile
    becomes
    MYBIGL~1

    Sorry you're having trouble here, but this is all a learning experience (for you AND for the ones trying to help). What is dead simple when you can sit down at a computer and control it is a LOT more difficult when you have to tell somebody else how to do it with a text message.
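    Putting the recipe from lesrae's and Wisewiz's posts above into one file, as an added example that is not part of the original thread and is not Milly's WinClean Command: a .cmd script that deletes a user's Temporary Internet Files folder from the Safe Mode command prompt, always passing the long path quoted and falling back to the 8.3 short name that dir /x would show. The profile folder name "Log on" is taken from the thread and is the only thing to edit; SAFEBOOT_OPTION is the variable Windows sets only when booted into Safe Mode, so the script warns if it is missing. Boot with F8 into Safe Mode with Command Prompt and run it from C:\.

```batch
@echo off
rem Added example, not from the thread or from Milly's WinClean: remove a
rem user's Temporary Internet Files folder from a Safe Mode command prompt.
rem The two points raised in the discussion are handled explicitly:
rem   1. the path contains spaces, so it is always passed quoted;
rem   2. if the quoted long name still fails, the 8.3 short name is used
rem      (%%~sf expands to the short path, the same name "dir /x" shows).
rem Assumption: the profile folder is "Log on" as in the thread; edit PROFILE.
setlocal

set "PROFILE=Log on"
set "LOCAL=%SystemDrive%\Documents and Settings\%PROFILE%\Local Settings"
set "TIF=%LOCAL%\Temporary Internet Files"

rem Windows sets SAFEBOOT_OPTION (MINIMAL or NETWORK) only in Safe Mode;
rem in a normal session Explorer and IE keep the folder open and rd fails.
if not defined SAFEBOOT_OPTION (
    echo Warning: not booted in Safe Mode - the folder may be locked.
)

rem A trailing backslash makes "if exist" test for a directory specifically.
if not exist "%TIF%\" (
    echo Folder not found: "%TIF%"
    exit /b 1
)

rem Show the long and 8.3 names side by side before touching anything.
echo Long name : "%TIF%"
for %%f in ("%TIF%") do set "SHORT=%%~sf"
echo Short name: %SHORT%

rem First attempt: quoted long name, the form post 13 settles on.
rd /s /q "%TIF%"
if not exist "%TIF%\" goto :done

rem Second attempt: the 8.3 name needs no quoting because it has no spaces.
echo Quoted long name failed, retrying with the short name...
rd /s /q %SHORT%
if not exist "%TIF%\" goto :done

echo Could not remove "%TIF%" - check for open handles on the folder.
exit /b 1

:done
echo Removed. IE will recreate an empty Temporary Internet Files folder.
exit /b 0
```

    rd prints nothing on success and does not reliably set ERRORLEVEL, which is exactly the silence green_newbie reports further down, so the script checks whether the folder still exists after each attempt instead of trusting an exit code.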
     
  14. green_newbie

    green_newbie Private First Class

    It's not really trouble; yes, it is a learning experience, and this is a good thing. I am patient (sp?) with it.
    Thanks a lot for the help, don't drive yourself too crazy.
     
  15. green_newbie

    green_newbie Private First Class

    So I gave it that command line (once in the correct dir, of course):
    rd /s/q "Temporary Internet Files"

    The computer started "thinking" for a moment and then popped up, ready for the next command. It gave me no message to say it did what I told it or why it couldn't.
    So I was looking at
    C:\Documents and Settings\Log On\Local Settings>_

    I typed in the command at the top of this post, hit Enter, and after a 15-second (unusual for my computer) pause it showed

    C:\Documents and Settings\Log On\Local Settings>
    C:\Documents and Settings\Log On\Local Settings>_

    So I think it is done, because I typed in the same command line again and it couldn't find the file specified, indicating it was deleted.
     
  16. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Yessir, that would be what the computer is saying. Congrats.

    Now may you remain free of the bug.
     
  17. green_newbie

    green_newbie Private First Class

    BWAAHAHAHAHAHAAA

    I restarted my system, ran my AVG, and also Symantec's virus check you can do from their web site, and nothing is detected.

    I win against the bad people again.
    I don't mind people that can manipulate networks and hack into systems and all that; I just hate malicious people.

    Thanks for all the help.
     
  18. Wisewiz

    Wisewiz Apprentice's Sorcerer

    He who laughs last laughs best. Congrats again.
     
