Nod 32



ZeroTolerance
08-08-2004, 08:47 PM
Anybody know a good anti-virus / anti-trojan program that would kill trojans?

Here are my trojan files. I have 2.

Only 1 trojan I posted:


File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\bi.cab is infected with trojan Win32/TrojanDownloader.Stubby.A. NOD32 cannot clean this infiltration.

Rip The Jacker
08-08-2004, 08:59 PM
Have you tried restarting in safe mode and deleting the files yourself?

ZeroTolerance
08-08-2004, 09:08 PM
Originally posted by Rip The Jacker@8 August 2004 - 21:00
Have you tried restarting in safe mode and deleting the files yourself?
yes


I ran NOD32 in safe mode but it didn't delete it. I tried deleting it myself manually but I couldn't find the file.

Rip The Jacker
08-08-2004, 09:09 PM
Hmm... try using Trojan Remover (http://www.simplysup.com/), see what happens.

ZeroTolerance
08-08-2004, 09:13 PM
Originally posted by Rip The Jacker@8 August 2004 - 21:10
Hmm... try using Trojan Remover (http://www.simplysup.com/), see what happens.
ok

Rip The Jacker
08-08-2004, 09:15 PM
If you can't find the file, all you have to do is go to Start > Run > type in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\" without the quotes, and click OK, the folder holding the trojan should have opened up.

peat moss
08-08-2004, 09:19 PM
ZeroTolerance, friend, you have some major problems with that puter! Have you tried
HijackThis? Run the program then post here. Some kind soul will help.


http://www.siena.edu/antivirus/Spyware/hijackthis.htm

ZeroTolerance
08-08-2004, 09:24 PM
Originally posted by Rip The Jacker@8 August 2004 - 21:16
If you can't find the file, all you have to do is go to Start > Run > type in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\" without the quotes, and click OK, the folder holding the trojan should have opened up.
Wouldn't that activate the trojan?

ZeroTolerance
08-08-2004, 09:27 PM
Originally posted by peat moss@8 August 2004 - 21:20
ZeroTolerance, friend, you have some major problems with that puter! Have you tried
HijackThis? Run the program then post here. Some kind soul will help.


http://www.siena.edu/antivirus/Spyware/hijackthis.htm
Logfile of HijackThis v1.98.0
Scan saved at 4:30:50 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Documents and Settings\Owner\Desktop\trayit\trayit!.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trojan Remover\jyi1.exe
C:\Program Files\Trojan Remover\jyi1.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: TrayIt!.lnk = C:\Documents and Settings\Owner\Desktop\trayit\trayit!.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab)
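
An added example, not part of this thread or of HijackThis itself: a small Python parser that reads a HijackThis log and flags the entries a helper would look at first. The sample input is a verbatim excerpt of the log posted above; the reason strings and the heuristics (bare filenames in Run keys that get resolved through the PATH search order, autostarts from Temp/Desktop/Local Settings, dangling "(file missing)" entries, ActiveX controls pulled over HTTP, the same image running more than once) are my choices, not HijackThis output.

```python
import re
from collections import Counter

# Sample input: a verbatim excerpt of the HijackThis v1.98 log posted in this thread.
HJT_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 4:30:50 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Trojan Remover\jyi1.exe
C:\Program Files\Trojan Remover\jyi1.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: TrayIt!.lnk = C:\Documents and Settings\Owner\Desktop\trayit\trayit!.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Reason labels (my wording, not HijackThis terminology).
DANGLING = "target no longer on disk (file missing)"
BARE = "bare filename: resolved through the PATH search order, confirm which file actually runs"
USER_DIR = "autostart from a user-writable directory (Temp/Desktop/Local Settings)"
DPF = "ActiveX control fetched over HTTP"
DUP_PROC = "same image running more than once"

USER_WRITABLE = ("\\temp\\", "\\desktop\\", "\\local settings\\")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return processes, entries


def o4_target(body):
    """Extract the launched command from an O4 body: '[name] cmd' or 'x.lnk = cmd'."""
    m = re.search(r"\] (.+)$", body)
    if m:
        return m.group(1).strip()
    m = re.search(r" = (.+)$", body)
    if m:
        return m.group(1).strip()
    return body


def flag_entries(processes, entries):
    """Return [(section, reason, detail)] for everything worth a second look."""
    findings = []
    for sec, body in entries:
        low = body.lower()
        if "(file missing)" in low:
            findings.append((sec, DANGLING, body))
        if sec == "O4":
            target = o4_target(body)
            if not re.match(r'^"?[a-z]:\\', target, re.I):
                findings.append((sec, BARE, target))
            if any(k in target.lower() for k in USER_WRITABLE):
                findings.append((sec, USER_DIR, target))
        if sec == "O16" and "http://" in low:
            findings.append((sec, DPF, body))
    for name, n in Counter(p.lower() for p in processes).items():
        if n > 1:
            findings.append(("PROC", DUP_PROC, f"{name} x{n}"))
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt(HJT_LOG)
    for sec, reason, detail in flag_entries(procs, ents):
        print(f"{sec:5} {reason}\n      {detail}")
```

The bare-filename check is the one most relevant to this thread: an entry like `[AlcxMonitor] ALCXMNTR.EXE` gives no directory, so only a search of the PATH order tells you which file actually starts. The duplicate-process hit here (jyi1.exe, the Trojan Remover scanner) is benign, which is why these are "look at" flags, not verdicts.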

Rip The Jacker
08-08-2004, 09:32 PM
Originally posted by ZeroTolerance@8 August 2004 - 13:25
Originally posted by Rip The Jacker@8 August 2004 - 21:16
If you can't find the file, all you have to do is go to Start > Run > type in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\" without the quotes, and click OK, the folder holding the trojan should have opened up.
Wouldn't that activate the trojan?
No. Just make sure you leave out the "bi.cab" part at the end.

Do this at Start > Run:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\
This will open the folder, then look for the "bi.cab" file and delete it.

Don't do this:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\bi.cab
That will open the file.

I have to go to work, good luck.

peat moss
08-08-2004, 09:33 PM
Originally posted by ZeroTolerance+8 August 2004 - 13:28--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (ZeroTolerance @ 8 August 2004 - 13:28)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin-peat moss@8 August 2004 - 21:20
ZeroTolerance,&nbsp; Friend you have some major problems with that puter&#33; Have you tryed
Hijack this ? Run program then post here. Some kind soul will help.


http://www.siena.edu/antivirus/Spyware/hijackthis.htm
ogfile of HijackThis v1.98.0
Scan saved at 4:30:50 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:&#092;WINDOWS&#092;System32&#092;smss.exe
C:&#092;WINDOWS&#092;system32&#092;winlogon.exe
C:&#092;WINDOWS&#092;system32&#092;services.exe
C:&#092;WINDOWS&#092;system32&#092;lsass.exe
C:&#092;WINDOWS&#092;system32&#092;svchost.exe
C:&#092;WINDOWS&#092;System32&#092;svchost.exe
C:&#092;WINDOWS&#092;system32&#092;spoolsv.exe
C:&#092;Program Files&#092;Alwil Software&#092;Avast4&#092;aswUpdSv.exe
C:&#092;Program Files&#092;Alwil Software&#092;Avast4&#092;ashServ.exe
C:&#092;PROGRA~1&#092;Grisoft&#092;AVG6&#092;avgserv.exe
C:&#092;Program Files&#092;Softex&#092;OmniPass&#092;Omniserv.exe
C:&#092;WINDOWS&#092;System32&#092;svchost.exe
C:&#092;Program Files&#092;Softex&#092;OmniPass&#092;OPXPApp.exe
C:&#092;WINDOWS&#092;Explorer.EXE
C:&#092;windows&#092;system&#092;hpsysdrv.exe
C:&#092;HP&#092;KBD&#092;KBD.EXE
C:&#092;PROGRA~1&#092;ALWILS~1&#092;Avast4&#092;ashDisp.exe
C:&#092;PROGRA~1&#092;ALWILS~1&#092;Avast4&#092;ashmaisv.exe
C:&#092;Program Files&#092;Messenger&#092;msmsgs.exe
C:&#092;Program Files&#092;interMute&#092;SpamSubtract&#092;SpamSubtract.exe
C:&#092;Documents and Settings&#092;Owner&#092;Desktop&#092;trayit&#092;trayit&#33;.exe
C:&#092;Program Files&#092;Kazaa Lite K++&#092;KazaaLite.kpp
C:&#092;Program Files&#092;Internet Explorer&#092;IEXPLORE.EXE
C:&#092;Program Files&#092;Trojan Remover&#092;jyi1.exe
C:&#092;Program Files&#092;Trojan Remover&#092;jyi1.exe
C:&#092;Documents and Settings&#092;Owner&#092;Desktop&#092;hijackthis.exe

R1 - HKCU&#092;Software&#092;Microsoft&#092;Internet Explorer&#092;Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU&#092;Software&#092;Microsoft&#092;Internet Explorer&#092;Main,Search Page = http://google.icq.com
R0 - HKCU&#092;Software&#092;Microsoft&#092;Internet Explorer&#092;Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:&#092;Program Files&#092;ICQToolbar&#092;toolbaru.dll
O2 - BHO: Yahoo&#33; Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:&#092;Program Files&#092;Yahoo&#33;&#092;Messenger&#092;ycomp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:&#092;PROGRA~1&#092;SPYBOT~1&#092;SDHelper.dll
O3 - Toolbar: &Yahoo&#33; Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:&#092;Program Files&#092;Yahoo&#33;&#092;Messenger&#092;ycomp.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:&#092;Program Files&#092;ICQToolbar&#092;toolbaru.dll
O4 - HKLM&#092;..&#092;Run: [hpsysdrv] c:&#092;windows&#092;system&#092;hpsysdrv.exe
O4 - HKLM&#092;..&#092;Run: [KBD] C:&#092;HP&#092;KBD&#092;KBD.EXE
O4 - HKLM&#092;..&#092;Run: [NvCplDaemon] RUNDLL32.EXE C:&#092;WINDOWS&#092;System32&#092;NvCpl.dll,NvStartup
O4 - HKLM&#092;..&#092;Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM&#092;..&#092;Run: [NeroFilterCheck] C:&#092;WINDOWS&#092;system32&#092;NeroCheck.exe
O4 - HKLM&#092;..&#092;Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM&#092;..&#092;Run: [AVG_CC] C:&#092;PROGRA~1&#092;Grisoft&#092;AVG6&#092;avgcc32.exe /STARTUP
O4 - HKLM&#092;..&#092;Run: [avast&#33;] C:&#092;PROGRA~1&#092;ALWILS~1&#092;Avast4&#092;ashDisp.exe
O4 - HKLM&#092;..&#092;Run: [ashMaiSv] C:&#092;PROGRA~1&#092;ALWILS~1&#092;Avast4&#092;ashmaisv.exe
O4 - HKLM&#092;..&#092;Run: [TrojanScanner] C:&#092;Program Files&#092;Trojan Remover&#092;Trjscan.exe
O4 - HKCU&#092;..&#092;Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU&#092;..&#092;Run: [MSMSGS] "C:&#092;Program Files&#092;Messenger&#092;msmsgs.exe" /background
O4 - HKCU&#092;..&#092;Run: [Yahoo&#33; Pager] C:&#092;Program Files&#092;Yahoo&#33;&#092;Messenger&#092;ypager.exe -quiet
O4 - HKCU&#092;..&#092;Run: [Window Washer] C:&#092;Program Files&#092;Webroot&#092;Washer&#092;wwDisp.exe
O4 - Startup: spamsubtract.lnk = C:&#092;Program Files&#092;interMute&#092;SpamSubtract&#092;SpamSubtract.exe
O4 - Startup: TrayIt&#33;.lnk = C:&#092;Documents and Settings&#092;Owner&#092;Desktop&#092;trayit&#092;trayit&#33;.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:&#092;Program Files&#092;Quicken&#092;bagent.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:&#092;Program Files&#092;ICQToolbar&#092;toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:&#092;WINDOWS&#092;System32&#092;msjava.dll
O9 - Extra &#39;Tools&#39; menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:&#092;WINDOWS&#092;System32&#092;msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:&#092;Program Files&#092;Microsoft Money&#092;System&#092;mnyside.dll (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab) [/b][/quote]
Wow are you quick! Good one. :D

ZeroTolerance
08-08-2004, 09:34 PM
Originally posted by Rip The Jacker@8 August 2004 - 21:33
Originally posted by ZeroTolerance@8 August 2004 - 13:25
Originally posted by Rip The Jacker@8 August 2004 - 21:16
If you can't find the file, all you have to do is go to Start > Run > type in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\" without the quotes, and click OK, the folder holding the trojan should have opened up.
Wouldn't that activate the trojan?
No. Just make sure you leave out the "bi.cab" part at the end.

Do this at Start > Run:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\
And look for the "bi.cab" file and delete it.

Don't do this:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\bi.cab
That will open the file.
OK, I searched for the file and I don't see bi.cab.

I see

bi
bi
bi

hungrylilboy
08-08-2004, 10:41 PM
Not being funny, but get rid of avast!
I had it for years and was a huge fan until I got a very bad destructive virus that killed all my .exe, .mp3 and .avi files.
I then learnt that they don't have a huge database of old viruses; they simply use the most common ones, which is how they get good results in "in the wild" tests. They recently failed some tests too.

My advice would be to clean it up this time, then move to KAV or NAV.

ZeroTolerance
08-09-2004, 01:32 AM
I did. Anybody know any other good programs?

Rip The Jacker
08-09-2004, 05:02 AM
Originally posted by ZeroTolerance@8 August 2004 - 13:35
ok i searched for the file and i dont see bi.cab

i see

bi
bi
bi
3 "bi" files? What are their extensions? In fact, I'd bet those are the files you're looking for.

Chame1eon
08-09-2004, 07:29 AM
You can see the extensions by going to My Computer > Tools > Folder Options > View and unchecking "Hide extensions for known file types".
If you open the .cab file with WinRAR you can find and delete the file without deleting the entire archive.
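
An added example, not code from this thread, WinRAR or any of the tools named here: a Python reader for the cabinet (.cab) directory, so the members of a file like bi.cab can be listed without extracting or double-clicking it. It parses the CFHEADER/CFFOLDER/CFFILE layout of the Microsoft cabinet format; the sample archive is constructed in the block (names, sizes and the `risky_members` extension list are mine, and nothing here describes what the thread's bi.cab actually contained).

```python
import struct

MSCF = b"MSCF"
CFHEADER_FMT = "<4sIIIIIBBHHHHH"      # signature .. iCabinet, 36 bytes
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)
CFFOLDER_FMT = "<IHH"                  # coffCabStart, cCFData, typeCompress, 8 bytes
CFFILE_FMT = "<IIHHHH"                 # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFFILE_SIZE = struct.calcsize(CFFILE_FMT)

# Extensions Windows will execute, or that an .inf can drive through advpack/rundll32 (my list).
EXEC_EXT = {".exe", ".dll", ".ocx", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".inf"}


def list_cab(data: bytes):
    """Return [(name, size, attribs)] for every CFFILE entry.

    Only the cabinet directory is read; no CFDATA block is decompressed and
    nothing is written to disk, so a hostile archive is never 'opened'.
    """
    if len(data) < CFHEADER_SIZE or data[:4] != MSCF:
        raise ValueError("not a cabinet: MSCF signature missing")
    (_sig, _r1, _cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     _n_folders, n_files, _flags, _setid, _icab) = struct.unpack_from(CFHEADER_FMT, data, 0)
    # coffFiles already skips any optional reserve / prev / next fields in the
    # header, so the CFFILE table can be walked without parsing those.
    if coff_files < CFHEADER_SIZE or coff_files > len(data):
        raise ValueError("CFFILE offset outside the data")
    pos, files = coff_files, []
    for _ in range(n_files):
        if pos + CFFILE_SIZE > len(data):
            raise ValueError("truncated CFFILE table")
        cb_file, _uoff, _ifolder, _date, _time, attribs = struct.unpack_from(CFFILE_FMT, data, pos)
        pos += CFFILE_SIZE
        end = data.find(b"\x00", pos)          # szName is NUL-terminated
        if end < 0:
            raise ValueError("unterminated CFFILE name")
        files.append((data[pos:end].decode("latin-1"), cb_file, attribs))
        pos = end + 1
    return files


def risky_members(files):
    """Names of members whose extension Windows would execute."""
    out = []
    for name, _size, _attr in files:
        dot = name.lower().rfind(".")
        if dot >= 0 and name.lower()[dot:] in EXEC_EXT:
            out.append(name)
    return out


def build_sample_cab(members):
    """Construct a cabinet directory (header + one CFFOLDER + CFFILE entries) for testing.

    Constructed sample, not the thread's bi.cab. No CFDATA blocks are emitted,
    so the result lists correctly but could not be extracted.
    """
    table = b""
    offset = 0
    for name, size in members:
        table += struct.pack(CFFILE_FMT, size, offset, 0, 0x3108, 0x8000, 0x20) + name.encode("ascii") + b"\x00"
        offset += size
    coff_files = CFHEADER_SIZE + struct.calcsize(CFFOLDER_FMT)
    total = coff_files + len(table)
    header = struct.pack(CFHEADER_FMT, MSCF, 0, total, 0, coff_files, 0, 3, 1, 1, len(members), 0, 0, 0)
    folder = struct.pack(CFFOLDER_FMT, total, 0, 0)   # data blocks would start after the directory
    return header + folder + table


if __name__ == "__main__":
    sample = build_sample_cab([("loader.exe", 1234), ("readme.txt", 80)])
    for name, size, attr in list_cab(sample):
        print(f"{name:20} {size:8d} attribs=0x{attr:04x}")
    print("risky:", risky_members(list_cab(sample)))
```

Listing the directory is the safe counterpart of "open it in WinRAR": it tells you what the downloader staged, which is the clue to what may still be running after bi.cab itself is gone. A malformed or truncated archive raises rather than guessing.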

ZeroTolerance
08-09-2004, 08:01 PM
Originally posted by Chame1eon@9 August 2004 - 07:30
You can see the extensions by going to My Computer > Tools > Folder Options > View and unchecking "Hide extensions for known file types".
If you open the .cab file with WinRAR you can find and delete the file without deleting the entire archive.
It was a WinRAR bi.cab file, but I deleted it already. I deleted the file but it's still active on my computer. How do I get rid of it completely?

peat moss
08-09-2004, 08:08 PM
Originally posted by ZeroTolerance@9 August 2004 - 12:02
Originally posted by Chame1eon@9 August 2004 - 07:30
You can see the extensions by going to My Computer > Tools > Folder Options > View and unchecking "Hide extensions for known file types".
If you open the .cab file with WinRAR you can find and delete the file without deleting the entire archive.
It was a WinRAR bi.cab file, but I deleted it already. I deleted the file but it's still active on my computer. How do I get rid of it completely?
Is it still in the WinRAR archive?

ZeroTolerance
08-09-2004, 08:14 PM
Originally posted by peat moss@9 August 2004 - 20:09
Originally posted by ZeroTolerance@9 August 2004 - 12:02
Originally posted by Chame1eon@9 August 2004 - 07:30
You can see the extensions by going to My Computer > Tools > Folder Options > View and unchecking "Hide extensions for known file types".
If you open the .cab file with WinRAR you can find and delete the file without deleting the entire archive.
It was a WinRAR bi.cab file, but I deleted it already. I deleted the file but it's still active on my computer. How do I get rid of it completely?
Is it still in the WinRAR archive?
No, I deleted it before I put it in WinRAR; I just deleted it manually.

Chame1eon
08-10-2004, 09:35 AM
I'm not sure what you are saying. You deleted it, then put it in WinRAR :huh: ?

ZeroTolerance
08-10-2004, 05:17 PM
Originally posted by Chame1eon@10 August 2004 - 09:36
I'm not sure what you are saying. You deleted it, then put it in WinRAR :huh: ?
I could have opened the file in WinRAR, but I deleted it.