Recovering from a Trojan

frog
Posts: 6
Joined: 01 May 2009, 23:00

Recovering from a Trojan

Post by frog »

Windows XP SP3

Here is a long story that I hope I can keep short. On April 29, there
suddenly appeared on screen a window that indicated that some form of a
virus or malware was present on my system and wanted to know whether it
was okay to scan for this critter(s). Since I did not recognize the
window and had learned from earlier newsgroup exchanges that such could
be dangerous, I attempted to click this window of the system...it would
not let me take that action. I then from the start button turned the
system off. That seemed to make everything work as normal. The next
morning, I received a message from my CA Anti Virus software that it had
two trojan items deleted from my system. The two items were:

4/30/2009 0:08:11 AM File Infection: C:\Documents and
Settings\Frog\Local Settings\Application
Data\Mozilla\Profiles\Frog-SeaM\Cache\4160AC69d01 is Win32/FakeAlert.AHW
trojan. Deleted
4/30/2009 0:08:11 AM File Infection:
C:\Docume~1\Frog~1\Locals~1\Temp\omfa4cOp.exe is Win32/FakeAlert.AHW
trojan. Deleted

Well, as soon as this happened, I did a complete virus scan of my
system---nothing found. I next did a complete Malwarebytes' scan of my
system---nothing was found. I then did a complete Windows Defender scan
of my system---nothing was found. I next did a disk clean-up, deleting
all temp files and removed everything from the recycle bin. I also did
an sfc /scannow, CHKDSK C: /F /R, and a defrag. My system continues at
this point to be acting normal.

Today, I decided to see what, if anything, is being reflected in the Event
Viewer. New things are appearing in this log as follows:

Application log (the same entry has appeared three times since April 30)
  Type:        Error
  Date/Time:   5/1/2009 2:00:02 PM
  Source:      MPSampleSubmission
  Category:    None
  Event ID:    5000
  User:        N/A
  Computer:    Frog-ADF6F864
  Description: Event Type mptelemetry, P1 8024400e, P2 endsearch, P3
               search, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0,
               P7 windows defender, P8 NIL, P9 NIL, P10 NIL.

System log (the same entry has appeared 31 times since April 30)
  Type:        Warning
  Date/Time:   5/2/2009 9:34:47 AM
  Source:      WinDefend
  Category:    None
  Event ID:    3004
  User:        N/A
  Computer:    Frog-ADF6F864
  Description: Windows Defender Real-Time Protection agent has detected
               changes. Microsoft recommends you analyze the software that
               made these changes for potential risks. You can use
               information about how these programs operate to choose
               whether to allow them to run or remove them from your
               computer. Allow changes only if you trust the program or the
               software publisher. Windows Defender can't undo changes that
               you allow.

The bottom line---the only software change that was made to my system in
recent times involved updates...upgrading to Internet Explorer 8, CA
Anti Virus updates, Malwarebytes' software updates, and Windows Defender
updates. Thus, I don't have a clue as to what software changes were
made that caused problems with Windows Defender.

Well, there is my situation (please let me know if I need to provide any
additional information). Do I need to take any action regarding the
above? If so, in easy to understand guidance, what action should I
take? Is there something in the firewall that needs to be checked in
order to prevent unwanted things like the Trojan items from getting on
my system?

Thanks in advance for anything sent my way.


Frog
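Added example, not part of Frog's post: a first-pass triage of the two recurring event-log entries he lists, plus the autostart registry keys a FakeAlert-style rogue normally uses to come back after a reboot. Neither event is a malware detection: WinDefend 3004 is Defender's real-time agent noting that some program changed a monitored setting (the full message text names it; Event Viewer's list view shows only the first line), and MPSampleSubmission 5000 with P1=8024400e is a Windows Update client error code (0x8024xxxx codes come from that client) hit by mpsigdwn.dll, Defender's definition downloader, during its update search. The script assumes Windows XP SP3 with PowerShell 2.0 installed and an administrator account; the date 2009-04-29 is the day of the fake "scan now" pop-up from the post.

```powershell
# Added example (not from the original post). Assumes XP SP3 + PowerShell 2.0,
# run as an administrator. $since is the date of the fake scan pop-up.
$since = Get-Date '2009-04-29'

# 1. How many of each entry since the pop-up, and what the 3004 text says.
$defender  = @(Get-EventLog -LogName System -Source WinDefend -After $since |
               Where-Object { $_.EventID -eq 3004 })
$telemetry = @(Get-EventLog -LogName Application -Source MPSampleSubmission -After $since |
               Where-Object { $_.EventID -eq 5000 })

"WinDefend 3004 since {0}: {1}" -f $since.ToShortDateString(), $defender.Count
"MPSampleSubmission 5000 since {0}: {1}" -f $since.ToShortDateString(), $telemetry.Count

# The full Message of each 3004 event carries the detail that answers
# 'what software change was made?'; print them in time order.
$defender | Sort-Object TimeGenerated |
    ForEach-Object { "{0}`n{1}`n" -f $_.TimeGenerated, $_.Message }

# 2. Autostart entries. An AV deleting omfa4cOp.exe from %TEMP% does not
#    delete a Run value that still points at it. Values whose path is under
#    a temp or cache folder are flagged; anything flagged or random-looking
#    is what to show a malware-help forum.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$metadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$suspect  = '\\Temp\\|\\Cache\\|\\Temporary Internet Files\\'   # regex, matches \Temp\ etc.

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($metadata -contains $v.Name) { continue }   # provider metadata, not a Run value
        $flag = ''
        if ("$($v.Value)" -match $suspect) { $flag = '   <-- runs from a temp/cache folder' }
        "{0}`n    {1} = {2}{3}" -f $key, $v.Name, $v.Value, $flag
    }
}
```

The counts tell you whether the 3004 entries cluster around the April 29 pop-up or simply recur whenever some updater runs; the Run-key listing is the part worth pasting into a malware-help forum if anything in it points outside Program Files or Windows.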

randem
Posts: 17
Joined: 14 Mar 2009, 00:00

Re: Recovering from a Trojan

Post by randem »

This little read may be helpful http://www.randem.com/virusproblems.html to
give you some ideas on how to proceed.


--
Randem Systems
Your Installation Specialist
The Top Inno Setup Script Generator
http://www.randem.com/innoscript.html
Disk Read Error Press Ctl+Alt+Del to Restart
http://www.randem.com/discus/messages/9 ... 1236319938

pa bear [ms mvp]
Posts: 117
Joined: 01 Mar 2009, 00:00

Re: Recovering from a Trojan

Post by pa bear [ms mvp] »

There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwa ... fault.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/pag ... ng_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachines ... board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
or other appropriate forums.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

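Added example, not PA Bear's own text: his step 1 (run the MSRT full scan, bringing MRT.EXE over from a clean machine under a different name) carried out from a PowerShell 2.0 prompt on the XP machine, with one check a practitioner would add first: verify the Authenticode signature of the copied file before it runs, since a rogue that interferes with scanners can also interfere with what you carry in, and an unsigned "mrt.exe" is not MSRT. Assumed: the MSRT package was downloaded on a clean machine and sits on removable media at E:\tools\mrt.exe (hypothetical path), and the prompt runs as administrator. MSRT's documented switches are /Q (quiet), /N (detect only), /F (forced extended scan) and /F:Y (extended scan with automatic removal).

```powershell
# Added example (not from the original thread). Assumes XP + PowerShell 2.0,
# administrator prompt, and MSRT copied from a clean machine to this path.
$source = 'E:\tools\mrt.exe'   # hypothetical location on removable media

# Refuse to run anything whose Microsoft signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $source
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw ('Refusing to run {0}: signature status {1}' -f $source, $sig.Status)
}

# Copy under a generated name in a fresh folder. Rogues that block scanners
# do so by file/process name; a random name is harder to anticipate than
# the fixed SCAN.EXE suggested in the post.
$rand    = [IO.Path]::GetRandomFileName().Replace('.', '')
$workDir = Join-Path $env:USERPROFILE ('msrt-' + $rand)
New-Item -ItemType Directory -Path $workDir | Out-Null
$dest = Join-Path $workDir ([IO.Path]::GetRandomFileName().Replace('.', '') + '.exe')
Copy-Item -Path $source -Destination $dest

# /F = forced extended (full) scan, /Q = no UI. Use '/F:Y /Q' to also remove
# what is found without prompting; '/N' would be detect-only.
$proc = Start-Process -FilePath $dest -ArgumentList '/F /Q' -Wait -PassThru
'MSRT finished with exit code {0}' -f $proc.ExitCode

# MSRT writes its own log; the end of the file is this run's Results Summary.
$log = Join-Path $env:WINDIR 'debug\mrt.log'
if (Test-Path $log) { Get-Content -Path $log | Select-Object -Last 40 }
```

MSRT only targets a list of prevalent families, so a clean mrt.log is evidence against those families only, not a clean bill of health; that is why step 3 (a proper hijackware check with logs posted to a specialist forum) still follows.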

patrick keenan
Posts: 23
Joined: 05 Mar 2009, 00:00

Re: Recovering from a Trojan

Post by patrick keenan »

You should clear the browser caches, temporary folders, and temporary
internet files folders more often. The free tool ccleaner can help you
significantly with this (www.ccleaner.com). Those locations, as well as
music file-sharing programs, are a main source of infections.

Note that this will also remove things like saved passwords for web sites,
but if your PC has been saving those and has been infected you should be
thinking about changing them anyway.

HTH
-pk
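Added example, not part of pk's reply: the cache and temp-folder cleanup he recommends, done from a PowerShell 2.0 prompt on XP, with one step a responder would add before emptying anything: record the SHA-1, size, timestamp and path of every executable found in those folders, so the artefacts are on record even after the files are gone. The two CA detections in the thread were exactly such files, one an .exe in %TEMP% and one an extensionless cache entry, so the inventory checks for the "MZ" header as well as the extension. Paths follow the XP profile layout from Frog's post; the report location on the desktop is an assumption.

```powershell
# Added example (not from the original thread). Assumes XP + PowerShell 2.0.
$localSettings = Join-Path $env:USERPROFILE 'Local Settings'

# Mozilla/SeaMonkey keep per-profile cache folders under Local Settings on XP;
# collect only directories named 'Cache' so nothing else of the profile is touched.
$mozillaCaches = @(Get-ChildItem (Join-Path $localSettings 'Application Data\Mozilla') -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -eq 'Cache' } |
    ForEach-Object { $_.FullName })

$targets = @($env:TEMP, (Join-Path $localSettings 'Temporary Internet Files')) + $mozillaCaches
$report  = Join-Path $env:USERPROFILE 'Desktop\cache-executables.txt'   # assumed location

function Get-Sha1Hex([string]$path) {
    try {
        $sha1   = [System.Security.Cryptography.SHA1]::Create()
        $stream = [IO.File]::OpenRead($path)
        try     { [BitConverter]::ToString($sha1.ComputeHash($stream)).Replace('-', '') }
        finally { $stream.Close() }
    } catch { 'unreadable' }   # locked by the browser, or access denied
}

# A PE file starts with 'MZ'; the cache hit in the post had no extension.
function Test-PeHeader([string]$path) {
    try {
        $stream = [IO.File]::OpenRead($path)
        try {
            $bytes = New-Object byte[] 2
            if ($stream.Read($bytes, 0, 2) -lt 2) { return $false }
            return ($bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
        } finally { $stream.Close() }
    } catch { return $false }
}

# 1. Inventory executables before anything is deleted.
$lines = @(Get-ChildItem -Path $targets -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { $_.Extension -match '^\.(exe|dll|scr|com|pif)$' -or (Test-PeHeader $_.FullName) } |
    ForEach-Object {
        "{0}`t{1}`t{2}`t{3}" -f (Get-Sha1Hex $_.FullName), $_.Length, $_.LastWriteTime, $_.FullName
    })
$lines | Out-File -FilePath $report -Encoding UTF8
'{0} executable(s) inventoried to {1}' -f $lines.Count, $report

# 2. Empty the folders. Files the browser still holds open (cache index,
#    index.dat) fail individually instead of stopping the run.
Get-ChildItem -Path $targets -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Remove-Item -Force -ErrorAction SilentlyContinue
```

Close the browser first so the cache index files are not in use, and keep the report: the hashes are what you would give a forum helper or look up against a scanner's detection name later. The cleanup does not touch saved passwords by itself, but pk's point stands: if the machine was infected while it stored them, change them.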

frog
Posts: 6
Joined: 01 May 2009, 23:00

Re: Recovering from a Trojan

Post by frog »

Thanks for the responses.

This has become a very difficult time for
this novice computer technician. I attempted to perform the first two
tasks in your message, PA Bear---download/run the MSRT manually and run
the Windows Live Safety Center's 'Protection' scan---without complete
success. I was able to accomplish the first task without difficulty (no
problems found) and was never able to download/run the second item.
This, coupled with the fact that I was receiving a message every morning
at startup that two items were removed from my system by my anti-virus
software, was the last straw for my frustration threshold. I decided to
revert back to an external drive Casper backup of the C drive that was
made on April 15, which seems to be performing okay for the present.
Subsequent to reloading this backup, I have updated my anti-virus
software...Microsoft Windows software, and again I downloaded/ran the
MSRT manually (no problems were found). I am not, however, able to
download and perform the Windows Live Safety Center's 'Protection'
scan...it indicates that I must make some change that is identified on
the lower portion of the window...nothing shows below.

I am having one problem at the present time involving the
drive letter on one partition of my hard drive. Previously the drive
was known as New Volume (E:) and now is known as New Volume E (E:). I
have attempted to rename this partition back to its original
identification without success. I attempted to make this change by
right-clicking My Computer > Manage > Disk Management > right-click the
desired drive/partition > Change Drive Letter. Is there some other way to
re-identify this drive?

Frog




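Added example; the thread itself never answers the drive-name question. Disk Management's "Change Drive Letter and Paths" edits the letter (the "E:" part), not the volume label (the "New Volume" part), which is a separate property of the volume. The label can be set from a cmd prompt with `label E: New Volume`, or, as below, through WMI from PowerShell 2.0 on XP, where Win32_LogicalDisk.VolumeName is writable. The drive letter E: is taken from Frog's post; the function name is mine.

```powershell
# Added example (not from the original thread). Assumes XP + PowerShell 2.0,
# administrator prompt. Sets the volume label of a drive and reads it back.
function Set-VolumeLabel([string]$drive, [string]$label) {
    $filter = "DeviceID='{0}'" -f $drive
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter $filter
    if ($disk -eq $null) { throw "No logical disk $drive" }

    $disk.VolumeName = $label
    [void]$disk.Put()          # writes the change to the volume

    # Re-read rather than trusting Put(): return the label now on disk.
    (Get-WmiObject -Class Win32_LogicalDisk -Filter $filter).VolumeName
}

Set-VolumeLabel 'E:' 'New Volume'    # cmd equivalent: label E: New Volume
```

Disk Management shows the label in its "Volume" column; if the read-back above returns the new label but Explorer still shows the old one, Explorer is caching it and a refresh (F5) or a log-off is enough.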
