WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.
That Trojan is a downloader, and you got it by a driveby install of some toolbar or you installed some sort of adware [do not mean Ad-Aware] program on your computer.
You didn't mention your OS, but the loophole you may not be aware of is your System Restore if you have ME or XP. You can remove the trojan all you want, but if it is in there, it gets put back. You need to disable System Restore, reboot, then enable it again.
But follow this recommendation. Get CWShedder, Spybot, and HijackThis, all free and the links are below. First run CWS with the Fix Option with all browsers closed, then reboot. Install Spybot, update it, then do the scan, have it remove everything already checked off.
Then use HJT to do a scan, and post the log on here. Don't do anything with HJT yet, wait for advice. It is just a tool, it doesn't tell you what is bad.
I just removed a Trojan from Program/Common/Updater sui.exe and thought I was pretty clever 'cause I used HJT and eliminated the 04 that related to the updater file, then used Move On Boot to snuff it out, then rebooted.
It seems my action has created a problem for me 'cause now I have a/this Trojan in Program/Common/Updater delupdate.exe but when I look for the Updater file it is now not there so I am lost as to how I can locate it to remove it.
The other thing is... is one able to determine if the Trojan is in System Restore, or is that a trial and error approach..... you know, sorta guess work!!!
Roy 66
Current log
Logfile of HijackThis v1.97.7
Scan saved at 7:06:39 PM, on 8/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
If you did a full scan [all files and folders] with AVG, and a virus is found in C:\System Volume Information\etc, that is one way you know, and AVG cannot get it out, XP will not let it. Only XP can do it for you, by disabling System Restore, rebooting, then enabling it again. The Restore Points are deleted and then recreated new by doing this.
About the file in C:\Program Files\Common Files\Updater, have MoveOnBoot delete the entire folder, you do not need that folder.
Your HJT log looks clean to me, only one thing need fixing that I see.
when I look for the Updater file it is now not there so I am lost as to how I can locate it to remove it.
That should have read Updater folder.......it has gone but I had an AVG readout that I had a Trojan in there Updater/delapdate.exe and when I went to load it into Move On Boot of course I couldn't find the Folder/file.
Thanks for your tip on SVI 'cause believe it or not AVG says I've got one there now "Downloader.Keenval.C" and in future when I get an SVI readout at least I'll know where to go to deal with the critter and so will many others who take a peek at this posting.
For the life of me I haven't a clue how and/or why I am being infected so consistently.
OK, away I go to exterminate this critter, and hopefully I don't get a readout from AVG to go to the Updater folder as it ain't there any more.
I am posting this at 7:48pm Tues June 8.... what time is it in Texas?
I did an online scan with RAV and it suggested 1 infection being:
C/Program Files/Incredifind/BHO/IncFindBHO.dll-TrojanDownloader:win32/????.bx
Well, I did an AVG on this and it came up clean, so I did some online searching and found that it was a useless bit of add-on that wasn't helpful at all, so I have sent it to the Recycle Bin, the whole IncrediFind folder.
Looks like I dropped the ball in your last thread and failed to have you do after-fix-cleanups and protections. My apologies. First, update Ad-aware again.
Assuming that the updater folder is gone, disable system restore.
You will need to show hidden files and folders.
Open C:\Windows\Prefetch, select all and delete.
Open C:\Windows\Temp, select all and delete.
Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
Open and run Ad-aware configured for a custom full scan. Delete all it finds.
Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
Reboot and enable system restore.
Do you have Spybot Version 1.3? If not, download it from my signature and install. Allow it to load SD Helper. Open it up and click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install and update.
Download and install IESpyads.
That will give you an added layer of protection against unwanted parasites.
The other thing is... is one able to determine if the Trojan is in System Restore, or is that a trial and error approach..... you know, sorta guess work!!!
Probably not, and not worth the effort to find it unless you knew the date of the initial infection. If you have repeated infections because the trojan hasn't been fully removed, then, because of the daily SR points being created, the trojan gets "backed up". In that case, shut down SR and then re-enable. This should be done once you're clean.
SR will re-infect you ONLY if restores are done by you, otherwise the trojan just sits there in SR's restore files, a potential re-infection source.
For the life of me I haven't a clue how and/or why I am being infected so consistently.
There are a few things you can check. Go into Internet Options, go to the Advanced tab. In the list of items there, make sure both Install On Demand items are unchecked. The On Demand is not your demand but the website's demand.
Then go to the Security Tab, with Internet highlighted, click on the Custom button. For the ActiveX controls, which begins at the top, have them set in this fashion, going down the line.
Prompt
Disable
Disable
Enable
Enable
The 016's in the HJT log are these controls, your Macromedia Flash/Shockwave will still work.
Then go into Spybot and use the Immunize feature, with 1.3 version you are protected against 1622 threats. Some of these threats involve the Trojan.Downloaders.
If you want further protection, get the IESpyads file from my Signature below, it will put a bunch of websites into your Restricted Sites Zone. This will only work if you go into the Restricted Zone, and set everything to Disable, if no Disable select High, set Password to Prompt, and these sites will not be able to put so much as a cookie on you. Just take a read through the webpage you download it from.
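The ActiveX settings recommended above (Prompt, Disable, Disable, Enable, Enable) are stored by IE as numeric action codes under the Internet zone's registry key. The following added script, which is not from this thread or from any of the tools named in it, parses a .reg export of that key and reports any setting that deviates from the recommended values; the sample export is constructed, and the action-code IDs and the 0/1/3 encoding are the ones IE documents for its security zones.

```python
import re

# IE security-zone action codes (Zones\3 is the Internet zone). The expected
# values follow the Prompt/Disable/Disable/Enable/Enable order given in the thread.
# Encoding: 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIVEX_POLICY = {
    "1001": ("Download signed ActiveX controls", 1),              # Prompt
    "1004": ("Download unsigned ActiveX controls", 3),            # Disable
    "1201": ("Initialize and script ActiveX not marked safe", 3), # Disable
    "1200": ("Run ActiveX controls and plug-ins", 0),             # Enable
    "1405": ("Script ActiveX controls marked safe", 0),           # Enable
}
CODE_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

ZONE3_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]"


def parse_reg_export(text):
    """Return {value_name: int} for the dword values in the Zones\\3 section of a .reg export."""
    values, in_zone3 = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):            # a new key header starts a new section
            in_zone3 = line == ZONE3_KEY
            continue
        m = re.match(r'"(\d+)"=dword:([0-9a-fA-F]{8})', line)
        if in_zone3 and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_activex(values):
    """Return (id, description, found, expected) for every setting that deviates from policy."""
    findings = []
    for vid, (desc, expected) in ACTIVEX_POLICY.items():
        found = values.get(vid)             # None if the value is missing from the export
        if found != expected:
            findings.append((vid, desc, CODE_NAMES.get(found, str(found)), CODE_NAMES[expected]))
    return findings


# Constructed sample export: here unsigned ActiveX downloads are still enabled.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000000
"""

if __name__ == "__main__":
    for vid, desc, found, expected in audit_activex(parse_reg_export(SAMPLE_REG)):
        print(f"{vid} {desc}: is {found}, should be {expected}")
```

On a real machine the export is produced with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and fed to `parse_reg_export`.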
Only Install on demand (other) was ticked so I removed that, though I don't really know its purpose/function or why it's there.
So a webpage can install just about anything it pleases, the Install on Demand [other] is how so many people get driveby installs.
The ActiveX controls were as you suggested.
Good, that means the Install on Demand [other] was one culprit.
Immunization with Spybot came up with 1914 items, 1161 blacklisted.
Click on the green cross with the word Immunize next to it. Then down below where it says Browser Helper, put a checkmark for the box next to "Enable Permanent blocking of bad addresses in Internet Explorer".
Down below that, it may say "Block all bad pages silently", this is fine.
When both are done correctly, you should see two green circle icons with a white check.