The AM Forum

THE AM BULLETIN BOARD => QSO => Topic started by: W1RKW on December 27, 2008, 10:44:03 AM



Title: virus/trojan question
Post by: W1RKW on December 27, 2008, 10:44:03 AM
I think I have a trojan or some weird virus on one of my computers.  Scanning with 2 different virus scanners doesn't reveal anything, yet every once in a while when using Google and clicking on a weblink I am redirected to various but similar domain names that offer free system virus scans.  My gut tells me these are bogus because opting out causes the offending website to initiate what looks like a scan which I do not believe is what is occurring.  I will not post any of the redirected domain names for fear of someone here clicking on them.  The question is do I indeed have something to be concerned about (I think I do since my other 3 machines don't seem to do this).  How do I fix it if anyone has any experience with this sort of thing?  Is it related to my web browser only (SeaMonkey)? Any ideas?  Researching how to fix this leaves some uncertainty. I don't know if I'm being directed to legit websites


Title: Re: virus/trojan question
Post by: KF1Z on December 27, 2008, 11:00:00 AM
That's not your browser... I get those once in a while with IE.

My first response is to close the browser, and try again... if the same thing happens, I don't bother trying that website again.

I don't know, it MAY be malware.....


Title: Re: virus/trojan question
Post by: Blaine N1GTU on December 27, 2008, 11:24:38 AM
Also check your proxy setting in IE; it should be set to disabled.
There was a virus/malware going around that would hijack IE and reroute your traffic through their proxy server, giving them the ability to see where you go and harvest passwords.
Make sure IE has the latest security patch that was released a week or two ago (do all Windows updates),
and start using Mozilla Firefox  :)



Title: Re: virus/trojan question
Post by: W1RKW on December 27, 2008, 11:31:56 AM
The problem is with my Mozilla browsers and IE for that matter too.  Never use IE however.


Title: Re: virus/trojan question
Post by: W3SLK on December 27, 2008, 11:59:55 AM
Spybot S&D works well. Also, check your task manager for which processes are running. You may be able to find something there that shouldn't be running.


Title: Re: virus/trojan question
Post by: Bill, KD0HG on December 27, 2008, 12:05:35 PM
Yup, you prolly have a virus. Happened to me several weeks ago after my teen son used my computer one night, in spite of having Symantec anti-virus in place. Miscellaneous web sites kept popping up on my browser.

Symantec didn't find or remove same.

I did find two fixes. One is called combofix, it's freeware and available for download at numerous locations. Read and understand the instructions first.

http://www.myantispyware.com/2007/10/08/combofix-another-free-anti-spyware-tool/

If that doesn't do it, try a program called Stopzilla. It's kind of funky, costs $9.95, it often finds crap that is irrelevant, but it did the trick. You can download it for free, do a scan, and find any malware in your computer. You have to register and pay if you want it to remove what it finds.

I'm really disappointed in the performance of  Symantec Corporate version 10.

If you are running XP, make SURE the firewall settings haven't been altered from NO exceptions.


Title: Re: virus/trojan question
Post by: Opcom on December 27, 2008, 12:14:56 PM
I use Avast antivirus and ZoneAlarm firewall, both free versions for home use, and as good as/better than the Symantec antivirus and Windows firewall. One PC is connected directly to the internet with just these running and there have been no problems even though there are daily attacks. This does not address spyware. But if I worry about that then I remove it myself after finding it with "HijackThis".


Title: Re: virus/trojan question
Post by: flintstone mop on December 27, 2008, 12:23:26 PM
Firefox is falling into some security problems too. No one is absolutely safe.

Thanks for the tip on the PROXY settings.

I had a virus called ANTIVIRUS 2009(?) Can't remember exactly. And it looked official, like it was from M$. This virus had the MS logo security shield and it kept trying to re-direct me for a scan, and I figured that Microsoft wouldn't do that, so I found the file in my documents, but couldn't delete it or move it. I HAD NORTON and it wouldn't catch it or remove it.
I bought SHIELD DELUXE 2008 and it found it and deleted the virus. Shield Deluxe does not slow the computer down like Norton does.
Have a great New Year!!!!

Fred


Title: Re: virus/trojan question
Post by: W1RKW on December 27, 2008, 12:37:49 PM
Fred,
That's the critter I'm dealing with Antivirus2009.  I'll have to try the Shield Deluxe 2008. Nothing else seems to deal with it.  Thanks.  I'll keep you posted on the results.


Title: Re: virus/trojan question
Post by: K1JJ on December 27, 2008, 12:49:35 PM
Hi Bob,

I use AVAST and a firewall and MS Explorer.

About five months ago I got my first virus ever, since 1987 pre-internet. I clicked on a U-Tube video that evidently contained a trojan. I should have gotten suspicious when the video required an additional click to work... sigh.  It did the same thing as yours - started "pretending" to scan for viruses, but instead was downloading files to my machine. It then wanted $$ to "cure" the problem. Kept popping up.  Classic scam.

I tried all the usual cures, but finally said the heck with it. This is a drastic measure, but sure-fire to work...I reloaded XP and started from scratch. Everything works FB now, of course... :-)

I was told that the infected computer could infect the other ones on the same router/network, so I kept them all off during this short period.

These days, I never click on a link that bypasses the MS warning window of "safe" sites or files. I had gotten a warning message before the problem started. Since then, so far so good...  Hope you find a less drastic cure, but sometimes this is the one that saves time in the end, assuming you have a backup of important work..

T


Title: Re: virus/trojan question
Post by: WA1GFZ on December 27, 2008, 01:06:48 PM
I had one on a drive I installed as a second in this machine. I found the file and moved it to another folder then deleted it. It took a couple of tries but I was able to track it down and remove the thing. I didn't want to reload XP.


Title: Re: virus/trojan question
Post by: W3SLK on December 27, 2008, 02:21:42 PM
Fred said:
Quote
had a virus called ANTIVIRUS 2009(?) Can't remember exactly. And it looked official, like it was from M$. This virus had the MS logo security shield and it kept trying to re-direct me for a scan, and I figured that MicroSoft wouldn't do that, so I found the file in my documents, but couldn't delete it or move it. I HAD NORTON and it wouldn't catch it or remove it.
I bought SHIELD DELUXE 2008 and it found it and deleted the virus. Shield Deluxe does not slow the computer down like Norton does.

I've had some issues like that. I found the only way to remove them is to either log on as administrator, or open up Windows in 'Safe Mode'. AOL used to have crap like that where it would let you delete it. I was in Safe Mode once and for some unknown reason I successfully deleted it.


Title: Re: virus/trojan question
Post by: W1RKW on December 27, 2008, 02:50:53 PM
Tom,
I can get complacent at times and that is what bit me.  Usually I'm on the ball when it comes to stuff like this but I got lazy.  Usually unknown files go to another machine I do not care about but unfortunately it is on my office machine.  A relative of mine from overseas brought something she thought my wife would like so I transferred it from her thumbdrive yesterday and that's when strange things started happening. That machine is off the network for now until I can isolate and kill it and prevent potential snooping from the outside. All the financial stuff is on the machine.  The other computers including this one were turned off so there's no worry about them being infected. 

I tried a System Restore by going to a point previous to this problem but that didn't work.

I'm in the thinking I have to reload it mode.  It's probably due for it anyway but I will try to work around it first. 

For me this is my 2nd virus/trojan/malware problem.  Like you I never really worried about it too much and never ran virus protection software, until now.  Personally, I can't stand the stuff.  It just bogs down the machine.

I tried running McAfee, Symantec and AVG with no luck.  Right now Shield Deluxe (the one Fred recommended) is running.  We'll see what happens.

I'm on vacation until 1/5 so I'm leaning to a reload and starting over since I have the time.  Unfortunately, dickin around with a PC was not how I wanted to spend my vacation.  Oh well.

I'd like to kick these idiots in the "G.D. balls" for doing this stuff.

Thanks for the tips everyone.  Still scanning.


Title: Re: virus/trojan question
Post by: W1RKW on December 27, 2008, 03:12:15 PM
Does anyone know if there is a software company that makes a piece of software that runs in the background that shows who or what is connected from the outside to one's computer?  I know ZoneAlarm does something like this but I'm not looking for something that pops up all the time or is a firewall.  Something that runs as a separate window and shows or monitors IP addresses and whether traffic is inbound or outbound but just sort of runs in the background.


Title: Re: virus/trojan question
Post by: Bill, KD0HG on December 27, 2008, 04:39:54 PM
Does anyone know if there is a software company that makes a piece of software that runs in the background that shows who or what is connected from the outside to one's computer?  I know ZoneAlarm does something like this but I'm not looking for something that pops up all the time or is a firewall.  Something that runs as a separate window and shows or monitors IP addresses and whether traffic is inbound or outbound but just sort of runs in the background.

Zone Alarm does exactly that. It won't give you popups if you shut that feature off, and it will keep a log of attempted connection IPs and ports for you. Doesn't use much CPU or memory, either.

I really liked the older versions of ZA. V 5.X and V6.X
The newest versions are bloated.
You can download them all here:

http://www.oldapps.com/old_version_download_ZoneAlarm.php

When you install it, it'll start up automatically when you start your computer. If you open the startup folder, add this to the target:
<space>/nosplash

That makes it start silently in the background.


Title: Re: virus/trojan question
Post by: w3jn on December 27, 2008, 06:41:55 PM
Tom, there was no need to nuke your PC to get rid of that.  Boot in safe mode then do a system restore from the day before.  Good to go!

My kid downloaded some cracked program that had one of those hostage-ware "virus remover" things and a couple of rootkits to boot.  The rootkits were a bitch to get rid of; I used Blacklight beta.  The rootkits were insidious in that they get into the file registry and tell File Explorer to ignore all files associated with them, so you can't even see 'em.  Blacklight apparently does some kind of compare, and has its own utility to rename the file so you can then see it and delete it.  It took about 10 reboots to find all the files though.


Title: Re: virus/trojan question
Post by: Steve - WB3HUZ on December 27, 2008, 08:29:55 PM
I use a Mac. No such problem. Carry on.


Title: Re: virus/trojan question
Post by: K1JJ on December 27, 2008, 08:40:43 PM
Tom, there was no need to nuke your PC to get rid of that.  Boot in safe mode then do a system restore from the day before.  Good to go!


John,

Yeah, I would have definitely tried that if I knew about it back then.

However, that darn virus had renamed all the regular files in my computer with a, "virus infected" extension with the current date. It happened in a few minutes as the "virus scan" scam was taking place.  The system restore wouldn't have restored all those files too. It also started deleting and/or making certain programs unusable saying something like, "administrator has blocked access."   You get to the point where there's so much damage it's better to throw in the towel and nuke it sometimes. I agree, Bob, let's kick those hackers in the GD balls!

I noticed a system restore didn't work in Bob's case, but I will try it if I run across this again.

TNX for the info.

T


Title: Re: virus/trojan question
Post by: W1RKW on December 28, 2008, 08:46:54 AM
Bill,
I too like the older ZA programs. 

Really what I was looking for was for something that not necessarily logs IP addresses but shows connections in real-time, on the fly as it were. 

Zone Alarm does exactly that. It won't give you popups if you shut that feature off, and it will keep a log of attempted connection IPs and ports for you. Doesn't use much CPU or memory, either.

I really liked the older versions of ZA. V 5.X and V6.X
The newest versions are bloated.
You can download them all here:

http://www.oldapps.com/old_version_download_ZoneAlarm.php

When you install it, it'll start up automatically when you start your computer. If you open the startup folder, add this to the target:
<space>/nosplash

That makes it start silently in the background.

All,
I think I have the problem licked after multiple scans using various programs none of which seemed to reveal anything.  I did do a system restore going back 2 months instead of a couple of days (the time frame in which I thought I picked something up).  I'm not sure if this was the solution or not but the machine seems to be working as it should and seems to run more efficiently.  Maybe something got on it in the last 8 weeks that I didn't notice before until spending many hours on the computer like yesterday and was able to observe it more critically than just a few minutes each day.  We'll see... 

Oh, one other thing I did.  I updated my hosts file from MVPS.org and put in the offending websites to block those as well.  MVPS doesn't have them in their latest hosts file, at least not yet.


Title: Re: virus/trojan question
Post by: W3SLK on December 28, 2008, 09:24:06 AM
I used to have ZA but the latest update did nothing but cut me offline. It was notorious for not letting me into authentic web sites (www.ping.com to name one). I didn't get any satisfaction from their Tech Support so I dumped them like a bad habit. Later on, my son's roommate at college told him that ZA is quite the memory hog.


Title: Re: virus/trojan question
Post by: W1RKW on December 28, 2008, 09:58:16 AM
I had the ZA on one of my machines about a month ago.  When trying to setup a network share ZA wouldn't let me do it.  It kept blocking my own machine.  I too noticed it sucked up memory.  Off it came. 


Title: Re: virus/trojan question
Post by: w1vtp on December 28, 2008, 10:03:45 AM
Here's my two cents. 

A couple of weeks ago I was surfing one of my favorite comic sites (using my Firefox 2.0.0.16) and suddenly I got a bunch of popups.  It was all downhill from there; whatever virus, drive-by download -- whatever, had taken complete control of my settings -- my XP OS was trashed.  Oh yeah, whatever it was it took away all my setpoints so I couldn't go back to some other time when the system was working properly.

After some attempts using various tools including Norton Corporate AV, I gave up and restored my OS from a recent image I had made with Acronis.  Problem solved.

Next, I installed ZoneAlarm's ForceField.  So far, I'm OK.  I ALWAYS run in the PRIVATE BROWSER mode.  Oh, one odd side effect of ZA FF is that in the regular mode I cannot get my home page EVER when I start up FF but in the PRIVATE BROWSER I get it back.  That's very odd.  Another oddity is if I go to "Tools" and make a setting and hit OK, the dialogue doesn't go away.  If I hit cancel it goes away and the setting has been made.  I'll let you guys know if anything else develops but so far -- no popups, no warnings, but if I check their "Protection Activity" I see that ZA FF has been busy.  We'll see how things go.  I can stop ZA FF by doing the 3 fingered salute (control, alt, delete) and ending ZA FF.

Bottom line?  Get a program that can make an image of your OS.  There are several choices:  Acronis "True Image," Symantec's "Ghost" (bloatware warning) and Terabyte's "Image for Windows."  I never could get Terabyte to recognize my USB ports, for what it's worth.  Once you get an image of your OS you can always go back and restore your OS should you have a HD failure or a disaster such as I had.  The jury is still out with ZA FF.

Cheers, Al VTP


Title: Re: virus/trojan question
Post by: w1vtp on December 28, 2008, 10:23:28 AM
I had the ZA on one of my machines about a month ago.  When trying to setup a network share ZA wouldn't let me do it.  It kept blocking my own machine.  I too noticed it sucked up memory.  Off it came. 

Hi Bob

Wonder if we are talking about the same product.  I have noticed that ZA can be pretty much a bully when installed.  That's why I had removed it in previous times.  So far ZA FF seems to be pretty transparent and I can always turn it off with the 3 fingered salute and end the program.

Al


Title: Re: virus/trojan question
Post by: W1RKW on December 28, 2008, 10:26:04 AM
Hi Al,
No, I was referring to the ZA firewall, their free firewall.  Yeah, I noticed it was much more ornery than earlier versions.  Like Bill, HG stated, I liked their earlier firewall programs.  They didn't seem to be there at all.  Some of the earlier versions don't run on XP or later.


Title: Re: virus/trojan question
Post by: Blaine N1GTU on December 28, 2008, 10:58:48 AM
Quote
A couple weeks ago I was surfing one of my favorite comic sites (using my Firefox 2.0.0.16) and suddenly I got a bunch of popups.  It was all downhill from there whatever virus, driveby download -- whatever.

Well, that could be the problem. Firefox is up to version 3.0.5; you should upgrade for bugfix/security reasons.

This is from Firefox's site:
Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008. All users are strongly encouraged to upgrade to Firefox 3.


Title: Re: virus/trojan question
Post by: W4EWH on December 28, 2008, 02:07:52 PM

Bottom line?  Get a program that can make an image of your OS.  There are several choices:  ...


You can also use "dd", the disk dump program that comes with all Linux distributions. It's free.

73,

Bill W1AC


Title: Re: virus/trojan question
Post by: k4kyv on December 28, 2008, 02:12:41 PM
I recently upgraded to the latest ZoneAlarm free version.  I can't tell much if any difference from the older versions.  It is currently using about 4k of memory (per Task Manager, two each zlclient.exe @ about 2k each).  I now have Firefox 3.0.5 and it still eats up gobs of memory, despite claims that the memory leak problem was solved with Version 3.


Title: Re: virus/trojan question
Post by: w1vtp on December 28, 2008, 02:18:53 PM
<snip> I now have Firefox 3.0.5 and it still eats up gobs of memory, despite claims that the memory leak problem was solved with Version 3.

Hi Don and others.  Well, I have held off 'cause I've heard that FF 3 was having some issues.  So I'd be most interested in any feedback re: security issues.  My problem was a new experience for me.  Never had that problem and hope I never have it again.

Al


Title: Re: virus/trojan question
Post by: k4kyv on December 28, 2008, 08:23:37 PM
The problem with FF3 that I was aware of was that it wasn't compatible with the "record" function on the newer version of RealPlayer that allows you to download flash videos such as YouTube to HDD.  Supposedly, they corrected the problem, but even before upgrading to FF3 I sometimes had trouble saving videos, and would have to copy and paste the URL to IE to save a copy.

What would happen to me is that the video would appear to record normally, but when I would try to play it back, all I would get was a black screen, even though the  little thing at the bottom of the viewing area would tick off seconds and indicate that the video was playing, and "properties" indicates the full size file is saved.

It still happens to me at times.  One thing I have found that helps is to let the video download 100% before trying to save it.


Title: Re: virus/trojan question
Post by: K1JJ on December 30, 2008, 10:50:45 AM
Bob,

I found another way to get the system back.

The other night my mouse software suddenly stopped working in XP.  I couldn't get the keyboard to do a past system restore... just no keys to get the job done - needs the mouse.

So I took out the original XP installation disks and rebooted. One of the options is a "Repair" of a previous installation. It took about 45 minutes, but the system was replaced and I retained everything as before. Original files, everything.  The mouse worked again.

I'll bet that is a good method for serious virus problems too, since it boots directly before the old Windows boots up. I would try a standard system restore first, of course, but this worked just as well.

Later -

T


Title: Re: virus/trojan question
Post by: W1RKW on December 30, 2008, 01:39:18 PM
Thanks Tom.  I never thought of the installation disk and doing a repair but that's good to know for future reference.   I'll keep that in mind. Hopefully, there won't be a next time at least for some time to come.

Doing a system restore going back 2 months seems to have done the trick.  I did scan the system with various scan tools but they revealed nothing. So I think going back 2 months rather than a few days helped.  In addition to that, I put the offending web addresses in the hosts file and 127.0.0.1'ed them. There's no evidence that my system is looking for these websites either. So far so good at this point.  All seems normal again.
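The hosts-file blocking Bob describes here and in his December 28 post, written as a script (an added example, not code from the thread; the domain names are constructed placeholders, and parse_hosts, is_sinkholed and add_block_entries are my own helpers). On XP the live file is %SystemRoot%\system32\drivers\etc\hosts; the code works on the file's text so it can be tried offline first.

```python
# Added example (not from the thread): script the hosts-file blocking Bob
# describes. On XP the live file is %SystemRoot%\system32\drivers\etc\hosts;
# this code works on a copy of its text so it can be tested offline.
import ipaddress

SINKHOLE = "127.0.0.1"   # the address Bob "127.0.0.1'ed" the scam sites to

# Constructed sample hosts file: a comment, the usual localhost line, and one
# MVPS-style block entry that is already present (0.0.0.0 also sinkholes).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.blocklist-sample.invalid   # already blocked
"""


def parse_hosts(text):
    """Return [(ip, [hostnames])] for every well-formed, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, ignore it
        entries.append((ip, [n.lower() for n in names]))
    return entries


def is_sinkholed(text, hostname):
    """True if the hosts text maps hostname to loopback or 0.0.0.0
    (first matching entry wins)."""
    hostname = hostname.lower().strip().rstrip(".")
    for ip, names in parse_hosts(text):
        if hostname in names:
            addr = ipaddress.ip_address(ip)
            return addr.is_loopback or addr.is_unspecified
    return False


def add_block_entries(text, hostnames):
    """Append '127.0.0.1 <host>' for each hostname not already sinkholed.
    Returns (new_text, list_of_hosts_added), never duplicating an entry."""
    lines = text.splitlines()
    added = []
    for host in hostnames:
        host = host.lower().strip().rstrip(".")
        if not host or host in added or is_sinkholed(text, host):
            continue
        lines.append(f"{SINKHOLE}\t{host}")
        added.append(host)
    return "\n".join(lines) + "\n", added
```

A hosts entry only stops lookups by name, so malware that contacts its servers by IP address, or that rewrites the hosts file itself, is not stopped by it.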


Title: Re: virus/trojan question
Post by: k4kyv on January 04, 2009, 03:56:05 PM
Now is probably a good time to be extra careful. Many IT professionals have recently been laid off. Some may turn to criminal activities for income.


Title: Re: virus/trojan question
Post by: W1VD on January 04, 2009, 05:41:49 PM
<2 cents>

Be familiar with what's normally running in Accessories > System Tools > System Information > Software Environment > Startup Programs and Running Tasks. You'll normally be able to detect unusual activity there. Many trojans will put .dll, .ini etc files in C:\Windows or C:\Windows\Win32. Sort by date and look for recent additions - about the time of infection. Knowing what doesn't belong, delete these (you may find some are currently running  ;) ) and their associated registry entries and you're usually all done.

Slaying them manually is great sport! Oh yeah...if you think you're infected unplug your internet connection pronto to put a halt to possible additional unwanted downloads.

</2 cents>   
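The "sort by date and look for recent additions" check from the post above, as a script (an added example, not code from the thread; recent_files, report, build_sample_tree and sample_run are my own names, and the sample directory it builds is constructed so the script runs anywhere, not only on a Windows machine).

```python
# Added example (not from the thread): the "sort by date and look for recent
# additions" check from the post, as a script. Point it at C:\Windows on the
# suspect machine; the constructed sample tree below lets it run anywhere.
import os
import tempfile
import time
from datetime import datetime, timedelta

# Extensions the post names (.dll, .ini); .exe and .sys added as an assumption.
SUSPECT_EXTS = {".dll", ".ini", ".exe", ".sys"}


def recent_files(root, since, exts=SUSPECT_EXTS, recurse=False):
    """Return [(mtime, path)], newest first, for files modified at or after
    `since` (a datetime) whose extension is in `exts` (None = any)."""
    cutoff = since.timestamp()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not recurse:
            dirnames[:] = []           # top level only, like the Explorer view
        for name in filenames:
            if exts is not None and os.path.splitext(name)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue               # vanished or unreadable: skip, don't crash
            if st.st_mtime >= cutoff:
                hits.append((st.st_mtime, path))
    hits.sort(reverse=True)
    return hits


def report(root, since, **kw):
    """Human-readable lines: timestamp and path, newest first."""
    return [f"{datetime.fromtimestamp(m):%Y-%m-%d %H:%M}  {p}"
            for m, p in recent_files(root, since, **kw)]


def build_sample_tree(base, now=None):
    """Constructed sample: an old system DLL, a freshly dropped .dll and .ini,
    and a fresh .txt that the extension filter should leave out."""
    now = now or time.time()
    ages = {"oldlib.dll": 400 * 86400, "dropped.dll": 3600,
            "dropped.ini": 1800, "notes.txt": 60}
    for name, age in ages.items():
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (now - age, now - age))    # backdate the mtime
    return base


def sample_run(exts=SUSPECT_EXTS):
    """Build the sample tree in a temp dir and return the basenames found
    in the last 24 hours, newest first."""
    base = build_sample_tree(tempfile.mkdtemp())
    hits = recent_files(base, datetime.now() - timedelta(days=1), exts=exts)
    return [os.path.basename(p) for _, p in hits]


if __name__ == "__main__":
    print("\n".join(report(build_sample_tree(tempfile.mkdtemp()),
                           datetime.now() - timedelta(days=1))))
```

As w3jn notes earlier in the thread, a rootkit can hide its files from directory listings, so an empty result from this scan is not proof that the machine is clean.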


Title: Re: virus/trojan question
Post by: W1RKW on January 04, 2009, 06:03:13 PM
Oh yeah...if you think you're infected unplug your internet connection pronto to put a halt to possible additional unwanted downloads.
 

Totally agree. Not only downloads and uploads but snooping and control.  That was my first action upon suspicion and left it disconnected until cleaned.
AMfone - Dedicated to Amplitude Modulation on the Amateur Radio Bands