Help with a trojan worm virus needed.....

**Qballbandit** · 12-13-2005, 10:18 AM

Hi,
Wish I could say it was a good morning, but....
Last night, I was putting the finishing touches on my PC after having a high-speed internet connection activated at my home. Got the modem hooked up ( a nice little Motorola sb5120), installed the software from Comcast, and I was up and running. I started to browse around a little bit just gawking at how fast it was compared to my old dial, and all of a sudden WHAM - my IE closed out, my desktop went black, and there was this rather suspicious giant "WARNING" message on my desktop, with some verbage under it (it didn't look very credible, but is stated I just got a virus/malware) A bunch of icons started appearing on my desktop, and I sat there freaking out because I forgot to start my Anti-Virus back up after the install.
Here are the motions I went through after thsi all happened:
1) I did a ctrl/alt/delete to see what was running, and there was
all this c-r-a-p started that I had never seen, so I ended them.
2) I started AVAST (I am running a freeware trial) anti-virus, and
it told me I had a trojan virus, and to run a reboot and scan,
which I did, it found about 23 spots throughout my system that
the worm hit. I deleted them all.
3) As the boot-up finished, I saw my picture appear that I use as a
desktop, then my desktop items all loaded but the desktop blinks
with an altering pale blue color - hiding my desktop picture.
4) I ran Norton - an entire scan, found some more remnants, deleted
them.
5) Ran Spybot & Adaware about 4 times each until they couldn't find
anymore mess related to this event (found like 53 items, when on
a normal basis, I am clean as a whistle)
6) From msconfig, stopped all these odd executes from starting at
boot-up. Some were in my temp folder, some in WINDOWS/SYSTEM32
folder. I can not find 2 of the executes in system32 folder that
I am seeing in the startup deck in msconfig????
7) Unplugged the friggin' modem!

At this point, my other 2 accounts can log on normally, and see their default desktops, but my admin desktop keeps acting weird, hiding my desktop picture, and falshing the alternate pale blue color instead (when I do a shutdown, or restart - the pale blue disappears, and I see my saved desktop picture underneath)
I am not sure I am out of the woods yet, as I have not tried to really do anything. I just went to bed comatose....
What more do you think I should check?
What is the problem with my desktop?
How do I find the 2 hidden executes in my system32 folder?
Should I have deleted all this evil stuff, or quarantined it?
I just panicked and kept saying delete to all of it, I was so p-i-s-s-e-d off.

This is my first ever encounter with a virus in 10 years of home PC'ing, so any help would bu TREMENDOUSLY appreciated.
Thanks much,

Neil :7

p.s. I am at work, so if anyone asks me specific file names of the malware and such, I will respond tomorow morning..

**Qballbandit** · 12-13-2005, 11:34 AM

...as an afterthought, I also have a system restore point from a day earlier saved in XP Pro...would it help me to roll back and do another virus scan???

Neil :7

**navav2004** · 12-13-2005, 11:49 AM

Not a Virus Expert....

Sorry to hear of your troubles...If you could get the name of the 2 .exe's in your sys32 folder and google them to see if they are legit before deleting...

I would recommend you get rid of IE and switch to Mozilla...

I would also recommend on your way home you pick yourself up a linksys router...Not that it would have helped you in this perticular situation...But on a broadband connection I would HIGHLY recommend a Hardware Firewall!! (such as the LinkSys)..

Good Luck!!

**Qballbandit** · 12-13-2005, 12:07 PM

Thanks Chuck, yes a router is in the works with a firewall in the very near future.
I also am going to uninstall Norton, because I don't like it. Comcast offers Mcafee for free to high speed users, I will download, install and keep that running and updating.
I will also look at the 2 names and google them.
And finally, I will look at LinkSys as you mention..I'l go google that right now!

Appreciate the comments,

Neil :7

**navav2004** · 12-13-2005, 01:59 PM

Hey sorry I ment to copy some links but ran out of time here at work...he he

Here is a link to the LinkSys Router I was referring to...All you would need to do is buy it...Hook it up per the instructions...Boom...There is your "Hardware Firewall"...Then when I get home I will put some links on here for you to go test it out...You should score completly "Stealth"...

This is the one I have...4 Ports (4 Computers)...
http://www.newegg.com/Product/Produc...82E16833124001

You can usually pick them up at just about any computer store...Even Walmart, Radio Shack, Staples (Office Supply type of place)...

Here is a link to Mozilla...It's a web browser...It's allot safer than IE...(Less vunerable to exploit attacks)...I'm guessing that is how you contracted your buddy "trogan horse" (IE)...
http://www.mozilla.com/firefox/

**Qballbandit** · 12-13-2005, 02:06 PM

Chuck, very much appreciated...but I beat you to the punch!! :P
I looked on newegg, and zipzoomfly and found that router for $69..I will pursue it as soon as I can.
Yes, IE....but I will look into Mozilla too!

Thanks man, now - go back to work!!!

Neil :7