Hit by a Trojan.

Thread starter: Peter Nolan
Hello,

I was attacked by a Trojan:

http://www.bleepingcomputer.com/startups/ibm00001.exe-12302.html

and made a mistake using the solution offered by www.bleepingcomputer.com.
I have this file, ibm00001.dll, and can view part of it. I'm wondering if it contains any
information that might help deactivate this Trojan.

Peter Nolan.
Dublin.



Peter:

The Charter for this News Group specifically states...

"The following are also prohibited:

HTML or Rich Text formatted posts. All posts (messages) must be in plain text only and be
human-readable. "
http://www.stormpages.com/eaegis/antivirus.htm


That being said, please perform the following...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org, Kixtart is CareWare }, 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend, Kaspersky and McAfee anti-virus command-line
scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

To use this utility, perform the following...
Execute: Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose: Unzip
Choose: Close

Execute: C:\AV-CLS\StartMenu.BAT
{ or double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall, or allow WGET.EXE through your
firewall, so that it can download the needed AV vendor files.

* * * Please report back your results * * *
 
Hello Dave,

Many thanks for your comprehensive reply. I appreciate it very much.

You will be startled perhaps to hear that in the six years that I've been using the PC I'm using right now, which is a Compaq Presario 5410 that I've upgraded with respect to memory and by adding a 20 GB slave drive, I have never used anti-virus software, apart from a short period when I had an up-to-date InoculateIT Personal Edition that I didn't continue to update as time went by. It looks like it is no longer available from Computer Associates, who appear to market eTrust Anti-Virus software. I visit technical and quasi-technical sites exclusively, and my guess is it is for this reason I have been free from attack by infernal malware. However, a few weeks ago I strayed just once to a site I would not normally visit, and while it wasn't porn it wasn't of a technical nature either. A pop-up appeared that began drifting slowly down the text I was trying to read, and when I clicked on what appeared to be the close button I activated the Trojan. Access to Google became impossible, and when I was finally able to run a scan using eTrust's program it listed ibm00001.exe as a possible offender but then didn't fix the problem. Still, it was great to know what the infection was, and I happened to be in comp.lang.visual.basic.misc asking a question in a thread I posted entitled "Computing for Outlook Express in VB" when I mentioned being hit by this Trojan. One of the group's experts gave me the link for Bleeping Computer, and armed as I was with all the tools I needed to fix the problem I made a mistake because, believe it or not, I was feeling nervous, and I cannot now use the great programme AutoRuns.exe provided by Bleeping Computer. I'm delighted to say however that good has come from bad, and I took action in the form of buying a Mini Mac that I hope to set up as my portal to the Internet. Another member of comp.lang.visual.basic.misc advised me to switch to Linux, and I was advised many times in the same thread to do a full restore/reformat of my HDD using the CD that returns my beautiful PC to its original state. Incidentally, or perhaps not incidentally, I have a copy of BcWipe that wipes deleted files clean, or makes them unreadable, after say one or two passes. So if push comes to shove, as we say here in Ireland, I may in the end do a full restore followed by a seven-pass wipe of all deleted files using BcWipe, because such a seven-pass wipe is recommended by the US Navy computer experts.

I bought Norton Internet Security 2005, but this huge program, which was many times bigger than I imagined it would be, seemed to overpower my old and now well out-of-date PC, and I uninstalled it as it made using OE difficult.

I will do the best I can to implement your dazzling protocol, but this particular Trojan sends another pop-up to the desktop when I visit even the very safe websites I normally visit, if there is such a thing as a safe site. I now know that if I interact with that doggone pop-up in any of the four possible ways it will hit me again and make a bad situation worse, so I press Ctrl+Alt+Del, which forces me out of IE 6 altogether, and I have to start all over again, continuing to be frustrated by this pop-up till at some point it doesn't appear. So using the Internet is now pointless with this pesky pop-up ready to harass me every time.

When I stated that I had access to ibm00001.dll and could read some of its contents, I was hoping it might contain something like a registry entry that would, by deleting such an entry, completely immobilise this Trojan. For example there is "Address of Entry Point": 00006c2a in the DLL, and I thought perhaps this might be the kind of thing at a deep level to prevent the Trojan from working.
I want you to know how much I appreciate your magnanimous reply.

Many thanks,

Peter Nolan. Ph.D.(physicist)
Dublin.
 
From: "Peter Nolan" <[email protected]>
|
| Hello Dave,
|
| Many thanks for your comprehensive reply. I appreciate it very much.
|
| You will be startled perhaps to hear that in the six years that I've been using the PC I'm using right now, which is a Compaq Presario 5410 that I've upgraded with respect to memory and by adding a 20 GB slave drive, I have never used anti-virus software, apart from a short period when I had an up-to-date InoculateIT Personal Edition that I didn't continue to update as time went by. It looks like it is no longer available from Computer Associates, who appear to market eTrust Anti-Virus software. I visit technical and quasi-technical sites exclusively, and my guess is it is for this reason I have been free from attack by infernal malware. However, a few weeks ago I strayed just once to a site I would not normally visit, and while it wasn't porn it wasn't of a technical nature either. A pop-up appeared that began drifting slowly down the text I was trying to read, and when I clicked on what appeared to be the close button I activated the Trojan. Access to Google became impossible, and when I was finally able to run a scan using eTrust's program it listed ibm00001.exe as a possible offender but then didn't fix the problem. Still, it was great to know what the infection was, and I happened to be in comp.lang.visual.basic.misc asking a question in a thread I posted entitled "Computing for Outlook Express in VB" when I mentioned being hit by this Trojan. One of the group's experts gave me the link for Bleeping Computer, and armed as I was with all the tools I needed to fix the problem I made a mistake because, believe it or not, I was feeling nervous, and I cannot now use the great programme AutoRuns.exe provided by Bleeping Computer. I'm delighted to say however that good has come from bad, and I took action in the form of buying a Mini Mac that I hope to set up as my portal to the Internet. Another member of comp.lang.visual.basic.misc advised me to switch to Linux, and I was advised many times in the same thread to do a full restore/reformat of my HDD using the CD that returns my beautiful PC to its original state. Incidentally, or perhaps not incidentally, I have a copy of BcWipe that wipes deleted files clean, or makes them unreadable, after say one or two passes. So if push comes to shove, as we say here in Ireland, I may in the end do a full restore followed by a seven-pass wipe of all deleted files using BcWipe, because such a seven-pass wipe is recommended by the US Navy computer experts.
|
| I bought Norton Internet Security 2005, but this huge program, which was many times bigger than I imagined it would be, seemed to overpower my old and now well out-of-date PC, and I uninstalled it as it made using OE difficult.
|
| I will do the best I can to implement your dazzling protocol, but this particular Trojan sends another pop-up to the desktop when I visit even the very safe websites I normally visit, if there is such a thing as a safe site. I now know that if I interact with that doggone pop-up in any of the four possible ways it will hit me again and make a bad situation worse, so I press Ctrl+Alt+Del, which forces me out of IE 6 altogether, and I have to start all over again, continuing to be frustrated by this pop-up till at some point it doesn't appear. So using the Internet is now pointless with this pesky pop-up ready to harass me every time.
|
| When I stated that I had access to ibm00001.dll and could read some of its contents, I was hoping it might contain something like a registry entry that would, by deleting such an entry, completely immobilise this Trojan. For example there is "Address of Entry Point": 00006c2a in the DLL, and I thought perhaps this might be the kind of thing at a deep level to prevent the Trojan from working.
| I want you to know how much I appreciate your magnanimous reply.
|
| Many thanks,
|
| Peter Nolan. Ph.D.(physicist)
| Dublin.
|

If you are getting many IE pop-ups then adware/spyware types of malware could be on the
platform.

You can switch from using IE as the default browser to Firefox or Opera. If for your
profession you require IE (and I know there are requirements on that browser) then I suggest
that you use anti-spyware software.

Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

BHODemon
http://www.definitivesolutions.com/bhodemon.htm


I await the results of your running the Multi AV Scanning Tool and the above anti-spyware
applications.
 
Hello Dave,

Once again many, many thanks for your great reply. Because of that infernal pop-up that dogs me every step when I use IE 6.0, using IE 6 is pretty much a non-starter at the moment. I was hoping for a lethal but ultra-simple way to immobilise this Trojan, but I'm mistaken, I guess, to think that something as simple as a registry entry from that DLL might do the trick; but never mind. I have heard a whole lot of recommendations for Firefox. I'm about to put my beautiful six-year-old Presario away and set up the new Mini Mac as my gateway to the Internet, but not without installing AV SW on the Mac first. I will be very safe in any case, but I gather that hackers are sending out salvos of malware that no longer make the national news bulletins like on occasions in the past.

So I plan to set aside my Presario in its now corrupted state and just live with it.

I also have a brand new HP Compaq SR1519UK PC still in its box and will set this up too, as I am an intermediate-level VB programmer with limited experience. I want to learn VC++ as well, and this I hope to do on the HP Compaq 1519UK. Still, all is not lost, and who knows, I may be able to clean up my aging Presario at some point, something I will always want to do.

I reckon I could attempt to install Norton Internet Security 2005 on my updated, faster and quieter 20 GB Seagate HDD, and it's likely the install will complete fully, unlike when, assuming incorrectly that this program was small, I attempted to install it on the tiny 4.3 GB master HDD that came with the Presario at the start. Time will tell, and by time I mean only the next few days. I copied and pasted your knock-out replies into a folder and hope to implement all your instructions.

Warm regards,

Peter.
Dublin.
 
On that special day, Peter Nolan, ([email protected]) said...
| I'm about to put my beautiful six-year-old Presario away and set up the new Mini Mac as my
| gateway to the Internet, but not without installing AV SW on the Mac first.

That's the best way to deal with safety issues, as there are currently
no viruses or worms known to be in the wild that attack the OS X
machines. Set it up as your gate to the internet, and don't open
attachments, even if they appear to be a "harmless jpeg" (with known
extensions turned invisible, it might be ANYTHING), and you should be
safe.

Better yet, all these ActiveX exploits that are inherent in
Internet Explorer won't work in Firefox or Safari.

| I may be able to clean up my aging Presario at some point, something I will always want to do.
| I reckon I could attempt to install Norton Internet Security 2005 on my
| updated, faster and quieter 20 GB Seagate HDD, and it's likely the install
| will complete fully

Please don't. Even if it installs, it won't run well on your old Win9x
machine, because NIS 2005 is designed for XP only, even if they claim
the contrary. Ask Heather for a story about it.

There are free anti-virus programs out there that will have a lesser
imprint on your Compaq's performance, like AVG by Grisoft or Avast!,
which is said to be very good at detecting malware and taking little
of your precious CPU time (I don't have any experience with it, as AVG
does its job here, rather quietly).

And if you need a firewall (which doesn't do much on a Win9x system, as
there are few services that could be attacked if you uncheck the
TCP/IP binding from your internet connection and deactivate the printer
and file sharing), take the last Kerio. It should do a decent job
without swamping you with "I saved you from attack xy", which wouldn't
even have affected you, provided you keep your system up to date with
Windows Update.

And please keep the built-in Firewall (or rather Packet Filter) of
Windows XP active on your new PC, as it will do the same job, only
without constantly crying wolf.


Gabriele Neukam

(e-mail address removed)
 
Hello Gabriele,

I'm delighted to hear that you advise me not to install NIS 2005 on my
20 GB slave HDD. I had an inkling that the humongous program (over 200 MB)
would probably swamp my out-of-date but lovable PC!
You don't have to worry about me not appreciating the help you are giving me,
because I do, something difficult to prove, but maybe you can make a leap of
faith and take just my word for it.


Your fellow European,

:)

Peter.
Dublin.
 