Trojan

[quartet-man]

Well, the Administrative Assistant seems to have a trojan on her computer. She started getting a ton of undeliverable mail messages yesterday. I was doing taxes and never replied to her email. She called and woke me up this morning and said that her email login wouldn't work.

I did a System Restore to early yesterday morning. I then went to my email to see what her sign in password was (I had sent them to our webmaster who hosts us) and that said:

"We've observed outgoing emails that have known characteristics with a trojan infection on one or more of your PCs. The following email account(s) were used to send the email. Please scan the PC that uses this email address with an updated AV and Malware scanner to ensure that the infection is removed..

For your security we made the following password changes:...... "

After that, I started scanning with Malwarebytes. It needed updated by about 40 days and I installed the new version. It occurred to me that maybe I should go back before the restoration so that in case the Trojan had been removed, it would find it so I would know what the issue was, possibly when it happened, and that it had been eradicated. Anyhow, then Malwarebytes had issues with working, so I undid that restoration and started doing a full scan. I then intend to scan with MSE. Any other suggestions thus far?

[rjfvillarosa]

As much as it pains me to say this. I have been having some great results using Windows Defender Offline. It cleaned a machine for me a few days back that nothing else would touch.
Download the correct version, burn to a CD then boot the machine up from the CD, make sure the machine has an active internet connection so the app can update the virus signatures. I have both 64bit and 32bit versions on CD and it soon tells you if you have booted with the wrong version (saves starting the machine up to discover what version of Windows is installed).

What is Windows Defender Offline?

[quartet-man]

Cool, I forgot about that. I will do that as well as what I said above. I might also do the above scans in Safe Mode at some point too.

[Panama Red]

In my experience, when your email box is sending spam, it's due to the fact that someone has hacked the email password NOT because the computer is infected. I get calls from customers with this issue periodically (usually with a yahoo or hotmail box) and I simply tell them to change their password to something stronger - use a mix of alphabetical and numberical characters and throw in a couple of capitals or special characters (if allowed). Bottom line, qm, if you don't find any sign of infections on the pc, don't be surprised. Also, if you do your scans in Safe Mode, make sure you do another scan in Normal mode as Safe Mode doesn't allow scanning of the Restore files. Plus, when you scan in Normal with MBAM and have MS Security Essentials active, MSE will often pickup an infected file missed by Mbam.

[jdeb]

Windows Defender Offline is catching everything for me as well. It is a great tool. I have wasted time trying to use others and now I am content with it.

[11290slk]

Made the CD, changed the boot sequence in Bios but it keeps booting with the HDD instead of the CD drive. Disabled everything but the CD drive in Bios but still boot from HDD. Might have to go in and pull the power from the HDD just to get a CD boot.

[rjfvillarosa]

How did you create the CD?

[11290slk]

Through the windows defender "utilities" and I believe it was, imapi v2.0 that it prompted me to load.

[rjfvillarosa]

If you double click the icon after downloading to open the app, you get to a GUI that offers you get three options.
1. create a bootable CD/DVD
2. create a bootable USB drive
3. create an ISO image

Did you see any of these?

[11290slk]

Short answer, yes I did see and use 2 of those options.

First tried #2 (USB drive) and created that but could not get it to boot from USB, even after disabling HDD in BIOS.

Then went to option #1, CD, created that and still could not boot from CD, even after changing boot order in BIOS. It did come up as "press any key to boot from CD Drive" but then still defaulted to HDD.

[rjfvillarosa]

Can you post the specifications of the machine you are trying to clean?

In order to boot from a USB device you will probably need to enable "USB legacy" in the BIOS.
Because you are being given the option to boot from the CD I am begining to think something has gone wrong with the burning process of the CD.

[11290slk]

It's an older (about 4 or 5 years) Intel Core 2 Duo with an Asus P5B board that I built. 4gb ram on board with WinXP Pro.

Really not overly concerned right now but thought I would see if Defender Offline would work. Thinking about building a new one in a few weeks or at the very least just biting the bullet and reformatting this one. I haven't done that on this one for about 3 years so it's kind of due anyway. I've got XP with SP3 slipstreamed to kind of speed things up but still takes a long time to get everything back on. Just haven't felt like devoting the time to it lately.

[rjfvillarosa]

I have a feeling your CD didn't burn correctly.


sorry QM. didn't mean to hijack your thread.

[11290slk]

Possible. May try it again and see. Looked on the CD in My Computer and there are an awful lot of files on it. May just not have made it "bootable" but that is the option I tried. Strange though that it wouldn't work with the USB stick also though. System always defaulted to HDD no matter what I do/did in BIOS sequence.

[rjfvillarosa]

When you tried the USB stick did you ever get the option to boot from it?

[11290slk]

NO, didn't have any boot sequence options except HDD, CD drive and Floppy. Disabled all but Floppy, didn't work and then disabled all in hopes that would work. Didn't. Then made the CD and disabled all except CD drive but that didn't work either. Might look tonight and see if there is a newer BIOS but never did like doing those updates that much.

Reformatting just seems to be the right thing to do right now.

[rjfvillarosa]

Check the BIOS for the "enable USB legacy" option, make sure it's enabled and try the USB stick again.

[11290slk]

Was set to "auto" changed it to "enabled", disabled HDD and CD drive in boot sequence and it wouldn't let it boot to anything. No options for picking a USB device.

Thanks for all your help. Not going to work with it anymore today or maybe not at all. I can get rid of malware items with reformat so that seems to be the best option right now. Just need to bite the bullet, so to speak, and do it.


Appreciate the help and assistance.

[quartet-man]

No problem at all as far as the "hijacking". I have done that before too at least as far as going off on tangents. Besides, the problems mentioned later could be ones I encounter tomorrow while doing it.

Update. Malwarebytes found nothing. I started doing the MSE scan and going to check back on it. Both were in normal mode as I am doing them using Logmein. Her password should have had letters and numbers if not caps, but will be changed either way.

[quartet-man]

My CD did the same thing (made on my work computer, not the problem one). It said I needed imapi v2.0. I had to validate my version of Windows first (XP). I kept going in circles after that, so I finally did it in I.E. instead of Firefox and got to proceed. I chose 1 for CD and burned it. When getting to her computer, there was a quick (just a few seconds) that said hit any key to boot from CD. I did, and it loaded files twice and then the screen went black. I never heard any activity after that, ejected the CD, and had to shut the computer off. I am getting ready to try to a USB stick.

NOTES: There was an advanced option for an ISO, but I didn't do it. Also, it has to reformat the jump drive to use it, so fortunately I had temporarily transferred the data off of it to my hard drive.

[glc]

Try creating the iso, then use CD burning software to burn it.

[11290slk]

Quote:

Originally Posted by quartet-man My CD did the same thing (made on my work computer, not the problem one). It said I needed imapi v2.0. I had to validate my version of Windows first (XP). I kept going in circles after that, so I finally did it in I.E. instead of Firefox and got to proceed. I chose 1 for CD and burned it. When getting to her computer, there was a quick (just a few seconds) that said hit any key to boot from CD. I did, and it loaded files twice and then the screen went black. I never heard any activity after that, ejected the CD, and had to shut the computer off.

Same as my experience. Maybe it's because we're both in Indiana.

[quartet-man]

Quote:

Originally Posted by glc Try creating the iso, then use CD burning software to burn it.

Will do. UPDATE: The jump drive version was created successfully, but I can't get her computer to boot from it (at least I presume not since it goes to the sign in screen). USB Legacy is enabled and the boot order has removable media as the second boot device after CD.


EDIT: The ISO version did the same as the first CD. It will tell you (for a few seconds) to hit any key to boot from CD. Then it loads files twice and goes to a black screen. I have left it this time to see if it ever goes anywhere else.

Here is where I am getting it from and it is the 32 bit version.
http://windows.microsoft.com/en-GB/w...fender-offline

[glc]

If you both are having problems trying to boot with a CD or flash drive, pull the hard drive and scan it with another computer.

[quartet-man]

Quote:

Originally Posted by glc If you both are having problems trying to boot with a CD or flash drive, pull the hard drive and scan it with another computer.

How do I access the program to do so? Will it be on the CD media to double click?

[rjfvillarosa]

glc is suggesting you "slave" the infected harddrive to a working machine with good upto date copies of MSE and any other antivirus/malware scanners that you use.
I am going to download new copies of both 64 and 32 bit versions and see if I can create a bootable CD. I have old copies of both apps stored on my harddrive and they work fine.

[quartet-man]

Quote:

Originally Posted by rjfvillarosa glc is suggesting you "slave" the infected harddrive to a working machine with good upto date copies of MSE and any other antivirus/malware scanners that you use. I am going to download new copies of both 64 and 32 bit versions and see if I can create a bootable CD. I have old copies of both apps stored on my harddrive and they work fine.

Okay, thanks I might do that tonight and have it scan while the secretary is gone.

[11290slk]

Been following the latest information. Going to try to make a bootable CD from my laptop when I get home and see if that does anything different with the desktop situation.

[rjfvillarosa]

Just made the ISO's then created the CD's using MagicISO, both failed to boot in an old scrapper Sony laptop. I then tried an old CD I made sometime ago and it booted up straight away.
I am going to let the app make the CD's this time and see what happens.

[quartet-man]

Quote:

Originally Posted by rjfvillarosa Just made the ISO's then created the CD's using MagicISO, both failed to boot in an old scrapper Sony laptop. I then tried an old CD I made sometime ago and it booted up straight away. I am going to let the app make the CD's this time and see what happens.

Thanks for the update. It sounds like to me an issue with their files.