Fantasy Football - Footballguys Forums

Windows pop-up screen

I am very distressed that the powers that be here have known about this for 2 days yet have not made an announcement nor have they said anything in this thread about it.

 
My home computer has PC-cillin, but not Norton. Is PC-cillin sufficient anti-virus protection? Thanks for your help.
I agree with Fighting Wombat -- pretty much any of the name brand antiviruses should do the trick as long as your virus pattern files are up to date.
 
Updated IE6 worked great...also installed a new PC-based antivirus (my network admins never saw fit to install antivirus on my PC :( ). Ran a new antivirus today (the AVG freeware listed on the thread) and it found a TrojanHorse, but removed it. My point being that please make sure you run an antivirus on your PC hard drive even after you've downloaded the IE patches. Cheers

 
Updated IE6 worked great...also installed a new PC-based antivirus (my network admins never saw fit to install antivirus on my PC :( ). Ran a new antivirus today (the AVG freeware listed on the thread) and it found a TrojanHorse, but removed it. My point being that please make sure you run an antivirus on your PC hard drive even after you've downloaded the IE patches. Cheers
Yep, the MS patches will help in preventing you from getting the trojan, but won't detect or remove it if it's already there.
 
I am very distressed that the powers that be here have known about this for 2 days yet have not made an announcement nor have they said anything in this thread about it.
I completely agree with this. I had no idea this was going on until someone posted a link in the FFA. This post started two days ago and no announcement is put up while people's computers are getting infected.
 
I am very distressed that the powers that be here have known about this for 2 days yet have not made an announcement nor have they said anything in this thread about it.
David posted another thread about this. It sounds like they were trying to work with the source of the problem (their internet security provider) to see what was going on first.

By the way, it sounds like several different viruses have been found; we don't necessarily know which might have been from FBG's ISP being hacked, and which people acquired other ways. So you really do want to do a virus scan.

Also, just having virus protection software is not enough. The AV software needs definition files that tell it what to look for, for each virus. As new viruses are found, these change over time. Most decent AV software can do scheduled updates of these definition files, and scheduled scans of your hard drive.

At a minimum, I would suggest setting your AV program to download new definitions every night and scan every night. Have it go off at 3 am or some other time when it won't impact your use of the machine.

I thought my sys admin had set my work machine up to do this and later found out I had 3 month old virus definitions. I had a virus on the machine because it wasn't in the old definitions, and all the while I was feeling comfortable that my machine was clean. So you definitely need to make sure you're updating your definitions daily.
 
Wow - When I started this thread I had no idea what trouble was really brewing behind that little pop up window on FBGs main page.

Updating my browser worked great to stop it. But I already had the backdoor.coreflood virus on my CPU. When I did a full system scan with updated virus definitions last night my computer came up clean.

This morning I decided to check it further to make sure. Went into C:\Windows\System, and then Norton registered the virus.

You can't do anything with it unless you are in safe mode. Even if you came up clean yesterday on your virus check, run it again in safe mode. Also go to C:\Windows\System as well to double check everything.

Here is the list of what was on my computer:

Date: 7/31/03, Time: 8:54:04, . on N1Z3Z9

The file

C:\WINDOWS\SYSTEM\CQTBAR.exe

is infected with the Backdoor.Coreflood virus.

Unable to repair this file.

Date: 7/31/03, Time: 8:54:56, . on N1Z3Z9

The file

C:\WINDOWS\SYSTEM\CQTBAR.exe

is infected with the Backdoor.Coreflood virus.

Unable to quarantine this file.

Date: 7/31/03, Time: 8:55:22, . on N1Z3Z9

The file

C:\WINDOWS\SYSTEM\CQTBAR.exe

is infected with the Backdoor.Coreflood virus.

Unable to delete this file.

Date: 7/31/03, Time: 8:55:34, . on N1Z3Z9

The file

C:\WINDOWS\SYSTEM\CQTBAR.exe

is infected with the Backdoor.Coreflood virus.

Access to the file was denied.

Date: 7/31/03, Time: 8:55:34, . on N1Z3Z9

The file

C:\WINDOWS\SYSTEM\CQTBAR.exe

is infected with the Backdoor.Coreflood virus.

Unable to repair this file.

Date: 7/31/03, Time: 8:55:38, . on N1Z3Z9

The file

C:\WINDOWS\SYSTEM\CQTBAR.exe

is infected with the Backdoor.Coreflood virus.

Unable to quarantine this file.

Date: 7/31/03, Time: 8:55:40, . on N1Z3Z9

The file

C:\WINDOWS\SYSTEM\CQTBAR.exe

is infected with the Backdoor.Coreflood virus.

Unable to delete this file.

Date: 7/31/03, Time: 8:55:42, . on N1Z3Z9

The file

C:\WINDOWS\SYSTEM\CQTBAR.exe

is infected with the Backdoor.Coreflood virus.

Access to the file was denied.

Date: 7/31/03, Time: 9:07:10, on N1Z3Z9

Virus scan started.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\LPPZSQI.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\CQTBAR.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\CQTBAR.exe is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\LKEHZJD.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\JVAWHCI.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\PREHAHL.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\FJMWYJJ.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\UHRLOQN.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\LKQYQDK.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\JPXRLAB.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\UEQZLMC.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\SANJLMK.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\WWWBAOH.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\DOTCCEC.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\XCILGFJ.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\CLHTNPI.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\XKKSVKK.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\lppzsqi.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\cqtbar.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\lkehzjd.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\dotccec.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\jvawhci.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\prehahl.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\fjmwyjj.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\lkqyqdk.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\jpxrlab.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\ueqzlmc.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\uhrloqn.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\sanjlmk.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\wwwbaoh.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\xcilgfj.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\clhtnpi.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\TEMP\xkksvkk.dll is infected with the Backdoor.Coreflood virus.

The file was quarantined.
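To make sense of a log like the one above, here is an added Python example (mine, not code from the thread or from Norton) that parses the entry layout shown, joins the wrapped lines back into one message, splits the entries into scan runs at each "Virus scan started." marker, and reports per file whether the last recorded outcome was a failure. The embedded sample is an excerpt of the log above, so it shows the point of the post: the first pass could not repair, quarantine or delete the running CQTBAR.exe, while the rescan quarantined it.

```python
import re

# Excerpt of the Norton log quoted in the post above (paths and times are the thread's own,
# not constructed). Header lines vary slightly: ", . on HOST" versus ", on HOST".
SAMPLE_LOG = r"""
Date: 7/31/03, Time: 8:54:04, . on N1Z3Z9

The file

C:\WINDOWS\SYSTEM\CQTBAR.exe

is infected with the Backdoor.Coreflood virus.

Unable to repair this file.

Date: 7/31/03, Time: 8:55:34, . on N1Z3Z9

The file

C:\WINDOWS\SYSTEM\CQTBAR.exe

is infected with the Backdoor.Coreflood virus.

Access to the file was denied.

Date: 7/31/03, Time: 9:07:10, on N1Z3Z9

Virus scan started.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\LPPZSQI.DLL is infected with the Backdoor.Coreflood virus.

The file was quarantined.

Date: 7/31/03, Time: 10:20:52, on N1Z3Z9

The file C:\WINDOWS\SYSTEM\CQTBAR.exe is infected with the Backdoor.Coreflood virus.

The file was quarantined.
"""

HEADER_RE = re.compile(r"^Date:\s*(?P<date>[^,]+),\s*Time:\s*(?P<time>[^,]+),.*?\bon\s+(?P<host>\S+)$")
EVENT_RE = re.compile(r"The file (?P<path>.+?) is infected with the (?P<virus>.+?) virus\.\s*(?P<outcome>.*)$")


def parse_norton_log(text):
    """One dict per 'Date:' entry; the wrapped body lines are joined back into one message."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"date": m["date"].strip(), "time": m["time"].strip(),
                       "host": m["host"], "lines": []}
            entries.append(current)
        elif current is not None:
            current["lines"].append(line)
    for e in entries:
        message = " ".join(e.pop("lines"))
        ev = EVENT_RE.search(message)
        e["path"] = ev["path"] if ev else None
        e["virus"] = ev["virus"] if ev else None
        # Non-detection entries such as "Virus scan started." keep the whole message as outcome.
        e["outcome"] = ev["outcome"].strip() if ev else message
    return entries


def split_runs(entries):
    """Split the entry list into scan runs at each 'Virus scan started.' marker."""
    runs = [[]]
    for e in entries:
        if e["path"] is None and e["outcome"].startswith("Virus scan started"):
            runs.append([])
        else:
            runs[-1].append(e)
    return [r for r in runs if r]


def summarize(entries):
    """Per file (case-insensitive path): number of attempts and the last recorded outcome."""
    by_file = {}
    for e in entries:
        if e["path"] is None:
            continue
        rec = by_file.setdefault(e["path"].lower(), {"path": e["path"], "virus": e["virus"],
                                                     "attempts": 0, "final": None})
        rec["attempts"] += 1
        rec["final"] = e["outcome"]
    return by_file


def unresolved(summary):
    """Files whose last outcome was a failure ('Unable to ...', 'Access ... denied'): still on disk."""
    return [r["path"] for r in summary.values() if not r["final"].startswith("The file was")]


if __name__ == "__main__":
    for i, run in enumerate(split_runs(parse_norton_log(SAMPLE_LOG)), 1):
        s = summarize(run)
        print(f"run {i}: {len(s)} file(s), unresolved: {unresolved(s) or 'none'}")
```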

 
Dang...that's just nasty! Thanks GoRaiders for starting the thread and bringing it to everyone's attention. And to the others that helped to sniff this thing out! :thumbup:

 
I second the thanx GoRaiders! When I first saw it I just thought my computer was Fing up again!! And thanx to all you smart (computer guru) guys!! This is for you :banned:

 
I second the thanx GoRaiders! When I first saw it I just thought my computer was Fing up again!! And thanx to all you smart (computer guru) guys!! This is for you :banned:
I hope that's soda...I have a bit of a hangover :X
 
Just wondering if it's just my computer, but when I try to bring up the main page, it comes up without any graphics, and none of the links on the main page work. Is footballguys down?

 
I hope that's soda...I have a bit of a hangover
Whatever you like my man, whatever you like!! So your head feels like this today, :wall: :wall: :wall: !!!
Pretty much! Getting better though! And like I just told a female friend of mine....it's nothing that a few beers won't fix :D
 
Thanks GoRaiders for the heads up! And for the rest of you complaining about Joe and David: knock it off. These two and the rest of their staff bend over backwards on every issue to please their clients. They didn't plant the virus. Some jackass did. Hell, they could have just waited and posted the info on the pay side. If you have a computer and don't check it, it's YOUR fault. They sell firewalls, anti-virus software and a whole host of material to protect you and your system. You've CHOSEN to not buy or install these things. No one WANTS a trojan virus. Especially a website.

 
Question for the IT guys in the know. I found the virus installed on my work PC, which is networked.
1) Does the virus permit the hackers access to my networked files?
2) Would I have any idea that they were using my PC in any way?
3) Is there a way to easily check to see if any files were accessed/compromised?
Thanks in advance,
Jason

 
Question for the IT guys in the know. I found the virus installed on my work PC, which is networked.
1) Does the virus permit the hackers access to my networked files?
2) Would I have any idea that they were using my PC in any way?
3) Is there a way to easily check to see if any files were accessed/compromised?
Thanks in advance,
Jason
I'm not a network guru but I'll attempt an answer here... A lot depends on how your company is networked. I'm not sure what port this trojan uses but there are some obscure ports commonly used by trojans. Your IT peeps likely have a hardware firewall that will not allow traffic on these known ports. While the trojan may be able to snoop, it can't phone home.
 
They could have taken control of your pc with the same privileges that you have. It's not real likely that they did take control of your pc, though. These things usually remain dormant until they are used for Denial of Service attacks. If your workplace has a competent firewall in place, they likely block unused ports, so it shouldn't have been able to contact the IRC server that would have been used to control your pc.

 
Question for the IT guys in the know. I found the virus installed on my work PC, which is networked.
1) Does the virus permit the hackers access to my networked files?
2) Would I have any idea that they were using my PC in any way?
3) Is there a way to easily check to see if any files were accessed/compromised?
Thanks in advance,
Jason
That's a hard question to answer. One thing that seems pretty definite is that the Backdoor.Coreflood connects to an IRC chat server channel to report its availability to hackers -- that's where it gets its remote commands. If your PC is behind a firewall, it may not be able to connect back to the IRC channel after it was infected, which would pretty much mean that you were walled off from being remote controlled even though the virus was able to infect your PC. IRC typically uses ports 6667 and 6668 TCP and UDP. If you can connect to the internet from your PC on the IRC ports, you *may* have been intruded on. But even if the opportunity existed, it's very difficult to say whether you were actually compromised or not.
 
Question for the IT guys in the know. I found the virus installed on my work PC, which is networked.
1) Does the virus permit the hackers access to my networked files?
2) Would I have any idea that they were using my PC in any way?
3) Is there a way to easily check to see if any files were accessed/compromised?
Thanks in advance,
Jason
I'm in the same boat as Jason. Any more word on this?
 
Question for the IT guys in the know. I found the virus installed on my work PC, which is networked.
1) Does the virus permit the hackers access to my networked files?
2) Would I have any idea that they were using my PC in any way?
3) Is there a way to easily check to see if any files were accessed/compromised?
Thanks in advance,
Jason
I'm in the same boat as Jason. Any more word on this?
Just a followup to confirm (per McAfee's site) that the virus attempts to connect outbound to an IRC channel on port 6667. If you can establish an IRC connection to the internet and were infected with the virus, it is *possible* that your PC might have been intruded on by hackers. The primary purpose of the virus was to initiate denial of service attacks, so it's not clear how fully-featured the remote control afforded by the virus is. CoreFlood Detailed Info
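An added Python example (mine, not from the thread or from McAfee) of the check the two replies above describe, done from the firewall side rather than from the infected PC: it reads outbound-connection log lines, picks out hosts that reached or tried to reach the IRC ports named above (6667/6668), and gives a per-host verdict. The log layout and the addresses are constructed for the example; a DENY on 6667 still shows the host tried to check in, so it needs cleaning either way.

```python
import re
from collections import defaultdict

# Ports the replies above name for the backdoor's IRC check-in.
IRC_PORTS = {6667, 6668}

# Constructed sample in a generic "date time ACTION PROTO src:port -> dst:port" layout
# (not a real vendor format; 192.168/203.0.113/198.51.100 are private/documentation ranges).
SAMPLE_FW_LOG = """
2003-07-31 10:21:05 DENY  TCP 192.168.1.23:1045 -> 203.0.113.9:6667
2003-07-31 10:21:35 DENY  TCP 192.168.1.23:1046 -> 203.0.113.9:6667
2003-07-31 10:22:05 DENY  TCP 192.168.1.23:1047 -> 203.0.113.9:6667
2003-07-31 10:22:11 ALLOW TCP 192.168.1.23:1048 -> 198.51.100.4:80
2003-07-31 10:23:40 ALLOW TCP 192.168.1.57:1301 -> 203.0.113.9:6667
2003-07-31 10:24:02 ALLOW TCP 192.168.1.57:1302 -> 198.51.100.4:443
2003-07-31 10:25:19 ALLOW UDP 192.168.1.80:1500 -> 198.51.100.53:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fw_log(text):
    """Parse the constructed log layout; lines that do not match are ignored."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events


def irc_egress_report(events):
    """Per source host that touched an IRC port: allowed/denied counts, destinations, first seen."""
    report = defaultdict(lambda: {"allowed": 0, "denied": 0, "destinations": set(), "first": None})
    for ev in events:
        if ev["dport"] not in IRC_PORTS:
            continue
        rec = report[ev["src"]]
        rec["allowed" if ev["action"] == "ALLOW" else "denied"] += 1
        rec["destinations"].add(ev["dst"])
        rec["first"] = rec["first"] or ev["ts"]
    return dict(report)


def verdict(rec):
    """'possible-compromise' if any check-in got out; 'checkin-blocked' if the firewall stopped all."""
    return "possible-compromise" if rec["allowed"] else "checkin-blocked"


if __name__ == "__main__":
    for host, rec in irc_egress_report(parse_fw_log(SAMPLE_FW_LOG)).items():
        print(host, verdict(rec), f"allowed={rec['allowed']} denied={rec['denied']}",
              "->", ", ".join(sorted(rec["destinations"])))
```

Hosts that never touched the IRC ports (192.168.1.80 in the sample) do not appear in the report at all, which is the expected result for a clean machine.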
 
Well crap.....I have the virus now.....Norton went off and found 11 of them...I ran VirusScan night before last and I was clean....Last night I ran it again and had 11 of the bastards.......Norton can't fix, delete, or quarantine them!..Now what?.....any ideas? A little too late for the updates and patches.....I thought Norton would keep stuff out. I have kept it updated....
Whitesnake, to remove the trojan/virus, you will need to boot into safe mode. On most PCs, you will have to hold down the F8 key when booting the PC. A menu will appear. Select #3, Safe Mode. Safe mode loads only the minimal drivers your PC needs to function, but not the trojan/virus. Once in safe mode, run the virus scan. Your AV software should have no problem getting rid of it. Once the initial trojan was loaded, it created a backdoor. The hacker could then load whatever he/she wanted. In your case, it looks like 10 more trojans/viruses were added. That's why NAV missed it.
Thanks a bunch....this seemed to do the trick!
 
Here is the link to the Symantec website so you can perform a security check on your computer. Basically they try to access your computer through the different ports to see if you have any weaknesses. Your work network (assuming your company is not behind the times) should have a firewall and already blocked off these ports. If not, the Symantec scan will let you know.

My guess is they were not able to access your CPU at work, since most work networks are fairly secure.

Security Scan

Also, there is a major flaw in the Microsoft O/S that needs to be patched on most computers and networks. You may want to alert your company IT dept (although they should already know). Word is this is a major flaw and could cause some serious damage globally if attacked.

Microsoft Security Update

 
I just ran the Trend Micro Virus Scan that someone suggested in this Thread

I've got this Virus, some kind of Worm

Unable to clean the file 'C:\Windows\ApplicationData\MSN6\UserData\{1D6DF360-8682-01C1-0300-0000C550BD9E}\Hotmail\TemporaryMailFiles(0008517C)\bgcolor.exe' Because it is currently in use
Step by step (as I am an Idiot), how do I fix this? This is on the Trend Micro site:

If HouseCall finds a virus:

If HouseCall finds a virus on your PC, it means that your current antivirus solution is not working properly.

When HouseCall finds a virus, it will list the name of the virus as well as the name of the infected file. Click on the virus name to learn more about it.

Click on the "Clean" button to remove the virus.

Certain viruses, such as Trojans, scripts, overwriting viruses, and joke programs which are identified as "uncleanable", should simply be deleted.
Can I just delete this file? (However that is done)
 
Wow...great discussion everyone. Question on the IE6 and Service Pack....I currently have been running IE 6 without the patch and of course I've been seeing the window pop-up on the FBG's main page the last couple of days. After reading this thread, I decided I must download the patch. Do I need to download and install 'Internet Explorer 6 Service Pack 1'? Then do I need to go back and download the 'Cumulative Patch for IE6 SP1'? So I'm not just getting a patch for IE 6. I must first get IE6 service pack 1, then get the patch for it?

 
I just ran the Trend Micro Virus Scan that someone suggested in this Thread

I've got this Virus, some kind of Worm

Step by step (as I am an Idiot), How do I fix this?

This is on the Trend Micro site:

If HouseCall finds a virus:

If HouseCall finds a virus on your PC, it means that your current antivirus solution is not working properly.

When HouseCall finds a virus, it will list the name of the virus as well as the name of the infected file. Click on the virus name to learn more about it.

Click on the "Clean" button to remove the virus. 

Certain viruses, such as Trojans, scripts, overwriting viruses, and joke programs which are identified as "uncleanable", should simply be deleted.
Can I just delete this file? (However that is done)
I think bgcolor.exe comes from one of the Klez viruses. Try to delete it. You might not be able to. If not, boot up in safe mode (press F8 when you see the starting windows message) and run virus scan or delete it. I'd run virus scan again anyway. Here's the link to the free AV program
 
Wow...great discussion everyone. Question on the IE6 and Service Pack....I currently have been running IE 6 without the patch and of course I've been seeing the window pop-up on the FBG's main page the last couple of days. After reading this thread, I decided I must download the patch. Do I need to download and install 'Internet Explorer 6 Service Pack 1'? Then do I need to go back and download the 'Cumulative Patch for IE6 SP1'? So I'm not just getting a patch for IE 6. I must first get IE6 service pack 1, then get the patch for it?
If it were me, I'd click on Tools and then Windows Update in IE. If you're running win2k or XP there's a critical update for that too. A lot of updates will come up; you really only need the ones under the critical heading.
 
Wow...great discussion everyone. Question on the IE6 and Service Pack....I currently have been running IE 6 without the patch and of course I've been seeing the window pop-up on the FBG's main page the last couple of days. After reading this thread, I decided I must download the patch. Do I need to download and install 'Internet Explorer 6 Service Pack 1'? Then do I need to go back and download the 'Cumulative Patch for IE6 SP1'? So I'm not just getting a patch for IE 6. I must first get IE6 service pack 1, then get the patch for it?
I believe (but am not positive) that if you use the windows updater, it will get everything for you. I had the SP1, but didn't have some other more recent IE patches apparently. I used the windows updater (from IE, go to the Tools menu and select Windows Update) and as part of everything else it updated, it added the extra patches I was missing to IE. So I believe you can just use windows updater and it will get everything microsoft has put out for you.
 
Wow...great discussion everyone. Question on the IE6 and Service Pack....I currently have been running IE 6 without the patch and of course I've been seeing the window pop-up on the FBG's main page the last couple of days. After reading this thread, I decided I must download the patch. Do I need to download and install 'Internet Explorer 6 Service Pack 1'? Then do I need to go back and download the 'Cumulative Patch for IE6 SP1'? So I'm not just getting a patch for IE 6. I must first get IE6 service pack 1, then get the patch for it?
I believe (but am not positive) that if you use the windows updater, it will get everything for you. I had the SP1, but didn't have some other more recent IE patches apparently. I used the windows updater (from IE, go to the Tools menu and select Windows Update) and as part of everything else it updated, it added the extra patches I was missing to IE. So I believe you can just use windows updater and it will get everything microsoft has put out for you.
Thanks GregR. That's probably an easier way than what I did, which was to download the entire IE6 Service Pack 1. It took about 45min-1hour for the download and install on my dial-up connection. But when I re-booted, the version was updated. I installed the cumulative patch for IE6 service pack 1 just in case. Now that I've gotten this far, I guess I need to download one of those free virus scan programs and take a look. TO EVERYONE :thumbup: thanks a lot for the great communication and support.
Trout
edit for spelling
 
Hey guys, I did a little digging into Microsoft and how it handles patches, and automatic updating. Basically, if you are already at the current patch level you probably didn't have a problem with this virus. If not, you should be at it... but you might ask (as I did) how can you find out when there's a new critical update that you should get?

Micro$oft gives you the ability to do it, but you need to grab it yourself for Windows 2000 and Windows 98. I think it's bundled into XP already.

If you go to IE's Tools->Windows Update menu and do the full update of everything MS wants you to have, it will also install the Automatic Updater (at least in Win 2k). If you go to Control Panel you'll see an entry for it. It will check for new critical updates, and either install them automatically, or download them then tell you that they are there so you can ok their installation.

So what I'm saying is, don't just download the SP1 for IE6. Run Windows Update and get yourself all the patches including the automatic updater so you stay current after that. I believe you can go to http://windowsupdate.microsoft.com/ to get the update, if for some reason you can't access it through the Tools menu.

 
Me personally, I don't like having the auto-update enabled. I want to know what's being installed before it happens. But for those who tend to forget or ignore the updates it's a good thing. I somehow sometimes forget myself even though I get about 100+ emails each day from a security/bugtraq mailing list. Hopefully this is the end to all the virus/trojan crap here....it's time to get back to football!!!!

 
This hit me hard at work today. I had 14 infected files. GDB having to call the IT guys to fix something you broke, that you're not supposed to be doing in the first place. Kind of like asking your wife to look at the scabs on your tool a week after tapping a $20.00 pro. GregR, Wombat and 3C's are posting the same stuff that the IT dude had me do today, so trust them, they know what they are talking about. One thing that I haven't seen posted was to write down the names of the infected files. GregR posted at the bottom of page two how to check your registry. I had the virus there as well. Compare the list you wrote down and delete those files from your registry. Be very careful while doing this; I would PM one of these guys for help if you're not sure. Then from the Start-Search menu, start typing in the file names, and manually delete any that match what you wrote down.

 
Me personally, I don't like having the auto-update enabled. I want to know what's being installed before it happens.
I have mine set to download the patch and inform me, but not install it.
 
This hit me hard at work today. I had 14 infected files. GDB having to call the IT guys to fix something you broke, that you're not supposed to be doing in the first place. Kind of like asking your wife to look at the scabs on your tool a week after tapping a $20.00 pro. GregR, Wombat and 3C's are posting the same stuff that the IT dude had me do today, so trust them, they know what they are talking about. One thing that I haven't seen posted was to write down the names of the infected files. GregR posted at the bottom of page two how to check your registry. I had the virus there as well. Compare the list you wrote down and delete those files from your registry. Be very careful while doing this; I would PM one of these guys for help if you're not sure. Then from the Start-Search menu, start typing in the file names, and manually delete any that match what you wrote down.
Backing up your registry first is a good idea as well. Instructions can be found here. Instructions for backing up the entire registry (not just one key) are near the bottom, separated by Windows version.
 
This hit me hard at work today. I had 14 infected files. GDB having to call the IT guys to fix something you broke, that you're not supposed to be doing in the first place. Kind of like asking your wife to look at the scabs on your tool a week after tapping a $20.00 pro. GregR, Wombat and 3C's are posting the same stuff that the IT dude had me do today, so trust them, they know what they are talking about. One thing that I haven't seen posted was to write down the names of the infected files. GregR posted at the bottom of page two how to check your registry. I had the virus there as well. Compare the list you wrote down and delete those files from your registry. Be very careful while doing this; I would PM one of these guys for help if you're not sure. Then from the Start-Search menu, start typing in the file names, and manually delete any that match what you wrote down.
Backing up your registry first is a good idea as well. Instructions can be found here. Instructions for backing up the entire registry (not just one key) are near the bottom, separated by Windows version.
Very good idea...of course I never do it. :bag: It's going to bite me one day. I think all that gets added to the registry (in this case) is a command to start the trojan on reboot. Since the executable is gone (by AV removal), it won't hurt if it's still there. The reason you would want to write down the names of the infected files (IMHO) is just in case one of them is a critical (necessary) file. Very funny analogy there mvp22 :rotflmao:
 
I have mine set to download the patch and inform me, but not install it.
Maybe I'll try that...it's just something about that little pop-up message bubble thing that annoys me.
 
Maybe I'll try that...it's just something about that little pop-up message bubble thing that annoys me.
If it annoys you less than getting trojans installed on your computer, then I think it's worth it! The auto-update thing probably saved me on this and I'd recommend it to everyone, especially if you have a broadband connection. Set your antivirus to auto-update as well and you should be about as safe as possible.
 
Thanks so much for bringing this to our attention and to all the guys helping out in fixing it! What I am wondering is if everyone who went to their site will have a virus. I went there 2 times at least, and saw the thing pop up, but when I just ran a virus scan with Norton (about 9 months old) I got nothing. Am I clean, or do I have to do more? Thanks! PS: I also updated Explorer.

 
If you saw the pop-up, I'd be concerned. Sounds like most AV scanners won't see it until you reboot. I'd get the latest virus definitions and rescan. If nothing, reboot into safe mode and scan again. <wondering outloud> if you were to search for the txtprog.exe file if it would show up </wondering outloud>

 
If it annoys you less than getting trojans installed on your computer, then I think it's worth it! The auto-update thing probably saved me on this and I'd recommend it to everyone, especially if you have a broadband connection. Set your antivirus to auto-update as well and you should be about as safe as possible.
It's just one of those things that bugs me...sort of feel like big brother is watching me. I get all the MS bulletins and way too many emails from bugtraq, so I stay on top of it. And I agree wholeheartedly, if your AV program has an autoupdate, use it. I use Symantec, they only put out live-update releases once a week...if I could I'd set it to update every day.
 
Thanks so much for bringing this to our attention and to all the guys helping out in fixing it! What I am wondering is if everyone who went to their site will have a virus. I went there 2 times at least, and saw the thing pop up, but when I just ran a virus scan with Norton (about 9 months old) I got nothing. Am I clean, or do I have to do more? Thanks! PS: I also updated Explorer.
You need to make sure your AV definitions (aka signatures) are up to date. Scanning with old signatures will accomplish nothing because NAV won't know the trojan is a trojan. NAV (actually ALL AV software) has to be told what to look for. That is what the definition/signatures do. Open up NAV and check the date on the signatures (it should be displayed). The date should be no older than 1 week ago.
 
Allrighty, I'm running Windows XP. Updated my IE to the latest 6.0 version (it says SP1). Downloaded the AVG 6.0 Anti-Virus System and ran a virus check. I have the Trojan Horse BackDoor.Apdoor on my machine. The file it is infecting is C:\WINDOWS\SYSTEM32\FGSVUYE.EXE but I could not remove the virus from the file. Tried deleting the file, but got slapped down on that request as well. I tried restarting in Safe Mode, but I can't get the AVG 6.0 Anti-Virus System to run in safe mode. The error is something like "a needed component isn't running" or something like that. Any tips for me? I'm not the most super computer literate guy, so dummy terms is probably best for me in my situation. Any assistance appreciated. Thanks to all the guys who have already helped me a ton with the info in this thread!

 
Bump for some of the others. My thoughts. You have 2 options...other than buying a copy of NAV or McAfee. Boot into safe mode, then either: 1) Do a search of your hard drive for files called "FGSVUYE.*" w/o the quotes. There should be exe's and dll's. Delete those files. 2) I'm not at all familiar with the AVG product, but if you were trying to run the windows app, maybe you can try running it from command line. I'm not certain what the program name is, but look in the AVG folder that was created by the install. Might be something like AVGSCAN.EXE. Open a command prompt window and type in the name of the program. But, hopefully an AVG user can help. I need to get going on to work, I'll check in later...

 
That would work fine, but unfortunately his problem is that he can't get the AV software to start up when in safe mode.

 
Allrighty, I'm running Windows XP. Updated my IE to the latest 6.0 version (it says SP1). Downloaded the AVG 6.0 Anti-Virus System and ran a virus check. I have the Trojan Horse BackDoor.Apdoor on my machine. The file it is infecting is C:\WINDOWS\SYSTEM32\FGSVUYE.EXE but I could not remove the virus from the file. Tried deleting the file, but got slapped down on that request as well. I tried restarting in Safe Mode, but I can't get the AVG 6.0 Anti-Virus System to run in safe mode. The error is something like "a needed component isn't running" or something like that. Any tips for me? I'm not the most super computer literate guy, so dummy terms is probably best for me in my situation. Any assistance appreciated. Thanks to all the guys who have already helped me a ton with the info in this thread!
I agree with 3Cs -- I would boot into Safe Mode, then launch a Command Prompt by choosing Run from the Start menu, then type: cmd in the Run box and press <enter>. A black command box should appear; when it does, type: del c:\windows\system32\fgsvuye.exe into the box and press <enter> to run the command. This should delete the infected file. Then type: exit and press <enter> to close the Command box. Then I would boot back up normally and re-run the AVG scan. If it finds other infected files, write down their full path and filename like you did for the last infected file you found, and if AVG can't quarantine or delete them, you can boot back into Safe Mode and repeat the process above, substituting the full path and name of each infected file for c:\windows\system32\fgsvuye.exe in the del (delete) command above. If this doesn't work, you should be able to use AVG in DOS mode once you boot into Safe Mode -- here are the steps you can take to do this: AVG in DOS Mode
 
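A scripted version of the clean-up steps in the reply above (find every file sharing the reported base name, record its size, timestamp and hash before it is gone, check whether it is held open by a running process, then delete what can be deleted). This is an added example, not code from the thread or from AVG; the path list is constructed from the single path reported above, and the log-file location is an assumption. Run it from an elevated PowerShell prompt; a "file is in use" result is exactly the case the reply solves by rebooting into Safe Mode first.

```powershell
# Added example, not code from the thread. Triage and remove files an AV scan
# flagged but could not delete. Requires an elevated (Administrator) prompt.

# Constructed from the one path quoted in the thread; replace with what your
# scanner reports (full path and file name, as the reply above suggests).
$Reported = @(
    'C:\WINDOWS\system32\fgsvuye.exe'
)

# Log location is an assumption; any writable path will do.
$LogFile = Join-Path $env:USERPROFILE 'removed-files.log'

# The thread advises searching for FGSVUYE.* because the trojan drops both an
# exe and a dll. Find every file under the Windows directory with that base name.
function Find-Siblings {
    param([string]$Path)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    Get-ChildItem -Path $env:WINDIR -Filter "$base.*" -Recurse -Force -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

# A file that cannot be opened with exclusive access is held by a running
# process, which is why the delete fails in normal mode and works in Safe Mode.
function Test-FileLocked {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

# Collect the reported paths plus any siblings, dropping empties and duplicates.
$targets = @()
foreach ($r in $Reported) {
    $targets += Find-Siblings $r
    if (Test-Path -LiteralPath $r) { $targets += $r }
}
$targets = $targets | Where-Object { $_ } | Sort-Object -Unique

foreach ($t in $targets) {
    $item = Get-Item -LiteralPath $t -Force
    $hash = (Get-FileHash -LiteralPath $t -Algorithm SHA256).Hash
    # Record what is being removed so the sample can still be identified later.
    "$t size=$($item.Length) created=$($item.CreationTime) sha256=$hash" |
        Tee-Object -FilePath $LogFile -Append

    if (Test-FileLocked $t) {
        Write-Warning "$t is in use. Reboot into Safe Mode and run this script again."
        continue
    }
    try {
        Remove-Item -LiteralPath $t -Force -ErrorAction Stop
        Write-Host "deleted $t"
    } catch {
        # Typically access denied: re-run elevated, or from Safe Mode.
        Write-Warning "could not delete $t : $($_.Exception.Message)"
    }
}
```

After the script finishes, re-run the AV scan as the reply recommends; anything it still reports goes into `$Reported` for another pass, and any path that came back as "in use" is handled from Safe Mode.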
Nice work everyone. I've now downloaded the latest IE 6.0 with SP1 and patch. Then I downloaded AVG and ran a scan. It found 150 :eek: . That's right, 150 :eek: infected files. It identified 4 viruses. They are: Trojan Horse BackDoor.apdoor (only 1 infected file), I-Worm/BadTransII (only 2 infected files), Win32/EIKern (19 infected files), I-Worm/klez.H (by far the most). Per the recommendation I moved the infected files to the vault. Now most of the infected files have a 'Healed OK' status...some still say 'virus vault'. The Trojan Horse and the Win32/EIKern are the only 2 that do not have the 'healed ok' status. Now what do I need to do? :confused: 1. Most of the I-Worm/klez.H infected files are in c:\windows\temp\ various numbers and letters.EXE. For example c:\windows\temp\BHY81B1.exe is infected, but AVG says it's healed ok. Now what do I do? I don't even know what that file is :confused: There's probably over 100 of them like that. Do I need to go to all those files and delete them from my C: drive? Or should I just let them remain there knowing they're 'healed'? 2. Some of the I-Worm/klez infected files are in my program files- such as c:\program files\adaptec.... Adaptec is my CD creator software. After running the AVG scan and trying to heal everything, AVG is saying that the status is 'healed ok'. But, my desktop icon for Adaptec is looking different. I'm assuming I may just need to re-install the now clean program? It just seems strange the Adaptec program was infected, then healed, now needs to be re-installed, but my photo editing program (Presto! Image) was also infected, then healed, now it's running like normal. 3. The Win32/.EIKern and the Trojan Horse do not have the 'Healed OK' status. The files are in c:\program files\various number and letters. Example c:\program files\YHK7310.EXED is infected and now in the virus vault (not healed ok). I have no idea what those files are. Those files have the ' ->virus vault' status. Not sure what that means either.
Does it mean AVG couldn't fix those files but moved them to a safe vault area? Should I go to those files and delete them? I don't know what they're for or what they do, should I just get rid of them? I hate to be deleting 150 files if I don't need to, but I may have no other option. Maybe I just throw the computer out the window and start over. Any advice on what to do with these 150 files would be greatly appreciated.

 