
Pop-ups and Trojans


QMom (MIS) | Apr 26, 2003 | 29 | US
For the past two days I've been getting this pop-up error - "App_Vero_38446 (X in red circle) can't resolve hostname to IP address". I've looked everywhere else and can't get the pop-ups to stop. I ran Trend's House Call and it found two trojans on several files - troj_delf_d and bkdr_lith.103.a. The files they were attached to are hnsys32.dll, cpch32.dll and sysupdt32.exe. I quarantined and deleted those as instructed, but the popups are still appearing. I upgraded Norton, and it didn't find anything at all. I uninstalled anything I installed since three days ago (games); I scoured the registry to see what's starting up or causing this problem; I have a firewall in my Linksys router; the other computer on my network isn't affected, nor are the other profiles on this computer; I'm careful to delete and block spam, and I haven't gotten any emails with attachments; I have two IM services, but they haven't been fired up in a week; and I power off my DSL every night. For whatever reason, my System Restore won't go back three days. I've gone through my Event Viewer and Services and didn't see anything unusual. I just uninstalled VPN. I looked through the forums here (admittedly not all of them) and followed some instructions - like making sure XP has all its service packs and updates.

Can anyone help me? Do I have to reformat this thing?? Have I honestly been hacked?
 
Did you disable system restore before running antivirus to clean your system?
If not, you have not cleaned the mess out.

It sounds like you have disabled part of it by deleting some files, and it is giving you an error because in this instance you are a server...and you are trying to communicate with the client side and not getting through. (That would be a good thing.)

Go here and run another scan after you disable system restore:


Search out the infections, and follow the instructions on getting rid of them. You are already off to a good start.


 
Thanks, Kimbertech. I did neglect to turn off system restore previously, so I did that today and scanned again using all three methods - Panda, Norton, and Trend. Only Trend found the trojans. However, if my computer is attempting to communicate with something because it's a server, how do I change it to a workstation? I do remember making that choice some time ago, but I don't remember where that setting is. Do you think that would affect my network?

Maybe I could try using a different profile...
 
Eliminating some viruses can be a big hassle and, frankly, you are never really sure you've gotten rid of it. You can spend hours trying to thwart the virus.

Personally, I would back up all valuable data then completely wipe the drive (including FDISK or even a low-level format if you can find the right utility for your drive). If you were planning on buying a new drive in the near future, now would be a good time.

Once your system is back alive and kicking, make sure you have 2 programs running:

1. ZoneAlarm - Firewall to block intrusions

2. Grisoft AVG6 - Free virus scanner. Set the program to update daily.

Finally, install all OS updates and patches before you begin to reinstall programs.
 
Thank you everyone for responding so quickly. The popups are driving me nuts! I did in fact install a new, larger hard drive recently, and I was considering reformatting the old one anyway. It looks like fate - or some bored hacker - has pushed me to go ahead and do it.

With all the hours of searching for a solution to my issue, I'm glad I came across this forum. It's reassuring to know that someone is out there, wherever you all are, willing to take the time to help others and share their expertise.
 
One thing to try: disable the Messaging Service.

I use Win2K but it should be in the same approximate place on WinXP.

Go to Start > Settings > Control Panel > Administrative Tools > Services. Scroll down the list looking for Windows Messaging or Messaging Service. Double-click it and set it for Disabled.

An annoying type of spam started going around using the Messenger Service that sent WinPopups to people on the internet. These are text-only messages that are not harmful, just incredibly annoying. They are ridiculously easy to do. Go to a command prompt and try this:

net send xxx.xxx.xxx.xxx "Hi there!"

Put in your IP address for the X's. If you know other people using WinXP or Win2K you can put in their IP address. It will work only if they:

1. Are running the Messaging Service and,
2. Do not have a firewall/NAT protecting them.
 
You may have adware (in addition to the trojans): see FAQ608-3482 for removing - good luck!

<marc> i wonder what will happen if i press this...
- please give feedback on what works / what doesn't
- need some help? how to get a better answer: faq581-3339
 
Thanks for your suggestion, Manarth. I don't want to give the wrong impression though. When I refer to "pop-ups", I mean the error message that keeps popping up every time it fails, not necessarily advertisements. I did consider adware, because I found an unusual entry in the registry that turned out to be adware. I found several such entries and deleted them, then following your suggestion, I ran Spybot and it found 71 more. ....But I'm still getting the error.

I contacted Trend, and their support tech suggested I send them the virus log. While gathering that, I also looked at the firewall log and discovered after some digging that my router is suddenly failing to send log information to the IP address it has been using for the past year. So I'm waiting for a reply from Linksys about that.

I'm going to be bald before this is resolved ....
 
Here are some steps I'd go through (whilst I'm scratching my head wondering what the &*£"'s going on!)

- delete all temp files / temp internet files / cookies, etc
- scan for adware, etc
- run a virus scan (if I feel it probably is a virus)

- if a particular name is referenced (e.g. "App_Vero_38446") I'd search the entire system (you can search not just file names, but also file contents using windows search) for the name
- because it's a DNS issue (hostname --> IP) I'd look at the relevant "hosts." (in your windows directory) and "lmhosts." (same as "hosts." but for netbios names), and your DNS server details (or WINS if you use that)
- Ctrl:Alt:Delete to show what Apps / Processes / Threads are running... a great trick is to look for anything you don't recognise, then plug the filename into Google... if it's malware, you can be sure of a good few hits!


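The hosts-file check in the post above is the kind of thing worth automating when triaging a box like this, since malware commonly pins security-vendor hostnames to loopback (so updates silently fail) or pins ordinary names to an address the attacker controls. The script below is an added example, not code from this thread or from any of the tools mentioned in it; the hosts-file content it parses is constructed for the demo and the hostnames in it are invented placeholders. It flags any name other than the usual local aliases that is mapped to a loopback address, and any name mapped to a non-loopback address at all, because on a home workstation every such line bypasses DNS and deserves a look.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts-file content (not taken from the thread). It mixes a
# normal localhost line, comments, an AV-update host pinned to loopback, and a
# pair of names pinned to a routable address that is not this machine.
SAMPLE_HOSTS = """\
# static host table, edited by hand
127.0.0.1       localhost
# pinning a vendor update host to loopback quietly breaks its updates
127.0.0.1       updates.example-av.invalid
# a name pinned to some other address means DNS is never consulted for it
203.0.113.7     www.example.com  example.com
"""

# Names that legitimately live on loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) for every active entry.

    Blank lines and '#' comments (whole-line or trailing) are skipped, as the
    Windows and Unix resolvers skip them.
    """
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no name maps nothing
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def audit_hosts(text: str) -> List[str]:
    """Return one human-readable finding per suspicious name mapping."""
    findings: List[str] = []
    for addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append(f"unparseable address {addr_text!r} for {' '.join(names)}")
            continue
        for name in names:
            lname = name.lower()
            if addr.is_loopback:
                if lname not in LOCAL_NAMES:
                    findings.append(
                        f"{name} is pinned to loopback ({addr_text}); "
                        "it can never reach its real host"
                    )
            else:
                findings.append(
                    f"{name} is pinned to {addr_text}; DNS is bypassed for this name"
                )
    return findings


def lookup_pinned(text: str, hostname: str) -> str:
    """Return the address a hostname is pinned to, or '' if it is not in the file.

    Useful for checking a specific name from an error message against the file.
    """
    wanted = hostname.lower()
    for addr_text, names in parse_hosts(text):
        if wanted in (n.lower() for n in names):
            return addr_text
    return ""


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("FINDING:", finding)
    print("www.example.com ->", lookup_pinned(SAMPLE_HOSTS, "www.example.com") or "(not pinned)")
```

On a real machine, read the file at `%SystemRoot%\System32\drivers\etc\hosts` (Windows) or `/etc/hosts` and pass its contents to `audit_hosts`; the `lmhosts` file the post also mentions has a different (NetBIOS-oriented) syntax and is not handled here.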
 
I would like to extend a gigantic thank you to everyone who offered suggestions for resolving my bizarre error problem. I wish I had written down everything I did to try to get that annoying pop-up message to go away. Somehow, it went away just as suddenly as it came. Actually, I tried a couple more things this morning that might have helped. I checked the PC-Cillin firewall log and it showed my router having firewall blocking issues trying to communicate with either its own activity log or my computer. (Which is strange in itself because I was still able to network and access the internet.) I started checking every single router setting and found nothing had changed. I discussed this strangeness with a friend, who suggested I reinstall my router from scratch. Instead, I tried resetting it .... again .... then I unplugged it for a minute to completely reset it. The messages kept coming. I got frustrated and turned off the computer. Now, I've been online for 15 minutes and <knock wood> NO MORE MESSAGES!!

I appreciate all your suggestions. The best lesson from all this is that my computer is now so very clean from adware, viruses or trojans. I found and removed all kinds of garbage that I didn't need, and I have a whole new understanding of my registry. I can now sleep through the night, and I'm no longer afraid to approach my computer. My apologies if I kept anyone else awake....

Thank you again, everyone! [thumbsup] [bigsmile]
 