I caught a Trojan Horse virus from a ZSNES that was apparently from a bad source. McAfee detected it but was unable to remove the file. I tried AVG and that removed it. Should I change all my passwords? Because there are a lot of them. After I removed the virus I changed the "important" passwords: both emails, Steam, Amazon, XoO, and the WAR beta.
http://forum.aumha.org/viewtopic.php?f=30&t=34090&start=0&st=0&sk=t&sd=a This thread helped me a lot! Read it, you'll find some nice tips on certain programs like: Malwarebytes Anti-Malware
Do you know the name of the Trojan or the virus? That would help considerably as to whether you need to be concerned about any personal information leaks.
C:\WINDOWS\ydpty.pif. McAfee calls it Generic.dx. I think it was trying to turn my comp into a zombie, because McAfee also deleted Local Settings\Temp\server.exe, also a Generic.dx. It wasn't there long, and while the scanners were going I disconnected my computer from the net. Thanks for the help everyone.
Sorry, I don't know ydpty.pif, and unfortunately "Generic.dx" is McAfee's way of saying "it looks like a Trojan but we don't have a case/name for it yet (also true with unknown *.pif files)". Seeing as how it was trying to establish a possible bot out of your machine, you best assume that there may be a key logger installed as well. Are you certain that this Trojan you installed did install that server.exe and that is all it installed? You may want to check out these tools to see if that is in fact all it installed and who your machine may still be talking to.

The problem with bots is that once you run the Trojan it buries its installers in hidden files and often checks to see that its uncompressed executables (such as the one you found) are still there, and if not re-installs them. If you cannot confirm that the executed Trojan is completely removed, unfortunately you may need to rebuild your system (worst-case scenario). But like I said... check out those tools, read your logs and watch your network traffic (TCPView is great for that), and file, process and registry traffic (Process/File/Reg Mon are good tools). If all looks cool after a couple of days then don't stress it and just make certain your virus scan is clean, updated and thorough. If you keep finding installers that you didn't install after you think you have cleaned the system, then prepare to rebuild.

Trojans, unlike viruses, do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. So be careful what you run from sources that are less than trustworthy to avoid this in the future.
Is there anything in particular I should be looking for? This is the first time I have used these programs. In Process Monitor and File Monitor, I have been telling them to exclude programs that I know the purpose of and that are just filling up the sheets with their activity: programs like McAfee, AVG, Spybot's TeaTimer, and Firefox. I have also been going through and googling the various .exe files and processes. As I find out what they do I have been excluding them from the lists. The only ones left in Process Monitor are explorer.exe, services.exe, rundll32.exe, and MDM.exe. In File Monitor all that is left is explorer.exe. They are left because the sites I am getting this information from say that they have the potential to be exploited by Trojans.
Unfortunately these programs take some getting used to, as you have to first learn what is normal computer communication and what is not.

TCPView: the best one to start with. Watch what IPs your box is chatting to. If it never babbles to anything other than what you expect it to, then I wouldn't worry too much. You can sort by remote address or process (run your computer with no other programs running to minimize these lists) and see if there are processes or IPs you do not know. From there you can Google the processes and see if they are legit, and use programs like Sam Spade by Blighty Design to see who owns what IPs. It will take some getting used to, but after some time you will start to recognize what is OK and what looks suspicious. If you don't see any suspicious communications over the period of perhaps an hour, then you could stop here and assume all is cool. If you do see a process that is communicating suspiciously and you can't account for it, then move on to the next step...

Process Monitor: Same thing... kill all unnecessary programs to make the list easier to view. Look up processes you don't know and filter out ones that are confirmed legit (this will take some time). If you found a process via TCPView that looked suspicious, then you can have the filter only show that questionable process and see what it is doing. Through this program you can see the registry and file paths the process accesses. This will help you track down hidden installations. BE EXTREMELY CAREFUL & FULLY RESEARCH A SUSPECTED PROCESS, REG AND FILE PATH BEFORE YOU DELETE ANYTHING. With all these tools move slowly and research your questions and findings, as you may accidentally be looking at a legitimate system process/file with suspicion.

File Monitor: This program is very similar to Process Monitor and Registry Monitor, in that it tells you what processes are doing with what files and can further help you investigate suspicious files.
With these four programs, some work and online research you should be able to track down just about any virus, Trojan or active hack and clean it out.
Again, thank you tremendously for all the help. About the only process in TCPView that I can't figure out is System:4 (five entries).
System is your System process. It's commonly process ID 4. It deals with internal processes and file/print sharing, which is why those ports are listening. In most cases perfectly normal. If you aren't seeing anything weird after an hour or so... I would say you're cool and not to stress too much about your 'puter. Changing your passes is always a good idea, but I seriously doubt they were in trouble. My guess is you had an extremely unsophisticated Trojan that tried to establish a file or FTP server on your box (most likely for warez), which your McAfee caught early on. If that was the case, these Trojans rarely care about your personal information, but are more interested in your bandwidth and hard drive. Hard to tell without seeing it first hand.
Thanks again. I have been watching it for some time and nothing out of the ordinary, except for [System Process]:0, but what I found is that that is just the system idling. The state is TIME_WAIT. I could link you the file. It is in a .rar folder and the virus only seemed to activate when you execute the ZSNES. I am going to ask first because I don't want to somehow cause problems.
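The triage routine described above (TCPView first, then research whatever you cannot account for), as an added example that is not from this thread or from the Sysinternals tools: it reads a constructed TCPView-style connection list, treats System (PID 4) listening on the file/print-sharing ports and TIME_WAIT entries from [System Process]:0 as normal, and lists only what is left to look into. The LAN prefix, the process baseline and every address and process in the sample are assumed, constructed values.

```python
import ipaddress
from collections import defaultdict
# Constructed sample in the "process:pid proto local remote state" shape TCPView shows.
SAMPLE = """\
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 TCP 0.0.0.0:139 0.0.0.0:0 LISTENING
firefox.exe:1520 TCP 192.168.1.10:49200 203.0.113.8:443 ESTABLISHED
[System Process]:0 TCP 192.168.1.10:49188 203.0.113.8:80 TIME_WAIT
server.exe:2044 TCP 192.168.1.10:49310 198.51.100.77:6667 ESTABLISHED
server.exe:2044 TCP 0.0.0.0:21 0.0.0.0:0 LISTENING
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network
KNOWN_PROCESSES = {"firefox.exe", "mcshield.exe", "avgnt.exe"}  # assumed researched baseline
SYSTEM_SHARE_PORTS = {139, 445}  # file/print sharing, normal for System (PID 4)

def parse(text):
    rows = []
    for line in text.splitlines():  # the process name itself may contain spaces
        proc, proto, local, remote, state = line.rsplit(" ", 4)
        name, pid = proc.rsplit(":", 1)
        rows.append({"name": name, "pid": int(pid), "proto": proto,
                     "local": local, "remote": remote, "state": state})
    return rows

def port_of(addr):
    return int(addr.rsplit(":", 1)[1])

def is_expected(row):
    """Entries the thread explains as normal, plus processes already accounted for."""
    if (row["name"], row["pid"], row["state"]) == ("System", 4, "LISTENING"):
        return port_of(row["local"]) in SYSTEM_SHARE_PORTS
    if (row["name"], row["pid"], row["state"]) == ("[System Process]", 0, "TIME_WAIT"):
        return True  # a closed socket draining, not a live process
    return row["name"] in KNOWN_PROCESSES

def triage(text):
    """Return {process:pid -> reasons} for entries to research before touching anything."""
    findings = defaultdict(list)
    for row in parse(text):
        if is_expected(row):
            continue
        key = f'{row["name"]}:{row["pid"]}'
        if row["state"] == "LISTENING":
            findings[key].append(f'listening on port {port_of(row["local"])}')
        else:
            ip = ipaddress.ip_address(row["remote"].rsplit(":", 1)[0])
            where = "inside LAN" if ip in LAN else "outside LAN"
            findings[key].append(f'{row["state"]} to {ip} port {port_of(row["remote"])} ({where})')
    return dict(findings)
```

Calling `triage(SAMPLE)` leaves only the unexplained server.exe entries; anything it reports is a starting point for research, not a deletion list.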
That's exactly what the Trojans did, and look where it led them. Oh, and if you want zsnes that bad, why don't you go straight to the source? http://www.zsnes.com/
Oooohhh, the forum's first double entendre? Grats EF2 for raising the bar with ancient history and modern technology. Hard to do.
The one that was infected I got off of Rapidshare, and it came with 55 ROMs. The ROMs with it were why I went with it instead of getting it directly from that site.
Most of the 55 were games I was going to hunt down anyway. I know there are a lot of games, but most of them aren't worth playing.
On computer (I don't know if it is on any other platforms), AVP2 is THE shit. I never played AVP though, so maybe it isn't as good.
Alien vs Predator is the worst game I've had the misfortune to buy. Wasn't sure what I was thinking...it also ranks up there with Super Play Action Football... AvP on the PC is pretty cool, but I could never play through the alien part in #2. I love the arcade version by Capcom the best though (side-scrolling beat em up as Predators or space marines!).