TalkTalk Trojan? (MK 2)

For some reason I'm unable to see any comments after Isitme's. At the bottom it just says....... Now go to

Both Burn-IT and Glamdring have responded, but when I check.......Nowt.

I've e-mailed both, but the so called new PCA layout doesn't show when anyone leaves a message. Oh progress!

Mine was:

Is he using a USB Broadband modem at home.

If so it may be in the drivers for that.

Dave Burnett Microsoft MVP Shell/User (see http://mvp.support.microsoft.com/ )
God doesn't play dice. Does that mean I was supposed to be like this??

TalkTalk Trojan? (MK 2)

Thanks Dave,

I've now got the comp with modem here. I've uninstalled the modem driver, but because I'm on cable and T/T needs a BT line, I'll talk my friend into re-installing the driver at his own house and double check it there.

Thing is, even if the modem driver was infected, would all the anti-virus and Trojan programs I've already run, including HijackThis, not still pick up any nasties in there?

Should have.

Have you done a 'Rootkit' check on his machine??

Dave Burnett Microsoft MVP Shell/User (see http://mvp.support.microsoft.com/ )

TalkTalk Trojan? (MK 2)

Thanks again Dave,

Yes, had run McAfee Stinger, nothing came up. When I ran Spyware Doctor, it came up with... Trojan.dns_changer, Softomate, Zango_search_assistant, Rxtoolbar and download.popuper. It deleted them all.

It seems the second he tries to connect to the internet with TalkTalk's modem, Spyware Doctor pops up trying to block Download.popuper from getting in. If he tries to block it, he simply can't get connected to the internet. He has to allow Download.popuper before he can get connected. I assume all the other nasties just come in after that!

Unfortunately, I haven't seen this in action at his house, but have no reason to doubt him. His son & daughter use Bebo, Facebook and many other dicey programs, but it's the fact that after I clean his machine and I'm certain it's clean, he takes it away from here and is immediately in trouble just trying to connect to TalkTalk. I can run it all day here with no problems.

One thing I don't understand is I can't directly connect to the internet using my wireless adaptor, without starting his machine in safe mode, to change his manual Wireless Zero Configuration to Automatic. This will only stay put on the next boot, then reverts back to Manual after every boot up. He's using a Media Centre XP O/S and I think that could be part of the reason.

I've been doing a bit of poking around, and it seems that downloader.popuper does indeed hide itself somewhere else and come back.

Some think that Superantispyware may do a better job at removing it.

Did you try several restarts and rescans to see if this is happening?

Did you confirm that he is indeed using a USB modem? If so get hold of that as well and with it plugged into the machine (but not the phone line) try to connect through it and see if it pops up then.

If so, and it didn't without it plugged in, then the trojan is lurking in the drivers for the modem OR in the Windows Dial up (possibly a stray entry in the registry in the dialler section).

I'll pass on the wireless one for the moment. Can we raise that as a separate issue if it remains after this one is solved?

Dave Burnett Microsoft MVP Shell/User (see http://mvp.support.microsoft.com/ )

TalkTalk Trojan? (MK 2)

Thanks again Dave,

Think that's about the only program I haven't used on it. I do have it on my own machine. It did try to take out some genuine files though.

I did connect his TalkTalk modem here and re-booted, but nothing changed. He does have an extra 1394 LAN connection showing in his Network, but that seems ok. Just don't know what he uses it for.

I'm getting to the desperate stage, so will have a go with the SuperantispywarePro. The last thing I want to do is a clean install.

Superantispyware

As I said right back in my first reply, this is my favourite at the moment. As Dave suggests, run it with the Modem plugged in. This particular nasty may be triggered by the modem being activated, which would account for it not running on your system.

The 1394 is actually the Firewire or iLink adapter, usually used for downloading MiniDV tapes or connecting external drives, but it can be used to network. This is why it is shown as a network adapter, although few use it as such.

You should advise him to get a proper router; they are very cheap now and are far easier to use and more secure than a USB modem.

TomD

TalkTalk Trojan? (MK 2)

Thanks Tom,

I'll be getting the computer back this weekend, so will have a go with Superantispyware Pro with the modem attached. All this virus scanning isn't half time consuming though. Just wasn't sure what that 1394 was used for either.

He's thinking of going for a Laptop, so a router's really the best way to go.

Hopefully, we'll get there.......eventually!

1394 as said is Firewire. Firewire communicates using standard network protocols which are processed on the card, which is why it is more efficient than USB, which uses the CPU to control it.

Not only do you need the modem attached, but you must try to connect through it so that the dialler is active as well. You will get an error. Leave the error on the screen and hence the dialler active while you do the scan.

Dave Burnett Microsoft MVP Shell/User (see http://mvp.support.microsoft.com/ )

TalkTalk Trojan? (MK 2)

Thanks again Dave,

That might pose a problem with connecting to a non BT phone line. I'm on Virgin Media cable. I do have a BT line, but it's not active. I have suggested helping him over his own phone line, with his puter connected to TalkTalk, but he's not very savvy with computers.

I tried to get a dial tone using his puter here, but again for some reason it came up as no dial tone. I didn't go into that any further, but I'll now have to get round it somehow! I didn't realise the modem would have to be connected with an active dialler. Can I assume that will only apply to using his 1394 firewire?

I'll come back to you after the weekend.

Ignore the Firewire - that is just a kipper.

I don't expect you to connect. What you need to do is TRY to connect using his modem.

That will activate the Dialler Software that is used with a USB BB Modem. As I said, I expect it to fail, but I am hoping that if you leave the error message on the screen, the dialler software will still be active and hopefully SuperAntiSpyware will analyse it.

Dave Burnett Microsoft MVP Shell/User (see http://mvp.support.microsoft.com/ )

TalkTalk Trojan? (MK 2)

Thanks Dave,

Got that. Will give it a try on Saturday and let you know. I'll keep my fingers crossed as well, just in case!

I delayed reporting back, until the infected computer had re-connected to TalkTalk and run overnight.

After scanning with Superantispyware, Spyware Doctor and about a dozen other anti-virus, antispyware, trojan and rootkit programs, I finally downloaded a 15 day trial version of Viper.

It picked up the additional Trojan Downloader-Gen, which none of the others did.

I still had to uninstall the Speedtouch 330 modem and driver, run Superantispyware, Spyware Doctor and Viper again before the system, I think, was cleared. I then re-set System Restore and rebooted. Everything points to the modem driver being infected, as you suggested. Problem is, I don't think any of the anti-virus/trojan programs could check the modem driver file. I think the nasty was deleted along with the driver.

I would never have given a thought to the modem driver being infected. I wrongly thought the anti-spyware and anti-virus programs would find most if not all of the nasties. How wrong I was.

Once again many, many thanks to all at P. C. Answers forum, for your valued and expert knowledge and assistance.

Regards,

John.