Trojan Horse, JAVA/BYTE Verify, MS03-011



jlee
07-09-2005, 10:48 PM
Hello,

I recently tried to delete viruses from my AVG Anti-virus vault and it
appears that the Trojan horse viruses (quantity 3) are released into my
Windows Internet Explorer 5.5.

Probably should have left well enough alone.

I have Windows 95 and when I launch Explorer, the address defaults to:
res://C:\WINDOWS\system32\shdocpa.dll/security.htm

Is there a way to extract the viruses? I tried to change the properties in
the Internet Explorer - but the launch always goes back to the address above.

I appreciate your advice.
--
Sincerely,

jlee

David H. Lipman
07-09-2005, 10:48 PM
From: "jlee" <jlee@discussions.microsoft.com>

| Hello,
|
| I recently tried to delete viruses from my AVG Anti-virus vault and it
| appears that the Trojan horse viruses (quantity 3) are released into my
| Windows Internet Explorer 5.5.
|
| Probably should have left well enough alone.
|
| I have Windows 95 and when I launch Explorer, the address defaults to:
| res://C:\WINDOWS\system32\shdocpa.dll/security.htm
|
| Is there a way to extract the viruses? I tried to change the properties in
| the Internet Explorer - but the launch always goes back to the address above.
|
| I appreciate your advice.
| --
| Sincerely,
|
| jlee

1) Dump the contents of your IE cache -
Start --> settings --> control panel --> Internet options --> delete files

2) Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

3) Dump the contents of your Sun Java cache -
Start --> settings --> control panel --> Java applet --> cache --> clear
or
Start --> settings --> control panel --> Java applet --> general --> settings -->
delete files

4) Download the TrendMicro Sysclean Front End

Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe

5) Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close

Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
When you get to the menu, choose [1] so you can boot into Safe Mode.

6) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

7) Reboot your PC into Safe Mode and shutdown as many applications as possible.

8) Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.

9) Restart your PC and perform a "final" Full Scan of your platform
Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.

10) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB).

11) Reboot your PC.

12) If you are using WinME or WinXP, create a new Restore point

* * Please report back your results * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Crouchie1998
07-09-2005, 10:48 PM
How does the same copy/pasted reply work? Each case is different yet your
answer is an exact duplicate of every other post you answer. Plus, all you
are doing is pointing people to use your own website tools instead of ones
that are possibly a lot better. It is sad when you have to resort in getting
hits to your website this way

Crouchie1998
BA (HONS) MCP MCSE

Malke
07-09-2005, 10:48 PM
Crouchie1998 wrote:

> How does the same copy/pasted reply work? Each case is different yet
> your answer is an exact duplicate of every other post you answer.
> Plus, all you are doing is pointing people to use your own website
> tools instead of ones that are possibly a lot better. It is sad when
> you have to resort in getting hits to your website this way
>
> Crouchie1998
> BA (HONS) MCP MCSE

This is completely untrue. Dave's boilerplate reply - and mine - is a
first step in malware troubleshooting applicable to nearly every poster
on this group. It establishes the state of the OP's computer in terms
of viral infection. The fact that it is copy/pasted is irrelevant as the
information contained within is valid and true.

The website tools that Dave offers are to help inexperienced people use
antivirus tools created by antivirus companies. In addition, Dave's
website has no ads, so there would be no reason for him to "resort in
getting hits".

What an ugly post you made. And where did you answer the OP's question?

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

David H. Lipman
07-09-2005, 10:48 PM
From: "Crouchie1998" <crouchie1998@spamcop.net>

| How does the same copy/pasted reply work? Each case is different yet your
| answer is an exact duplicate of every other post you answer. Plus, all you
| are doing is pointing people to use your own website tools instead of ones
| that are possibly a lot better. It is sad when you have to resort in getting
| hits to your website this way
|
| Crouchie1998
| BA (HONS) MCP MCSE
|

It is NOT exact ! This reply is specific to Java based infectors as noted by the additional
instruction...

3) Dump the contents of your Sun Java cache -
Start --> settings --> control panel --> Java applet --> cache --> clear
or
Start --> settings --> control panel --> Java applet --> general --> settings -->
delete files

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Catamount
07-09-2005, 10:48 PM
Malke wrote:
> Crouchie1998 wrote:
>
>
>>How does the same copy/pasted reply work? Each case is different yet
>>your answer is an exact duplicate of every other post you answer.
>>Plus, all you are doing is pointing people to use your own website
>>tools instead of ones that are possibly a lot better. It is sad when
>>you have to resort in getting hits to your website this way
>>
>>Crouchie1998
>>BA (HONS) MCP MCSE
>
>
> This is completely untrue. Dave's boilerplate reply - and mine - is a
> first step in malware troubleshooting applicable to nearly every poster
> on this group. It establishes the state of the OP's computer in terms
> of viral infection. The fact that it is copy/pasted is irrelevant as the
> information contained within is valid and true.
>
> The website tools that Dave offers are to help inexperienced people use
> antivirus tools created by antivirus companies. In addition, Dave's
> website has no ads, so there would be no reason for him to "resort in
> getting hits".
>
> What an ugly post you made. And where did you answer the OP's question?
>
> Malke
And not to sound like a broken record...


YEAH! What he said!

Phil Weldon
07-09-2005, 10:48 PM
I haven't followed this newsgroup in a while, so what is it with this
'Crouchie1998' alphabet soup guy, anyway? Just an idle question, but I
thought I'd give you a nod of support.

Phil Weldon, on the watch for the next 'swen' B^)

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eFFTXSeZFHA.2664@TK2MSFTNGP15.phx.gbl...
> From: "Crouchie1998" <crouchie1998@spamcop.net>
>
> | How does the same copy/pasted reply work? Each case is different yet your
> | answer is an exact duplicate of every other post you answer. Plus, all you
> | are doing is pointing people to use your own website tools instead of ones
> | that are possibly a lot better. It is sad when you have to resort in getting
> | hits to your website this way
> |
> | Crouchie1998
> | BA (HONS) MCP MCSE
> |
>
> It is NOT exact ! This reply is specific to Java based infectors as noted by the additional
> instruction...
>
> 3) Dump the contents of your Sun Java cache -
> Start --> settings --> control panel --> Java applet --> cache --> clear
> or
> Start --> settings --> control panel --> Java applet --> general --> settings -->
> delete files
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

Catamount
07-09-2005, 10:48 PM
I suspect it be a troller...maybe...

Phil Weldon wrote:
> I haven't followed this newsgroup in a while, so what is it with this
> 'Crouchie1998' alphabet soup guy, anyway? Just an idle question, but I
> thought I'd give you a nod of support.
>
> Phil Weldon, on the watch for the next 'swen' B^)
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:eFFTXSeZFHA.2664@TK2MSFTNGP15.phx.gbl...
>
>>From: "Crouchie1998" <crouchie1998@spamcop.net>
>>
>>| How does the same copy/pasted reply work? Each case is different yet your
>>| answer is an exact duplicate of every other post you answer. Plus, all you
>>| are doing is pointing people to use your own website tools instead of ones
>>| that are possibly a lot better. It is sad when you have to resort in getting
>>| hits to your website this way
>>|
>>| Crouchie1998
>>| BA (HONS) MCP MCSE
>>|
>>
>>It is NOT exact ! This reply is specific to Java based infectors as noted by the additional
>>instruction...
>>
>>3) Dump the contents of your Sun Java cache -
>>Start --> settings --> control panel --> Java applet --> cache --> clear
>>or
>>Start --> settings --> control panel --> Java applet --> general --> settings -->
>>delete files
>>
>>--
>>Dave
>>http://www.claymania.com/removal-trojan-adware.html
>>http://www.ik-cs.com/got-a-virus.htm

David H. Lipman
07-09-2005, 10:48 PM
From: "Phil Weldon" <notdiscosed@example.com>

| I haven't followed this newsgroup in a while, so what is it with this
| 'Crouchie1998' alphabet soup guy, anyway? Just an idle question, but I
| thought I'd give you a nod of support.
|
| Phil Weldon, on the watch for the next 'swen' B^)
|

Thanx Phil, Catamount, Chek and Malke.

I don't know what's up with him. However, I received an email note from a MS MVP about him
this AM indicating Crouchie1998 doesn't like advice contrary to his thinking. The MVP also
indicated that a UK MVP had to ban him from an online developer forum for abusing others.
The MVP also indicated that Crouchie1998 basically copied the signature "BA (HONS) MCP MCSE"
from another MVP. Yada, yada....

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Phil Weldon
07-09-2005, 10:48 PM
Just in case it has been discussed, it seems at least my ISP has gotten
pretty thorough antivirus screening at work. No infected emails have been
delivered to my mailboxes this year.

Keep up the good work.

Phil Weldon

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:e7jWcYhZFHA.3648@TK2MSFTNGP14.phx.gbl...
> From: "Phil Weldon" <notdiscosed@example.com>
>
> | I haven't followed this newsgroup in a while, so what is it with this
> | 'Crouchie1998' alphabet soup guy, anyway? Just an idle question, but I
> | thought I'd give you a nod of support.
> |
> | Phil Weldon, on the watch for the next 'swen' B^)
> |
>
> Thanx Phil, Catamount, Chek and Malke.
>
> I don't know what's up with him. However, I received an email note from a MS MVP about him
> this AM indicating Crouchie1998 doesn't like advice contrary to his thinking. The MVP also
> indicated that a UK MVP had to ban him from an online developer forum for abusing others.
> The MVP also indicated that Crouchie1998 basically copied the signature "BA (HONS) MCP MCSE"
> from another MVP. Yada, yada....
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

poker_pro@hotmail.com
07-09-2005, 10:49 PM
Lemme see now, this one guy is offering help to people free of charge and
this other dude has nothing but mouth for a volunteer AND he even comes
equipped with "Pat-Myself-On-The-Back-Moron-In-Training-Initials" to extol
the virtues of his low self esteem, hmmn I wonder which guy I'd wanna talk to
if I had a problem in this newsgroup? Oh and does this stuff...............
>>BA (HONS) MCP MCSE
Does this scream attention please and do you REALLY wanna start an initial
war in this newsgroup? You'd get so far buried you would be scared to come
out from underneath your blanket my friend. What blanket, why your "Security
Blanket" get it? lol

"Crouchie1998" wrote:

> How does the same copy/pasted reply work? Each case is different yet your
> answer is an exact duplicate of every other post you answer. Plus, all you
> are doing is pointing people to use your own website tools instead of ones
> that are possibly a lot better. It is sad when you have to resort in getting
> hits to your website this way
>
> Crouchie1998
> BA (HONS) MCP MCSE
>
>
>

MAP
07-09-2005, 10:49 PM
Crouchie1998 wrote:
> How does the same copy/pasted reply work? Each case is different yet
> your answer is an exact duplicate of every other post you answer.
> Plus, all you are doing is pointing people to use your own website
> tools instead of ones that are possibly a lot better. It is sad when
> you have to resort in getting hits to your website this way
>
> Crouchie1998
> BA (HONS) MCP MCSE

The same copy/pasted answer is given because IT WORKS!
Also the tools on Dave's website are not his, he just provides links for the
download.

--
Mike Pawlak
