   Author  Topic: Regarding HelpExp.Exe   Backdoor.IRC.Microb  (Read 970 times)
Binkie
Regarding HelpExp.Exe   Backdoor.IRC.Microb
« on: Nov 28th, 2003, 2:50pm »

I was able to find the name of the trojan horse, but I do not know how to proceed in removing it from my files.  Must this be done manually or will Trojan Hunter remove it?
 
It's called:   Backdoor.IRC.Microb
 
Once again I apologize for my total ignorance in this matter.  I sincerely appreciate any help you can offer.
 
Thanks,
Binkie

Matt_Day
Re: Regarding HelpExp.Exe   Backdoor.IRC.Micr
« Reply #1 on: Nov 28th, 2003, 4:09pm »

Have you scanned with TH, and have the latest ruleset?
« Last Edit: Nov 28th, 2003, 4:10pm by Matt_Day »

Matt Day

Binkie
Re: Regarding HelpExp.Exe   Backdoor.IRC.Microb
« Reply #2 on: Nov 29th, 2003, 2:46am »

I was finally able to complete the scan with Trojan Hunter and below is what I found.  What do I do next?
 
Warning: Unable to unpack UPX-packed file C:\Windows\Temporary Internet Files\Content.IE5\D2L50WNO\webcamplugin1(1).exe
 
Found possible trojan file:  C:\Program Files\couponsandoffers\couponsandoffers.exe (SDBOT)
 
Found possible trojan file:  C:\Program Files\websearch\websearch.exe (SDBot)
 
Can you please help me??
 
Thanks,
Binkie
« Last Edit: Nov 29th, 2003, 2:53am by Binkie »

Matt_Day
Re: Regarding HelpExp.Exe   Backdoor.IRC.Micr
« Reply #3 on: Nov 29th, 2003, 9:43am »

TH has flagged these files because:
The first one is in the Windows folder and uses a special compression method.  This is sometimes used by trojans.  However, that file doesn't seem like a trojan.
 
The second and third files have been flagged as they have characteristics of SDBot.
 
I would send all of these files to submit@trojanhunter.com in the same fashion I mentioned earlier...
 
However, this would seem a separate incident to your Microb trojan.  The fact that you are getting that every time you reboot would suggest there is a dropper on your pc.  I had a look at Norton's write up of the trojan but there isn't anything available yet suggesting it is new.  I will keep searching for you.

Matt Day

Matt_Day
Re: Regarding HelpExp.Exe   Backdoor.IRC.Micr
« Reply #4 on: Nov 29th, 2003, 10:03am »

Are the following files present on your machine at all? Use the search/find files or folders in Windows to look for them...
 
bnc.mrc
ntpass.mrc
rconnect.conf
un.drv
updater.ini
 
 
Matt
« Last Edit: Nov 29th, 2003, 10:05am by Matt_Day »

Matt Day

Binkie
Re: Regarding HelpExp.Exe   Backdoor.IRC.Microb
« Reply #5 on: Nov 29th, 2003, 11:43pm »

I did a search for those letters you listed above but did not locate any.
 
Could the trojan be in the boot up files?  The virus warning comes up right after windows loads and before all the programs have finished coming up on the task bar.

Binkie
Re: Regarding HelpExp.Exe   Backdoor.IRC.Microb
« Reply #6 on: Nov 30th, 2003, 5:37am »

Matt,
 
I can't tell you how much I appreciate your continuing help.  I've thought about taking the computer in to the repair shop.  But I am wondering if they can do anything different than run the antivirus software that I have already used?
 
What is a dropper?
 
Thanks so much again!
Binkie

Binkie
Re: Regarding HelpExp.Exe   Backdoor.IRC.Microb
« Reply #7 on: Nov 30th, 2003, 7:07am »

I don't know if this will help, but when Norton quarantines the trojan it is the program Alset\HelpExpress that shows up as quarantined.  Could it mean that something within that program is infected?
 
Thanks,
Binkie

Matt_Day
Re: Regarding HelpExp.Exe   Backdoor.IRC.Micr
« Reply #8 on: Nov 30th, 2003, 9:43am »

on Nov 29th, 2003, 11:43pm, Binkie wrote:
Could the trojan be in the boot up files?

It's possible.  To find out, go start, run, and type msconfig and press enter.  Then click the startup tab and look through the list for HelpExp.exe.
 
I was reading a similar topic on dslreports/broadband reports, with the same file?  Was it you?
 
If so, you mentioned the item didn't show up in quarantine...
 
Does it show up in "backup items" just below quarantine?
 
If not then it looks like Norton is not having access to the file, suggesting it is in use.  My theory of a dropper (something that sits on your computer and downloads or places the trojan on your system again and again) seems unlikely if this is the case.
 
I would follow these steps:
 
(Many people will suggest disabling system restore if you are on XP/ME.  However I will not suggest this straight away as sys restore may be a future alternative...  anyone feel free to criticise this... I just wanted to leave a further possibility open for now)
 
1.  Reboot in safe mode: choose to restart your pc, and while it is booting up keep pressing the F8 key repeatedly... eventually a menu will appear with about 8 options; use your keyboard's "arrow keys" to navigate to the one that says "system restore".
 
2.  Once your pc has booted up, it will look very funny (that's normal).  Run LiveUpdate for Norton, and then run a full system scan and see if anything is found and deleted.
 
3.  Reboot.  It will go out of safe mode by itself.
« Last Edit: Nov 30th, 2003, 9:45am by Matt_Day »

Matt Day

siliconman01
Re: Regarding HelpExp.Exe   Backdoor.IRC.Microb
« Reply #9 on: Nov 30th, 2003, 10:26am »

Does this URL help any?
 
http://www.kephyr.com/spywarescanner/library/helpexpress/index.phtml

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

Binkie
Re: Regarding HelpExp.Exe   Backdoor.IRC.Microb
« Reply #10 on: Dec 1st, 2003, 1:26am »

Hi Matt,
 
I want to THANK YOU for all your help.  You have been so patient with me.  I can't tell you how much I appreciate your efforts!  I was finally able to remove Helpexp.Exe from my computer which solved the problem.  To do so, I followed the instructions from the link that Siliconman posted.  It necessitated going into the registry and removing HXDL.exe manually.
 
Again, THANK YOU SO VERY MUCH!!!!!  I intend to tell everyone I know about Trojan Hunter and the wonderful, helpful people here.
 
Binkie
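
Added example, not part of the original thread and not written by any poster: the startup check from reply #8 and the registry cleanup reported in reply #10 both come down to finding autostart entries that launch HelpExp.exe or HXDL.exe. The sketch below scans a regedit text export for such entries. The sample export, its value names and its paths are constructed, and the thread does not say which registry key held the HXDL.exe entry, so the Run-key location is an assumption.

```python
import re

# Registry autostart keys; msconfig's Startup tab lists these, among others.
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services)?$", re.I)
# File names taken from this thread.
WATCHLIST = ("helpexp.exe", "hxdl.exe")

# Constructed sample of a regedit text export (already decoded to str).
# Value names and paths are made up for illustration.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"HXDL"="C:\\PROGRA~1\\EXAMPLE\\HXDL.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HelpExpress"="\"C:\\Program Files\\Example\\HelpExp.exe\" /start"

[HKEY_LOCAL_MACHINE\Software\Example\Settings]
"Path"="C:\\Program Files\\Example\\HelpExp.exe"
'''

VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            # Undo regedit's escaping of backslashes and quotes.
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            yield key, name, data

def suspicious_autostarts(text, watchlist=WATCHLIST):
    """Return autostart values whose command line names a watched file."""
    return [(key, name, data)
            for key, name, data in parse_reg_export(text)
            if RUN_KEY.search(key) and any(w in data.lower() for w in watchlist)]

if __name__ == "__main__":
    for key, name, data in suspicious_autostarts(SAMPLE_EXPORT):
        print(f"{key}\n    {name} = {data}")
```

The third key in the sample mentions HelpExp.exe but is not an autostart location, so it is not reported; only entries that actually run at logon are.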

Binkie
Re: Regarding HelpExp.Exe   Backdoor.IRC.Microb
« Reply #11 on: Dec 1st, 2003, 1:31am »

Lastly:  No, it wasn't me on the dsl/broadband board.

siliconman01
Re: Regarding HelpExp.Exe   Backdoor.IRC.Microb
« Reply #12 on: Dec 1st, 2003, 12:33pm »

You're very welcome, Binkie.
 
Glad your problem is resolved!  Visit the forum frequently.  A lot of most friendly and useable interchange here.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!