PC World Forums: MAJOR LEAGUE INFECTION - PC World Forums

MAJOR LEAGUE INFECTION

#1 coastie65 (Moderator; Group: Moderators; Posts: 10,191; Joined: 02-April 07; Location: Richmond Va.)

Posted 21 August 2008 - 12:02 PM

Hi All, I have just spent the better part of today dealing with a major infection. I was looking up some information on XP MCE 2005 installation and went to an Australian site as it looked like what I was looking for. The next thing I knew I was infected, then came the fun. For starters I had a Trojan (Trojan-Downloader-ZLOB). Took care of that with a scan using SUPERAntiSpyware. Also ran Spysweeper & Avast!. I kept getting a BSOD as well when running the scans. Anyway, I eliminated the Trojan, but it left me with another problem. A BIG splash screen with "WARNING! Spyware has been detected on your computer" was on my desktop. I also noticed that my wallpaper had been changed to just the plain blue from the Rio wallpaper. When I went to Display, there were some tabs missing and I realized that my wallpaper had been hijacked or something. The two things that were mentioned with the warning were: win32/Adware.virtumonde & win32/privacy Remover.M64. After doing a search, I found out it would mean prowling around in the registry and essentially removing anything with XPGuard in it. I tried the Registry Cleaner in CCleaner, but it didn't work. I took the advice of spiritwind and downloaded the Malwarebytes utility and installed & ran it. That took care of that problem. It looks as if all is good again. I suspect, with all this registry stuff, I may have to do a repair, but it shouldn't be a problem. spiritwind, thanks for providing the info and link to Malwarebytes, it is definitely a winner in my book. coastie65
0

#2 techie4fun (Expert; Group: Members; Posts: 2,828; Joined: 18-October 06)

Posted 21 August 2008 - 12:07 PM

Laugh my butt off, LOL. You got hosed big time. :D This is funny. You just made my afternoon.
0

#3 coastie65 (Moderator; Group: Moderators; Posts: 10,191; Joined: 02-April 07; Location: Richmond Va.)

Posted 21 August 2008 - 12:26 PM

Believe me, I wasn't getting a lot of chuckles out of it. :D I failed to mention that before I exorcised that Trojan, I had an array of porn pop-ups, and I have never been bothered by that crap in the past. I have never had any BSODs either until this mess. Looks like after about 4 hours of working on this stuff, I have gotten it cleaned out. I found out that that Trojan allowed for the downloading of all kinds of crap, but as I said, that got exorcised real fast. It was the rest of that junk that caused me all the grief. If I notice any problems with the OS, then I'll do a repair as the system restore doesn't seem to work again. All that just to refresh my memory on the install and repair of XP MCE 2005. coastie
0

#4 Adama (Veteran; Group: Members; Posts: 6,751; Joined: 07-September 07; Location: California)

Posted 21 August 2008 - 12:32 PM

Hmmm Sorry, TFF, but I don't think that would be a funny thing to go through.
0

#5 coastie65 (Moderator; Group: Moderators; Posts: 10,191; Joined: 02-April 07; Location: Richmond Va.)

Posted 21 August 2008 - 12:51 PM

Hi Adama, I can assure you, I wouldn't wish that experience on anybody. I am partly to blame as I went one click too many. I did manage to get a good refresher on the XP MCE 2005 Installation and Repair though. I actually got a 16-page printout that not only went step by step, but included screenshots at each step so you can get a clean install. I did confirm what I already knew, but I did see some things that I had forgotten and would have caused problems. I don't mind someone getting a chuckle at my expense. Techie was right, I think I really got hosed on that adventure. It looks like Malwarebytes came through when nothing else worked. coastie
0

#6 Flashorn (Expert; Group: Members; Posts: 2,838; Joined: 19-May 07; Location: Canada)

Posted 21 August 2008 - 01:19 PM

Hey coastie!!

Sorry to hear about your Major Pain. If you could, I would like you to run these two extra scans just to make absolutely sure nothing has a chance to re-infect.

VundoFix by Atribune. It seems that you had (from your description) a Vundo variation, which does leave remnants.

Here are the instructions: Safe for XP and Vista.

Normal Usage for Removal:
  • Download VundoFix to your desktop.
  • Double-click VundoFix.exe to run it.
  • When VundoFix opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES. Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer; click OK.
  • Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Now for the second one, this would be a Virus Scan from a Stand Alone Virus scanner. This scanner is the concept and ongoing effort of a research facility from within a University in the States and highly recommended. I also use it as a back-up. Here is the web page along with instructions. It does NOT require an install. Also you do NOT update it as it comes out with a complete new version every time it needs to. This AntiVirus will detect and kill all variants of Win32 viruses (well, the ones we know of).

Dr.Web CureIt Free AntiVirus

So, PLZ make me happy and run those scans.

FLASHORN.
0

#7 SpiritWind (Expert; Group: Members; Posts: 1,888; Joined: 19-August 06)

Posted 21 August 2008 - 01:37 PM

Hi:

I think you are being overly optimistic IF you think you have adequately dealt with "Zlob"; this can be a very complex piece of Malware, sometimes a "Backdoor Trojan", as described at www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan .

To make sure you have removed ALL parts of "it", some of which MAY be hidden from programs such as Avast, SUPERAntiSpyware & Malwarebytes' Anti-Malware, I recommend you submit a Request for Help on the [http://aumha.net/] Forums, staffed by several "Microsoft Most Valuable Professionals"; they will make use of Analytical Tools, such as HijackThis, ComboFix, etc. At a minimum, you should run the Panda Anti-Rootkit available at [http://research.pandasecurity.com/archive/Panda-AntiRootkit-Released.aspx] .
0

#8 coastie65 (Moderator; Group: Moderators; Posts: 10,191; Joined: 02-April 07; Location: Richmond Va.)

Posted 21 August 2008 - 02:14 PM

Hi Guys, OK, I've run VundoFix and it was clean, as well as Panda. I haven't tried the second scan that Flashorn posted yet. After messing with this all day I'm a bit tired of the scans for the moment. The "Win 32" stuff got fixed as I got all my tabs back in Display and the splash warning thing on the desktop at startup has disappeared. I also ran CCleaner as well as the Registry part. The Trojan actually came up in Spysweeper and was quarantined and then removed. I haven't had any instances of unwanted and unexpected popups since I got rid of that thing and I'm reasonably sure it has been cleaned out. Oh yeah, there was something else I forgot to mention: the site was trying to get me to download and install a codec package, which I refused to install. I'm thinking my "Security" stuff may have had a lapse and that I may have been hijacked to another site, although I bailed out of there immediately as something wasn't right. As I said, I was looking for some stuff on XP MCE 2005, and that site that I ended up at just flat didn't look right from the get-go, so I punched out. I wasn't expecting a video stream when looking for info on an OS, and apparently I didn't have the right stuff to play the thing, which I had decided wasn't where I wanted to go in the first place. That is some real nasty business in my opinion, and hopefully I've worked my way out of this mess. It seems so anyway. coastie
0

#9 Adama (Veteran; Group: Members; Posts: 6,751; Joined: 07-September 07; Location: California)

Posted 21 August 2008 - 04:16 PM

Hi Flashorn,

Thanks for the great links. I saved them both to my faves to have them handy just in case. :x
0

#10 coastie65 (Moderator; Group: Moderators; Posts: 10,191; Joined: 02-April 07; Location: Richmond Va.)

Posted 21 August 2008 - 05:16 PM

Hi Adama, Vundo worked well and it is worth saving. As for Dr.Web, I couldn't get that to download because the server was busy. While messing with this stuff, I found out I was missing some files: C:\Windows\Repair\autoexec.nt & C:\Windows\Repair\conf.nt. Seems like it's always something. I'm not overly concerned about those missing files though. I have a couple of Installation disks. coastie
0

#11 mjd420nova (Expert; Group: Members; Posts: 1,481; Joined: 05-August 06; Location: Fremont, California)

Posted 21 August 2008 - 06:01 PM

Coastie: If you could see my hairline you would know how it got that way. I spend roughly 3 out of 8 hours cleaning up these user kinds of problems. I wish I could provide an accurate list of the sites that have been visited by others and been infected. Some users don't remember where they went, and others I've found were hijacked sites used to spread these viruses and worms without the site's knowledge, as in it wasn't their fault. I just knock on wood that it wasn't a major "flash BIOS" type of trojan that required a reformat to clean it out, or worse, a blanking of the BIOS (remove the battery and short the terminals) kind of remedy. Not funny at all and you'll not get a snicker from me.
0

#12 Flashorn (Expert; Group: Members; Posts: 2,838; Joined: 19-May 07; Location: Canada)

Posted 22 August 2008 - 02:42 AM

Hey Adama!!

You are welcome. If you take a look at the Atribune.org site, you will see that this is where ATF Cleaner resides along with other great security programs. But before running those security programs, PLZ make us part of your decision so we can better instruct you on how or when they should be used.

As for Dr.Web CureIt, well, that's just a very good AntiVirus, and with no installation required it makes a nice tool to have around. No special instructions other than you would have to choose some of the configuration tabs that are available. Remember, if in doubt ... ASK.

FLASHORN.
0

#13 Flashorn (Expert; Group: Members; Posts: 2,838; Joined: 19-May 07; Location: Canada)

Posted 22 August 2008 - 03:27 AM

Hey coastie!!

OK, since you seem reluctant to try Dr.Web, here is another download site for it, CNET Download.com - Dr.Web CureIt. Alternate site: Softpedia.com.

OK, coastie, as you know it is not normal not to be able to download antimalware from the web. Have you verified that both your System Restore and Windows Update programs are working properly?

IF you still cannot download from the sites I have posted, you should not only consider but act on the suggestion made by Spirit. It won't hurt, promise, I have been there, and it would make your PC feel a lot better.

I have seen some of those nasties come back after a week of being dormant. This is why an analysis by a trained Malware Fighter is essential. You might think that all is taken out but there are always some leftover keys.

So, run Dr.Web and then ask that your HijackThis scan be evaluated.

FLASHORN.
0

#14 coastie65 (Moderator; Group: Moderators; Posts: 10,191; Joined: 02-April 07; Location: Richmond Va.)

Posted 22 August 2008 - 03:46 AM

Hey Flash, I ran VundoFix right then and there; when I tried Dr.Web, a message came up saying that the server was busy and to try later. Windows Update is fine as I have a yellow shield in my tray containing that SP3 that I haven't installed. As for System Restore, it hasn't worked for a couple of weeks I guess. I had installed SP3 and something came up that required a System Restore, so I lost SP3 in the process. I haven't reinstalled the thing yet. I can download from the sites with no problem; I also downloaded and ran Panda. The other stuff just hijacked my wallpaper in Display. I lost two tabs in there. I've got all that sorted out and all is good. I'm still checking on the Trojan though to be sure that thing is gone as well. coastie
0

#15 Flashorn (Expert; Group: Members; Posts: 2,838; Joined: 19-May 07; Location: Canada)

Posted 22 August 2008 - 04:21 AM

OK !!coastie!!

Here you will find a link to a tutorial on how to use HijackThis and correctly identify any files that should not be in your HijackThis scan. Don't just take a look at it and forget about it!!!! Read a bit and learn to recognize what should and should NOT be an entry in your HijackThis log. If you come across a file that you are suspicious of, or you do not recognize it as being part of some program already installed, then Google the string and find out where it belongs or to what program it belongs. You might be surprised at what you will find just on your own. IF you DO happen to find something that is out of place, then PLZ, have your scan evaluated.

Here is the link: HijackThis Tutorial.

FLASHORN.
0

#16 coastie65 (Moderator; Group: Moderators; Posts: 10,191; Joined: 02-April 07; Location: Richmond Va.)

Posted 22 August 2008 - 04:33 AM

Hey Flash, :D Man, I Google everything that I don't think looks right. I do know that that Trojan will have a string in the registry usually starting with something like 017 HKLM and with a string ending in an address such as 68.129.123, well you get the idea. The one that I was looking at from someone else at a site identified it, and all he had to do was delete the entries from the registry as they had been "locked out" from other methods of removal. In this case there were four lines all starting with 017 HKLM. Once they were deleted he was clean. See, I Google. :D I'll check out the link though, always up for new info. coastie

EDIT: I went over there and downloaded and saved HijackThis. I also printed out the tutorial after having read it, for a quick reference if needed. Man, I've got more spyware removal utilities in here. Oh well, at least I have plenty to work with, as well as some additional info I am coming up with. I am feeling more secure in that I did in fact get that thing removed though.
0
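The two posts above describe the defender's routine for a HijackThis log: read each entry, recognise what belongs to an installed program, look up what you do not recognise, and pay particular attention to the O17 lines (HijackThis labels that section with the letter O), which record the DNS servers the machine has been pointed at. The script below is an added illustration of that triage written for this page; it is not HijackThis code and not something anyone in the thread posted. It parses a handful of constructed log lines in HijackThis' line layout (placeholder names, a placeholder GUID, and RFC 5737 documentation addresses), compares them against a hypothetical known-good list and a hypothetical expected-resolver list, and prints the entries a reviewer should look up. It deletes nothing, which matches the thread's advice to get a scan evaluated rather than removing entries on sight.

```python
"""Triage a HijackThis-style log: list entries a reviewer should look up.

Added example for this thread; not HijackThis' own code. The log text,
the known-good names and the trusted resolver are constructed/hypothetical.
"""
import ipaddress
import re

# Constructed sample in the layout HijackThis uses for O2 / O4 / O17 lines.
# Program names, the GUIDs and the IP addresses are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sysupd] C:\WINDOWS\system32\sysupd-example.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 198.51.100.53
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}: NameServer = 192.0.2.10,192.0.2.11
"""

# Hypothetical lists a reviewer maintains for this one machine.
KNOWN_GOOD_NAMES = {"avast!", "Adobe PDF Reader Link Helper"}
TRUSTED_RESOLVERS = {"198.51.100.53"}   # e.g. the ISP's resolver (placeholder)

LINE_RE = re.compile(r"^(O\d+) - (.*)$")           # "O17 - <body>"
NAMESERVER_RE = re.compile(r"NameServer = ([0-9.,]+)")
RUN_RE = re.compile(r"\[(.*?)\] (.*)$")            # "[name] command"


def parse_entries(text):
    """Return (section, body) pairs for every HijackThis-style line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review_log(text, trusted_resolvers=TRUSTED_RESOLVERS, known_good=KNOWN_GOOD_NAMES):
    """Return (section, reason, body) for each entry that needs a human look.

    Nothing is modified: the output is a reading list for the reviewer.
    """
    findings = []
    for section, body in parse_entries(text):
        if section == "O17":
            # DNS hijack check: every resolver must be one we expect.
            m = NAMESERVER_RE.search(body)
            if not m:
                continue
            for ip in m.group(1).split(","):
                try:
                    addr = str(ipaddress.ip_address(ip))
                except ValueError:
                    findings.append((section, f"unparseable resolver '{ip}'", body))
                    continue
                if addr not in trusted_resolvers:
                    findings.append((section, f"DNS server {addr} is not an expected resolver", body))
        elif section == "O4":
            # Startup entry: flag names the reviewer has not yet confirmed.
            m = RUN_RE.search(body)
            name = m.group(1) if m else body
            if name not in known_good:
                findings.append((section, f"startup entry '{name}' not on the known-good list; look it up", body))
        elif section == "O2":
            # Browser helper object: "BHO: <name> - {CLSID} - <path>"
            name = body.split(" - ")[0].replace("BHO: ", "", 1)
            if name not in known_good:
                findings.append((section, f"BHO '{name}' not on the known-good list; look it up", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in review_log(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Run against the constructed log, the avast! and Adobe entries are passed over, the unknown "sysupd" Run entry is listed for lookup, and both 192.0.2.x nameservers are listed because they are not the expected resolver. The known-good and trusted-resolver sets are the part that changes per machine; keep them conservative, and treat every listed entry as a search, not a deletion.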

#17 rgreen4 (Moderator; Group: Moderators; Posts: 7,677; Joined: 22-October 06; Location: S. Georgia)

Posted 22 August 2008 - 08:31 AM

Coastie - now you can understand why I advocate a backup clone on the shelf. You know what you went through, and while all the cleaning and restoring is fine, I still advocate a backup clone. It is faster than anything else.

You of all people know how difficult an XP MCE installation can be, a clone restoration (if up to date) can be done in 5-10 minutes.
0

#18 coastie65 (Moderator; Group: Moderators; Posts: 10,191; Joined: 02-April 07; Location: Richmond Va.)

Posted 22 August 2008 - 09:01 AM

Hi rg, :^0 Trust me, I've been giving it a lot of thought. I am not completely sure I have cleaned all of that Trojan out of here, although I haven't noticed any anomalies. I ran HijackThis and it hit on something it couldn't get to, so that doesn't sound so hot. I am reasonably sure it is a registry entry that needs to be deleted, but it is finding it that is beginning to become a problem. I don't subscribe to the theory of indiscriminately deleting something that looks vaguely suspicious. Now, that having been said, I have recently deleted registry entries, but only after getting advice first (I had a filter of some sort in the registry under the optical drive). I need to do a repair as I am missing some files, as I found out while messing with this Trojan thing. The files that I know are missing are dealing with Repair of all things. :p That thing was a downloader Trojan, and I don't particularly care for the type of stuff that popped up yesterday. Just the one time, but that was one time too many. Stay dry down there. We just officially went back into a drought situation and are on mandatory water restrictions. Hey, at least I didn't download and install that XP antivirus 2008. I kinda already knew about that thing. Yeah, that came up as well. I think I had everything thrown at me. coastie
0

#19 coastie65 (Moderator; Group: Moderators; Posts: 10,191; Joined: 02-April 07; Location: Richmond Va.)

Posted 29 August 2008 - 05:12 AM

Hi All, I have been meaning to get back here, but have been sidetracked. First, Flashorn, I went back and ran Dr.Web. It found one Trojan (Trojan.packed.600). It was in two places, one of which was System Volumes (System Restore). It was successfully removed. I have run SUPERAntiSpyware, Webroot, HijackThis, Dr.Web, Malwarebytes, and several other scans that I don't remember the name of. I also downloaded the information for the manual removal of Trojan.Downloader.Zlob and have been through that. Talk about opening Pandora's box, WHEW!! The computer is running fast and snappy and no anomalies. I think I may have to do a repair at some point as I know I have some missing files. Spiritwind, I checked out the site and it is a very good site. I did sign up, as I was really impressed with their work. Although I haven't completely closed the book on this mess, I think I may have cleaned things up as I have been unable to turn up anything else. As far as ZLOB goes, when I got the manual removal list, I went through it step by step. The first thing was to terminate two processes; there was only one listed and it was terminated. There were also two items to be unregistered which were no longer there, as I think they were gotten initially. There were two registry entries to be deleted that no longer existed. Then there was a boatload of files that needed to be deleted, that took a great deal of time looking for. None of these files existed and I think they were removed initially as well. I went to a site called VirusTotal and it had a box that said "File MEDIA.CODEC.4.0.2.exe received on 08/21/2008". Anyway, there were definitely multiple infections that needed to be dealt with. Oh, another utility I ran was PANDA and it was negative. I'll continue to check to be sure, and as I said, at some point do a system repair. coastie
0

#20 coastie65 (Moderator; Group: Moderators; Posts: 10,191; Joined: 02-April 07; Location: Richmond Va.)

Posted 29 August 2008 - 05:23 AM

> mjd420nova wrote: Coastie: If you could see my hairline you would know how it got that way. I spend roughly 3 out of 8 hours cleaning up these user kinds of problems. I wish I could provide an accurate list of the sites that have been visited by others and been infected. Some users don't remember where they went, and others I've found were hijacked sites used to spread these viruses and worms without the site's knowledge, as in it wasn't their fault. I just knock on wood that it wasn't a major "flash BIOS" type of trojan that required a reformat to clean it out, or worse, a blanking of the BIOS (remove the battery and short the terminals) kind of remedy. Not funny at all and you'll not get a snicker from me.

Hey mjd, No problem with the BIOS. Yep, this was a site that had been hijacked. I wouldn't wish that experience on anybody. I try to keep up with this stuff, but that mess was definitely a backdoor job for sure. I didn't even click to download the codec package, it just did it on its own, and afterwards, up popped the porn. I knew then that I had been had as I never get that stuff. Anyway all seems well now, and the system is peppy and stable. Will probably have to do a Repair to replace some missing files, but it shouldn't be a problem. coastie
0
