
This Question is Answered

29 Replies, last post: Sep 12, 2008 9:05 AM by coastie65

coastie65 (Member Moderators, 9,163 posts since Apr 2, 2007)

Aug 21, 2008 1:02 PM

MAJOR LEAGUE INFECTION

Hi All, I have just spent the better part of today dealing with a major infection. I was looking up some information on XP MCE 2005 installation and went to an Australian site as it looked like what I was looking for. The next thing I knew I was infected, then came the fun. For starters I had a Trojan (Trojan-Downloader-ZLOB). Took care of that with a scan using SUPERantispyware. Also ran Spysweeper & Avast!. I kept getting a BSOD as well when running the scans. Anyway, I eliminated the Trojan, but it left me with another problem. A BIG splash screen with "WARNING! Spyware has been detected on your computer" was on my desktop. I also noticed that my wallpaper had been changed to just the plain blue from the Rio wallpaper. When I went to Display, there were some tabs missing and I realized that my wallpaper had been hijacked or something. The two things that were mentioned with the warning were: win32/Adware.virtumonde & win32/privacy Remover.M64. After doing a search, I found out it would mean prowling around in the registry and essentially removing anything with XPGuard in it. I tried the Registry cleaner in CCleaner, but it didn't work. I took the advice of spiritwind and downloaded the Malwarebytes utility and installed & ran it. That took care of that problem. It looks as if all is good again. I suspect, with all this registry stuff, I may have to do a repair, but that shouldn't be a problem. spiritwind, thanks for providing the info and link to Malwarebytes, it is definitely a winner in my book. coastie65


eMachines T5212.... Intel Pentium D 945 3.4Ghz..... evga 9800 GT 512 Mb PCI-E video card..... Realtec HD audio......2 Gb Crucial 667 Mhz DDR2 memory..... Lite on CD RW; DVD RW, DL,& Lightscribe optical drive...... Windows XP MCE 2005....... Antec Basiq 500w PSU......200 Gb Parallel ATA HDD.........Samsung 22" WS SyncMaster 2243BWX Monitor.
techie4fun (Old Hand, 2,613 posts since Oct 18, 2006)
1. Aug 21, 2008 1:07 PM in response to: coastie65
Re: MAJOR LEAGUE INFECTION
Laugh my butt off, LOL. You got hosed big time. :D This is funny. You just made my afternoon.
Adama (Veteran, 6,570 posts since Sep 7, 2007)
3. Aug 21, 2008 1:32 PM in response to: techie4fun
Re: MAJOR LEAGUE INFECTION
Hmmm Sorry, TFF, but I don't think that would be a funny thing to go through.
Flashorn (Old Hand, 2,608 posts since May 19, 2007)
5. Aug 21, 2008 2:19 PM in response to: coastie65
Re: MAJOR LEAGUE INFECTION

Hey coastie!!

Sorry to hear about your Major Pain. If you could, I would like you to run these two extra scans just to make absolutely sure nothing has a chance to re-infect.

VundoFix by Atribune. It seems that you had (from your description) a Vundo variation, which does leave remnants.

Here are the instructions: Safe for XP and Vista.


Normal Usage for Removal:

"Download VundoFix" to your desktop.

  • Double-click VundoFix.exe to run it.
  • When VundoFix opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

*****Note: It is possible that VundoFix encountered a file it could not remove.*****
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Now for the second one, this would be a Virus Scan from a Stand Alone Virus scanner. This scanner is the concept and ongoing effort of a research facility from within a University in the States and highly recommended. I also use it as a back-up.

Here is the web page along with instructions. It does NOT require an install. Also you do NOT update it as it comes out with a complete new version every time it needs to. This AntiVirus will detect and kill all variants of Win32 viruses (well, the ones we know of).

Dr.Web CureIt Free AntiVirus

So, PLZ make me happy and run those scans.

FLASHORN.
Free Internet Security - WOT Web of Trust Patience is Life.
SpiritWind (Old Hand, 1,722 posts since Aug 19, 2006)
6. Aug 21, 2008 2:37 PM in response to: coastie65
Re: MAJOR LEAGUE INFECTION

Hi :


I think you are being overly optimistic IF you think you have adequately dealt with "Zlob"; this can be a very complex piece of Malware, sometimes a "Backdoor Trojan", as described at http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan .

To make sure you have removed ALL parts of "it", some of which MAY be hidden from programs such as Avast, SUPERAntiSpyware & Malwarebytes' Anti-Malware, I recommend you submit a Request for Help on the http://aumha.net/ Forums, staffed by several "Microsoft Most Valuable Professionals"; they will make use of Analytical Tools, such as HijackThis, ComboFix, etc. At a minimum, you should run the Panda Anti-Rootkit available at http://research.pandasecurity.com/archive/Panda-AntiRootkit-Released.aspx .


For the BEST in what COUNTS in LIFE : http://www.tacf.org
Adama (Veteran, 6,570 posts since Sep 7, 2007)
8. Aug 21, 2008 5:16 PM in response to: Flashorn
Re: MAJOR LEAGUE INFECTION

Hi Flashorn,

Thanks for the great links. I saved them both to my faves to have them handy just in case. :x

mjd420nova (Enthusiast, 1,239 posts since Aug 5, 2006)
10. Aug 21, 2008 7:01 PM in response to: coastie65
Re: MAJOR LEAGUE INFECTION
Coastie: If you could see my hairline you would know how it got that way. I spend roughly 3 out of 8 hours cleaning up these kinds of user problems. I wish I could provide an accurate list of the sites that have been visited by others and been infected. Some users don't remember where they went, and others I've found were hijacked sites used to spread these viruses and worms without the site's knowledge, as in it wasn't their fault. I just knock on wood that it wasn't a major "flash BIOS" type of trojan that required a reformat to clean it out, or worse, a blanking of the BIOS (remove the battery and short the terminals) kind of remedy. Not funny at all and you'll not get a snicker from me.
Flashorn (Old Hand, 2,608 posts since May 19, 2007)
11. Aug 22, 2008 3:42 AM in response to: Adama
Re: MAJOR LEAGUE INFECTION

Hey Adama!!

You are welcome. If you take a look at the Atribune.org site, you will see that this is where ATF Cleaner resides along with other great security programs. But before running those security programs, PLZ make us part of your decision so we can better instruct you on how or when they should be used.

As for Dr.Web CureIt, well, that's just a very good AntiVirus, and with no installation required it makes a nice tool to have around. No special instructions other than you would have to choose some of the configuration tabs that are available. Remember, If in Doubt ...........ASK.

FLASHORN.


Free Internet Security - WOT Web of Trust Patience is Life.
Flashorn (Old Hand, 2,608 posts since May 19, 2007)
12. Aug 22, 2008 4:27 AM in response to: coastie65
Re: MAJOR LEAGUE INFECTION

Hey coastie!!

OK, since you seem reluctant to try Dr.Web, here is another download site for it, CNET Download.com - Dr.Web CureIt.

Alternate site: Softpedia.com.

OK, coastie, as you know it is not normal to Not be able to download Antimalware from the web.

Have you verified that both your System Restore and Windows Update programs are working properly?

IF you still cannot download from the sites I have posted, you should not only consider but act on the suggestion made by Spirit.

It won't hurt, promise, I have been there, and it would make your PC feel a lot better.

I have seen some of those nasties come back after a week of being dormant. This is why an analysis by a trained Malware Fighter is essential. You might think that all is taken out but, there are always some leftover keys.

So, run Dr.Web and then ask that your HijackThis scan be evaluated.

FLASHORN.


Free Internet Security - WOT Web of Trust Patience is Life.
Flashorn (Old Hand, 2,608 posts since May 19, 2007)
14. Aug 22, 2008 5:21 AM in response to: coastie65
Re: MAJOR LEAGUE INFECTION

OK !!coastie!!

Here you will find a link to a tutorial on how to use and correctly identify any files that should not be in your HijackThis scan. Don't just take a look at it and forget about it!!!! but, read a bit and learn to recognize what should and should NOT be an entry in your HijackThis log. If you come across a file that you are suspicious of, or you do not recognize it as being part of some program already installed, then Google the string and find out where it belongs or to what program it belongs. You might be surprised at what you will find just on your own. IF you DO happen to find something that is out of place, then PLZ, have your scan evaluated.

Here is the link: HijackThis Tutorial.

FLASHORN.


Free Internet Security - WOT Web of Trust Patience is Life.