PC World Community: MAJOR LEAGUE INFECTION ...

Up to Discussions in Privacy & Security

This Question is Answered

29 Replies Last post: Sep 12, 2008 9:05 AM by coastie65 Go to original post 1 2 Previous Next

coastie65

9,163 posts since
Apr 2, 2007

15. Aug 22, 2008 6:10 AM

in response to: Flashorn

Re: MAJOR LEAGUE INFECTION

Hey Flash,

Man, I google everything that I don't think looks right. I do know that that Trojan will have a string in the registry usually starting with something like 017 HKLM and with a string ending in an address such as 68.129.123, well you get the idea. The one that that I was looking at from some one else at a site identified it and all he had to do was delete the entries from the registry as they had been "Locked out" from other methods of removal. In this case there were four lines all starting with 017 HKLM. Once they were deleted he was clean. See, I google.

I'll check out the link though, always up for new info. coastie

EDIT: I went over there and downloaded and saved Hijack This. I also printed out the tutorial after having read it, for a quick reference if needed. Man, I've got more Spyware removal utilities in here. Oh well, at least I have plenty to work with. As well as some additional Info I am coming up with. I am feeling more secure in that I did in fact get that that thing removed though.

eMachines T5212.... Intel Pentium D 945 3.4Ghz..... evga 9800 GT 512 Mb PCI-E video card..... Realtec HD audio......2 Gb Crucial 667 Mhz DDR2 memory..... Lite on CD RW; DVD RW, DL,& Lightscribe optical drive...... Windows XP MCE 2005....... Antec Basiq 500w PSU......200 Gb Parallel ATA HDD.........Samsung 22" WS SyncMaster 2243BWX Monitor.

rgreen4

6,830 posts since
Oct 22, 2006

16. Aug 22, 2008 9:31 AM

in response to: coastie65

Re: MAJOR LEAGUE INFECTION

Coastie - now you can understand why I advocate a backup clone on the shelf. You know what you went through, and while all the cleaning and restoring is fine, I still advocate a backup clone. It is faster than anything else.

You of all people know how difficult an XP MCE installation can be, a clone restoration (if up to date) can be done in 5-10 minutes.

Thanks to Solar Wings for the special siggy.

coastie65

9,163 posts since
Apr 2, 2007

17. Aug 22, 2008 11:55 AM

in response to: rgreen4

Re: MAJOR LEAGUE INFECTION

Hi rg,

Trust me, I've been giving it a lot of thought. I am not completely sure I have cleaned all of that Trojan out of here, although i haven't noticed any anomalies. I ran Hijack this and it hit on something it couldn't get to, so that doesn't sound so hot. I am reasonably sure it is a registry entry that needs to be deleted, but it is finding it that is beginning to become a problem. I don't subscribe to the theory of indiscirminately deleting something that looks vaguely suspiscious. Now, that having been said, I have recently deleted registry entries, but only after getting advice first ( I had a filter of some sort in the registry under the Optical drive). I need to do a repair as I am missing some files as I found out while messing with this Trojan thing. The files that I know are missing are dealing with Repair of all things.

That thing was a downloader Trojan, and I don't particularly care for the type of stuff that popped up yesterday. Just the one time, but that was one time too many. Stay dry down there. We just officially went back into a drought situation and are on Mandatory Water restrictions. Hey, at least I didn't download and install that XP antivirus 2008. I kinda already knew about that thing. Yeah, that came up as well. I think I had everthing thrown at me. coastie

coastie65

9,163 posts since
Apr 2, 2007

18. Aug 29, 2008 6:12 AM

in response to: coastie65

Re: MAJOR LEAGUE INFECTION

Hi All, I have been meaning to get back here, but have been sidetracked. First, Flashorn, I went back and ran Dr.Web. It found one Trojan (Trojan.packed.600). It was in two places, one of which was System Volumes ( System Restore). It was sucessfully removed. I have run Superantispyware, Webroot, HiJack This, DrWeb,MalwareBytes, ans several other scans that I don't remember the name of. I also downloaded the information for the manuel removal of Trojan.Downloader.Zlob and have been through that. Talk about opening Pandora's box, WHEW!! The computer is running fast and snappy and no anomalies. I think I may have to do a repair at some point as I know I have some missing files. Spiritwind, I checked out the site and it is a very good site. I did sign up, as I was really impressed with their work. Although I haven't completely closed the book on this mess, I think I may have cleaned things up as I have been unable to turn up any thing else. As far as ZLOB goes, when I got the Manuel removal list, I went through it step by step. The first thing was to terminate two processes, There was only one listed and it was terminated. There were also two items to be unregistered which were no longer there as I think they were gotten initially. There were two registry entries to be deleted that no longer existed. Then there was a boatload of files that needed to be deleted, that took a great deal of time looking for. None of these files existed and I think were removed initially as well. I went to a site called Virus Total and it had a box that said " File MEDIA.CODEC.4.0.2.exe received on 08/21/2008. Anyway, there was definitely multiple infections that needed to be dealt with. Oh, another utility I ran was PANDA and it was negative. I'll continue to check to be sure, and as i said, at some point do a system repair. coastie

coastie65

9,163 posts since
Apr 2, 2007

19. Aug 29, 2008 6:23 AM

in response to: mjd420nova

Re: MAJOR LEAGUE INFECTION

mjd420nova wrote:Coastie: If you could see my hairline you would know how it got that way. I spend roughly 3 out of 8 hours a cleaning up these user kinds of problems. I wish I could provide an accurate list of the sites that have been visited by others and been infected. Some users don't remember where they went and others I've found that were hijacked sites to spend these viruses and worms without the sites knowledge, as in it wasn't their fault. I just knock on wood that it wasn't a major "flash BIOS" type of trojan that required a reformat to clean it out, or worse, a blanking of the BIOS(remove the battery and short the terminals) kind of remedy. Not funny at all and you'll not get a snicker from me.Hey mjd, No problem with the bios. Yep, this was a site that had been Hijacked. I wouldn't wish experience on anybody. I try to keep up with this stuff, but that mess was definitely a backdoor job for sure. I didn't even click to download the codec package, it just did it own it's own, and afterwards, up popped the porn. I knew then that I had been had as I never get that stuff. Anyway all seems well now, and the system is peppy and stable. Will probably have to do a Repair to replace some missing files, but shouldn't, be a problem. coastie

Flashorn

2,608 posts since
May 19, 2007

20. Aug 29, 2008 7:15 AM

in response to: coastie65

Re: MAJOR LEAGUE INFECTION

Hey coastie!!

Now, if it was in the System Restore, it would be advisable to Delete

the old restore points and create a new one starting now!!!

The other place I found that malware will hide is in the Jave cache.

It would be best not to keep any of those files on your PC from Java.

To do this , bring up the Java Control Panel.

Go to "Control Panel" and double click on the Java icon. This should

bring up the control panel for Java.

Java control Panel.jpg

On the General tab ,at the bottom,you will see "Settings" click on that.

This is what will show:

Temp files Settings.jpg

First , you will click on the "Delete Files" at the bottom. This is what will come up:

Click "OK" . You have just cleared your temps Files.

Next , you will UN-Check-Mark

the "Keep temporary Files On My Computer" check box. you do not need a double of

the malware in your Java cache where it will re-infect your PC.

Don't forget to click on the OK and then on the "Apply" and "OK" to finish the

procedure.

FLASHORN.

Free Internet Security - WOT Web of Trust

Patience is Life.

Adama

6,570 posts since
Sep 7, 2007

21. Aug 29, 2008 12:01 PM

in response to: Flashorn

Re: MAJOR LEAGUE INFECTION

Hi Flash,

Wow - That's great info, my friend. We're sure fortunate to have you here at PCW.

coastie65

9,163 posts since
Apr 2, 2007

22. Aug 29, 2008 12:32 PM

in response to: Flashorn

Re: MAJOR LEAGUE INFECTION

Hey Flashorn, I'm getting ready to head out to the Outer banks of North Carolina, for a week end long batchelor party for the son of a friend of mine. I have already deleted the restore files,as they didn't work anyway ( Probably due to the infection). I haven't created a new one, although Windows may have. The Java files were specifically scanned several times, but will probably delete them and reinstall, no big deal there. Anyway, I think I've pretty much got the mess cleaned up, but am still keeping a close eye on things to be sure. You know, this thing was running pretty good before the infection, but I swear it seems to be running even better now, missing files ( this I'm aware of ) and all. I'll probably take care of the Java thing when I get back as well as maybe a system repair from the installation disk. coastie

Flashorn

2,608 posts since
May 19, 2007

23. Aug 29, 2008 3:00 PM

in response to: coastie65

Re: MAJOR LEAGUE INFECTION

Hey coastie!!

Yeah,Java is not a rush thing but, would be nice if you got around to it.

I would be gone for the Week-end too if I didn't have any pop left to drink.LOL!

I hope you have a good week-end with your friends coastie!!

FLASHORN.

Patience is Life.

mjd420nova

1,239 posts since
Aug 5, 2006

24. Aug 29, 2008 3:16 PM

in response to: Flashorn

Re: MAJOR LEAGUE INFECTION

Rgreen hit on the sure cure remedy for these infections. Backups are so very important and can bring a smile to my face when the user smiles and hands me a disk(s) and says "go for it". I do a weekly backup of all my home systems so I'm ready but 95 percent of users don't and they wind up with a big frown. Now the Flash BIOS type of trojan/worms are another story and take a bit of hardware correction to stop them. Registry infections are manifest and evident when regular cleaning won't get rid of them and some are smart enough to even lock the users from making any changes, kind of like self protection. Firewalls, adblockers and virus checkers are nice but the hackers have increased their approaches such that they know how to get around them. No website is safe from being hijacked and so far I know of no way to protect yourself from that approach, except for keeping an up to date backup available. The other important thing is that you keep two backups, one the most recent and another a week older, as I've seen some users who only have one and it has turned out to be infected too.

coastie65

9,163 posts since
Apr 2, 2007

25. Sep 12, 2008 7:40 AM

in response to: coastie65

Re: MAJOR LEAGUE INFECTION

Hi All, I thought I would give you an update. I just ran two scans. One with Spysweeper and the other with SUPERantispyware after an update. Spysweepr produced the usual cookies and no biggies. When I ran SUPERantispyware, it came up with the usual cookies as well as an unknown trojan that was in my restore files. That having beens said, I have had some trouble with that and I guess that explains why. Anyway, I was unable to move to the chest. It did remove it when i got to that function. Just t be on the safe side, I have deleted ALL restore points and will reset a new restore point. I think that was one I was aware of and had forgot about. I'm going to run a second scan to check things out. coastie65

rgreen4

6,830 posts since
Oct 22, 2006

26. Sep 12, 2008 7:59 AM

in response to: coastie65

Re: MAJOR LEAGUE INFECTION

That thing has really given you fits. I think this evening will be a good time for me to update my clones. I have SAS set to run each morning. Interestingly my Vista machine usually comes up clean, but my XP machine always has 2-4 thing to quarantine and remove.

Thanks to Solar Wings for the special siggy.

Flashorn

2,608 posts since
May 19, 2007

27. Sep 12, 2008 8:13 AM

in response to: coastie65

Re: MAJOR LEAGUE INFECTION

Hey coastie!!

Did you do the Java thing??? They have a tendency of hiding in there as well.

That's why they keep coming back. Re-Run MalwareBytes and don't forget your

AV . Also a AntiRoot Scan would not hurt. This is the one I usually use:

F-Secure BlackLight

Downloads

• BlackLight – Rootkit Detection and Elimination Tool
• Removal Tools

F-Secure BlackLight is one of four best tested by AV-Test

Coastie , If you are to use BlackLight ,make sure it has time to

do a complete scan. Don't stop it mid way. This will ensure that

your system is free of rootkits. Only use the "Removal Tool" after

you have researched anything that BlackLight comes up with.

I have yet to find a rootkit , so I haven't used the Removal Tool.

The scan on XP and Vista took about 12 to 18 minutes to finish

depending on the size of your HDD.

FLASHORN.

Patience is Life.

coastie65

9,163 posts since
Apr 2, 2007

28. Sep 12, 2008 8:25 AM

in response to: rgreen4

Re: MAJOR LEAGUE INFECTION

Hey rg, The second scan came up negative except for three tracking cookies. I actually knew about that one but had forgotten it. Yeah, I'm chasing all sorts of stuff in here at the moment. My scan disk function is useless as there are no repair files to fix things. I'll get around to popping the Installation disk in here and do a repair of the OS sometime I guess.

. I believe the missing files situation is due to some overzealous cleaning on my part. coastie

coastie65

9,163 posts since
Apr 2, 2007

29. Sep 12, 2008 9:05 AM

in response to: Flashorn

Re: MAJOR LEAGUE INFECTION

Hey Flashorn, I completely forgot about Java. I was going to uninstall it and then reinstall, but got side tracked. Interestingly enough, SUPERantispyware added a rootkit thing in their latest update. But will try the other as well. I definitely have a lot to do with this thing, like fixing this "Part Time" optical drive and getting the printer and camera apps back in here. No big problem, just a nuisance mostly. I can print and scan at the most basic level using the Windows stuff. Over all it is running fine and snappy, so I guess I shouldn't complain too much as nothing of a radical nature is required. Yesterday, I worked with the HP stuff, but as usual, I failed to completely unstall everything and clean the stuff out before doing a reinstall so you can imagine how that went. Antway, we'll be checking out the anti root kit thing as well, as making sure this thing is clean, is my #1 priority and the nuisances can be taken care of in time. coastie

Go to original post 1 2 Previous Next

Go to original post

Magazine

This Question is Answered

Downloads

Actions

More Like This