Has anyone seen details of this new trojan/virus?

news.rcn.com

SYMPTOMS:

I recently found that my home page www.internationalawyer.org on my IE on my
desktop had been replaced with
http://mastersexxx.com/?m=abc&t=nx&...r.org/&x=52B6C5CC-64A8-436A-857C-A8D7355C3DC9.
It still starts with the www.internationalawyer.org home page. I am
reasonably sure no one has hit ENTER when asked to change the home page on
this computer recently.

At the same time I found two last entries in MSCONFIG were suddenly
suspicious looking non-named entries which changed something in my registry.
(I can't see enough of that entry in MSCONFIG in Windows XP Pro to know what
exactly it is doing, and you can't scroll to the right in MSCONFIG to see it.)
By non-named, I mean that the names are simply a series of square symbols as
if the writer was using some foreign font and msconfig can't reproduce the
characters except as the Square Wingdings symbol.

When I tried to disable those entries in MSCONFIG, I found my antivirus
program stopped working. It appears as a box in systray with an X through
it. So I re-enabled them and the antivirus program now works. I immediately
ran a virus check and Ad-aware and Spybot (all suitably updated) and they now
show nothing untoward.

Does anyone recognise these symptoms? The antivirus program I use is Norton
which doesn't have any support any more: So I can't report this to them for
THEIR edification or for them to know about it or tell me what is going on.
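A defender-side check for the two symptoms described above (a replaced IE Start Page and autostart entries whose names render as squares), added here as an example and not part of the original thread. It parses a constructed regedit-style export instead of reading the live registry, so it runs anywhere; the IE Main and Run key paths are the standard ones, while the hijacked host, the Norton entry and the `1.exe`/`2.exe` paths are placeholders.

```python
import re
from urllib.parse import urlparse
# Constructed regedit-style export, not from the original post: the hijacked
# Start Page and two Run entries with unprintable names mirror the symptoms
# described above; the host, file names and paths are placeholders.
SAMPLE_REG = (
    '[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]\n'
    '"Start Page"="http://hijacked.example/?m=abc&t=nx"\n\n'
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
    '"NortonAutoProtect"="C:\\\\Program Files\\\\Norton AntiVirus\\\\navapw32.exe"\n'
    '"\x01\x02\x03\x04"="C:\\\\WINDOWS\\\\System32\\\\1.exe"\n'
    '"\u0080\u0081\u0082"="C:\\\\WINDOWS\\\\System32\\\\2.exe"\n'
)
IE_MAIN = 'HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main'
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse [key] and "name"="data" lines into {key: {name: data}} (REG_SZ only)."""
    reg, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace('\\"', '"').replace('\\\\', '\\')
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\')  # un-escape REG_SZ data
            reg[current][name] = data
    return reg

def suspicious_run_entries(reg):
    """Run-key entries whose name has non-printable/non-ASCII chars (heuristic: leads, not verdicts)."""
    hits = []
    for key, values in reg.items():
        if key.lower().endswith('\\currentversion\\run'):
            for name, data in values.items():
                if any(not 32 <= ord(c) < 127 for c in name):
                    hits.append((key, name, data))
    return hits

def start_page_matches(reg, expected_host):
    """True when IE's Start Page still points at the host the user expects."""
    host = urlparse(reg.get(IE_MAIN, {}).get('Start Page', '')).hostname or ''
    return host.lower() == expected_host.lower()
```

A legitimate entry with a non-English name also trips the name check, so each hit is something to look at (what file it launches, whether disabling it breaks the antivirus as described above), not a verdict on its own.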

David H. Lipman

From: "news.rcn.com" <news.rnc.com>

| SYMPTOMS:
|
| I recently found that my home page www.internationalawyer.org on my IE on my
| desktop had been replaced with
| http://mastersexxx.com/?m=abc&t=nx&...r.org/&x=52B6C5CC-64A8-436A-857C-A8D7355C3DC9.
| It still starts with the www.internationalawyer.org home page. I am
| reasonably sure no one has hit ENTER when asked to change the home page on
| this computer recently.
|
| At the same time I found two last entries in MSCONFIG were suddenly
| suspicious looking non-named entries which changed something in my registry.
| (I can't see enough of that entry in MSCONFIG in Windows XP Pro to know what
| exactly it is doing, and you can't scroll to the right in MSCONFIG to see it.)
| By non-named, I mean that the names are simply a series of square symbols as
| if the writer was using some foreign font and msconfig can't reproduce the
| characters except as the Square Wingdings symbol.
|
| When I tried to disable those entries in MSCONFIG, I found my antivirus
| program stopped working. It appears as a box in systray with an X through
| it. So I re-enabled them and the antivirus program now works. I immediately
| ran a virus check and Ad-aware and Spybot (all suitably updated) and they now
| show nothing untoward.
|
| Does anyone recognise these symptoms? The antivirus program I use is Norton
| which doesn't have any support any more: So I can't report this to them for
| THEIR edification or for them to know about it or tell me what is going on.
|

Sounds more like adware/spyware.


1) Download the following item...

Ad-aware SE (Free personal version)
http://www.lavasoftusa.com/

2) Update Ad-aware with latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Ad-aware SE, perform a Full Scan of your platform and clean/delete
any parasites found.
6) Restart your PC and perform a "final" Full Scan of your platform using Ad-aware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *

I also suggest the use of Spybot Search and Destroy: http://security.kolla.de/

and possibly, BHOdemon: http://www.definitivesolutions.com/bhodemon.htm

news.rcn.com

'fraid running adaware in safe mode did even less than running it in normal
mode

Which at least revealed 8 supposedly critical objects which were on closer
inspection just innocuous looking cookies

Is this hijacking my browser to go to the same page and putting those curious
entries in my registry likely to be just nothing to worry about?

David H. Lipman

From: "news.rcn.com" <news.rnc.com>

| 'fraid running adaware in safe mode did even less than running it in normal
| mode
|
| Which at least revealed 8 supposedly critical objects which were on closer
| inspection just innocuous looking cookies
|
| Is this hijacking my browser to go to the same page and putting those curious
| entries in my registry likely to be just nothing to worry about?
|

That's the usual Adware/Spyware tactic.
What about BHODemon and SpyBot S&D -- what were their respective results?

Peacekeeper

David H. Lipman said:
From: "news.rcn.com" <news.rnc.com>

| 'fraid running adaware in safe mode did even less than running it in normal
| mode
|
| Which at least revealed 8 supposedly critical objects which were on closer
| inspection just innocuous looking cookies
|
| Is this hijacking my browser to go to the same page and putting those curious
| entries in my registry likely to be just nothing to worry about?
|

That's the usual Adware/Spyware tactic.
What about BHODemon and SpyBot S&D -- what were their respective results?

David, I have found a McAfee user with the identical square boxes and home
page issue.

He is a current DAT file user (then 3 weeks ago) and I asked him to submit
the suspect file to AVERT (it was 1.exe, I think).

Info on submitting the file, if you have a suspect one present, is
http://forums.mcafeehelp.com/viewtopic.php?t=42043

I also found that his PC spammed mine and his whole address book with an
advert for a petrol usage reduction product.

He had scanned in safe and normal mode with all our recommended adware scanners.

I will ask him if he got a reply or if he submitted the file.
Peace