Pulez trojan - anyone heard of it

Gerry

Hi All, has anyone heard of this beast, I was at a friend's place and we found
it on the machine using 'the cleaner' (was in the win32proc.exe file on win
2000 machine) recently added on 7th April to the cleaner dbase.
just wondering what the nasty does, cleaner seemed to get rid of it but
wondering what it did/may still do in the future. can't find anything on the
net about it...
Now having problems retaining the home page and search page as his network,
keeps defaulting to http://20y% and a heap more numbers (about 30-40) and
also has several pages from porn sites keep returning after we delete then
reboot, even gone through the registry and changed em all back to his
network...and they keep coming back, a/v finds nothing, cleaner is coming up
ok.
frustrating to say the least, left him downloading spybot last night to see
if the pages can be fixed, rather than a new install......
any advice/thoughts appreciated.


thanks
Gerry
 
Heather

Gerry said:
Hi All, has anyone heard of this beast, I was at a friend's place and we found
it on the machine using 'the cleaner' (was in the win32proc.exe file on win
2000 machine) recently added on 7th April to the cleaner dbase.
just wondering what the nasty does, cleaner seemed to get rid of it but
wondering what it did/may still do in the future. can't find anything on the
net about it...
Now having problems retaining the home page and search page as his network,
keeps defaulting to http://20y% and a heap more numbers (about 30-40) and
also has several pages from porn sites keep returning after we delete then
reboot, even gone through the registry and changed em all back to his
network...and they keep coming back, a/v finds nothing, cleaner is coming up
ok.
frustrating to say the least, left him downloading spybot last night to see
if the pages can be fixed, rather than a new install......
any advice/thoughts appreciated.


It is probably a browser hijacker......download Hijack This from the link
below and follow the instructions. If this doesn't work, then use
CWShredder.....see link below......

http://www.spywareinfo.com/~merijn/files/hijackthis.zip
FAQ: Running Hijack This
~~~~
Unzip, double-click "HijackThis.exe" and Press "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates: "hijackthis.log")

Next, go to: http://www.spywareinfo.com/forums/
Sign in, or post as a guest, go to the "Spyware and Hijackware Removal"
section.
Press "New Topic", copy and paste "hijackthis.log" into your new message.
Let the Experts make the judgement call, and recommend, if running the
CWShredder is required, in some cases it is - others not -

http://www.spywareinfo.com/~merijn/cwschronicles.html is an explanation of
CWS....etc.

But I will put my money on a browser hijacker.

Cheers......Heather
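
A way to triage the hijackthis.log that the steps above produce, as an added example that is not part of the original thread or of HijackThis itself: it pairs the R0/R1 home/search page values with the O4 startup entries, since pages that revert after every reboot point to something being relaunched at startup. The log lines, the trusted host `intranet.example` and the startup allow-list are constructed assumptions, and only R0/R1 and registry Run-style O4 lines are parsed.

```python
import re

# Constructed sample in HijackThis log layout (not taken from the thread).
SAMPLE_LOG = r"""Logfile of HijackThis
Platform: Windows 2000
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.hijack.invalid/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hijack.invalid/find
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.example/
O4 - HKLM\..\Run: [win32proc] C:\WINNT\system32\win32proc.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
RUN_ITEM = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def host_of(url):
    """Lower-cased host part of a URL; the raw value if it is not a URL."""
    m = re.match(r"^[a-z]+://([^/:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else url.strip().lower()

def triage(log_text, trusted_hosts, known_startup):
    """Return (page_findings, startup_findings) that deserve a second look."""
    pages, startups = [], []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):  # IE start/search page values
            v = REG_VALUE.match(body)
            if v and host_of(v.group("data")) not in trusted_hosts:
                pages.append((v.group("key"), v.group("name"), v.group("data")))
        elif code == "O4":  # programs launched at startup
            r = RUN_ITEM.match(body)
            if r and r.group("name").lower() not in known_startup:
                startups.append((r.group("hive"), r.group("name"), r.group("cmd")))
    return pages, startups

if __name__ == "__main__":
    # Assumed allow-lists: the owner's own home page host and known-good startup names.
    pages, startups = triage(SAMPLE_LOG, {"intranet.example"}, {"synchronization manager"})
    for key, name, data in pages:
        print(f"page value to review: {key} [{name}] -> {data}")
    for hive, name, cmd in startups:
        print(f"startup entry to review: {hive} [{name}] {cmd}")
```

An unexplained O4 entry alongside altered R0/R1 values is the combination to raise when posting the log for review, because resetting the pages alone leaves the startup entry in place.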
 
null

Gerry said:
Hi All, has anyone heard of this beast, I was at a friend's place and we found
it on the machine using 'the cleaner' (was in the win32proc.exe file on win
2000 machine) recently added on 7th April to the cleaner dbase.
just wondering what the nasty does, cleaner seemed to get rid of it but
wondering what it did/may still do in the future. can't find anything on the
net about it...
Now having problems retaining the home page and search page as his network,
keeps defaulting to http://20y% and a heap more numbers (about 30-40) and
also has several pages from porn sites keep returning after we delete then
reboot, even gone through the registry and changed em all back to his
network...and they keep coming back, a/v finds nothing, cleaner is coming up
ok.
frustrating to say the least, left him downloading spybot last night to see
if the pages can be fixed, rather than a new install......
any advice/thoughts appreciated.

This Trojan is now being detected by some antivirus products. Here's a
description with removal instructions from Trend:

http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=TROJ_PLEUZ.B

Notice the different alias names, and the fact that there are variants
out there.

Insofar as finding info, all you have to do is Google the phrase pulez
trojan


Art
http://www.epix.net/~artnpeg
 
Gerry

Thanks for the Trend link & tip Art,
but we did search on Google for pulez and got one hit and that was in
Russian, my grasp of Russian was not so good and still is not so good, didn't
think about translation on the page either...

Google seems to have a bit more info on the trojan there now.

also have done all of what the Trend page suggested before seeing that page,

As I said in previous post, The cleaner picked it up in winproc32.exe, but
there must be something hidden in his system somewhere else,

I will send him the link you posted and see if it helps him,

thanks again.
 
Richard Steven Hack

Gerry said:
network...and they keep coming back, a/v finds nothing, cleaner is coming up
ok.

Consider the possibility that a system file has been replaced by a
phoney that is undetectable by standard AV/trojan scans. In other
words, a "rootkit" (or a Windows version thereof). Someone who
customizes a piece of system software and only uses it here and there
is not likely to be picked up by normal AV/trojan scanners (and
presumably wrote the thing so it's not detected by the OS itself.)

Of course, it could just be something new - somebody has to be the
first...:)
 
