systemwarning.com Trojan ?


David H. Lipman

From: "RJK" <[email protected]>

| I'm still "itching" to get in front of Adrian's PC, (the one with the
| pop-out that wants him to download Spyaxe),
|
| I spoke to him on the 'phone this morning and he's got the flu, and I don't
| want to go over there and catch it !
| ...and particularly don't want to catch it and bring it home to my
| household.
|
| I can't just drive past and throw a cd at him, he's not PC proficient enough
| to do a lot of "abnormal" PC tweaking, and I get very frustrated and rude
| doing PC support over the phone !!!. Oh how I wish I'd remote/desk-topped
| him ages ago.
|
| ...and besides, the first thing I would do is boot from Norton Ghost cd and
| image his drive onto his 2nd hd before starting any tweaking, so that I
| could, if necessary, drop back to his infected platform.
|
| ...anyway, I will post a report on this thread in a couple of days, I want
| to be sure he's clear of his cold or flu, or whatever he's got.
|
| I pondered on asking him to place his system box in my porch, and leaving it
| out there in the cold for an hour or two but, it's winter here, ...I sort
| of said on the 'phone that I would call in there tomorrow but, I think I've
| changed my mind because of his flu.
|
| ...I do go on a bit, don't I !!!!
|
| ...there must be some irony in there somewhere, what with his PC infected and
| him infected with a cold or flu as well !!
|
| regards, Richard


Richard:

I'll be around. If you need to you can send me email.
Just remove ~nospam~ from; [email protected]
 

PCR

| From: "PCR" <[email protected]>
|
|
| |>
| |> Dammit!
| |> I can sit in front of my computers not even thinking of a cigarette for
| |> hours and now I'm smoking one because you brought it up.
| |>
| | I THINK thinking happy thoughts not only makes you fly but prevents cancer as well! Lipman
| | I'm sure is good for that other virus.
|
| Safe Hex is good for the other virus.

Huh? Oh, oh, yea. Yea.

|
| Remember...
|
| There is the soft-2-wear Trojan

Huh!

| and...
| There is the software Trojan.

Right. Yea.

|
| The former you use

I BEG your pardon?

| and the latter you prevent :)

Oh, oh, yea. That's right. Yea!

|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|
|
 

RJK

oooh! this is exciting ! ...no virus found on the standard Norton Ghost a/v
sweep but, thought I'd run the Norton "Run Update Locator" on my PC, six new
virus signatures were found, so burnt those to a cd, and slapped that cd-r
into his 2nd cd drive and ran the a/v sweep again, and "Number of files
infected" is showing "4"

....wonder if Norton'll be able to fix'em ? !

regards, Richard
 

RJK

....you're gonna snicker !! :) ....
I've now got his PC on my bench !!!
....'phoned him this morning - he's still sounding very bronchial ...and
nasal for that matter - so I suggested that he put a litre of warm water in
a jug along with a capful of Dettol and, after unplugging it, wipe over his
system box with a damp cloth, (wrung out in that solution), and place it
outside his back door with a towel over it, (it's lightly raining), and I'll
drive over to P******, (the village where he lives), which I did !!!!!!!
When I got there I put on a dust mask, (that looks like a surgical mask- for
fun), and tapped on the front door, ...wearing the mask to emphasize that
I don't want to contract their cold or flu virus, as I pick up the infected
system box. :)
....anyway, I've just spent an hour vacuuming and blowing it out, (preventing
fans spinning to prevent back voltages ...I thought I'd mention that so that
people don't think I'm an idiot !), and it's now running a Ghost boot a/v
sweep, which I suspect probably won't be worth anything because I suspect
the ActiveX control he allowed on his PC was signaturised by Symantec in May
or June '05 , but, I thought I'd run it anyway. Files scanned is up to
77,000 + and I'm going downstairs for my lunch. :)

regards, Richard
 

RJK

....and YES!!!!!! ...it is the Trojan.Zlob virus

Norton is reporting that:-
Number of files scanned: 89064
Number of infections found : 4
Number of files repaired: 0
Number of files deleted: 4
Number of files left infected: 0

Details:
c:\windows\system32\nvctrl.exe was infected with Trojan.Zlob.
(DELETED)
c:\windows\system32 \ldE309.tmp was infected with Trojan.Zlob. (DELETED)
c:\windows\system32\hpE58A.tmp was infected with Trojan.Zlob. (DELETED)
c:\windows\system32\mssearchnet.exe was infected with Trojan.Zlob.D
(DELETED)

....which now leaves me wondering if I should let his PC boot to Windows XP
Home "normal" mode, I think I'll have a re-read of your post,
....and boot to Safe mode and uninstall his older Java first ?
....and should I then run the SmitRem.exe that you mention, or could Norton
have done the job ??

regards, Richard
 

RJK

mmm... just been having a rummage around his PC in Safe Mode and "Spyaxe
3.0" is listed in Control Panel Add/Remove Programs.

....now beginning to implement your post !

regards, Richard
 

RJK

Thanx yet again :)

After running that Norton sweep that found 4 infected files, I had
a rummage in Safe Mode and noticed that SpyAxe 3.0 was listed in Control
Panel "add/Remove" programs. I restarted, and missed my F8 opportunity, (to
go for Safe mode again), and the damned thing started in Normal Mode and up
popped all the SpyAxe crap, so I'm running Ghost /av sweep again, (1
infected file found so far)

....oh what fun !

regards, Richard
 

David H. Lipman

From: "RJK" <[email protected]>

| ...and YES!!!!!! ...it is the Trojan.Zlob virus
|
| Norton is reporting that:-
| Number of files scanned: 89064
| Number of infections found : 4
| Number of files repaired: 0
| Number of files deleted: 4
| Number of files left infected: 0
|
| Details:
| c:\windows\system32\nvctrl.exe was infected with Trojan.Zlob.
| (DELETED)
| c:\windows\system32 \ldE309.tmp was infected with Trojan.Zlob. (DELETED)
| c:\windows\system32\hpE58A.tmp was infected with Trojan.Zlob. (DELETED)
| c:\windows\system32\mssearchnet.exe was infected with Trojan.Zlob.D
| (DELETED)
|
| ...which now leaves me wondering if I should let his PC boot to Windows XP
| Home "normal" mode, I think I'll have a re-read of your post,
| ...and boot to Safe mode and uninstall his older Java first ?
| ...and should I then run the SmitRem.exe that you mention, or could Norton
| have done the job ??
|
| regards, Richard


The Trojan ZLob is responsible for many malware outbreaks as of late.

The tools I suggested early into this thread are designed to remove many of the threats
associated together with the ZLob Trojan.

My particular solution...

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Adds the McAfee Command Line Scanner so not only will the associated malware be removed but
other possible infectors will also be detected via signature and heuristic detection.

NOTE: The above tool was updated last night. Make sure you use the latest version.
 

Lester Stiefel

RJK said:
Thanx yet again :)

After running that Norton sweep that found 4 infected files, I had
a rummage in Safe Mode and noticed that SpyAxe 3.0 was listed in Control
Panel "add/Remove" programs. I restarted, and missed my F8 opportunity, (to
go for Safe mode again), and the damned thing started in Normal Mode and up
popped all the SpyAxe crap, so I'm running Ghost /av sweep again, (1
infected file found so far)

...oh what fun !

regards, Richard

What I do in these cases is to enable the boot menu by
starting msconfig and opening advanced properties. Look for
"enable boot time menu". That will force the system to pause and
toss up the boot menu. Takes the guesswork out of the troubleshooting
process.
 
David H. Lipman

From: "RJK" <[email protected]>

| ...along the way, (I've been in front of the thing nearly all day now), I've
| had to download and run
| http://securityresponse.symantec.com/avcenter/venc/data/adware.ndotnet.html
| to get rid of "NewDotNet" adware and a directory of the same name in
| "program files," that wouldn't delete,
|
| I wonder what on earth else I'm going to find in there ?
|
| ...what are all those explosions outside ...Oh Yeah ...HAPPY NEW YEAR
| everyone !!! :)
|
| regards, Richard
|


New Dot Net inserts a Layered Service Provider (LSP). If you remove New Dot Net without
removing the LSP plug-in, you will break the TCP/IP stack and you won't be able to access
the Internet.

You need LSP Fix -- http://www.cexx.org/lspfix.htm
http://www.cexx.org/LSPFix.exe

That will remove the LSP and is best used PRIOR to removing New Dot Net.

Additionally, NAV software is NOT the best solution. The following are...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.
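Lipman's point about the LSP chain, as an added example that is not part of the thread and is not code from LSPFix, Ad-aware or any other tool named here: a Python script that reads the text printed by `netsh winsock show catalog` (the command-line view, on XP SP2 and later, of the same Winsock2 catalog Richard was browsing in the registry) and reports layered providers whose DLL is not a stock Windows provider, together with the chain entries that would be left pointing at a missing DLL if the provider were simply deleted. The catalog text in the script is a constructed sample modeled on that command's layout; the entry IDs, the GUIDs, the `ExampleAds` path and the `KNOWN_GOOD_DLLS` list are assumptions for the example.

```python
"""Audit a Winsock catalog dump for third-party Layered Service Providers.

Added example, not from the thread or from LSPFix/Ad-aware/Spybot. Input is
the text of `netsh winsock show catalog`; SAMPLE_CATALOG is a constructed
stand-in for it.
"""
import re

# Provider DLLs that ship with Windows XP (assumption for this example; adjust
# for the build being audited). A layered provider backed by any other DLL is
# reported for manual review.
KNOWN_GOOD_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nwprovau.dll"}

# Constructed sample: one base provider (chain length 1), one third-party LSP
# (chain length 0) and one chain entry (chain length 2) that layers the LSP
# over TCP/IP. Catalog IDs, GUIDs and the ExampleAds path are made up.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        ExampleAds Network Filter
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\\Program Files\\ExampleAds\\example_lsp.dll
Catalog Entry ID:                   1023
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ExampleAds Network Filter over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\\Program Files\\ExampleAds\\example_lsp.dll
Catalog Entry ID:                   1024
Protocol Chain Length:              2
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*\S)\s*$")
ENTRY_HEADER_RE = re.compile(r"^Winsock Catalog .*Entry\s*$", re.M)


def dll_name(provider_path):
    """Lower-cased file name of a provider path, whatever the separators."""
    return provider_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_catalog(text):
    """Turn netsh-style catalog text into a list of {field: value} dicts.

    Only protocol entries (those carrying a Protocol Chain Length) are kept;
    the namespace provider entries netsh also prints are skipped.
    """
    entries = []
    for block in ENTRY_HEADER_RE.split(text):
        fields = {}
        for line in block.splitlines():
            match = FIELD_RE.match(line)
            if match:
                fields[match.group(1)] = match.group(2)
        if "Catalog Entry ID" in fields and "Protocol Chain Length" in fields:
            fields["Catalog Entry ID"] = int(fields["Catalog Entry ID"])
            fields["Protocol Chain Length"] = int(fields["Protocol Chain Length"])
            entries.append(fields)
    return entries


def audit_catalog(text):
    """Classify entries and flag non-stock LSPs plus the chains built on them.

    Winsock semantics used: chain length 1 = base provider, 0 = the layered
    provider itself, >1 = a chain entry stacking an LSP on a base provider.
    Chain entries are tied to their LSP through the provider DLL they name.
    """
    entries = parse_catalog(text)
    report = {"base_providers": [], "suspect_lsps": [], "dependent_chains": []}
    suspect_dlls = set()
    for entry in entries:  # first pass: base providers and layered providers
        dll = dll_name(entry.get("Provider Path", ""))
        length = entry["Protocol Chain Length"]
        if length == 1:
            report["base_providers"].append(entry["Catalog Entry ID"])
        elif length == 0 and dll not in KNOWN_GOOD_DLLS:
            report["suspect_lsps"].append(entry["Catalog Entry ID"])
            suspect_dlls.add(dll)
    for entry in entries:  # second pass: chains that would dangle without the LSP
        dll = dll_name(entry.get("Provider Path", ""))
        if entry["Protocol Chain Length"] > 1 and dll in suspect_dlls:
            report["dependent_chains"].append(entry["Catalog Entry ID"])
    return report


if __name__ == "__main__":
    result = audit_catalog(SAMPLE_CATALOG)
    print("base providers:           ", result["base_providers"])
    print("suspect LSP entries:      ", result["suspect_lsps"])
    print("chains depending on them: ", result["dependent_chains"])
    if result["suspect_lsps"]:
        print("Remove the LSP and its chain entries from the catalog (LSPFix, or "
              "'netsh winsock reset' on XP SP2 and later) before deleting the DLL.")
```

On a live machine, dump the catalog with `netsh winsock show catalog > catalog.txt` and hand the file's contents to `audit_catalog`. The order the report implies is the one Lipman gives: take the layered provider and its chain entries out of the catalog first (LSPFix, or `netsh winsock reset` on XP SP2 and later, which rebuilds the catalog to its defaults), and only then delete the DLL; otherwise every chain entry layered over the stock TCP/IP provider fails to load and the machine shows the "works, but can't reach the Internet" symptom described later in the thread.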
 

RJK

....you beat me to it. i.e. last night while rummaging around attempting to
get rid of New Dot Net, I noticed on the "Winsock2" branch (was rummaging
in the registry at the time), a "NewDotNet" entry and was going to ask how
to remove it without breaking the "daisy-chain" in there.

A year or so ago I tried a LSP fix on a machine with a broken Winsock,
....can't remember what was going on at the time but, after running it I got
loud click from the monitor and screen, and a completely dead Windows
installation, ...and hard disk if I remember correctly, ...even though twas
more than a year ago. I also remember suspecting at the time that I'd
downloaded a rogue LSP fix.

....Am running Lavasoft in Safe Mode, ran it yesterday - it didn't find very
much.

Thanx for all your help. ...am still struggling along :).

regards, Richard
 

David H. Lipman

From: "RJK" <[email protected]>

| ...you beat me to it. i.e. last night while rummaging around attempting to
| get rid of New Dot Net, I noticed on the "Winsock2" branch (was rummaging
| in the registry at the time), a "NewDotNet" entry and was going to ask how
| to remove it without breaking the "daisy-chain" in there.
|
| A year or so ago I tried a LSP fix on a machine with a broken Winsock,
| ...can't remember what was going on at the time but, after running it I got
| loud click from the monitor and screen, and a completely dead Windows
| installation, ...and hard disk if I remember correctly, ...even though twas
| more than a year ago. I also remember suspecting at the time that I'd
| downloaded a rogue LSP fix.
|
| ...Am running Lavasoft in Safe Mode, ran it yesterday - it didn't find very
| much.
|
| Thanx for all your help. ...am still struggling along :).
|
| regards, Richard

Anytime Richard !

BTW: Happy New Year.
 

RJK

....just did the LSP thing, ...no Norton, and IE come to that, can
connect....I feel like I'm going to be sat in front of this thing for a
week.

regards, Richard
 

RJK

...what on earth am I on about ?

....LSP Fix removed the NewDotNet Winsock2 key and now IE etc. is all OK :)

regards, Richard
 

cquirke (MVP Windows shell/user)

| ...you beat me to it. i.e. last night while rummaging around attempting to
| get rid of New Dot Net, I noticed on the "Winsock2" branch (was rummaging
| in the registry at the time), a "NewDotNet" entry and was going to ask how
| to remove it without breaking the "daisy-chain" in there.

A valid concern :)

| A year or so ago I tried a LSP fix on a machine with a broken Winsock,
| ...can't remember what was going on at the time but, after running it I got
| loud click from the monitor and screen, and a completely dead Windows
| installation, ...and hard disk if I remember correctly, ...even though twas
| more than a year ago. I also remember suspecting at the time that I'd
| downloaded a rogue LSP fix.

Wow - that's above & beyond expectations of badness. Normally, you'd
end up with something that looked like broken DNS, i.e. "PC works but
I can't access the Internet" sort of thing.

In those days, before LSPFix, the cause was often deleting a
Winsock-invader using one of the anti-cm tools - I think it was
AdAware, may have been before Spybot came out - and the "fix" was to
do an over-old re-installation of Windows. Ugly.

Now AdAware and others have built-in LSP management tools or add-ons,
and are far more aware of the issue when killing such malware, listing
them in red and so forth. Finally, XP grew an in-house fix in SP2.

| Thanx for all your help. ...am still struggling along :).

It's a pleasure!


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
 

RJK

....final word on this thread ? , but first of course is a VERY big thank you
to David H. Lipman for such brilliant help.

I took A****'s computer back to him in a much better state than I received
it ! I also gave him a MAJOR "dressing down" for allowing in the malware
that he'd allowed into his PC, ...for a second time ! ...last year he
allowed malware into his PC and got a vigorous telling off from myself !
He mentioned that his teenage sons are now using his computer, and I
suggested that he disallow them from using it unless he's present. "iTunes"
music download software was installed and I suspect it was that which had
the NewDotNet malware/marketing software attached to it. I tried
explaining to him that lots of "free" "TryBeforeYouBuy" software often has
malware attached to it, a fact which is sometimes clearly stated in the
Licensing details for such software, on which people are too quick to click
OK.

Thank you again.

regards, Richard
 

RJK

I'd forgotten one could do that ! Thank you :) I'm getting older, ...and I
can't seem to remember as much as I used to !

regards, Richard
 
