systemwarning.com Trojan ?

RJK

....long 'phone call, ...I haven't got in front of the following PC yet .....

A friend, (Adrian R*), has been hijacked, something has implanted itself
into his system tray and is presenting a pop out speech bubble as shown
here,
http://www.spynomore.com/trojan-zlob.htm PLEASE, anyone viewing this site
DO NOT download anything from it, I haven't looked into its "reputation." !!
....i.e. it could yet be one more of the thousands of anti-spyware programs that
is itself riddled with spyware!

Adrian's IE6 Homepage has become www.systemwarning.com and the malware is
advising him to download more malware under the name of "SpyAxe,"
anti-spyware software.

I've had an initial Google around the web and suspect that he has the
Trojan.zlob.e trojan but, it's hard to pin down exactly what he's got, and
very hard locating a manual work through to remove it.

Can anyone point me to a more appropriate remedy other than
http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.e.html
....or am I on the right track, ....in case I'm barking up the wrong tree.

....Left him running an a/v sweep in Safe Mode, will visit on site tomorrow.

....am continuing to research this on the web, will post details if I find my
own solution for him, in case it can help others.

regards, Richard
 
From: "RJK" <[email protected]>

| ...long 'phone call, ...I haven't got in front of the following PC yet .....
|
| A friend, (Adrian R*), has been hijacked, something has implanted itself
| into his system tray and is presenting a pop out speech bubble as shown
| here,
| http://www.spynomore.com/trojan-zlob.htm PLEASE, anyone viewing this site
| DO NOT download anything from it, I haven't looked into its "reputation." !!
| ...i.e. it could yet be one more of the thousands of anti-spyware programs that
| is itself riddled with spyware!
|
| Adrian's IE6 Homepage has become www.systemwarning.com and the malware is
| advising him to download more malware under the name of "SpyAxe,"
| anti-spyware software.
|
| I've had an initial Google around the web and suspect that he has the
| Trojan.zlob.e trojan but, it's hard to pin down exactly what he's got, and
| very hard locating a manual work through to remove it.
|
| Can anyone point me to a more appropriate remedy other than
| http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.e.html
| ...or am I on the right track, ....in case I'm barking up the wrong tree.
|
| ...Left him running an a/v sweep in Safe Mode, will visit on site tomorrow.
|
| ...am continuing to research this on the web, will post details if I find my
| own solution for him, in case it can help others.
|
| regards, Richard
|



Two-part reply:

Perform Part 1 then perform Part 2.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0, then
you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any versions of Sun Java prior
to Version 5 on the PC, they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp




Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072



Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
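An added defender-side check, not part of the thread or of any tool named in it: the PowerShell script below audits a Windows PC for the two things the reply above asks you to look at, an IE start page pointing at the hijack domain named in the thread and any Sun JRE older than 5.0 still listed under the Uninstall keys. It assumes PowerShell 3 or later and the standard IE "Main" and Windows Uninstall registry paths; the $BadHosts list is constructed from the domain quoted in the thread.

```powershell
# Added example (not from the thread). Assumes standard IE "Main" and Uninstall registry paths.
# $BadHosts is a constructed list seeded with the hijack domain named in the thread.
$BadHosts = @('www.systemwarning.com', 'systemwarning.com')

function Get-IEStartPageFindings {
    # Check the per-user and machine-wide IE start page against the known hijack hosts.
    $keys = @('HKCU:\Software\Microsoft\Internet Explorer\Main',
              'HKLM:\Software\Microsoft\Internet Explorer\Main')
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
        if (-not $value) { continue }
        $uri = $null
        if ([Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri) -and
            $BadHosts -contains $uri.Host.ToLower()) {
            [pscustomobject]@{ Check = 'IE Start Page'; Location = $key; Value = $value; Status = 'HIJACKED' }
        }
    }
}

function Get-OldJavaFindings {
    # Flag JRE installs older than Java 5. Sun-era DisplayVersion strings read "1.x.y_zz"
    # (so "1.5.0_06" is Java 5), while later releases read "8.0.2910.10" (Java 8).
    $paths = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|JRE' -and $_.DisplayVersion } |
        ForEach-Object {
            $v = $null
            # Normalise the update separator ("1.4.2_05" -> "1.4.2.05") so [Version] can parse it.
            if (-not [Version]::TryParse(($_.DisplayVersion -replace '_', '.'), [ref]$v)) { return }
            $major = if ($v.Major -eq 1) { $v.Minor } else { $v.Major }
            if ($major -lt 5) {
                [pscustomobject]@{
                    Check    = 'Java version'
                    Location = $_.PSPath
                    Value    = "$($_.DisplayName) ($($_.DisplayVersion))"
                    Status   = 'REMOVE (pre-5.0)'
                }
            }
        }
}

$findings = @(Get-IEStartPageFindings) + @(Get-OldJavaFindings)
if ($findings) { $findings | Format-Table -AutoSize } else { 'No findings.' }
```

Run it from an elevated prompt so the HKLM keys are readable; a 'HIJACKED' row points at the value the removal tools above are meant to reset, and a 'REMOVE' row names the JRE entry to uninstall before installing 5.0 Update 6.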
 
RJK said:
...long 'phone call, ...I haven't got in front of the following PC yet
.....

A friend, (Adrian R*), has been hijacked, something has implanted
itself into his system tray and is presenting a pop out speech bubble
as shown here,
http://www.spynomore.com/trojan-zlob.htm PLEASE, anyone viewing this
site DO NOT download anything from it, I haven't looked into its
"reputation." !! ...i.e. it could yet be one more of the thousands of
anti-spyware programs that is itself riddled with spyware!

Adrian's IE6 Homepage has become www.systemwarning.com and the malware
is advising him to download more malware under the name of "SpyAxe,"
anti-spyware software.

I've had an initial Google around the web and suspect that he has the
Trojan.zlob.e trojan but, it's hard to pin down exactly what he's
got, and very hard locating a manual work through to remove it.

Can anyone point me to a more appropriate remedy other than
http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.e.html
...or am I on the right track, ....in case I'm barking up the wrong
tree.

Try noahdfear's SmitFraud and SpyAxe removal tool -
http://noahdfear.geekstogo.com/click counter/click.php?id=8
References - http://www.bleepingcomputer.com/forums/topic36868.html
http://malwareremoval.com/plog/index.php?op=ViewArticle&articleId=48&blogId=3

Malke
 
HUUUUGE thanx, will be working through your post after a coffee and,
(ashamed to say it - a cigarette), and collecting up the necessaries for
tomorrow.

regards, Richard
 
Oh My Oh My ! ...I trundled along to
http://www.java.com/en/download/manual.jsp
and clicked on "Windows Offline installation "download"" and my IE wants to
save/download a file called "CAMWLOL.exe", (I wonder if the LOL part of the
filename stands for "lots of laughs." !! :-) This filename differs from
the
http://www.java.com/en/download/help/5000010400.xml#download download
instructions, specifically:-

....just checked my "Java downloads" directory and
jre-1_5_0_01-windows-i586-p.exe is the last version I installed on my own
PC - 26th January 2005

"Download and Install

Go to java.com
Click Manual Download under Get Java Software.
Click Download next to Windows (Offline Installation).
The File Download dialog box appears.
Choose the folder location. (Save the file to a known location on your
computer, for example, to your desktop).
Click Save.
The Save As dialog box appears.
If you have previously downloaded this version of JRE, you may be prompted:
File jre-1_5_0_02-windows-i586-p.exe already exists. Do you want to replace
it?
Click Yes to replace.
Verify that the:
Name of the file is jre-1_5_0_02-windows-i586-p.exe
Size is approximately 15.2 MB
Close all applications including the browser.
Double-click on the saved file icon to start the installation process."

....Has Sun been hacked I wonder ?

regards, Richard

....I'm getting ever so suspicious of the web these days !!!!!
 
RJK said:
HUUUUGE thanx, will be working through your post after a coffee and,
(ashamed to say it - a cigarette), and collecting up the necessaries
for tomorrow.

regards, Richard

Dammit!
I can sit in front of my computers not even thinking of a cigarette for
hours and now I'm smoking one because you brought it up.

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
ooops! missed out the filename. ***

Oh My Oh My ! ...I trundled along to
http://www.java.com/en/download/manual.jsp
and clicked on "Windows Offline installation "download"" and my IE wants to
save/download a file called "CAMWLOL.exe", (I wonder if the LOL part of the
filename stands for "lots of laughs." !! :-) This filename differs from
the
http://www.java.com/en/download/help/5000010400.xml#download download
instructions, specifically:-
*** jre-1_5_0_01-windows-i586-p.exe

....just checked my "Java downloads" directory and
jre-1_5_0_01-windows-i586-p.exe is the last version I installed on my own
PC - 26th January 2005

"Download and Install

Go to java.com
Click Manual Download under Get Java Software.
Click Download next to Windows (Offline Installation).
The File Download dialog box appears.
Choose the folder location. (Save the file to a known location on your
computer, for example, to your desktop).
Click Save.
The Save As dialog box appears.
If you have previously downloaded this version of JRE, you may be prompted:
File jre-1_5_0_02-windows-i586-p.exe already exists. Do you want to replace
it?
Click Yes to replace.
Verify that the:
Name of the file is jre-1_5_0_02-windows-i586-p.exe
Size is approximately 15.2 MB
Close all applications including the browser.
Double-click on the saved file icon to start the installation process."

....Has Sun been hacked I wonder ?

regards, Richard
 
oh ! I seem to get a different download filename every time I click on the
link, so perhaps it's because I haven't preset high enough security
permissions for the Sun web-site. ...CA5WC3DL.exe seems to be arriving from
"sdlc-esd.sun.com." !
I think I may go outside for another cigarette !!

regards, Richard
 
From: "Frank Saunders, MS-MVP OE" <[email protected]>

|
| Dammit!
| I can sit in front of my computers not even thinking of a cigarette for
| hours and now I'm smoking one because you brought it up.
|

Dammit Janet ! :-)

BTW: Isn't Richard really smoking a fag ?
 
From: "Leythos" <[email protected]>

|
| I watched that movie in the Theater 73 times when I was a kid.
| Midnights, fun, hot-dogs, rice everywhere....
|

Sh!t yeah ! It wasn't just a movie, it was participatory theatre. TV could *never* match
its presence in a midnite showing.

I understand it and Fast Times at Ridgemont High is going into the Hall of Fame (or
whatever they call it).

Its just a jump to the left.... :-)
 
|
| I've got something to say.
| I really loved the skilful way
| You beat the other girls to the bride's bouquet!
|

:-)
 
| | > HUUUUGE thanx, will be working through your post after a coffee and,
| > (ashamed to say it - a cigarette), and collecting up the necessaries
| > for tomorrow.
| >
| > regards, Richard
|
| Dammit!
| I can sit in front of my computers not even thinking of a cigarette for
| hours and now I'm smoking one because you brought it up.
|

I THINK thinking happy thoughts not only makes you fly but prevents cancer as well! Lipman I'm sure is good for that other virus.
 
I'm still "itching" to get in front of Adrian's PC, (the one with the
pop-out that wants him to download Spyaxe),

I spoke to him on the 'phone this morning and he's got the flu, and I don't
want to go over there and catch it !
....and particularly don't want to catch it and bring it home to my
household.

I can't just drive past and throw a cd at him, he's not PC proficient enough
to do a lot of "abnormal" PC tweaking, and I get very frustrated and rude
doing PC support over the phone !!!. Oh how I wish I'd remote/desk-topped
him ages ago.

....and besides, the first thing I would do is boot from Norton Ghost cd and
image his drive onto his 2nd hd before starting any tweaking, so that I
could, if necessary, drop back to his infected platform.

....anyway, I will post a report on this thread in a couple of days, I want
to be sure he's clear of his cold or flu, or whatever he's got.

I pondered on asking him to place his system box in my porch, and leaving it
out there in the cold for an hour or two but, it's winter here, ...I sort
of said on the 'phone that I would call in there tomorrow but, I think I've
changed my mind because of his flu.

....I do go on a bit, don't I !!!!

....there must be some irony in there somewhere, what with his PC infected and
him infected with a cold or flu as well !!

regards, Richard
 
From: "PCR" <[email protected]>


|>
|> Dammit!
|> I can sit in front of my computers not even thinking of a cigarette for
|> hours and now I'm smoking one because you brought it up.
|>
| I THINK thinking happy thoughts not only makes you fly but prevents cancer as well! Lipman
| I'm sure is good for that other virus.

Safe Hex is good for the other virus.

Remember...

There is the soft-2-wear Trojan
and...
There is the software Trojan.

The former you use and the latter you prevent :-)
 