[nfbcs] Trojan aftermath: help needed.

Steve Jacobson steve.jacobson at visi.com
Fri Dec 12 16:33:02 UTC 2008


Alan,

Hopefully I can save you a little time.  I did a search on this category of Trojans, and I am over my head on this one.  My interest in what Internet Explorer said was 
only whether you were getting the typical error that you could not be connected to the site or whether it was some other type of error that might point more 
specifically to Internet Explorer being corrupted.  I fear you may need to get some local help.  Someone suggested System Restore.  Unless you truly know when you 
got the virus, you may well restore the virus.  I see that one even needs to be careful of removal tools out there as they could be variations on the trojan itself.  I 
would be surprised if anybody's warranty would cover this but I suppose it is worth checking.  Also, if it is a Dell machine, asking Dell makes sense since they may 
have a tool.  This looks like a real bad one and I'm sorry to hear that you were infected.

On Fri, 12 Dec 2008 09:19:14 -0600, Alan Wheeler wrote:

>Steve,
>Okay, First of all, let's run down the programs:
>1. Internet Explorer: I open it, and no matter what page I go to, I get a page saying "Internet Explorer cannot display the page."  In a separate message I will copy and paste the entire page for you to review.
>2. iTunes and Juice: The programs open, but cannot, apparently, connect to download.  I discovered that Juice wasn't in my Firewall exceptions.  I added it, and it scanned the feeds but found nothing.  This leads me to suspect there is still a connectivity issue.  As for iTunes?  It doesn't seem to be able to connect to the proper servers at all.  I even ran a diagnostic on it, and had no luck.

>I have run Spybot search and destroy, AVG Free antivirus, and even system mechanic trying to rid myself of any and all remnants of this trojan.

>The trojan itself is a variant of the Zlob trojan.  It disguises itself as any number of antivirus/anti-spyware programs that claim to want to scan your system and then offer you a program to purchase to clean your computer.  This is merely a ploy to get credit card information.

>Plus, instead of scanning your computer, it is infecting it.

>Some of the examples of the fake program names include, but are not limited to:
>antivirus Protection 2009,
>AVP 2009,
>VRT 2009 (VRT standing for Virus Removal Tool), etc.

>Hope this helps.



>+-+-+-

>   For God so loved the world, that he gave his one and only Son, that whoever believes in him should not perish, but
> have eternal life. John 3:16
>~~~

>Alan D Wheeler
>awheeler at neb.rr.com
>IM me at: outlaw-cowboy at live.com
>Skype: redwheel1
>Check me out on the Q, Fridays from 10 AM to 1 PM eastern time at www.theqonline.net

>----- Original Message ----- 
>From: "Steve Jacobson" <steve.jacobson at visi.com>
>To: "NFBnet NFBCS Mailing List" <nfbcs at nfbnet.org>
>Sent: Friday, December 12, 2008 08:36
>Subject: Re: [nfbcs] Trojan aftermath: help needed.


>> Alan,
>> 
>> I don't have a lot of faith that we can help you via long distance, but what do you mean when you say that Internet Explorer, iTunes, and Juice don't work?  Let's 
>> take Internet Explorer first.  What exactly happens when you run it?  All three of these applications use your network so there could be network or firewall 
>> difficulties.  
>> How did you get the Trojan off?  I don't mean that we need complete instructions, only did someone help you or did you follow instructions from a web site or run 
>> a removal tool of some kind?  Are you using the same machine for e-mail and is that working all right?  Out of curiosity, do you know how you got this thing?  I'd like 
>> to avoid it.  
>> 
>> On Fri, 12 Dec 2008 07:35:45 -0600, Gary Wunder wrote:
>> 
>>>Hi Alan. I thought part of buying Dell was ongoing customer support. Might 
>>>this be something that comes with your warranty? If worse comes to worse, do 
>>>you have your original installation disks or the image they place on a 
>>>protected part of the disk?
>> 
>>>Gary
>> 
>> 
>>>----- Original Message ----- 
>>>From: "Alan Wheeler" <awheeler at neb.rr.com>
>>>To: "NFBCS list" <nfbcs at nfbnet.org>
>>>Sent: Thursday, December 11, 2008 5:30 PM
>>>Subject: [nfbcs] Trojan aftermath: help needed.
>> 
>> 
>>>> Okay, so I got this zlob trojan/AntiVirus Protection 2009 trojan and 
>>>> cleaned it off my system, as best I could, anyway, but now I cannot get 
>>>> Internet Explorer to work, nor can I get iTunes or Juice Podcatcher to 
>>>> work, either.
>>>>
>>>> I am assuming there is something in the registry I need to fix, but have 
>>>> no clue what it is.  Can anyone help me with this?  Please bear in mind 
>>>> that I am a regedit virgin, so to speak, and need detailed step-by-step 
>>>> instructions and maybe some hand-holding, after a fashion.  Can anyone 
>>>> help with this?
>>>>
>>>>
>>>> I am operating a Dell Optiplex 740; AMD Athlon 64 X2 Dual core processor 
>>>> 4200+
>>>> 1.79 Ghz, 1.93 GB of ram.  My OS is Windows XP Home, service pack 3.
>>>>
>>>> If you need any further info, please write me at awheeler at neb.rr.com and 
>>>> ask.
>>>>
>>>> +-+-+-
>>>>
>>>>   For God so loved the world, that he gave his one and only Son, that 
>>>> whoever believes in him should not perish, but
>>>> have eternal life. John 3:16
>>>> ~~~
>>>>
>>>> Alan D Wheeler
>>>> awheeler at neb.rr.com
>>>> IM me at: outlaw-cowboy at live.com
>>>> Skype: redwheel1
>>>> Check me out on the Q, Fridays from 10 AM to 1 PM eastern time at 
>>>> www.theqonline.net
>>>> _______________________________________________
>>>> nfbcs mailing list
>>>> nfbcs at nfbnet.org
>>>> http://www.nfbnet.org/mailman/listinfo/nfbcs_nfbnet.org
>>>> To unsubscribe, change your list options or get your account info for 
>>>> nfbcs:
>>>> http://www.nfbnet.org/mailman/options/nfbcs_nfbnet.org/gwunder%40earthlink.net
>>>> 
>> 
>> 









