[nfbcs] Trojan aftermath: help needed.

Steve Jacobson steve.jacobson at visi.com
Fri Dec 12 21:23:15 UTC 2008


Alan,

I am using Internet Explorer 6, and while it has a similar error page, the wording is different.  Are you using IE 7, and if you are, can anyone else confirm that this is indeed an IE 7 page?  If you are still on IE 6, I would be suspicious that this page has been altered even though it is functionally similar.  Wow!

If you are able to send or receive e-mail from the machine that was infected, it would indicate that your network is still functioning and that a connection is being made.  There are various network components that could have been affected, though.  Another possible simple cause is that this virus affects DNS lookups.  If you had to code DNS Server addresses for your internet service provider, you might check to see if they are still there.  Going to a command prompt and typing IPCONFIG might also yield some useful information about your connection.  You might, unfortunately, need some local help on this.

On Fri, 12 Dec 2008 11:16:45 -0600, Alan Wheeler wrote:

Steve,
Below is the page displayed in IE when I open it.  As you can see, it's fairly typical and gives no hint that IE is corrupted.

        Internet Explorer cannot display the webpage

        Most likely causes:
        * You are not connected to the Internet.
        * The website is encountering problems.
        * There might be a typing error in the address.

        What you can try:
          Diagnose Connection Problems

          More information

+-+-+-

   For God so loved the world, that he gave his one and only Son, that whoever believes in him should not perish, but have eternal life. John 3:16
~~~

Alan D Wheeler
awheeler at neb.rr.com
IM me at: outlaw-cowboy at live.com
Skype: redwheel1
Check me out on the Q, Fridays from 10 AM to 1 PM eastern time at www.theqonline.net

----- Original Message -----
From: "Steve Jacobson" <steve.jacobson at visi.com>
To: "NFBnet NFBCS Mailing List" <nfbcs at nfbnet.org>
Sent: Friday, December 12, 2008 10:33
Subject: Re: [nfbcs] Trojan aftermath: help needed.


> Alan,
>
> Hopefully I can save you a little time.  I did a search on this category of Trojans, and I am over my head on this one.  My interest in what Internet Explorer said was only whether you were getting the typical error that you could not be connected to the site or whether it was some other type of error that might point more specifically to Internet Explorer being corrupted.  I fear you may need to get some local help.  Someone suggested System Restore.  Unless you truly know when you got the virus, you may well restore the virus.  I see that one even needs to be careful of removal tools out there as they could be variations on the trojan itself.  I would be surprised if anybody's warranty would cover this but I suppose it is worth checking.  Also, if it is a Dell machine, asking Dell makes sense since they may have a tool.  This looks like a real bad one and I'm sorry to hear that you were infected.
>
> On Fri, 12 Dec 2008 09:19:14 -0600, Alan Wheeler wrote:
>
>>Steve,
>>Okay, First of all, let's run down the programs:
>>1. Internet Explorer: I open it, and no matter what page I go to, I get a page saying "Internet Explorer cannot display the page."  In a separate message I will copy and paste the entire page for you to review.
>>2. iTunes and Juice: The programs open, but cannot, apparently, connect to download.  I discovered that Juice wasn't in my Firewall exceptions.  I added it, and it scanned the feeds but found nothing.  This leads me to suspect there is still a connectivity issue.  As for iTunes?  It doesn't seem to be able to connect to the proper servers at all.  I even ran a diagnostic on it, and had no luck.
>
>>I have run Spybot search and destroy, AVG Free antivirus, and even system mechanic trying to rid myself of any and all remnants of this trojan.
>
>>The trojan itself is a variant of the Zlob trojan.  It disguises itself as any number of antivirus/anti-spyware programs that claim to want to scan your system and then offer you a program to purchase to clean your computer.  This is merely a ploy to get credit card information.
>
>>Plus, instead of scanning your computer, it is infecting it.
>
>>Some of the examples of the fake program names include, but are not limited to:
>>antivirus Protection 2009,
>>AVP 2009,
>>VRT 2009 (VRT standing for Virus Removal Tool), etc.
>
>>Hope this helps.
>
>>----- Original Message -----
>>From: "Steve Jacobson" <steve.jacobson at visi.com>
>>To: "NFBnet NFBCS Mailing List" <nfbcs at nfbnet.org>
>>Sent: Friday, December 12, 2008 08:36
>>Subject: Re: [nfbcs] Trojan aftermath: help needed.
>
>>> Alan,
>>>
>>> I don't have a lot of faith that we can help you via long distance, but what do you mean when you say that Internet Explorer, I Tunes, and Juice don't work.  Let's take Internet Explorer first.  What exactly happens when you run it?  All three of these applications use your network so there could be network or firewall difficulties.
>>> How did you get the Trojan off?  I don't mean that we need complete instructions, only did someone help you or did you follow instructions from a web site or run a removal tool of some kind?  Are you using the same machine for e-mail and is that working all right?  Out of curiosity, do you know how you got this thing, I'd like to avoid it.
>>>
>>> On Fri, 12 Dec 2008 07:35:45 -0600, Gary Wunder wrote:
>>>
>>>>Hi Alan. I thought part of buying Dell was ongoing customer support. Might this be something that comes with your warranty? If worse comes to worse, do you have your original installation disks or the image they place on a protected part of the disk?
>>>
>>>>Gary
>>>
>>>>----- Original Message -----
>>>>From: "Alan Wheeler" <awheeler at neb.rr.com>
>>>>To: "NFBCS list" <nfbcs at nfbnet.org>
>>>>Sent: Thursday, December 11, 2008 5:30 PM
>>>>Subject: [nfbcs] Trojan aftermath: help needed.
>>>
>>>>> Okay, so I got this zlob trojan/AntiVirus Protection 2009 trojan and cleaned it off my system, as best I could, anyway, but now I cannot get Internet Explorer to work, nor can I get iTunes or Juice Podcatcher to work, either.
>>>>>
>>>>> I am assuming there is something in the registry I need to fix, but have no clue what it is.  Can anyone help me with this?  Please bear in mind that I am a regedit virgin, so to speak, and need detailed step-by-step instructions and maybe some hand-holding, after a fashion.  Can anyone help with this?
>>>>>
>>>>> I am operating a Dell Optiplex 740; AMD Athlon 64 X2 Dual core processor 4200+ 1.79 Ghz, 1.93 GB of ram.  My OS is Windows XP Home, service pack 3.
>>>>>
>>>>> If you need any further info, please write me at awheeler at neb.rr.com and ask.
>>>>>
>>>>> +-+-+-
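
The DNS check suggested in the reply at the top of this message (confirming that the DNS server addresses are still the ones from the internet service provider), as an added example that is not part of the original thread: Python that reads saved `ipconfig /all` output and lists any resolver not on the expected list. The sample output and the expected addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of saved `ipconfig /all` output (documentation addresses).
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.101
        DNS Servers . . . . . . . . . . . : 203.0.113.66
                                            192.0.2.53
        Lease Obtained. . . . . . . . . . : Friday, December 12, 2008 8:00:00 AM
"""
# Hypothetical resolver addresses supplied by the ISP (assumption, not from the thread).
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}
FIELD = re.compile(r"^\s+(?P<key>[^:]+?)[ .]*:\s*(?P<value>.*)$")

def as_ip(token):
    """Return token as a normalized IP string, or None if it is not an address."""
    try:
        return str(ipaddress.ip_address(token.split("%")[0]))
    except ValueError:
        return None

def dns_servers_by_adapter(text):
    """Map each section of the output to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not line[0].isspace():              # unindented line starts a section
            current, in_dns = stripped.rstrip(":"), False
        elif in_dns and as_ip(stripped):       # continuation line: another server
            adapters.setdefault(current, []).append(as_ip(stripped))
        else:
            m = FIELD.match(line)
            in_dns = bool(m) and m.group("key") == "DNS Servers"
            if in_dns and as_ip(m.group("value")):
                adapters.setdefault(current, []).append(as_ip(m.group("value")))
    return adapters

def unexpected_dns(text, expected):
    """Return (adapter, server) pairs for resolvers that are not in `expected`."""
    return [(name, ip) for name, servers in dns_servers_by_adapter(text).items()
            for ip in servers if ip not in expected]

if __name__ == "__main__":
    print(unexpected_dns(SAMPLE_IPCONFIG, EXPECTED_DNS))
```

An empty result means every configured resolver is on the expected list; any pair returned names the adapter whose DNS setting should be compared with what the provider issued.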







