From: pOTRice on 14 Apr 2006 06:28

More info - I've been trying to figure out how I got this malware - realised that the only thing that I had added knowingly recently was this . .

http://www.media-codec.com/v4/mediacodec-v4.143.exe

I found the path still in the recently accessed (dropdown list in IE). I still had the actual EXE (I always save them). I executed this again (on my copy system) and, lo and behold, it set up the Registry key and put back dfrgsrv.exe again!

AVG didn't notice it originally - nor even when I asked it to specifically scan the codec EXE.

I am wondering about my previously stated faith in the power of ZoneAlarm. Would the malware have tried to phone home in the guise of Explorer since the Reg Key was associated with that? If so, I might have allowed it!

On Fri, 14 Apr 2006 09:07:27 GMT, pOTRice <potriceReMoVe(a)tHiSboltblue.com> wrote:

>I've had a go . .
>
>Ghosted the partition onto another drive (I use removable caddies) and tinkered with the copy.
>
>Tried SmitRem.exe - didn't seem to do any good.
>Started Disc clean up but got impatient.
>
>What the hell! - it's only a copy - Ran up in Safe mode - *deleted* dfrgsrv.exe.
>Ran up MS AntiSpyware - asked it to delete the 'Run' Registry entry - it did!
>Checked again with Regedit - yes it had gone.
>
>Ran up again in Normal mode - seems OK.
>
>Only negative impact so far is my Desktop icons are nicely arranged in the top right hand corner of screen - I can live with that.
>
>Am I kidding myself?
>Is it really much more complicated than that?
>
>I will be keeping a careful eye on each re-boot in future (not very often - stays on for weeks).
>
>Many thanks David for your quick response and effort you put in to help me - much appreciated.
>
>Now to fix the *real* disk . .
>
>On Thu, 13 Apr 2006 18:04:37 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>
>>From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>
>>
>>| Many thanks for your comprehensive reply.
>>| I will not have a chance to execute it till tomorrow.
>>|
>>| I hope I'm right in thinking that, as long as ZoneAlarm blocks it going out, it can't do any real harm.
>>|
>>
>>It depends on your definition but the FireWall is blocking any aspects of sending data "home" or to 3rd parties.
From: David H. Lipman on 14 Apr 2006 07:20

From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>

| More info - I've been trying to figure out how I got this malware -
| realised that the only thing that I had added knowingly recently was
| this . .
| http://www.media-codec.com/v4/mediacodec-v4.143.exe
| I found the path still in the recently accessed (dropdown list in IE)
| I still had the actual EXE (I always save them)
| I executed this again (on my copy system) and, lo and behold, it set
| up the Registry key and put back dfrgsrv.exe again!
| AVG didn't notice it originally - nor even when I asked it to
| specifically scan the codec EXE.
| I am wondering about my previously stated faith in the power of
| ZoneAlarm.
| Would the malware have tried to phone home in the guise of Explorer
| since the Reg Key was associated with that? If so, I might have
| allowed it!

Yes, these utilities need to clean the LIVE PC to access both the disk files and the Registry of the affected OS.

What you posted, "mediacodec-v4.143.exe", was another in a series of new variants of the Zlob Trojan.

Kaspersky 4.0.2.24 04.14.2006 Trojan-Downloader.Win32.Zlob.li

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
From: David H. Lipman on 14 Apr 2006 07:22

From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>

| More info - I've been trying to figure out how I got this malware -
| realised that the only thing that I had added knowingly recently was
| this . .

< snip >

BTW: In the future please obfuscate the URL of a malicious web site such that newbies will not click on the URL and get infected.

For Example; hxxp://www.media-codec.com/v4/mediacodec-v4.143.exe

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
From: pOTRice on 14 Apr 2006 08:15

Sorry to be a pain - I found your comment about "LIVE pc" a bit ambiguous . .

Have I done all that is needed to rid my PC of Zlob (removing Reg entry and the EXE it triggers) or do I still need to run the procedures you recommended?

Thanks for your tip about obfuscating the URL - I'm so paranoid about my own safety I forgot about the danger I might cause to others.

On Fri, 14 Apr 2006 11:22:47 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>
>
>| More info - I've been trying to figure out how I got this malware -
>| realised that the only thing that I had added knowingly recently was
>| this . .
>
>< snip >
>
>BTW: In the future please obfuscate the URL of a malicious web site such that newbies will not click on the URL and get infected.
>
>For Example; hxxp://www.media-codec.com/v4/mediacodec-v4.143.exe
From: David H. Lipman on 14 Apr 2006 08:24

From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>

| Sorry to be a pain - I found your comment about "LIVE pc" a bit
| ambiguous . .
|
| Have I done all that is needed to rid my PC of Zlob (removing Reg
| entry and the EXE it triggers) or do I still need to run the
| procedures you recommended?
|
| Thanks for your tip about obfuscating the URL - I'm so paranoid about
| my own safety I forgot about the danger I might cause to others.
|

What I mean by a live PC is booting the affected PC and then running the utilities on that PC. Basically, running the PC "live".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
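The clean-up described in the thread comes down to a 'Run' Registry entry and the executable it launches (dfrgsrv.exe). As an added example, not part of the thread or of any tool mentioned in it, this read-only PowerShell audit lists the Run/RunOnce autostart entries under HKLM and HKCU on a live PC, resolves each command to its image file, and flags entries whose file name is on a watch list (only dfrgsrv.exe, taken from the thread), whose file no longer exists, or which start from an unusual location. A flag is a prompt to look closer, not proof of infection; the script changes nothing.

```powershell
# Read-only audit of Run/RunOnce autostart entries (added example, not from the thread).
# Watch list: dfrgsrv.exe is the name reported in the thread; nothing else is assumed.
$WatchList = @('dfrgsrv.exe')

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds itself; these are not Registry values.
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath {
    param([string]$Command)
    # Reduce a command line to its executable: a quoted path, or the first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$Findings = foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($MetaProps -contains $prop.Name) { continue }
        $image  = Get-ImagePath -Command ([string]$prop.Value)
        $name   = [System.IO.Path]::GetFileName($image)
        $exists = Test-Path -LiteralPath $image -PathType Leaf
        $reason = @()
        if ($WatchList -contains $name) { $reason += 'matches watch list' }
        if (-not $exists)               { $reason += 'image file missing' }
        # Autostarts outside \Windows or \Program Files deserve a second look.
        if ($image -notmatch '^[A-Za-z]:\\(Windows|Program Files)') { $reason += 'unusual location' }
        [pscustomobject]@{
            Key       = $key
            ValueName = $prop.Name
            Command   = $prop.Value
            Image     = $image
            Exists    = $exists
            Flags     = ($reason -join '; ')
        }
    }
}

# Flagged entries sort to the top; verify each against the file on disk before removing anything.
$Findings | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys are readable; an entry that has already been removed (as in the thread) simply no longer appears, which is the confirmation pOTRice did by hand in Regedit.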