Archived from groups: alt.sys.pc-clone.dell
I am not sure if this was a "legit" Trojan because after many Google
searches all the names of the .DLL's that were being created in my
windows\system32 directory provided no information, but maybe that is
how this beastie operates.
Last Sunday I visited a web page with Internet Explorer looking for
pictures of modern day assault weapons to use as a background template
so I could model a gun for use in a Doom 3 and HL2 modification.
What a mistake that was!
(You can find a render of the model I made here ...
http://www.clanicd.com/WF2/FN_Final.jpg and
http://www.clanicd.com/WF2/FN_2.jpg)
First thing I noted after visiting this web page was Norton's Firewall
going spastic letting certain files access to the Internet. Next
thing I know Startup Monitor is telling me several files want to
register themselves to start on boot up. My computer then locked up on
me several times as I refused these files access to the registry
and/or the Internet. Scanning with everything I had plus downloading
Ad-aware and purchasing Spy Sweeper I started rooting out what I
could.
With a bunch of help from folks in the Newsgroup I managed to find out
several things...
This Trojan was creating bogus .DLL's or should I say .DLL's with
bogus names. Each file was the exact same size and could not be
deleted by normal means even doing so in safe mode. Hijackthis scans
kept showing a batch of .DLL's that it could not get rid of either.
From a link someone posted here (sorry I forgot who!) I ended up on a
web page with several utilities that led me to other pages with useful
information. One tool I found that helped me was the
VX2.BetterInternet Finder. This alerted me to the fact that Winlogon
was calling up "the" mystery .DLL. I had managed to get all the rest
off my system except this one. Even deleting the keys out of my
registry did nothing as the file and key would appear the next time I
opened RegEdit and/or rebooted.
This afternoon I Googled for some more information, namely how to
delete pesky files. I found this tool ... GiPo@MoveOnBoot. I had
tried Killbox, but it was not working, so I did not hold out much hope
for MoveOnBoot. But when I booted into safe mode, tagged the one .DLL
in question for deletion, and ran Hijackthis deleting it there too,
and running RegEdit and removing the Winlogon key with this .DLL;
WHAM! It was gone.
One thing I also did was tag the vbscript.dll for deletion when I
tagged the others. Reason for this was it was the exact same file
size as all those bogus .DLL's. Figured if I really need it again I
could find it without too much hassle.
So far so good. I just hope that Trojan stays away seeing how
Norton's, Spy Sweeper, Ad-aware, and Spy Bot still cannot find it.
Anyway, I would like to thank everyone for their assistance with my
Trojan problem. Thanks!
Mike
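
The size-matching heuristic from the post above, as an added triage example that is not part of the original post: it groups DLLs by size and then by SHA-256, so a file that only shares the size (as vbscript.dll might) is reported separately from byte-identical copies. The file names and contents are constructed sample data, and `triage_same_size` is a hypothetical helper name.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_same_size(directory, pattern="*.dll", min_cluster=2):
    """Return (clusters identical in size and SHA-256, names matching in size only)."""
    by_size = defaultdict(list)
    for path in Path(directory).glob(pattern):
        if path.is_file():
            by_size[path.stat().st_size].append(path)

    clusters, size_only = [], []
    for paths in by_size.values():
        if len(paths) < min_cluster:
            continue
        by_hash = defaultdict(list)
        for path in paths:
            by_hash[sha256_of(path)].append(path.name)
        dupes = [sorted(n) for n in by_hash.values() if len(n) >= min_cluster]
        clusters.extend(dupes)
        if dupes:  # only report outliers that sit next to a real cluster
            size_only.extend(n[0] for n in by_hash.values() if len(n) == 1)
    return sorted(clusters), sorted(size_only)


def demo():
    """Constructed sample: three identical dropped DLLs plus two look-alikes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("qwzxa.dll", "lmnop1.dll", "rtyu77.dll"):  # made-up names
            (root / name).write_bytes(b"\x4d\x5a" + b"A" * 510)
        (root / "vbscript.dll").write_bytes(b"\x4d\x5a" + b"B" * 510)  # same size only
        (root / "other.dll").write_bytes(b"\x4d\x5a" + b"C" * 100)  # different size
        return triage_same_size(root)


if __name__ == "__main__":
    print(demo())
```

Files in the first list are byte-for-byte copies of each other; files in the second list need a separate check (version information, signature, a known-good copy) before removal.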