From: pOTRice on
More info - I've been trying to figure out how I got this malware -
realised that the only thing that I had added knowingly recently was
this . .

http://www.media-codec.com/v4/mediacodec-v4.143.exe

I found the path still in the recently accessed (dropdown list in IE)

I still had the actual EXE (I always save them)

I executed this again (on my copy system) and, lo and behold, it set
up the Registry key and put back dfrgsrv.exe again!

AVG didn't notice it originally - nor even when I asked it to
specifically scan the codec EXE.

I am wondering about my previously stated faith in the power of
ZoneAlarm.
Would the malware have tried to phone home in the guise of Explorer
since the Reg Key was associated with that? If so, I might have
allowed it!



On Fri, 14 Apr 2006 09:07:27 GMT, pOTRice
<potriceReMoVe(a)tHiSboltblue.com> wrote:

>I've had a go . .
>
>Ghosted the partition onto another drive (I use removable caddies) and
>tinkered with the copy.
>
>Tried SmitRem.exe didn't seem to do any good.
>Started Disc clean up but got impatient.
>
>What the hell! - it's only a copy - Ran up in Safe mode - *deleted*
>dfrgsrv.exe.
>Ran up MS AntiSpyware - asked it to delete the 'Run' Registry entry -
>it did!
>Checked again with Regedit - yes it had gone.
>
>Ran up again in Normal mode - seems OK.
>
>Only negative impact so far is my Desktop icons are nicely arranged in
>the top right hand corner of screen - I can live with that.
>
>Am I kidding myself?
>Is it really much more complicated than that?
>
>I will be keeping a careful eye on each re-boot in future (not very
>often - stays on for weeks)
>
>Many thanks David for your quick response and effort you put in to
>help me - much appreciated.
>
>Now to fix the *real* disk . .
>
>
>
>
>On Thu, 13 Apr 2006 18:04:37 GMT, "David H. Lipman"
><DLipman~nospam~@Verizon.Net> wrote:
>
>>From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>
>>
>>| Many thanks for your comprehensive reply.
>>| I will not have a chance to execute it till tomorrow.
>>|
>>| I hope I'm right in thinking that, as long as ZoneAlarm blocks it
>>| going out, it can't do any real harm.
>>|
>>
>>It depends on your definition but the FireWall is blocking any aspects of sending data
>>"home" or to 3rd parties.

From: David H. Lipman on
From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>

| More info - I've been trying to figure out how I got this malware -
| realised that the only thing that I had added knowingly recently was
| this . .

| http://www.media-codec.com/v4/mediacodec-v4.143.exe

| I found the path still in the recently accessed (dropdown list in IE)

| I still had the actual EXE (I always save them)

| I executed this again (on my copy system) and, lo and behold, it set
| up the Registry key and put back dfrgsrv.exe again!

| AVG didn't notice it originally - nor even when I asked it to
| specifically scan the codec EXE.

| I am wondering about my previously stated faith in the power of
| ZoneAlarm.
| Would the malware have tried to phone home in the guise of Explorer
| since the Reg Key was associated with that? If so, I might have
| allowed it!


Yes, these utilities need to clean the LIVE PC to access both the disk files and
the Registry of the affected OS.

What you posted, "mediacodec-v4.143.exe", was another in a series of new variants of
the Zlob Trojan.
Kaspersky 4.0.2.24 04.14.2006 Trojan-Downloader.Win32.Zlob.li

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


From: David H. Lipman on
From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>

| More info - I've been trying to figure out how I got this malware -
| realised that the only thing that I had added knowingly recently was
| this . .

< snip >

BTW: In the future please obfuscate the URL of a malicious web site such that
newbies will not click on the URL and get infected.

For Example; hxxp://www.media-codec.com/v4/mediacodec-v4.143.exe


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


From: pOTRice on
Sorry to be a pain - I found your comment about "LIVE pc" a bit
ambiguous . .

Have I done all that is needed to rid my PC of Zlob (removing Reg
entry and the EXE it triggers) or do I still need to run the
procedures you recommended?

Thanks for your tip about obfuscating the URL - I'm so paranoid about
my own safety I forgot about the danger I might cause to others.


On Fri, 14 Apr 2006 11:22:47 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>
>
>| More info - I've been trying to figure out how I got this malware -
>| realised that the only thing that I had added knowingly recently was
>| this . .
>
>< snip >
>
>BTW: In the future please obfuscate the URL of a malicious web site such that
>newbies will not click on the URL and get infected.
>
>For Example; hxxp://www.media-codec.com/v4/mediacodec-v4.143.exe

From: David H. Lipman on
From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>

| Sorry to be a pain - I found your comment about "LIVE pc" a bit
| ambiguous . .
|
| Have I done all that is needed to rid my PC of Zlob (removing Reg
| entry and the EXE it triggers) or do I still need to run the
| procedures you recommended?
|
| Thanks for your tip about obfuscating the URL - I'm so paranoid about
| my own safety I forgot about the danger I might cause to others.
|

What I mean by a live PC is booting the affected PC and then running the utilities on that
PC.
Basically, running the PC "live".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
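
The check the thread keeps coming back to is whether the `Run` key still points at the dropped executable. The following script is an added example (not Dave's procedure or any tool from the linked pages): it parses a `reg export` of the autostart keys and lists every `Run`/`RunOnce` value whose executable is not on a short allow-list. The `.reg` text below is a constructed sample whose only page-backed entry is the `dfrgsrv.exe` one; the other names and the allow-list are assumptions, and the parser handles only plain string values (`"name"="value"`), not `hex(2):` expand-strings.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of what `reg export` produces for the two classic autostart keys.
# Only the dfrgsrv.exe entry mirrors the infection described in the thread; the rest is
# filler so the parser has something benign to skip.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"dfrgsrv"="C:\\WINDOWS\\system32\\dfrgsrv.exe"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Assumed allow-list of autostart executables the owner recognises (lower-case basenames).
KNOWN_GOOD: Set[str] = {"soundman.exe", "updater.exe", "ctfmon.exe"}

# Section headers for Run / RunOnce under any hive.
RUN_KEY_RE = re.compile(r"^\[(.+\\CurrentVersion\\Run(?:Once)?)\]\s*$", re.IGNORECASE)
# "name"="value" with .reg escaping (\\ and \" inside the quotes).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command line) for every string value under a Run/RunOnce key."""
    entries: List[Tuple[str, str, str]] = []
    current = None
    for line in reg_text.splitlines():
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = m.group(1) if m else None   # None => not an autostart key, ignore values
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((current, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def image_path(cmdline: str) -> str:
    """Pull the executable out of a Run command line ("quoted path" args | bare path args)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def suspicious_entries(reg_text: str, known_good: Set[str] = KNOWN_GOOD) -> List[Tuple[str, str, str]]:
    """Autostart entries whose executable basename is not on the allow-list."""
    flagged = []
    for key, name, cmd in parse_run_entries(reg_text):
        exe = image_path(cmd)
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base not in known_good:
            flagged.append((key, name, exe))
    return flagged


if __name__ == "__main__":
    # On a real box: reg export "HKLM\...\Run" run.reg, then open it with encoding="utf-16".
    for key, name, exe in suspicious_entries(SAMPLE_REG):
        print(f"[!] {key}\n    {name} -> {exe}")
```

Run it against an export taken after the clean-up; if `dfrgsrv` (or any other name you do not recognise) still shows up, the removal did not stick. The same keys should be re-checked on the first reboot after the fix, since that is when a surviving `Run` value would re-drop the file.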