From: YoKenny on
<pOTRice> typed:
> I have now carried out the procedures you recommended and here is the
> report . .
>
> Virus Scan Report File
> --------------------------------------------------------------------------------
<snip>
> Scanning C: [Main]
> Scanning C:\*.*
> C:\Documents and Settings\Administrator\My Documents\Installers\USB
> under DOS\LeakTest.exe ... Found potentially unwanted program
> LeakTest.
> The file or process has been deleted.
> Scanning D: [BACKUP]
> Scanning D:\*.*
> D:\060205_256A\LeakTest.exe ... Found potentially unwanted program
> LeakTest.
> The file or process has been deleted.
<snip>

> I was disappointed that this did not result in the deletion of the
> offending EXE - dfrgsrv. However, it did get rid of the Registry key.
>
> I noticed that it deleted LeakTest which I would have thought should
> have been recognised as the well known firewall test program from
> the "Shields Up" site.
>
> Is this another example of rivalry between the various Anti-Virus tool
> writers? I remember that Norton insisted that my AVG Pro-protected PC
> had no existing virus protection!
>
> Anyway - panic over - many thanks for all your help - I'll be more
> careful next time. It's almost got to the point where you need a
> 'clone' PC to experiment with before risking the security of your
> 'real' PC.

pOTRice, this was discussed a lot over on the news.grc.com newsserver in
grc.leaktest a while back.
I believe Steve Gibson was going to release an updated version of Leaktest
to prevent this situation.

> On Fri, 14 Apr 2006 12:24:17 GMT, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
>> From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>
>>
>>> Sorry to be a pain - I found your comment about "LIVE pc" a bit
>>> ambiguous . .
>>>
>>> Have I done all that is needed to rid my PC of Zlob (removing Reg
>>> entry and the EXE it triggers) or do I still need to run the
>>> procedures you recommended?
>>>
>>> Thanks for your tip about obfuscating the URL - I'm so paranoid
>>> about my own safety I forgot about the danger I might cause to
>>> others.

>> What I mean by a live PC is booting the affected PC and then
>> running the utilities on that PC.
>> Basically, running the PC "live".
--
See CoU at least weekly:
http://www.dozleng.com/updates/index.php?&act=calendar
I support the right to arm bears

From: David H. Lipman on
From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com>

| I have now carried out the procedures you recommended and here is the
| report . .
|
| Virus Scan Report File
|
| --------------------------------------------------------------------------------
| Virus Scan Information

< snip >

|
| I was disappointed that this did not result in the deletion of the
| offending EXE - dfrgsrv. However, it did get rid of the Registry key.
|
| I noticed that it deleted LeakTest which I would have thought should
| have been recognised as the well known firewall test program from
| the "Shields Up" site.
|
| Is this another example of rivalry between the various Anti-Virus tool
| writers? I remember that Norton insisted that my AVG Pro-protected PC
| had no existing virus protection!
|
| Anyway - panic over - many thanks for all your help - I'll be more
| careful next time. It's almost got to the point where you need a
| 'clone' PC to experiment with before risking the security of your
| 'real' PC.
|
| pOTRice
|


The important thing is if you are still infected with the ZLob Trojan and its friends and
family components?

As for the LeakTest utility... The McAfee AV scanner is set to a very aggressive scanning
mode to catch not only known viruses and Trojans but to catch non-viral malware and
"potentially unwanted program" which could be adware/spyware or could be tools that can be
used in a malicious way. Some malware use legitimate tools to do malicious actions. It is
best to scan and remove malware and those that are not malware but can be used in a
malicious way. This way you can know that you are "clean".

As for the "clone" concept, yes, that's a good idea.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm