Removing W32.Myzor.FK@yf
dale@fcg
05-23-2006, 07:51 AM
I have a client who :phone: to say he had his IE home page hijacked by topsecuritysite.com and had a popup window tell him he had the above-mentioned virus. Of course, that popup message offered an OK button to click on to download officially approved security software.
A BitDefender.com online scan came up with:
C:\WINDOWS\system32\regperf.exe
Infected with: BehavesLike:Win32.ExplorerHijack
C:\WINDOWS\system32\regperf.exe
Disinfection failed
C:\WINDOWS\system32\regperf.exe
Delete failed
Also, the BitDefender scan claimed to have deleted the following Trojan from two different locations (which seems to indicate he needs to turn off System Restore):
C:\System Volume Information\_restore{32DB9CCA-FADE-4C31-9693-F047E49712C5}\RP500\A0018608.tlb
Infected with: Trojan.Downloader.Zlob.KH
and
C:\System Volume Information\_restore{32DB9CCA-FADE-4C31-9693-F047E49712C5}\RP500\A0018619.exe
Infected with: Trojan.Downloader.Zlob.KH
Any suggestions on how to tackle from here?
tonyd
05-23-2006, 08:25 AM
Turn off System Restore, boot to Safe Mode (use the F8 key when starting), run the virus scan again.
-td
mylanta
05-23-2006, 08:36 AM
I would run HijackThis also:
http://www.majorgeeks.com/download3155.html
First of all, congratulations for getting Bit Defender Online to work. It always crashes IE on my machine. It sounds like this trojan opens in Startup. You have to shut it off first. Spybot can do that. Then reboot and do another scan.
Google had some pages:
http://forums.spywareinfo.com/index.php?showtopic=75760
http://castlecops.com/t154710-W32_Myzor_FK_yf.html
Dell Forums led me to this one:
http://www.precisesecurity.com/computer-virus/avmyzor-may01.htm
W32.Myzor.Fk removal procedures require technical know-how in computer troubleshooting. It is better to consult your LAN Administrator or Technical Persons to avoid additional damage to your computer if modifications to Services and the Registry have to be done.
MANUAL REMOVAL:
1. Disable System Restore (Windows Me/XP). [how to]
2. Download Webroot SpySweeper and save it to a desired location.
3. After downloading, browse to where the file was saved and double-click to install it.
4. After installation, connect to the internet and download all necessary updates.
5. Download SmitfraudFix (by S!Ri) and save it to a desired location. This will be a ZIP file.
6. Extract all the files to your Desktop; it will create a folder SmitfraudFix.
Note: When extracting or executing, some files might be detected as Potential Threat or Harmful Script. Please disable AntiVirus or Any Script Blocking Software temporarily. It may harm or make the Fix incomplete.
7. Reboot your computer in SafeMode [how to]
8. Run SpySweeper and do a thorough scan. Delete all infected files.
9. Close SpySweeper and other open Applications.
10. Browse to the folder SmitfraudFix on your Desktop and double-click on smitfraudfix.cmd
11. "Enter your Choice: (1,2,3,4,L,Q):" Press 2 on your keyboard to select Option 2
12. Wait for the process to finish.
13. If prompted for: Registry cleaning - Do you want to clean the registry? Press Y, as Yes
14. It will check if your wininet.dll file is damaged; if so it will ask you to Replace Infected File? Press Y as Yes and hit Enter
15. If it prompts you to Reboot your computer, please do so.
16. Reboot your computer in SafeMode with Networking [how to]
17. After a successful boot in SafeMode with Networking, connect to the internet.
18. In order to make sure that W32.Myzor.Fk is completely eliminated from your computer, carry out a full scan of your computer using an Online Virus Scanner. Scan with at least three different scanners.
FREE ON-LINE VIRUS SCANNER
Click here to proceed
DOWNLOAD SPYWARE REMOVAL TOOLS:
Download and run any of these Anti-Spyware:
Spy Sweeper
Spyware Doctor
Pest Patrol
Spy Hunter
I checked links on this site and it looks legit.
This sounds like another Mob-style extortion racket to sell phony Spyware crap. One guy caught it from downloading Registry Mechanic (which always was spyware, anyway) from a Google link. You find more and more spoofed links around anymore.
mylanta
05-23-2006, 09:27 AM
RAK,
Your IE closing down on Bit Defender scan is probably a tribute to your hybrid pc morphed construction? I have never heard of this before.
Even pc's loaded with virus usually can run this one, maybe your pc is too clean?
Nah, I actually just fixed it without knowing it yesterday. Did a search to get rid of Bit Defender files since my free license expired a while ago. I think it was a bad Temp or IE Temp file. Tried it after writing that and now it works. Clean so far. As for my MUTANT MACHINE, it takes a lot of delicate tweaking to keep it in tip-top shape :smash: Though I have upgraded from a rubber to a wooden mallet. :smash: More torque, of course :whistle:
dale@fcg
05-23-2006, 04:51 PM
FYI, the W32.Myzor.FK@yf virus made it through AVG. Got another distress call last night from another AVG user. That machine will come into the shop this weekend.
I just can't install/recommend this AV anymore.
Nod32 has never let me down, nor has BitDefender. Neither has been a drag on my system that I could tell. I haven't used Norton since '02, so I'm not qualified to comment on it. Of course, maybe Larry or Rich could help me form an opinion on NAV. Whatya think there, pals?
Pi rules
05-24-2006, 08:50 PM
Those instructions are OK, but you might want to add ewido to the scans you do. I also recommend doing as much as possible in Safe Mode. Also, make sure you include Panda's ActiveScan in the scan list.
Then, post a HijackThis log and someone can check it out.
casey
05-24-2006, 09:23 PM
I thought I'd try and see just how dangerous these Viruses are, so I tried entering them for an explanation.
I hope I had the right names....
Query: W32.MYZOR.FK@YF
The search "W32.MYZOR.FK@YF (W32.MYZOR.FK@YF)" did not match any documents.
Query: Trojan.downloader.Zlob.kh
The search "Trojan.downloader.Zlob.kh" did not match any documents.
I guess they weren't too dangerous, or else they are so new that they haven't been classified yet.
Pi rules
05-24-2006, 09:35 PM
There are different names given by different vendors, and, it looks like at least the first is a fairly new variant of existing malware.
casey
05-24-2006, 09:51 PM
I thought that, but it seems that the most popular don't have them yet...
Search Keyword: W32.MYZOR.FK@YF
Total 0 results found.
Search Keyword: ZLOB.KH
Total 0 results found.
dale@fcg
05-24-2006, 11:06 PM
New or old, this system was screwed up by the virus. Hijacked home page, warning dialog boxes like crazy.
casey
05-25-2006, 12:01 AM
Description:
W32.Myzor.Fk is a browser hijacker that redirects a page to the following websites:
www.securityuptodate.com
www.securitybulletin.net
www.pesttrap.com
www.malwarewipe.com
www.thespyguard.com
casey
05-25-2006, 12:11 AM
Trojan Downloaders (http://www.viruslist.com/en/virusesdescribed?chapter=153318100)
This family of Trojans downloads and installs new malware or adware on the victim machine. The downloader then either launches the new malware or registers it to enable autorun according to the local operating system requirements. All of this is done without the knowledge or consent of the user.
The names and locations of malware to be downloaded are either coded into the Trojan or downloaded from a specified website or other Internet location.
Trojan.downloader.Zlob.kh
casey
05-25-2006, 12:27 AM
Removal Procedure:
W32.Myzor.Fk removal procedures require technical know-how in computer troubleshooting. It is better to consult your LAN Administrator or Technical Persons to avoid additional damage to your computer if modifications to Services and the Registry have to be done.
MANUAL REMOVAL:
1. Disable System Restore (Windows Me/XP). [how to]
2. Download Webroot SpySweeper and save it to a desired location.
3. After downloading, browse to where the file was saved and double-click to install it.
4. After installation, connect to the internet and download all necessary updates.
5. Download SmitfraudFix (by S!Ri) and save it to a desired location. This will be a ZIP file.
6. Extract all the files to your Desktop; it will create a folder SmitfraudFix.
Note: When extracting or executing, some files might be detected as Potential Threat or Harmful Script. Please disable AntiVirus or Any Script Blocking Software temporarily. It may harm or make the Fix incomplete.
7. Reboot your computer in SafeMode [how to]
8. Run SpySweeper and do a thorough scan. Delete all infected files.
9. Close SpySweeper and other open Applications.
10. Browse to the folder SmitfraudFix on your Desktop and double-click on smitfraudfix.cmd
11. "Enter your Choice: (1,2,3,4,L,Q):" Press 2 on your keyboard to select Option 2
12. Wait for the process to finish.
13. If prompted for: Registry cleaning - Do you want to clean the registry? Press Y, as Yes
14. It will check if your wininet.dll file is damaged; if so it will ask you to Replace Infected File? Press Y as Yes and hit Enter
15. If it prompts you to Reboot your computer, please do so.
16. Reboot your computer in SafeMode with Networking [how to]
17. After a successful boot in SafeMode with Networking, connect to the internet.
18. In order to make sure that W32.Myzor.Fk is completely eliminated from your computer, carry out a full scan of your computer using an Online Virus Scanner. Scan with at least three different scanners.
FREE ON-LINE VIRUS SCANNER
Click here to proceed
DOWNLOAD SPYWARE REMOVAL TOOLS:
Download and run any of these Anti-Spyware:
Spy Sweeper
Spyware Doctor
Pest Patrol
Spy Hunter
casey
05-25-2006, 12:30 AM
http://www.spywarebot.net/
Remove Spyware, Adware, Trojans, Dialers, and Other Dangerous SpyBot Parasites Today! DOWNLOAD IT FREE
mylanta
05-25-2006, 12:37 AM
I wouldn't download either of those; the second one is spyware and the first one you suggest, Larry, is suspect!
Dan18960
05-25-2006, 08:20 AM
What I think most are missing is that MOST of these new malware mutants are "invited" into the systems.
I had a system locked down and because the end user READ an article about a pop-up blocker on a web page, he downloaded it and it ended up bringing in SpyFalcon - which is the morphed SpyAxe, SpyStriker, and WinFixer.
It isn't the standard pop-ups or emails that are infecting the systems now - it is the user downloading them and allowing their firewalls, pop-up blockers, spyware, etc to PERMIT the programs. Then once in the systems they are disabling the "guards at the gate" in the registry. That is why there is always a registry cleaning process (smitfraudfix deep scans the registry to remove these).
Online scans find these because there is not a registry entry to be prohibited.
mylanta
05-25-2006, 09:11 AM
What I think most are missing is that MOST of these new malware mutants are "invited" into the systems.
I had a system locked down and because the end user READ an article about a pop-up blocker on a web page, he downloaded it and it ended up bringing in SpyFalcon - which is the morphed SpyAxe, SpyStriker, and WinFixer.
It isn't the standard pop-ups or emails that are infecting the systems now - it is the user downloading them and allowing their firewalls, pop-up blockers, spyware, etc to PERMIT the programs. Then once in the systems they are disabling the "guards at the gate" in the registry. That is why there is always a registry cleaning process (smitfraudfix deep scans the registry to remove these).
Online scans find these because there is not a registry entry to be prohibited.
Yup, I could not agree more. Find a solution that keeps you free of spyware and viruses, and until it stops working, never add anything to the mix... so simple!
It's the same old story, Dan; The one part of the machine you can't lock down is the User. These bugs aren't breaking down the door to get in; you're opening it up for them. Same thing with popups and email attachments. The User has to hit OK to let them in. Educate them that they already have most of the protection they will ever need on their computer. Most browsers have popup blockers these days. This is more a matter of personal responsibility on the part of the User. IF they know how to look both ways before crossing the street, they should get it.
dbarrow
05-25-2006, 01:19 PM
It's the same old story, Dan; The one part of the machine you can't lock down is the User.
How true that is! Looks like that is what Vista security is all about... it does lock down the user, or at least put the brakes on and make them think before acting.
The best advice for the 'novice user' is to set them up with a "limited user" profile with downloading and all that other stuff disabled. Have them use that for general-purpose surfing and only use an Administrator-privileged account when they specifically require a permission at that level.
2nd to that, a registry lock program is worth the price!
All of the malware requires generation of registry keys to function. Lock the registry, it can't install or execute.
While I don't often scan with AdAware, as nothing ever gets in to scan for, I absolutely rely upon SE Plus AdWatch as a serious registry lock. It simply will not let you modify the registry or mess with anything that wants to modify a reg key without a warning popup requesting permission.
There are other registry lock programs, freeware and paid, out there, but I have never had need to try any of the others. Some only lock certain portions of the registry and not all (e.g. Mike Lin's Startup Monitor).
No matter which one you choose, a registry lock program can save you in spite of yourself! It offers a last chance out before a click of stupidity can't be undone.
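As an added example (not from the thread, and not the code of any tool named in it), the PowerShell script below does a lightweight version of what a registry watch offers: it snapshots the Run keys and the IE start-page values that hijackers of this kind modify, and on a second run reports what changed against the saved baseline. The baseline file path is an assumption.

```powershell
# Added example, not from the thread or any tool it names: snapshot the
# autostart and IE start-page registry values browser hijackers modify and
# report what changed since a saved baseline. Run once to create the
# baseline, then again after installs or a suspicious popup.
$BaselinePath = Join-Path $env:USERPROFILE 'autostart-baseline.json'  # assumed location

# Keys a hijacker of this kind typically touches: per-user and per-machine
# Run keys (startup programs) and the IE Main key (Start Page, Search Page).
$WatchedKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main'
)

function Get-AutostartSnapshot {
    # Returns a hashtable of "key\valuename" -> value string.
    $snapshot = @{}
    foreach ($key in $WatchedKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName/etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            $snapshot["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $snapshot
}

function Compare-Snapshot($baseline, $current) {
    # A new Run entry (e.g. one pointing at an unexpected system32 binary)
    # or a changed Start Page shows up here as ADDED or CHANGED.
    foreach ($k in $current.Keys) {
        if (-not $baseline.ContainsKey($k)) {
            Write-Output "ADDED    $k = $($current[$k])"
        } elseif ($baseline[$k] -ne $current[$k]) {
            Write-Output "CHANGED  $k : '$($baseline[$k])' -> '$($current[$k])'"
        }
    }
    foreach ($k in $baseline.Keys) {
        if (-not $current.ContainsKey($k)) { Write-Output "REMOVED  $k" }
    }
}

$current = Get-AutostartSnapshot
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) values)."
} else {
    $json = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($p in $json.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    Compare-Snapshot $baseline $current
}
```

Unlike a resident registry lock it only catches changes after the fact, so it is best run from the limited account immediately after any install the user agreed to.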
Dan18960
05-26-2006, 06:07 AM
The best advice for the 'novice user' is to set them up with a "limited user" profile with downloading and all that other stuff disabled. Have them use that for general-purpose surfing and only use an Administrator-privileged account when they specifically require a permission at that level.
ROFLMAO
Doug, I can tell you are NOT in the service field - you would be spending your days and nights at EVERYONE'S house.
Good suggestion - just dumb in application.
Would you like to go to Lina's EVERY TIME software needed to be installed??? Antivirus needed updating??? Or she needed to change the screen resolution, screen saver timing, etc, etc, etc? (NOTHING personal Lina :) )
Now in a network environment (and I am NOT referring to a peer to peer network - I'm talking SERVER here), you can lock down the workstations because you can push needed software installations to the workstations at startup via Admin authentication rights. But at the home user level - not an option.
dbarrow
05-26-2006, 08:15 AM
http://blogs.zdnet.com/Bott/?p=66
... Security
Security is one of the big selling points of Vista. One look at the new Security Center and you’ll see why. Where XP has three entries in its Security Center, Vista has six, including the most controversial feature in the OS: User Account Control. (See my series on UAC – Part 1, Part 2, and Part 3, for more details.) There’s no question that the new security features work as intended. The real test of Vista will be whether Windows users can be persuaded to keep UAC and other potentially disruptive features enabled. ...
As you said before..... Ka Ching!
Vista could be a real boon for the service industry.
mommalina
05-26-2006, 04:07 PM
Dan wrote: Would you like to go to Lina's EVERY TIME software needed to be installed??? Antivirus needed updating??? Or she needed to change the screen resolution, screen saver timing, etc, etc, etc? (NOTHING personal Lina)
Dan, thanks for your concern. I could really use the company, .... :bored: .... but I don't think I can afford it. ;)
Lina
PeteF
05-26-2006, 05:24 PM
http://blogs.zdnet.com/Bott/?p=66
As you said before..... Ka Ching!
Vista could be a real boon for the service industry.
URL below is from article above.
Check out the 30 screenshots of Vista.
http://blogs.zdnet.com/Bott/?page_id=65
Screenshot #2...
Seems like a bad idea to have to scroll vertically through a small window to locate a program to launch, as opposed to the fly-out menus.
http://blogs.zdnet.com/Bott/?page_id=65&page=2
Screenshot #7...
They still missed the mark on the search feature, where you can't do Google advanced-type searches on files. We need multi-keyword search capability to locate content within the files on our computers.
http://blogs.zdnet.com/Bott/?page_id=65&page=7
Screenshot #10...
Full system restore! Excellent if it actually works and allows storing the images to CDs or DVDs.
http://blogs.zdnet.com/Bott/?page_id=65&page=10
Screenshots #14 & 15...
They missed the mark again with the Windows Firewall by not giving adequate control over outbound traffic/threats.
http://blogs.zdnet.com/Bott/?page_id=65&page=14
Screenshot #18...
Seems like they made the GUI of Task Manager worse by going away from TABBED selections.
http://blogs.zdnet.com/Bott/?page_id=65&page=18
Screenshot #21...
IE7 has tabbed browsing! Great!
http://blogs.zdnet.com/Bott/?page_id=65&page=21
Screenshot #22...
Perhaps the dumbest, most confusing thing MS has recently done is to add the status of a setting such as the one shown here:
__Enable Protected Mode (not secure)
Try explaining that one to a newbie.
http://blogs.zdnet.com/Bott/?page_id=65&page=22
Out of the 30 screenshots, the above ones strike me most. I don't see anything that really sells me on switching to Vista.
I think MS has more work to do on those security features before people will flock to Vista for the sake of security. People will flock to Vista if, by default, it provides a secure environment without the need for any 3rd-party security software. At most, a person should only have to pay MS $10/year or less for a subscription to any virus definitions and such.
---pete---