The single most god-awful virus my computer has ever had!

[Chance_the_Gardener]

So it was around the end of May that I picked up a virus. I’ve done a little research on it, and it’s apparently a keylogger that transmits what I’m typing to somewhere else. It opens invisible windows that I can’t see, and it downloads all sorts of porn for me, and I don’t even have to ask. It sometimes offers to add porn links to my favorites for me. Isn’t this just fantastic?

Anyway, I managed to catch the URL of one of those windows and went directly to it. At that URL, I got this message:

UNINSTALL for Enter key initiates contact to “XX.XXX.XXX.XXX”
Dear Everyone, I’m using Internet Explorer for my web browser. I recently noticed while using my webmail account that whenever I press the Enter key, the window I’m working on stops being the active window. When I press the ALT-TAB key to return to my webmail (Yahoo account), I noticed that there is another active Internet Explorer window, but it disappears before I can activate it. If I keep the ALT-TAB key pressed, I can see from the description that the new IE window points to “XX.XXX.XXX.XXX”. I tried to visit that site but it turned up blank. Whenever I use IE (even as I post this), I have trouble using the Enter key because I fear my keystrokes are being sent to some other site. I have searched Google using for “XX.XXX.XXX.XXX” but I have found very few references to this problem. It appears this is a new problem because no one else seems to have raised awareness about it. I have tried to use Spybot SD and CWShredder, but the problem remains. If there are other people out there who have had this problem, I’d like to know how they solved it. Thank you very much.
**If your computer do like this, so you must download (link not reproduced here) and run uninstall utility **

Of course, those Xs are where the URL appears, and I’m not giving that out on this message board because I’m not sure if it could cause problems if I do so. I do have that URL, if anyone’s interested. Email me at nuclearfurniture@yahoo.com, and I’ll gladly send it to you. But you’ve been warned.

It goes without saying that I never visited the link on the virus’s page where I can supposedly go to take care of the problem. I’ve searched on Google for some references to the problem, and they are very few. I tried some of the solutions that I found but to no avail. I’m not sure I understood the instructions that were given; after all, I’m not an l33t haXXor or anything, so I require plain English to work computer problems out. (My command of the English language is superb, by the way.)

I could reload my system disks, but I don’t want to resort to that quite yet. I’ve dug viruses out of my computer before, but this is the absolute worst one I’ve ever encountered. One of the boards I visited said that it’s probably Russian, if that means anything. Whatever the hell it is, it’s been slowing down my already-slow computer. I have no idea how I picked it up, but I’ve got to get rid of it. Any advice would be greatly appreciated.

Also, if anyone helps me work it out, I promise to write up the instructions in the plainest English possible and post them around the net so that people with marginal computer skills (like myself) or people with less-than-marginal skills can solve this problem. It’s the least I can do, as a good “netizen,” or whatever I’m supposed to call myself.

[Q.E.D]

Download and run the Security Task Manager. It’s a fantastic program that identifies, rates and helps you remove unwanted and dangerous processes, even if they’re invisible or disguised. It’s a fully-funtional trial version.

[Mort_Furd]

You might also go to www.moosoft.com and download the trial version of the Cleaner. It works wonders on stuff that other programs don’t get - especially trojans like what you’ve got.

[Daizy]

Have you tried doing an online scan at Housecall yet?

Some more info on what operating system you’re using would be helpful as well?

[Chance_the_Gardener]

I’m using Windows 98, with Internet Explorer 6.0. I tried the Security Task Manager that Q.E.D. recommended. It identified my virus, but when I restart my computer, the virus is still there. I’m going to try these others that have been recommended. Hopefully one of them will do the trick. This is one nasty trojan!

[Q.E.D]

Chance the Gardener:

It identified my virus, but when I restart my computer, the virus is still there.

Did you do the Remove and Quarantine thing? It won’t automatically remove suspect programs, you have to decide what is and what isn’t supposed to be there, and the security risk ratings and other tools are there to help you. If it identified the program, but cannot remove or quarantine it, then you can use the Registry Editor (carefully!!), and search for occurrences of the identified filename, and remove them manually. Be sure to bach up your registry prior to making any changes. You should also post the information that the Security Task Manager gives about the virus, so we can give you more specific removal instructions.

[Chance_the_Gardener]

Q.E.D.—Hey, it worked! There were some related files that needed to be removed, which I tore out of there. Once I did that, everything was fine! Granted, it did take a few restarts; it seems the virus knew what was happening and fought me every inch of the way. There were some crashes of Windows through the process, but everything appears to be fine now. Thanks, Q.E.D.! You’re my hero!

I’m so impressed by this liberation from this trojan that I’m going to buy this Security Task Manager product, and I’m going to recommend it to anyone who has a problem. I’ve been putting up with the crap from this virus for almost four months; you have no idea how good it feels to finally be rid of this pest.

Thanks again, Q.E.D.! And thanks to everyone else for your suggestions. I didn’t try those, so I can’t vouch for them, but I’m grateful for everyone who builds this crucial shareware. I still have no idea how I picked it up, but I’m glad to be rid of it! Ah, freedom!

[choie]

Ugh, that’s awful – my sympathies!

If you haven’t yet, go to the SpywareWarrior, Computer Cops and/or Spyware Info forums and do a search for your problem. Prior to posting your issue, you should download and run HijackThis!, which is an incredibly useful and free utility to spot anomalies in your registry file.

. . . . . Aaaannnnnd on preview, I see you’ve been successful in eliminating the beast! Woohoo, congrats! Sorry for the late reply.

[Ale]

Chance the Gardener:

I still have no idea how I picked it up, but I’m glad to be rid of it! Ah, freedom!

Read and cry

The critical flaw has to do with how Microsoft’s operating systems and other software process the widely used JPEG image format and could let attackers create an image file that would run a malicious program on a victim’s computer as soon as the file is viewed. Because the software giant’s Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has affected images.

I´m not saying that´s how you got the spyware, just showing you a possibility.
Oh yes, use Firefox.

[Excalibre]

Yeah, I’m gonna second Ale on the idea of switching to another browser. I use Firefox as well; it’s just much nicer not to have to worry so much about these things. Sorry if people are getting sick of being told to switch browsers, but it’ll make a lot of your problems go away.

[DrDeth]

Have they figured out a cure for “about blank” yet? I mean, I can remove it with Hijack this, and for a while Symatec had it beat, but it is annoying as it doesn’t stay dead. :mad:

[Yeticus_Rex]

I too am victim to the about:blank virus/trojan…what to do?

[Fear_Itself]

Download AboutBuster and run it in safe mode. It is important that you close all other windows before you run this tool. Then run Adaware and Spybot in safe mode to remove any remaining vestiges. This should cure your about:blank issues.

[casdave]

Hmmm, I often get spam e-mails with the title “About ;_” but I never open any spam whatsoever.

Other Spams arrive with not a lot as the title, maybe just “Fwd;_”

Could it have arrived this way ?

[Bill_H]

Ale wrote

Read and cry (…) I´m not saying that´s how you got the spyware, just showing you a possibility.
Oh yes, use Firefox.

Excalibre concurred:

Yeah, I’m gonna second Ale on the idea of switching to another browser. I use Firefox as well; it’s just much nicer not to have to worry so much about these things. Sorry if people are getting sick of being told to switch browsers, but it’ll make a lot of your problems go away.

The thing is:
a) There’s no known exploit in place that takes advantage of this flaw.
b) The link (and thereby Ale’s quote) is inaccurate, in that going to a website won’t trigger this flaw. Rather you have to download and open a JPEG to be exposed.
c) (It naturally follows from #b) Firefox is just as vulnerable to this as IE. i.e. not vulnerable at all, yet in some sense completely vulnerable in that it can be a carrier for this problem.
One of the first lessons of Security is that the greatest dangers arise from lack of understanding. What a coincidence that this site is also dedicated to that principal. So in the interest of that greater good, truth, in a security thread on the SD, please don’t dispense nonsense.

[tracer]

The critical flaw has to do with how Microsoft’s operating systems and other software process the widely used JPEG image format and could let attackers create an image file that would run a malicious program on a victim’s computer as soon as the file is viewed.

:eek: How in … what the … how the heck does the JPEG format contain embedded executable code?!?

[Dragwyr]

tracer:

:eek: How in … what the … how the heck does the JPEG format contain embedded executable code?!?

It’s not really embedded executable code in a JPG file. Rather, it’s a buffer overrun issue in Micosoft Windows GDI processing the JPG file. Specifics can be found here at Microsoft’s web site.

[DrDeth]

Fear Itself:

Download AboutBuster and run it in safe mode. It is important that you close all other windows before you run this tool. Then run Adaware and Spybot in safe mode to remove any remaining vestiges. This should cure your about:blank issues.

That kills about:blank? Great, thank you. I have a computer guru- is it best to let him do it?

[Fear_Itself]

You should be able to do it yourself. It is a pretty straight forward tool, just follow the instructions, hit the scan button and it does the rest. Be sure you do not open a new browser window until you have rebooted after the scan.

[SpaceDog]

Bill H.:

The thing is:
a) There’s no known exploit in place that takes advantage of this flaw.
b) The link (and thereby Ale’s quote) is inaccurate, in that going to a website won’t trigger this flaw. Rather you have to download and open a JPEG to be exposed.
c) (It naturally follows from #b) Firefox is just as vulnerable to this as IE. i.e. not vulnerable at all, yet in some sense completely vulnerable in that it can be a carrier for this problem.

One of the first lessons of Security is that the greatest dangers arise from lack of understanding. What a coincidence that this site is also dedicated to that principal. So in the interest of that greater good, truth, in a security thread on the SD, please don’t dispense nonsense.

In the same vein …

a) There is now, I don’t have the link to the article but there’s at least one exploit out there (of course MS have already released the patch). To be fair your statement was correct when you posted it.

b) Going to a website could trigger this flaw if it has a JPG embedded. As could opening a JPEG via e-mail, a word doc, or anything really. Lots of websites have JPG images (most photos you see will be pictures).

c) As I understand it (and I may be wrong) because of the Microsoft license FireFox can’t use it’s JPG decoder library and so has to provide it’s own. Therefore most open-source (or open-source using or based) software needs to use it’s own JPG library (and uses one of the open source ones).

I should also note that there have been similar exploits discovered in some of the open source image libraries. So FireFox may still not be 100% safe (or safer), but I’m not getting into that fight at the moment.

SD