[dba-Tech] Nasty little trojan

John Bartow john at winhaven.net
Tue Jan 10 23:35:38 CST 2006


I thought I ran into your trojan tonight. I was working on a PC and cleaning
the typical junk off the desktop. I ran into this:
http://www.winhaven.net/security/ScreenShot.html

To the right you'll see a small quasi-icon (scroll down and there's a blow-up
of it beneath the large image).

If I clicked on it I could see that it had the image boundaries the same as
a typical icon, but when clicked it would not do anything. I could get no
shortcut menu from it when right-clicking (got the menu for the desktop) and
I could not select it.

Anyone ever see anything that looked like that?

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Jon Tydda
Sent: Tuesday, January 10, 2006 10:27 AM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Nasty little trojan

Not a clue, but I'm hoping that the av companies start including it in their
updates, as it's a right pain to get rid of.


Jon

-----Original Message-----
From: John Bartow [mailto:john at winhaven.net]
Sent: 10 January 2006 16:16
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Nasty little trojan


Jon,
Good catch! It must be very new as I can't find any information on it
(including Trojan Hunter info). Have you found anything about how it was
delivered? 

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Jon Tydda
Sent: Tuesday, January 10, 2006 8:55 AM
To: Dba-Tech (E-mail)
Subject: [dba-Tech] Nasty little trojan

Had some problems last night...
 
I turned my pc on, fired up Trillian, Outlook and Zmud, and waited a few
seconds for them to appear. Trillian and Zmud opened pretty quickly, and I
noticed that Outlook hadn't appeared. So I clicked the icon again, and a
message box appeared saying "Outlook failed to open correctly last time,
would you like to start in safe mode?" So I clicked no, and waited. Nothing.
I clicked it again, got the same error message and clicked on yes this time.
Again nothing happened. Then it asked if I'd like to do a detect and repair,
which I agreed to. The detect and repair started up, and failed halfway
through as it claimed to need the installation CDs, despite having the
install files on the hard drive...
 
It was at this point I got suspicious, and opened Internet Explorer to look
for information on a possible virus. IE closed about 2 seconds after
opening. So I opened McAfee virus scan in a vain attempt to scan my pc.
McAfee closed about a second after the splash screen appeared.
 
Fortunately, I had a copy of Stinger on my desktop, so I started that and
was relieved to see that it stayed open, although in the end, it didn't find
anything. Trend Micro's Sysclean didn't find anything either.
 
Sunday night I had run Spybot, Ad-Aware, Giant, and SpySweeper, as well as
diskcleanup and defrag, and had updated Windows to include the WMF patch on
Friday. The only thing I hadn't run was Trojan Hunter, so I started that up
and waited for it to disappear. It didn't. So I updated it, and ran a full
scan. This eventually picked up a file called "autoload.exe" and named it as
"Runner.100". I can't find information about this infection anywhere, but
removing it let me run Outlook and IE again, so I'm kinda pleased.
 
I am a little troubled at how easily my pc got infected despite having good
anti-virus software, lots of anti-spyware software, Zonealarm and the
hardware firewall in my router.
 
But I can thoroughly recommend Mischel's Trojan Hunter 4.2, available from
http://www.trojanhunter.com/
 
 
Jon


The information in this e-mail is confidential and may also be legally
privileged. The contents are intended for recipient only and are subject to
the legal notice available on request from : webmaster at alcontrol.co.uk
ALcontrol Laboratories is a trading division of ALcontrol UK Limited.
Registered Office: Templeborough House, Mill Close, Rotherham, S60 1BZ.
Registered in England and Wales No 4057291
_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
