Posted: 8/26/2004 9:48:08 AM EST
[Last Edit: 8/26/2004 9:53:27 AM EST by M4]
First off, I want to thank, once again, purplecheese for his HUGE assistance in helping my last issue with a renegade Norton product. Now, I have a trojan. Lucky me.

I installed McAfee Internet Security, and despite repeated attempts, I could not get it to update my virus definitions. The product installed fine, and everything appears to work as needed, however updates just will not happen.

After getting off the phone with McAfee, I was recommended to log on to their web page, and do a scan from there, to see if their up-to-date list of known threats might identify a virus/trojan that could be affecting my PC.

It ran a full system scan and turned up a single trojan, JV/Zaak.

This is the description of the trojan:

JV/Zaak

Trojan Information
Discovery Date: 10/13/2003
Origin: Unknown
Length: 13,151 bytes
Type: Trojan
SubType: -
Minimum DAT: 4299 (10/22/2003)
Updated DAT: 4299 (10/22/2003)
Minimum Engine: 4.2.40
Description Added: 11/04/2003
Description Modified: 11/06/2003 2:58 PM (PT)


Trojan Characteristics:
This Java Applet alters Internet Explorer settings and makes changes to the system HOSTS file.

Symptoms
The trojan modifies the registry values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 "1C00" = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1C00" = 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 "1C00" = 0
This has the effect of disabling Java for the Local Intranet, Trusted Sites and Internet security zones used by Internet Explorer.

The trojan also sets the search page, and start page of Internet Explorer to the following address: http://www.kazaa-lite.ws. It also creates 2 URL Shortcuts in the Favorites folder, pointing to the same site. (No start page changes ever occurred, and I found no additions in my Favorites folder)

The HOSTS file is modified to redirect users to a specified site. (This part never affected my PC)

Aliases:
Trojan.Java.Kazlite (AVP)

-----------------------

The removal section is, from where I sit, nonexistent.

"Removal Instructions
Use current engine and DAT files for detection. Delete any file which contains this detection."


I have no idea what this means.

Can anyone assist me in ridding my PC of this trojan? Any ideas, or tools to do so would be a big help. Thanks in advance.
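
The symptoms listed in the McAfee description quoted above can be checked offline against a registry export and a copy of the HOSTS file. This is an added example, not part of the original posts or any McAfee tool; the sample inputs are constructed, and the `Internet Explorer\Main` key used for the start/search page is an assumption that the quoted description does not state.

```python
import re

# Indicators from the McAfee description quoted in the post.
ZONES = {"1": "Local Intranet", "2": "Trusted Sites", "3": "Internet"}
ZONE_KEY = re.compile(r"\\Internet Settings\\Zones\\([123])\]$", re.I)
# Assumption (not on the page): IE keeps "Start Page"/"Search Page" under this key.
IE_MAIN = re.compile(r"\\Internet Explorer\\Main\]$", re.I)
SITE = "kazaa-lite.ws"

def check_reg_export(text):
    """Scan the decoded text of a .reg export for the described changes."""
    findings, section = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):          # "[HKEY_...\key]" starts a new section
            section = line
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m:
            continue
        name, value = m.groups()
        zone = ZONE_KEY.search(section)
        if zone and name.upper() == "1C00" and re.fullmatch(r"dword:0+", value, re.I):
            findings.append(f"Java disabled in zone {zone.group(1)} ({ZONES[zone.group(1)]})")
        if IE_MAIN.search(section) and name in ("Start Page", "Search Page") and SITE in value.lower():
            findings.append(f"{name} points to {SITE}")
    return findings

def check_hosts(text):
    """Return HOSTS entries other than comments and plain localhost mappings."""
    extra = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) >= 2 and fields[1:] != ["localhost"]:
            extra.append((fields[0], fields[1:]))
    return extra

# Constructed sample inputs (not taken from an infected machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1C00"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00"=dword:00010000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.kazaa-lite.ws"
'''
SAMPLE_HOSTS = "127.0.0.1 localhost\n# comment\n192.0.2.10 search.example.com\n"

if __name__ == "__main__":
    print(check_reg_export(SAMPLE_REG))
    print(check_hosts(SAMPLE_HOSTS))
```

Any HOSTS entry the second function returns still needs a human decision, since legitimate software and administrators also add entries there.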



Link Posted: 8/26/2004 11:43:26 AM EST
[Last Edit: 8/26/2004 12:01:34 PM EST by purplecheese]
Oooo... You've got one of those interesting trojans, that the big security companies don't seem too worried about.

From what I've read try this:
Run the virus scanner and make note of what files are infected. Delete those infected files from the machine (if you are running XP or ME you need to disable System Restore).

According to the instructions though, your Virus Scanner (the software you bought) should be able to remove the trojan, as long as you have the update dated 11/4/2003.

I didn't find much more information about it though.

I'll keep looking for anything else.

ETA: You might want to try spybot and see if it will remove the trojan. Download it here.
Link Posted: 8/26/2004 6:33:58 PM EST
Purplecheese, again, you are the man.

Problem solved.

You ever travel to FL? If you come anywhere near Palm Beach County, you have a couple of cold ones on me waiting for you. Hope you take me up on that too. Thanks man!
Link Posted: 8/26/2004 7:37:48 PM EST
No prob M4. Always glad to help. If I ever do go to FL I will take you up on the cold ones.