
Author Topic: Trojan attack exploits Google typos  (Read 1778 times)

Offline Clive

  • Administrator
  • *****
  • Posts: 74329
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Trojan attack exploits Google typos
« on: April 29, 2005, 17:25 »
The Register
By John Leyden
Published Friday 29th April 2005 10:33 GMT

Hackers have set up malicious websites designed to infect the Windows boxes of surfers who mistype the name of popular search engine Google.com. If a user opens one of the malicious websites, such as googkle.com, his PC box may be hijacked with malware including Trojan downloaders, backdoors and spyware.

Finnish anti-virus firm F-Secure reports that the site launches multiple pop-up Windows that lead to other sites harbouring malicious scripts. These scripts exploit a variety of vulnerabilities to automatically download code onto vulnerable boxes. Users are advised to keep their browser patches up to date - and to practice touch typing - in order to avoid infection. ®

http://www.theregister.co.uk/2005/04/29/googkle_trojan/
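
An added example, not part of the original post or the article: one way a defender can spot single-keystroke lookalikes such as googkle.com in DNS or proxy logs, by measuring edit distance to a watched domain. The watch list, the log format, the sample lines and every function name here are assumptions made for illustration.

```python
PROTECTED = ["google.com"]  # assumption: the domains you want to watch

# Constructed sample proxy-log lines: timestamp, client IP, requested host.
SAMPLE_LOG = """\
2005-04-29T10:31:02 10.0.0.5 www.google.com
2005-04-29T10:31:40 10.0.0.7 googkle.com
2005-04-29T10:32:11 10.0.0.7 www.goolge.com
2005-04-29T10:33:05 10.0.0.9 example.org
"""

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def registrable(host):
    """Last two labels only; assumption: no public-suffix handling (co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host, protected=PROTECTED, max_dist=1):
    dom = registrable(host)
    for brand in protected:
        dist = osa_distance(dom, brand)
        if dist == 0:
            return "legit", brand
        if dist <= max_dist:
            return "lookalike", brand
    return "unrelated", None

def scan(log_text):
    """Return (host, watched domain) for every lookalike request in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            verdict, brand = classify(fields[2])
            if verdict == "lookalike":
                hits.append((fields[2], brand))
    return hits

if __name__ == "__main__":
    for host, brand in scan(SAMPLE_LOG):
        print(f"lookalike of {brand}: {host}")
```

A hit only means the name is one keystroke away from a watched domain; it still needs triage before anything is blocked.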

Offline cerebus

  • Regular Member
  • **
  • Posts: 46
Trojan attack exploits Google typos
« Reply #1 on: May 05, 2005, 18:40 »
Hi again guys, I'm back  :wink:

I have a problem with my comp too, one that I just can't seem to solve, and I noticed Clive's "trojan attack" and wondered if I could get some help. You see, an application extension file (in c:\windows\system32) called req.dll has a trojan.download and I found out it goes to websites and downloads other trojan droppers and stuff. Well, I have scanned my comp with Norton 2005 and it didn't do much (absolutely naff all actually), so I ran Live Update and scanned again twice. I also used Microsoft AntiSpyware too; neither of them did anything. Norton found the file but couldn't fix, quarantine OR delete the virus and left my comp infected. Now I don't think I typed Google wrong or anything, so I may be in the wrong place. But I talked to a friend and he told me to try and delete the file (req.dll) in safe mode and that it shouldn't destroy my comp. I have tried various ways to delete the file but none have worked. I thought I could open the file in Notepad and delete all the text, then save over the file and basically delete the file but leave the icon there. Obviously this didn't work and I still have not got rid of the virus. If I try saving over the file it says "cannot create the file c:\windows\system32\req.dll please make sure u typed it right" or summat like that.

Norton keeps telling me about the infection and I cannot get rid of the box that appears, as when I click OK it pops up again, and each time it varies between "cannot repair the file" and "access to the file was denied".

Maybe, just maybe, you might be able to help me?? It's really getting me down :cry:
We're all cursed...   it's called life.

Try the --==GTO==-- forums!! http://s9.invisionfree.com/GTO

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Trojan attack exploits Google typos
« Reply #2 on: May 05, 2005, 19:12 »
Have a try with Xoftspy, it's solved a few problems for a few people lately since I came across it.
If you download the program and run it, it will detect anything nasty such as diallers, spyware and trojans.
Unfortunately it won't remove it until you register it but at least it will identify what file is causing the problem and its location.
I have just run another scan and it found a dialler on mine  :shock:

http://www.paretologic.com/xoftspy/lp/14/

Offline cerebus

  • Regular Member
  • **
  • Posts: 46
Trojan attack exploits Google typos
« Reply #3 on: May 05, 2005, 19:35 »
Well, thanks for that. I might not be able to do that as my computer is kinda full of other stuff as 3 people use it. By the way, when I tried to copy an image to a Word document recently it said "not enough memory please save the document immediately". Any idea what memory it is? I think it could be the RAM as I still have at least 20-something gig on the hard drive (23.7 GB to be exact). I'm thinking of building a new one as this is getting slow, and then my dad can have this one for eBay and stuff.

Offline Clive

  • Administrator
  • *****
  • Posts: 74329
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Trojan attack exploits Google typos
« Reply #4 on: May 05, 2005, 19:50 »
If you can't download Xoftspy then see if you have enough space to download Ad-Aware.  http://www.lavasoftusa.com/software/adaware/  Another useful program is http://www.x-raypc.com/  Try those and let us know how you get on.    :)

Offline cerebus

  • Regular Member
  • **
  • Posts: 46
Trojan attack exploits Google typos
« Reply #5 on: May 05, 2005, 20:01 »
Wow, well I downloaded that Xoftspy and it seems to be working pretty well, thanks for that  :D

As for the registering to get rid of them, do I need to pay or anything? And same for the ones you gave me, Clive.

Offline Simon

  • Administrator
  • *****
  • Posts: 77142
  • First to score 7/7 in Quiz of The Week's News 2017
Trojan attack exploits Google typos
« Reply #6 on: May 05, 2005, 20:06 »
Have you tried virus scanning with Norton in safe mode?  It may be able to remove the file if it's not active.  Also, turn off System Restore (temporarily), before going into safe mode, as viruses can lurk there, and once removed, can be reborn when you next start your PC.  To disable System Restore, right click your My Computer desktop icon, and select Properties, then the System Restore tab.  Untick the box, to switch off System Restore.  Don't forget to switch it back on again, once your computer is clean.  You could also try Spybot S&D, which can sometimes see stuff the others don't.  Also might be worth trying CoolWeb Shredder, in case it's a variant of that.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline cerebus

  • Regular Member
  • **
  • Posts: 46
Trojan attack exploits Google typos
« Reply #7 on: May 05, 2005, 20:12 »
Well... they're good and all, but I need something to get rid of them (seeing as Norton 2005 hasn't detected half as many things as those). Something else??  :?

Offline cerebus

  • Regular Member
  • **
  • Posts: 46
Trojan attack exploits Google typos
« Reply #8 on: May 05, 2005, 20:15 »
Wow, you guys really do know a lot. Do you all work with a mass computer company? lol. Well, thanks for it, I'll try that stuff to see what happens  :D Thanks a bunch

Offline Clive

  • Administrator
  • *****
  • Posts: 74329
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Trojan attack exploits Google typos
« Reply #9 on: May 05, 2005, 20:23 »
All the software we've mentioned is free to download and use - apart from the one Sandra gave you.

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Trojan attack exploits Google typos
« Reply #10 on: May 05, 2005, 20:36 »
Have a look in your private messages on here too Cerebus  :wink:

Offline cerebus

  • Regular Member
  • **
  • Posts: 46
Trojan attack exploits Google typos
« Reply #11 on: May 05, 2005, 22:26 »
WOW :shock:  never knew y'all missed me so much (not). Can't believe it, only one PM from Sandra waiting for me :( .

Oh well... anyway, the Spybot S&D seems to have got rid of a few of the problems too, but Norton keeps telling me there is a download.trojan in the req.dll file STILL. Hopefully Spybot S&D and Norton and other stuff may get rid of it soon enough; if not I may have to reformat my computer  :?  (or just try repairing it with the disk)

Scanning the file in safe mode with Norton and System Restore temporarily disabled didn't work either. Hope I find a cure soon. But thanks for all the help, you've been great  :D . I know I can always count on you guys, just wish I knew enough so that I could offer help back, maybe one day eh?  :wink:

Offline Simon

  • Administrator
  • *****
  • Posts: 77142
  • First to score 7/7 in Quiz of The Week's News 2017
Trojan attack exploits Google typos
« Reply #12 on: May 05, 2005, 22:45 »
Right, I found this on another forum:-

Quote from: "bricat @ http://www.webuser.co.uk/"
Download Killbox from http://www.downloads.subratam.org/KillBox.exe

Double-click killbox.exe on your desktop.
Select the option "Delete on reboot".
Now highlight and 'copy' the entire list of filepaths below:

C:\WINDOWS\System32\req.dll
C:\WINDOWS\System32\req.dat
C:\WINDOWS\System32\req.exe


Open 'file' in the killbox menu at the top and choose 'Paste from clipboard'

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines should be there together!

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.
Click YES

When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


Hope that helps!
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:
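
An added example, not part of the original posts or of Killbox: a parser for the Windows `PendingFileRenameOperations` value (a REG_MULTI_SZ under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`) that reports which of the three files listed above are actually queued for deletion at the next boot. It assumes the tool queues its "Delete on reboot" entries through that standard value, as the quoted message suggests; the sample blob and all function names are constructed for illustration.

```python
NT_PREFIX = "\\??\\"  # NT object-manager prefix stored in front of each path

# Paths taken from the quoted instructions above.
WANTED = [r"C:\WINDOWS\System32\req.dll",
          r"C:\WINDOWS\System32\req.dat",
          r"C:\WINDOWS\System32\req.exe"]

def build_blob(pairs):
    """Encode (source, destination) pairs the way REG_MULTI_SZ stores them."""
    body = "".join(f"{src}\x00{dst}\x00" for src, dst in pairs)
    return (body + "\x00").encode("utf-16-le")

# Constructed sample: two deletions queued, one unrelated rename, req.exe absent.
SAMPLE_BLOB = build_blob([
    (NT_PREFIX + WANTED[0], ""),
    (NT_PREFIX + WANTED[1], ""),
    (NT_PREFIX + r"C:\WINDOWS\Temp\new.tmp",
     "!" + NT_PREFIX + r"C:\WINDOWS\example.dll"),
])

def _clean(path):
    """Drop the '!' (replace existing) marker and the NT prefix, if present."""
    path = path[1:] if path.startswith("!") else path
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def parse_pending_renames(raw):
    """Return (source, destination, action) tuples from a raw value."""
    strings = raw.decode("utf-16-le").split("\x00")
    ops = []
    for i in range(0, len(strings) - 1, 2):
        src, dst = strings[i], strings[i + 1]
        if not src:  # empty source marks the end of the list
            break
        # An empty destination means "delete the source at boot".
        ops.append((_clean(src), _clean(dst), "rename" if dst else "delete"))
    return ops

def not_queued_for_delete(ops, wanted=WANTED):
    """Paths from `wanted` that have no delete entry (case-insensitive)."""
    queued = {src.lower() for src, _, action in ops if action == "delete"}
    return [p for p in wanted if p.lower() not in queued]

if __name__ == "__main__":
    ops = parse_pending_renames(SAMPLE_BLOB)
    for src, dst, action in ops:
        print(action, src, "->", dst or "(removed)")
    print("not queued:", not_queued_for_delete(ops))
```

Running the same check before rebooting shows whether another process has emptied the queue, which is the situation the "Removed by External Process" message describes.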

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Trojan attack exploits Google typos
« Reply #13 on: May 05, 2005, 23:16 »
Quote from: "cerebus"
I know I can always count on you guys, just wish I knew enough so that I could offer help back, maybe one day eh?  :wink:


Everyone starts off knowing next to nothing and learns a bit day by day, so it won't be long before you're able to help someone through learning from your own and others' problems and mistakes  :)

Offline cerebus

  • Regular Member
  • **
  • Posts: 46
Trojan attack exploits Google typos
« Reply #14 on: May 07, 2005, 13:01 »
Thanks for that, I will learn from mostly my mistakes (seeing as I have a lot of them) and I will try the Killbox too, thanks Simon  :D  Going to comp fair right now so see you all later

