11-8-09

Discussion in 'Blogs' started by tblount, Nov 8, 2009.

  1. tblount

    tblount New Member

    Joined:
    Sep 27, 2009
    Messages:
    3,537
    Likes Received:
    64
    There is a new, really tricky, Trojan making it's rounds. It places "Warning! Fatal error:" wallpaper on your desktop and if you select the Update Now option... well you just don't want to do that. The threat level is Critical. If you click on the “Update Nowâ€Â￾ button, you will automatically start the installation of WinCodecPRO, which is a hazardous application and should be avoided at all costs.

    There is a removal tool from Pctools.com here:
    http://remove-malware.net/spyware-doctor/warningfatalerror-wallpaper/download-warning-fatal-error-wallpaper-automatic-remover
    But as I have already mentioned, an ounce of prevention is worth more than a pound of cure.
    Read on...

    The Trojan replaces a system file called wextract.

    wextract.exe is a program in \windows\system32 that extracts the files inside of a cab file are further compressed. For example, a .dll or a .exe file may be
    listed as .dl_ or.ex_. This is where the extract utility comes in. You can't
    just use winzip to extract the file as it would still be in it's own compressed
    state, ie; .dl_ or.ex_ when "unzipped" by winzip. You run the extraction utility
    to "pull" it from the .cab file into it's full expanded state.

    Since there are no essential .CAB files on your hard drive, this program would
    probably never be called...even by SFC to restore files. Here is what I did.. first I copied it to \windows because \windows is also in the path and should something need it, it may find it as long as it's somewhere in the system's path.

    Copy \windows\system32\wextract.exe \windows

    Now you have to remove the trusted installer restrictions so you can rename
    it or delete it from the \windows\system32 folder with these two commands.

    takeown /f c:\windows\system32\wextract.exe /a

    icacls c:\windows\system32\wextract.exe /grant administrators:f

    Now you can use windows explorer and go to \windows\system32 and rename it.

    After it's renamed you can create a New Folder in \windows\system32 and
    name it wextract.exe ... making it impossible for the Trojan to install.
    This may cause SFC to be confused because it won't be able to
    restore wextract.exe .. but the virus won't be able to drop the Trojan
    either.

    What is "path" ?

    In the early days when software was installed manually, this was critical because if you did not put it in a folder that is listed in your path, or
    INCLUDE the program's folder in the path, windows could not find it and you
    could never get it to run. The install routine of almost all software today
    sets the path in the shortcut so you don't have to worry about windows finding it.

    The best way to understand path is to imagine you are a carpenter and you have an new assistant. When you tell him to get the saw he goes away for 20 mins then comes back and says he couldn't find it. So you have to set some ground rules. You'll tell him that when you want a tool, first look in the room you are working in, then in the toolbox in the last room you worked and if he can't find it, go to the service truck and look. If he doesn't find it there come right back and tell you.

    This saves a LOT of time if the tool was lost of left at home. When you tell windows to run xyz.exe the "path" is the list of locations to check before it comes back and tells you it's not found. If you didn't have a path windows would have to check every file on the computer before it gave up.

    ~~~~~

    Test of 16 Anti-Virus Products Says None Rates "Very Good"
    None of the products performed “very goodâ€Â￾ in malware removal or removal of leftovers, based on those 10 samples. eScan, Symantec and Microsoft (MSE) were the only products to be good in removal of malware AND removal of leftovers",
    http://www.net-security.org/malware_news.php?id=1137
     
  2. karachidude

    karachidude New Member

    Joined:
    Oct 2, 2009
    Messages:
    45
    Likes Received:
    0
    Brilliant as always..i only visit to read ur blogs..explaining unecessary services deserves a thank u :)
     
  3. tblount

    tblount New Member

    Joined:
    Sep 27, 2009
    Messages:
    3,537
    Likes Received:
    64
    Thank you... I've been working the past couple hours on a web page to round up EVERYTHING I turn off. This blog is good but there are many other tweaks scattered throughout the other blogs and I wanted to get them all in one place.
     

Share This Page

Loading...