Nasty Little Trojan

Oct 31, 2008 7:07PM PDT

Is it possible? I downloaded a free version of WinRar from download.com (I think it was WinRar 3.80) - and it deposited a nasty little trojan which took some time to clear - AVG didn't get it - Malware Bytes didn't get it - HouseCall didn't get it - in the end, I found a forum and was able (I hope) to eradicate it manually. But, hey - anybody got any observations? I trusted C.Net - But not any more....

Hi. Curious to know,
Oct 31, 2008 7:50PM PDT

What was the name of this trojan? And what detected it? (Or, how did you detect it and eradicate?)
Are you sure this wasn't a false positive?

Nasty Little Trojan (continued)
Oct 31, 2008 9:19PM PDT

Damn, I can't remember the name of it - I'm typing this at home, and the thing was on my work computer. AVG picked it up as a warning, but didn't pull the thing itself. Basically, it hijacked IE and Firefox, giving me a Cod Microsoft Page towards 'AntiSpyware.com' and put up a recurrent little VB Box with the message Hehehehehehe! which popped up over everything every ten seconds.
I ran AVG 8 - then downloaded MalwareBytes - ran both of them - NOTHING! So I googled the details, and found a forum which had tales of a similar infestation - followed someone's advice on which registry keys to eradicate, uninstalled WinRar - turned off system restore, rebooted, ran Trend's HouseCall - turned system restore back on - and it seemed to have gone - BUT - for the rest of the day, Google kept warning me that something was attempting to hijack the browser, so I think there may be a trace left. HouseCall, weirdly, finished in about fifteen seconds, so I'm not sure what was going on there - I will run everything again on Monday when I get in to work, and see what occurs - Wise Disc and Registry Cleaner, Windows Defender, and all the others. I'll also trawl the registry and get rid of any WinRar evidence. ZipGenius was recommended to me, so I will eradicate WinRar forever.

One More Step for Cleaning That One
Oct 31, 2008 10:01PM PDT

That sounds like Trenderdia. I have cleaned several of these. One of the moderators here does not like us to post links to fixes at other sites, so I will just add that running HostsXpert may help.

Download HostsXpert
http://www.funkytoad.com
* And Save it to your Desktop
* Rt Click Hoster.zip->>Extract all->>Extract it to your Desktop (or your C:\ drive)
* Open The Hoster folder->>Double Click HostsXpert.exe
* When the program Opens Click The "Restore MS Hosts File" button in the left pane.
* Then select "Restore Original Hosts" when prompted.
* Close the Hoster program when complete
* Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

If I were you, I'd stay away from Registry Cleaners.
Here are some good discussions on those:
http://aumha.net/viewtopic.php?t=28099
http://www.whatthetech.com/2007/11/25/do-i-need-a-registry-cleaner/
http://billpstudios.blogspot.com/2007/04/do-i-need-registry-cleaner.html

Good luck in keeping your work computer clean.
Regards,
Bugbatter
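
An added example, not part of the post above and not HostsXpert's own code: before restoring the default hosts file as described, this Python script lists every non-default entry, so injected redirects can be recorded and any legitimate custom entries re-added afterwards. The sample hosts content, its host names and its addresses are constructed for illustration.

```python
import ipaddress

# A stock Windows hosts file maps at most "localhost" to a loopback address.
DEFAULT_NAMES = {"localhost"}

# Constructed sample, not taken from an infected machine.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.search.example search.example
127.0.0.1       updates.av-vendor.example   # update site pointed at loopback
192.0.2.55      localhost
"""

def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for every non-default entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], " ".join(fields[1:]), "malformed"))
            continue
        if len(fields) < 2:
            findings.append((line_no, str(ip), "", "malformed"))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in DEFAULT_NAMES and ip.is_loopback:
                continue                          # the expected default mapping
            if ip.is_loopback or ip.is_unspecified:
                verdict = "blocked"               # name can no longer be reached
            else:
                verdict = "redirected"            # name resolves to a chosen host
            findings.append((line_no, str(ip), name, verdict))
    return findings

if __name__ == "__main__":
    # On a real machine, read C:\Windows\System32\drivers\etc\hosts instead.
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

Entries reported as "blocked" are not necessarily malicious, since ad-blocking hosts files use the same form; those are the custom entries the note above says must be replaced by hand.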

Nasty little Trojan etc.
Nov 1, 2008 12:54AM PDT

Thanks Bugbatter. I think you are right - Trenderdia rings a memory bell. And I recall that one of the fix instructions was to replace the Hosts file, which I did by copying the one from my Laptop.
Very interesting threads re: Registry Cleaners - must admit, I have never had the slightest trouble with them - Registry First Aid, CCleaner - Wise - and a couple of others - but in future, I think I may take it under advisement....

Just a note.
Nov 1, 2008 6:42AM PDT

Your comment that, "One of the moderators here does not like us to post links to fixes at other sites", deserves a reply.

You are mistaken, and your comment is misguided.

These forums are available for all members to help each other with their knowledge and expertise, and if that includes links to articles or advice on other web sites, such posts are always welcome. But only as the post and the links apply to the problem being discussed. Blatant advertising is prohibited, and soliciting members to leave CNET and join other forums is not allowed.

While suggesting to members they use specific software, and providing the links to that software is quite acceptable if it helps resolve problems, if a member has any sort of affiliation with that software, or with the web site, products or services, that member must clearly state their connection or affiliation. Continuous reference to such software, products or services will be treated as spam.

If you have run into difficulties with other Moderators because of links you provide in your posts, then you need to reconsider the content of your posts.

We will continue to monitor members' posts for any content that contravenes Forum Policy, and treat them accordingly. Your link to Forum Policy is in the left hand sidebar.

Mark

Hi Mark
Nov 1, 2008 7:33AM PDT

Mark, on this forum I posted a link to a fix for a Windows Update redirect that was being handled at a HijackThis forum. My post was deleted. The fix was for an identical problem that an OP here was having trouble with. If I remember correctly, the fix was not one of mine, and was at a site that has no advertising and no soliciting for donations. I am a member at many security sites.
For future reference, here are most of my affiliations:
https://mvp.support.microsoft.com/profile=59F83A39-27B1-4D11-8472-0CB3C9E4D49C
Shall I not post links to fixes or articles at any of these sites, including Dell and Microsoft?

Are you SURE you didn't download it from a sponsored link?
Oct 31, 2008 10:10PM PDT

Have a look at the below post at our "CNET Download.com site" forum.

It reads:

"Got me too"
"I downloaded from the sponsored link titled: WinRAR free forever. and have been infected by the Browser hijacker as well."

http://forums.cnet.com/5208-12543_102-0.html?forumID=141&threadID=314336&messageID=2896986#2896986

The member in the above post was quite sure he downloaded it from a sponsored link. Do you think it's possible, you did the same? If you are 100% sure it was CNET, I would suggest reporting.

Carol

Nasty Little Trojan etc etc
Nov 1, 2008 1:01AM PDT

The page is still there - http://www.wintechaiitm.org.cn/winrar.htm
It's masquerading as a C.Net page - I wish I could send a quantum torpedo right back at them, the rotten lot. Who are these morons? Do they sit in their rooms congratulating themselves at putting one over on the enormous anonymous human race? Is it a social inadequacy thing?
More important, can someone shut this site down? - Dear C.Net, this site is not doing your brand name any favours.

I forwarded this to Lee Koo (Admin)
Nov 1, 2008 2:00AM PDT

in the CNET forums and I'm sure he will let the appropriate people know. I don't know if they can do anything about it or not but at least they know now. Thanks for reporting it.

(NT) Thank You, Roddy
Nov 1, 2008 9:08AM PDT

Thanks for reporting this.
Nov 4, 2008 3:00AM PST

I have contacted the appropriate team and they are in the process of removing that ad.

Thanks again!
-Lee