Virus / Trojan elimination... Win 7 64 - registry questions

Discussion in 'Operating Systems' started by DarkSideA8, Jun 2, 2012.

  1. DarkSideA8

    DarkSideA8 Limp Gawd

    Messages:
    254
    Joined:
    Apr 13, 2005
    I got a java exploit virus/trojan recently - either through a fake update or hitting the "x" on one of those annoying pop-ups.

    Anyway, I've run Trend Micro & Security Essentials and both tell me they've found the problem & have cleaned it... daily.

    Meaning, there is something hiding which those programs cannot find.

    I found a couple of suspicious entries in "hkey_current_user software microsoft windows currentversion internet settings\zonemap\domains" - and want to be sure they're configured correctly - or whether I should delete them.

    The sites listed are ones I plugged into the restricted cookies section under IE - but they are not all of the sites listed in IE.

    The registry DWord value is "4" (0x00000004 (4)), but I am not certain that means "block" or not - and, I am not sure why only these 5 sites show up in the 'Domains' registry, and not all of the sites on my IE restrictions page (suspicious).

    Thoughts?
     
  2. daglesj

    daglesj [H]ardness Supreme

    Messages:
    5,020
    Joined:
    May 7, 2005
    Take the HDD out and scan it on another PC. Once it's cleaned off all it can find then put the HDD back in, boot up and run Combofix on it to clean up the last bits and any app/Registry changes.

    Nigh on impossible to clean virus/trojans off a running PC once infected. You don't get everything.
     
  3. Snowknight26

    Snowknight26 [H]ardness Supreme

    Messages:
    4,153
    Joined:
    May 8, 2005
    Zone 4 is 'Restricted Sites Zone,' obviously. If you see other sites there, check under HKLM as well.
     
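    The check Snowknight26 describes, as an added example that is not from the thread: it walks the ZoneMap\Domains keys under both HKCU and HKLM and translates each DWORD into the zone it stands for (the zone numbers 0 to 4 are the standard URL security zone ids; the function and variable names are mine).

    ```powershell
    # Added example: enumerate IE URL-zone assignments under the per-user (HKCU) and
    # per-machine (HKLM) ZoneMap\Domains keys and translate each DWORD into a zone name.
    $zoneNames = @{
        0 = 'My Computer'
        1 = 'Local intranet'
        2 = 'Trusted sites'
        3 = 'Internet'
        4 = 'Restricted sites'
    }

    $roots = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )

    function Get-ZoneMapEntries {
        param([string]$Root)
        if (-not (Test-Path -Path $Root)) { return }
        $rootName = (Get-Item -Path $Root).Name   # e.g. HKEY_CURRENT_USER\Software\...
        # Each domain is a subkey; a subdomain is a nested subkey (example.com\www).
        # Values under a key are named by scheme ('http', 'https') or '*' for any scheme.
        Get-ChildItem -Path $Root -Recurse | ForEach-Object {
            $key   = $_
            $parts = $key.Name.Substring($rootName.Length + 1) -split '\\'
            # Rebuild the host name: nested key "example.com\www" means www.example.com
            $hostName = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
            foreach ($valueName in $key.GetValueNames()) {
                $zoneId = $key.GetValue($valueName) -as [int]
                [pscustomobject]@{
                    Hive     = $Root.Split(':')[0]
                    Host     = $hostName
                    Scheme   = if ($valueName -eq '') { '(default)' } else { $valueName }
                    Zone     = $zoneId
                    ZoneName = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'unknown' }
                }
            }
        }
    }

    $roots | ForEach-Object { Get-ZoneMapEntries -Root $_ } | Format-Table -AutoSize
    ```

    Compare the output with the Restricted sites list in IE: a host you never added that sits in zone 2 (Trusted sites), or a mapping present only under HKLM, is the kind of entry worth investigating.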
  4. DarkSideA8

    DarkSideA8 Limp Gawd

    Messages:
    254
    Joined:
    Apr 13, 2005
    Thanks, guys.

    Any idea how to find information on these:

    Exploit:Java/CVE-2012-0507.BR!ldr
    ~or~
    TrojanDownloader:Java/OpenStream.BO

    I tried googling, but it seems like a lot, if not most, of the sites talking about viruses are highly suspicious themselves. Prior to HijackThis getting snatched up by (and languishing under) Trend, there used to be good sites that helped figure out where these things were hiding...

    @ daglesj: I'll try your suggestion, thanks.