
What is this "015 - Trusted Zone"?

Status
Not open for further replies.

ron040401

MIS
Apr 9, 2004
21
US
I am seeing a lot of these "015 - Trusted Zone" entries appearing in HiJackThis logs. I just worked on an XP Pro system where this entry keeps reappearing after being removed. Other things happen as well... Notepad has disappeared, the Sites button on IE6 is greyed out and the Hosts file fills up with various sites as soon as I clean it out. In fact, if I delete Hosts, it reappears in two or three seconds.
I have run through the usual gambit of repairs (Norton AV, HiJackThis, Ad-Aware, manual cleanups and registry edits). I am preparing to install SP2 but wondered if this entry will cause any problems. Also, the popups continue to appear whether I use IE or Firefox. The other entries that continuously return are the iesearchupdate entries. Anyone have a fix for this? Appears to be relatively new. Oh, and one more odd thing... the user swears he never assigned a password to Administrator but now he has one. I cannot get into Administrator login.
Thanks for your help.
 
This particular malware is new, and truly a pain to manually remove.

Moreover, an upgrade to Service Pack 2 is not going to help.

On section 015 entries in Hijack This:

I have not seen a good manual removal process for this new malware. Restore from backups. Then do the SP2 upgrade.
 
Don't forget to DISABLE the restore point before doing a restore or you will be back to square one.
 
Oh, I don't know if I can restore... that would be like running away without a fight. No, I think I'll meet the challenge instead. Time for some serious mallbutt kicking.
Thanks for the info. I'll post if I find anything.
 
Then see faq608-4650 for serious mallbut kicking.
 
Well, it took over 9 hours but I came out with most of me intact. At first, I would perform one step then carry on to the next then realize that the whole thing had come back again. So, it seemed that the order in which I ran the fixes was significant.
Here are the tools I used:
- AboutBuster
- ServiceFilter
- Ad-Aware
- HiJackThis
- CWShredder
- UninstallNewDotNet
- Regedit
- Norton Internet Security
- Microsoft XP Service Pack 2 CD

Here are the steps I followed:
a) Removed a downloader trojan using TrendMicro's Online Virus scan.
b) Disconnected the Internet cable then started in Safe Mode.
c) Used Run command to run "control userpasswords2" to reset the Administrator password.
d) Restarted in Safe Mode, logged in as Administrator.
e) Ran UninstallNewDotNet.
f) Ran HiJackThis.
g) Ran CWShredder.
h) Ran AboutBuster.
i) Ran ServiceFilter.
j) Ran Ad-Aware.
k) Installed Norton AntiVirus and Norton Firewall trials (they are 2004 versions).
l) Made changes to the Internet ZoneMap settings in the registry similar to the changes listed in Symantec's removal instructions for Adware.CDT.
m) Emptied all the Temp and Temporary Internet File folders.
n) Reset Hosts to its default but the hijacking sites added themselves in a matter of seconds.
o) Plugged the Internet cable back in and rebooted.
p) Ran Norton LiveUpdate four times. The problems started to come back again but at a controlled pace.
q) Restarted in Safe Mode and ran steps (e) to (m) again except for the Norton installations.
r) Rebooted.
s) Ran Norton Antivirus scan and removed nine other trojans.
t) Reset Hosts to its defaults. This time it stayed.

I think the step that made the difference was the manual removal process from Symantec. That seemed to be the only reinstallation that did not fully transpire between the two block processes.

I hope I never see this guy again.
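
A read-only way to re-check, after each pass, the two things that kept coming back in this thread: Trusted-zone ZoneMap mappings and extra Hosts entries. This is an added example, not part of any poster's reply. It assumes the ZoneMap key was exported to text with regedit; the function names are hypothetical and the sample export and Hosts content are constructed.

```python
import re

# ZoneMap\Domains\... and ZoneMap\Ranges\... subkeys in a regedit text export.
KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\ZoneMap\\((?:Domains|Ranges)\\[^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')
TRUSTED = 2  # URL security zone 2 = Trusted sites

def trusted_zone_entries(reg_text):
    """Return (subkey, protocol) pairs that a .reg export maps to the Trusted zone."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            key = m.group(1) if m else None  # ignore keys outside ZoneMap
            continue
        v = VAL_RE.match(line)
        if key and v and int(v.group(2), 16) == TRUSTED:
            hits.append((key, v.group(1)))
    return hits

def unexpected_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs other than the default loopback localhost line."""
    out = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        ip = fields[0]
        for name in fields[1:]:
            if not (name.lower() == "localhost" and ip in ("127.0.0.1", "::1")):
                out.append((ip, name))
    return out

# Constructed sample data (real exports are UTF-16: open(path, encoding="utf-16")).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads.example.test]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example.test]
"http"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"http"=dword:00000002
":Range"="203.0.113.7"
'''
SAMPLE_HOSTS = """127.0.0.1 localhost
203.0.113.9 search.example.test  # constructed entry
127.0.0.1 update.example.test
"""

if __name__ == "__main__":
    print(trusted_zone_entries(SAMPLE_REG))
    print(unexpected_hosts_entries(SAMPLE_HOSTS))
```

An empty result from both functions after a reboot is the condition described in step (t), where the reset Hosts file stayed clean.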
 