
  trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs:
·AT&T U-Verse
| [ZLOB] I think I have all of it but I want to make sure...
Yes, I got infected. Yep, I thought I was immune. »I was infected. I stand humbled. And the prior... »Came close to being infected...
This is Windows Vista 64-bit so I'm a bit limited in the tools that I can run on this. Programs like Spybot won't run on it. Norton Internet Security 2009 has already been run on this machine and has removed a good chunk of the trace of ZLOB that it found.
Mainly I'm looking for reassurance that this crap has been removed.
Malwarebytes' Anti-Malware Scan Results
Malwarebytes' Anti-Malware 1.36
Database version: 2135
Windows 6.0.6002 Service Pack 2
5/15/2009 10:04:21 PM
mbam-log-2009-05-15 (22-04-21).txt
Scan type: Full Scan (C:\|S:\|)
Objects scanned: 466084
Time elapsed: 3 hour(s), 28 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:41 PM, on 5/15/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files (x86)\TrueCrypt\TrueCrypt.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe
C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\GetRight\GetRight.exe
C:\Program Files (x86)\HP\QuickPlay\QPService.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Program Files (x86)\Hamachi\hamachi.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\JGsoft\EditPadPro6\EditPadPro.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »ie.redirect.hp.com/svs/rdr?TYPE=···&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »ie.redirect.hp.com/svs/rdr?TYPE=···&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »ie.redirect.hp.com/svs/rdr?TYPE=···&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »ie.redirect.hp.com/svs/rdr?TYPE=···&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files (x86)\IEPro\iepro.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files (x86)\GetRight\xx2gr.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Advertising Cookie Opt-out - {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - C:\Program Files (x86)\Google\Advertising Cookie Opt-out\opt_out.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files (x86)\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKCU\..\Run: [Aero Controller] C:\Users\Tom\Aero Controller.exe
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files (x86)\TrueCrypt\TrueCrypt.exe" /q preferences /a favorites
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
O4 - Startup: hamachi.lnk = C:\Program Files (x86)\Hamachi\hamachi.exe
O4 - Startup: Virtual Desktops.lnk = C:\Program Files (x86)\Virtual Desktop\Virtual Desktops.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: GetRight.lnk = C:\Program Files (x86)\GetRight\GetRight.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files (x86)\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files (x86)\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files (x86)\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files (x86)\IEPro\iepro.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files (x86)\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {EF3CEDAA-71DE-494f-A700-9648BD0F0BA9} - C:\Program Files (x86)\ieHTTPHeaders\ieHTTPTrace.dll
O9 - Extra 'Tools' menuitem: Display ieHTTPHeaders... - {EF3CEDAA-71DE-494f-A700-9648BD0F0BA9} - C:\Program Files (x86)\ieHTTPHeaders\ieHTTPTrace.dll
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - »https://transfers.ds.microsoft.com/FTM/T···Ctrl.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - »https://secure.logmein.com/activex/ractr···?lmi=100
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\AESTSr64.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files (x86)\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: AT&T Con App Svc (CAATT) - PCTEL - C:\Program Files (x86)\AT&T\Communication Manager\ConAppsSvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: DFS Replication (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Update Service (gupdate1c98621104e2f0) (gupdate1c98621104e2f0) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hamachi Service (HamachiService) - LogMeIn Inc. - C:\Program Files (x86)\Hamachi\hamachi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CNG Key Isolation (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Netlogon - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Software Licensing (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: SNMP Trap (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_bd5387da\STacSV64.exe (file missing)
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files (x86)\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - Unknown owner - C:\Windows\System32\TuneUpDefragService.exe (file missing)
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - Unknown owner - C:\Windows\System32\TUProgSt.exe (file missing)
O23 - Service: Interactive Services Detection (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Virtual Disk (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
-- Tom
| |   trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs:
| Norton IS 2009 came back clean. Still running MSRT.
-- Tom
| |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to trparky It would be more helpful if you could post the scan log from Norton 2009 where it found and removed the infection. I'd like to determine if your machine was truly infected or simply Norton detecting exploits on a webpage.
Then finish running the steps that will work on Vista 64bit systems in our FAQ page here »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance (did you scan with Windows Defender, for example?)
and also be sure to run this online AV scanner to get a second opinion and it will produce a log for review
Go here: »www.eset.com/onlinescan to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked.
Click Scan.
Wait for the scan to finish.
Use Notepad to open the logfile located at: C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a description of any remaining problems.
AND I also want to review the Norton Scan log (from the scan where the infection was found...not the clean one)
ESET Online Scanner requires the following minimum system components:
Hardware: 133MHz Intel Pentium processor or equivalent; at least 32MB of available RAM; at least 15MB of available disk space
Operating System: Microsoft Windows 98/ME/NT 4.0/2000/XP and Windows Vista
Software: Microsoft Internet Explorer (IE) 5.0 or later
User Permissions: Administrator privileges required for installation.
And it IS compatible with the 64bit versions listed:
Q8: Does the ESET Online Scanner work with 64-bit versions of Microsoft Windows?
A8: Yes, the ESET Online Scanner works with x64 (AMD64 and EMT64) versions of Microsoft Windows; it does not work with Itanium (IA64) versions of Microsoft Windows. The ESET Online Scanner is a 32-bit application, which means it must be run in the 32-bit version of Internet Explorer, and as an Administrator (see Q7, above). To do so, right-click on the Internet Explorer (32-bit) icon in the Start Menu and select "Run as administrator" from the popup context menu.
-- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2009 Proud Member of ASAP (Alliance of Security Analysis Professionals)
| |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to trparky Also, a quick question. Spybot IS Vista compatible. What error did you get trying to run it?
| |   trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs:
·AT&T U-Verse
| REGISTRY
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1000\Software\Microsoft\Inrernet Explorer\New Windows\->PopupMgr:yes
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\->Hidden:1
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\->Hidden:1
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advance\->HideFileExt:0
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Advance\->HideFileExt:0
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advance\->SuperHidden:1
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Advance\->SuperHidden:1
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1002\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\->NoFolderOptions:0
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1006\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\->NoFolderOptions:0
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\->NoFolderOptions:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\->aux1:wdmaud.drv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\->aux2:wdmaud.drv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon->UserInit:C:\Windows\SysWOW64\Userinit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system->DisableTaskManager:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\->System
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1002\Software\Microsoft\Internet Explorer\New Windows\->PopupMgr:yes
HKEY_USERS\S-1-5-21-3150281172-1218314323-312748870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\->Hidden:1
1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\->HideFileExt:0
1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\->SuperHidden:1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\->midi2:wdmaud.drv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\->mixer2:wdmaud.drv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\->wave2:wdmaud.drv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\->wave1:wdmaud.drv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\->midi1:wdmaud.drv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\->mixer1:wdmaud.drv
FILES
c:\users\tom\appdata\local\temp\~df5ddd.tmp
c:\users\public\desktop\best bdsm p0rn.url
c:\users\public\desktop\gay fetish sex.url
I don't know how I got those pr0n links, I don't even go to pr0n sites. Seriously, I don't.
SpyBot is Vista compatible but only 32-bit, not 64-bit. It is known that it gets stuck in a Wow64 directory scan loop.
Ran another full scan with NIS2009, nothing found. MSRT is still scanning from last night and is about 80% through the scan and still hasn't found anything.
-- Tom
| |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to trparky Thanks, trparky!
Ok, the registry items only look like a listing of your settings (it didn't actually say those are infected)
and the URLs, you can delete those files. They may be leftovers from a prior infection or something, but they aren't an indication of any active infection.
Let's see how the MSRT comes out and then if I could ask you to take the time to get a second opinion from the eset online scan? If Norton missed anything, it might show there. And if not, I would assume those old links are not part of any active infection. I would see a lot more files listed (not just links).
As for Spybot, it's compatible for 64bit systems. If it won't run for you, I think they'd appreciate it if you could report any problems on their support forums  »forums.spybot.info/index.php
Here is a thread thoroughly explaining the difference between 64bit compatible and 64bit native. »forums.spybot.info/showthread.php?t=30810 However, I haven't seen the hangup you mentioned. Do you have a link for one? (just wondering).
I'd like to get that resolved since, maintaining the FAQ pages here in Security, we want to make sure to note (and use) only programs that work on recommended systems. Therefore if it won't run for some reason on Vista 64bit I would want to have that listed. Right now it's my understanding that it works fine on Vista 64bit. So help me here if I am wrong.
-- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2009 Proud Member of ASAP (Alliance of Security Analysis Professionals)
| |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to trparky Ok, further searching over at Spybot forums I found where Patrick posted back in 07 that Spybot was compatible with 64bit Vista  »forums.spybot.info/showpost.php?···tcount=2
So, if it is hanging up on you, you may need some troubleshooting and I'm sure they'll help you over there.
We do want to be sure it works for you.
-- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2009 Proud Member of ASAP (Alliance of Security Analysis Professionals)
| |   trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs:
·AT&T U-Verse
| MSRT is still scanning, I started Spybot on this thing along with AdAware AE free.
Things seem like they are fine now but I definitely want some more opinions from other programs.
Honestly, I'm a bit disturbed by this. I've never been infected in over four years. This is the first time and it scared the hell out of me.
-- Tom
| |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| Gosh, I hope you aren't running all of them at once.
The eset online AV scan is the important one. It will look for both infected system files and any others possibly missed, but I honestly don't think this machine was infected. What Norton found was really negligible traces (legit traces yes, but nothing indicating a system infection at all). Ad-Aware and Spybot might find traces, but I would expect MBAM would have already found something if so.
An online scanner can't be "fooled" or damaged by malware. That's why I want the 2nd AV opinion.
-- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2009 Proud Member of ASAP (Alliance of Security Analysis Professionals)
| |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to trparky Oh, but do the eset scan only after the MSRT is done (I wonder why that is taking so long?) We use the MSRT to rule out any of the major nasties and some of the more common rootkits.
Just because Norton "found something" doesn't mean your machine was infected. Sometimes there are traces in the Java cache or in your web browser cache, etc - doesn't mean you were actually infected. I think that is going to be the case here FYI
-- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2009 Proud Member of ASAP (Alliance of Security Analysis Professionals)
| |   trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs:
| I am running them all at once, the system is still responsive even with all of that activity going on.
-- Tom
| |   trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs:
| SpyBot found CouponBar, I'm having it remove it.
-- Tom
| |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to trparky Arg - well really not a good idea to run them all at once. You are asking all 3 to do the same job at the same time and they might get confused when one "touches" a file, then the other 2 also see it. It's really best to only run one scan at a time.
-- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2009 Proud Member of ASAP (Alliance of Security Analysis Professionals)
| |   trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs:
·AT&T U-Verse
| MSRT found nothing.
AdAware found some cookies and two trojan type things.
Win32AdwareBHO c:\Windows\CouponPrinter.ocx (This I'm not so sure of since I remember this was installed to get some kind of online coupon)
Win32TrojanSpy C:\Users\Tom\Desktop\..tfraudFix\VACFix.exe C:\Windows\SysWOW64\VACFix.exe
-- Tom
| |   trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs:
·AT&T U-Verse
| Logfile created: 5/16/2009 13:44:7
Lavasoft Ad-Aware version: 8.0.4
Extended engine version: 8.1
User performing scan: Tom

*********************** Definitions database information ***********************
Lavasoft definition file: 148.31
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 441207
Objects detected: 7

Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 3
Folders.........: 0
LSPs............: 0
Cookies.........: 4
Browser hijacks.: 0
MRU objects.....: 0

Removed items:
Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
Description: *unicast* Family Name: Cookies Clean status: Success Item ID: 409281 Family ID: 0
Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0

Quarantined items:
Description: C:\Windows\CouponPrinter.ocx Family Name: Win32.Adware.BHO Clean status: Success Item ID: 766344 Family ID: 61
Description: C:\Users\Tom\Desktop\temp\SmitfraudFix\VACFix.exe Family Name: Win32.Trojan.Spy Clean status: Success Item ID: 556307 Family ID: 983
Description: C:\Windows\SysWOW64\VACFix.exe Family Name: Win32.Trojan.Spy Clean status: Success Item ID: 556307 Family ID: 983

Scan and cleaning complete: Finished correctly after 14675 seconds

************ Settings *****************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value: C:\,D:\,S:\
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: displaystatus, enabled:1, value: false
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: autodetectproxy, enabled:1, value: false
ID: useautoconfigscript, enabled:1, value: false
ID: autoconfigurl, enabled:0, value:
ID: useproxy, enabled:1, value: false
ID: proxyserver, enabled:0, value:
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Sat May 16 13:38:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Sat May 16 13:38:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: true
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: loadatstartup, enabled:1, value: true
ID: usespywareheuristics, enabled:0, value: true
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant

****************************** System information ******************************
Computer name: TOMSNOTEBOOK
Processor name: Intel(R) Core(TM)2 Duo CPU T5800 @ 2.00GHz
Processor identifier: Intel64 Family 6 Model 15 Stepping 13
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3853, number of processors 2
Physical memory available: 2149236736 bytes
Physical memory total: 4259336192 bytes
Virtual memory available: 1954856960 bytes
Virtual memory total: 2147352576 bytes
Memory load: 49%
Microsoft Windows Vista Home Premium Edition, 64-bit Service Pack 2 (build 6002)
Windows startup mode:
{Mod edit: snipped log for easier reading}
-- Tom

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to trparky: Thanks for the report - no Zlob there.
quote: Win32AdwareBHO c:\Windows\CouponPrinter.ocx (This I'm not so sure of since I remember this was installed to get some kind of online coupon)
This is probably a minor item and can be ignored if you are using the coupons - definitely not ZLOB.
These are false detections:
quote: Win32TrojanSpy C:\Users\Tom\Desktop\..tfraudFix\VACFix.exe C:\Windows\SysWOW64\VACFix.exe
Those two files are part of SmitfraudFix, which isn't Zlob either. In fact, it is a tool sometimes used to find and remove Zlob types. The AV heuristics in Ad-Aware AE find them suspicious because their behavior can sometimes be similar to trojan behavior. In this case they are not trojans and can be ignored.
I'm really interested in the ESET scan at this point.
We still haven't found any active ZLOB infection.
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2009
Proud Member of ASAP (Alliance of Security Analysis Professionals)

trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH
reply to CalamityJane: Re: [ZLOB] I think I have all of it but I want to make sure...
ESET came back clean.
-- Tom

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to trparky: Sorry for the late reply... was away on a business trip.
Final verdict, trparky - you weren't a victim of infection. This time. A few harmless remnants found - but there wasn't any active Zlob.
You must be doing something right and that is a pleasure to say.

trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH
Thank God for that.
I try to do everything right, you know... watch what I run/execute, avoid Internet Explorer like the plague, use AdBlock Plus with a good filter list, keep UAC enabled so that things trying to install won't install unless I tell them to, etc.
-- Tom