skydog
12-21-2007, 05:17 AM
Is anyone familiar with this virus? I did a search on Google and didn't find it. I've run numerous removal programs and thus far it is still there. Does anyone know its function?
Alison
12-21-2007, 05:48 AM
Hi Skydog,

Found this - What is Obfuscated? (Description):

    Obfuscated Remover
    Keep your computer safe from spyware & malware attacks. 90% of the computers connected to the Web are infected.
    Obfuscated is a Trojan downloader. Trojans are distinguished by their ability to be contracted and installed without the user's noticing. Downloaders in particular pose a variable threat because once they're installed, they're designed to contact the resident internet connection and download whatever programs have been written into their objectives. Subsequently, downloaders can facilitate the spread of Adware and other Trojans. Obfuscated uses HTTP to download its payload.

at this website - http://www.adwarealert.com/glossary_details.php?ID=3135

skydog
12-21-2007, 05:55 AM
so...how do I remove it...

Swampy
12-21-2007, 05:56 AM
>>>>90% of the computers connected to the Web are infected.

The other 10% are Macs. LOL

Sorry, I just had to do that...:devil::devil:

Gary Richardson
12-21-2007, 09:23 AM
Post me a HJT log please Skydog, many viruses have randomly generated filenames which is why you're not able to get a result from Google, your HJT log may provide more information on what is on your computer.

Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
Double-click HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

I'm a bit tied for time at the moment, so I may not have time to fully resolve your virus problems, but I can do a quick analysis of the log and if it looks like it might be a long job to remove the infection I can direct you to where you'll get good advice. If it looks like being a quick job I'll talk you through it myself.

Any other symptoms other than the flag from AVG?

skydog
12-21-2007, 10:02 AM
Thanks Gary... not sure what that dll file is all about. I haven't noticed anything different about the computer or operation, but I keep getting a pop up that I have this virus. I tried to heal it with no result. I have an installation disk for windows home xp and I did a search on the dll file and it wasn't on the disk so I put the file in the virus vault.

Swampy...low low blow...the only thing I can think of in response..."Go Wildcats"

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:57 AM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\Giga Pocket\GPVSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\Paint Shop Pro 9.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\IE7-WindowsXP-x86-enu.exe
i:\39889d8599f8bce7881f\update\iesetup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
i:\39889d8599f8bce7881f\update\nlsdl.exe
i:\33186b4796cc8ababf83b0d1\update\update.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19777B64-C146-4007-8DDD-A1CB8AE5BF0F} - c:\windows\system32\dsauthg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184536128578
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rbhgyche - C:\WINDOWS\SYSTEM32\dsauthg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Giga Pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11309 bytes

Swampy
12-21-2007, 12:02 PM
>>> Swampy...low low blow...the only thing I can think of in response..."Go Wildcats"

Skydogie, I'll be surprised if FSU can field a team with all their problems. Gawd, kids are so stupid!
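Gary's point is that a randomly generated filename defeats a web search, so the log has to be read for structural oddities instead. The two entries that stand out in skydog's log are an O2 BHO with "(no name)" and an O20 Winlogon Notify subkey ("rbhgyche") whose name has nothing to do with the DLL it loads, both pointing at the same dsauthg.dll. The script below is an added example, not from the thread and not a HijackThis feature: it parses a few lines in the HijackThis format (a constructed subset of the log above), flags those two patterns, and cross-checks whether one DLL is registered in both places. The "subkey name shares a prefix with its DLL" rule is my own heuristic, not a documented rule.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines in HijackThis log format, taken from
# the entries in the thread's first log (not the complete log). Raw string so
# the backslashes in Windows paths survive intact.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19777B64-C146-4007-8DDD-A1CB8AE5BF0F} - c:\windows\system32\dsauthg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rbhgyche - C:\WINDOWS\SYSTEM32\dsauthg.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.+)$")
# O20 lines: "O20 - Winlogon Notify: <subkey> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def parse(log_text):
    """Return (bhos, notify) lists of dicts for the O2 and O20 entries in an HJT log."""
    bhos, notify = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notify.append(m.groupdict())
    return bhos, notify


def stem(path):
    """Lower-cased file name without extension, e.g. 'dsauthg' for ...\dsauthg.dll."""
    return PureWindowsPath(path).stem.lower()


def name_matches_dll(subkey, path):
    """Heuristic (my assumption): legitimate Notify subkeys tend to share a
    prefix with the DLL they load (!SASWinLogon -> SASWINLO.dll). A subkey
    whose first four letters never appear in the DLL stem is worth a look."""
    letters = re.sub(r"[^a-z]", "", subkey.lower())
    return len(letters) >= 4 and letters[:4] in stem(path)


def triage(log_text):
    """Return a list of human-readable findings for the suspicious patterns."""
    bhos, notify = parse(log_text)
    findings = []
    bho_by_dll = defaultdict(list)

    for b in bhos:
        bho_by_dll[stem(b["path"])].append(b)
        if b["name"] == "(no name)":
            findings.append(f"unnamed BHO {b['clsid']} loads {b['path']}")

    for n in notify:
        if not name_matches_dll(n["name"], n["path"]):
            findings.append(
                f"Winlogon Notify subkey '{n['name']}' bears no relation to its DLL {n['path']}"
            )
        if stem(n["path"]) in bho_by_dll:
            findings.append(
                f"{stem(n['path'])}.dll is registered both as a BHO and as a Winlogon Notify handler"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("FLAG:", finding)
```

Run it as-is and it prints three flags, all pointing at dsauthg.dll; the Adobe and ZoneAlarm BHOs and the SUPERAntiSpyware Notify entry produce nothing. Flags like these are a reason to look closer, not a verdict, which is why Gary asks for the log before telling HijackThis to fix anything.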
Gary Richardson
12-21-2007, 02:45 PM
Looks like you've got a Vundo infection.

Download combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) by sUBs to your Desktop.
Alternate Download (http://subs.geekstogo.com/ComboFix.exe)
(If you already have a previous version, delete it and download a new version).
Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. (it can also be found at C:\Combofix.txt)
Post that log in your next reply please, along with a new HJT log.

IMPORTANT
Do not use your computer while Combofix is running.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

plugsnpixels
12-21-2007, 03:53 PM
See how the US Army (http://www.forbes.com/home/technology/2007/12/20/apple-army-hackers-tech-security-cx_ag_1221army.html) handles such problems...

Swampy
12-21-2007, 03:57 PM
I read that earlier today, PnP. Interesting article. Maybe my stock will go up even more! :-)

skydog
12-22-2007, 05:16 AM
ComboFix 07-12-21.4 - Dad 2007-12-22 7:03:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1050 [GMT -5:00]
Running from: C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\QPV9AMJN\ComboFix[1].exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\rhhaiofb.dat
C:\WINDOWS\system32\dsauthg.dll
C:\WINDOWS\Tasks.\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_KDARJMBC
-------\LEGACY_RXIZZUXA
-------\LEGACY_ZBKRFHCQ
-------\kdarjmbc
-------\rxizzuxa
-------\zbkrfhcq
.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.
2007-12-20 22:22 . 2007-12-20 22:22 <DIR> d-------- C:\Documents and Settings\Dad\Lightroom
2007-12-20 09:44 . 2007-12-21 15:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-20 09:44 . 2007-12-20 09:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 09:44 . 2007-12-20 09:44 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2007-12-20 09:44 . 2007-12-20 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 09:30 . 2007-12-22 06:37 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-12-20 09:21 . 2007-12-20 09:22 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-20 09:18 . 2007-12-20 09:18 <DIR> d-------- C:\Program Files\Microsoft Easy Assist
2007-12-20 07:53 . 2007-12-20 07:53 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Lavasoft
2007-12-20 07:38 . 2007-12-20 07:39 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\AdwareAlert
2007-12-19 19:31 . 2007-12-19 19:31 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\iolo
2007-12-19 19:31 . 2007-12-19 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2007-12-19 19:31 . 2007-12-19 19:31 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2007-12-19 19:12 . 2007-12-19 19:12 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2007-12-19 18:54 . 2007-12-19 18:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-19 18:37 . 2004-08-03 23:14 359,040 --a------ C:\WINDOWS\tcpip.sy_
2007-12-19 18:10 . 2003-04-11 05:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2007-12-19 18:10 . 2003-04-11 04:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-19 16:25 . 2007-12-19 16:25 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2007-12-19 13:29 . 2007-12-19 13:29 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2007-12-19 06:41 . 2007-12-19 06:41 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-19 06:41 . 2007-12-19 06:41 741,632 --a------ C:\WINDOWS\system32\qtijcbnr.dat
2007-12-19 06:41 . 2007-12-19 06:41 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-19 06:41 . 2007-12-19 06:41 119,552 --a------ C:\WINDOWS\system32\plqiiten.dat
2007-12-19 06:41 . 2007-12-19 06:41 42,240 --a------ C:\WINDOWS\system32\ocuygllh.dat
2007-12-19 06:41 . 2007-12-19 06:41 36,096 --a------ C:\WINDOWS\system32\wowwmiqt.dat
2007-12-19 06:41 . 2007-12-19 06:41 35,072 --a------ C:\WINDOWS\system32\yxanswll.dat
2007-12-19 06:30 . 2007-12-19 06:30 28 --a------ C:\WINDOWS\DustKleen.INI
2007-12-19 06:20 . 2007-12-19 06:20 1,396 --a------ C:\WINDOWS\system32\wpa.bak
2007-12-18 23:34 . 2004-08-04 07:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
2007-12-18 23:34 . 2004-08-04 07:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
2007-12-18 23:34 . 2004-08-04 07:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
2007-12-18 23:34 . 2004-08-04 07:00 79,360 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
2007-12-18 23:34 . 2004-08-04 07:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2007-12-18 23:34 . 2004-08-04 07:00 65,536 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
2007-12-18 23:34 . 2004-08-04 07:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2007-12-18 23:32 . 2004-08-04 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-12-18 23:31 . 2004-08-04 07:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2007-12-18 23:30 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2007-12-18 23:29 . 2007-12-18 23:29 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2007-12-18 23:28 . 2007-12-18 23:28 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-18 23:28 . 2007-12-18 23:28 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2007-12-18 23:28 . 2007-12-18 23:28 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2007-12-18 23:28 . 2007-12-18 23:28 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2007-12-18 22:05 . 2004-08-03 23:04 134,912 --a------ C:\WINDOWS\ipnat.sy_
2007-12-16 11:31 . 2007-12-16 11:31 12,288 --ahs---- C:\WINDOWS\system32\Thumbs.db
2007-12-15 12:05 . 2007-12-15 12:05 119,552 --a------ C:\WINDOWS\system32\qhxosowh.dat
2007-12-15 11:59 . 2002-08-29 07:00 83,456 --a------ C:\WINDOWS\system32\dsauthg.dll.bak
2007-11-23 08:05 . 2007-11-24 10:11 156 --a------ C:\WINDOWS\Twunk001.MTX
2007-11-23 08:05 . 2007-11-24 10:11 4 --a------ C:\WINDOWS\Twain001.Mtx
2007-11-23 08:05 . 2007-11-23 08:05 0 --a------ C:\WINDOWS\Twunk002.MTX
2007-11-22 21:54 . 2004-08-04 02:10 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-11-22 21:54 . 2004-08-04 02:10 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 12:10 6,533,152 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-22 12:09 78,656 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-21 20:17 --------- d-----w C:\Documents and Settings\Dad\Application Data\LumaPix
2007-12-21 20:04 279,334 ----a-w C:\WINDOWS\FotoFusionV4 Uninstaller.exe
2007-12-21 20:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-21 13:00 --------- d-----w C:\Documents and Settings\Dad\Application Data\AVG7
2007-12-19 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-16 12:42 --------- d-----w C:\Documents and Settings\Other\Application Data\AVG7
2007-11-24 13:00 --------- d-----w C:\Documents and Settings\Dad\Application Data\Canon
2007-11-14 21:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 01:20 --------- d-----w C:\Documents and Settings\Dad\Application Data\Move Networks
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-19 19:12 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-19 19:12 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-03-03 21:44 C:\WINDOWS\system32\nwiz.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-28 23:00]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 13:24]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 13:11]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 12:29]
"CreateCD_Reminder"="C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe" [2003-04-17 19:51]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 12:38 C:\WINDOWS\AGRSMMSG.exe]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-17 23:01]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-29 11:09]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 10:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 09:43]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 14:25]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 17:37]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe" [2007-08-30 05:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-29 11:09]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Remocon Driver.lnk - C:\Program Files\Sony\USBSircs\usbsircs.exe [2007-07-16 17:49:52]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-07-19 21:09:11]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS [2002-12-18 10:03]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-12-19 18:38:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-11 21:19:07 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY3923M2ZD7A.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet5100#MY3923M2ZD7A
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 07:12:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-22 7:13:47 - machine was rebooted
.
2007-12-22 08:00:49 --- E O F ---

skydog
12-22-2007, 05:17 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:33 AM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\Giga Pocket\GPVSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony\USBSircs\usbsircs.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184536128578
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc.
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe O23 - Service: TabletService - Wacom Technology, Corp. 
- C:\WINDOWS\system32\Tablet.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Giga Pocket\GPVSvr.exe O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 12236 bytes skydog 12-22-2007, 05:47 AM Gary...it appears the virus is gone. What exactly did combo fix do and what did it correct? Swampy..you have an Apple...thank God I have Gary! Actually, I need to replace my computer. 
It is ~ 5 years old and I'm concerned of a complete failure at some point. My concern with the Apple is the cost of converting all of my software to the Apple environment and how many of my applications will work in this environment. Any thoughts?

For those of you that use Windows, what is the latest on Vista? Initially it received a lot of bad press like the recent launch of the Canon Mark III. Can most applications now run in this environment? Most of my friends say stick with XP.

Gary Richardson
12-22-2007, 06:41 AM
Hi Skydog,

Combofix was specifically written for removing the infection you had (plus some others) so is more effective than a general anti-virus or anti-malware programme. It does have a whole lot more functions than the simple scan and clean you used, but these are not for the use of the general public and need trained guidance to use. It is however a very powerful programme, and if used inappropriately can damage your computer. It is updated regularly to deal with the latest versions of the infections it targets, and for this reason the programme becomes inoperative after 10 days of it first being loaded to the server. I do not recommend its use by untrained persons.

OK, most of the infection is removed, just a little cleaning up to do.

Download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer to your Desktop.
Double click OTMoveIt.exe to launch it.
Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.

C:\WINDOWS\system32\qtijcbnr.dat
C:\WINDOWS\system32\plqiiten.dat
C:\WINDOWS\system32\ocuygllh.dat
C:\WINDOWS\system32\wowwmiqt.dat
C:\WINDOWS\system32\yxanswll.dat
C:\WINDOWS\system32\qhxosowh.dat
C:\WINDOWS\system32\dsauthg.dll.bak

Click the Move It button. The list will be processed and the results will appear in the right hand pane.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.
When finished click Exit to exit the programme.
A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).
Post the log back here please.

Click Start > Run and type cleanmgr then click OK.
This will bring up the Disk Cleanup window.
Check the following entries:
Temporary Internet Files
Recycle Bin
Temporary Files
Click OK. When a prompt pops up click Yes.

I'd like you to do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner). Combofix is good at what it does, but it only targets certain functions, I'd like a general scan of your system to make sure there's nothing else hiding on it. Kaspersky is one of the best scanners, and has the advantage that it doesn't try to fix anything. It also gives a very good log which I'm familiar with.

Note: You must be using Internet Explorer as your browser as it will be necessary to install an ActiveX component to your computer.

Important: If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
Scan Options: Scan Archives, Scan Mail Bases
Click OK.
Now under select a target to scan select My Computer.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button: Save the file to your desktop.
Copy and paste that information in your next post.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Summary of the logs I need from you in your next post:
OTMoveIt
Kaspersky

Please post each log separately to prevent them being cut off by the forum post size limiter.

Dave.Cox
12-22-2007, 07:16 AM
Post your question here. http://forum.kaspersky.com/ Kaspersky.com specializes in protection and removals. Last time that I had a virus that I couldn't seem to remove, even with their own software, I searched this forum and found the answer in short order. You probably won't even have to ask, just search for current solutions.

skydog
12-22-2007, 07:20 AM
Gary...may be later today before I can get to this...what exactly do you do? Are computers a hobby or your job...your knowledge/experience amazes me...

skydog
12-22-2007, 09:49 AM
C:\WINDOWS\system32\qtijcbnr.dat moved successfully.
C:\WINDOWS\system32\plqiiten.dat moved successfully.
C:\WINDOWS\system32\ocuygllh.dat moved successfully.
C:\WINDOWS\system32\wowwmiqt.dat moved successfully.
C:\WINDOWS\system32\yxanswll.dat moved successfully.
C:\WINDOWS\system32\qhxosowh.dat moved successfully.
C:\WINDOWS\system32\dsauthg.dll.bak moved successfully.
Created on 12/22/2007 11:48:20

skydog
12-22-2007, 11:45 AM
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 22, 2007 1:36:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/12/2007
Kaspersky Anti-Virus database records: 491787
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 114551
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:24:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF5510.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF5544.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sony\Photo Server\db\vpdb.ldb Object is locked skipped
C:\Program Files\Sony\Photo Server\db\vpdb.mdb Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\rhhaiofb.dat.vir Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP19\change.log Object is locked skipped
C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP9\A0000068.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\PerfomanceOptimizerPre_Installer.exe Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\WINDOWS\Internet Logs\APPLE.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETDC85.tmp Object is locked skipped
C:\WINDOWS\Temp\JETDDAE.tmp Object is locked skipped
C:\WINDOWS\Temp\ZLT019ca.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT019cd.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP19\change.log Object is locked skipped

Scan process completed.

plugsnpixels
12-22-2007, 12:44 PM
Skydog, I run Windows on my Macs as needed, and it works just fine. Actually, it's extremely easy to keep drag-and-drop backups (the Windows environment is just a set of files whether you're using Boot Camp or Parallels), so if a virus ever did come to visit (which I haven't had happen yet), you simply replace your files with the most recent backup and continue on your way in the time it takes to copy them. Then as time goes by, you can migrate your apps as you're able and leave this Windows virus nonsense behind!

Gary Richardson
12-22-2007, 01:50 PM
Hi skydog,

what exactly do you do?
Are computers a hobby or your job...your knowledge/experience amazes me...

I assist at a couple of Malware Removal forums where I help people clear infections from their computers. With the increasing prevalence of Malware on the web these days we feel it's necessary for people to have somewhere to go when they need help. All helpers are volunteers, so yes, this is a kind of hobby for me. I've been doing it for about 3 years or so now.

http://malwareremoval.com
http://spywarewarrior.com
http://forums.whatthetech.com/forums.html

I was trained at the first of the sites listed above, which has a dedicated school for that kind of thing, I teach there now a little. I also moderate at the second forum. The third is just one I help out at.

OK, as far as I can see your computer looks pretty much clear now, just one more removal to make.

Double click OTMoveIt.exe to launch it.
Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.

C:\WINDOWS\Downloaded Program Files\PerfomanceOptimizerPre_Installer.exe

Click the Move It button. The list will be processed and the results will appear in the right hand pane.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.
When finished click Exit to exit the programme.
A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

No need to send me the log, have a look at the log, if the file moves OK, then do the following.

Double click OTMoveIt.exe to launch the programme.
Click on the CleanUp! button.
OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alert you, allow it access.
You will be prompted to allow the clean up procedure, click Yes.
When finished exit out of OTMoveIt.
Now delete OTMoveIt.exe (if present).

This will clean out the programmes we've installed for the Vundo removal, and all associated files.

If PerfomanceOptimizerPre_Installer.exe fails to be moved, let me know.

Gary Richardson
12-22-2007, 02:04 PM
Skydog, I run Windows on my Macs as needed, and it works just fine. Actually, it's extremely easy to keep drag-and-drop backups (the Windows environment is just a set of files whether you're using Boot Camp or Parallels), so if a virus ever did come to visit (which I haven't had happen yet), you simply replace your files with the most recent backup and continue on your way in the time it takes to copy them. Then as time goes by, you can migrate your apps as you're able and leave this Windows virus nonsense behind!

What do you do if your System Files have been Rooted? Not all infections announce their presence, so you may have been infected for some time without your knowledge, and therefore your backups too will be tainted.

By the way, Macs are no more difficult to infect than a Windows system, it's just that nobody has really bothered to try yet as the returns aren't big enough. When/if they become so, you'll find the help available for you is very, very limited. Personally I hope that Macs remain as an untargeted system, we've got more than enough work to do as is, but don't make the mistake of thinking that Macs are somehow uninfectable, because that just is not the case.

skydog
12-22-2007, 04:03 PM
Gary...thanks...everything worked fine. Now to maintain what I have what do you recommend? I currently use AVG, Zone Alarm, Cleanup and Superantispyware, but all of that didn't keep me from being infected. How often should I run "highjack this" and submit the finding? thanks again...maybe Swamp has no idea what's lurking on her computer?

Gary Richardson
12-22-2007, 04:53 PM
OK, basically the programmes you have are fine, but they're only half the picture. The biggest defensive system you've got is the squidgy grey matter keeping your ears apart. Most people browse the web blithely unaware of the basic mechanisms of infection and as a result it doesn't come as too much of a surprise when they pick one up.

Most modern infections get onto your machine by you installing them, and because of this your defensive systems are usually not effective. In effect you're telling your systems "this is OK because I'm installing it" and therefore to a large extent they'll ignore things until the infection "activates" by which time it's too late. How do you install them? Basically you're conned into doing so. There's a whole number of ways this is done, but the following are just a few.

1. You receive an e-mail from a friend which has an attachment with it. Being as it's from a friend, and because your anti-virus hasn't flagged it, you open the attachment and you're infected. Turns out your friend's computer was infected and it was the infection that sent the e-mail and attachment to you. The attachment is an installer. Once it's installed on your box, the first thing it does is e-mail everyone in your address book, and the propagation of the infection progresses. Never open attachments even if from a friend unless you've checked with the friend that he/she has sent you one.

2. You're surfing the web and you see a great new utility you must have, so you download and install it. Turns out it comes "packaged" with other extra functions you didn't expect and you're infected. Another variation on this is you land on a website which tells you that to view the content you need to download and install a codec, and you guessed it, the codec comes with "friends" and once again you're infected.

3. You get hit by a worm. Someone has crafted a specific infection which can bypass your defences by means of an "exploit", usually some form of buffer overrun. Once through your defences the worm's payload activates and you're infected. Best way to defeat these is by keeping your Windows updates current. Also consider this, once a "patch" for an exploit comes out in the form of a Windows update, the bad guys will create a bug specifically for the exploit that patch fixes. They know that not everyone will update, so there will be a window of opportunity for them, in effect Microsoft by creating the fix are telling them how to infect people. That's why it's essential you keep Windows updated.

4. You land on an infected website. The owner of the website may or may not be aware that sections of his/her webpage have been replaced with malicious code. Again like a worm an exploit is usually used as the vector for infection.

5. P2P (Peer to Peer) file sharing programmes. These are one of the most used methods for infection spreading. Even if you've got one of the "clean" programmes you can't be sure that the stuff you're downloading is clean. By using P2P you bypass your defensive systems and the in-built protections of the programme are relatively easy to circumvent, most of the major malware peddlers love to use P2P. One other thing about them, if you've not configured them correctly you're likely broadcasting a whole lot more about your computer than you'd like others to know. Passwords, credit card numbers and bank account details have all been stolen from users' computers by a badly configured P2P programme.

As I said there's a whole lot more, but they're generally variations on the basic methods described above. By being aware of the above, you can be a deal more cautious in your browsing habits and what programmes you "allow" on your machine.

There are a few things I can recommend that will beef up your defences a bit, but it's getting a bit late here (nearly midnight) so I'll post them in the morning.

Gary Richardson
12-23-2007, 02:10 AM
Hi skydog,

OK, before I get into giving you a few hints on bolstering your defences, I just want to make a comment on a couple of entries in your HJT log.
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

These came with the latest version of Zone Alarm, and indicate you also installed Zone Alarm Spy Blocker. This is really nothing more than a thinly disguised version of the Ask Toolbar (Ask Jeeves). I don't know why ZA have included this with their install, but many in the security forums see this as a really negative step, aimed only at getting money from the manufacturers of that useless search add-on.

http://www.castlecops.com/modules.php?name=CLSID&query=F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA

ZoneAlarm Spy Blocker BHO
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}
O
BHO
SPYBLOCK.DLL
ZoneAlarm Spy Blocker Toolbar, now installed as an optional with Zonealarm. Uses the Ask.com search engine. More info here - also see this_note

Please read http://www.benedelman.org/spyware/installations/askjeeves-banner/

I don't know quite how tied into ZA it is, so if you wish to remove it, do the following.

Uninstall Zone Alarm.
Reboot your computer.
Re-install Zone Alarm, but when you do so, uncheck the option for Zone Alarm Spy Blocker which is checked by default.

There have also been a number of reports of problems with the latest version of ZA causing crashes on people's computers, but if you've had no problems with your install you should not be unduly concerned. But it's as well to be aware that others have had problems, so if you do start to have unexplained issues with your computer it may be ZA that is the cause.

Right, now to get down to a few additions to your defences.

Updating Windows and Internet Explorer
It is essential you keep your Operating System up to date with all the latest patches. The bad guys watch for the latest exploits, as soon as Microsoft brings out a patch, the bad guys will bring out an infection to exploit that vulnerability. If you don't have all the latest patches your computer is vulnerable. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) and get the critical updates.

Use a "secure" browser
Install Internet Explorer 7 (http://www.microsoft.com/netherlands/windows/ie/ie7/about/default.mspx) or an alternative browser like Firefox (http://www.mozilla-europe.org/nl/) or Opera (http://www.opera.com/) for more secure surfing. Please remember that there is no such thing as a totally secure browser. Your browsing habits will be the major factor in determining just how safe you are online. If you visit Crack/Warez sites, Porn sites, or other sites of a questionable nature, you still run a severe risk of getting infected.

IE Spyad (http://www.spywarewarrior.com/uiuc/resource.htm)
It puts many bad webpages on your restricted zones list. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use JavaScript and cookies). Use IE Spyad for single account computers, and IE Spyad 2 for multi account computers.

Hosts file: (http://www.mvps.org/winhelp2002/hosts.htm)
Make sure you read the instructions on how to install the hosts file, here (http://www.mvps.org/winhelp2002/hosts2.htm). Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen)
Click Run
In the dialog box, type services.msc
Hit Enter, then locate DNS Client
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK

Site Advisor (http://www.siteadvisor.com/)
This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site.

Old Canoeist
12-23-2007, 07:01 AM
Gary: I updated free Zonealarm and unknowingly got the Spyblocker but I found that it is listed separately in the WinXPHome Add/Remove list. When I clicked Uninstall it was removed after a restart. Zonealarm was still present & OK.

Gary Richardson
12-23-2007, 08:00 AM
Thanks for the info Old Canoeist, nice to know it can be removed easily. It's only the latest version of ZA that has this "addition", and as I don't have it I wasn't entirely sure quite how it was integrated into things.

skydog
12-24-2007, 06:18 AM
swamp..just read this at another site:

"Posted: 2:08 PM on 12.22.07 ->> I just had "Mac Sweeper detect" a bunch of viruses on my mac powerbook. It popped up automatically in my web browser window and asked if I wanted to download the program to clear out the cookies. When I clicked ignore, it started downloading something. Obviously, I stopped it, but it took me four times to close the window. Once I was able to get out of the window, I trashed everything in my downloads folder and shut my computer down. I just spoke with a few friends, who did a cursory Google search and found a few "legitimate mac sweeper pages" and a few message board postings with stories similar to mine. Unfortunately, no one replied to these postings. Additionally, there is a two hour wait for Apple tech support...happy holidays. So, I'm wondering if anyone has heard of this. Or perhaps, folks have some general thoughts on this matter. Thanks for the help."

Swampy
12-24-2007, 07:22 AM
Skydog...
I've seen the popup window you have referred to and from what I can tell, it's a JavaScript that, if you touch it, downloads an .exe file to the desktop. I don't know what the resulting .exe file does, but obviously it can't be run on the Mac (unless you are running XP/Vista under Boot Camp, Parallels, or Fusion).

plugsnpixels 12-24-2007, 07:12 PM
Gary, thanks for the info (obviously you know your Windows security!), though I must say in all my years of using Macs and traveling all over the internet's main roads and back alleys (plus running 4 higher-ed computer labs full of Macs with no virus protection for nearly a decade), I have yet to be affected negatively by a virus. Back around 1998/9 I saw the AutoStart virus appear, but it did no real harm and was literally the last Mac virus I saw. I'm not saying it can't happen, but perhaps the Mac OS is a bit better than Windows at protecting itself, besides being the smaller target. It's almost sad that Windows users need all the add-on security products. The OS should be handling that itself. Maybe it does with Vista (?). But thankfully my Parallels Windows seems safe thus far--I do have protection running (McAfee) and try to keep Windows itself updated. My main point is, I just can't imagine having to hassle with everything you describe--I'd toss the computer first.

Swampy, an .exe downloaded to the Mac desktop can only get into Parallels/Boot Camp if you dragged it into the Windows environment and double-clicked it, or *possibly* if you double-clicked it on the Mac desktop and indirectly activated Windows in that manner (I'd have to test to see if that would even work). In either case, the user would have to purposely interact with such a mystery file, and if they did, they get what they deserve!

Alison 12-24-2007, 11:51 PM
Gary...it appears the virus is gone. What exactly did ComboFix do and what did it correct? Swampy..you have an Apple...thank God I have Gary! Actually, I need to replace my computer.
It is ~5 years old and I'm concerned about a complete failure at some point. My concern with the Apple is the cost of converting all of my software to the Apple environment and how many of my applications will work in this environment. Any thoughts? For those of you that use Windows, what is the latest on Vista? Initially it received a lot of bad press like the recent launch of the Canon Mark III. Can most applications now run in this environment? Most of my friends say stick with XP.

Hi Skydog, From what I've been told, you will need at least 2 GB of RAM on your computer just for Vista - add a couple of extra for Photoshop etc. Apparently this is one of the main reasons why some folks ran into trouble with Vista. Next upgrade will see me install Vista, although I have been more than happy with XP.

Gary Richardson 12-25-2007, 01:25 AM
Hi plugsnpixels, Mac OS is not in and of itself secure, no OS is, but you are right that you are highly unlikely to come across any infections. The simple answer is that the bad guys just don't write them for Macs because there is insufficient payback for them. Modern malware is written by highly skilled and educated professional programmers; it has long ceased to be the activity of kiddies in their bedrooms, but is organised by well-funded criminal gangs. The reason being that they can make huge amounts of cash from these activities, in some cases running into billions of dollars. Were they to be interested in Macs, then there is absolutely no doubt that they could develop infections to penetrate their defences. However they want the biggest return for their effort, and that means targeting Windows, a system that is much more prevalent and with which they are so far more familiar. The current trend is towards identity theft, and more and more infections are being written to install backdoors and keyloggers.
Most are rooted (cloaked by a rootkit), so generally the user does not know that they are infected; many times they come to us with other problems, and it's only when/if we run a rootkit scan that their "guests" are discovered. With a backdoor/keylogger, the attacker has as much (and in most cases more) control over your computer as you do. They can install programmes to distribute porn, distribute spam, use your computer for DDoS attacks and a whole lot of other criminal activities. These programmes are rooted, so the victim will be unaware that they are present, as they are not seen by the OS. The only thing the victim notices usually is a reduction in their computer's performance. Just how long Macs remain untargeted I couldn't say; as I said earlier I hope it stays that way indefinitely, but at some time or other it seems logical to assume that these criminals will want to expand their interests, and when/if they do, you probably won't know, because all you'll notice is decreased performance which you'll probably attribute to something else, just like all the Windows users did.

Swampy 12-25-2007, 08:48 AM
>>>Actually, I need to replace my computer. It is ~5 years old and I'm concerned about a complete failure at some point. My concern with the Apple is the cost of converting all of my software to the Apple environment and how many of my applications will work in this environment. Any thoughts?
For the cost of Parallels or Fusion you can turn your Mac into a full-blown PC. Run your old software using the XP or Vista OS. Do your surfing, email etc. on the Mac "side" to avoid internet-borne viruses/malware. No need to buy new versions of your software. :-) It's an Intel chip after all.

plugsnpixels 12-25-2007, 12:19 PM
This is funny!
Just this very moment, for the first time ever (with this thread open), I got the pop-up window Swampy described (see attached), and this web page--CAREFUL, it's one big hyperlink (http://scanner.online-guard-adv.net/scan/3/?advid=2650)--loaded (titled "Online Guard")! I'm also attaching a screenshot of the page so you don't have to visit it to see it. Nothing else happened until I tried to select/copy the web header to post here, then the .exe (Install2650.exe) began to download. I'm on a Mac, so I just cancelled it. (Here's (http://spywarefiles.prevx.com/spywarefiles.asp?FXC=DIDE044121916) some info on the .exe file from Prevx, which appears to be legit (http://www.castlecops.com/f146-Prevx1.html), but who knows...) The Online Guard page is obviously bogus; it says I have 14 spywares with 5519 files infected... I bet if anyone else looked at this page it would say the same thing. So maybe this thread is infected-!

Swampy 12-25-2007, 12:38 PM
P&P good catch. If I were on a PC, I'd never click the link. Geeez... it sends you to some obscure web page and offers to check your computer for malware. Just click the link and get infected and pass it on... No way Jose

HroadhogD1 12-25-2007, 03:33 PM
My question is, after somebody gets this type of pop-up and you click cancel, is it still downloaded? What if you just click the red X? All of this seems to be getting worse. What can we do? Add software, and watch what we do, but even then..... With the Macs getting more popular, it seems to be just a matter of time.....guess there are people out there staying one step ahead or at least a half step. I just wish there was more we could do!!

plugsnpixels 12-25-2007, 03:57 PM
Depends on how far along the way you cancel. Even if it fully downloads, it would probably just sit there until you double-click it. On the Mac a .dmg or .pkg couldn't install itself without your password, or so I understand. Not sure about XP.
plugsnpixels 12-25-2007, 11:42 PM
Here's an example of how Mac OS X Leopard handles stuff you downloaded.

Gary Richardson 12-26-2007, 03:16 AM
>>>My question is, after somebody gets this type of pop-up and you click cancel, is it still downloaded? What if you just click the red X? All of this seems to be getting worse. What can we do? Add software, and watch what we do, but even then..... With the Macs getting more popular, it seems to be just a matter of time.....guess there are people out there staying one step ahead or at least a half step. I just wish there was more we could do!!
Can't speak for Macs as I'm not familiar enough with their OSs to say. For Windows it will depend on what "permissions" are set. If you are browsing using an account with Administrator privileges (Windows XP accounts are Administrator by default), and your browser is set to allow scripts, then you can be fully infected without any human interaction. If you are using an account that is set to Limited, then the file would not be installed as Limited accounts do not permit file installation. I recommend that everyone creates a Limited account and uses it for browsing. If you know you're going to want to DL and install something then use your Administrator account, otherwise by using a Limited account you are much safer. Similarly if your browser was set not to allow scripts to run, then it's unlikely the rogue installer will operate. I use Firefox as my browser with the NoScript add-on. This allows me to block scripts from all sites except those to which I give permission. I don't want people to get paranoid about picking up really nasty infections; despite them being more widespread than they were formerly, they are still relatively uncommon for people who browse normally. They are mostly contracted by people looking for freebies and those visiting crack and porn sites. For those of us who are a bit more selective about what we click, the chances of getting an infection are very much reduced.
Just remember to be cautious of anything that's being given away and check things out before you install it; remember there's no such thing as a free lunch.

DWThomp 12-26-2007, 06:07 AM
Gary - thank you for all this valuable information. I just added the NoScript extension to Firefox. Are the default settings ok or are there some options that need to be selected? Thanks again.

skydog 12-26-2007, 06:09 AM
Gary...how/where for Explorer do I indicate "no script"? Within the Tools of Explorer do I change or just use the security settings provided?

Gary Richardson 12-26-2007, 07:36 AM
Hi Dennis,
The default settings for NoScript are fine, though you can customise them if you wish. I have Flash blocked as well, but then I visit some rather "risky" sites when I'm researching malware (yes they can use Flash as an "in" to your system). If you have this set you'll get a notification if a Flash object tries to open; you can right-click it and select to let it run from the NoScript menu if you think it's OK. When you land on a site, if you look in your taskbar there will be an icon (red circle with a diagonal line through it and a blue S inside); this indicates that scripts are disabled for that site, because of which some site functions will not work. Once you've established a site is OK, such as for here at RetouchPRO, you simply right-click the icon and select Allow or Temporarily Allow as you require. Allow will permit scripts on that site on a permanent basis; Temporarily Allow will allow scripts for your current session only. Right-click on the icon and select Options and you can customise which site options you wish to block; you can also view the list of sites you've allowed. A site can be removed from the Whitelist (allowed sites) if you no longer wish to give them script permissions, or alternatively you can visit the site then Forbid it using the right-click menu.
Skydog,
For IE6, the following settings will improve security (but you may find the number of prompts you get a little inconvenient); personally if you're going to use IE as your browser I'd just upgrade to IE7 where the default settings are more secure. IE7 also has tabbed browsing which is a distinct improvement. Most of the teething problems with earlier renditions of IE7 have now been resolved so you shouldn't have any issues with it.

For IE6
From within Internet Explorer click on Tools > Options > Security > Internet > Custom Level. Make sure these options are set as follows:
Download signed ActiveX controls to Prompt
Download unsigned ActiveX controls to Disable
Initialize and script ActiveX controls not marked as safe to Disable
Java permissions to High Safety
Installation of desktop items to Prompt
Launching programs and files in an IFRAME to Prompt
Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Press the Apply button and then the OK to exit the Internet Properties page.

pixelzombie 12-26-2007, 06:37 PM
>>>Hi plugsnpixels, Mac OS is not in and of itself secure, no OS is, but you are right that you are highly unlikely to come across any infections. The simple answer is that the bad guys just don't write them for Macs because there is insufficient payback for them. Modern malware is written by highly skilled and educated professional programmers; it has long ceased to be the activity of kiddies in their bedrooms, but is organised by well-funded criminal gangs. The reason being that they can make huge amounts of cash from these activities, in some cases running into billions of dollars. Were they to be interested in Macs, then there is absolutely no doubt that they could develop infections to penetrate their defences.
>>>However they want the biggest return for their effort, and that means targeting Windows, a system that is much more prevalent and with which they are so far more familiar.
it is true that no OS is completely secure, but Windows is so much easier to break into and create problems for..a lot of the well-known viruses were written by teenagers just learning to program..Apple has always made it as difficult as possible for a virus to infect the Mac and that is the main reason you don't see a lot of malware being written for the Mac; it can be done, but by the time a person acquires such knowledge and skill they could have a very rewarding job as a programmer..there may not be a lot of money in writing malware for the Mac, but I'm sure there is some hack out there that would love the notoriety of creating the 1st virus that actually did some serious damage on the Mac platform...

Gary Richardson 12-27-2007, 03:01 AM
>>>it is true that no OS is completely secure, but Windows is so much easier to break into and create problems for..
Macs are no more difficult to hack than Vista, but there are already Vista infections because it's a more popular OS than those on Macs.
>>>a lot of the well-known viruses were written by teenagers just learning to program.
Practically no modern viruses are written by teenagers; they are written by criminals who wish to make money from you.
>>>Apple has always made it as difficult as possible for a virus to infect the Mac and that is the main reason you don't see a lot of malware being written for the Mac; it can be done, but by the time a person acquires such knowledge and skill they could have a very rewarding job as a programmer.
Macs may have once been more difficult to penetrate than Windows, but that is not the case now. The rewards from computer crime far exceed those that can be made legitimately. The guys writing modern infection codes are not at all interested in notoriety; cash is what motivates them and nothing else.
You can hold to your naive belief that Macs are secure because of their design if you wish, but it really is not the case. Their true security is due to the paucity of their number and little else. Like most Mac users, I don't expect you to believe me, and I sincerely hope you continue to have infection-free browsing.

Gary Richardson 12-28-2007, 03:30 AM
For those who don't think Macs have any vulnerabilities, this might make interesting reading.
http://blogs.zdnet.com/security/?p=758

pixelzombie 12-28-2007, 01:30 PM
that report relies on reports from the actual companies themselves, not what has been discovered by an independent party...

Gary Richardson 12-28-2007, 02:24 PM
From what I read the statistics were supplied by Secunia http://secunia.com/ an independent 3rd-party vendor. Secunia compiles its statistics from a wide range of sources inside the security community and has reporting facilities that anyone can use. http://secunia.com/report_vulnerability/ But whatever the source the vulnerabilities exist, and if you think they are known to only a small circle of programmers employed by Microsoft and Apple then I'm afraid you are being seriously optimistic. Historically most vulnerabilities have not been discovered by the writers of programmes, but by external "testers", some with benevolent intentions, many with entirely different motives. My intention with posting these statistics is not to show that Macs are prone to infection, but to show that if malware writers wished to target them, then they would have no more problems crafting an infection for that OS than they have creating something to run on Windows. But you believe what you wish, I've said all I intend to on the subject. :happy:

Swampy 12-28-2007, 02:45 PM
Gary, I would never say that a Mac or OS X is not vulnerable to any malware. The important thing is exploitation. To date, no one has exploited the vulnerabilities for the Mac. Small user base, little "joy"..
who knows why, but the fact remains, the Mac is "safer".

Gary Richardson 12-29-2007, 01:51 AM
You'll get no argument from me about the number of infections you're likely to come across if you use a Mac, though I wouldn't use the word safer, just less targeted. I can't give statistics as to the level of exploitation of Macs' vulnerabilities, as I don't deal with that OS. I don't think we can say for sure that they have not been exploited, only that you are highly unlikely to come across an infection if using a Mac. However since the modern trend is to rootkit infections to hide them from users, it is quite possible that there are infected Macs out there that are not being reported as such. Good browsing habits are necessary whatever OS you use, which is of course the point I was trying to convey.

Kraellin 01-01-2008, 08:39 PM
gary, i know java can be used to create malicious invasion of one's computer, but how about some of the other things we are asked to click on from time to time, like scripts, activex and cookies? can any of those be used to invade our windows machines? also, you might make mention of winpatrol for a good anti-install defense.

Gary Richardson 01-02-2008, 02:00 AM
Hi Craig,
Both scripts and ActiveX can be used as vectors to install infection, as can Flash and other such presentations. It's because Firefox does not support ActiveX that many consider it a safer browser, but really that's not the case. The guys who write modern infections usually install a great deal of flexibility into the infection "warhead", and if one method fails they usually have a number of alternative methods to try. If the account you're using to browse has Administrator privileges, then a script is able to do pretty much anything it wants. Scripting tools are very powerful, and if there's no need to escalate privileges, then the sky's the limit.
With a Limited account it's a different story, and although the infection can make initial contact, it is more difficult (but not impossible) for you to get a full infection. Your AV programmes will usually have a much greater chance of protecting you if you're browsing using a Limited account. Cookies cannot infect you. Though many are flagged as "spy cookies" by AV programmes, all this really means is that the cookie flagged contains information that can be read by sites other than the one that installed it. Some people see that as an invasion of privacy as they can't control just exactly who sees the data. WinPatrol is indeed a very useful utility to have; the newest versions have a great deal of inbuilt functionality. I had a Scottie in my taskbar for quite some time, only disposing of it when I installed a full HIPS protection suite (two programmes doing similar things is always a likely source of conflict).

skydog 01-02-2008, 06:15 AM
What do you mean by limited account? What is an AV program? What is a HIPS protection suite? I know infections can affect the functionality of one's operating system, but what other purposes do these infections pose? At the end of the day when I run Ad-Aware I may end up with 35 cookies that I must erase. What exactly is happening while they are there? If I remove them and they appear again later, is it an accumulated effect?

Gary Richardson 01-02-2008, 04:31 PM
Windows XP has two types of accounts (the options are different in Vista), Administrator and Limited, and each has different "permissions". An Administrator account can basically do anything including install new files, alter system settings and a whole lot more, whereas a Limited account does not have permission to either change files or alter system settings. When an infection penetrates your system, it does so with the permissions of the account that was running when it entered.
If it is a Limited account, its scope for doing damage is circumscribed by the reduced permissions of that account. Which is why browsing using a Limited account is a much safer option. Windows accounts however are Administrator by default (not so in Vista), so it's necessary for you to create a Limited account. This is done within Control Panel > User Accounts (just create a new account and follow the prompts, choosing Limited as the account type).

HIPS (Host Infection Protection System) is basically a process firewall, which controls all process operation within your computer. You use it to make a set of rules permitting or blocking the operation of those processes. It's kind of difficult to describe in just a few words; they require quite a lot of interaction and therefore knowledge of your computer, and because of that I do not recommend them to other than experienced users, though they are very secure. There have been moves made to simplify their use, but they still require a deal of knowledge to set up and use effectively.

AV is just shorthand for Anti-Virus, sorry, forgot not everyone talks this stuff all the time.

As for cookies, all they are is an encrypted text file which contains data set by the issuing site. They usually contain brief profile details including site preferences and sometimes site history records as well. Mostly they are site specific and other sites cannot read the data upon them. Because they are text files they cannot contain active elements, and therefore pose no infection threat. Some cookies however can be read by more than one site, usually sites within the same commercial group, but some can be read by sites which have come to some form of association. These are flagged by many anti-virus programmes as "spy cookies" and are considered a low-level threat, in as much as you may be transmitting details of your browsing behaviour by having them on board.
If you're not bothered by this leave them alone; if you are, allow your anti-virus to remove them. Once removed, any new cookies do not have access to the info accumulated by the ones deleted. Hope this explains things; if you've still any questions just ask, if I can explain further I will.

pixelzombie 01-02-2008, 05:04 PM
>>>Good browsing habits are necessary whatever OS you use, which is of course the point I was trying to convey.
i agree, you have to be careful when browsing as that's where the bulk of problems occur as noted by this article:
http://www.wired.com/politics/security/news/2007/11/mac_trojan#
so for those on a mac here are some ways to safeguard their machines:
http://www.pocopico.com/rants/osx_hardening.php
http://blog.cocoia.com/2007/03/10/howto-a-more-secure-os-x-before-leopard/
the latter deals with some advanced topics so if you're uneasy about some of the information offered it would be best to ask your local mac expert...

Gary Richardson 01-03-2008, 02:55 AM
Interesting link pixelzombie. I see the Mac trojan you linked to seems to be associated with Zlob; this is one of the most prevalent infections for Windows (there's a whole number of varieties of it), so if the Mac version has any success you can expect to see a lot, lot more of it very soon. As you can see, the infection is not auto-installed, but is actually installed by conning the user into installing a codec. This same method is used with Windows. Despite it seeming to be an obvious ruse, it's actually been a very effective way of distributing the infection. It's amazing how little some people think before installing things from unknown sources on their computers. That and the distributors of this junk have a very polished sales pitch. My fear is that because Mac users have traditionally not been targeted, they may be more ready to install unknown programmes; I hope this does not prove to be the case.
You'll notice that the security advice given for Macs in your other two links bears a deal of similarity to the advice I gave earlier for Windows. Not so surprising really; the two systems, despite their many differences, also have a great many similarities in function.

skydog 01-03-2008, 04:25 AM
sorry Gary...what is a codec?

Gary Richardson 01-03-2008, 06:21 AM
Codec (Coder/Decoder), a device used to interpret/view data. Because data comes in a number of different formats, it's necessary to have a codec that's designed for the particular data form the programme uses. In most cases programmes use a "standard" format, and the codecs are built in, or supplied by an outside "viewer" like Real, Flash, Windows Media Player etc. However some programmes use non-standard file formats, and special codecs may be needed. If this is from a legit manufacturer which you have sought out yourself, it's fine to install them. However it's a common infection vector as well. You land on a site which has advertised something you want to see, and when you try to view the content you get a pop-up saying you haven't got the required viewer, and that you need to install special software to do so, or it may be sold to you as a plug-in for one of the more mainstream viewers. Whichever way they sell the scam, once you install the codec/plug-in/programme, you're infected. Any site with content that can't be viewed with the standard viewers should be avoided.

pixelzombie 01-03-2008, 12:58 PM
a codec (compressor/decompressor) is a piece of software required to view certain video formats and should only be installed from a reputable source...

Swampy 01-03-2008, 01:51 PM
Yeah, I wouldn't install something from a porn site. LOL

pixelzombie 01-03-2008, 04:55 PM
i've also seen sites with sports footage try to get the user to install some sort of codec as well...
plugsnpixels 01-04-2008, 02:04 PM
Here's (http://www.macintouch.com/readerreports/security/index.html#d04jan2008) an interesting discussion from MacInTouch on the subject. Among the info about Mac-related issues is why Windows users had better stay away from Sears (bottom of page)!

Gary Richardson 01-04-2008, 03:00 PM
Bit more info on the Sears issue.
http://news.yahoo.com/s/pcworld/140918;_ylt=AlzxDKW8RQn9sej_Qz9qvBIDW7oF

skydog 01-06-2008, 07:37 PM
Gary...not a good month. I went over to my girlfriend's house tonight and now she can't get on the internet. I called the cable company and we checked the connection. I went to Run > cmd and checked for an IP number and had a good one. When I did a "ping" I had no connection/response. I reset the computer to an earlier date when I know there was a connection and still no connection. Any ideas?

Gary Richardson 01-07-2008, 02:33 AM
Which browser are you using, do you get a connection if you use an alternate browser? Have you altered your hosts file at all? (Some infections do this.) Easiest just to reset it to default as follows.
Download HostsXpert (http://www.funkytoad.com/download/HostsXpert.zip) and unzip it to your computer, somewhere where you can find it.
Double-click on HostsXpert.exe (the icon that's an orange circle with a big letter h) to launch the programme.
Check to see if the top button on the left-hand side says Make Writable?. If it does, click on it then proceed to the next instruction. If not, just proceed to the next instruction.
Click on Restore MS Hosts File to restore your Hosts file to its default condition. When prompted to confirm, click OK.
Click on Make Read Only? to secure it against further infection.
Exit the programme.
Her firewall could be blocking her; check firewall settings. Alternately switch off her firewall (if it's a 3rd-party installation) and switch on Windows Firewall, then see if you can connect. (Don't try to connect without a firewall.) Her LSP (Layered Service Provider) stack could be corrupted.
Can you run HJT on her computer and send me a log please.
Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
Double-click HJTInstall.exe to install it. By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install. It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
Copy/paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Note: As you are unable to DL the programmes using your GF's computer, you'll have to DL them yourself to a USB disk (or CD/DVD) and transfer them to her computer.

skydog 01-07-2008, 04:10 AM
I'll do as you say. I did look at Control Panel > Network Internet Connections > Network Connections and found the connections locked. I also thought I had a firewall problem. I started up in safe mode and still locked. I went to Windows Security and turned off the firewall and was now unlocked. I tried to connect and still no connection, but I still had an IP address...just no ping. The computer is using XP (Swamp I know I know) and Explorer (I need to check the version) but I suspect the latest because there is a Favorites Center on the top.

Gary Richardson 01-07-2008, 06:13 AM
OK, reset her hosts and send me a HJT log; that'll give me the chance to see if her problem is virus-related or not, and whether her LSP stack looks OK.

Gary Richardson 01-08-2008, 09:39 AM
Here's a worrying thought for you all: is your camera/MP3 player/memory card or any other USB memory device carrying an infection?
http://www.informationweek.com/news/showArticle.jhtml?articleID=205210426
"They are not practical for mass attacks (you have to buy, prep, and distribute the drives).
We don't believe it's a significant trend. It's not cost effective." The bigger fear, said Haley, would be that a manufacturer might unwittingly put malware on a device of some sort. That appears to be just what happened to the maker of the Victory LT-200 MP3 player, according to a blog post published on Friday by Kaspersky Lab researcher Roel Schouwenberg. The manufacturer "told us they were aware that a few months ago there was a partially infected batch of these MP3 players, and that they'd taken steps to fix the problem," he said.

Gary Richardson 01-16-2008, 02:55 AM
Report of first rogue anti-spyware programme for Macs
http://www.f-secure.com/weblog/archives/00001362.html
I hope that no one here would be foolish enough to fall for this, but please be aware that this kind of thing exists, and knowing the writers of this thing, there will be a whole lot more appearing.

skydog 01-16-2008, 04:32 AM
Gary...thanks for the support. By the time I got back to the computer the problem had been fixed. Her daughter had spent six hours on the phone with Microsoft customer support and the problem was fixed. She has no idea what they did, but fortunately the problem was resolved. I have no idea what that cost either.

Gary Richardson 01-16-2008, 06:08 AM
Glad the problem got resolved, hope it didn't cost her too much; the one thing M$ do know how to do is make money. :grin: Thanks for the update. :bigthmb: