
Trojan.zlob



Hi there,

I've been redirected here from the general forum. Each time I scan with Malwarebytes I get the same result: three files infected with Trojan.Zlob and no action taken. I get the option to remove, which will be done after reboot. I've done it several times and still they come back. The infected files have no data in them other than the samples that came with the laptop when new.

Malwarebytes' Anti-Malware 1.28

Database version: 1268

Windows 6.0.6001 Service Pack 1

15/10/2008 00:31:12

mbam-log-2008-10-15 (00-31-04).txt

Scan type: Quick Scan

Objects scanned: 43414

Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.

C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.

C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:13:21, on 14/10/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Glary Utilities\memdefrag.exe

C:\Windows\system32\taskeng.exe

C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE

C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE

C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE

C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\ehome\EHTray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe

C:\Users\kevin\Desktop\HiJackThis.exe

O16 - DPF: {678940D3-080C-4FCE-A54D-D443E1177F01} - https://www.coolroom.com/ActiveX/ax.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AgereModemAudio - Agere Systems - C:\Windows\system32\agrsmsvc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe

O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe

O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 2740 bytes

I'm not sure what happened with the Panda scan but I got no log at the end; all I got was this:

Congratulations!

Today you are not infected.

If this needs to be done again, I'll do it later; it's really late here, 1:10am, and time for bed.

Cheers to all,

Kev


Have you instructed mbam to remove the files?

  • Launch Malwarebytes' Anti-Malware and run a manual update.
    If you encounter any problems while downloading the updates, manually download them from here
    and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete, so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM. Also, please post a fresh HijackThis log. Thanks!

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process.

Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Hi there,

Thanks very much for responding. Yes, I always ask for removal of the found malware and reboot when asked. That's the problem: when I reboot and do another scan the same three files are there again. Can I add that there is actually no data in the places the malware is found, only samples that came with the laptop. It's only about 8 weeks old. I've done the scan again and the malware is indicated again; I'll reboot after I attach the requested logs.

Malwarebytes' Anti-Malware 1.28

Database version: 1271

Windows 6.0.6001 Service Pack 1

15/10/2008 08:41:58

mbam-log-2008-10-15 (08-41-58).txt

Scan type: Quick Scan

Objects scanned: 43395

Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.

C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.

C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.

C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\ehome\EHTray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe

C:\Users\kevin\Desktop\HiJackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Users\kevin\Desktop\Security\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: Empowering Technology Launcher.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {678940D3-080C-4FCE-A54D-D443E1177F01} - https://www.coolroom.com/ActiveX/ax.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AgereModemAudio - Agere Systems - C:\Windows\system32\agrsmsvc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe

O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe

O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 5734 bytes

Thank you,

Kev

Can I add, I've rebooted and scanned again and the infected files are there again. When you select Show Results the three files are shown; again you can remove, but only after reboot:

C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.

C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.

C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.

If I right-click on any of the files within Malwarebytes I get the option to jump to the location. I do this, then right-click on the suspect file and get the option to scan with Malwarebytes again. I do this and nothing is found. I've done this on each one in turn and nothing is found. I find this very strange.

A quick scan by Malwarebytes shows the same three files as infected with Trojan.Zlob. A direct scan on the suspect file with Malwarebytes comes up clean.

I also have Windows Defender; scans are clean. AVG Professional; scans are clean. Spybot S&D; scans are clean.

Thanks again,

Kev.


Hi there 1972Vet,

Thanks for the response again. I have no other ongoing issues; all seems OK. Just one thing: item O16 in my HJT log, is that all right? I don't recognise what it is and just wondered if you knew.

If the original files I queried do turn out to be false positives, how do I stop them from showing after every scan?

Thanks very much,

Kev.


Update MBAM again. The database version is now 1274. I've a feeling the issue is resolved, as a quick scan of my own system yields no complaints from MBAM. If you want me to review your log, please post the entire thing. That particular O16 entry you point to may be harmless but I have no idea what it is. If you don't know either, you should remove it. If it turns out that you need it, you will just have to install it again, but removing the ActiveX does no harm.


Hi again 1972vet

I've already done an update to that version you mention, 1274. A new scan found the same three issues. I tried the remove/reboot. Another scan and they still show again; very frustrating.

Regarding the item I mention in my HJT log, it is harmless; it's to do with a genuine site for downloading LEGAL music and films. You can check it out here: https://www.coolroom.com I think it's part of the media setup of my system, but then again I could be wrong.

Cheers,

Kev


The typical file path to the music folder in a Vista installation by default is different from what your log shows. I just assumed you either set that up yourself, as most folks prefer to name and locate their files differently, or it's by some OEM version that sells with the system you purchased.

The MBAM scan of my system still isn't complaining, but I don't have any items tucked in those folders. I probably don't have the same type of setup that you have either. The other interesting connection to this is the O16 entry that you identified as an item that came with your system as a means for you to review music/video files before purchase. I'm curious now if MBAM is finding the download link for that feature as a trojan. To test this, run HJT again and check/fix that O16 entry. Don't forget to close all windows before clicking the Fix Checked button, then reboot to properly record that change to the hard disk. You can download and install that ActiveX again by visiting the "coolroom" site you mentioned previously, but please don't until we determine what's triggering the MBAM scan alert. I DO know there were some others having similar issues and in SOME cases the problem was indeed Zlob, but those were Windows ME and XP folks.

When the system comes back up, run another quick scan to see if you get the same findings. Please post back your results. Thanks!


Thanks for responding again. I've followed your instructions, ran HJT and then check/fixed item O16. Rebooted the laptop and ran a quick scan with Malwarebytes. Have opted to remove the found-again infected files on reboot. Ran quick scan again; same three files showing as infected.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:46:50, on 16/10/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Glary Utilities\memdefrag.exe

C:\Windows\ehome\ehtray.exe

C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE

C:\Windows\ehome\ehmsas.exe

C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE

C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE

C:\Program Files\Apoint2K\ApMsgFwd.exe

C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE

C:\Program Files\Apoint2K\Apntex.exe

C:\Users\kevin\Desktop\Security\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: Empowering Technology Launcher.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AgereModemAudio - Agere Systems - C:\Windows\system32\agrsmsvc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe

O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe

O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 5222 bytes

New log from Malwarebytes after remove/reboot of infected files:

Malwarebytes' Anti-Malware 1.28

Database version: 1276

Windows 6.0.6001 Service Pack 1

16/10/2008 17:58:02

mbam-log-2008-10-16 (17-57-57).txt

Scan type: Quick Scan

Objects scanned: 43069

Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.

C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.

C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.

These infected files/folders are not the default ones in Vista; they are separate ones.

Kev


I've finally managed to get rid of my problem files; my log from Malwarebytes is now clean. I have explained in the False Positive forum what I did; maybe this will also help the other poster Lilstormcloud at that forum.

Malwarebytes' Anti-Malware 1.28

Database version: 1276

Windows 6.0.6001 Service Pack 1

16/10/2008 23:29:50

mbam-log-2008-10-16 (23-29-50).txt

Scan type: Quick Scan

Objects scanned: 43165

Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:46:46, on 16/10/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe

C:\Program Files\Glary Utilities\memdefrag.exe

C:\Windows\ehome\ehtray.exe

C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE

C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE

C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE

C:\Windows\ehome\ehmsas.exe

C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE

C:\Program Files\Apoint2K\ApMsgFwd.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE

C:\Windows\system32\taskmgr.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Users\kevin\Desktop\Security\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"

O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: Empowering Technology Launcher.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AgereModemAudio - Agere Systems - C:\Windows\system32\agrsmsvc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe

O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe

O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 5588 bytes

Thanks,

Kev


I've finally managed to get rid of my problem files; my log from Malwarebytes is now clean. I have explained in the False Positive forum what I did; maybe this will also help the other poster Lilstormcloud at that forum.

I took a look at the FP forum where you posted the steps you took to resolve this. I'd be curious as to what those problem files were that you removed, if indeed they were files and not the URLs you mentioned here:

C:\Users\Default\My Documents\My Music\My Music.url

C:\Users\Default\My Documents\My Pictures\My Pictures.url

C:\Users\Default\My Documents\My Videos\My Video.url

I scanned the web site "coolroom" and found no issues either with that site or the scripts that Dr.Web found there. The url's themselves may have been the reason for the complaint as I have found from experience, most oem installations shake hands with third party contributors who find their way clear to either add links or software nags on preinstalled systems. Hewlett Packard is a good example of this type of agreement.

For the benefit of other forum readers who may stumble upon this thread researching their own similar issue, I should say to clear up any misconceptions that the mbam findings in the log you posted was complaining of those url's and no mention of any particular files was made.

One other note of curiosity is that I found with my own Vista installation, the file path to the "Default" users folder is hidden...which means, it won't even show up in your windows folder tree until you change system settings to "Show hidden files and folders". All that should show up under your "C:\Users" file path would be All Users and Your User Account Name.

The confusing data is that you imply you WERE able to view those folders but found no data inside them...just the sample music/video/pictures that came with the installation. Yet, your post in the fp forum states that you weren't able to see the files until you changed settings to show hidden files and folders.

What I expected was that you would not have even been able to see those folders much less what's in them until AFTER you made the system settings change to show hidden files and folders.

...At any rate, I'm glad to see that you have resolved your issue.


Hi 1972Vet,

Thanks for the response, I've probably confused things a bit. Originally, when the Malwarebytes scan found the 3 references to malware, if I right-clicked on any one I got the option to jump to that file. If I took that option and opened, say, the video one, inside were two samples: one was an excerpt about Apollo 13, the other was a short excerpt about nature.

After fixing 016 in HJT this stopped happening. After a quick scan with Malwarebytes the three references still came up; however, if you right-clicked on one, say the video again, this time there was nothing, just a document file with nothing inside. I took a note of the address C: > user > data. I couldn't find that file, that's why I chose to show hidden files/folders. When I'd done that I went to it and there were the three files. This time they looked like shortcuts, you know what I mean, a little file icon with an arrow in. When I selected any of the three they went nowhere, that's why I deleted them. After that I re-booted and carried out another scan, and this time all was clear. Does that make sense?

If you do reply again, will you leave the thread open? I'm going away later and won't be back until Sunday about 5pm GMT.

Thanks very much for all of your help, I appreciate it a lot,

Kev.


I see. Thanks for clarifying this.

I'm told that the MBAM find was indeed malicious; however, I have no idea why it was unable to remove it. This entire issue is still a bit foggy for me, since I trust that the developer of MBAM has confirmed the find as malware, but I can't find any evidence from your logs or from your description of issues (or absence of issues, I should say).

I've taken the site "coolroom" to the web sniffer and find no harmful scripts or invasive software on the page; likewise, I've scanned the site with Dr. Web and it too finds nothing to complain about. I personally find nothing wrong with a web site that recommends viewing samples of videos or music before you purchase and download them. MSN has something very similar to this.

I suspect the ActiveX control you installed from that page was the software that allowed your shortcuts to work properly, and by removing it the shortcuts were rendered useless since they pointed nowhere as a result.

This may also be why MBAM complained, as the software may have been downloading for you without your knowledge or consent. Some developers think that's just fine behavior. I disagree, but their logic is usually geared towards the claim that they want to be certain to serve you the types of video and music that evidence from your web search indicates is your preference. I'd rather be in control of what the system downloads.

Another piece of software that comes to mind which behaves this way is "WildTangent"; that's the one that I know HP used to include with their pre-installed systems. With that software loaded, I would scan with PestPatrol and it would scream about more than one thousand problems, and that was on a fresh install, while other scanners, Spybot Search and Destroy for example, would only complain about the "WildTangent" manager and leave the other files alone.

Eventually I uninstalled the software. I'm not a gamer anyway, so it was no problem for me since I didn't really use it. I did notice, as I recall, that the system performed better once I removed that software, so you may also notice some improvement in performance if that software was indeed looking for stuff to download for you (this is, by the way, trojan behavior).

Had you downloaded the samples you spoke of from that web page, or were they pre-installed with your system?

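The three flagged items in this thread are Windows Internet Shortcut (.url) files, which are small plain-text INI files with an [InternetShortcut] section whose URL key holds the target. As an added example, not code from this thread, from Malwarebytes or from any poster, here is a Python triage helper that parses such a file and reports whether it points nowhere, to a local path, to a host on a trusted list, or to an external host. The sample file contents and the trusted-host list are constructed for the example; the actual targets of the shortcuts discussed above are not known from the posts.

```python
"""Triage helper for Windows Internet Shortcut (.url) files.

A .url file is INI-formatted text, e.g.:

    [InternetShortcut]
    URL=http://example.com/page.html

Parsing the file and reading its target lets a defender see where a
flagged shortcut actually points before deciding what to do with it.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample .url contents for demonstration (not the files from
# the thread; hosts below are placeholders).
SAMPLE_EXTERNAL = """[InternetShortcut]
URL=http://example.com/samples/videos.html
IconFile=C:\\Windows\\system32\\shell32.dll
IconIndex=17
"""

SAMPLE_EMPTY = """[InternetShortcut]
URL=
"""

SAMPLE_LOCAL = """[InternetShortcut]
URL=file:///C:/Users/Public/Videos/
"""

# Assumed allowlist of hosts a shortcut may legitimately point to.
TRUSTED_HOSTS = {"www.microsoft.com", "microsoft.com"}


def read_shortcut_file(path):
    """Read a .url file from disk, handling the UTF-16 BOM some tools write."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_url_shortcut(text):
    """Return the target URL from .url file text, or None if absent/invalid."""
    text = text.lstrip("\ufeff")  # strip a UTF-8 BOM if present
    # strict=False tolerates duplicate keys; interpolation=None keeps '%' literal
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # not an INI file at all
    if not cp.has_section("InternetShortcut"):
        return None
    # configparser lower-cases option names, so "URL" is looked up as "url"
    target = cp.get("InternetShortcut", "URL", fallback="").strip()
    return target or None


def classify_shortcut(text, trusted_hosts=TRUSTED_HOSTS):
    """Classify a shortcut by its target: empty, local, trusted or external."""
    target = parse_url_shortcut(text)
    if target is None:
        return {"target": None, "host": None, "verdict": "empty"}
    parts = urlparse(target)
    host = (parts.hostname or "").lower()
    if parts.scheme == "file" or not host:
        verdict = "local"
    elif host in trusted_hosts:
        verdict = "trusted"
    else:
        verdict = "external"
    return {"target": target, "host": host or None, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in [("external", SAMPLE_EXTERNAL),
                         ("empty", SAMPLE_EMPTY),
                         ("local", SAMPLE_LOCAL)]:
        print(name, classify_shortcut(sample))
```

A shortcut that parses to an empty target is consistent with what was described in this thread (a file icon that goes nowhere); a shortcut whose target is an external host is the case worth recording before deletion, since the target, not the .url file itself, is what a scanner is usually objecting to. To check real files, pass the result of read_shortcut_file(path) to classify_shortcut.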

Hi again,

As far as I can recall I've not downloaded anything from that site. I did have a look at it and obviously installed the ActiveX control to allow this to happen. I'm practically certain that the samples were already there, so they must have come with the bundled software.

I do feel that my system is a bit more responsive, especially browsing, since fixing item 016 in HJT as you recommended. It still seems a little odd to me that MBAM would still flag up an item as malware even though it was only a shortcut that actually went nowhere.

I've worked with computers for maybe 30 years, but only in a job-specific way. I come from an engineering background within the petrochemical industry. I used computers daily, but more like a tool in my job.

It's only recently that I've started using them in a personal way, hence my naive realism with my approach to computers in general.

Not to worry, I'm sure I'll learn as I go. Cheers for all your help,

Kev.


It's not uncommon at all that web sites become infected. Sometimes web sites are hacked and some spurious malicious code injected, which is more common and in fact infuriates both web masters and visitors, but other times it's debatable whether there is some sort of agenda which their purpose serves. Who's to say which is which, and really, for the victim, who cares at that point? They just want to get the system cleaned up, and understandably so.

In your case, and after studying this issue recently, I am now convinced that MBAM did you a good service by finding the culprit and reporting it for you. Remember, I visited the site but had no problems; then again, I didn't install any ActiveX software. Had it not been for the ActiveX control, MBAM would have removed the problem and been done with it. The ActiveX control, acting out its trojan-like behavior, would re-download the problem for you, which is why upon reboot you would see the return of the same logged complaint from MBAM.

Since you've resolved this issue, and now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean). Click "Create" and reboot your computer.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?

  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Windows Vista has a software firewall built in and activated by default. And, just as with Windows XP, it's not quite the best defense, although it is a little better than its predecessor.

For those Vista users concerned about web safety, consider using the free software firewall by Comodo. It is, in my opinion, the best free firewall for Vista to date.

Stay updated with the most recent Windows patches using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation; if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:

Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

Don't forget to check your system's "defragmenter" settings. With Windows Vista, you have the option to set this as a scheduled event. It is best to have your system's "defrag" function scheduled for at least once a week.

So how did I get infected in the first place?

Regards, and Happy Surfing!


This issue appears resolved and the thread is closed to prevent others from posting here.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
