kevinf80 Posted October 15, 2008 ID:30907

Hi there,

I've been redirected here from the general forum. Each time I scan with Malwarebytes I get the same result, three files infected with Trojan.zlob and no action taken. I get the option to remove, which will be done after re-boot. I've done it several times and still they come back. The infected files have no data in other than the samples that came with the laptop when new.

Malwarebytes' Anti-Malware 1.28
Database version: 1268
Windows 6.0.6001 Service Pack 1

15/10/2008 00:31:12
mbam-log-2008-10-15 (00-31-04).txt

Scan type: Quick Scan
Objects scanned: 43414
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13:21, on 14/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Glary Utilities\memdefrag.exe
C:\Windows\system32\taskeng.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\ehome\EHTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Users\kevin\Desktop\HiJackThis.exe

O16 - DPF: {678940D3-080C-4FCE-A54D-D443E1177F01} - https://www.coolroom.com/ActiveX/ax.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AgereModemAudio - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 2740 bytes

I'm not sure what happened with the Panda scan but I got no log at the end; all I got was this:

Congratulations!
Today you are not infected.

If this needs to be done again, I'll do it later. It's really late here (1:10am) and time for bed.

Cheers to all,
Kev
1972vet Posted October 15, 2008 ID:30908

Have you instructed mbam to remove the files?

Launch Malwarebytes' Anti-Malware and run a manual update. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad.
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM...also, please post a fresh HijackThis log. Thanks!

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
kevinf80 Posted October 15, 2008 Author ID:30936

Hi there,

Thanks very much for responding. Yes, I always ask for removal of the found malware and re-boot when asked. That's the problem: when I reboot and do another scan the same three files are there again. Can I add that there is actually no data in the places the malware is found, only samples that came with the laptop. It's only about 8 weeks old. I've done the scan again and the malware is indicated again; I'll reboot after I attach the requested logs.

Malwarebytes' Anti-Malware 1.28
Database version: 1271
Windows 6.0.6001 Service Pack 1

15/10/2008 08:41:58
mbam-log-2008-10-15 (08-41-58).txt

Scan type: Quick Scan
Objects scanned: 43395
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.

C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\ehome\EHTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Users\kevin\Desktop\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\kevin\Desktop\Security\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O16 - DPF: {678940D3-080C-4FCE-A54D-D443E1177F01} - https://www.coolroom.com/ActiveX/ax.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AgereModemAudio - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5734 bytes

Thank you,
Kev

Can I add, I've re-booted and scanned again and the infected files are there again. When you select Show Results the three files are shown; again you can remove, but only after re-boot.

C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.

If I right click on any of the files within Malwarebytes I get the option to jump to the location. I do this, then right click on the suspect file and I get the option to scan with Malwarebytes again. I do this and nothing is found. I've done this on each one in turn and nothing is found. I find this very strange. A quick scan by Malwarebytes shows the same three files as infected with Trojan.Zlob. A direct scan on the suspect file with Malwarebytes comes up clean.

I also have Windows Defender; scans are clean. AVG Professional; scans are clean. Spybot S&D; scans are clean.

Thanks again,
Kev.
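The pattern in the posts above (the same three entries reported on every quick scan, "No action taken" before the reboot, "Delete on reboot" after, then back again) is easier to judge across several logs when the logs are parsed rather than eyeballed. The following is an added Python example, not code from the thread or from Malwarebytes: it parses the MBAM 1.x log layout shown in the posts, checks that the summary counts agree with the detail sections, lists what the scanner did not remove, and reports items that recur in every log, which is the signal for either real persistence or a false positive. The sample logs are constructed for the example, modelled on the posted ones and trimmed to the sections the parser needs.

```python
import re
from dataclasses import dataclass

# Constructed sample logs in the layout of Malwarebytes' Anti-Malware 1.28 output,
# modelled on the logs posted in this thread and trimmed; not the poster's files.
LOG_FIRST_SCAN = r"""
Malwarebytes' Anti-Malware 1.28
Database version: 1268
Windows 6.0.6001 Service Pack 1

15/10/2008 00:31:12
mbam-log-2008-10-15 (00-31-04).txt

Scan type: Quick Scan
Objects scanned: 43414
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.
"""

LOG_AFTER_REBOOT = r"""
Malwarebytes' Anti-Malware 1.28
Database version: 1271
Scan type: Quick Scan

Files Infected: 3

Files Infected:
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.
"""

LOG_CLEAN = r"""
Malwarebytes' Anti-Malware 1.28
Database version: 1276
Scan type: Quick Scan

Files Infected: 0

Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # path, registry key or process name
    name: str      # detection name, e.g. "Trojan.Zlob"
    action: str    # "No action taken", "Delete on reboot", "Quarantined and deleted successfully", ...


def parse_mbam_log(text):
    """Split an MBAM 1.x log into (header fields, summary counts, detections)."""
    header, counts, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = COUNT_RE.match(line)
        if m:                                 # summary block: "Files Infected: 3"
            counts[m["section"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:                                 # detail block header: "Files Infected:"
            section = m["section"]
            continue
        if section is not None:               # inside a detail block: item lines only
            m = ENTRY_RE.match(line)
            if m:
                detections.append(Detection(section, m["item"], m["name"], m["action"]))
            continue
        if ": " in line:                      # header: "Database version: 1268" etc.
            key, value = line.split(": ", 1)
            header[key] = value
    return header, counts, detections


def counts_match_details(text):
    """True when every summary count equals the number of entries listed under that section."""
    _, counts, detections = parse_mbam_log(text)
    listed = {}
    for d in detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return all(listed.get(sec, 0) == n for sec, n in counts.items())


def not_removed(text):
    """Detections the scanner had not removed when the log was written."""
    return [d for d in parse_mbam_log(text)[2]
            if d.action in ("No action taken", "Delete on reboot")]


def recurring_items(logs):
    """Items reported in every one of the given logs: a detection that survives
    removal and reboot is either persistence or a false positive and needs a look."""
    per_log = [{d.item for d in parse_mbam_log(t)[2]} for t in logs]
    return sorted(set.intersection(*per_log)) if per_log else []


if __name__ == "__main__":
    for d in not_removed(LOG_AFTER_REBOOT):
        print(f"{d.action:16} {d.name:12} {d.item}")
    print("recurring:", recurring_items([LOG_FIRST_SCAN, LOG_AFTER_REBOOT]))
```

Feeding the three logs from a single machine to recurring_items gives the three .url paths for the first two scans and an empty list once the clean log is included, which is exactly the progression the thread describes.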
1972vet Posted October 15, 2008 ID:30961

There's an ongoing discussion regarding these files in the FP thread. I DO believe they are a false positive reading...you can check that by scanning at VirusTotal if you like. Are you having any other issues?
kevinf80 Posted October 15, 2008 Author ID:30967

Hi there 1972Vet,

Thanks for the response again. I have no other ongoing issues, all seems OK. Just one thing, item 16 in my HJT log: is that alright? I don't recognise what it is and just wondered if you knew? If the original files I queried do turn out to be false positives, how do I stop them from showing after every scan?

Thanks very much,
Kev.
1972vet Posted October 15, 2008 ID:31022

Update mbam again. The database version is now 1274. I've a feeling the issue is resolved, as a quick scan of my own system yields no complaints from mbam. If you want me to review your log, please post the entire thing. That particular O16 entry you point to may be harmless but I have no idea what it is. If you don't know either, you should remove it. If it turns out that you need it, you will just have to install it again...but removing the ActiveX does no harm.
kevinf80 Posted October 15, 2008 Author ID:31033

Hi again 1972vet,

I've already done an update to that version you mention, 1274. A new scan found the same three issues. I tried the remove/re-boot. Another scan and they still show again, very frustrating. Regarding the item I mention in my HJT log, it is harmless; it's to do with a genuine site for downloading LEGAL music & films, you can check it out here: https://www.coolroom.com I think it's part of the media set-up of my system, but then again I could be wrong.

Cheers,
Kev
1972vet Posted October 16, 2008 ID:31094

The typical file path to the music folder in a Vista installation by default is different from what your log shows...I just assumed you either set that up yourself, as most folks prefer to name and locate their files differently, or it's by some OEM version that sells with the system you purchased.

The mbam scan of my system still isn't complaining but I don't have any items tucked in those folders. I probably don't have the same type of set-up that you have either. The other interesting connection to this is the O16 entry that you identified as an item that came with your system as a means for you to review music/video files before purchase. I'm curious now if mbam is finding the download link for that feature as a trojan.

To test this, run hjt again and check/fix that O16 entry. Don't forget to close all windows before clicking the Fix Checked button...then reboot to properly record that change to the hard disk. You can download and install that ActiveX again by visiting the "coolroom" site you mentioned previously, but please don't until we determine what's triggering the mbam scan alert. I DO know there were some others having similar issues and in SOME cases the problem was indeed zlob...but those were Windows ME and XP folks.

When the system comes back up, run another quick scan to see if you get the same findings. Please post back your results. Thanks!
kevinf80 Posted October 16, 2008 Author ID:31099

Thanks for responding again. I've followed your instructions, run HJT and then checked/fixed item O16. Rebooted laptop and ran quick scan with Malwarebytes. Have opted to remove the found-again infected files on re-boot. Ran quick scan again, same three files showing as infected.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:46:50, on 16/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Glary Utilities\memdefrag.exe
C:\Windows\ehome\ehtray.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Users\kevin\Desktop\Security\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AgereModemAudio - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5222 bytes

New log from Malwarebytes after remove/re-boot of infected files:

Malwarebytes' Anti-Malware 1.28
Database version: 1276
Windows 6.0.6001 Service Pack 1

16/10/2008 17:58:02
mbam-log-2008-10-16 (17-57-57).txt

Scan type: Quick Scan
Objects scanned: 43069
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.

These infected files/folders are not the default ones in Vista, they are separate ones.

Kev
kevinf80 Posted October 16, 2008 Author ID:31147

I've finally managed to get rid of my problem files, my log from Malwarebytes is now clean. I have explained in the False Positive forum what I did, maybe this will also help the other poster Lilstormcloud at that forum.

Malwarebytes' Anti-Malware 1.28
Database version: 1276
Windows 6.0.6001 Service Pack 1

16/10/2008 23:29:50
mbam-log-2008-10-16 (23-29-50).txt

Scan type: Quick Scan
Objects scanned: 43165
Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:46:46, on 16/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Glary Utilities\memdefrag.exe
C:\Windows\ehome\ehtray.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\kevin\Desktop\Security\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AgereModemAudio - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5588 bytes

Thanks,
Kev
1972vet Posted October 17, 2008 ID:31152

> I've finally managed to get rid of my problem files, my log from Malwarebytes is now clean. I have explained in the False Positive forum what I did, maybe this will also help the other poster Lilstormcloud at that forum.

I took a look at the FP forum where you posted the steps you took to resolve this. I'd be curious as to what those problem files were that you removed, if indeed they were files and not the URLs you mentioned here:

C:\Users\Default\My Documents\My Music\My Music.url
C:\Users\Default\My Documents\My Pictures\My Pictures.url
C:\Users\Default\My Documents\My Videos\My Video.url

I scanned the web site "coolroom" and found no issues either with that site or the scripts that Dr.Web found there. The URLs themselves may have been the reason for the complaint, as I have found from experience most OEM installations shake hands with third party contributors who find their way clear to either add links or software nags on preinstalled systems. Hewlett Packard is a good example of this type of agreement.

For the benefit of other forum readers who may stumble upon this thread researching their own similar issue, I should say, to clear up any misconceptions, that the mbam findings in the log you posted were complaining of those URLs and no mention of any particular files was made.

One other note of curiosity is that I found with my own Vista installation, the file path to the "Default" users folder is hidden...which means it won't even show up in your Windows folder tree until you change system settings to "Show hidden files and folders". All that should show up under your "C:\Users" file path would be All Users and your user account name.

The confusing data is that you imply you WERE able to view those folders but found no data inside them...just the sample music/video/pictures that came with the installation. Yet, your post in the FP forum states that you weren't able to see the files until you changed settings to show hidden files and folders. What I expected was that you would not have even been able to see those folders, much less what's in them, until AFTER you made the system settings change to show hidden files and folders.

At any rate, I'm glad to see that you have resolved your issue.
kevinf80 Posted October 17, 2008 Author ID:31216

Hi 1972Vet,

Thanks for the response, I've probably confused things a bit. Originally, when the Malwarebytes scan found the 3 references to malware, if I right clicked on any one I got the option to jump to that file. If I took that option and opened, say, the video one, inside were two samples: one was an excerpt about Apollo 13, the other was a short excerpt about nature. After fixing O16 in HJT this stopped happening. After a quick scan with Malwarebytes the three references still came up; however, if you right clicked on one, say the video again, this time there was nothing, just a document file with nothing inside. I took a note of the address C: > user > data. I couldn't find that file, that's why I chose to show hidden files/folders. When I'd done that I went to it and there were the three files. This time they looked like shortcuts, you know what I mean, a little file icon with an arrow in. When I selected any of the three they went nowhere, that's why I deleted them. After that I re-booted and carried out another scan, this time all was clear.. Does that make sense?

If you do reply again will you leave the thread open, I'm going away later and won't be back until Sunday about 5pm GMT.

Thanks very much for all of your help, I appreciate it a lot,
Kev.
1972vet Posted October 17, 2008 ID:31251

I see. Thanks for clarifying this. I'm told that the mbam find was indeed malicious, however I have no idea why it was unable to remove it. This entire issue is still a bit foggy for me since I trust that the developer of mbam has confirmed the find as malware, but I can't find any evidence from your logs or from your description of issues (or absence of issues, I should say).

I've taken the site "coolroom" to the web sniffer and find no harmful scripts or invasive software on the page...likewise, I've scanned the site with Dr. Web and it too finds nothing to complain about. I personally find nothing wrong with a web site that recommends viewing samples of videos or music before you purchase and download them...msn has something very similar to this.

I suspect the ActiveX you installed from that page was the software that allowed your shortcuts to work properly, and by removing it the shortcuts were rendered useless since they pointed nowhere as a result. This may also be why mbam complained, as the software may have been downloading for you without your knowledge or consent. Some developers think that's just fine behavior. I disagree, but their logic is usually geared towards the claim that they want to be certain to serve you the types of video and music that evidence from your web search indicates is your preference. I'd rather be in control of what the system downloads.

Another piece of software that comes to mind which behaves this way is "WildTangent"...that's the one that I know HP used to include with their pre-installed systems. With that software loaded, I would scan with PestPatrol and it would scream about more than one thousand problems, and that was on a fresh install, while other scanners, Spybot Search and Destroy for example, would only complain about the "WildTangent" manager and leave the other files alone. Eventually I uninstalled the software. I'm not a gamer anyway, so it was no problem for me since I didn't really use it. I did notice, as I recall, the system did perform better once I removed that software, so you may also notice some improvement in performance if that software was indeed looking for stuff to download for you (this is, by the way, trojan behavior).

Had you downloaded the samples you spoke of from that web page, or were they pre-installed with your system?
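The posts above turn on three .url shortcut files that a scanner flagged and that, once opened, "went nowhere". A .url file is a small INI-style text file with an [InternetShortcut] section whose URL= line is the target, so the first thing a helper can do before trusting or deleting such a file is read that target and sort it: blank, a local path, or a remote host. The script below is an added example written for this thread, not code from Malwarebytes, HijackThis or either poster; the sample shortcut bodies are constructed for the demo, and hosts such as media.example.com are placeholders, not anything seen in the logs.

```python
"""Triage Windows .url (InternetShortcut) files when a scanner flags them:
read the URL= target of each file and give it a verdict a helper can act on.

Added example for this thread; not Malwarebytes' or HijackThis code.
The SAMPLE_SHORTCUTS bodies below are constructed for the demonstration."""
from __future__ import annotations

import configparser
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# A Windows drive path such as C:\Users\... or C:/Users/...
_DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")


@dataclass
class ShortcutFinding:
    name: str
    target: str | None
    verdict: str  # empty | filesystem | remote | other | unparseable
    note: str


def parse_internet_shortcut(body: str) -> str | None:
    """Return the URL= value of an [InternetShortcut] body.

    Returns None when the body has no [InternetShortcut] section at all, and
    "" when the section exists but carries no (or a blank) URL= line."""
    # .url files are INI-style; strict=False tolerates repeated keys/sections
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(body.lstrip("\ufeff"))  # drop a UTF-8 BOM if present
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            value = cp.get(section, "url", fallback=None)  # keys are lowercased
            return value if value is not None else ""
    return None


def classify_target(target: str | None) -> tuple[str, str]:
    """Map a shortcut target to a (verdict, note) pair."""
    if target is None:
        return "unparseable", "no [InternetShortcut] section; not a shortcut"
    target = target.strip()
    if not target:
        return "empty", "URL= is blank; the shortcut goes nowhere"
    if _DRIVE_PATH.match(target) or target.startswith("\\\\"):
        return "filesystem", f"points at a local or UNC path: {target}"
    parsed = urlparse(target)
    if parsed.scheme == "file":
        return "filesystem", f"file: URL for {parsed.path}"
    if parsed.scheme in ("http", "https", "ftp"):
        # A remote target is what deserves a closer look before the file is trusted
        return "remote", f"fetches from host {parsed.hostname}"
    return "other", f"scheme {parsed.scheme or '(none)'!r} not recognised"


def triage_shortcuts(shortcuts: dict[str, str]) -> list[ShortcutFinding]:
    """Classify every (file name -> file body) pair and return the findings."""
    findings = []
    for name, body in shortcuts.items():
        target = parse_internet_shortcut(body)
        verdict, note = classify_target(target)
        findings.append(ShortcutFinding(name, target, verdict, note))
    return findings


# Constructed sample bodies, named after the three shortcuts in the thread.
SAMPLE_SHORTCUTS = {
    "My Music.url": "[InternetShortcut]\r\nURL=http://media.example.com/samples/music\r\n",
    "My Pictures.url": "\ufeff[InternetShortcut]\r\nURL=file:///C:/Users/Public/Pictures/\r\n",
    "My Video.url": "[InternetShortcut]\r\nURL=\r\nIconIndex=0\r\n",
    "Notes.url": "this is not a shortcut at all\r\n",
}

if __name__ == "__main__":
    for f in triage_shortcuts(SAMPLE_SHORTCUTS):
        print(f"{f.name:18} {f.verdict:12} {f.note}")
```

To run it against real files, read each .url with `open(path, encoding="utf-8", errors="replace").read()` and pass the name/body pairs to `triage_shortcuts`; the "remote" verdict is the one worth checking against the hosts you expect a preinstalled shortcut to reach, while "empty" explains a shortcut that opens nothing.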
kevinf80 Posted October 19, 2008 Author ID:31505

Hi again,

As far as I can recall I've not d/loaded anything from that site. I did have a look at it and obviously installed the ActiveX control to allow this to happen. I'm practically certain that the samples were already there, so they must have come with the bundled software. I do feel that my system is a bit more responsive, especially browsing, since fixing item O16 in HJT as you recommended. It still seems a little odd to me that mbam would still flag up an item as malware even though it was only a shortcut that actually went nowhere.

I've worked with computers for maybe 30 years, but only in a job specific way. I come from an Engineering background within the Petrochemical Industry. I used computers daily, but more like a tool in my job. It's only recently that I've started using them in a personal way, hence my naive realism with my approach to computers in general. Not to worry, I'm sure I'll learn as I go.

Cheers for all your help,
Kev.
1972vet Posted October 20, 2008 ID:31578

It's not uncommon at all that web sites become infected. Sometimes web sites are hacked and some spurious malicious code injected, which is more common and in fact infuriates both web masters and visitors, but other times it's debatable whether there is some sort of agenda which their purpose serves. Who's to say which is which and really, for the victim, who really cares at that point...they just want to get the system cleaned up, and understandably so.

In your case, and after studying this issue recently, I am now convinced that mbam did you a good service by finding the culprit and reporting it for you. Remember, I visited the site but had no problems...then, I didn't install any ActiveX software. Had it not been for the ActiveX control, mbam would have removed the problem and been done with it. The ActiveX control, acting out its trojan-like behavior, would redownload the problem for you...which is why upon reboot you would see the return of the same logged complaint from mbam.

Since you've resolved this issue and now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check the 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean). Click "Create" and reboot your computer.

To assist in the prevention of spyware infections:

Immunize your browser by installing SpywareBlaster. What does it do? Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Windows Vista has a software firewall built in and activated by default. And, just as with Windows XP, it's not quite the best defense, although it is a little better than its predecessor. For those Vista users concerned about web safety, consider using the free software firewall by Comodo. It is, in my opinion, the best free firewall for Vista to date.

Stay updated with the most recent Windows patches using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing. If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup. Or, if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup"), just open the utility and check off the following: Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

Don't forget to check your system's "defragmenter" settings. With Windows Vista, you have the option to set this as a scheduled event. It is best to have your system's "defrag" function scheduled for at least once a week.

So how did I get infected in the first place?

Regards, and Happy Surfing!
1972vet Posted October 20, 2008 ID:31579

This issue appears resolved and the thread is closed to prevent others from posting here. Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.