Spybot S&D > MySoft result

Thread: Spybot S&D > MySoft result

  1. #1
    Registered User
    Join Date
    Mar 2004
    Location
    Toronto, ON
    Posts
    132

    Question Spybot S&D > MySoft result

    Hey there,

    Updated my Spybot today and at the end of scan it said it found something called MySoft. It tried to remove it, but said it could not remove it all and would try at next boot. This, if we believe Spybot, failed too.

    Curious, I did a search online for MySoft and was directed to something called W32.Zori.B

    Symantec (for example) has some info about this - dated April 4 at -

    http://securityresponse.symantec.com...32.zori.b.html

    Made sure I had the most recent definitions to Ad-Aware, AVG 7 and a-squared and ran them - they found no reference to either MySoft or W32.Zori.B, while neither Symantec nor Grisoft (AVG) have individual removal tools for this listed.

    Then I went into Safe Mode and checked the Registry at the points noted by the Symantec info and found nothing.

    So....has anyone else had this show up and have they found it lurking in their computer? And, if so, where? Or is this a false positive? This has only come up in Spybot since the update today.

    Hmmmm...

  2. #2
    Registered User shamus's Avatar
    Join Date
    Apr 2001
    Location
    Cornish,Maine,USA
    Posts
    3,140
    Assuming you're running XP, make sure System Restore is disabled when you run your AV.
    Ctrl+Alt+Del and see what's running in Task Manager. See if you can stop the process there, then run your AV again.
    Download and run HiJackThis here: http://www.spywareinfo.com/~merijn/downloads.html
    Check what is under the O4 entries. There will be reg entries that are recreating the virus.

  3. #3
    Registered User Mayet's Avatar
    Join Date
    May 2001
    Location
    Hervey bay, Queensland Australia
    Posts
    2,408
    Spybot's been a bit of a letdown for a while now in anti-spyware; try downloading the MS Anti-Spyware program and running that.

    Ad-Aware also seems to fare better than Spybot at getting rid of those unwanted pesky annoyances.

    http://www.lavasoftusa.com
    Ad Aware

    http://www.microsoft.com/athome/secu...e/default.mspx
    MS Anti Spy

    AVG Free does not stop viruses from invading; it seems to only tell you after infection, and I have found it not to be able to delete, quarantine or access many viruses.

    Go somewhere like http://housecall.trendmicro.com and do an online full scan, both spyware and virus to see just what has invaded your sys and hopefully clean it off.
    Last edited by Mayet; April 10th, 2005 at 08:38 PM.

  4. #4
    Registered User
    Join Date
    Mar 2004
    Location
    Toronto, ON
    Posts
    132
    Quote Originally Posted by shamus
    Assuming you're running XP, make sure System Restore is disabled when you run your AV.
    Ctrl+Alt+Del and see what's running in Task Manager. See if you can stop the process there, then run your AV again.
    Download and run HiJackThis......
    Check what is under the O4 entries. There will be reg entries that are recreating the virus.
    Sorry, I should have mentioned that after ensuring I had the most recent reference files for the mentioned scanners, I turned off System Restore, deleted my Prefetch and *then* went to Safe Mode to do the scans and check regedit. As noted, nothing found by anything.

    My AVG had a Priority Update today (11 April) which I installed, again turned off System Restore and went into Safe Mode - same result.

    Spybot still shows MySoft as a problem, with a + mark opening up the note -

    Redirected Host
    sitefinder.verisign.com =127.0.0.1

    I'll take some time and see what HiJackThis has to say and maybe do an online scan, too - just to see what comes of that.

    I am usually very circumspect about what comes into my machine and rarely open (even expected) attachments - and never without an AV scan first, but if it's new I guess the various programs may not have caught up yet. Still, like I say, at least on a cursory glance, its markers don't seem to be there.

    Hmmm.

  5. #5
    Registered User TechZ's Avatar
    Join Date
    Apr 2003
    Location
    Bahrain, Middle East
    Posts
    7,525
    http://www.tasklist.org/task_winexplor_exe_5334.html
    This site lists it as a Homepage Hijacker.

    Are you sure you've run all three free spyware cleaners?

    Also try Panda Online Scan: http://www.pandasoftware.com/activescan

  6. #6
    Registered User
    Join Date
    Mar 2004
    Location
    Toronto, ON
    Posts
    132
    I've got my homepage locked, so I've not seen a try there.

    I got an updated reference file from Ad-Aware today and ran that - it doesn't see it. In fact, so far, only Spybot makes any reference to it at all. I've not got MS AntiSpyware at the moment, but I'm not entirely sure that additional software that may/may not be able see it (but not remove it) is of any real value.

    Trend Micro's online scan found zip, too.

    I guess I'll go with HiJackThis and see what it says. Can't help wondering if this is a false positive....

  7. #7
    Registered User
    Join Date
    Mar 2004
    Location
    Toronto, ON
    Posts
    132

    OK, here's the HiJackThis log...

    And unless I'm incredibly dense (no comments please) I don't think I'm seeing anything that surprises me here. Not dead keen about the references to Messenger, but I believe I've turned that off via Steve Gibson's software...

    Logfile of HijackThis v1.99.1
    Scan saved at 10:45:49 AM, on 11/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\KlipFolio\KlipFolio.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Documents and Settings\Barry\Desktop\HijackThis v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lite.rogers.yahoo.com/p/1.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Barry's IE6
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: 193.86.103.19 guru.grisoft.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [KlipFolio] "C:\Program Files\KlipFolio\KlipFolio.exe" /BOOT
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CACHE
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Send to Sunrise - C:\Program Files\Sunrise\sts\sts.html
    O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    So, thoughts and ideas? Thanks!
    Last edited by bazcook; April 11th, 2005 at 11:00 AM.
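    The log above is the kind of thing read line by line: O1 hosts-file entries (the "Redirected Host" note Spybot showed in #4 is the same idea) and the O4 autorun keys shamus pointed at in #2. As an added example, not code from the thread, from Spybot or from HijackThis, here is a small Python triage parser for those two line types. The sample lines are constructed from the log above; the `example` autorun and its path are invented to show an entry outside the usual program directories.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the HijackThis v1.99.1 lines in the thread; the
# loopback sitefinder line mirrors Spybot's "Redirected Host" note, and the last
# O4 line is an invented entry placed outside the usual program directories.
SAMPLE_LOG = """\
O1 - Hosts: 193.86.103.19 guru.grisoft.com
O1 - Hosts: 127.0.0.1 sitefinder.verisign.com
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\RunOnce: [MRUBlaster] C:\\Program Files\\MRU-Blaster\\indexcleaner.exe -CACHE
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKCU\\..\\Run: [example] C:\\Documents and Settings\\User\\Local Settings\\Temp\\x.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
LOOPBACK = ("127.", "0.0.0.0", "::1")
TRUSTED_DIRS = ("C:\\PROGRAM FILES", "C:\\PROGRA~1", "C:\\WINDOWS")
HostsEntry = namedtuple("HostsEntry", "ip name kind")      # kind: block | redirect
RunEntry = namedtuple("RunEntry", "hive key name command")

def parse_hjt(text):
    """Split a HijackThis log into O1 hosts-file entries and O4 registry autoruns."""
    hosts, runs = [], []
    for line in text.splitlines():
        hm, rm = HOSTS_RE.match(line), RUN_RE.match(line)
        if hm:  # loopback/null targets block a name; any other target re-points it
            ip, name = hm.groups()
            hosts.append(HostsEntry(ip, name, "block" if ip.startswith(LOOPBACK) else "redirect"))
        elif rm:
            runs.append(RunEntry(*rm.groups()))
    return hosts, runs

def exe_path(command):
    """Strip quotes and arguments from an O4 command, leaving the executable path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    toks = command.split()
    for i, tok in enumerate(toks):
        if tok.lower().endswith(".exe"):
            return " ".join(toks[: i + 1])
    return command

def redirected_hosts(text):  # names sent to a remote address rather than loopback
    return [h for h in parse_hjt(text)[0] if h.kind == "redirect"]

def unusual_run_entries(text):  # autoruns outside the usual program dirs (review, not a verdict)
    runs = parse_hjt(text)[1]
    return [r for r in runs if not exe_path(r.command).upper().startswith(TRUSTED_DIRS)]
```

A hosts entry that points a vendor name at a remote address (as opposed to loopback blocking) is worth checking against the vendor's real address; a flagged autorun is a starting point for inspection, not proof of anything.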

  8. #8
    Registered User shamus's Avatar
    Join Date
    Apr 2001
    Location
    Cornish,Maine,USA
    Posts
    3,140
    Nothing jumps out at me either. On the Symantec page you posted it does mention uninstalling and reinstalling NAV. Have you tried that? Seeing how this thing attaches itself to exe files, that would make sense. The fact that it starts deleting files 9 days after infection would worry me...

  9. #9
    Registered User
    Join Date
    Mar 2004
    Location
    Toronto, ON
    Posts
    132
    Yeah, I'm not dead keen on that possibility, either.

    I don't actually run Symantec - that's just one of the obvious places Google offered me. I use AVG. For what it's worth, I've posted to their forum and am awaiting a response.

    I don't know whether uninstalling / reinstalling AVG would have the same effect. I don't get that connection at any rate. OK, I am dense....

    Again, I haven't experienced the bmp image nor any of the registry changes that Symantec noted, so... strange, n'est-ce pas?
    Last edited by bazcook; April 11th, 2005 at 11:02 AM.

  10. #10
    Registered User shamus's Avatar
    Join Date
    Apr 2001
    Location
    Cornish,Maine,USA
    Posts
    3,140
    Very. If you have a cd burner there's a great download @ http://nyquil-kid.dyndns.org/ you can boot from the cd and it will search for viruses. Another thought would be to try Stinger from McAfee - http://vil.nai.com/vil/stinger/

  11. #11
    Registered User
    Join Date
    Mar 2004
    Location
    Toronto, ON
    Posts
    132
    I'll give a thought to nyquil should nothing else pan out - while I note the Stinger webpage dates it to the beginning of March - about a month behind the variant's date according to the Symantec info - and no note of it in the included list.

    Rats!

  12. #12
    Registered User shamus's Avatar
    Join Date
    Apr 2001
    Location
    Cornish,Maine,USA
    Posts
    3,140
    Rats is right. You could give this a shot - http://www.microsoft.com/security/ma...e/default.mspx

  13. #13
    Registered User
    Join Date
    Mar 2004
    Location
    Toronto, ON
    Posts
    132
    Double rats!

    Downloaded, run and - no malicious software was found.....

  14. #14
    Registered User shamus's Avatar
    Join Date
    Apr 2001
    Location
    Cornish,Maine,USA
    Posts
    3,140
    ooookay. Give this a shot - http://www.microsoft.com/downloads/d...displaylang=en

    Update the definitions, then run it.

  15. #15
    Registered User
    Join Date
    Mar 2004
    Location
    Toronto, ON
    Posts
    132
    Downloaded but haven't done anything about it yet.

    Meanwhile, a bit of a surprise from elsewhere - I happened to post a query on the Maxthon browser forum about this (I had just updated that this weekend too and just *wondered*) and, as it happens, there are others - and it happened to some on an earlier version of Maxthon last month, using TrojanHunter as their spyware scanner.

    Seems TrojanHunter blamed something in Maxthon, while the recent one is less-specific but as reported by Spybot only.

    So, could be false positives after all - and some tidying up needed in Maxthon. One can hope.

    http://forum.maxthon.com/forum/index...st=0&p=122760&

    I won't simply rely on these reports but will keep myself open to other potential sources, but it is moderately comforting to note others are suffering too and we may know the (benign) source.

    Schadenfreude modified.
