-
April 10th, 2005, 05:17 PM
#1
Spybot S&D > MySoft result
Hey there,
Updated my Spybot today and at the end of scan it said it found something called MySoft. It tried to remove it, but said it could not remove it all and would try at next boot. This, if we believe Spybot, failed too.
Curious, I did a search online for MySoft and was directed to something called W32.Zori.B
Symantec (for example) has some info about this - dated April 4 at -
http://securityresponse.symantec.com...32.zori.b.html
Made sure I had the most recent definitions to Ad-Aware, AVG 7 and a-squared and ran them - they found no reference to either MySoft or W32.Zori.B, while neither Symantec nor Grisoft (AVG) have individual removal tools for this listed.
Then I went into Safe Mode and checked the Registry at the points noted by the Symantec info and found nothing.
So....has anyone else had this show up and have they found it lurking in their computer? And, if so, where? Or is this a false positive? This has only come up in Spybot since the update today.
Hmmmm...
-
April 10th, 2005, 07:34 PM
#2
Registered User
Assuming you're running XP, make sure System Restore is disabled when you run your AV.
Ctrl+Alt+Del and see what's running in Task Manager. See if you can stop the process there, then run your AV again.
Download and run HiJackThis here: http://www.spywareinfo.com/~merijn/downloads.html
Check what is under the O4 entries. There will be reg entries that are recreating the virus.
-
April 10th, 2005, 08:35 PM
#3
Registered User
Spybot's been a bit of a letdown for a while now in anti-spyware; try downloading the MS Anti-Spyware proggy and running that.
Ad-Aware also seems to fare better than Spybot at getting rid of those unwanted pesky annoyances.
http://www.lavasoftusa.com
Ad Aware
http://www.microsoft.com/athome/secu...e/default.mspx
MS Anti Spy
AVG Free does not stop viruses from invading; it seems to only tell you after infection, and I have found it unable to delete, quarantine or access many viruses.
Go somewhere like http://housecall.trendmicro.com and do an online full scan, both spyware and virus to see just what has invaded your sys and hopefully clean it off.
Last edited by Mayet; April 10th, 2005 at 08:38 PM.
-
April 11th, 2005, 07:34 AM
#4
Originally Posted by shamus
Assuming you're running XP, make sure System Restore is disabled when you run your AV.
Ctrl+Alt+Del and see what's running in Task Manager. See if you can stop the process there, then run your AV again.
Download and run HiJackThis......
Check what is under the O4 entries. There will be reg entries that are recreating the virus.
Sorry, I should have mentioned that after ensuring I had the most recent reference files for the mentioned scanners, I turned off System Restore, deleted my Prefetch and *then* went to Safe Mode to do the scans and check regedit. As noted, nothing found by anything.
My AVG had a Priority Update today (11 April) which I installed, again turned off System Restore and went into Safe Mode - same result.
Spybot still shows MySoft as a problem, with a + mark opening up the note -
Redirected Host
sitefinder.verisign.com =127.0.0.1
I'll take some time and see what HiJackThis has to say and maybe do an online scan, too - just to see what comes of that.
I am usually very circumspect about what comes into my machine and rarely open (even expected) attachments - and never without an AV scan first - but if it's new I guess the various programs may not have caught up yet. Still, like I say, at least on a cursory glance, its markers don't seem to be there.
Hmmm.
-
April 11th, 2005, 07:48 AM
#5
Registered User
http://www.tasklist.org/task_winexplor_exe_5334.html
This site lists it as a Homepage Hijacker.
Are you sure you've run all three free spyware cleaners?
Also try Panda Online Scan: http://www.pandasoftware.com/activescan
-
April 11th, 2005, 09:11 AM
#6
I've got my homepage locked, so I've not seen a try there.
I got an updated reference file from Ad-Aware today and ran that - it doesn't see it. In fact, so far, only Spybot makes any reference to it at all. I've not got MS AntiSpyware at the moment, but I'm not entirely sure that additional software that may or may not be able to see it (but not remove it) is of any real value.
Trend Micro's online scan found zip, too.
I guess I'll go with HiJackThis and see what it says. Can't help wondering if this is a false positive....
-
April 11th, 2005, 09:54 AM
#7
OK, here's the HiJackThis log...
And unless I'm incredibly dense (no comments please) I don't think I'm seeing anything that surprises me here. Not dead keen about the references to Messenger, but I believe I've turned that off via Steve Gibson's software...
Logfile of HijackThis v1.99.1
Scan saved at 10:45:49 AM, on 11/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\KlipFolio\KlipFolio.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Barry\Desktop\HijackThis v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lite.rogers.yahoo.com/p/1.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Barry's IE6
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 193.86.103.19 guru.grisoft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [KlipFolio] "C:\Program Files\KlipFolio\KlipFolio.exe" /BOOT
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CACHE
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Send to Sunrise - C:\Program Files\Sunrise\sts\sts.html
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
So, thoughts and ideas? Thanks!
Last edited by bazcook; April 11th, 2005 at 11:00 AM.
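The only concrete indicator in the whole thread is a hosts-file entry: Spybot's "Redirected Host" note (sitefinder.verisign.com pointed at 127.0.0.1) and the O1 line in the HijackThis log above (guru.grisoft.com pointed at 193.86.103.19). Those two kinds of entry mean different things, and a small triage script makes the distinction mechanical. The code below is an added example written for this page, not a tool from the thread, from Spybot or from HijackThis; it accepts the three line shapes that appear in the thread (a HijackThis O1 line, Spybot's "name =address" note, and a raw hosts-file line), and the classification rule is my own: a name sent to a loopback or unspecified address is merely blocked on this machine, while a name sent to any remote address is flagged for review because it changes where that name actually resolves. The sample lines are constructed from the ones quoted in the thread plus one made-up blocklist entry.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the O1 line and the Spybot note quoted in the
# thread, a normal localhost line, a comment, and a made-up blocklist entry.
SAMPLE_LINES = [
    "O1 - Hosts: 193.86.103.19 guru.grisoft.com",
    "sitefinder.verisign.com =127.0.0.1",
    "127.0.0.1 localhost",
    "# comment line",
    "0.0.0.0 ads.example.invalid   # constructed blocklist entry",
]

# Line shapes accepted: HijackThis "O1 - Hosts: <ip> <name>",
# Spybot's "Redirected Host" form "<name> =<ip>", and a plain hosts line.
HIJACKTHIS_O1 = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(\S+)")
SPYBOT_REDIRECT = re.compile(r"^(\S+)\s*=\s*(\S+)$")
HOSTS_LINE = re.compile(r"^(\S+)\s+(\S+)")


@dataclass
class HostEntry:
    ip: str
    host: str
    verdict: str  # "localhost", "blocked", "redirected" or "unparseable"


def parse_entry(line):
    """Return (ip, host) for one line, or None for comments and blank lines."""
    line = line.split("#", 1)[0].strip()  # drop trailing hosts-file comments
    if not line:
        return None
    m = HIJACKTHIS_O1.match(line)
    if m:
        return m.group(1), m.group(2)
    m = SPYBOT_REDIRECT.match(line)
    if m:
        return m.group(2), m.group(1)  # Spybot prints name first, address second
    m = HOSTS_LINE.match(line)
    if m:
        return m.group(1), m.group(2)
    return None


def classify(ip, host):
    """Heuristic (assumption of this example): loopback/unspecified targets only
    block a name; any remote target changes where the name resolves."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparseable"
    if host.lower() in ("localhost", "localhost.localdomain"):
        return "localhost"
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"
    return "redirected"


def triage(lines):
    """Parse every recognisable line and attach a verdict to it."""
    entries = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        ip, host = parsed
        entries.append(HostEntry(ip, host, classify(ip, host)))
    return entries


def needs_review(entries):
    """Names whose resolution has been changed to a remote address."""
    return [e.host for e in entries if e.verdict == "redirected"]


if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for e in results:
        print(f"{e.verdict:12} {e.host:30} -> {e.ip}")
    print("review:", needs_review(results))
```

Run against the sample, the sitefinder line comes out as "blocked" (pointing a name at 127.0.0.1 denies access to it and sends traffic nowhere else), while the guru.grisoft.com line comes out as "redirected": the next step for that one is to compare 193.86.103.19 with the addresses the vendor publishes for its update server, rather than to assume it is either malicious or benign.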
-
April 11th, 2005, 10:21 AM
#8
Registered User
Nothing jumps out at me either. On the Symantec page you posted it does mention uninstalling and reinstalling NAV. Have you tried that? Seeing how this thing attaches itself to exe files, that would make sense. The fact that it starts deleting files 9 days after infection would worry me...
-
April 11th, 2005, 10:58 AM
#9
Yeah, I'm not dead keen on that possibility, either.
I don't actually run Symantec - that's just one of the obvious places Google offered me. I use AVG. For what it's worth, I've posted to their forum and am waiting for a response.
I don't know whether uninstalling / reinstalling AVG would have the same effect. I don't get that connection at any rate. OK, I am dense....
Again, I haven't experienced the bmp image nor any of the registry changes that the Symantec info noted, so... strange, n'est-ce pas?
Last edited by bazcook; April 11th, 2005 at 11:02 AM.
-
April 11th, 2005, 11:52 AM
#10
Registered User
Very. If you have a CD burner there's a great download @ http://nyquil-kid.dyndns.org/ - you can boot from the CD and it will search for viruses. Another thought would be to try Stinger from McAfee - http://vil.nai.com/vil/stinger/
-
April 11th, 2005, 12:20 PM
#11
I'll give a thought to nyquil should nothing else pan out - while I note the Stinger webpage dates it to the beginning of March - about a month behind the variant's date according to the Symantec info - and no note of it in the included list.
Rats!
-
April 11th, 2005, 12:56 PM
#12
Registered User
-
April 11th, 2005, 01:02 PM
#13
Double rats!
Downloaded, run and - no malicious software was found.....
-
April 11th, 2005, 01:06 PM
#14
Registered User
ooookay. Give this a shot - http://www.microsoft.com/downloads/d...displaylang=en
Update the definitions, then run it.
-
April 11th, 2005, 02:00 PM
#15
Downloaded but haven't done anything about it yet.
Meanwhile, a bit of a surprise from elsewhere - I happened to post a query on the Maxthon browser forum about this (I had just updated that this weekend too and just *wondered*) and, as it happens, there are others - and it happened to some on an earlier version of Maxthon last month, using TrojanHunter as their spyware scanner.
Seems TrojanHunter blamed something in Maxthon, while the recent one is less specific and reported by Spybot only.
So, could be false positives after all - and some tidying up needed in Maxthon. One can hope.
http://forum.maxthon.com/forum/index...st=0&p=122760&
I won't simply rely on these reports and will keep myself open to other potential sources, but it is moderately comforting to note that others are suffering too and that we may know the (benign) source.
Schadenfreude modified.