Malware: Sandlot Shared, Detected By Comodo


13 replies to this topic

#1 tobyo

Posted 01 March 2008 - 08:30 AM

Looking for advice please. I recently switched my firewall to Comodo and have been pretty happy with it. one day a pop-up told me to upgrade and when I did I got the version where it asks me to okay every single thing that I did (defense + alert? I think). every email I sent, every web page I visited. so I decided to uninstall then reinstall the version where I don't have to answer whether it's okay or not. well, upon reinstalling, Comodo ran a scan and to my surprise there was a malware listed!! the path:

c:\program files\common files\sandlot shared\slghex.dll

it gave me the option to delete which I did. but the message was still there. hmmmm, next I ran super antispyware and removed a bunch more adware. that malware did not appear. went to look at that path and the folder was still there. I didn't look at the exact files in there until this morning. I just ran another Comodo scan and it came up clean. I looked in that sandlot shared folder and the "slghex.dll" file is not in there.

so....is my system OK then? thanks in advance for any replies.

Edit: Moved topic to the more appropriate forum. ~ Animal

#2 Orange Blossom


Posted 01 March 2008 - 10:46 PM

Hello tobyo,

What is your operating system: Windows XP, Vista, etc.?

Can you post the SAS log please?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 tobyo


Posted 02 March 2008 - 07:54 AM

Windows XP.

what's an SAS log? from Comodo's scan? if so, how do I do that?

#4 Orange Blossom


Posted 02 March 2008 - 01:23 PM

Hello tobyo,

Sorry about confusing you with the abbreviation. SAS log stands for SUPERAntiSpyware log.

I ran super antispyware and removed a bunch more adware


That is the log I'm referring to. To get it, double-click the SUPERAntiSpyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log and choose the date you did the scan you referred to in your initial post.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in Notepad (to highlight everything, either click Edit then Select All in the menu, or right-click on the log, then click Select All on the menu that pops up), then right-click and click Copy.
o Click close and close again to exit the program.

Paste the log into the text area of your next reply.

Orange Blossom :thumbsup:

#5 tobyo


Posted 02 March 2008 - 11:24 PM

aha! thanks for the explanation. and thanks for the help! here's my log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/29/2008 at 07:37 PM

Application Version : 3.9.1008

Core Rules Database Version : 3390
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 00:40:44

Memory items scanned : 472
Memory threats detected : 0
Registry items scanned : 5920
Registry threats detected : 0
File items scanned : 41690
File threats detected : 81

Adware.Tracking Cookie

#6 Orange Blossom


Posted 03 March 2008 - 12:19 AM

Hello tobyo,

What SUPERAntiSpyware found were tracking cookies. These are not a threat, but there are privacy concerns. Tracking cookies are a kind of third party cookie. You can read more about the kind of cookies and how to block unwanted cookies in IE in this post: http://www.bleepingcomputer.com/forums/ind...st&p=702871

The links he provides will tell you how to block third party cookies in IE.

You can set up Firefox to block unwanted and unneeded cookies this way:

Click on Tools --> Options --> Privacy

Make sure there is a check mark by "Accept Cookies from Sites." Then in the box just below, make sure the window says "Ask me every time."

What this will do is that every time a site wants to put a cookie on your computer, a little window will pop up asking you if you want to accept it. The first time it shows up, click on "Show details". From then on, except when you reinstall Firefox or in some instances update it, the details will always be shown. There you can see who wants to put it on your computer and whether it is a session cookie or a permanent cookie.

You can add the site to your black list or white list by putting a check mark by "Use my choice for all cookies from this site" and clicking on "Deny", which adds it to the black list, or "Allow for session" or "Allow". The latter choice means that any permanent cookies will stay on your computer until they expire or you delete them. The former choice means that the cookies will always go away when you close your browser. Either way, the sites will be added to the white list.

You can see what cookies are installed by clicking on the Show Cookies button on the privacy screen where you set the cookie options. When you click on Exceptions you will see the list of sites blocked from or permitted to set cookies. You can manually add sites to the block or allow list here, and you can also remove sites from the list.

Security programs such as SpywareBlaster (prevents spyware from being installed on your PC; tutorial: Using SpywareBlaster, http://www.bleepingcomputer.com/tutorials/use-spywareblaster-to-protect-your-computer/) will add many sites to the block list to protect you from tracking cookies.

Go ahead and delete the Sandbox folder if you haven't done so already.

In rereading your initial post, I became puzzled about something. You say that you changed your Comodo firewall, but then you said you did a scan with Comodo. Are you referring to a different program here? You can't do scans with firewalls.

What is your anti-virus program?

Are you experiencing any issues with your computer?

Orange Blossom :thumbsup:
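
Added example, not part of the original thread: a short Python triage of a SUPERAntiSpyware scan log in the layout posted above. It checks that the pasted log lists as many items as its summary reports and separates tracking-cookie entries from anything that needs a closer look. The sample log is constructed, and the function names and the second category in it are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the scan log posted in this thread;
# the cookie names and the second category are invented for illustration.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@ads.example-one[1].txt
C:\Documents and Settings\Owner\Cookies\owner@example-two[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.example-one[2].txt
Constructed.Sample.Category
C:\Program Files\Example Vendor\sample.dll
"""

COUNT_RE = re.compile(r"^(\w+) threats detected\s*:\s*(\d+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
COOKIE_RE = re.compile(r"@([^\[\\]+)\[\d+\]\.txt$", re.IGNORECASE)
COOKIE_CATEGORY = "Adware.Tracking Cookie"


def parse_scan_log(text):
    """Return (counts, detections). Assumes a category name sits on its
    own line above the paths it covers, as in the posted log."""
    counts, detections, category = {}, {}, "(uncategorised)"
    for raw in text.splitlines():
        line = raw.strip()
        count = COUNT_RE.match(line)
        if count:
            counts[count.group(1)] = int(count.group(2))
        elif PATH_RE.match(line):
            detections.setdefault(category, []).append(line)
        elif line and ":" not in line:
            category = line  # candidate header, kept only if a path follows
    return counts, detections


def cookie_site(path):
    """Site label from an IE cookie file name such as owner@site[1].txt."""
    match = COOKIE_RE.search(path)
    return match.group(1) if match else None


def triage(text):
    counts, detections = parse_scan_log(text)
    reported = sum(counts.values())
    listed = sum(len(paths) for paths in detections.values())
    cookies = detections.get(COOKIE_CATEGORY, [])
    return {
        "reported": reported,
        "listed": listed,
        "complete": reported == listed,  # False if the paste was cut short
        "cookie_sites": sorted({s for s in map(cookie_site, cookies) if s}),
        "needs_review": {c: p for c, p in detections.items()
                         if c != COOKIE_CATEGORY},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```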

#7 tobyo


Posted 03 March 2008 - 07:16 AM

thanks for the cookies information. I will read more at the link you provided.

Yep, Comodo does have a scan. it's in the "defense +" section and when I reinstalled there was an option to scan my computer and that's what I did. and that's when that malware showed up.

I just deleted that sandlot shared folder. and I'm using AVG for antivirus protection.

as for my computer, there was one time about two weeks ago when my cursor seemed to have disappeared. I don't remember the circumstances and I think I simply closed that internet session and started over. I haven't experienced that again. other than that, everything seems normal.

#8 Orange Blossom


Posted 03 March 2008 - 12:15 PM

Hi tobyo,

It seems that your security programs protected you from most of what might have trundled along with the sandbox.

Some of the malware may have been saved in System Restore. To prevent possible reinfection, let's flush the restore points.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Let us know when you've done that, and we'll provide you with some additional suggestions for keeping malware free. There are always new ways to protect the computer against the baddies.

Orange Blossom :thumbsup:

#9 tobyo


Posted 03 March 2008 - 05:36 PM

Well.....I don't have WinXP Pro so the directions in that link were not the same. I did however do the disk cleanup since after I selected drive C it went right into it. It did not give me the option with the tabs. so, I removed some temporary internet files and cleaned out the recycle bin. is there something more I should do? thank you.

#10 Orange Blossom


Posted 03 March 2008 - 08:44 PM

Hello tobyo,

I use XP Home myself. When you click on the program Disk Clean-up, it will calculate space that might be saved by deleting temp. files etc. After it has finished doing that, then you will see the tab for More Options. I've posted a couple screen shots for you.

This is the window that pops up when it finishes the calculation. I have boxed in the More Options tab. That is the one to click on.

Posted Image

This is what you will see after you click on More Options. I have boxed in System Restore. Click on the button in the box-in area and choose okay or yes when the next little window pops up.

Posted Image

Note: Please be sure to create the new System Restore point first as stated in my previous post.

Removing the old system restore points is important.

Let me know when you have finished that.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 03 March 2008 - 08:45 PM.
Correct second link


#11 tobyo


Posted 03 March 2008 - 10:16 PM

oh gee, DUH!! sorry about that. novice here, obviously.

Okay, I did all that and the window closed. and yep, I did create the new system restore point beforehand.

#12 Orange Blossom


Posted 03 March 2008 - 10:21 PM

Hi tobyo,

I'm glad you got it to work. Don't feel bad about missing the Other Options tab. I remember a time I looked for my keys for two hours and found them in my hand where they'd been the entire time.

Now that your computer is clean, to protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1".
"Hardening Windows Security - Part 2".
"IE Recommended Minimal Security Settings".

Good luck with everything and see you around the boards.

Orange Blossom :thumbsup:

#13 tobyo


Posted 03 March 2008 - 10:42 PM

thanks. yea, I did that keys thing just the other day, but not for 2 hours ;) it was about 2 minutes.

thanks for your help!

#14 Orange Blossom


Posted 03 March 2008 - 11:03 PM

You're welcome. :thumbsup: