
Ran Several Online Scans


12 replies to this topic

#1 Dennis H

  • Members
  • 893 posts

Posted 10 May 2009 - 03:47 PM

Howdy,

I ran several online scans, which I do on a weekly basis, to see if my computer has picked up any monsters.

Today I ran Bitdefender, Housecall, SuperAntiSpyware(full scan), Malwarebytes (full scan), Windows Live Care and F-Secure(full scan). All scans were done in normal mode.

F-Secure was the only scanner that detected trouble.

Here is the log.

Scanning Report
Sunday, May 10, 2009 15:18:46 - 15:57:28
Computer name: DENNIS
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\


--------------------------------------------------------------------------------

1 malware found
W32/Zlob.gen123 (virus)
C:\WINDOWS\SYSTEM32\AGENT.OMZ.FIX.EXE (Not cleaned & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 39974
System: 2976
Not scanned: 6
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
Not cleaned: 1
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.8.9080, 2009-05-09
F-Secure AVP: 7.0.171, 2009-05-09
F-Secure Pegasus: 1.20.0
F-Secure Blacklight
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

When I scanned with F-Secure a couple of weeks ago it found this same infection and said it was deleted. Today it says that it can't delete it.

Any information on how to rid my computer of this virus would be MOST appreciated !

Thanks for your time.

Dennis :flowers:


XP Home, IE-8, SP-3

Edit: Moved topic from AntiVirus, Firewall and Privacy Products and Protection Methods to the more appropriate forum. ~ Animal

Thanks Animal ! I meant to post it in this forum but clicked on the wrong forum. :thumbsup:

Edited by Dennis H, 10 May 2009 - 03:59 PM.




#2 xblindx

  • Banned
  • 1,923 posts
  • Gender:Male

Posted 10 May 2009 - 08:21 PM

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#3 Dennis H
  • Topic Starter

  • Members
  • 893 posts

Posted 10 May 2009 - 08:42 PM

Thanks for the reply xblindx.


I will follow through with your instructions the first thing in the morning.


Dennis :thumbsup:

EDIT: Is there a chance that this is a false/positive alert ?
I gave it ( F-Secure) a try after finding it here on BleepingComputer as a recommended scanner.

Edited by Dennis H, 11 May 2009 - 12:05 AM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,388 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 May 2009 - 10:23 AM

Anytime you come across a suspicious file about which you cannot find any information, a file that has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Have you ever used SmitfraudFix? The Agent.OMZ.Fix.exe tool was added to SmitfraudFix in December 2008 to remove a Zlob hidden folder.

If so, be aware that certain embedded files that are part of legitimate programs or specialized fix tools such as SmitfraudFix may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, and the registry fixes and malware strings it contains.

Such programs have legitimate uses in contexts where a Malware Removal Expert asked you to use the tool or when an authorized user/administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or it can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious due to the security program's Heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donate button]

#5 Dennis H
  • Topic Starter

  • Members
  • 893 posts

Posted 11 May 2009 - 10:28 AM

Thanks for the information quietman7. I do not think that I have ever used SmitfraudFix.

Dr. Web Log.


A0047787.exe;C:\System Volume Information\_restore{FE207931-BAFB-435E-9182-8C603D7314F8}\RP747;Tool.Prockill;;
A0047790.exe;C:\System Volume Information\_restore{FE207931-BAFB-435E-9182-8C603D7314F8}\RP747;Tool.ShutDown.14;;
A0047814.exe;C:\System Volume Information\_restore{FE207931-BAFB-435E-9182-8C603D7314F8}\RP747;Tool.Prockill;;
A0047817.exe;C:\System Volume Information\_restore{FE207931-BAFB-435E-9182-8C603D7314F8}\RP747;Tool.ShutDown.14;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;



Dennis :thumbsup:

Edited by Dennis H, 11 May 2009 - 10:41 AM.


#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,388 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 May 2009 - 10:40 AM

Common false detections of SmitfraudFix also include process.exe. Did you use SDFix as well? ShutDown.exe is related to it and is sometimes detected for the same reasons as SmitfraudFix.

Please download OTCleanIt.exe and save to your Desktop.
  • Connect to the Internet and double-click on the file to launch the program.
  • Click on the green CleanUp! button.
  • If you get a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the Internet, please allow the connection.
  • When it has finished, OTCleanIt will ask you to reboot so it can remove itself.
-- Note: Doing this will remove any specialized tools (including this one) downloaded and used.

The detected _restore{GUID}\RP***\A00*****.xxx file(s) (related to the above specialized fix tools) identified by your scan are in the System Volume Information Folder (SVI), which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume, including most external drives and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. In this case the detected files are related to specialized fix tools and not actually malicious.

In order to avoid future detections and remove all these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup.

Edited by quietman7, 11 May 2009 - 10:44 AM.

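The report Dennis posted in #5 and the explanation of System Restore paths in #6 can be put together in a small triage script. The following is an added example written for this page, not code from the thread, from Dr.Web or from BleepingComputer. It reads a Dr.Web CureIt report in the semicolon-separated `name;folder;detection;;` layout shown above, separates hits stored inside restore points (`_restore{GUID}\RP<n>\A00<m>.<ext>`) from hits on live files, and flags the fix-tool file names quietman7 identified (Process.exe, ShutDown.exe, Agent.OMZ.Fix.exe). The allow-list of tool names, the category labels and the extra `example_dropper.exe` line are constructed for the demonstration; the restore-point lines are copied from the posted log.

```python
"""Triage a Dr.Web CureIt CSV report: which hits sit in System Restore points,
which are components of removal tools (probable false positives), which are live."""
import csv
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows System Restore keeps backed-up copies of files under
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A00<m>.<ext>
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)$",
    re.IGNORECASE,
)
BACKUP_NAME_RE = re.compile(r"^A(?P<seq>\d{7})\.[^.]+$", re.IGNORECASE)

# Files the thread identifies as parts of SmitfraudFix / SDFix that scanners
# often flag. Constructed allow-list for this example; maintain your own.
KNOWN_FIX_TOOL_FILES = {"process.exe", "shutdown.exe", "agent.omz.fix.exe"}

# Constructed sample in the same layout as the posted log. The first five
# lines come from the thread; the last one is made up to show a hit that
# must NOT be dismissed as a false positive.
SAMPLE_REPORT = r"""A0047787.exe;C:\System Volume Information\_restore{FE207931-BAFB-435E-9182-8C603D7314F8}\RP747;Tool.Prockill;;
A0047790.exe;C:\System Volume Information\_restore{FE207931-BAFB-435E-9182-8C603D7314F8}\RP747;Tool.ShutDown.14;;
A0047814.exe;C:\System Volume Information\_restore{FE207931-BAFB-435E-9182-8C603D7314F8}\RP747;Tool.Prockill;;
A0047817.exe;C:\System Volume Information\_restore{FE207931-BAFB-435E-9182-8C603D7314F8}\RP747;Tool.ShutDown.14;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
example_dropper.exe;C:\Documents and Settings\user\Local Settings\Temp;Trojan.Example;;
"""


@dataclass
class Finding:
    name: str
    folder: str
    detection: str
    category: str  # restore_point_backup | fix_tool_component | live_detection
    restore_point: Optional[int]
    backup_seq: Optional[int]
    action: str


def classify(name: str, folder: str, detection: str) -> Finding:
    """Decide what a hit means from where it sits and what it is named."""
    rp = RESTORE_POINT_RE.search(folder)
    if rp:
        seq = BACKUP_NAME_RE.match(name)
        return Finding(
            name, folder, detection, "restore_point_backup",
            int(rp.group("rp")), int(seq.group("seq")) if seq else None,
            "not active; create a fresh restore point, then Disk Cleanup to drop old points",
        )
    if name.lower() in KNOWN_FIX_TOOL_FILES or detection.startswith("Tool."):
        return Finding(
            name, folder, detection, "fix_tool_component", None, None,
            "probable false positive from a removal tool; get a second opinion before deleting",
        )
    return Finding(
        name, folder, detection, "live_detection", None, None,
        "treat as real: quarantine and investigate",
    )


def parse_report(text: str) -> List[Finding]:
    """Parse Dr.Web's semicolon-separated report (name;folder;detection;;)."""
    findings = []
    for row in csv.reader(text.splitlines(), delimiter=";"):
        if len(row) < 3 or not row[0].strip():
            continue  # blank or malformed line
        findings.append(classify(row[0].strip(), row[1].strip(), row[2].strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        where = f"RP{f.restore_point}" if f.restore_point is not None else f.folder
        print(f"{f.category:22} {f.name:22} {f.detection:16} {where}  -> {f.action}")
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Run as a script it prints one line per hit plus the category counts. Feeding it the real DrWeb.csv instead of `SAMPLE_REPORT` (read the file and pass its text to `parse_report`) gives the same split quietman7 made by eye: restore-point copies are cleared by a new restore point plus Disk Cleanup, tool components get a second-opinion scan before deletion, and anything else is treated as a genuine detection.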

#7 Dennis H
  • Topic Starter

  • Members
  • 893 posts

Posted 11 May 2009 - 10:59 AM

Thanks for the reply and information.

Ok, I ran CleanUp, created a new System Restore Point and ran Disk Cleanup.

Anything else I should do ?


Dennis :thumbsup:

#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,388 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 May 2009 - 11:01 AM

You can double-check by repeating your F-Secure scan, since that was the program that detected the files.

#9 Dennis H
  • Topic Starter

  • Members
  • 893 posts

Posted 11 May 2009 - 12:03 PM

I ran a full F-Secure scan and the infection still shows up.

1 malware found
W32/Zlob.gen123 (virus)
C:\WINDOWS\SYSTEM32\AGENT.OMZ.FIX.EXE (Not cleaned & Submitted)


I am not experiencing any type of problems with my computer (at least that I know about).

If this virus is on my computer would it not make itself known by causing me trouble ?


Dennis :thumbsup:

Edited by Dennis H, 11 May 2009 - 12:04 PM.


#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,388 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 May 2009 - 12:19 PM

As I already explained, the file is not a virus or any type of malware. It was part of a tool you used, and some security scanners will falsely detect it as a threat.

Just open Windows Explorer, navigate to the C:\Windows\system32\ folder, right-click on the file and delete it. Then empty the Recycle Bin afterwards.

#11 Dennis H
  • Topic Starter

  • Members
  • 893 posts

Posted 11 May 2009 - 12:43 PM

I misunderstood you earlier. I thought you were talking about the items that showed up on the Dr. Web scan as not being a problem. I did not realize that you also meant the Zlob that F-Secure picked up.


Anyway, I deleted the file.


Thank You for helping me with this quietman7.


Thanks again for your help xblindx.


Dennis :thumbsup:

#12 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,388 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 May 2009 - 12:58 PM

You're welcome.

Tips to protect yourself against malware:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend disabling this feature as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

#13 xblindx

  • Banned
  • 1,923 posts
  • Gender:Male

Posted 11 May 2009 - 03:10 PM

As I already explained, the file is not a virus or any type of malware. It was part of a tool you used, and some security scanners will falsely detect it as a threat.

Just open Windows Explorer, navigate to the C:\Windows\system32\ folder, right-click on the file and delete it. Then empty the Recycle Bin afterwards.


I was going to suggest doing that since the scanner wouldn't remove it, but since I didn't know if the file was legitimate or an actual infection, I held my...errr....fingers?

Edited by xblindx, 11 May 2009 - 03:10 PM.




