Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacked and Spywared... A little help please


  • This topic is locked This topic is locked
2 replies to this topic

#1 iam777

iam777

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:42 PM

Posted 05 November 2009 - 07:57 PM

I'm a new poster, having a challenge with my wonderful computer via a hijacking/rootkit. I would appreciate advisement, thanks for your cooperation and help. Now go rock!!

Robert




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:59 PM, on 11/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LogitechCommunicationsManager] rem "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] rem "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [MRC] "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238515282406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1257289777281
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6682 bytes


StartupList report, 11/5/2009, 3:37:30 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18702)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
Lachesis = C:\Program Files\Razer\Lachesis\razerhid.exe
StartCCC = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
LogitechCommunicationsManager = rem "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
LogitechQuickCamRibbon = rem "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MRC = "C:\Program Files\PC Tune-Up\PCTuneUp.exe" /MBRSTART
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{10880D85-AAD9-4558-ABDC-2AB1552D831F}] *
StubPath = "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------







S Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name E
System Manufacturer Dell Computer Corporation
System Model DIM4400
System Type X86-based PC
Processor x86 Family 15 Model 1 Stepping 2 GenuineIntel ~1594 Mhz





Hi,

I know this is a very long post but it is required to explain my challenge accurately, and maybe it can help others. If your not ZA is meant for instructional purposes.

I am a customer deploying the Extreme Security ZA suite, in a private home occupied by myself and my girlfriend. I am having major Trojan virus, spy/malware, hijack, and operational issues. On Oct 22, 2009, I noticed my computer slowing and performing sluggish. I contacted Kelly your ZA tech about this issue, citing isw and lsw issues and was told these are logging files, its normal (see below). Furthermore I contacted Bill, ZA tech, about an unauthorized password change, (that was protected by Identity Guard) that disallowed myself from interacting with ZA (see below). Realize I have hardcopyís of ZA passwords that I use daily, and had used that specific one the night before, multiple times. Within the past few days, I initiated, 2xs daily, ZAís rootkit/ultra-deep scans revealing nothing. Yesterday ZA toolbar, browser security, and the extreme security application were crashing, nullifying and/or deleting security features and protections. Websites, along with ZA were apparently opening ZAís identity vault secured password protected applications, (see previous weekís failed attempts below by Google, etc.) the two current examples being my Windows Logon password and almost ALL Zone Alarm Custom Program Control Centers protections, which were rendered useless, unknown to myself for approx 3-4 hourís in the trusted and internet zones. Internet Explorer 8 features, were changed, (which does not function correctly now) and was locking up. I reinitiated program control, all additional ZA security were already high, and ran scans again, as this unfolded, with no abnormal results. I had purchased and initiated ZAís third party Large PC tune up cleaner as well as the registry cleanup application C.C. cleaner and Windows Advance Systems 3 registry, spyware removal and blocker application all revealing no Trojans or abnormal activity at the time. Note these utilities are employed daily and have not conflicted with ZA via alerts or logs.

At approx 21:05 to 21:16 (still yesterday, evening) I received approx 8 little punk (please excuse the language) Trojans in quick succession (self-regenerating see below) named JS.Ramif.a, emanating from Zone Alarms virtualization application #ISW.FS# from C\:DocumentsandSettings\RobertMoreno\ApplicationData\#ISW.FS#\Normal\fffffffffffff931.isw (see documentation below). ZAís anti virus failed to repair or treat them all, but they were quarantined, although other elements of the Trojan file was still attempting to regenerate itself through Zone Alarmís virtualization, quickly, and after approx four or five attempts, I was able to delete fffffffffffXX.isw files but the remaining files, isw.sect.state, state.isw, inuse.lck, were exhibiting corrupted behavior via the virtual (?) Trojan, which according to multiple website Trojan verifiersí is not a Trojan, even according to your own online website, although obviously ZAís On Access Scan has determined it is a Trojan. It appears it is a shadow or mask program exhibiting Trojan behavior but in reality maybe a hijacker or root kit corrupter, or combination of all three. Anyway they were deleted, had their entire permissions revoked, modified to read only, and hidden in WinXp safe mode, which has stopped the Trojan from multiplying and spreading, if it still exists in the files. I am not taking that chance, until Iím sure.


My status at the moment:

Zone Alarm is consuming massive resources, especially when I engage shortcuts, or in-window links, especially ZA links or buttons, causing lockups.
I canít download any updates including window updates and the Internet Options panel, when I have ZA up, has locked me out and ZAís ďlock the hosts fileĒ feature and its entire window has disappeared entirely.
Occasionally this morning websites were opening themselves, it hasnít happened for the last couple hours.
When I clear the Virtual file only a very few are deleted.
Accessing the internet, ZA automatically places my network in the trusted zone, rather than the internet zone. And if I switch it, it switches back, although inconsistently.
My networks gateway is not operational.
My fontís change from page to page.
Email protection is not operational, I cant configure Outlook express to Zone Alarm.
My usual program alerts are not operational, with the exception of Microsoftís IE8; there have been MANY requests to access the internet from them, displayed as normal access protocols that havenít been issued previously (some of them) and /or havenít been requested for a long time, as logged, via ZA.
Before today, Identity lock id alerts and many program alerts were not being logged at all, this occurred after I started to copy the logs to a different folder (See below).
The on access scanner is and has been operational inconsistently, returning errors. (See log below).
The Forcefield application works inconsistently, displaying vastly conflicting data. One moment there is zero (0) harmful data blocked coming from the internet the next moment its 30 MB or more. Private Browser, and Status, only work occasionally. In addition I have never been able to update from the Browser security window, nor does it attempt to.
My identity vault, set to high is set to off from time to time when reviewed.
Microsoft Internet Explorer 8 in definitely not functioning properly by itself and more importantly in relation to Zone Alarm.
Zone Alarm Extreme Security is turning itself off as I am surfing the web to combat these problems, although I can turn it back on quickly.
This morning an apparent Zone Alarm technical support pop-up appeared stating my browser was unstable and requested I upload to unnamed ZA support staff via a ZA dialog box, between 0-5 and 0-50 MBís worth of ďunstable ZA toolbar dataĒ on my computer, or my computers protected application data, or my computers protected system data. I note this because the same dialog box event transpired via my ZA records, the last time my computer was infected (?) like this, a few years ago, with the exact same (non) virus, exhibiting very similar, as well as elevated damage then, to my computer and its peripherals via the virus engine from my Zone Alarm Internet Security Suite. Was the Dialog box this morning from Zone Alarm?


Updated Status 11/04/09 1:37pm

While running a ZA Virus Scan under a different Windows Logon User without Administrative rights, the virus HiddenObject.Multi.Generic was found. I tried to repair it via ZA but that failed as well as the attempted Quarantine. It locked up my computer for quite a long time and when I finally rebooted and ran 3 scans as well as other security, utilities, and registry protocols it canít be found anywhere. In a new development I canít disable, my network connections, I have to disable the adapter itself. What is going on? Why didnít ZA at least quarantine and what can be done since obviously this rootkit is still here. Virus Documenation as follows:

Description Anti-virus detected an infected file
Date / Time 2009-11-04 13:37:20-5:00
Type Treat
Virus name HiddenObject.Multi.Generic
Filename C:\Documents and Settings\Brian Moreno\Application Data\#ISW.FS#\Privacy\ffffffffffffff4a.isw
Action Infected
Mode Manual
E-mail

Description Anti-virus attempted but failed to quarantine a virus or viruses
Date / Time 2009-11-04 13:37:20-5:00
Type Treat
Virus name HiddenObject.Multi.Generic
Filename C:\Documents and Settings\Brian Moreno\Application Data\#ISW.FS#\Privacy\ffffffffffffff4a.isw
Action Quarantine failed
Mode Manual
E-mail



Rectification Request:

I need immediate stop-gap protocols please from ZA tech support staff to mitigate Trojan/hijack/Spyware/Malware (?) damage, and reverse it.
The re-establishment of Extreme Zone Alarm Security, Forcefield protection, and Zone Alarm browser toolbar, Identity protection and all its features.
Help in relation to IE8.
Since this apparently is a virtual app, HOW and why or in what way could it be infected/hijacked? Realize I am not blaming ZA. Your product has worked very well much of the time, I just want a detailed diagnosis, explanation, and resolution.
What is the optimal configuration to prevent this?

Supporting Documentation:
My Zone Alarm
ZoneAlarm Extreme Security version:9.1.008.000
TrueVector version:9.1.008.000
Driver version:9.1.008.000
Anti-virus engine version:8.0.2.42
Anti-virus signature DAT file version:996345216
AntiSpam version:6.0.0.2383
ZoneAlarm ForceField 1.5.53.4
ZoneAlarm ForceField Spyware Scanner 1.5.53.33
ZoneAlarm ForceField Anti-Phishing Database 1.2.104.0
ZoneAlarm ForceField Spyware Sites Database 03.990




The following is a small portion of Unauthorized attempted identity retrievals by online website applications. With the exception of Zone Alarm and Large PC, which are known and acceptable as ID Security was set to high.


Description Your [Windows Logon] was blocked from being sent to [www.google.com].
Rating Medium
Date / Time 2009-10-28 19:22:38-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS
Destination DNS
Policy Personal Policy
Google.com web browser.

Description Your [Windows Logon] was blocked from being sent to [www.friendconnect.gmodules.com].
Rating Medium
Date / Time 2009-10-28 19:22:38-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS
Destination DNS
Policy Personal Policy

Google Friend Connect is an online service by Google that allows users on the internet to connect with their friends on different websites. Google Friend Connect is an Open Social ... Google Friend Connect is an Open Social application offered by Google that started in May 2008. Google Friend Connect main focus is to simplify the connection between social and non-social websites and standardize the handling and presentation of social applications and contacts.




Description Your [Large PC Tune Up] was blocked from being sent to [update.zonelabs.com].
Rating Medium
Date / Time 2009-10-28 19:03:58-4:00
Type IDLock
Program zlclient.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS
Destination DNS
Policy Personal Policy

Description Your [Windows Logon] was blocked from being sent to [nmmclatchy.112.2o7.net].
Rating Medium
Date / Time 2009-10-28 20:13:56-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS
Destination DNS
Policy Personal Policy

112.2o7.net ---Omniture, An Adobe Company, funny, I canít copy information from this website. Opted out of their cookie process, revisit site later. Critics have accused Omniture of attempting to hide the fact they are collecting data.[8] Critics claim they do this by sending the information to a domain name that looks and sounds similar to an IP address used to connect to devices on the local network and not the Internet. This has led to speculation that the domain name is used to trick users or firewall rules.[9] Omniture's SiteCatalyst and SearchCenter products use the 2o7.net domain name.[10]Omniture has been known to have recurring delays of up to one to two days in reporting the web traffic data back to the businesses buying their service. [11]Omniture collects data from Apple[8] and Adobe, who use Omniture to collect usage statistics across their products.It is possible to stop tracking by using the hosts file. Omniture is a publicly held online marketing and web analytics company. On September 15, 2009, Omniture agreed to be purchased by Adobe Systems.Omniture's latest offerings include SiteSearch and some social media tracking capabilities. Integrations with other systems are offered under the title Genesis.

Description Your [Zone Alarm License] was blocked from being sent to [www.google-analytics.com].
Rating Medium
Date / Time 2009-10-28 21:58:14-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 3
Source DNS
Destination DNS
Policy Personal Policy

Google Analytics is the enterprise-class web analytics solution that gives you rich insights into your website traffic and marketing effectiveness. Powerful, flexible and easy-to-use features now let you see and analyze your traffic data in an entirely new way.



Description Your [Zone Alarm License] was blocked from being sent to [leadback.advertising.com].
Rating Medium
Date / Time 2009-10-28 21:58:14-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS
Destination DNS
Policy Personal Policy

Access Denied
You don't have permission to access "http://leadback.advertising.com/" on this server.
Reference #18.f961160.1256782257.2967ae1
LeadBack.com is owned by Advertising.com, a wholly owned subsidiary of AOL. The following statement describes the overall company practices of Advertising.com,
© 2008 LeadBack.com is a product of Advertising.com, a Platform-A company
Advertising.com delivers advertisements across multiple channels and media, including to web surfers who visit the largest third-party network in the industry Ė AOL's Advertising.com.


Description Your [Zone Alarm License] was blocked from being sent to [pa1.zonealarm.com].
Rating Medium
Date / Time 2009-10-28 21:58:06-4:00
Type IDLock
Program iexplore.exe
Source IP
Destination IP
Direction Outgoing
Action Taken Blocked
Count 25
Source DNS
Destination DNS
Policy Personal Policy

************************************************************************
Status report: message description. The request sent by the client was syntactically incorrect ().----Apache Tomcat/6.0.16 ,We did not find any results for pa1.zonealarm. A Zone Alarm dialog box popped up with this alert indicating I did not have the extreme security control center features available, and prompted me to buy Zone Alarm Extreme Security Again.

************************************************************************





Zone Alarm Virus Information:
Note there are only 5 quarantined Trojans. There were actually 8 present.


Description Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2009-11-02 21:05:54-5:00
Type On-Access scan
Virus name Trojan.JS.Ramif.a
Filename C:\Documents and Settings\Robert Moreno\Application Data\#ISW.FS#\Normal\fffffffffffff931.isw
Action File repair failed
Mode Auto
E-mail




Description Anti-virus successfully quarantined a virus or viruses
Date / Time 2009-11-02 21:16:26-5:00
Type Treat
Virus name Trojan.JS.Ramif.a
Filename C:\Documents and Settings\Robert Moreno\Application Data\#ISW.FS#\Normal\fffffffffffff92b.isw
Action Quarantined
Mode Manual
E-mail


Description Anti-virus attempted but failed to repair a virus or viruses
Date / Time 2009-11-02 21:05:54-5:00
Type On-Access scan
Virus name Trojan.JS.Ramif.a
Filename C:\Documents and Settings\Robert Moreno\Application Data\#ISW.FS#\Normal\fffffffffffff931.isw
Action File repair failed
Mode Auto
E-mail

Description Anti-virus successfully quarantined a virus or viruses
Date / Time 2009-11-02 21:16:24-5:00
Type Treat
Virus name Trojan.JS.Ramif.a
Filename C:\Documents and Settings\Robert Moreno\Application Data\#ISW.FS#\Normal\fffffffffffff995.isw
Action Quarantined
Mode Manual

The fifth is the same as the previous four.




I receive these On-Access Scan Errors periodically, especially within the first minutes of Zone Alarm initiating.

Description
Date / Time 2009-11-03 13:11:14-5:00
Type On-Access scan
Virus name
Filename
Action Error
Mode
E-mail
Description
Date / Time 2009-11-03 02:22:24-5:00
Type On-Access scan
Virus name
Filename
Action Error
Mode
E-mail

Description
Date / Time 2009-11-03 02:15:46-5:00
Type On-Access scan
Virus name
Filename
Action Error
Mode
E-mail

Description
Date / Time 2009-11-03 01:29:44-5:00
Type On-Access scan
Virus name
Filename
Action Error
Mode
E-mail

Description
Date / Time 2009-11-02 22:50:26-5:00
Type On-Access scan
Virus name
Filename
Action Error
Mode
E-mail

Description
Date / Time 2009-11-02 22:33:58-5:00
Type On-Access scan
Virus name
Filename
Action Error
Mode
E-mail

BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:42 AM

Posted 10 November 2009 - 07:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:42 AM

Posted 16 November 2009 - 09:33 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users