MWAV logs

2 replies to this topic

#1 Susan528

  • Members
  • 18 posts

Posted 07 August 2005 - 09:22 AM

Sat Aug 06 09:38:26 2005 => Scanning HKLM\SYSTEM\CurrentControlSet\Services\VxD

Sat Aug 06 09:38:26 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Sat Aug 06 09:38:26 2005 => Loading Spyware Signatures from FIXED Database...
Sat Aug 06 09:38:28 2005 => Offending value found in HKLM\System\CurrentControlSet\Services\xloader !!!
Sat Aug 06 09:38:28 2005 => Object "XLoader Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat Aug 06 09:38:29 2005 => Offending value found in HKLM\Software\microsoft\downloadmanager !!!
Sat Aug 06 09:38:29 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat Aug 06 09:39:01 2005 => System found infected with CWS.therealsearch Spyware/Adware (waol.exe)! Action taken: No Action Taken.
Sat Aug 06 09:39:01 2005 => System found infected with iSearch Spyware/Adware (patch.exe)! Action taken: No Action Taken.

How do the experts treat the results of MWAV logs when what is left is File System errors and antivirus scans find nothing? waol.exe is leftover from Add/Remove AOL.


#2 Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • Gender:Male

Posted 08 August 2005 - 01:14 PM

Well, I'm not sure I understand what you want to know here. Do you want help to clean up an infection, or are you just curious as to how the experts do it?

I'm no expert, tho I have been called that from time to time, but I'll try to answer your question as best I can.

First, we don't use mwav all that often here at BC for malware removal. It's an excellent scanner, but the problem is it is so thorough that it takes forever to download and run. We use tools like HijackThis and Silent Runners to find how malware is set in the registry to start running. HJT is small and quick. Silent Runners and some other tools that look for other hidden and undocumented areas of the registry and for hidden files are not so fast.

And just to oversimplify malware removal and try to boil it down to basics--it is extremely difficult to remove everything that has been changed when a malicious or rogue file has been executed. A bad file can be on your system but won't affect you as long as it is not executed or started. When malware installs itself, it makes change(s) to the registry so that it autostarts--usually when Windows starts. HJT mostly looks for only the documented areas of the registry where this will occur. Mwav will look for all registry changes made by the malware--not all changes cause the malware to start. And that is why it takes so long.

Using HijackThis, we seldom if ever get a person's system 100% clean and spotless. We try to remove all bad files and registry entries that we can. But the main goal is to stop malicious files from running and it is more of a quick fix. There will be some orphaned registry entries and some bad files that will get missed. But as long as we find and fix those one or two reg entries per malware that cause it to start, they won't affect you. Run AV and antivirus scans, including free online scans to clean up as best you can.

antivirus scans find nothing

mwav is an antivirus scanner, so it has found something. Not all AV's will find everything and a lot of the adware we deal with lately aren't technically viruses. And even if AV vendors have definitions to deal with adware, they are not always able to clean it. That is why it is better to get a second opinion from online scanners and programs like mwav.

Cleaning up all the registry entries has to be done by the end user. We don't usually advise this be done because, as you have probably heard over and over again, you shouldn't edit the registry unless you know what you are doing, and always make a backup first. The HJT Team's advice about what should be deleted or altered comes from a great deal of research and experience. And again, we're looking mainly for how the malware gets started.

Now, looking at what you have posted, I see several things, mainly that this system is suffering from multiple infections. Mwav has found what others haven't. I would strongly urge you to submit a HijackThis log so you can get this taken care of. There is not quite enough information in the log you have posted to give you effective advice (and it appears to have been edited).

To do this:
-----------------------
Click on the link below and follow the steps in that tutorial so you can get a log posted:
How to post a HijackThis Log

You can of course skip step 1. But be sure to follow all the other steps and use the links in the tutorial to:

1. Download the self-extracting HijackThis.
2. Open the HijackThis Logs and Analysis forum to start a new Topic in that forum. It is important that you post your log into a new topic in that forum. If you have any problems here is a link again:
http://www.bleepingcomputer.com/forums/ind...?act=SF&s=&f=22

It may be a day or two before you get an answer. But it is also important that you not post again to the topic you started asking for help or wondering if you will get help or otherwise "bumping" your thread/topic. In order to work on a first come-first served basis, helpers look for the oldest topics with zero replies.

BUT, once you receive a reply, stay in the topic that you have started. Do not start another thread.
------------------
What are the indications?

HKLM\System\CurrentControlSet\Services\xloader

That's malware set to start as a service, so it will start when Windows starts.

HKLM\Software\microsoft\downloadmanager

As far as I know this is not a reg entry that will start the malware, but it tells you that a trojan is present and needs to be gotten rid of.

Sat Aug 06 09:39:01 2005 => System found infected with CWS.therealsearch Spyware/Adware (waol.exe)! Action taken: No Action Taken.
Sat Aug 06 09:39:01 2005 => System found infected with iSearch Spyware/Adware (patch.exe)! Action taken: No Action Taken.

These are two files (not reg startups) that could either be legitimate or malware, depending on what folder they are in. It is common practice for malware to use legitimate file names and run them from a different location to trick people into thinking they shouldn't be removed. I wish mwav would tell where these files are located; then it would be easy to tell you whether they are bad or not. But both files, if they are legit, should be in a subdirectory of Program Files: waol.exe in the AOL subdirectory and patch.exe in the TrendMicro subdirectory of the Program Files folder. If not in those locations, these files are known to be bad and should be removed.

I think this is the crux of your question--how do you know these files are bad and not the legit ones? Research to determine where the files should be located. That takes a little bit of time. A quicker way to confirm is to have the file scanned by jotti.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
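The triage Papakid describes, applied to the log lines Susan528 posted, as an added example that is not part of this thread and not code from BleepingComputer or the MWAV vendor: parse the three kinds of MWAV finding lines, separate registry hits under the Services key (which start with Windows) from ones that merely indicate a trojan is present, and compare each flagged file's location on disk against where the legitimate copy would live. The expected parent directories (`C:\Program Files\AOL`, `C:\Program Files\TrendMicro`) are taken from Papakid's post and are an assumption of this example; the `Run` key is added alongside `Services` as a second documented autostart location; and, because MWAV does not print the path, the paths in `located_files` are supplied by whoever located the files on the machine (constructed here).

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample, copied from the MWAV log format shown in the thread.
SAMPLE_LOG = """\
Sat Aug 06 09:38:26 2005 => Scanning HKLM\\SYSTEM\\CurrentControlSet\\Services\\VxD
Sat Aug 06 09:38:28 2005 => Offending value found in HKLM\\System\\CurrentControlSet\\Services\\xloader !!!
Sat Aug 06 09:38:28 2005 => Object "XLoader Spyware/Adware" found in File System! Action Taken: No Action Taken.
Sat Aug 06 09:38:29 2005 => Offending value found in HKLM\\Software\\microsoft\\downloadmanager !!!
Sat Aug 06 09:38:29 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Sat Aug 06 09:39:01 2005 => System found infected with CWS.therealsearch Spyware/Adware (waol.exe)! Action taken: No Action Taken.
Sat Aug 06 09:39:01 2005 => System found infected with iSearch Spyware/Adware (patch.exe)! Action taken: No Action Taken.
"""

@dataclass
class Finding:
    timestamp: str
    kind: str                 # "registry", "object" or "file"
    name: str                 # registry key or detection name
    filename: Optional[str]   # only for kind == "file"
    action: Optional[str]     # MWAV's "Action taken" text, if any

# One regex per finding line shape seen in the log; "Scanning ..." lines are skipped.
_REG_RE = re.compile(r"^(?P<ts>.+?) => Offending value found in (?P<key>\S+) !!!$")
_OBJ_RE = re.compile(r'^(?P<ts>.+?) => Object "(?P<name>[^"]+)" found in File System! '
                     r"Action Taken: (?P<action>.+?)\.?$")
_FILE_RE = re.compile(r"^(?P<ts>.+?) => System found infected with (?P<name>.+?) "
                      r"\((?P<file>[^)]+)\)! Action taken: (?P<action>.+?)\.?$")

# Registry locations whose entries launch code at Windows start. Services is the
# key Papakid points at; Run is the other documented autostart key (assumed scope).
AUTOSTART_PREFIXES = (
    "hklm\\system\\currentcontrolset\\services\\",
    "hklm\\software\\microsoft\\windows\\currentversion\\run\\",
)

# Where the legitimate copy of each flagged file lives, per Papakid's post (assumption).
EXPECTED_PARENT = {
    "waol.exe": "C:\\Program Files\\AOL",
    "patch.exe": "C:\\Program Files\\TrendMicro",
}

def parse_mwav_log(text: str) -> List[Finding]:
    """Turn MWAV finding lines into Finding records; progress lines are ignored."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.rstrip()
        if (m := _REG_RE.match(line)):
            findings.append(Finding(m["ts"], "registry", m["key"], None, None))
        elif (m := _OBJ_RE.match(line)):
            findings.append(Finding(m["ts"], "object", m["name"], None, m["action"]))
        elif (m := _FILE_RE.match(line)):
            findings.append(Finding(m["ts"], "file", m["name"], m["file"], m["action"]))
    return findings

def is_autostart_key(key: str) -> bool:
    """Registry paths are case-insensitive, so compare lower-cased prefixes."""
    k = key.lower()
    return any(k.startswith(p) for p in AUTOSTART_PREFIXES)

def file_location_verdict(observed_path: str) -> str:
    """Compare the directory a file was actually found in with its expected home."""
    p = PureWindowsPath(observed_path)
    expected = EXPECTED_PARENT.get(p.name.lower())
    if expected is None:
        return "unknown-file"
    parent, exp = str(p.parent).lower(), expected.lower()
    if parent == exp or parent.startswith(exp + "\\"):
        return "expected-location"
    return "unexpected-location"

def triage(log_text: str, located_files: Dict[str, str]) -> dict:
    """located_files maps a filename MWAV reported to the full path where it was
    found on disk; MWAV itself does not print that path."""
    report = {"autostart_keys": [], "other_keys": [], "files": {}}
    for f in parse_mwav_log(log_text):
        if f.kind == "registry":
            bucket = "autostart_keys" if is_autostart_key(f.name) else "other_keys"
            report[bucket].append(f.name)
        elif f.kind == "file":
            path = located_files.get(f.filename.lower())
            report["files"][f.filename] = file_location_verdict(path) if path else "path-not-located"
    return report

if __name__ == "__main__":
    # Constructed on-disk locations: one legitimate, one out of place.
    located = {"waol.exe": "C:\\Program Files\\AOL\\waol.exe",
               "patch.exe": "C:\\WINDOWS\\patch.exe"}
    for section, value in triage(SAMPLE_LOG, located).items():
        print(section, value)
```

Run stand-alone it lists the Services key as the one entry that actually starts the malware, the downloadmanager key as an indicator only, and flags patch.exe as out of place while waol.exe sits where a real AOL install would put it. A match on the expected directory is only a first filter, which is why Papakid still suggests having the file itself scanned.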


#3 Susan528

  • Topic Starter

  • Members
  • 18 posts

Posted 08 August 2005 - 01:49 PM

Thank you for your reply.

Love your quote from Will Rogers. I used to live near Claremore, Oklahoma where the Will Rogers Memorial is. He was quite a cowboy and humorist.

Susan
