
Can't Rid Pc Of Trojan-downloader-zlob



#1 birds_on_the_bat
Posted 22 February 2007 - 03:05 PM

Hello, I am using Windows XP Home, Windows IE 7.
On Sunday, Feb. 18, I was trying to download codecs to view a movie. This triggered warnings to my Webroot SpySweeper program to allow or block the changes for isadd.dll. I thought I had blocked them. I then had SpyDawn Ver 3.1 appear on my screen and other advertisements for anti-spyware programs. My homepage was hijacked sending me to hxxp://asafetynotice.com. I received popup messages at the system tray of
System Alert: Tojan-Spy.Win32@mx
Type: Spyware/Trojan
Vulnerable: Windows 95/98/ME/NT/203/Windows XP
Description: Spyware program that sends confidential
information to a remote attacker
Protection: Click this baloon to download official security
software.

Other warnings would popup in the middle of the screen

Critical System Warning!
Your system is probably infected with latest versionof Spyware.Cyberlog-X
Type: Spyware
Infection Length: 266,129 bytes
Risk: High
Systems Affected: Windows 95,98, 2000, NT, 2003 Server, Windows XP
Behavior: Spyware.Cyberlog-X is a spyware program that monitors user
activity, logs, keystrokes, and tracks websites visited
Symptoms: Low internet connection speeds
Low system performance
Security Center Alerts
Strange popup windows
Protection: Click OK to donwload (sic) antispyware software
I then ran a sweep from Spysweeper and received these results:

4:18 PM: Quarantining All Traces: spyware quake
4:18 PM: Quarantining All Traces: antivermins
4:18 PM: HKLM: software\classes\clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}\ is in use. It will be removed on reboot.
4:18 PM: C:\Program Files\Video Access ActiveX Object\isadd.dll is in use. It will be removed on reboot.
4:18 PM: BHO Shield: found: -- BHO installation denied at user request
4:17 PM: trojan-downloader-zlob is in use. It will be removed on reboot.
4:17 PM: BHO Shield: found: -- BHO installation denied at user request
4:16 PM: Quarantining All Traces: trojan-downloader-zlob
4:16 PM: Removal process initiated
4:11 PM: Traces Found: 17
4:11 PM: Full Sweep has completed. Elapsed time 04:43:32
4:11 PM: File Sweep Complete, Elapsed Time: 04:00:28
4:06 PM: Warning: SweepDirectories: Cannot find directory "e:". This directory was not added to the list of paths to be scanned.
4:06 PM: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
3:26 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\data\settings.dat". The process cannot access the file because it is being used by another process
3:26 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:26 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:26 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
3:26 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:26 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:26 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:26 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
3:26 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:22 PM: ApplicationMinimized - EXIT
3:22 PM: ApplicationMinimized - EXIT
3:22 PM: ApplicationMinimized - ENTER
3:22 PM: ApplicationMinimized - ENTER
3:21 PM: ApplicationMinimized - EXIT
3:21 PM: ApplicationMinimized - ENTER
3:21 PM: ApplicationMinimized - EXIT
3:21 PM: ApplicationMinimized - ENTER
3:15 PM: Warning: Failed to open file "c:\documents and settings\windows user\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:15 PM: Warning: Failed to open file "c:\documents and settings\windows user\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
2:48 PM: Warning: Failed to open file "c:\documents and settings\windows user\local settings\temp\~dfdad2.tmp". The process cannot access the file because it is being used by another process
2:48 PM: Warning: Failed to open file "c:\documents and settings\windows user\local settings\temp\~dfdaba.tmp". The process cannot access the file because it is being used by another process
2:48 PM: Warning: Failed to open file "c:\documents and settings\windows user\ntuser.dat.log". The process cannot access the file because it is being used by another process
2:48 PM: Warning: Failed to open file "c:\documents and settings\windows user\ntuser.dat". The process cannot access the file because it is being used by another process
2:44 PM: Warning: Failed to open file "c:\recycled\nprotect\nprotect.log". The process cannot access the file because it is being used by another process
1:20 PM: ApplicationMinimized - EXIT
1:20 PM: ApplicationMinimized - ENTER
1:12 PM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
12:58 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:58 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:58 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:46 PM: IE Tracking Cookies Shield: Removed hitslink cookie
12:41 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:41 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:32 PM: Warning: Failed to open file "c:\windows.000\system32\config\default". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows.000\system32\config\software". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows.000\system32\config\system". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows.000\system32\config\security.log". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows.000\system32\config\sam.log". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows.000\system32\config\sam". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows.000\system32\config\security". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows.000\system32\config\default.log". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows.000\system32\config\software.log". The process cannot access the file because it is being used by another process
12:32 PM: Warning: Failed to open file "c:\windows.000\system32\config\system.log". The process cannot access the file because it is being used by another process
12:30 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:30 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:30 PM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
12:30 PM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
12:29 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:25 PM: IE Tracking Cookies Shield: Removed yieldmanager cookie
12:15 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:15 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:14 PM: IE Tracking Cookies Shield: Removed tacoda cookie
12:10 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
12:10 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
12:10 PM: Starting File Sweep
12:10 PM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
12:10 PM: Cookie Sweep Complete, Elapsed Time: 00:04:31
12:09 PM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
12:09 PM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
12:07 PM: ApplicationMinimized - EXIT
12:07 PM: ApplicationMinimized - ENTER
12:07 PM: ApplicationMinimized - EXIT
12:07 PM: ApplicationMinimized - ENTER
12:07 PM: ApplicationMinimized - EXIT
12:07 PM: ApplicationMinimized - ENTER
12:06 PM: Starting Cookie Sweep
12:06 PM: Registry Sweep Complete, Elapsed Time:00:05:29
12:04 PM: HKU\S-1-5-21-854245398-152049171-1060284298-1004\software\internet security\ (ID = 1553896)
12:04 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || user32.dll (ID = 1985800)
12:04 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || rare (ID = 1985799)
12:04 PM: HKLM\software\classes\clsid\{84938242-5c5b-4a55-b6b9-a1507543b418}\ (ID = 1935602)
12:04 PM: HKCR\clsid\{84938242-5c5b-4a55-b6b9-a1507543b418}\ (ID = 1935583)
12:04 PM: HKLM\software\classes\clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}\ (ID = 1918561)
12:04 PM: HKCR\clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}\ (ID = 1918533)
12:04 PM: HKLM\software\classes\videoaxobject.chl\ (ID = 1918121)
12:04 PM: HKCR\videoaxobject.chl\ (ID = 1918118)
12:04 PM: HKLM\software\microsoft\windows\currentversion\uninstall\system alert popup\ (ID = 1895397)
12:04 PM: Found Adware: antivermins
12:04 PM: HKLM\software\microsoft\windows\currentversion\uninstall\public messenger ver 2.03\ (ID = 1553911)
12:04 PM: HKLM\software\classes\typelib\{661173ee-fa31-4769-97d4-b556b5d09bda}\ (ID = 1218883)
12:04 PM: HKCR\typelib\{661173ee-fa31-4769-97d4-b556b5d09bda}\ (ID = 1218844)
12:04 PM: Found Adware: spyware quake
12:00 PM: Starting Registry Sweep
12:00 PM: Memory Sweep Complete, Elapsed Time: 00:32:41
12:00 PM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
12:00 PM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:59 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:59 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:58 AM: IE Tracking Cookies Shield: Removed tacoda cookie
11:58 AM: IE Tracking Cookies Shield: Removed tacoda cookie
11:58 AM: IE Tracking Cookies Shield: Removed tacoda cookie
11:41 AM: IE Tracking Cookies Shield: Removed tacoda cookie
11:41 AM: IE Tracking Cookies Shield: Removed tacoda cookie
11:41 AM: IE Tracking Cookies Shield: Removed tacoda cookie
11:38 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:37 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:37 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:37 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:36 AM: IE Tracking Cookies Shield: Removed sextracker cookie
11:35 AM: IE Tracking Cookies Shield: Removed sextracker cookie
11:28 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:28 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:28 AM: Starting Memory Sweep
11:28 AM: C:\Program Files\Video Access ActiveX Object\isadd.dll (ID = 1993070)
11:28 AM: HKCR\clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}\inprocserver32\ (ID = 1993070)
11:28 AM: C:\Program Files\Video Access ActiveX Object\iesplugin.dll (ID = 1985803)
11:28 AM: HKCR\clsid\{84938242-5c5b-4a55-b6b9-a1507543b418}\inprocserver32\ (ID = 1985803)
11:28 AM: Found Trojan Horse: trojan-downloader-zlob
11:27 AM: Start Full Sweep
11:27 AM: Sweep initiated using definitions version 861
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:27 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:26 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:26 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:26 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:26 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:25 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:25 AM: Spy Installation Shield: found: Adware: virusburst fakealert, version 1.0.0.0
11:24 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:24 AM: IE Security Shield: found: C:\DOCUMENTS AND SETTINGS\WINDOWS USER\LOCAL SETTINGS\TEMP\LAF29F.TMP -- IE Security modification denied
11:24 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:24 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:23 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:23 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:23 AM: BHO Shield: found: iesplugin.dll-- BHO installation denied at user request
11:23 AM: BHO Shield: found: isadd.dll-- BHO installation denied at user request
11:05 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
11:05 AM: IE Tracking Cookies Shield: Removed realmedia cookie
11:04 AM: IE Tracking Cookies Shield: Removed pointroll cookie
11:04 AM: IE Tracking Cookies Shield: Removed realmedia cookie
11:04 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
11:04 AM: IE Tracking Cookies Shield: Removed realmedia cookie
11:04 AM: IE Tracking Cookies Shield: Removed realmedia cookie
10:51 AM: IE Tracking Cookies Shield: Removed yieldmanager cookie
10:28 AM: IE Tracking Cookies Shield: Removed tacoda cookie
10:28 AM: IE Tracking Cookies Shield: Removed tacoda cookie
10:28 AM: IE Tracking Cookies Shield: Removed tacoda cookie
10:24 AM: IE Tracking Cookies Shield: Removed yieldmanager cookie
10:20 AM: IE Tracking Cookies Shield: Removed yieldmanager cookie
10:19 AM: IE Tracking Cookies Shield: Removed yieldmanager cookie
10:19 AM: IE Tracking Cookies Shield: Removed yieldmanager cookie
10:19 AM: IE Tracking Cookies Shield: Removed yieldmanager cookie
10:18 AM: IE Tracking Cookies Shield: Removed addynamix cookie
10:18 AM: IE Tracking Cookies Shield: Removed addynamix cookie
Keylogger: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
10:06 AM: Shield States
10:06 AM: Spyware Definitions: 861
10:04 AM: Spy Sweeper 5.3.1.2344 started
10:04 AM: Spy Sweeper 5.3.1.2344 started
10:04 AM: | Start of Session, Sunday, February 18, 2007


I did an uninstall on SpyDawn and it appeared to leave the system.
I did a search for isadd.dll and found it in the folder Video Access ActiveX Object 2.07. I tried to uninstall it, but it said I had to reboot. I went to Add/Remove Programs to delete the folder and it also said to reboot.

On Tuesday, I took the computer to a local repair shop and he was able to delete some of the trojan (traces went from 8 to 4 after a sweep), but I was still getting the popup System Alerts. He said I should do a reformat of the hard drive; I thought that was extreme. I did a search on the internet on how to remove the trojan zlob and followed the instructions from Symantec:

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan and delete all the files detected as Trojan.Zlob.
Delete any values added to the registry.

The Virus Scan Ran Clean.

One thing I noticed when I went into Spysweeper BHO Shield there was a checkmark next to a product name Unknown File Name C:\Program Files\Video Access ActiveX Object\isadd.dll, I removed the checkmark and my websurfing is no longer hijacked.

I then ran another Sweep checking Windows Registry, Memory Objects, Cookies, Compressed Files, System Restore Folder, All User Accounts, Direct Disk Sweeping, Rootkits and Verify Executable Programs and received these results:

8:15 PM: trojan-downloader-zlob is in use. It will be removed on reboot.
8:15 PM: Quarantining All Traces: trojan-downloader-zlob
8:15 PM: Traces Found: 3
8:15 PM: Custom Sweep has completed. Elapsed time 04:10:42
8:15 PM: File Sweep Complete, Elapsed Time: 03:43:08
7:18 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\data\settings.dat". The process cannot access the file because it is being used by another process
7:18 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
7:18 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
7:18 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
7:18 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
7:18 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
7:18 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
7:18 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
7:18 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
7:06 PM: Warning: Failed to open file "c:\documents and settings\windows user\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
7:06 PM: Warning: Failed to open file "c:\documents and settings\windows user\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
7:04 PM: Warning: Failed to open file "c:\documents and settings\windows user\ntuser.dat.log". The process cannot access the file because it is being used by another process
7:04 PM: Warning: Failed to open file "c:\documents and settings\windows user\ntuser.dat". The process cannot access the file because it is being used by another process
7:00 PM: Warning: Failed to open file "c:\recycled\nprotect\nprotect.log". The process cannot access the file because it is being used by another process
6:21 PM: ApplicationMinimized - EXIT
6:21 PM: ApplicationMinimized - ENTER
5:12 PM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
4:44 PM: Warning: Failed to open file "c:\windows.000\system32\config\default". The process cannot access the file because it is being used by another process
4:44 PM: Warning: Failed to open file "c:\windows.000\system32\config\software". The process cannot access the file because it is being used by another process
4:44 PM: Warning: Failed to open file "c:\windows.000\system32\config\system". The process cannot access the file because it is being used by another process
4:44 PM: Warning: Failed to open file "c:\windows.000\system32\config\security.log". The process cannot access the file because it is being used by another process
4:44 PM: Warning: Failed to open file "c:\windows.000\system32\config\sam.log". The process cannot access the file because it is being used by another process
4:44 PM: Warning: Failed to open file "c:\windows.000\system32\config\sam". The process cannot access the file because it is being used by another process
4:44 PM: Warning: Failed to open file "c:\windows.000\system32\config\security". The process cannot access the file because it is being used by another process
4:44 PM: Warning: Failed to open file "c:\windows.000\system32\config\default.log". The process cannot access the file because it is being used by another process
4:44 PM: Warning: Failed to open file "c:\windows.000\system32\config\software.log". The process cannot access the file because it is being used by another process
4:44 PM: Warning: Failed to open file "c:\windows.000\system32\config\system.log". The process cannot access the file because it is being used by another process
4:32 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
4:32 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
4:32 PM: Starting File Sweep
4:32 PM: Cookie Sweep Complete, Elapsed Time: 00:02:13
4:30 PM: Starting Cookie Sweep
4:30 PM: Registry Sweep Complete, Elapsed Time:00:03:20
Trace marked as Always Remove
4:29 PM: HKU\S-1-5-21-854245398-152049171-1060284298-1004\software\internet security\ (ID = 1553896)
Trace marked as Always Remove
4:29 PM: HKLM\software\classes\clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}\ (ID = 1918561)
Trace marked as Always Remove
4:29 PM: HKCR\clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}\ (ID = 1918533)
4:29 PM: Threat marked as Always Remove
4:29 PM: Found Trojan Horse: trojan-downloader-zlob
4:26 PM: Starting Registry Sweep
4:26 PM: Memory Sweep Complete, Elapsed Time: 00:25:44
4:01 PM: Starting Memory Sweep
4:00 PM: Start Custom Sweep
4:00 PM: Sweep initiated using definitions version 845
4:00 PM: IE Favorites Shield: Entry Allowed: http://www.capmag.com/index.asp
4:00 PM: IE Favorites Shield: Entry Allowed: http://www.mises.org/
Operation: File Access
Target:
Source: C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVW32.EXE
3:36 PM: Tamper Detection
12:33 PM: ApplicationMinimized - EXIT
12:33 PM: ApplicationMinimized - ENTER
12:32 PM: Sent error log: C:\Documents and Settings\Windows User\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
Keylogger: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
12:31 PM: Shield States
12:31 PM: Error: Access violation at address 004821FA in module 'SpySweeper.exe'. Read of address 00000000.
12:31 PM: Spyware Definitions: 845
12:29 PM: Spy Sweeper 5.3.1.2344 started
12:29 PM: Spy Sweeper 5.3.1.2344 started
12:29 PM: | Start of Session, Wednesday, February 21, 2007 |
***************
10:39 PM: IE Tracking Cookies Shield: Removed ask cookie
10:39 PM: IE Tracking Cookies Shield: Removed ask cookie
10:39 PM: IE Tracking Cookies Shield: Removed ask cookie
10:39 PM: IE Tracking Cookies Shield: Removed ask cookie
10:39 PM: IE Tracking Cookies Shield: Removed ask cookie
10:38 PM: IE Tracking Cookies Shield: Removed ask cookie
10:38 PM: IE Tracking Cookies Shield: Removed specificclick.com cookie
10:36 PM: IE Tracking Cookies Shield: Removed server.iad.liveperson cookie
10:36 PM: IE Tracking Cookies Shield: Removed server.iad.liveperson cookie
10:35 PM: IE Tracking Cookies Shield: Removed server.iad.liveperson cookie
10:35 PM: IE Tracking Cookies Shield: Removed server.iad.liveperson cookie
10:35 PM: IE Tracking Cookies Shield: Removed server.iad.liveperson cookie
10:35 PM: IE Tracking Cookies Shield: Removed server.iad.liveperson cookie
10:35 PM: IE Tracking Cookies Shield: Removed server.iad.liveperson cookie
10:34 PM: IE Tracking Cookies Shield: Removed clickbank cookie
10:31 PM: IE Tracking Cookies Shield: Removed addynamix cookie
10:24 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
10:13 PM: ApplicationMinimized - EXIT
10:13 PM: ApplicationMinimized - ENTER
10:12 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
10:03 PM: ApplicationMinimized - EXIT
10:03 PM: ApplicationMinimized - ENTER
10:03 PM: None
10:03 PM: Traces Found: 0
10:03 PM: Context Folder Sweep has completed. Elapsed time 00:00:14
10:03 PM: File Sweep Complete, Elapsed Time: 00:00:09
10:03 PM: Starting File Sweep
10:03 PM: Start Context Folder Sweep
10:03 PM: Sweep initiated using definitions version 845
Keylogger: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
10:02 PM: Shield States
10:02 PM: Spyware Definitions: 845
9:59 PM: Spy Sweeper 5.3.1.2344 started
9:59 PM: Spy Sweeper 5.3.1.2344 started
9:59 PM: | Start of Session, Wednesday, February 21, 2007

I found a forum that said to use the following dataset to clean up the problem:

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip

When clicking on the cmd extension I receive an alert saying it may contain a malicious script; so far that's the extent of my problem.

Mod Edit: Disabled active link to malware site.

Edited by quietman7, 22 February 2007 - 10:27 PM.
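An added triage helper for the Spy Sweeper log format quoted in this post (it is not code from the post, from Webroot or from BleepingComputer): it walks the newest-first log chronologically, groups each "(ID = n)" trace under the "Found ..." line that precedes it, and cross-references the "is in use. It will be removed on reboot." entries so that items which were only deferred, not removed, stand out. The sample lines are a constructed excerpt modelled on the log above, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt, in Spy Sweeper's display order (newest line first),
# modelled on the lines quoted in the post above.
SAMPLE_LOG = r"""
4:18 PM: HKLM: software\classes\clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}\ is in use. It will be removed on reboot.
4:18 PM: C:\Program Files\Video Access ActiveX Object\isadd.dll is in use. It will be removed on reboot.
4:17 PM: trojan-downloader-zlob is in use. It will be removed on reboot.
4:16 PM: Quarantining All Traces: trojan-downloader-zlob
4:11 PM: Traces Found: 17
12:04 PM: HKLM\software\classes\clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}\ (ID = 1918561)
12:04 PM: HKLM\software\classes\videoaxobject.chl\ (ID = 1918121)
12:04 PM: Found Adware: antivermins
12:04 PM: HKLM\software\classes\typelib\{661173ee-fa31-4769-97d4-b556b5d09bda}\ (ID = 1218883)
12:04 PM: Found Adware: spyware quake
12:00 PM: Starting Registry Sweep
11:28 AM: C:\Program Files\Video Access ActiveX Object\isadd.dll (ID = 1993070)
11:28 AM: HKCR\clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}\inprocserver32\ (ID = 1993070)
11:28 AM: Found Trojan Horse: trojan-downloader-zlob
11:27 AM: Start Full Sweep
"""

TS = r"^\d{1,2}:\d{2} [AP]M: "
FOUND_RE = re.compile(TS + r"Found (?P<kind>Adware|Trojan Horse): (?P<name>.+)$")
TRACE_RE = re.compile(TS + r"(?P<trace>.+?) \(ID = (?P<id>\d+)\)$")
DEFER_RE = re.compile(TS + r"(?P<item>.+?) is in use\. It will be removed on reboot\.$")
SWEEP_RE = re.compile(TS + r"Start(?:ing)? .*Sweep$")
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)


def parse_sweep_log(text):
    """Return (traces_by_threat, deferred).

    traces_by_threat maps a threat name to the [(trace, id), ...] reported
    under its 'Found ...' line; deferred lists the items the sweeper could
    not remove because they were in use (locked file or loaded COM server).
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    traces, deferred, current = defaultdict(list), [], None
    for line in reversed(lines):            # newest-first log, so walk it chronologically
        if SWEEP_RE.match(line):
            current = None                  # a new sweep stage starts a fresh group
            continue
        m = FOUND_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = TRACE_RE.match(line)
        if m:
            traces[current or "(unlabelled)"].append((m.group("trace"), int(m.group("id"))))
            continue
        m = DEFER_RE.match(line)
        if m:
            # deferral lines spell the hive as "HKLM: ..." while trace lines use "HKLM\..."
            deferred.append(m.group("item").replace("HKLM: ", "HKLM\\"))
    return dict(traces), deferred


def clsids_by_threat(traces):
    """Map each CLSID seen in a trace to the sorted threat names it was reported under.
    The same CLSID turning up under two names shows one component being
    counted as several products."""
    seen = defaultdict(set)
    for threat, items in traces.items():
        for trace, _ in items:
            for clsid in CLSID_RE.findall(trace):
                seen[clsid.lower()].add(threat)
    return {c: sorted(t) for c, t in seen.items()}


def unresolved(traces, deferred):
    """Traces whose removal was only deferred to reboot: the items to re-check
    after restarting, since an in-use component has not actually been removed."""
    norm = lambda s: s.lower().rstrip("\\")
    pending = {norm(d) for d in deferred}
    return [(threat, trace, tid)
            for threat, items in traces.items()
            for trace, tid in items
            if norm(trace) in pending]


if __name__ == "__main__":
    traces, deferred = parse_sweep_log(SAMPLE_LOG)
    for threat, items in traces.items():
        print(f"{threat}: {len(items)} trace(s)")
    for clsid, threats in clsids_by_threat(traces).items():
        if len(threats) > 1:
            print(f"CLSID {clsid} reported under: {', '.join(threats)}")
    for threat, trace, tid in unresolved(traces, deferred):
        print(f"NOT YET REMOVED ({threat}, ID {tid}): {trace}")
```

Running it on the excerpt reports the isadd.dll file and the 67982bb7 CLSID as deferred rather than removed, and shows that CLSID counted under both antivermins and trojan-downloader-zlob.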



#2 fozzie

Posted 22 February 2007 - 03:37 PM

Go through this guide and see whether it will remedy your infection.

#3 birds_on_the_bat

Posted 22 February 2007 - 05:06 PM

Fozzie,

Thanks, it looks like the little icons have disappeared along with Video Access ActiveX folder.
I'll run a sweep later on.

#4 quietman7

Posted 22 February 2007 - 10:28 PM

Smitfraudfix is not malicious, so ignore the alert and run option #2 in safe mode.