RickJ
Jun 22, 2007, 06:43 AM
Some of you know my Paypal and adSense accounts were compromised a couple weeks ago. Sorry for the long one, but here's my latest:
I tried a few products since then and settled on running ZoneAlarm Free for firewall and AVG Free for antivirus. Also running Malware Sweeper Free, Windows Defender and Spyware Blaster in the background.
This morning the Malware Sweeper notification window was up saying I had 18 infections. Neither of the other two malware products had notifications, but just in case, I ran scans.
Did full scan with Spybot Search & Destroy: It found nothing.
Did full scan with AVG: It found nothing.
Did full scan with Windows Defender: It found nothing.
Did full scan with MS Malware Removal Tool: It found nothing.
So the whimpy Malware Sweeper Free product finds what none of the others find?? Can that be right?
The below is what Malware Sweeper found. Are they really problems? If so, how can we trust any of these malware finders knowing one product may find what many others don't?
The stuff that is supposedly logging what I do is quite concerning!
Malware Sweeper found:
13 Registry Items
** Block-Checker, Severe
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\p3p\history\bfast.com
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\p3p\history\bfast.com
Block-checker is a program which is used to check if your frInternet Explorernds are blocking you on MSN, Yahoo or AOL. This program hijacks your messenger services by automatically sending messages such as ;I know who's blocking me on MSN because I use http://www.block-checker.com;. It also adds itself to the firewall exclusion policInternet Explorers.
** systemprocess, severe
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\p3p\history\qksrv.net
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\p3p\history\qksrv.net
is an advertising-oriented spyware that downloads and displays advertisements in a popup window while a user is browsing the Web
** CoolWebSearch, severe
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\zonemap\domains\coolwwwsearch.com
hkey_local_machine\software\microsoft\windows\curr entversion\internet
settings\zonemap\domains\coolwwwsearch.com=*
CoolWebSearch is a wide range of browser redirection tools. All variants redirect you to specific Web sites.
** uncategorized hijacker, moderate
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\zonemap\domains\xxxtoolbar.com
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\zonemap\domains\xxxtoolbar.com=*
A hijackjer is is software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
** surveil, severe
hkey_classes_root\.zlg
hkey_classes_root\.zlg
hkey_classes_root\.zlg=original extension
Surveil logs all system activity. The person who installed it can then watch all the logged activity.
5 Files/Folders
** CooKies, moderate
c:\cocuments and settings\rick jackson\cookies\rick [email protected][1].txt
c:\cocuments and settings\rick jackson\cookies\rick [email protected][1].txt
(I know what these are. Cookies not a problem)
A CooKie is an information file that some web servers use to identify you in the internet, but other CooKies might be spyware because of the information they hold.
** passdumper, high
c:\docume~1\rickja!1\locals~1\temp\rarsfx20
PassDumper is a tool which steals windows login name and passwords from windows NT/2000 and saves them into a pass.txt in windows directory.
** achiles, high
c:\windows\system32\catroot2\tmp.edb
is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
** dssdoor.c, severe
c:\windows\system32\\msinet.ocx
malicious user with access to the victim machine. It is a Windows PE EXE file. The file is 419 969 bytes in size. It is packed using UPX. The unpacked file is approximately 890KB in size. This Trojan is written in Visual Basic.
Should I go back in with Malware Sweeper and remove all the stuff above?
Any suggestions? I know I've asked similar before, but this new info sure changes things in my mind.
I tried a few products since then and settled on running ZoneAlarm Free for firewall and AVG Free for antivirus. Also running Malware Sweeper Free, Windows Defender and Spyware Blaster in the background.
This morning the Malware Sweeper notification window was up saying I had 18 infections. Neither of the other two malware products had notifications, but just in case, I ran scans.
Did full scan with Spybot Search & Destroy: It found nothing.
Did full scan with AVG: It found nothing.
Did full scan with Windows Defender: It found nothing.
Did full scan with MS Malware Removal Tool: It found nothing.
So the whimpy Malware Sweeper Free product finds what none of the others find?? Can that be right?
The below is what Malware Sweeper found. Are they really problems? If so, how can we trust any of these malware finders knowing one product may find what many others don't?
The stuff that is supposedly logging what I do is quite concerning!
Malware Sweeper found:
13 Registry Items
** Block-Checker, Severe
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\p3p\history\bfast.com
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\p3p\history\bfast.com
Block-checker is a program which is used to check if your frInternet Explorernds are blocking you on MSN, Yahoo or AOL. This program hijacks your messenger services by automatically sending messages such as ;I know who's blocking me on MSN because I use http://www.block-checker.com;. It also adds itself to the firewall exclusion policInternet Explorers.
** systemprocess, severe
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\p3p\history\qksrv.net
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\p3p\history\qksrv.net
is an advertising-oriented spyware that downloads and displays advertisements in a popup window while a user is browsing the Web
** CoolWebSearch, severe
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\zonemap\domains\coolwwwsearch.com
hkey_local_machine\software\microsoft\windows\curr entversion\internet
settings\zonemap\domains\coolwwwsearch.com=*
CoolWebSearch is a wide range of browser redirection tools. All variants redirect you to specific Web sites.
** uncategorized hijacker, moderate
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\zonemap\domains\xxxtoolbar.com
hkey_local_machine\software\microsoft\windows\curr entversion\internet settings\zonemap\domains\xxxtoolbar.com=*
A hijackjer is is software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
** surveil, severe
hkey_classes_root\.zlg
hkey_classes_root\.zlg
hkey_classes_root\.zlg=original extension
Surveil logs all system activity. The person who installed it can then watch all the logged activity.
5 Files/Folders
** CooKies, moderate
c:\cocuments and settings\rick jackson\cookies\rick [email protected][1].txt
c:\cocuments and settings\rick jackson\cookies\rick [email protected][1].txt
(I know what these are. Cookies not a problem)
A CooKie is an information file that some web servers use to identify you in the internet, but other CooKies might be spyware because of the information they hold.
** passdumper, high
c:\docume~1\rickja!1\locals~1\temp\rarsfx20
PassDumper is a tool which steals windows login name and passwords from windows NT/2000 and saves them into a pass.txt in windows directory.
** achiles, high
c:\windows\system32\catroot2\tmp.edb
is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
** dssdoor.c, severe
c:\windows\system32\\msinet.ocx
malicious user with access to the victim machine. It is a Windows PE EXE file. The file is 419 969 bytes in size. It is packed using UPX. The unpacked file is approximately 890KB in size. This Trojan is written in Visual Basic.
Should I go back in with Malware Sweeper and remove all the stuff above?
Any suggestions? I know I've asked similar before, but this new info sure changes things in my mind.