    RickJ Posts: 7,762, Reputation: 864
    Uber Member
    #1

    Jun 22, 2007, 06:43 AM
    Going nuts! Is it really malware?
    Some of you know my Paypal and adSense accounts were compromised a couple weeks ago. Sorry for the long one, but here's my latest:

    I tried a few products since then and settled on running ZoneAlarm Free for firewall and AVG Free for antivirus. Also running Malware Sweeper Free, Windows Defender and Spyware Blaster in the background.

    This morning the Malware Sweeper notification window was up saying I had 18 infections. Neither of the other two malware products had notifications, but just in case, I ran scans.

    Did full scan with Spybot Search & Destroy: It found nothing.
    Did full scan with AVG: It found nothing.
    Did full scan with Windows Defender: It found nothing.
    Did full scan with MS Malware Removal Tool: It found nothing.

    So the wimpy Malware Sweeper Free product finds what none of the others find?? Can that be right?

    The below is what Malware Sweeper found. Are they really problems? If so, how can we trust any of these malware finders knowing one product may find what many others don't?

    The stuff that is supposedly logging what I do is quite concerning!

    Malware Sweeper found:

    13 Registry Items
    ** Block-Checker, Severe
    hkey_local_machine\software\microsoft\windows\currentversion\internet settings\p3p\history\bfast.com
    hkey_local_machine\software\microsoft\windows\currentversion\internet settings\p3p\history\bfast.com

    Block-checker is a program which is used to check if your friends are blocking you on MSN, Yahoo or AOL. This program hijacks your messenger services by automatically sending messages such as ;I know who's blocking me on MSN because I use http://www.block-checker.com;. It also adds itself to the firewall exclusion policies.

    ** systemprocess, severe
    hkey_local_machine\software\microsoft\windows\currentversion\internet settings\p3p\history\qksrv.net
    hkey_local_machine\software\microsoft\windows\currentversion\internet settings\p3p\history\qksrv.net

    is an advertising-oriented spyware that downloads and displays advertisements in a popup window while a user is browsing the Web

    ** CoolWebSearch, severe
    hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwwwsearch.com
    hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwwwsearch.com=*

    CoolWebSearch is a wide range of browser redirection tools. All variants redirect you to specific Web sites.

    ** uncategorized hijacker, moderate
    hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com
    hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com=*

    A hijacker is software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

    ** surveil, severe
    hkey_classes_root\.zlg
    hkey_classes_root\.zlg
    hkey_classes_root\.zlg=original extension

    Surveil logs all system activity. The person who installed it can then watch all the logged activity.

    5 Files/Folders

    ** CooKies, moderate
    c:\documents and settings\rick jackson\cookies\rick jackson@maxis.112.2o7[1].txt
    c:\documents and settings\rick jackson\cookies\rick jackson@server.iad.liveperson[1].txt
    (I know what these are. Cookies not a problem)

    A CooKie is an information file that some web servers use to identify you in the internet, but other CooKies might be spyware because of the information they hold.

    ** passdumper, high
    c:\docume~1\rickja!1\locals~1\temp\rarsfx20

    PassDumper is a tool which steals windows login name and passwords from windows NT/2000 and saves them into a pass.txt in windows directory.

    ** achiles, high
    c:\windows\system32\catroot2\tmp.edb

    is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.

    ** dssdoor.c, severe
    c:\windows\system32\\msinet.ocx

    malicious user with access to the victim machine. It is a Windows PE EXE file. The file is 419 969 bytes in size. It is packed using UPX. The unpacked file is approximately 890KB in size. This Trojan is written in Visual Basic.

    Should I go back in with Malware Sweeper and remove all the stuff above?

    Any suggestions? I know I've asked similar before, but this new info sure changes things in my mind.
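The registry items in the scan above are of two kinds, and both are easy to inspect before deleting anything. Entries under `Internet Settings\ZoneMap\Domains` assign a domain to an Internet Explorer security zone, and the DWORD under the `*` (or `http`/`https`) value says which zone: 4 is Restricted sites, so a domain there with value 4 is being blocked rather than trusted. Entries under `Internet Settings\P3P\History` are per-site cookie decisions (1 = always allow, 5 = always block). Tools such as SpywareBlaster, which the poster says is running, work precisely by adding Restricted-zone and cookie-block entries for known bad domains, and a name-matching scanner can report those protective entries as infections. The following read-only PowerShell script is an added example, not part of the thread or of any of the products named; it decodes both kinds of entries for the four domains the scanner listed (the `$flagged` list is constructed from the post).

```powershell
# Added example (not from the thread): decode the IE ZoneMap and P3P cookie-decision
# registry entries a scanner flagged, so their real effect is visible. Read-only.

$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$CookieNames = @{ 1 = 'always allow'; 5 = 'always block' }

function Get-IeZoneMapEntries {
    # Each subkey under ZoneMap\Domains is a domain (nested subkeys are host names);
    # each value is a scheme ('*', 'http', 'https') whose DWORD data is the zone number.
    param([string[]]$Hives = @('HKLM', 'HKCU'))
    foreach ($hive in $Hives) {
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # Relative key path, e.g. 'coolwwwsearch.com' or 'example.com\www'
            $rel   = ($key.Name -split '\\ZoneMap\\Domains\\', 2)[1]
            $parts = $rel -split '\\'
            [array]::Reverse($parts)                       # 'example.com\www' -> www.example.com
            $domain = $parts -join '.'
            foreach ($scheme in $key.GetValueNames()) {
                $data = $key.GetValue($scheme)
                $zone = if ($data -is [int]) { $data } else { -1 }
                [pscustomobject]@{
                    Hive    = $hive
                    Domain  = $domain
                    Scheme  = if ($scheme) { $scheme } else { '(default)' }
                    Zone    = $zone
                    Meaning = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "unknown ($data)" }
                }
            }
        }
    }
}

function Get-IeCookieDecisions {
    # P3P\History: one subkey per site; the key's default value is 1 (allow) or 5 (block).
    param([string[]]$Hives = @('HKLM', 'HKCU'))
    foreach ($hive in $Hives) {
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $code = $_.GetValue('')
            $n    = if ($code -is [int]) { $code } else { -1 }
            [pscustomobject]@{
                Hive    = $hive
                Domain  = $_.PSChildName
                Code    = $code
                Meaning = if ($CookieNames.ContainsKey($n)) { $CookieNames[$n] } else { "unknown ($code)" }
            }
        }
    }
}

# Domains named in the scanner output quoted in the thread (constructed list).
$flagged = 'bfast.com', 'qksrv.net', 'coolwwwsearch.com', 'xxxtoolbar.com'

Get-IeZoneMapEntries   | Where-Object { $flagged -contains $_.Domain } | Format-Table -AutoSize
Get-IeCookieDecisions  | Where-Object { $flagged -contains $_.Domain } | Format-Table -AutoSize
```

Read the output by the `Meaning` column: a ZoneMap entry reporting `Restricted sites` and a P3P entry reporting `always block` are restrictions placed on that domain, which is the opposite of a hijack; an ad or hijacker domain sitting in `Trusted sites` (zone 2) or marked `always allow` is the case that actually deserves attention. Deleting a protective entry only removes the block.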
    Superfly999 Posts: 235, Reputation: 14
    Full Member
    #2

    Jun 22, 2007, 07:32 AM
    Hmmm I did a search on a few of those last files and those seem like they are needed for the system to function. I don't think I would trust that malware sweeper program. Try this website (in IE not Firefox or myie2) housecall.trendmicro.com it is a free virus/spyware scan site that works really well. If anyone has more info over this please list it.

    *EDIT* OK I did a search over a few of the first files this time and it said they were in fact spyware. I still don't know about this program though because those last files that I search for seemed necessary. Again if anyone else can provide more info please do.
    benn11 Posts: 1,036, Reputation: 43
    Ultra Member
    #3

    Jun 22, 2007, 07:40 AM
    You do wonder why sometimes these free programs pick up all sorts of malicious code? For example I have Trend Micro at work that doesn't pick up anything but when I go to my personal machine installed with AVG it picks up all these viruses..

    I would recommend you to back up your data or set a restore point but give the program a go and let us know what happens...
    RickJ Posts: 7,762, Reputation: 864
    Uber Member
    #4

    Jun 22, 2007, 11:38 AM
    Thank you, anyone who reads this windy thing.

    The plot thickens:

    This is becoming quite interesting... and still a bit worrisome:

    TrendMicro found only 2 items:

    1. SPYWARE_TRAK_CULREMOT.11 (no info about it found by googling)
    And
    2. a profiling cookie (liveperson, same as found by Malware Sweeper).
    I ran the cleaner/remover.

    I then checked PCMag. They name the best anti-spyware/malware programs as Webroot Spy Sweeper, Norton Internet Security and Spyware Doctor as the tops... so I ran Spy Sweeper and Spyware Doctor:

    Webroot Spy Sweeper found just 2 relatively harmless spy cookies:
    2o7.net server.iad.liveperson (interesting that trend micro did not remove it even though it said it did). The free version of Spy Sweeper does not remove items.

    Spyware Doctor only found 2 Advertising items and 3 Tracking items.
    The free version of Spyware Doctor does not remove items.

    ... so then I did another system restore point just in case, then ran Malware Sweeper again and used it to remove the items it found. It said it removed them all but another scan shows that dssdoor.c and achiles are still there.

    Clicking on Take Action results in the program saying they're removed, but scanning again shows they're still there.

    I don't find anything on the net about achiles.

    dssdoor.c is another story, though. I read that it

    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

    It was recognized in 2005 so why the other apps could not find it sort of blows me away.

    ... and for a look back at the other stuff that Malware Sweeper, but not the others, found:

    Passdumper seems quite serious. Again, how the little freebie found it but not the other big name ones concerns me.

    ... does any of this lead anyone else to be very concerned about the big name products?
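Two of the file detections in the thread behave exactly as a locked, legitimate system file would: the scanner reports the file removed, but it is still there on the next scan. `catroot2\tmp.edb` is part of the catalog database the Cryptographic Services service keeps open, and `msinet.ocx` is a Microsoft-signed ActiveX control (the Internet Transfer Control shipped with Visual Basic 6). Before accepting a name-based verdict on a file, a practitioner checks whether the file is actually present, how large it is, its SHA-256, and whether it carries a valid Authenticode signature and from whom. The script below is an added example, not part of the thread or any product it mentions; the path list is constructed from the scanner output above, with the temp folder expressed through `$env:TEMP` instead of the poster's profile path.

```powershell
# Added example (not from the thread): report existence, size, SHA-256 and Authenticode
# status of files a scanner flagged, so a name-only verdict can be cross-checked. Read-only.

function Get-FlaggedFileReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $full = [Environment]::ExpandEnvironmentVariables($p)
        if (-not (Test-Path -LiteralPath $full)) {
            [pscustomobject]@{ Path = $full; Exists = $false; Type = $null; Bytes = $null; Sha256 = $null; Signature = $null; Signer = $null }
            continue
        }
        $item = Get-Item -LiteralPath $full -Force
        if ($item.PSIsContainer) {
            # A directory (e.g. a self-extracting archive's temp folder) is counted, not hashed.
            $count = (Get-ChildItem -LiteralPath $full -Recurse -File -Force -ErrorAction SilentlyContinue | Measure-Object).Count
            [pscustomobject]@{ Path = $full; Exists = $true; Type = 'directory'; Bytes = $null; Sha256 = $null; Signature = "$count file(s) inside"; Signer = $null }
            continue
        }
        $sig  = Get-AuthenticodeSignature -LiteralPath $full
        # Files held open by a service (catalog databases, for instance) cannot be read for hashing.
        $hash = try { (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash } catch { 'unreadable (file locked)' }
        [pscustomobject]@{
            Path      = $full
            Exists    = $true
            Type      = 'file'
            Bytes     = $item.Length
            Sha256    = $hash
            Signature = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Paths as the scanner reported them in the thread (constructed list; temp path generalised).
$flagged = @(
    "$env:SystemRoot\System32\msinet.ocx",
    "$env:SystemRoot\System32\catroot2\tmp.edb",
    "$env:TEMP\rarsfx20"
)

Get-FlaggedFileReport -Paths $flagged | Format-List
```

A `Signature` of `Valid` with a Microsoft subject in `Signer` is strong evidence the file is what its name says, while `HashMismatch` means the file was modified after signing and deserves a second look. One caveat: many Windows components are signed through a security catalog rather than an embedded signature, so `NotSigned` on a file in `System32` is not by itself suspicious; confirm it with a catalog-aware tool such as Sysinternals `sigcheck` before drawing a conclusion. A hash you cannot compute because the file is locked is the same reason a scanner's "removed" click can have no effect.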
    biggsie Posts: 1,267, Reputation: 125
    Ultra Member
    #5

    Jun 27, 2007, 07:28 AM
    I usually go to Pal Talk (chat site) if I have computer problems -- Room Name -- and link below... They usually point me in the right direction...

    Personal Computers and High Tech Help

    Personal Computers & High Tech Help

    I had to clean my computer, because of a Pay Pal incident, someone charged Jewelry to my PAY PAL account $2300 worth... They could not tell me how it happened.

    Two years ago someone got my Pay Pal account number and drained our bank account in three days -- straightened out the mess --- once...

    This time I closed my account, money is tight, I'm now retired and don't need the stress...

    Not sure who to believe when checking for spyware, think some make it look like they found something, or planted something to sell their product!!
    SajidBhai Posts: 2, Reputation: 1
    New Member
    #6

    Nov 27, 2007, 01:01 AM
    Comment on biggsie's post
    I agree with u... most of the "anti-spyware" usually plants a spyware and pops up saying I found a spyware I found spyware... much like Mr. Bean putting Christmas cards in his house and enters and says "AAAH :-)"
