heaps of detections - then spybot crashes :(



Argus
2007-04-30, 12:05
Hi, I have been trying to run a full scan with spybot, and spybot gets as far as detecting smitfraud C, mediamotor, Sgrunt, Coolwebsearch, and guardian monitor, and then crashes.
The first time, I left the computer for a bit, (as you do, whilst scanning), and came back to find a "windows has shut down this program to protect your computer" message. I put spybot in the DEP ignore list, and tried again.
Again, spybot crashed, no error message from windows or anything, it just disappeared. :(
I tried a third time, with the same result. This time, however, I had the foresight to save spybot's scan report before it crashed, but also before it had completed the scan, so it may be missing the vital detection which is causing the crash.

That said, I do not really believe that there is an infection of any kind, but it may of course be possible. I have read about the fp involving guardian monitor, which is one of the things detected. However, the fact that spybot cannot complete a scan has me a leetle worried.

Anyway, here is as much of the report as I was able to save. I have included the entire log in the attachment. Thanks.

--- Search result list ---
Sgrunt: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1343024091-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sgrunt.biz\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1343024091-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ysbweb.com\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1343024091-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net\*!=W=4

MediaMotor: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1343024091-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net\*!=W=4

MediaMotor: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1343024091-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net\*!=W=4

MediaMotor: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1343024091-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mmohsix.com\*!=W=4

Smitfraud-C.: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1343024091-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\asdbiz.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1343024091-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greg-tut.com\*!=W=4

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{0E34D615-66A0-11D4-AB49-00105A6F87AB}

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{26FA5DE7-1C96-11D3-9CA6-00500411B995}

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{64CCFDB7-6428-11D3-A957-00105A6F87AB}

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6A4B26F5-14D0-11D3-9C9A-00500411B995}

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6B50EFC4-F324-11D2-9C6B-00500411B995}

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{6E6520E9-13F1-11D3-9C98-00500411B995}

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{7C801DCD-ECC8-11D2-9C5C-00500411B995}

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{94D298C9-B76D-11D3-AA25-00105A6F87AB}

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{E38F2E7A-A621-11D3-9CBA-00500411B995}

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.dxStrings

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{64CCFDB7-6428-11D3-A957-00105A6F87AB}

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.dxStrings.1

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.dxTreeList

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.dxTreeList.2

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7C801DCD-ECC8-11D2-9C5C-00500411B995}

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.dxTreeLocalizer

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0E34D615-66A0-11D4-AB49-00105A6F87AB}

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.dxTreeLocalizer.1

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xATLBand

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6E6520E9-13F1-11D3-9C98-00500411B995}

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xATLBand.1

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xATLColumn

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6A4B26F5-14D0-11D3-9C9A-00500411B995}

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xATLColumn.1

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xATLOptions

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E38F2E7A-A621-11D3-9CBA-00500411B995}

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xATLOptions.1

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xATLRowStyle

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{94D298C9-B76D-11D3-AA25-00105A6F87AB}

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xATLRowStyle.1

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xATLTreeNode

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{26FA5DE7-1C96-11D3-9CA6-00500411B995}

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xATLTreeNode.1

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xTransferObject

GuardianMonitor: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\TreeList.xTransferObject.1

GuardianMonitor: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6B50EFC4-F324-11D2-9C6B-00500411B995}

XPreload: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1343024091-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sxload.com\*!=W=4


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2006-11-24 TeaTimer.exe (1.5.0.0)
2005-05-31 TeaTimer_original.exe (1.4.0.2)
2007-02-14 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-04-18 advcheck.dll (1.5.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-04-04 Includes\Beta.sbi (*)
2005-02-16 Includes\Beta.uti (*)
2007-04-25 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-04-25 Includes\DialerC.sbi (*)
2007-04-04 Includes\Hijackers.sbi (*)
2007-04-25 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-04-25 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-04-25 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-04-25 Includes\PUPSC.sbi (*)
2007-04-25 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-04-25 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-04-25 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-04-25 Includes\Trojans.sbi (*)
2007-04-25 Includes\TrojansC.sbi (*)

spybotsandra
2007-04-30, 14:30
Hello,

Please run a scan in safe mode:
http://www.computerhope.com/issues/chsafe.htm
That should fix it.

Best regards
Sandra
Team Spybot

md usa spybot fan
2007-04-30, 15:11
Argus:

Caution!!!

The detections for GuardianMonitor may be false positives. See the following threads:
GuardianMonitor FP?
http://forums.spybot.info/showthread.php?t=13239
GuardianMonitor
http://forums.spybot.info/showthread.php?t=13232
I personally would not fix the GuardianMonitor detections until after the next set of updates to make sure the detections are valid.

Argus
2007-05-01, 03:58
Hi Spybotsandra and md usa spybot fan,
I am pretty sure that all the detections made by spybot are false positives. (except for a firefox bookmark entry, which is for the lop uninstaller)

I have also scanned with both super antispyware, and AVG AS (ex ewido), and neither of those detected anything at all.

I'll try scanning with spybot in safe mode in a little while, and see if it can complete a scan, and upload the report to this thread, to see if that provides any answers.

Thanks, Argus :)

Argus
2007-05-01, 04:39
Now I'm not so sure....

I just ran a scan with ad-aware, which found 46 possible browser hijack attempts. The detail it gives is "trusted zone presumably compromised".

However, when I actually look in the trusted zone in IE tools -> internet options -> security tab -> trusted zone, there are no entries at all.

When I run HJT (no, I'm not asking for a log analysis), the only suspect entries are
F3- REG:win.ini: LOAD=
F3- REG:win.ini: RUN=

So, at this stage I have 2 for infection (spybot, ad-aware), and 2 against (SAS, AVG AS). I know that at least one of spybot's detections was a false positive, and I'm pretty reluctant to "fix" anything at all without knowing more...

One thing I should perhaps note is that when I last ran spyware blaster the restricted sites protection had disabled itself.

I just ran it again, and the restricted sites protection was still active, so I just don't know.

IE has not been hijacked, it opens at the home page that I set it to, there are no popups, there are no strange processes running in process explorer, and comodo firewall is alerting to no unusual connection attempts.

Zenobia
2007-05-01, 08:25
XPreload: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1343024091-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sxload.com\*!=W=4

Those types of detections would seem to be that Spybot is picking up that those websites (*!=W=4) are not placed in the restricted sites zone, as they do not have a value of 4. !=W=4 would be "does not equal dword 4" (in a nutshell, anyway). That may be what Ad-aware is picking up on.

There was a post by Yodama here,from quite some time ago,if it still applies:
http://forums.spybot.info/showpost.php?p=43131&postcount=6
From this thread:
http://forums.spybot.info/showthread.php?t=7443
You have Spywareblaster, do you have anything else that would place sites into the restricted zone? If you feel you are not infected, you could temporarily disable Spywareblaster restricted sites protection and/or any other programs you have that place sites into the restricted zone, then run a scan with Spybot, and see if the *!=W=4 type detections are still being picked up; maybe it would bring you closer to knowing what is going on. It might help you find out whether it is the same as what Yodama posted, or if the sites being detected are actually in the wrong Internet Zone (if you are actually able to scan with Spybot and get another report again, where Spybot is crashing.)

Or, you could follow the path in the registry to see what value those sites that are detected by Spybot actually are in the registry, but you should only do that if you're comfortable going into the registry, and are familiar with it, just to have a look. This should be right, I think: a value of 2 would be the trusted sites Zone, a value of 3 would be the Internet Zone, a value of 4 (0x00000004) would mean it is in the restricted sites zone.

Argus
2007-05-01, 11:10
Hi Zenobia,
I looked under the key you quoted; under the sxload.com key it said:

[ab] (default) REG_SZ (value not set)
[binary] * REG_DZ (invalid DWORD value)

and under sxload.com's subkey www

[ab] (default) REG_SZ (value not set)
[binary] * REG_DZ 0x00000004 (4)

Spyware blaster and spybot's immunization are the only things that would be placing anything in the restricted sites zone.

Does this mean it's safe for me to have ad aware delete them?
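As an added illustration (not code from the thread or from Team Spybot) of the ZoneMap values Zenobia describes and the "(invalid DWORD value)" readout quoted above: this script parses a regedit `.reg` export offline, maps each `ZoneMap\Domains` value to its zone (2 trusted, 3 Internet, 4 restricted), and flags entries that Spybot would report as `*!=W=4`, i.e. anything that is not a DWORD 4, including a DWORD with no data or a value of the wrong type. The sample export, the `intranet.example` site and all function names are constructed for the example.

```python
import re

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
KEY_RE = re.compile(r'^\[.*\\ZoneMap\\Domains\\(?P<site>[^\]]+)\]$', re.I)
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def classify(data):
    """Map one value's raw .reg data to (status, zone number or None)."""
    if data.startswith("dword:"):
        return ("zone", int(data[6:], 16))
    if data.startswith("hex(4):"):  # REG_DWORD exported as raw bytes
        raw = bytes.fromhex(data[7:].replace(",", ""))
        if len(raw) == 4:
            return ("zone", int.from_bytes(raw, "little"))
        return ("invalid-dword", None)  # what regedit shows as "(invalid DWORD value)"
    return ("wrong-type", None)  # REG_SZ, REG_BINARY, ... can never be a zone number

def audit_zonemap(reg_text):
    """Parse a regedit export and list every ZoneMap domain value with its status."""
    findings, site = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)  # subkey "sxload.com\www" becomes "www.sxload.com"
            site = ".".join(reversed(m.group("site").split("\\"))) if m else None
            continue
        m = VAL_RE.match(line)
        if site and m:
            status, zone = classify(m.group("data"))
            findings.append({"site": site, "value": m.group("name"), "status": status,
                             "zone": zone, "zone_name": ZONES.get(zone, "n/a")})
    return findings

def not_restricted(findings):
    """Entries Spybot reports as '*!=W=4': anything that is not DWORD 4."""
    return [f for f in findings if (f["status"], f["zone"]) != ("zone", 4)]

# Constructed sample export: empty DWORD, correct restricted entry, trusted entry, string where a DWORD belongs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sxload.com]
"*"=hex(4):
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sxload.com\www]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"*"=dword:00000002
"http"="4"
"""

if __name__ == "__main__":
    for f in not_restricted(audit_zonemap(SAMPLE_REG)):
        print(f["site"], f["value"], f["status"], f["zone_name"])
```

On a real machine, feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg`; entries reported as invalid-dword or wrong-type are the ones worth re-immunizing rather than "fixing".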

Argus
2007-05-01, 13:06
I just disabled spyware blaster's immunization, and ad aware still detects the same 46 possible browser hijack attempts. :(
I'll try disabling spybot's immunization, and see if that makes any difference.

Argus
2007-05-01, 13:41
Strangely enough, it was spybot's immunization which caused all of ad-aware's detections; after I removed the immunization, ad-aware came up clean.

I must admit this surprised me, as I've never had this happen before. :(

Another odd thing I noticed: when I went to disable the immunization, it said that there were about 3000 entries that were not protected against, although I re-did the immunization after the last update.

Removing spybot's / spyware blaster's immunization also seems to have cured spybot of all the detections, other than the guardian monitor fp that others have reported, which was still found.

I have no idea if it's relevant or not, but spybot disappears when scanning the zlob videoactiveX object.( 63889 )

EDIT- I wish I could edit these posts.

Zenobia
2007-05-01, 14:52
Undoing Spybot's immunization may have removed all the 'invalid Dword value' ones in the registry; now you could reimmunize to see if Spybot's immunization adds them back in properly, with a dword value of 4.

I know there are no weird happenings on your computer, but it's odd Spybot is disappearing on you. If you feel you may be infected, you could ask for help in the malware removal forum (your call).

The Instructions are here:
http://forums.spybot.info/showthread.php?t=288

Malware Removal:
http://forums.spybot.info/forumdisplay.php?f=22

Argus
2007-05-02, 04:03
Hi Zenobia,
Now that I've got rid of those false detections in spybot and adaware, plus SAS and AVG AS showing me as clean, I'm pretty convinced that my problem is actually the same as This (http://forums.spybot.info/showthread.php?t=13347) with the guardian monitor fp thrown in.

It was all the detections that I was getting that made me think it was malware related.
Thanks for your help and advice :)

Argus
2007-05-02, 11:50
AHA! I think I may have worked out how all the immunization entries got corrupted...
I have recently installed BOClean, which has an option to reset security zones when it detects a trojan. I tested it against leaktest.exe, which may explain how they all got corrupted.

If that's the case, I feel kinda stupid for not thinking of it earlier. :oops: