View Full Version : trojan.win32.dialer.hc
Arctic Wolf
2005-11-07, 18:38
Hi,
I'm new here but maybe someone can help me. When I boot my PC I inevitably get a Spy Sweeper alert that svchost.exe is trying to reset my security settings to allow a website called sgrunt.biz to be accessed. (This appears to be a malicious website.)
Spy Sweeper shuts down the action and recommends a sweep of my system. The sweep does not reveal anything. At roughly the same time my AOL Spyware tells me it has found and blocked trojan.win32.dialer.hc, and I go into the blocked items area of the program and remove it. (I do not actually believe it is removed.)
I run Spybot, Lavasoft Ad-Aware, AOL Spyware, Webroot Spy Sweeper, McAfee Antivirus, McAfee Firewall, and CWShredder. All applications find rogue crapola on my system regularly except McAfee. COOLWEBSEARCH seems to be prevalent and may be related to the trojan. Every time I update definitions a new version of COOLWEBSEARCH is found. (Again, I suspect that CWS is not really removed by the anti-spyware programs I have, or has a way of restarting itself at the next boot up.)
I also cannot use the right mouse button in Windows Explorer anymore. If I right-click an item in Windows Explorer, then Explorer shuts down momentarily and the Dr. Watson Postmortem Debugger sometimes pops up; when it does, it will not close properly. I go to the Task Manager. Two files called Drwatsn.exe are present and both must be closed to shut down the debugger program.
On a final note, I have found a hidden folder called JITI in my AOL folder with the program Jiti_mm.exe. This program is unfamiliar to me and its creation date of May 2005 is suspicious, although not necessarily impossible. (AOL updates itself regularly with new features.)
Someone please help or provide advice.
Thank you
Hello Arctic Wolf. :)
If here:
c:\program files\america online 9.0\jiti\jiti_mm.exe <-- apparently belongs to AOL.
Of interest re: sgrunt.biz
http://www.wilderssecurity.com/showthread.php?p=600503
We should look at a log; please make sure you have Spybot-S&D version 1.4
Uninstalling Previous Spybot-S&D (http://www.safer-networking.org/en/faq/27.html)
Spybot-S&D Version 1.4 Download (http://www.spybot.info/en/download/index.html)
Tutorial (http://www.spybot.info/en/tutorial/index.html)
Then:
Open Spybot, check for and get any updates available, close all browsers, check for problems and fix everything found. Then on the toolbar menu select Mode and switch to Advanced mode; on the left, lower down, select Tools, then View report, and ensure all the options near the bottom are selected except these three, which stay unchecked:
Uncheck [ ] Do not report disabled or known legitimate items.
Uncheck [ ] Include a list of services in report.
Uncheck [ ] Include uninstall list in report.
Attach or copy paste the log into this topic. :)
Make sure you update the program after installing and before scanning. (If you receive a Bad Checksum Error please try another download mirror.)
Cheers.
Arctic Wolf
2005-11-08, 02:50
Coincidentally, while reading your reply, tashi, I got the Spy Sweeper and AOL Spyware messages again.
This is the shortened Spy Sweeper security message:
IE Security Shield found C:|Program Files\Common Files\AOL\AOLSERVICEHOST.EXE
The full message in the alert only lasts for a little while but basically says that aolservicehost.exe tried to reset the security settings to allow SGrunt.biz to be placed in my safe zone.
Again, about 12 seconds after the Spy Sweeper alert I get the trojan alert from AOL Spyware warning me that trojan.win32.dialer.hc has been blocked.
I looked at the link you gave me and realized I had already found that info, which did not seem to make any sense to me. Another link at Geeks to Go (http://www.geekstogo.com/forum/index.php?act=ST&f=37&t=76123) seems to indicate an identical problem to mine. I do not have the knowledge base to grasp the answer given, but it seems to indicate a larger problem.
I will initiate the steps you suggest and post the results.
Should I perhaps be doing the scans in safe mode?
Arctic Wolf
2005-11-08, 03:14
Here is the log report requested:
--- Search result list ---
Congratulations!: No immediate threats were found. ()
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-11-06 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-11-04 Includes\Cookies.sbi (*)
2005-11-04 Includes\Dialer.sbi (*)
2005-11-04 Includes\Hijackers.sbi (*)
2005-11-04 Includes\Keyloggers.sbi (*)
2005-11-04 Includes\Malware.sbi (*)
2005-11-04 Includes\PUPS.sbi (*)
2005-11-04 Includes\Revision.sbi (*)
2005-11-04 Includes\Security.sbi (*)
2005-11-04 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-11-04 Includes\Trojans.sbi (*)
--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB887797
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Hotfix for Windows XP (KB896344)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Update for Windows XP (KB900930)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221
Arctic Wolf
2005-11-08, 03:16
--- Startup entries list ---
Located: HK_LM:Run, Alcmtr
command: ALCMTR.EXE
file: C:\WINDOWS\ALCMTR.EXE
size: 69632
MD5: 8b4cbba1ea526830c7f97e7822e2493a
Located: HK_LM:Run, AlcWzrd
command: ALCWZRD.EXE
file: C:\WINDOWS\ALCWZRD.EXE
size: 2807808
MD5: 057c8f39c09f60216c452eed19ad3cb2
Located: HK_LM:Run, AOL Spyware Protection
command: "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
file: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
size: 79448
MD5: 217697c43bff8d740cfbb9ad87621519
Located: HK_LM:Run, AOLDialer
command: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
file: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
size: 34904
MD5: 25d2aa5a7ca01db369a39149a1ab2f30
Located: HK_LM:Run, CARPService
command: carpserv.exe
file: C:\WINDOWS\system32\carpserv.exe
size: 4608
MD5: 9aaf44fdf3a5517066b286b80c4a149f
Located: HK_LM:Run, High Definition Audio Property Page Shortcut
command: HDAudPropShortcut.exe
file: C:\WINDOWS\system32\HDAudPropShortcut.exe
size: 61952
MD5: 3e7a11c1c4ebd2c3c52197238df4e14b
Located: HK_LM:Run, HostManager
command: C:\Program Files\Common Files\AOL\1107544306\ee\AOLHostManager.exe
file: C:\Program Files\Common Files\AOL\1107544306\ee\AOLHostManager.exe
size: 159832
MD5: f272c718d0a1608f04e66cad9af43d46
Located: HK_LM:Run, Imonitor
command: "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
file: C:\Program Files\McAfee\QuickClean\Plguni.exe
size: 98304
MD5: 3c246a878620c3393d17e92baae05afd
Located: HK_LM:Run, MCAgentExe
command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
file: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 278528
MD5: c9a041d6e5211ca48aeba3ac1987d837
Located: HK_LM:Run, MCUpdateExe
command: C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
file: C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
size: 180224
MD5: c7d0c96ad30cfafc37f621c75fad6252
Located: HK_LM:Run, MPFExe
command: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
file: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
size: 1380352
MD5: 40ea79a23fce6aa3976d0e6cd0a009d9
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff
Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff
Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 1519616
MD5: 60d44ef1cb5f41160e9d0a7e637cc8aa
Located: HK_LM:Run, RealTray
command: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
file:
Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 86016
MD5: e44cf0ab3dafb101971b6d7bc811bc51
Located: HK_LM:Run, SpySweeper
command: "C:\Program Files\Spyware\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
file: C:\Program Files\Spyware\Webroot\Spy Sweeper\SpySweeper.exe
size: 3296256
MD5: d56c4031c94f7dc9567b53d54d92d0d2
Located: HK_LM:Run, type32
command: "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
file: C:\Program Files\Microsoft IntelliType Pro\type32.exe
size: 172032
MD5: 05e10c2c3736e52fe33d16d2f9c73c04
Located: HK_LM:Run, VirusScan Online
command: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
file: c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
size: 163840
MD5: 3fe1e841ed8483f7a75a1e86f6fc2216
Located: HK_LM:Run, VSOCheckTask
command: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
file: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
size: 122880
MD5: 1330323afadf53f9fd1fd428fbaf8e2b
Located: HK_CU:Run, AOL Fast Start
command: "C:\Program Files\AOL 9.0\AOL.EXE" -b
file: C:\Program Files\AOL 9.0\AOL.EXE
size: 50776
MD5: 79c12b112b75a8a4c337857c5e99a219
Located: HK_CU:Run, McAfee.InstantUpdate.Monitor
command: "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
file: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
size: 122948
MD5: 4bfc3d39305984c6583a042628956d84
Located: HK_CU:Run, PopUpWasher
command: C:\Program Files\Spyware\Webroot\PopUpWasher\PopUpWasher.exe
file: C:\Program Files\Spyware\Webroot\PopUpWasher\PopUpWasher.exe
size: 396288
MD5: 9883bead2245253c1a8d76abffe0c134
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, WRNotifier
command: WRLogonNTF.dll
file: WRLogonNTF.dll
--- Browser helper object list ---
{4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} (Popup Killer)
BHO name:
CLSID name: Popup Killer
description: Pop-Up Washer, Pop-Up Washer
classification: Legitimate
known filename: PopUpWasher21.dll
info link: http://www.popup-killer.info/popup-washer/
info source: TonyKlein
Path: C:\WINDOWS\
Long name: PopUpWasher21.dll
Short name: POPUPW~1.DLL
Date (created): 21/10/2005 12:44:28 PM
Date (last access): 07/11/2005 5:22:00 PM
Date (last write): 08/09/2004 1:19:42 PM
Filesize: 126976
Attributes: archive
MD5: 9603AFC1041B5EDE8D88A016708B959F
CRC32: 1007037E
Version: 2.1.0.1
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 06/11/2005 2:00:00 PM
Date (last access): 07/11/2005 5:22:00 PM
Date (last write): 31/05/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0
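The startup entries above are the part of a Spybot report a helper reads first. The following is an added example, not code from this thread or from Spybot-S&D: a small parser for the record format shown in the log (Located / command / file / size / MD5 lines) that flags two things worth a manual look, entries whose "file:" line is empty (Spybot could not resolve the launched path, as with RealTray above) and binaries that appear under more than one autostart name. The sample input is constructed in the same format as the posted log and is assumed to follow it exactly.

```python
"""Triage helper for Spybot-S&D "Startup entries list" blocks (added example).

Parses the records Spybot prints (Located / command / file / size / MD5) and
flags entries a helper would look at first. The SAMPLE text below is a
constructed excerpt in the same layout as the posted log, not the full log.
"""
import re
from collections import defaultdict

# Constructed sample in Spybot's report format (assumption: the real report
# uses exactly this line layout, as the posted log shows).
SAMPLE = """\
--- Startup entries list ---
Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\\WINDOWS\\SOUNDMAN.EXE
size: 86016
MD5: e44cf0ab3dafb101971b6d7bc811bc51
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
file: C:\\WINDOWS\\system32\\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff
Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit
file: C:\\WINDOWS\\system32\\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff
Located: HK_LM:Run, RealTray
command: C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER
file:
Located: System.ini, WRNotifier
command: WRLogonNTF.dll
file: WRLogonNTF.dll
"""

LOCATED_RE = re.compile(r"^Located:\s*(?P<hive>[^,]+),\s*(?P<name>.*)$")


def parse_startup_entries(text):
    """Return one dict per 'Located:' record, with missing fields left empty."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCATED_RE.match(line)
        if m:
            current = {"hive": m.group("hive").strip(), "name": m.group("name").strip(),
                       "command": "", "file": "", "size": None, "md5": ""}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue  # section headers such as '--- Startup entries list ---'
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "size":
            current["size"] = int(value) if value.isdigit() else None
        elif key in ("command", "file", "md5"):
            current[key] = value.lower() if key == "md5" else value
    return entries


def unresolved_entries(entries):
    """Autostart names whose 'file:' line is empty: the launcher points at a
    path Spybot could not resolve, so the command deserves a manual look."""
    return [e["name"] for e in entries if not e["file"]]


def shared_binaries(entries):
    """Map each MD5 seen under more than one autostart name to those names.
    Two RUNDLL32.EXE entries sharing a hash is normal; the DLL named in the
    'command:' line is what actually differs between them."""
    by_md5 = defaultdict(list)
    for e in entries:
        if e["md5"]:
            by_md5[e["md5"]].append(e["name"])
    return {h: names for h, names in by_md5.items() if len(names) > 1}


def triage(text):
    """Summarise a startup-entries block for a quick first pass."""
    entries = parse_startup_entries(text)
    return {
        "count": len(entries),
        "unresolved": unresolved_entries(entries),
        "shared": shared_binaries(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on a saved report (or paste a block into SAMPLE) and work through the "unresolved" names first; the MD5 grouping is there so that repeated hashes are read as the same launcher rather than as separate suspicious binaries.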
Arctic Wolf
2005-11-08, 03:17
--- ActiveX list ---
{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 12/07/2005 5:04:22 PM
Date (last access): 07/11/2005 8:46:00 AM
Date (last write): 29/08/2005 12:27:12 PM
Filesize: 520968
Attributes: archive
MD5: 679088DD42AFB105A6DA3F5E876D69B6
CRC32: 80D21320
Version: 1.3.272.0
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class)
DPF name:
CLSID name: McAfee.com Operating System Class
Installer: C:\WINDOWS\Downloaded Program Files\mcinsctl.inf
Codebase: http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
description:
classification: Open for discussion
known filename: mcinsctl.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: mcinsctl.dll
Short name:
Date (created): 11/09/2005 3:27:22 PM
Date (last access): 07/11/2005 5:20:40 PM
Date (last write): 09/06/2004 5:24:10 PM
Filesize: 341088
Attributes: archive
MD5: 51C1F2F0034A18C9CB562F12CD392A30
CRC32: 904D5FFB
Version: 4.0.0.83
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129219796406
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 26/05/2005 3:19:32 AM
Date (last access): 07/11/2005 5:49:42 PM
Date (last write): 26/05/2005 3:19:32 AM
Filesize: 178408
Attributes: archive
MD5: EE37AA2C0700221CD8B02FADCD4C7FB5
CRC32: F5494B06
Version: 5.8.0.2469
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class)
DPF name:
CLSID name: DwnldGroupMgr Class
Installer: C:\WINDOWS\Downloaded Program Files\McGDMgr.inf
Codebase: http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
description:
classification: Open for discussion
known filename: McGDMgr.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: McGDMgr.dll
Short name:
Date (created): 11/09/2005 3:27:22 PM
Date (last access): 07/11/2005 5:20:40 PM
Date (last write): 14/06/2004 4:02:08 PM
Filesize: 279640
Attributes: archive
MD5: E8074DB73A77854CD588B08398BE4FC2
CRC32: C5AFD416
Version: 1.0.0.20
Arctic Wolf
2005-11-08, 03:18
--- Process list ---
PID: 0 ( 0) [System]
PID: 696 ( 4) \SystemRoot\System32\smss.exe
PID: 752 ( 696) \??\C:\WINDOWS\system32\csrss.exe
PID: 776 ( 696) \??\C:\WINDOWS\system32\winlogon.exe
PID: 820 ( 776) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 832 ( 776) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 976 ( 820) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1036 ( 820) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1076 ( 820) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1160 ( 820) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1176 ( 820) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1396 ( 820) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1568 (1520) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 1620 ( 820) C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
size: 100016
MD5: 7FB54900AA9792AB6307C699EC1859D4
PID: 1724 (1620) C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
size: 46768
MD5: CAF7C2FDDADF73A02AC84C6FB6030BBF
PID: 1732 ( 820) c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
size: 106496
MD5: B1E94B3ED8AF23AEBBC2CCFCCADBA104
PID: 1780 ( 820) C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
size: 503808
MD5: B4569B83EAC67EFF8CB136A7D756F0E4
PID: 1796 ( 820) C:\WINDOWS\system32\nvsvc32.exe
size: 131139
MD5: 0B24AB7CC5B7ED2AA7F438A4072459F4
PID: 1848 ( 820) C:\WINDOWS\System32\snmp.exe
size: 32768
MD5: D923BF27723E28E3C121B77F52DB4BCE
PID: 1964 ( 820) C:\Program Files\Spyware\Webroot\Spy Sweeper\WRSSSDK.exe
size: 2116096
MD5: 8DCB6BD13899E1629DA2FFDC054D396C
PID: 212 (1568) C:\WINDOWS\system32\carpserv.exe
size: 4608
MD5: 9AAF44FDF3A5517066B286B80C4A149F
PID: 224 (1568) C:\Program Files\Microsoft IntelliType Pro\type32.exe
size: 172032
MD5: 05E10C2C3736E52FE33D16D2F9C73C04
PID: 228 ( 820) C:\WINDOWS\system32\wdfmgr.exe
size: 38912
MD5: C81B8635DEE0D3EF5F64B3DD643023A5
PID: 240 (1568) C:\Program Files\Real\RealPlayer\RealPlay.exe
size: 26112
MD5: 849D97FE4CC09CFC2772D10F641E1BAF
PID: 408 ( 820) C:\WINDOWS\wanmpsvc.exe
size: 65536
MD5: ADBF8F672C871B606E94730BE4217B14
PID: 436 (1568) C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
size: 163840
MD5: 3FE1E841ED8483F7A75A1E86F6FC2216
PID: 528 ( 436) c:\progra~1\mcafee.com\vso\mcvsescn.exe
size: 417849
MD5: C87CCFAC151DA6D88F50608F2E3C8DC2
PID: 532 ( 436) c:\program files\mcafee.com\agent\mcagent.exe
size: 278528
MD5: C9A041D6E5211CA48AEBA3AC1987D837
PID: 604 (1568) C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
size: 1380352
MD5: 40EA79A23FCE6AA3976D0E6CD0A009D9
PID: 620 (1568) C:\WINDOWS\SOUNDMAN.EXE
size: 86016
MD5: E44CF0AB3DAFB101971B6D7BC811BC51
PID: 632 (1568) C:\WINDOWS\ALCWZRD.EXE
size: 2807808
MD5: 057C8F39C09F60216C452EED19AD3CB2
PID: 736 (1568) C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
size: 79448
MD5: 217697C43BFF8D740CFBB9AD87621519
PID: 796 (1568) C:\Program Files\Spyware\Webroot\Spy Sweeper\SpySweeper.exe
size: 3296256
MD5: D56C4031C94F7DC9567B53D54D92D0D2
PID: 880 (1568) C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 1104 (1568) C:\Program Files\McAfee\QuickClean\Plguni.exe
size: 98304
MD5: 3C246A878620C3393D17E92BAAE05AFD
PID: 1120 (1568) C:\Program Files\Spyware\Webroot\PopUpWasher\PopUpWasher.exe
size: 396288
MD5: 9883BEAD2245253C1A8D76ABFFE0C134
PID: 1148 (1568) C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
size: 122948
MD5: 4BFC3D39305984C6583A042628956D84
PID: 1320 ( 976) C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
size: 569344
MD5: 308E0DC5A1849F4529D8B6AB5871841F
PID: 2068 ( 636) c:\program files\common files\aol\1107544306\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
size: 1536
MD5: F04DD4A47D7672E8E0F861BD3EE12EFD
PID: 2216 ( 976) C:\WINDOWS\system32\wbem\wmiprvse.exe
size: 218112
MD5: 075EA6C849AB0FE416A3D6DD65C3CF41
PID: 2420 ( 820) c:\PROGRA~1\mcafee.com\vso\mcshield.exe
size: 225375
MD5: 97ADDEE4DC70929A8B482A7AE7842920
PID: 2652 ( 820) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 1864 (1568) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 3872 (1568) C:\Program Files\Windows NT\Accessories\wordpad.exe
size: 214528
MD5: F0543ACEEB5CD8821469958C9F3DD9A4
PID: 4072 (4004) C:\Program Files\Common Files\AOL\1107544306\ee\AOLHostManager.exe
size: 159832
MD5: F272C718D0A1608F04E66CAD9AF43D46
PID: 3892 (4072) C:\Program Files\Common Files\AOL\1107544306\ee\AOLServiceHost.exe
size: 151128
MD5: 44A2EDD53616FD034FFFB9CBC4193E8E
PID: 1112 (3892) C:\Program Files\Common Files\AOL\1107544306\ee\AOLServiceHost.exe
size: 151128
MD5: 44A2EDD53616FD034FFFB9CBC4193E8E
PID: 4 ( 0) System
Arctic Wolf
2005-11-08, 03:19
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 07/11/2005 6:04:00 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://home.microsoft.com/search/search.asp
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 6: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 7: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{EEF30111-2845-498A-AC84-12C1F44E10F8}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{EEF30111-2845-498A-AC84-12C1F44E10F8}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{40497661-2C46-4977-A8CA-D7F75D69C269}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{40497661-2C46-4977-A8CA-D7F75D69C269}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EEF30111-2845-498A-AC84-12C1F44E10F8}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EEF30111-2845-498A-AC84-12C1F44E10F8}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{86126D7A-97F3-47E7-B660-B21FE109268D}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{86126D7A-97F3-47E7-B660-B21FE109268D}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A81AA565-27CA-4DB6-95D6-4762DE8F98D0}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A81AA565-27CA-4DB6-95D6-4762DE8F98D0}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B5819D3A-BC61-4B76-816B-FD82E46CF7DB}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B5819D3A-BC61-4B76-816B-FD82E46CF7DB}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7A93AAA4-D005-49E1-984C-A47A4AD950C0}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7A93AAA4-D005-49E1-984C-A47A4AD950C0}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Arctic Wolf
2005-11-08, 03:20
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
size: 98304
MD5: 3C246A878620C3393D17E92BAAE05AFD
PID: 1120 (1568) C:\Program Files\Spyware\Webroot\PopUpWasher\PopUpWasher.exe
size: 396288
MD5: 9883BEAD2245253C1A8D76ABFFE0C134
PID: 1148 (1568) C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
size: 122948
MD5: 4BFC3D39305984C6583A042628956D84
PID: 1320 ( 976) C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
size: 569344
MD5: 308E0DC5A1849F4529D8B6AB5871841F
PID: 2068 ( 636) c:\program files\common files\aol\1107544306\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
size: 1536
MD5: F04DD4A47D7672E8E0F861BD3EE12EFD
PID: 2216 ( 976) C:\WINDOWS\system32\wbem\wmiprvse.exe
size: 218112
MD5: 075EA6C849AB0FE416A3D6DD65C3CF41
PID: 2420 ( 820) c:\PROGRA~1\mcafee.com\vso\mcshield.exe
size: 225375
MD5: 97ADDEE4DC70929A8B482A7AE7842920
PID: 2652 ( 820) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 1864 (1568) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 3872 (1568) C:\Program Files\Windows NT\Accessories\wordpad.exe
size: 214528
MD5: F0543ACEEB5CD8821469958C9F3DD9A4
PID: 4072 (4004) C:\Program Files\Common Files\AOL\1107544306\ee\AOLHostManager.exe
size: 159832
MD5: F272C718D0A1608F04E66CAD9AF43D46
PID: 3892 (4072) C:\Program Files\Common Files\AOL\1107544306\ee\AOLServiceHost.exe
size: 151128
MD5: 44A2EDD53616FD034FFFB9CBC4193E8E
PID: 1112 (3892) C:\Program Files\Common Files\AOL\1107544306\ee\AOLServiceHost.exe
size: 151128
MD5: 44A2EDD53616FD034FFFB9CBC4193E8E
PID: 4 ( 0) System
Arctic Wolf
2005-11-08, 03:21
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 07/11/2005 6:04:00 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://home.microsoft.com/search/search.asp
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Arctic Wolf
2005-11-08, 22:52
Hopefully I cut and pasted the report properly. Unfortunately the posts must be 10000 characters long but the report was much longer.
Here is some new information. The AOLspyware now generates blockages of the Trojan more often, not just after I boot up the PC. It seems to be trying more persistently to change my settings. Also now when I go online (with AOL) I get a message from AOL saying the form I requested is not available. This has happened the last three times I have gone online. I get the message as soon as I connect properly. (I am not to my knowledge requesting any forms from AOL)
:confused:
LonnyRJones
2005-11-09, 03:15
Hi Arctic Wolf
Your logs look fine
The full message in the alert only lasts for a little while but basically says that aolservicehost.exe tried to reset the securities settings to allow for SGrunt.biz to be placed in my safe zone.
Again about 12 seconds after the spysweeper alert I get the Trojan alert from AOLspyware warning me that the trojan.win32.dialer.hc has been blocked.
It's best to only have one resident-type antispyware program running;
same goes for antivirus program shields.
I suggest turning off AOL's protections and relying on Spysweeper or Spybot's Resident > TeaTimer.
Resident programs often get confused about what other security programs are adding to the restricted zones and often think it's being added to trusted instead, a common problem.
Regards
Arctic Wolf
2005-11-09, 05:29
I will reluctantly turn off AOLspyware (After I figure out how to do that) but I must admit that I have had very good luck with it. AOL updates their spyware almost daily and I have been impressed with it. But since I am requesting your help it seems obvious to me to trust your expertise and leave SPYSWEEPER as the resident program.
I strongly believe that something malicious is in my system for two reasons.
1) While I am online I experience problems with the right-click feature of my mouse. I download lots of photographs from various astronomical sites (Hubble Telescope shots are the best); however, after about 50 right-clicks on about 50 different photos I experience a freezing up of my system, usually followed by a message saying I am out of memory. I changed from serial to USB mouse to USB optical mouse with no change in this behaviour. Something is eating away at my memory when I right-click my mouse. (This problem has plagued me since I bought this system a few months ago and I suspect it to be some sort of malware I picked up on the initial install.)
2) More recently I have experienced a ton of problems with Windows Explorer crashing when I try to right-click a file.
As a test I went into safe mode, and while in safe mode the Windows Explorer problem goes away, so I deduce that something that loads in the initial start-up is to blame rather than a corrupt Windows Explorer.
Don't know if that helps or not but I shall figure out how to disable AOLspyware and report back.
Arctic Wolf
2005-11-09, 06:57
Hi Guys
Bad News and maybe Good News:
First the Bad News:
I disabled AOLspyware and ran into some very unexpected problems. First off I didn't want to eliminate AOLspyware, just shut off the resident scanning. So I did and then restarted my computer. To be sure I did it right I opened AOLspyware and indeed it said it was turned off. I wanted to check if I could still run manual scans so I did. Wham! SPYSWEEPER goes crazy and gives me that message I have come to hate. Ok... Spysweeper thinks AOLspyware is a problem and we do have a cross-connectivity problem between the scanners. I turn off the AOL scan. Wham! I get an AOL notification about that nasty Trojan Win32.Dialer.hc. Now this is odd. AOLspyware was doing a manual scan (which I turned off) but the notification comes from the resident scanner which should also be off. Hmmm! Then I investigate by trying to load SPYBOT. Spybot won't load???
I try Lavasoft Adaware. It won't load???? I try Quake II. (This may seem crazy but I'm trying to determine whether anything will load.) Quake II loads fine. I kill the final boss again and shut off Quake II.
Okay, maybe something is screwed up that has nothing to do with what I just did, so I try to shut down the computer. It will not shut down. The menu appears but my cursor does the timeout thing for a sec and then the screen goes back to Windows XP. Now I am a little panicked as I suspect that by turning off AOLspyware I turned off the only program that actually said it blocked the trojan and maybe I have unwittingly unleashed all manner of horrors upon my machine, so I do a forced shutdown. After 30 seconds I start up again. Now I decide that I should perhaps test if my anti-spyware programs work. I turn on AOLspyware. Nope, doesn't work. SPYBOT....Nope. Lavasoft....Uh Uh. Quake II.....still okay. Okay, I'm really in trouble, right? Maybe not. I force a shutdown again and restart. Using McAfee Cleansweep I uninstall AOLspyware completely. Shut down and restart.
Now Spybot works. Lavasoft works and Quake II works. Okay, Quake II always worked but just to be consistent I tried it anyway. Now for the really startling news...
AOLSPYWARE is still resident on my computer!!??
In my icon tray at the bottom of my screen the AOL icon still lists AOL spyware and when I click it, voila, up pops the AOLspyware screen. Now my suspicions are starting to zero in upon an apparent truth. I HAVE HAD TWO DIFFERENT VERSIONS OF AOL SPYWARE ON MY SYSTEM. I stress the term DIFFERENT!?
I suspect that when AOL upgraded their spyware from the beta version to the regular version the beta version did not get uninstalled properly. I should have seen this long ago as the two menus are different. The update file is outdated. I remember now thinking it odd that I got a different menu if I launched the program from the icon tray than when I launched it from the start menu. I also remember that my laptop has the same oddity and so does my business computer. All of my systems with AOLspyware have the two versions running simultaneously!
So now the Maybe Good news:
The Trojan Dialer does indeed appear to be a cross-connected foul-up causing a false positive on both antispyware systems. But this is only maybe good news because now I don't know what is causing my problems with my Windows Explorer and the right-click of my mouse. Oh yeah, and also why do I now get a "The form you requested is not available" message from AOL whenever I start it up???
If you have any suggested answers here let me know.
Arctic Wolf
2005-11-09, 06:59
How do I get rid of AOL spyware beta?? It doesn't show up in any menu and does not appear to have an uninstall feature. (I did let it run a scan and it claims I have COOLWWWSEARCH on my system again. Spybot and Adaware say that it's not there)
LonnyRJones
2005-11-09, 07:21
Hang tight and someone familiar with AOL and its programs will chip in hopefully
I just installed Spybot myself and right away I got the trojan win32 dialer notice from AOL spyware also. I thought about it and decided I didn't need multiple spywares; I had run into a problem with that before. I am going to try out Spybot, it seems a lot more advanced than AOL's. So to remove or uninstall it, try going to Add/Remove Programs and then click remove AOL uninstaller and it will give you the option to remove the AOL spyware. You can try that and see if it works
I actually had a similar problem.
AOL Spyware Protection blocked the Trojan.Win32.Dialer.hc
and I've actually run Housecall (Trend Micro) and it didn't find anything. And the problem with AOL Spyware Protection is it doesn't give you an exact location of the virus or whatever that is on your computer supposedly.
I definitely want to avoid formatting my computer at all costs, because I just formatted my computer in the beginning of this month (November) and it was a pain in the arse to do and I had to be instructed on how to install my drivers right. I had to go through Dell Help Desk because I didn't install my drivers right and the monitor wouldn't work right, so I had to cough up 100 dollars for them to help me since Dell Help Desk isn't under the warranty type thing. It was a major pain in the ass to do.
I even googled this virus or whatever it is and that's how I found out about this forum. I do have Spybot.
So...is there a way of removing this? (I've been reading through this post.)
Are we sure this isn't a False-Positive?
LonnyRJones
2005-11-27, 07:58
"Are we sure this isn't a False-Positive?"
Hi, Welcome to the forum
I believe it is a false positive, AOL uses parts of Pest Patrol's program,
it is well known for false positives.
Hey thanks for welcoming me.
Yeah, I didn't want to panic over a trojan if it was actually a false positive.
Last time I panicked over a false positive I, well, like I said above... I formatted my computer, then messed up my monitor by not installing my drivers correctly and... then I had to pay Dell Help Desk 100 dollars for their help.:/
Arctic Wolf
2005-12-08, 04:56
Still cannot remove all the remnants of AOL Spyware. Have used the Add/Remove Programs feature of WinXP and it says AOL spyware is gone, but I still get the spysweeper notification occasionally and AOL says its spyware is partially active.
Any help removing AOL spyware would be appreciated as I cannot find the active file anywhere on my system.
LonnyRJones
2005-12-08, 05:36
Hi
Is it possible to contact AOL support and get more info ?
Arctic Wolf
2005-12-08, 07:39
I have tried and they maintain that no duplicate installation is possible and simply using the program's uninstall feature will do the trick. I suspect I may have to do a complete uninstall of AOL and then a reinstall.
It's really weird, I cannot find any folders or executables for AOL spyware yet AOL maintains in its dialup box that I have partial coverage. Today I got a message saying that AOL had quarantined Atomic2 1.1 and com.com, whatever they are.
I did a bit of research on this when Arctic Wolf originally posted and mentioned the Beta version of the AOL Spyware Protection. Unfortunately, it appears that AOL dumped the original program that was being written for them when it had too many issues and switched to including a re-branded existing program (Pest Patrol?, I believe Lonny mentioned) in its place.
The problem is that those who had installed the original Beta probably simply installed the new program over the old, leaving remnants of the Beta on the PC. Since the two programs were probably totally different, it's likely the old program remained at least to some extent as you discovered. Probably the Beta should have been uninstalled before installing the final released version.
Since the original program never went past Beta stage, most of AOL support is probably unaware that it even existed. Even if they are, they may not acknowledge its existence since it was never officially released or supported.
This means those who tried it may be left in exactly your situation. Other than removing the old program remnants by hand, which would be extremely difficult without original installation info, a complete PC reformat and re-install is probably the only way to truly clean it out. I could find nothing on the Web describing the original Beta other than that it existed, though it's possible there may be information on the AOL web sites that only members can access.
In either case, only AOL users are likely to have this info since virtually no one else would have ever had access to the original Beta. Since most AOL users are non-technical, it's not likely anyone ever analyzed the Beta, so only AOL itself could probably provide it. This is why Beta software has warnings, since exactly such situations can occur, though they're pretty rare these days.
I didn't pipe up before because I thought you'd gone to talk to AOL and would get an answer there, but since that hasn't worked I thought I'd mention it now. I don't remember where I found this info, but I believe it was some sort of article about the Beta.
This is interesting, I just found it while trying to find the original article.
http://www.spywaredata.com/spyware/spyware-adware-about.php
What's most interesting about it is this paragraph from a different article on another site.
AOL on Tuesday introduced its own version of anti-spyware protection from Aluria Software. The new feature for AOL's nearly 25 million subscribers will be available when the Dulles, Va.-based online giant debuts AOL 9.0 in the "next few weeks."
http://www.internetnews.com/xSP/article.php/3296851
Since it appears the same person developed both products, they were probably close, but not quite the same. Unless the Aluria product was the original Beta and AOL later replaced it with Pest Patrol, which I thought was the basis of the current version myself.
Either way, your issue is the same. Without information or an uninstaller for the earlier version, a complete re-install of the OS after a format is probably the only way to completely remove it.
I'm also seeing Win32.Trojan.Dialer.hc come up with Zone alarm anti-spyware.
It's deleting a registry entry.
Upon installing Spybot, I have no error.....When I update Spybot, is when it comes in.
Are you sure it's a false positive?
I have always used the two together with no problem before.
md usa spybot fan
2006-03-22, 19:49
miadlor:
What is the actual detection you are getting and what is the registry entry that is being deleted?
I'm checking now...........small experiment.............
Ok........
It's coming from the update: Detection Rules dated 2006(3-19)
Registry value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\archiviosex.net
is being deleted.
md usa spybot fan
2006-03-22, 20:16
During immunization Spybot adds the following registry entry to place archiviosex.net into Internet Explorer's restricted sites zone.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\archiviosex.net]
*=dword:00000004
If you go into Spybot > Immunize you will probably get a warning that you are missing an item.
No warning message of missing item.
Question?.......the deleted registry entry ended at .......... archivio.net
what's the extra
Are you sure of this or speculating? (no offense)
Actually "Immunizing" reinstalls the "Win32.Trojan.Dialer.hz".
md usa spybot fan
2006-03-22, 20:49
The "*=dword:00000004" is the code to place something into Internet Explorer's restricted sites zone.
Reference:
Microsoft Knowledge Base Article – 182569
Description of Internet Explorer security zones registry entries
http://support.microsoft.com/default.aspx?kbid=182569
Internet Explorer 4.0 and later
Internet Explorer security zones settings are stored under the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
These registry keys contain the following keys:
• TemplatePolicies
• ZoneMap
• Zones
....
ZoneMap
The ZoneMap key contains the following keys:
• Domains
• ProtocolDefaults
• Ranges
....
Zones
The Zones key contains keys that represent each security zone that is defined for the computer. By default, the following five zones are defined (numbered zero through four):
Value  Setting
------------------------------
0      My Computer
1      Local Intranet Zone
2      Trusted sites Zone
3      Internet Zone
4      Restricted Sites Zone
No BS nor speculation.
Try the following:
Go into Spybot > Immunize > click the "Check again" button and see if you get a warning.
Even if not, click the "Immunize" button (big green plus sign) at the top of the right pane to immunize again. Then run another ZoneAlarm Anti-Spyware scan and see if the Win32.Trojan.Dialer.hc detection returns.
Added with edit:
ps: I see that you already tried to re-immunize while I was typing.
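An added example (not code from this thread, Spybot or ZoneAlarm) of the check a person could run instead of trusting either scanner's verdict: it parses a regedit/`reg export` dump of the ZoneMap\Domains keys quoted above and separates restricted-zone entries, which is what Spybot's immunization writes for archiviosex.net, from domains mapped into the Trusted or Local Intranet zones, the kind of change the earlier Spy Sweeper alert about sgrunt.biz was warning about. The sample export is constructed; the sgrunt.biz and www.example.com mappings in it are hypothetical.

```python
"""Classify Internet Explorer ZoneMap\\Domains entries from a .reg export.

Added example, not code from this thread or from Spybot/ZoneAlarm. It reads
an export made with regedit or `reg export` (so it runs offline) and tells
restricted-zone entries, which is what Spybot's immunization writes, apart
from domains mapped into the Trusted or Local Intranet zones.
"""
import re

# Zone numbers as listed in Microsoft KB 182569 (quoted earlier in the thread).
ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet Zone",
    2: "Trusted sites Zone",
    3: "Internet Zone",
    4: "Restricted Sites Zone",
}

# Zones where an unexpected domain lowers IE's security for that site.
SUSPICIOUS_ZONES = (1, 2)

DOMAINS_MARKER = "\\ZoneMap\\Domains\\"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Value name may be quoted ("*", "http"), the default "@", or bare (*=dword:...)
# as it was pasted in this thread; the data must be a REG_DWORD.
_VALUE_RE = re.compile(
    r'^(?P<name>"[^"]*"|@|[^=\s]+)\s*=\s*dword:(?P<hex>[0-9a-fA-F]{8})$'
)


def parse_zonemap(reg_text):
    """Return (hive, host, protocol, zone) for every value stored under a
    ...\\ZoneMap\\Domains\\ key in the export; other keys are ignored."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match or current_key is None:
            continue
        idx = current_key.lower().find(DOMAINS_MARKER.lower())
        if idx < 0:
            continue
        hive = current_key.split("\\", 1)[0]
        # Below Domains\ the host is stored tail-first: www.example.com lives
        # at Domains\example.com\www, so reverse the remaining path parts.
        parts = current_key[idx + len(DOMAINS_MARKER):].split("\\")
        host = ".".join(reversed(parts))
        name = value_match.group("name").strip('"')
        protocol = "*" if name in ("", "@") else name
        zone = int(value_match.group("hex"), 16)
        entries.append((hive, host, protocol, zone))
    return entries


def classify(entries):
    """Split entries into immunization-style restricted hosts and
    (host, protocol, zone name) tuples for hosts placed in a trusting zone.
    Zones 0 and 3 are neither, so they are left out of both lists."""
    restricted, suspicious = [], []
    for _hive, host, protocol, zone in entries:
        if zone == 4:
            restricted.append(host)
        elif zone in SUSPICIOUS_ZONES:
            suspicious.append((host, protocol, ZONE_NAMES[zone]))
    return restricted, suspicious


# Constructed sample export. archiviosex.net mirrors the Spybot immunization
# entry quoted in the thread; the sgrunt.biz and www.example.com mappings are
# hypothetical and stand for the kind of change a resident scanner should flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\archiviosex.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sgrunt.biz]
"http"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"https"=dword:00000001
"""


def report(reg_text=SAMPLE_REG):
    """Human-readable summary; returned rather than printed so it can be tested."""
    restricted, suspicious = classify(parse_zonemap(reg_text))
    lines = ["restricted (immunization-style): "
             + (", ".join(sorted(restricted)) or "none")]
    for host, protocol, zone_name in suspicious:
        lines.append(f"SUSPICIOUS: {host} [{protocol}] mapped to {zone_name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```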
md usa spybot fan
2006-03-22, 21:07
miadlor:
Prove it to yourself:
Go into Internet Explorer > Tools > Internet options... > "Security" tab > click the "Restricted sites" button > then the "Sites" button > the Web sites listings will show what sites are in the restricted zone.
Look for the following both before and after immunizing with Spybot and removing the entry with ZoneAlarm (note the entries are in alphabetical order by the second and third nodes of the name):
*.archiviosex.net
Exactly what you said!
So Zone Alarm is in error.....because it's not coming up with all the others as infections.
md usa spybot fan
2006-03-22, 22:39
miadlor:
Since you seem convinced, maybe you could do yourself and other users of ZoneAlarm Anti-Spyware a favor and report the false positive in the Zone Labs User Forum:
http://forum.zonelabs.org/zonelabs
Here:
ZoneAlarm Antivirus/Anti-Spyware
http://forum.zonelabs.org/zonelabs/board?board.id=Antivirus
Perhaps they will recognize their error and correct the problem.
Made a post on Zone's site.
All set...............
http://forum.zonelabs.org/zonelabs/board/message?board.id=Antivirus&message.id=10436