
Thread: Zhelatin

  1. #1
    Member
    Join Date
    Feb 2006
    Posts
    94

    Angry Zhelatin

    Spybot has just found Win32.Zhelatin.k on my computer. I have my browsers set to protect me from unwanted cookies and downloads, so why would I get this? Can you help?
    Last edited by tashi; 2007-06-20 at 23:31. Reason: Moved from the General Security Alerts forum

  2. #2
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,483

    Default

    It might be helpful if you showed the short log, so that someone could have a look at it.
    Produce a short log (showing items flagged)
    1. Open SpyBot.
    2. Check for problems.
    3. When finished, right click and choose copy results (not the full report) to clipboard and post that into topic.

  3. #3
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default Second scan

    I've since found a couple of holes in my browser privacy which I've now patched up. I ran Spybot again, and this time the trojan didn't come up - I had done the "fix" when it first appeared. So if this happens again I'll try collecting the results as you suggested, Zenobia. Thanks!

    P.S. Is there something significant about "Produce a short log (showing items flagged)?" Should I find that somewhere when I get notification of a possible threat?
    Last edited by Benzmum; 2007-06-21 at 05:03.

  4. #4
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,483

    Default

    That was so that what Spybot was finding could be posted on here, so it could be seen on this forum. It's basically what you see after a scan if you click the + signs, in text form. It's sometimes helpful to see. In your case, where you seemed surprised that Spybot detected something, I wanted to see if I could find out if it might be a false positive or something.

    This is Sophos' description of W32/Dref-Y, aka Email-Worm.Win32.Zhelatin.k.
    http://www.sophos.com/security/analyses/w32drefy.html

    How is your computer, since Spybot fixed it? Everything seem okay? Was your computer acting funny before Spybot detected that?

  5. #5
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default False positive?

    Hi Zenobia. My computer's been behaving fine lately, thanks. (The last time it was acting up I was using a spyware/antivirus package that was constantly running around my computer and slowing things down enormously. That was Shaw Secure, a derivative I gather of FSecure. I removed it and everything speeded up enormously.)

    I was reading today that Windows Defender is supposed to "protect" against spyware. In fact, I do a Windows Defender scan once a week and it never finds ANYTHING; whereas AdAware, Spybot & AVG do find things on occasion. I really wonder if Windows Defender does anything at all.

    I'll keep notes on what you've said for next time Spybot detects something, and I'll see what comes up then. Thanks again for your help.

  6. #6
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,483

    Default

    Okay, that's good to hear. I thought I'd fish around a little and see how things were with your computer, where the description of Zhelatin.k says it drops more malware.

    I see your title says "False Positive?", so in case you're unsure what that term means, I thought I'd put this link on for you. It can also apply to an antispyware app:
    http://www.viruslist.com/en/glossary?glossid=153654932
    Last edited by Zenobia; 2007-06-22 at 09:05.

  7. #7
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default Computer state

    Thanks for that link describing false positives. Obviously, it doesn't apply to something like Zhelatin.k being identified. Today I had some slow-downs on my system and I made a point of checking my task manager. But all the CPU was being used up by legit software, and the main culprit was Microsoft processes. So I think I'm ok. Will keep my eyes open, though. And there's nothing like disabling cookies except for only those highly trusted sites, huh?

  8. #8
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default Zhelatin.k again

    Hi Zenobia. I just did a Spybot scan, and the trojan Win32.Zhelatin.k came up again, along with something about a windows firewall bypass. Here's the short log you asked me to copy:

    Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

    Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

    Win32.Zhelatin.k: Settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-3293823761-4021508746-2703944788-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\*\greeting card.exe


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2007-06-05 spybotsd14.exe (0.0.0.0)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2007-06-05 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-05-23 advcheck.dll (1.5.3.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-06-20 Includes\Cookies.sbi (*)
    2007-05-30 Includes\Dialer.sbi (*)
    2007-06-20 Includes\DialerC.sbi (*)
    2007-06-20 Includes\Hijackers.sbi (*)
    2007-06-20 Includes\HijackersC.sbi (*)
    2007-06-20 Includes\Keyloggers.sbi (*)
    2007-06-20 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-06-20 Includes\Malware.sbi (*)
    2007-06-20 Includes\MalwareC.sbi (*)
    2007-03-21 Includes\PUPS.sbi (*)
    2007-06-20 Includes\PUPSC.sbi (*)
    2007-06-20 Includes\Revision.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-06-20 Includes\SecurityC.sbi (*)
    2007-06-20 Includes\Spybots.sbi (*)
    2007-06-20 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2007-06-20 Includes\Trojans.sbi (*)
    2007-06-20 Includes\TrojansC.sbi (*)
    2007-06-06 Plugins\TCPIPAddress.dll

    Can you figure out what's going on?

    Also, when I first opened Spybot today, I got that "weird popup" that people were talking about in February, that led to PepiMK's website.
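
The short log in the post above pairs a header line (detection name, category, item type, action taken) with the location of the flagged item. As an added example that is not part of the original thread and not Spybot's own code, this Python sketch parses that layout and shows what kind of item each entry points at; the `NOTES` table and the function name are assumptions made for illustration.

```python
import re

# Two entries and the banner, copied from the short log in the post above.
SHORT_LOG = r"""
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

Win32.Zhelatin.k: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-3293823761-4021508746-2703944788-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\*\greeting card.exe

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
"""

# "<detection>: <category> (<item type>, <action taken>)"
HEADER = re.compile(r"^(?P<name>\S+): (?P<category>[^(]+) "
                    r"\((?P<kind>[^,]+), (?P<action>[^)]+)\)$")

# Triage notes added for this example (not Spybot output), keyed on key path.
NOTES = [
    ("\\MUICache\\", "shell display-name cache: trace that a program was run"),
    ("\\AuthorizedApplications\\List\\", "Windows Firewall exception entry"),
]

def parse_short_log(text):
    """Return one dict per flagged item; stop at the version banner."""
    lines = [ln.strip() for ln in text.splitlines()]
    items = []
    for i, line in enumerate(lines[:-1]):
        if line.startswith("--- Spybot"):
            break  # file and definition listing follows, no detections
        m = HEADER.match(line)
        if not m or not lines[i + 1]:
            continue
        item = dict(m.groupdict(), location=lines[i + 1],
                    note="unclassified", target=None)
        for frag, note in NOTES:
            pos = item["location"].lower().find(frag.lower())
            if pos != -1:
                item["note"] = note
                item["target"] = item["location"][pos + len(frag):]
                break
        items.append(item)
    return items

if __name__ == "__main__":
    for it in parse_short_log(SHORT_LOG):
        print(f'{it["name"]} [{it["kind"]}, {it["action"]}]')
        print(f'  {it["note"]} -> {it["target"]}')
```

Both flagged items are registry values rather than files on disk, which is why a follow-up file scan is still needed to tell whether the executable named in the value is present.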

  9. #9
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hi there Benzmum.

    I see greeting card.exe in the log, please run an on-line anti virus scan.

    • eTrust Antivirus Web Scanner Requires Internet Explorer. (If prompted on that page, allow ActiveX and the install of software - this is needed to scan your system)
      It may take a while to download the updates needed, and then you will be presented with a screen to scan your system.
    Do not be concerned if the scanner "finds" things it says it cannot fix.

    Let us know how it goes, and save the log in case we need to move you to the malware removal forum.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  10. #10
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default card.exe

    Thanks, Tashi. I have a slow connection so I'll wait till tomorrow morning before I do the online scan - takes hours, and my computer's right next to my bed!
