
Thread: My MS IE v6.0 browser has been hijacked

  1. #11
    Rhonda Lea Kirk Fries Guest

    Re: My MS IE v6.0 browser has been hijacked

    Kayman wrote:
    > On Sat, 22 Nov 2008 11:23:53 -0500, PA Bear [MS MVP] wrote:
    >
    >> Kayman wrote:
    >>>> Malwarebytes actually performs better in Normal Mode.
    >>>
    >>> Thanks, I'll keep that in mind!
    >>
    >> You have one? <wink>
    >
    > Definitely.


    If you want to be believed, you must immediately post a link to pictures
    of what's inside your skull.

    <ducks and runs>

    --
    Rhonda Lea Kirk Fries

    "You know you can indict a ham sandwich if you want to."
    William J. Martini, Judge, United States District Court



  2. #12
    Kayman Guest

    Re: My MS IE v6.0 browser has been hijacked

    On Sun, 23 Nov 2008 02:05:03 -0600, Rhonda Lea Kirk Fries wrote:

    > Kayman wrote:
    >> On Sat, 22 Nov 2008 11:23:53 -0500, PA Bear [MS MVP] wrote:
    >>
    >>> Kayman wrote:
    >>>>> Malwarebytes actually performs better in Normal Mode.
    >>>>
    >>>> Thanks, I'll keep that in mind!
    >>>
    >>> You have one? <wink>
    >>
    >> Definitely.
    >
    > If you want to be believed, you must immediately post a link to pictures
    > of what's inside your skull.


    Boasting is not my thing (refer to my signature :-))

  3. #13
    browserquestions@yahoo.com Guest

    Re: My MS IE v6.0 browser has been hijacked

    On Nov 19, 11:58 pm, Kayman <kaymanDeleteT...@operamail.com> wrote:
    > On Wed, 19 Nov 2008 20:18:51 -0800 (PST), browserquesti...@yahoo.com wrote:
    > > When I visit www.bankofamerica.com, there is an additional field
    > > "Enter ATM card number:"
    > > When I visit www.wellsfargo.com, there is an additional field for "ATM
    > > PIN"
    > >
    > > These fields don't appear when I use Mozilla Firefox v3.0
    > >
    > > I've reported the problem to the respective banks.
    > >
    > > Ad-Aware (free), Spybot and Windows Defender don't detect this hijack
    > >
    > > Can someone here help me identify who/what hijacked my IE 6 browser,
    > > and how I can find out which illegal IP address these 2 fields are
    > > being transmitted to?
    >
    > 1. Clear the (IE) temporary Internet files and the history cache.
    > Click Start==>Run... then type (or copy/paste) "inetcpl.cpl" (w/out
    > quotation marks) into the box, then click the 'OK' button.
    > In Internet Properties panel 'General' tab, under 'Browsing history', click
    > 'Delete...' button, in 'Delete Browsing History' panel, click the 'Delete
    > all...' button then place a checkmark into the box beside 'Also delete files
    > and settings stored by add-ons', Click 'Yes' and exit the Internet
    > Properties panel by clicking the 'OK' button.
    >
    > 2. Clean HDD
    > Click Start==>Run... then type (or copy/paste) "cleanmgr" (w/out quotation
    > marks) into the box, then click the 'OK' button. Select your drive
    > (presumably WinXP (C:)) and click OK.
    >
    > 3. Download/execute:
    > Malwarebytes© Corporation - Anti-Malware
    > http://www.malwarebytes.org/mbam/program/mbam-setup.exe
    > --and--
    > SuperAntispyware - Free
    > http://www.superantispyware.com/superantispywarefreevspro.html
    >
    > After the software is updated, it is suggested scanning the system in Safe
    > Mode.
    >
    > 4. Download and execute HiJack This! (HJT)
    > http://www.trendsecure.com/portal/en...ols/hijackthis
    >
    > Please, do not post HJT logs to this newsgroup.
    > Fora where you can get expert advice for HiJack This! (HJT) logs.
    >
    > http://www.thespykiller.co.uk/index....d3289dd877ab75...
    >
    > NOTE:
    > Registration is required in any of the above mentioned fora before posting
    > a HJT log and read the 'stickies' (instructions/guidelines) for the
    > respective HJT forum.
    >
    > 5. Routinely practice Safe-Hex.
    > http://www.claymania.com/safe-hex.html
    >
    > Good luck


    Thanks!

    Malwarebytes found 6 backdoor bots and some infected files:
    svchost.exe, twext.exe
    that the other spyware tools missed.
    My IE 6 browser is back to normal now.

  4. #14
    David H. Lipman Guest

    Re: My MS IE v6.0 browser has been hijacked

    From: <browserquestions@yahoo.com>



    | Thanks!

    | Malwarebytes found 6 backdoor bots and some infected files:
    | svchost.exe, twext.exe
    | that the other spyware tools missed.
    | My IE 6 browser is back to normal now.

    You had a Zbot infection.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #15
    PA Bear [MS MVP] Guest

    Re: My MS IE v6.0 browser has been hijacked

    browserquestions@yahoo.com wrote:
    <snip>
    > Malwarebytes found 6 backdoor bots and some infected files:
    > svchost.exe, twext.exe
    > that the other spyware tools missed.
    > My IE 6 browser is back to normal now.


    But is the computer free of any/all hijackware?

  6. #16
    browserquestions@yahoo.com Guest

    Re: My MS IE v6.0 browser has been hijacked

    On Nov 21, 8:45 pm, Dustin Cook <bughunter.dus...@gmail.com> wrote:
    > Kayman <kaymanDeleteT...@operamail.com> wrote in news:gg35b6$nbi$1@news.motzarella.org:
    >
    > > On Wed, 19 Nov 2008 20:18:51 -0800 (PST), browserquesti...@yahoo.com
    > > wrote:
    >
    > >> When I visit www.bankofamerica.com, there is an additional field
    > >> "Enter ATM card number:"
    > >> When I visit www.wellsfargo.com, there is an additional field for
    > >> "ATM PIN"
    > >>
    > >> These fields don't appear when I use Mozilla Firefox v3.0
    > >>
    > >> I've reported the problem to the respective banks.
    > >>
    > >> Ad-Aware (free), Spybot and Windows Defender don't detect this
    > >> hijack
    > >>
    > >> Can someone here help me identify who/what hijacked my IE 6 browser,
    > >> and how I can find out which illegal IP address these 2 fields are
    > >> being transmitted to?
    > >
    > > 3.Download/execute:
    > > Malwarebytes© Corporation - Anti-Malware
    > > http://www.malwarebytes.org/mbam/program/mbam-setup.exe
    > > After the software is updated, it is suggested scanning the system in
    > > Safe Mode.
    >
    > Malwarebytes actually performs better in Normal Mode.


    I thought it was preferable to do these things (e.g. anti virus scans)
    in Safe Mode to prevent stealth virii from going into stealth mode.
    The only thing safer than the Safe Mode is to boot up from a WIN PE or
    BART PE CD ?

  7. #17
    browserquestions@yahoo.com Guest

    Re: My MS IE v6.0 browser has been hijacked

    On Nov 26, 10:39 am, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
    > browserquesti...@yahoo.com wrote:
    >
    > <snip>
    >
    > > Malwarebytes found 6 backdoor bots and some infected files:
    > > svchost.exe, twext.exe
    > > that the other spyware tools missed.
    > > My IE 6 browser is back to normal now.

    >
    > But is the computer free of any/all hijackware?


    The saga continues.

    After the initial cleanup using Malwarebytes Anti-Malware and
    SUPERAntiSpyware,
    MBAM found an additional Trojan.Downloader in a system restore point.
    Next day, it found
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    \iepinit_dlls (Spyware.Agent.H) -> Quarantined and deleted
    successfully.
    and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)

    Next day,
    my Computer Associates AntiVirus v8 reported a couple of instances of:
    Win32/Pruserinf.Y
    on the infected laptop, and now also on a Desktop PC that was shared
    via a network share!

    I installed avast! on the laptop, and during the initial boot up scan,
    it found:
    Win32:Zbot-ASN [Trj]
    Win32:Invo [Cryp]

    But now, CA anti-virus on the laptop crashes (conflict with avast! ?)

    My laptop Firewall (ZoneAlarm free) reports outbound requests in the
    middle of the night from strangely named .exe file from the Windows
    \temp folder.

    I've also upgraded the MSIE on the laptop to v7, but use Firefox v3 as
    the default.

    Is there something still hiding in the laptop, and generating all
    these other trojans?

  8. #18
    David H. Lipman Guest

    Re: My MS IE v6.0 browser has been hijacked

    From: <browserquestions@yahoo.com>

    | I thought it was preferable to do these things (e.g. anti virus scans)
    | in Safe Mode to prevent stealth virii from going into stealth mode.
    | The only thing safer than the Safe Mode is to boot up from a WIN PE or
    | BART PE CD ?

    There are no computer viri or virii. They are computer viruses.

    MBAM does not target viruses. It targets non-viral malware.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  9. #19
    David H. Lipman Guest

    Re: My MS IE v6.0 browser has been hijacked

    From: <browserquestions@yahoo.com>


    | The saga continues.

    | After the initial cleanup using Malwarebytes Anti-Malware and
    | SUPERAntiSpyware,
    | MBAM found an additional Trojan.Downloader in a system restore point.
    | Next day, it found
    | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    | \iepinit_dlls (Spyware.Agent.H) -> Quarantined and deleted
    | successfully.
    | and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)

    | Next day,
    | my Computer Associates AntiVirus v8 reported a couple of instances of:
    | Win32/Pruserinf.Y
    | on the infected laptop, and now also on a Desktop PC that was shared
    | via a network share!

    | I installed avast! on the laptop, and during the initial boot up scan,
    | it found:
    | Win32:Zbot-ASN [Trj]
    | Win32:Invo [Cryp]

    | But now, CA anti-virus on the laptop crashes (conflict with avast! ?)

    | My laptop Firewall (ZoneAlarm free) reports outbound requests in the
    | middle of the night from strangely named .exe file from the Windows
    | \temp folder.

    | I've also upgraded the MSIE on the laptop to v7, but use Firefox v3 as
    | the default.

    | Is there something still hiding in the laptop, and generating all
    | these other trojans?

    You can have only one fully installed anti virus application performing both "On Demand"
    and "On Access" scanning. You can't have two.

    You can however supplement that one fully installed anti virus application with additional
    "On Demand" anti virus scanners. These can be online scanners or command line scanners
    that run locally.

    You are still infected. There should be NO applications running from the TEMP folder. So
    if ZA is indicating there is "...outbound requests in the middle of the night from
    strangely named .exe file from the Windows .\temp folder..." you still have a problem.

    Start by uninstalling Avast and see if that corrects CA anti-virus. Then perform the
    following...


    Download and execute HiJack This! (HJT)
    http://www.trendsecure.com/portal/en...HJTInstall.exe

    Then post the contents of the HJT log in your post in one of the below expert forums...

    { Please - Do NOT post the HJT Log here ! }

    Forums where you can get expert advice for HiJack This! (HJT) Logs.

    NOTE: Registration is REQUIRED in any of the below before posting a log

    Suggested primary:
    http://www.thespykiller.co.uk/index.php?board=3.0

    Suggested secondary:
    http://www.bleepingcomputer.com/forums/forum22.html
    http://castlecops.com/forum67.html
    http://www.malwarebytes.org/forums/i...hp?showforum=7

    Suggested tertiary:
    http://www.dslreports.com/forum/cleanup
    http://www.cybertechhelp.com/forums/...splay.php?f=25
    http://www.atribune.org/forums/index.php?showforum=9
    http://www.geekstogo.com/forum/Malwa..._Here-f37.html
    http://gladiator-antivirus.com/forum...?showforum=170
    http://forum.networktechs.com/forumdisplay.php?f=130
    http://forums.maddoktor2.com/index.php?showforum=17
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.spywareinfo.com/index.php?showforum=18
    http://forums.techguy.org/f54-s.html
    http://forums.tomcoyote.org/index.php?showforum=27
    http://forums.subratam.org/index.php?showforum=7
    http://www.5starsupport.com/ipboard/...p?showforum=18
    http://aumha.net/viewforum.php?f=30
    http://makephpbb.com/phpbb/viewforum.php?f=2
    http://forums.techguy.org/54-security/
    http://forums.security-central.us/forumdisplay.php?f=13



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
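
As an added example (not part of any post in this thread), one way to check the rule stated in post #19, that nothing should be running from a temp folder, on a current Windows system with PowerShell 3.0 or later. The temp locations it matches are assumptions about a default Windows layout.

```powershell
# Added example, not from the thread: report running processes whose image
# file sits under a temp directory, with Authenticode status for triage.
# Run from an elevated prompt so ExecutablePath is readable for all processes.

# Assumed temp locations: the current user's, the system one, and any
# profile's temp folder (XP "Local Settings\Temp", Vista+ "AppData\Local\Temp").
$roots = @($env:TEMP, $env:TMP, (Join-Path $env:windir 'Temp')) |
    Where-Object { $_ } |
    ForEach-Object { [regex]::Escape($_.TrimEnd('\') + '\') }
$profileTemp = '\\(Local Settings|AppData\\Local)\\Temp\\'
$pattern = '^(' + ($roots -join '|') + ')|' + $profileTemp

# -match is case-insensitive, which suits Windows paths.
$hits = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match $pattern } |
    ForEach-Object {
        # The file may already be gone or locked; record that instead of failing.
        $sig = Get-AuthenticodeSignature -LiteralPath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            ParentId  = $_.ParentProcessId
            Started   = $_.CreationDate
            Signature = if ($sig) { $sig.Status } else { 'Unreadable' }
            Path      = $_.ExecutablePath
        }
    }

if ($hits) { $hits | Sort-Object Started | Format-Table -AutoSize -Wrap }
else       { 'No running process has its image under a temp directory.' }
```

Installers and updaters do run from temp folders for short periods, so a hit is a lead to investigate (start time, parent process, signature) and not proof of infection. A path reported in 8.3 short form may not match the literal roots above.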



  10. #20
    Buffalo Guest

    Re: My MS IE v6.0 browser has been hijacked



    David H. Lipman wrote:
    > From: <browserquestions@yahoo.com>
    >
    >
    >> The saga continues.

    >
    >> After the initial cleanup using Malwarebytes Anti-Malware and
    >> SUPERAntiSpyware,
    >> MBAM found an additional Trojan.Downloader in a system restore point.
    >> Next day, it found
    >> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    >> NT\CurrentVersion\Windows \iepinit_dlls (Spyware.Agent.H) ->
    >> Quarantined and deleted successfully.
    >> and C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H)

    >
    >> Next day,
    >> my Computer Associates AntiVirus v8 reported a couple of instances
    >> of: Win32/Pruserinf.Y
    >> on the infected laptop, and now also on a Desktop PC that was shared
    >> via a network share!

    >
    >> I installed avast! on the laptop, and during the initial boot up
    >> scan, it found:
    >> Win32:Zbot-ASN [Trj]
    >> Win32:Invo [Cryp]
    >
    >> But now, CA anti-virus on the laptop crashes (conflict with avast! ?)

    >
    >> My laptop Firewall (ZoneAlarm free) reports outbound requests in the
    >> middle of the night from strangely named .exe file from the Windows
    >> \temp folder.

    >
    >> I've also upgraded the MSIE on the laptop to v7, but use Firefox v3 as
    >> the default.

    >
    >> Is there something still hiding in the laptop, and generating all
    >> these other trojans?

    >
    > You can have only one fully installed anti virus application
    > performing both "On Demand" and "On Access" scanning. You can't have
    > two.
    >
    > You can however supplement that one fully installed anti virus
    > application with additional "On Demand" anti virus scanners. These
    > can be online scanners or command line scanners that run locally.
    >
    > You are still infected. There should be NO applications running from
    > the TEMP folder. So if ZA is indicating there is "...outbound
    > requests in the
    > middle of the night from strangely named .exe file from the Windows
    > .\temp folder..." you still have a problem.
    >
    > Start by uninstalling Avast and see if that corrects CA anti-virus.

    [snip]

    Shouldn't he shut off his System Restore since the virus(s) seem to be in
    there and empty out his temp and TIF files?
    Then shouldn't he run the detection programs again? Just curious, since I do
    not have XP or Vista.
    Thanks.


