Thursday, May 03, 2007

Thursday Thirteen #31

This is a shoutout to anyone with tech savvy who might know something about one of the items listed here and be able to point us in the direction of help.

I expect that for most of you your eyes will glaze over as you scan this list. Imagine if this had been your primary reading material for the past six days. I was so anxious about this that I couldn't just let the scan programs do their job. I actually watched the names of the files and the names of the threats as they streamed by. In the first scan by AVG on Saturday morning there were over 450 instances of threats identified. Over 400 were tracking cookies. About 20 to 30 of them were programs which spread pieces of themselves all through the system.

Watching those scans in progress was a lot like watching paint dry. At first anyway. But over time, I started to see relevance and clues and connections and some of those led me to the solution.

The latest scan found only forty-some threats, of which all but four items were tracking cookies. UCmore, the so-called search accelerator, is still skulking in one location, as is one of the Trojans and the Not-A-Virus with its redirect capability.

The latest frustration is that after the last scan, the instruction to delete upon reboot (which we resorted to because giving the command to remove the offenders tended to crash the anti-malware program while it was in process) came back, for those items found in C:\System Volume Information\_restore, with a warning that it could not be done without damaging a file important to the system. So if a competent program like AVG can't ferret out a known baddie because it hides itself in a vital folder, then what is a non-geek to do?

Thirteen of the Malware Found on My Laptop Since Saturday
(and where they were found if known, including multiple locations)

1. C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP493\A0048229.exe -> Adware.Agent

2. HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar
HKU\S-1-5-21-2184598315-1240948459-3972223151-1007\Software\Effective-i -> Adware.EffectiveBrandToolbar
HKU\S-1-5-21-2184598315-1240948459-3972223151-1007\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar
HKU\S-1-5-21-2184598315-1240948459-3972223151-1007\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar

3. C:\Documents and Settings\Joy\Local Settings\Temp\Doh.exe -> Adware.ClickSpring

4. C:\Documents and Settings\Joy\Local Settings\Temp\New2D0.tmp\upg_dll.dll -> Adware.NewDotNet
C:\Program Files\NewDotNet -> Adware.NewDotNet
C:\Program Files\NewDotNet\newdotnet7_48.dll -> Adware.NewDotNet
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP493\A0050223.exe -> Adware.NewDotNet
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP493\A0050224.exe -> Adware.NewDotNet
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP493\A0050225.exe -> Adware.NewDotNet
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet
C:\WINDOWS\system32\smpi1\win.exe -> Adware.NewDotNet
HKLM\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet
HKLM\SOFTWARE\Classes\Tldctl2.URLLink -> Adware.NewDotNet
HKLM\SOFTWARE\Classes\Tldctl2.URLLink.1 -> Adware.NewDotNet
HKLM\SOFTWARE\Classes\Tldctl2.URLLink\CLSID -> Adware.NewDotNet
HKLM\SOFTWARE\Classes\Tldctl2.URLLink\CurVer -> Adware.NewDotNet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\New.net Startup -> Adware.NewDotNet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net -> Adware.NewDotNet
HKLM\SOFTWARE\New.net -> Adware.NewDotNet : Ignored
HKU\S-1-5-21-2184598315-1240948459-3972223151-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet
HKU\S-1-5-21-2184598315-1240948459-3972223151-1007\Software\New.net -> Adware.NewDotNet
[1800] C:\Program Files\NewDotNet\newdotnet7_48.dll -> Adware.NewDotNet
[1808] C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL -> Adware.NewDotNet
[2412] C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL -> Adware.NewDotNet : Ignored
[3376] C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL -> Adware.NewDotNet : Ignored

5. C:\Documents and Settings\Joy\My Documents\WinSxS\services.exe -> Adware.PurityScan
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP493\A0048228.dll -> Adware.PurityScan

6. C:\Documents and Settings\Joy\Start Menu\Programs\UCmore - The Search Accelerator -> Adware.Ucmore
C:\Documents and Settings\Joy\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk -> Adware.Ucmore
C:\Documents and Settings\Joy\Start Menu\Programs\UCmore - The Search Accelerator\UCmore - The Search Accelerator.lnk -> Adware.Ucmore
C:\Documents and Settings\Joy\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk -> Adware.Ucmore
C:\RECYCLER\S-1-5-21-2184598315-1240948459-3972223151-1007\Dc56\IUCmore.dll -> Adware.Ucmore
C:\RECYCLER\S-1-5-21-2184598315-1240948459-3972223151-1007\Dc56\UCMTSAIE.dll -> Adware.Ucmore
C:\WINDOWS\system32\smpi1\win66.exe/IUCMORE.DLL -> Adware.Ucmore
C:\WINDOWS\system32\smpi1\win66.exe/UCMTSAIE.DLL -> Adware.Ucmore
C:\WINDOWS\system32\smpi1\win66.exe/empty_00000001 -> Adware.Ucmore
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator -> Adware.UCmore

7. C:\Documents and Settings\Joy\Local Settings\Temp\wr-1-2000219.exe -> Downloader.Agent.bls
C:\WINDOWS\retadpu2000219.exe -> Downloader.Agent.bls
C:\WINDOWS\system32\smpi1\win11.exe -> Downloader.Agent.bls
C:\WINDOWS\updater.exe -> Downloader.Agent.bls

8. C:\Documents and Settings\Joy\Local Settings\Temp\Install-Errorprotector-Free.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l
C:\Documents and Settings\Joy\Local Settings\Temporary Internet Files\Content.IE5\7NNZPVTX\hh[1].htm -> Not-A-Virus.Exploit.JS.ADODB.Stream.t
C:\Documents and Settings\Joy\Local Settings\Temporary Internet Files\Content.IE5\S9P3SH2H\portal[1].htm -> Not-A-Virus.Exploit.MhtRedir
C:\Documents and Settings\Joy\Local Settings\Temporary Internet Files\Content.IE5\THV6VUBG\portal[1].htm -> Not-A-Virus.Exploit.MhtRedir

9. C:\WINDOWS\system32\smpi1\win5.exe -> Trojan.Agent

10. C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP492\A0048225.exe -> Trojan.Small
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP493\A0050226.exe -> Trojan.Small

The following three came up in scans by programs that did not provide the detail shown in the examples above, at least not for free-trial users:

11. Busky B

12. Core

13. Yazzle
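A triage pass over scan output in the "location -> detection" form used in the list above, as an added example that is not part of the original post and not code from AVG or any other scanner. It parses each line, groups hits by detection name and by where each one lives, and separates the two cases that stalled the cleanup described above: entries with a bracketed number, read here as the ID of a process the DLL was found loaded in, cannot be deleted until that process is stopped, and files under C:\System Volume Information\_restore sit inside System Restore snapshots, which scanners report but do not clean; on Windows XP those are purged by turning System Restore off (which discards every restore point) and back on, once the live copies are gone. The sample lines are copied from the list above; the location categories, the remediation wording and the helper names are this example's own assumptions.

```python
# Triage for anti-malware scan output written "<location> -> <detection>",
# the format of the list above.  Added example, not code from the post,
# from AVG or any other scanner; the categories and remediation text are
# this example's own assumptions.
import re
from collections import defaultdict

# Lines copied from the scan results above.  A bracketed number is read as
# the PID of a process the DLL was loaded in; " : Ignored" marks an item the
# scanner skipped; a stray trailing " ." appears on some lines as pasted.
SCAN_LINES = r"""
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP493\A0048229.exe -> Adware.Agent
C:\Program Files\NewDotNet\newdotnet7_48.dll -> Adware.NewDotNet
C:\WINDOWS\system32\smpi1\win.exe -> Adware.NewDotNet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\New.net Startup -> Adware.NewDotNet
HKLM\SOFTWARE\New.net -> Adware.NewDotNet : Ignored.
[2412] C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL -> Adware.NewDotNet : Ignored.
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP493\A0050224.exe -> Adware.NewDotNet .
C:\Documents and Settings\Joy\Local Settings\Temporary Internet Files\Content.IE5\S9P3SH2H\portal[1].htm -> Not-A-Virus.Exploit.MhtRedir
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP492\A0048225.exe -> Trojan.Small .
"""

LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?"                           # optional "[pid] "
    r"(?P<location>\S.*?)\s+->\s+"                         # path or registry key
    r"(?P<detection>[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)"  # e.g. Adware.NewDotNet
    r"(?:\s*:\s*(?P<status>[A-Za-z]+))?"                   # optional " : Ignored"
    r"\s*\.?\s*$")                                         # tolerate trailing " ."

# Markers for where an item lives (compared lower-cased).
RESTORE_PREFIX = "c:\\system volume information\\_restore"
AUTOSTART = ("\\currentversion\\run\\", "\\browser helper objects\\")
CACHE = ("\\local settings\\temp\\", "\\temporary internet files\\")
RP_RE = re.compile(r"\\RP(\d+)\\", re.IGNORECASE)

# Location kinds, most urgent first, with what each one needs.
REMEDIATION = [
    ("loaded_in_process", "stop the listed PID (or boot to Safe Mode) before deleting;"
                          " a loaded DLL cannot be removed in place"),
    ("autostart", "remove the Run / BHO entry so the file is not relaunched at logon"),
    ("file", "delete once nothing is running from it"),
    ("cache", "delete; dropper and exploit-page copies, not persistence"),
    ("registry", "delete the leftover key after the files are gone"),
    ("restore_point", "scanners do not clean inside restore points: turn System Restore"
                      " off to purge them (all restore points are lost), then back on"),
]

def parse_line(line):
    """One scan line -> dict with pid, location, detection, status; None if not a hit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"pid": int(m["pid"]) if m["pid"] else None, "location": m["location"],
            "detection": m["detection"], "status": m["status"]}

def classify(location, pid=None):
    """Where the item lives, which decides how it has to be removed."""
    loc = location.lower()
    if pid is not None:
        return "loaded_in_process"
    if loc.startswith(RESTORE_PREFIX):
        return "restore_point"
    if loc.startswith(("hklm\\", "hku\\", "hkcu\\")):
        return "autostart" if any(m in loc for m in AUTOSTART) else "registry"
    if any(m in loc for m in CACHE):
        return "cache"
    return "file"

def triage(text):
    """Group hits by detection name, then by location kind."""
    report = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            report[rec["detection"]][classify(rec["location"], rec["pid"])].append(rec)
    return {det: dict(kinds) for det, kinds in report.items()}

def restore_points_hit(report):
    """RPnnn snapshots holding infected files; a rollback would re-infect from them."""
    rps = set()
    for kinds in report.values():
        for rec in kinds.get("restore_point", []):
            m = RP_RE.search(rec["location"])
            if m:
                rps.add(int(m.group(1)))
    return sorted(rps)

def plan(report):
    """(detection, kind, count, action) tuples, most urgent kind first per detection."""
    steps = []
    for det, kinds in sorted(report.items()):
        for kind, action in REMEDIATION:
            if kind in kinds:
                steps.append((det, kind, len(kinds[kind]), action))
    return steps

if __name__ == "__main__":
    rep = triage(SCAN_LINES)
    for det, kind, n, action in plan(rep):
        print(f"{det:30} {kind:18} x{n}  {action}")
    print("restore points to purge:", restore_points_hit(rep))
```

Run as a script it prints one step per detection and location kind, most urgent first, and then the restore points (RP492 and RP493 for the sample) that a System Restore rollback would re-infect from. The "Ignored" status is kept on each record so that items the scanner skipped are not mistaken for items it cleaned.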

The following are not included in the thirteen because I cannot be sure they are malware, as they have not been identified as such by a scan. But error messages refer to them:

1. iexplore.exe comes up in a runtime error that appears just before the browser crashes

2. system32\rfkwymtg.dll comes up in an error message claiming it cannot be found while logging onto the desktop after a reboot

3. gorPUS.exe is one of several mysterious programs that get accused of Not Responding during log off and won't close unless you click End Task

4. NDrv.exe and services.exe both throw up error messages upon logging on after reboots, claiming to have encountered an error and needing to close

Links to other Thursday Thirteens!

1. scooper 2. Gattina 3. L^2

(leave your link in comments, I'll add you here!)

Get the Thursday Thirteen code here!

The purpose of the meme is to get to know everyone who participates a little bit better every Thursday. Visiting fellow Thirteeners is encouraged! If you participate, leave the link to your Thirteen in others comments. It's easy, and fun! Be sure to update your Thirteen with links that are left for you, as well! I will link to everyone who participates and leaves a link to their 13 things. Trackbacks, pings, comment links accepted!


3 tell me a story:

Anonymous,  5/03/2007 6:04 AM  

I stopped by and have no clue about any of the list. Good luck!

Gattina 5/03/2007 7:46 AM  

You could have written that in Chinese; for me it's the same, I don't understand anything, sorry!

L^2 5/03/2007 3:03 PM  

Sorry I don't think I can help, but, good luck with the computer.
