Continuing from http://forum.ccleaner.com/index.php?act=ST...t=5576&st=0
Hi Andy,
I followed your instructions but Ewido found nothing. Below is a copy of my HijackThis log file and the results from your batch file. I've included two results; the second was taken after another attack. There was an error while executing the batch; I think text4.txt wasn't created as there was no text to write.
Logfile of HijackThis v1.99.1
Scan saved at 10:33:12, on 25/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Common Files\AOL\1147904741\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1147904741\ee\AOLServiceHost.exe
c:\program files\common files\aol\1147904741\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1147904741\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dan.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147904741\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dan.co.uk
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
------
AutoComplete HKLM/HKCU Export:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest"="no"
"FormSuggest Passwords"="no"
"FormSuggest PW Ask"="no"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete]
"Append Completion"="no"
"AutoSuggest"="yes"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms]
"AskUser"=dword:00000001
Protected Storage Information:
STATE : 4 RUNNING
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
"Start"=dword:00000002
------
After another Attack
AutoComplete HKLM/HKCU Export:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest"="no"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete]
"Append Completion"="no"
"AutoSuggest"="yes"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms]
"AskUser"=dword:00000000
Protected Storage Information:
STATE : 4 RUNNING
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
"Start"=dword:00000002
AOL Infostealer spyware
Started by mikedd, Jun 25 2006 10:42 AM
#1 Posted 25 June 2006 - 10:42 AM
#2 Posted 25 June 2006 - 04:24 PM
Hi Mike
There's nothing bad showing in the log, so it's probably best if we check a bit deeper to make sure there are no hidden problems.
Regarding the batch, I was checking if there were values in HKLM which should not be present, so it's nice to see they didn't exist. This is the main key for enabling/disabling the AutoComplete prompts:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms]
"AskUser"=dword:00000001
When it's set to 1 you will get the prompt when you type something into a search engine, but after you make the choice it should then set the value to 0 and not prompt you to choose again. The Protected Storage part is a Windows service for storing information to prevent access by unauthorized users, so it's good to see the service is running and set to Automatic.
Are you using the Administrator account on your PC, and when you say another attack, is this just random or does it happen every time you reboot or every time you open IE?
Go to Start Menu -> Run -> type
SFC /SCANNOW
(There's a space after SFC), press OK and it will run the System File Checker. Follow the prompts, and insert your Windows installation CD if requested, then reboot the computer after it has finished.
Please then download WinPFind from Here
Save it to the desktop, right click and choose Extract All, then run Winpfind.exe
Click Configure Scan Options
Under the Run Add Ons section select ALL the options in the box below it, then press Apply
Then Click Start Scan
Once the scan is finished, please CLOSE WinPFind and post the contents of the logfile winpfind.txt, which will save into the WinPFind folder, back on the forum.
Finally run Kaspersky's WebScanner:
- Please go HERE and click Kaspersky Online Scanner
- Read and Accept the Agreement
- You will be prompted to install an ActiveX component from Kaspersky, click Yes.
- If you see a Windows dialog asking if you want to install this software, click the Install button.
- The program will launch and then begin downloading the latest definition files,
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
- Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
- When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Cheers
Andy
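As an added example (not code from the thread, and not Andy's batch file), here is a Python script that parses two AutoComplete exports like the ones posted above and reports which values changed between them, separating the changes the thread identifies as harmless from anything else touching those keys. The two sample exports are constructed from the values shown in the thread, and the set of "expected" removals assumes the false positive the thread describes.

```python
"""Compare two .reg-style exports of the IE AutoComplete / IntelliForms keys.

Added example, not from the forum thread. The two snapshots below are
constructed from the values posted in the thread: the first taken before the
AOL scanner acted, the second after another "attack".
"""
import re

# Constructed sample: export before the scanner acted
BEFORE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest"="no"
"FormSuggest Passwords"="no"
"FormSuggest PW Ask"="no"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms]
"AskUser"=dword:00000001
'''

# Constructed sample: export after the scanner "blocked" the values
AFTER = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest"="no"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms]
"AskUser"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_export(text):
    """Return {key: {value_name: value}}; dword values become ints, string
    values stay str. Keys with no values are kept so their presence is recorded."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            result[current][name] = int(dword, 16) if dword is not None else string
    return result


def diff_exports(before_text, after_text):
    """List (key, value_name, old, new); old or new is None when the value is
    absent from that snapshot."""
    before = parse_export(before_text)
    after = parse_export(after_text)
    changes = []
    for key in sorted(set(before) | set(after)):
        names = set(before.get(key, {})) | set(after.get(key, {}))
        for name in sorted(names):
            old = before.get(key, {}).get(name)
            new = after.get(key, {}).get(name)
            if old != new:
                changes.append((key, name, old, new))
    return changes


# Assumption from the thread: these two AutoComplete flags are the harmless
# values the AOL scanner removes, and IE itself resets AskUser from 1 to 0
# once the user has answered the "remember passwords?" prompt.
EXPECTED_FALSE_POSITIVE_REMOVALS = {"FormSuggest Passwords", "FormSuggest PW Ask"}


def classify(changes):
    """Split changes into the known false-positive pattern and everything else,
    so any other tampering with these keys stands out."""
    expected, unexpected = [], []
    for key, name, old, new in changes:
        in_main = key.lower().endswith(r"\internet explorer\main")
        if in_main and name in EXPECTED_FALSE_POSITIVE_REMOVALS and new is None:
            expected.append((key, name, old, new))
        elif name == "AskUser" and old == 1 and new == 0:
            expected.append((key, name, old, new))
        else:
            unexpected.append((key, name, old, new))
    return expected, unexpected


if __name__ == "__main__":
    exp, unexp = classify(diff_exports(BEFORE, AFTER))
    for item in exp:
        print("expected (known false positive / normal IE behaviour):", item)
    for item in unexp:
        print("UNEXPECTED change, investigate:", item)
```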
#3 Posted 26 June 2006 - 10:35 PM
Hi Andy
My PC isn't networked so I'd guess I'm using the administrator account, but I'm not sure.
As to when the attacks occurred, AOL anti-spyware doesn't record times of attack so I don't know if they occurred at set intervals. They appear to come about 30 minutes after typing a password, but again I'm not sure; they're not frequent enough to be predictable. At the most there have been 8 in one day over four to five hours.
Over the last 24 hours there seemed to be a lull in attacks so I thought the Ewido shield must have stopped them, then there was another attack this morning and I found out the Ewido shield wasn't activated anyway for some reason. There was another lull after using SFC but again a second attack occurred. However since then there hasn't been an attack; not only that, I haven't had an autocomplete window. Is it possible one of Ewido's options is preventing it? One of the options disables the Windows Messenger service, should I switch it back on? Is there a way of completely disabling Ewido short of uninstalling it?
I used SFC and it ran without incident; I don't know if it would have signalled an error if one of the system files was corrupted or not. Could SFC itself become altered by a trojan?
I carried out a scan using WinPFind and the results are in the included file. I tried to use Kaspersky Online Scanner but even with security options downgraded to medium it wouldn't run; pressing the online scanner button resulted in no action, maybe the service is temporarily suspended.
I hope the results included help. Thanks in advance.
Mike
#4 Posted 26 June 2006 - 11:15 PM
Hi Mike
I will check the log over in the next hour or so and get back to you, as I'm just helping on another forum, but it shouldn't take long.
If you go to Start Menu > Control Panel > User Accounts and find your profile name, does it have Computer Administrator or Limited Account? Are there any other accounts set up on this screen? (Ignore the guest account as it's there by default and should be turned off, and also ignore ASP.NET if it's there as that's connected to .NET Framework.)
I'm still not sure if this is a malware problem or if one of your security programs is blocking the changes being made, which is making them re-appear.
There's no reason to turn on the Messenger Service; this isn't connected to Instant Messenger programs and the service is set to disabled by default on updated systems. The service description is "Transmits net send and Alerter service messages between clients and servers", so that's fine to leave the way it is.
I noticed my version of Ewido has also gone disabled even though it showed it was a 30 day trial when I installed it last week, so maybe it's detected I already had the previous version installed. I don't mind as I only use it as an on-demand scanner which I just use to scan the system, so it still works fine for that.
If you have the real time protection active on yours and you want to disable it, then it can be done by right clicking the Ewido icon in the system tray and unchecking Resident Shield (the options are now grayed out on mine).
If SFC had found any damaged or corrupt system files it would have prompted you to insert the disk; if it ran through without any prompts then it's a good sign the protected system files are fine. It's possible for SFC to be turned off by malware, but if it starts running and shows it's checking the protected system files then it's fine.
Can you disable Norton's Ad Blocking feature and then try Kaspersky again? The Ad Blocker also usually has a pop-up window blocker enabled, so this may be interfering with Kaspersky's scanner. Click the Ad Blocker on Norton's menu and choose Configure, then disable the Ad Blocking and pop-up window blocking, then try to run Kaspersky again. If there are any infections then it's very likely this scanner will find them, so it would be good if you can get it to run on your PC.
Let us know if you can then run Kaspersky.
Cheers
Andy
#5 Posted 27 June 2006 - 12:20 AM
Hi Mike
I've checked the WinPFind log and it's fine. I'll wait to see what Kaspersky shows if you can get it to run after disabling Norton's protection.
Andy
#6 Posted 27 June 2006 - 01:09 AM
Hi Andy,
The Kaspersky scan found nothing, so I guess the mystery continues. I've included the report in text form.
As you can see from the included photo, the AOL software hasn't detected any more attacks since the two I mentioned.
Thanks
Mike
#7 Posted 27 June 2006 - 01:26 AM
Hi Mike
I'm starting to get the impression that AOL is reporting a false positive and then resetting your AutoComplete settings, as the system is clean. Is it possible for me to download the AOL scanner you're using so I can test it, or does it come as part of an internet package?
Cheers
#8 Posted 27 June 2006 - 01:43 AM
Hi Mike,
It looks like you can sleep well, as it is an AOHell problem and not a Trojan problem.
Taken from the AOL message boards:
Quote
Scan Started on June 18, 2006 at 12:23:21 PM
Engine Version: 5.6.7.4
Dat Date: June 16, 2006 10:14:40 AM
Pest Detected on June 18, 2006 at 12:23:25 PM
Pest ID: 453098577
Name: InfoStealer
Location: Key "hkey_current_user \software\microsoft\internet explorer\main" value "formsuggest pw ask"
Pest Detected on June 18, 2006 at 12:23:27 PM
Pest ID: 453098577
Name: InfoStealer
Location: Key "hkey_current_user \software\microsoft\internet explorer\main" value "formsuggest passwords"
The values it's detecting are genuine and not a threat. I installed AOL Security Edition but it will not let me update the scanner definitions unless I give them credit card info, so I'll forget that idea.
Just give it a few days and they should fix it, as it's a bit stupid of them to be detecting Microsoft reg values as an information-stealing Trojan.
#9 Posted 27 June 2006 - 12:05 PM
Hi Andy,
Excellent news, now it looks like I won't be lobbying the politicians to bring in the death penalty for trojan writers.
It's not important now I suppose, but the 'attacks' are continuing and I'm using the administrator account, which is the only account apart from guest.
Just one more question though: should I restore the blocked files or leave them as is?
Thanks for the help.
Mike
#10 Posted 27 June 2006 - 04:21 PM
Hey Mike
It's safe to unblock them and then choose Allow next time it's detected, as all it's doing is detecting the AutoComplete settings after you make the choice, then removing them so you have to choose again. All the blocked events will be for the same thing; your AutoComplete export which we initially ran does confirm that it removed the two values, which are harmless.
Here's another post from the AOL message boards which may help:
Quote
If it was AOL Spyware Protection, and the name was InfoStealer, that's a false positive (a mistake) that was introduced in the 6/16 DAT update files. The following registry items are being identified as InfoStealer:
Location: Key "hkey_current_user \software\microsoft\internet explorer\main" value "formsuggest pw ask"
Location: Key "hkey_current_user \software\microsoft\internet explorer\main" value "formsuggest passwords"
But they appear to be normal Internet Explorer options that millions of people have. You may have only one of them as I do.
If you have not run another scan afterward, look at the log file.
There is a log for the last scan (you have to use Tools, Folder Options, View, show hidden files): For Windows XP it is C:\Documents and Settings\All Users\Application Data\AOL\User Profiles\All Users\antiSpyware\scanlog.txt
You can click on Start, Run, and paste in this file name and then it will open the file for you. If the only things it found were the two above, then you didn't have a Trojan after all. If it shows nothing found, then you probably ran another scan afterward.
If you selected Block, then you have removed those Internet Explorer options. If you have the AOL Safety and Security Center, you can open spyware protection. If there is a triangle in front of Spyware Protection pointing to the right, click on it and it should show Allowed Items and Blocked Items underneath. Click on Blocked items and it will give you a list by date. You can select the date that shows InfoStealer under it. Click on the date. Then you can click on Restore and it should undo what it did when it blocked.
The next time you scan, it will still identify the same registry items. But you can click on Allow (to ignore forever). Or Ignore (to ignore once) but then you will have to keep Ignoring it until AOL fixes the false detection.