3 replies to this topic

[mrjohncougar]

Ok I'm going to try and do this, I'm have horrible headaches and I stink at posting. Last Wednesday i was on a site called Yeeeah.com clicked on a link to see something and spy sweeper said i was screwed. This is not porn not even close,I thought i was protected and was being smart as to where i went, I was wrong. Spy sweeper came up and then i saw av2009 asking to download. I got to the desktop and ran a spy sweeper scan and a hijack log. hijack log showed six problems however spy sweeper only found one piece of adware, one piece I own it so i'm stuck. I then ran a malwarebytes scan.

Here's my question, I ran a scan and the software showed 24 detections, the log file showed 27 detections and in quarantine there is only 17 detections. Quarantine shows 7 files, five registry keys, and five registry values. the log which i'm posting adds 5 memory modules and 5 registry data items? Why are the totals as to what was deteted and quarantined so different?
By the way malwarebytes got everything, I ran another hijack log and was clean, also ran a superantispyware scan. I'm very happy about malwarebytes ticked off about spy sweeper. Thanks alot.

Malwarebytes' Anti-Malware 1.30
Database version: 1455
Windows 5.1.2600 Service Pack 2

12/3/2008 7:30:09 PM
mbam-log-2008-12-03 (19-30-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 139913
Time elapsed: 34 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\miziwiva.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nunayeta.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\disovibu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gafuyowo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\puyipufo.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f0b2395-f536-4091-ad70-6d4ff4085b69} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f0b2395-f536-4091-ad70-6d4ff4085b69} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1f0b2395-f536-4091-ad70-6d4ff4085b69} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d4dc18b5 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rekumoboto (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmd7ef2b29 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\gafuyowo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\gafuyowo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\puyipufo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\puyipufo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\puyipufo.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\miziwiva.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aviwizim.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\disovibu.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\nunayeta.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gafuyowo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\puyipufo.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2XCDIHAD\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

PEACE

[exile360]

I'm not sure about all the discrepancies, but the memory threats won't be in quarantine because the files that create the processes in memory would be what gets quarantined. It is also possible that either something wasn't removable through normal means so it wasn't quarantined, or a reg entry was simply removed while removing another like if it were a subkey.

[mrjohncougar]

I was sure that the infections were gone because i ran a hijack this log before the scan and after. I have mixed emotions, malwarebytes was terrific however the number one or two rated spy ware missed every Trojan and just came up with ad ware. I feel now that I have to really watch what i click on. I use the sites that i got attacked on,but i should have known that when I clicked on links to look at other stories spy sweeper kept coming up saying danger. They were sitting on the links ready. I also have to say that there are web reviews on products all over the web and i got upset reading a poor review on malwarebytes, being at the bottom of thirty products alot are so bad they aren't even rated in most reviews. I won't put a link in because it will create anger. This is a very good product and you support it better than most, that's all that i can ask for. I keep thinking about spyware blaster and I think it would be a pain, because i have multi browsers and spyware. KEEP UP THE GOOD WORK, THANKS

[exile360]

Yes, it's true that MBAM does very poorly in certain test scenarios, but it's simply because of the way it was designed. It is made so that it will detect ACTIVE malware on a system, and more often than not, to save themselves time, the testers simply place malware files in a folder and scan it to see which ones detect it, and how many they detect. MBAM doesn't work that way, it is made so that, rather than using specific file signatures, like an antivirus does, it looks in the actual locations in the system and registry where the malware would be if the system were actually infected by it. That's why you only need to use the quick scan option with MBAM, because it's programmed to look in those key locations, and that's also why the definitions are so small (that and the fact that it will find most variants of malware it detects using heuristics, not needing a specific signature for each one). And no worries, the users don't generally get to upset about those reviews anymore, we're used to it. We know it works, and that's good enough for us.