PC Review
A cleaning success

 
 
Bill Sanderson
      10th Feb 2005
I had a chance to work with a machine with a significant infestation today,
and was pleased with the results--here's a condensed version of the
cleaner.log:

2/10/2005 10:46:35 AM::------------------------------------------------------------------
2/10/2005 10:46:35 AM::Initializing Clean - (ScanID: EA62F7C5-C951-43A9-8027-7CD956)
2/10/2005 10:46:36 AM::Clean Threat MyWebSearch Toolbar (ID:14137)
2/10/2005 10:47:53 AM::Clean Threat MyWebSearch Toolbar (ID:14137) Complete
2/10/2005 10:47:54 AM::Clean Threat 180search Assistant (ID:14814)
2/10/2005 10:48:05 AM::Clean Threat 180search Assistant (ID:14814) Complete
2/10/2005 10:48:05 AM::Clean Threat IST.ISTbar (ID:7457)
2/10/2005 10:48:13 AM::Clean Threat IST.ISTbar (ID:7457) Complete
2/10/2005 10:48:13 AM::Clean Threat Trojan.Downloader.TargetSavers (ID:15121)
2/10/2005 10:48:25 AM::Clean Threat Trojan.Downloader.TargetSavers (ID:15121) Complete
2/10/2005 10:48:25 AM::Clean Threat Travelling Salesman (ID:15211)
2/10/2005 10:48:26 AM::Clean Threat Travelling Salesman (ID:15211) Complete
2/10/2005 10:48:26 AM::Clean Threat AvenueMedia.DyFuCA (ID:4711)
2/10/2005 10:48:35 AM::Clean Threat AvenueMedia.DyFuCA (ID:4711) Complete
2/10/2005 10:48:35 AM::Clean Threat IST.PowerScan (ID:9942)
2/10/2005 10:48:37 AM::Clean Threat IST.PowerScan (ID:9942) Complete
2/10/2005 10:48:37 AM::Clean Threat SideFind (ID:14817)
2/10/2005 10:48:51 AM::Clean Threat SideFind (ID:14817) Complete
2/10/2005 10:48:51 AM::Clean Threat ShopAtHome (ID:10773)
2/10/2005 10:49:16 AM::Clean Threat ShopAtHome (ID:10773) Complete
2/10/2005 10:49:16 AM::Clean Threat Popular Screensavers (ID:14911)
2/10/2005 10:49:16 AM::Clean Threat Popular Screensavers (ID:14911) Complete
2/10/2005 10:49:17 AM::Clean Threat Xrenoder (ID:12166)
2/10/2005 10:49:19 AM::Clean Threat Xrenoder (ID:12166) Complete
2/10/2005 10:49:19 AM::Clean Threat IST.XXXToolbar (ID:14816)
2/10/2005 10:49:20 AM::Clean Threat IST.XXXToolbar (ID:14816) Complete
2/10/2005 10:49:20 AM::Clean Threat MediaTickets CDT (ID:14900)
2/10/2005 10:49:23 AM::Clean Threat MediaTickets CDT (ID:14900) Complete
2/10/2005 10:49:23 AM::Clean Threat Unclassified.Trojan.Z (ID:15205)
2/10/2005 10:49:25 AM::Clean Threat FunWebProducts (ID:14912)
2/10/2005 10:49:26 AM::Clean Threat FunWebProducts (ID:14912) Complete
2/10/2005 10:49:26 AM::Clean Threat MoneyTree (ID:8632)
2/10/2005 10:49:27 AM::Clean Threat MoneyTree (ID:8632) Complete
2/10/2005 10:49:27 AM::Clean Threat CoolWebSearch.StartPage (ID:14949)
2/10/2005 10:49:28 AM::Clean Threat CoolWebSearch (ID:4092)
2/10/2005 10:49:28 AM::Clean Threat CoolWebSearch (ID:4092) Complete
2/10/2005 10:49:28 AM::Clean Threat IST.SlotchBar (ID:4739)
2/10/2005 10:49:29 AM::Clean Threat IST.SlotchBar (ID:4739) Complete
2/10/2005 10:49:29 AM::Clean Threat ClickSpring.PuritySCAN (ID:10115)
2/10/2005 10:49:29 AM::Clean Threat ClickSpring.PuritySCAN (ID:10115) Complete
2/10/2005 10:49:30 AM::Clean Threat Claria.DashBar (ID:4207)
2/10/2005 10:49:30 AM::Clean Threat Claria.DashBar (ID:4207) Complete
2/10/2005 10:49:31 AM::Unititializing Clean
2/10/2005 10:49:31 AM::------------------------------------------------------------------
2/10/2005 10:53:22 AM::------------------------------------------------
2/10/2005 10:53:22 AM::Starting GIANT AS Cleaner
2/10/2005 10:53:22 AM::Running all Cleaner deletes
2/10/2005 10:53:22 AM::---Starting Quick Cleaner DelFolders
2/10/2005 10:53:22 AM::---Starting Quick Cleaner DelRegKeys
2/10/2005 10:53:22 AM::---Starting Quick Cleaner DelRegValues
2/10/2005 10:53:22 AM::Checking threats to clean
2/10/2005 10:53:22 AM::Ending GIANT AS Cleaner
2/10/2005 10:53:22 AM::------------------------------------------------

You'll note there are some high-profile names in there--coolwebsearch and
istbar, for example, but these probably aren't the latest and greatest
examples of those genres.

This machine is behind an ISA Server firewall, but not part of a domain or
managed in any way. It has Norton Antivirus 2003 in place, up to date, and
with a current scan. Norton doesn't see this stuff, apparently, or perhaps
the users are ignoring the scan results--I need to re-check that detail.

One scan was all this took--I've done a subsequent scan in safe mode and it
found a no-name, no-details browser hijacker, so I'm not sure what that is,
but I removed it.

After the scan completed, checking over executables on the drive, I did find
something which at a command prompt looks like "L$ass.exe", but in Explorer,
looks like LSASS.EXE--good trick! System, Hidden, read-only, so I pulled it
off and submitted it to Virustotal, with the below result:

Results of a file scan
This is the report of the scanning done over "l__1109" file that VirusTotal
processed on 02/10/2005 at 19:48:14 (GMT+1).
Antivirus    Version         Update      Result
AntiVir      6.29.0.11       02.10.2005  no virus found
AVG          718             02.10.2005  no virus found
BitDefender  7.0             02.10.2005  no virus found
ClamAV       devel-20050130  02.10.2005  Trojan.Dropper.Purityscan.I
DrWeb        4.32b           02.10.2005  no virus found
eTrust-Iris  7.1.194.0       02.10.2005  no virus found
eTrust-Vet   11.7.0.0        02.10.2005  no virus found
Fortinet     2.51            02.09.2005  no virus found
F-Prot       3.16a           02.10.2005  no virus found
Kaspersky    4.0.2.24        02.10.2005  no virus found
NOD32v2      1.995           02.10.2005  no virus found
Norman       5.70.10         02.07.2005  no virus found
Panda        8.02.00         02.10.2005  no virus found
Sybari       7.5.1314        02.10.2005  no virus found
Symantec     8.0             02.10.2005  no virus found

VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about availability and continuity of this service. Even when the
detection rate given by the use of multiple antivirus engines is far
superior to the one offered by only one product, these results DO NOT
guarantee the harmlessness of a file. There is no solution that can
offer a 100% rate of effectiveness in recognizing viruses and malware.

I'm interested that only CLAM managed to ID this as Purityscan, one of the
critters Microsoft Antispyware removed, but obviously left this piece behind
(in \windows\system32.)

I'll also submit it to the DHS scanner when I find that URL reference.

Anyway--I think Microsoft Antispyware did a nice job on this machine (and
several others in a small office I seldom visit)--Thanks, Microsoft!
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
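Two checks that follow from this post, as an added example in Python (not the poster's code, nor Microsoft Antispyware's): parse the cleaner.log format quoted above and flag threats that have a start line but no Complete line, and fold lookalike characters such as the "$" in "L$ass.exe" back onto the real binary name. The log excerpt is constructed from the post's own lines, and the substitution table is an assumption.

```python
import re
from datetime import datetime

# Constructed excerpt in the cleaner.log format quoted in the post (not the full log).
SAMPLE_LOG = """\
2/10/2005 10:46:36 AM::Clean Threat MyWebSearch Toolbar (ID:14137)
2/10/2005 10:47:53 AM::Clean Threat MyWebSearch Toolbar (ID:14137) Complete
2/10/2005 10:49:23 AM::Clean Threat Unclassified.Trojan.Z (ID:15205)
2/10/2005 10:49:25 AM::Clean Threat FunWebProducts (ID:14912)
2/10/2005 10:49:26 AM::Clean Threat FunWebProducts (ID:14912) Complete
2/10/2005 10:49:27 AM::Clean Threat CoolWebSearch.StartPage (ID:14949)
2/10/2005 10:49:28 AM::Clean Threat CoolWebSearch (ID:4092)
2/10/2005 10:49:28 AM::Clean Threat CoolWebSearch (ID:4092) Complete
2/10/2005 10:49:31 AM::Unititializing Clean
"""

# One "Clean Threat" line: <timestamp>::Clean Threat <name> (ID:<n>)[ Complete]
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)::Clean Threat "
    r"(?P<name>.+?) \(ID:(?P<id>\d+)\)(?P<done> Complete)?$"
)

def parse_clean_log(text):
    """Map threat ID -> name, start time and end time (None if no Complete line)."""
    threats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separators and the Initializing/Unititializing lines
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        entry = threats.setdefault(m["id"], {"name": m["name"], "start": None, "end": None})
        entry["end" if m["done"] else "start"] = ts
    return threats

def incomplete_cleans(text):
    """Threats that were started but never logged Complete: re-scan these first."""
    return sorted((tid, e["name"]) for tid, e in parse_clean_log(text).items() if e["end"] is None)

def clean_seconds(text, threat_id):
    """Wall-clock seconds between a threat's start line and its Complete line."""
    e = parse_clean_log(text)[threat_id]
    return int((e["end"] - e["start"]).total_seconds())

# Assumed substitution table: characters a masquerading name can swap in for letters.
LOOKALIKE = str.maketrans({"$": "s", "5": "s", "1": "l", "|": "l", "0": "o"})

def masquerades_as(filename, system_name="lsass.exe"):
    """True when filename differs from system_name but folds onto it, like L$ass.exe."""
    folded = filename.lower().translate(LOOKALIKE)
    return folded == system_name and filename.lower() != system_name
```

Run against the full log in the post, the first check reports CoolWebSearch.StartPage (ID:14949) and Unclassified.Trojan.Z (ID:15205), which is consistent with Purityscan remnants surviving the clean.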

Bill Sanderson
      10th Feb 2005
On a final check of this machine I also found a dll--plyw.dll, belonging to
Purityscan still in place on the machine. When I submitted that one to
Virustotal, Kaspersky identified it as adware, in addition to ClamAV.

I also found an unknown BHO which I blocked.

So--the cleaning wasn't perfect, but it was quite good, I think.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Wayne Wastier
      16th Feb 2005
Bill Sanderson wrote:
> On a final check of this machine I also found a dll--plyw.dll,
> belonging to Purityscan still in place on the machine. When I
> submitted that one to Virustotal, Kaspersky identified it as adware,
> in addition to ClamAV.
> I also found an unknown BHO which I blocked.
>
> So--the cleaning wasn't perfect, but it was quite good, I think.


For a BETA, this is great. )
