A cleaning success

Bill Sanderson

I had a chance to work with a machine with a significant infestation today,
and was pleased with the results--here's a condensed version of the
cleaner.log:

2/10/2005 10:46:35 AM::------------------------------------------------------------------
2/10/2005 10:46:35 AM::Initializing Clean - (ScanID:
EA62F7C5-C951-43A9-8027-7CD956)
2/10/2005 10:46:36 AM::Clean Threat MyWebSearch Toolbar (ID:14137)
2/10/2005 10:47:53 AM::Clean Threat MyWebSearch Toolbar (ID:14137) Complete
2/10/2005 10:47:54 AM::Clean Threat 180search Assistant (ID:14814)
2/10/2005 10:48:05 AM::Clean Threat 180search Assistant (ID:14814) Complete
2/10/2005 10:48:05 AM::Clean Threat IST.ISTbar (ID:7457)
2/10/2005 10:48:13 AM::Clean Threat IST.ISTbar (ID:7457) Complete
2/10/2005 10:48:13 AM::Clean Threat Trojan.Downloader.TargetSavers (ID:15121)
2/10/2005 10:48:25 AM::Clean Threat Trojan.Downloader.TargetSavers (ID:15121) Complete
2/10/2005 10:48:25 AM::Clean Threat Travelling Salesman (ID:15211)
2/10/2005 10:48:26 AM::Clean Threat Travelling Salesman (ID:15211) Complete
2/10/2005 10:48:26 AM::Clean Threat AvenueMedia.DyFuCA (ID:4711)
2/10/2005 10:48:35 AM::Clean Threat AvenueMedia.DyFuCA (ID:4711) Complete
2/10/2005 10:48:35 AM::Clean Threat IST.PowerScan (ID:9942)
2/10/2005 10:48:37 AM::Clean Threat IST.PowerScan (ID:9942) Complete
2/10/2005 10:48:37 AM::Clean Threat SideFind (ID:14817)
2/10/2005 10:48:51 AM::Clean Threat SideFind (ID:14817) Complete
2/10/2005 10:48:51 AM::Clean Threat ShopAtHome (ID:10773)
2/10/2005 10:49:16 AM::Clean Threat ShopAtHome (ID:10773) Complete
2/10/2005 10:49:16 AM::Clean Threat Popular Screensavers (ID:14911)
2/10/2005 10:49:16 AM::Clean Threat Popular Screensavers (ID:14911) Complete
2/10/2005 10:49:17 AM::Clean Threat Xrenoder (ID:12166)
2/10/2005 10:49:19 AM::Clean Threat Xrenoder (ID:12166) Complete
2/10/2005 10:49:19 AM::Clean Threat IST.XXXToolbar (ID:14816)
2/10/2005 10:49:20 AM::Clean Threat IST.XXXToolbar (ID:14816) Complete
2/10/2005 10:49:20 AM::Clean Threat MediaTickets CDT (ID:14900)
2/10/2005 10:49:23 AM::Clean Threat MediaTickets CDT (ID:14900) Complete
2/10/2005 10:49:23 AM::Clean Threat Unclassified.Trojan.Z (ID:15205)
2/10/2005 10:49:25 AM::Clean Threat FunWebProducts (ID:14912)
2/10/2005 10:49:26 AM::Clean Threat FunWebProducts (ID:14912) Complete
2/10/2005 10:49:26 AM::Clean Threat MoneyTree (ID:8632)
2/10/2005 10:49:27 AM::Clean Threat MoneyTree (ID:8632) Complete
2/10/2005 10:49:27 AM::Clean Threat CoolWebSearch.StartPage (ID:14949)
2/10/2005 10:49:28 AM::Clean Threat CoolWebSearch (ID:4092)
2/10/2005 10:49:28 AM::Clean Threat CoolWebSearch (ID:4092) Complete
2/10/2005 10:49:28 AM::Clean Threat IST.SlotchBar (ID:4739)
2/10/2005 10:49:29 AM::Clean Threat IST.SlotchBar (ID:4739) Complete
2/10/2005 10:49:29 AM::Clean Threat ClickSpring.PuritySCAN (ID:10115)
2/10/2005 10:49:29 AM::Clean Threat ClickSpring.PuritySCAN (ID:10115) Complete
2/10/2005 10:49:30 AM::Clean Threat Claria.DashBar (ID:4207)
2/10/2005 10:49:30 AM::Clean Threat Claria.DashBar (ID:4207) Complete
2/10/2005 10:49:31 AM::Unititializing Clean
2/10/2005 10:49:31 AM::------------------------------------------------------------------
2/10/2005 10:53:22 AM::------------------------------------------------
2/10/2005 10:53:22 AM::Starting GIANT AS Cleaner
2/10/2005 10:53:22 AM::Running all Cleaner deletes
2/10/2005 10:53:22 AM::---Starting Quick Cleaner DelFolders
2/10/2005 10:53:22 AM::---Starting Quick Cleaner DelRegKeys
2/10/2005 10:53:22 AM::---Starting Quick Cleaner DelRegValues
2/10/2005 10:53:22 AM::Checking threats to clean
2/10/2005 10:53:22 AM::Ending GIANT AS Cleaner
2/10/2005 10:53:22 AM::------------------------------------------------

You'll note there are some high-profile names in there--coolwebsearch and
istbar, for example, but these probably aren't the latest and greatest
examples of those genres.

This machine is behind an ISA Server firewall, but not part of a domain or
managed in any way. It has Norton Antivirus 2003 in place, up to date, and
with a current scan. Norton doesn't see this stuff, apparently, or perhaps
the users are ignoring the scan results--I need to re-check that detail.

One scan was all this took--I've done a subsequent scan in safe mode and it
found a no-name, no-details browser hijacker, so I'm not sure what that is,
but I removed it.

After the scan completed, checking over executables on the drive, I did find
something which at a command prompt looks like "L$ass.exe", but in Explorer,
looks like LSASS.EXE--good trick! System, Hidden, read-only, so I pulled it
off and submitted it to Virustotal, with the below result:

Results of a file scan
This is the report of the scanning done over "l__1109" file that VirusTotal
processed on 02/10/2005 at 19:48:14 (GMT+1).
Antivirus     Version         Update       Result
AntiVir       6.29.0.11       02.10.2005   no virus found
AVG           718             02.10.2005   no virus found
BitDefender   7.0             02.10.2005   no virus found
ClamAV        devel-20050130  02.10.2005   Trojan.Dropper.Purityscan.I
DrWeb         4.32b           02.10.2005   no virus found
eTrust-Iris   7.1.194.0       02.10.2005   no virus found
eTrust-Vet    11.7.0.0        02.10.2005   no virus found
Fortinet      2.51            02.09.2005   no virus found
F-Prot        3.16a           02.10.2005   no virus found
Kaspersky     4.0.2.24        02.10.2005   no virus found
NOD32v2       1.995           02.10.2005   no virus found
Norman        5.70.10         02.07.2005   no virus found
Panda         8.02.00         02.10.2005   no virus found
Sybari        7.5.1314        02.10.2005   no virus found
Symantec      8.0             02.10.2005   no virus found

VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about availability and continuity of this service. Even when the
detection rate given by the use of multiple antivirus engines is far
superior to the one offered by only one product, these results DO NOT
guarantee the harmlessness of a file. There is no solution that can
offer a 100% rate of effectiveness recognizing viruses and malware.

I'm interested that only CLAM managed to ID this as Purityscan, one of the
critters Microsoft Antispyware removed, but obviously left this piece behind
(in \windows\system32.)

I'll also submit it to the DHS scanner when I find that URL reference.

Anyway--I think Microsoft Antispyware did a nice job on this machine (and
several others in a small office I seldom visit)--Thanks, Microsoft!
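One thing worth checking in a cleaner.log like the one above is whether every "Clean Threat" entry has a matching "Complete" line; in the log as posted, two entries (Unclassified.Trojan.Z and CoolWebSearch.StartPage) never get one, which is exactly the kind of leftover that turns up on a second pass. The following parser is an added example written for this thread, not part of the original post or of the GIANT/Microsoft Antispyware product. It assumes the log format shown above (timestamp, "::", event text, threat ID in parentheses) and that a newsreader may have wrapped long lines, so it rejoins any line that does not begin with a timestamp onto the previous one. The sample log embedded below is a constructed excerpt of the posted log.

```python
import re
from collections import OrderedDict

# Constructed excerpt of the cleaner.log posted above, with the same
# newsreader line wrapping the post shows (continuation lines lack a timestamp).
SAMPLE_LOG = """
2/10/2005 10:46:35
AM::------------------------------------------------------------------
2/10/2005 10:46:36 AM::Clean Threat MyWebSearch Toolbar (ID:14137)
2/10/2005 10:47:53 AM::Clean Threat MyWebSearch Toolbar (ID:14137) Complete
2/10/2005 10:48:13 AM::Clean Threat Trojan.Downloader.TargetSavers
(ID:15121)
2/10/2005 10:48:25 AM::Clean Threat Trojan.Downloader.TargetSavers
(ID:15121) Complete
2/10/2005 10:49:23 AM::Clean Threat Unclassified.Trojan.Z (ID:15205)
2/10/2005 10:49:25 AM::Clean Threat FunWebProducts (ID:14912)
2/10/2005 10:49:26 AM::Clean Threat FunWebProducts (ID:14912) Complete
2/10/2005 10:49:27 AM::Clean Threat CoolWebSearch.StartPage (ID:14949)
2/10/2005 10:49:28 AM::Clean Threat CoolWebSearch (ID:4092)
2/10/2005 10:49:28 AM::Clean Threat CoolWebSearch (ID:4092) Complete
2/10/2005 10:49:29 AM::Clean Threat ClickSpring.PuritySCAN (ID:10115)
2/10/2005 10:49:29 AM::Clean Threat ClickSpring.PuritySCAN (ID:10115)
Complete
2/10/2005 10:49:31 AM::Unititializing Clean
"""

TIMESTAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} ")
CLEAN_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)::"
    r"Clean Threat (?P<name>.+?) \(ID:(?P<id>\d+)\)(?P<done> Complete)?$"
)


def unwrap_lines(text):
    """Rejoin lines that a mail/news client wrapped.

    Any non-empty line that does not start with a timestamp is treated as a
    continuation of the previous log entry (assumption based on the posted log).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_cleaner_log(text):
    """Return (started, completed): threats whose clean began, and IDs that finished."""
    started = OrderedDict()   # threat ID -> threat name, in log order
    completed = set()         # threat IDs with a matching "Complete" line
    for entry in unwrap_lines(text):
        m = CLEAN_RE.match(entry)
        if not m:
            continue          # separators, Initializing/Unititializing, etc.
        tid = int(m.group("id"))
        if m.group("done"):
            completed.add(tid)
        else:
            started[tid] = m.group("name")
    return started, completed


def incomplete_cleans(text):
    """Threats the cleaner started on but never reported as Complete."""
    started, completed = parse_cleaner_log(text)
    return {tid: name for tid, name in started.items() if tid not in completed}


if __name__ == "__main__":
    for tid, name in incomplete_cleans(SAMPLE_LOG).items():
        print(f"no Complete line for {name} (ID:{tid}) - re-scan / inspect manually")
```

Run against the full log, the script lists the entries that deserve a manual follow-up (a safe-mode re-scan, or a look at the paths the cleaner touched), which is a cheaper first step than checking every executable on the drive.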
 
Bill Sanderson

On a final check of this machine I also found a dll--plyw.dll, belonging to
Purityscan still in place on the machine. When I submitted that one to
Virustotal, Kaspersky identified it as adware, in addition to ClamAV.

I also found an unknown BHO which I blocked.

So--the cleaning wasn't perfect, but it was quite good, I think.
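The "L$ass.exe" file from the first post, which reads as LSASS.EXE in Explorer and sat in \windows\system32 alongside the real binary, is the sort of leftover a manual check catches and a signature scan may not. A simple defensive check is to fold file names into the form a human reads them as (case, look-alike characters such as "$" for "s") and compare that against the names of well-known system processes; a match whose real spelling differs, or that lives outside the expected directory, is worth pulling off the machine and submitting for analysis. The script below is an added example written for this thread, not code from the original posts or from any product mentioned; the allow-list of system binaries, the confusable-character map, and the directory listing it scans are all constructed for the example.

```python
import re
import unicodedata
from pathlib import PureWindowsPath

# Constructed allow-list: canonical name -> directory it legitimately lives in.
KNOWN_SYSTEM_BINARIES = {
    "lsass.exe": r"C:\Windows\System32",
    "svchost.exe": r"C:\Windows\System32",
    "csrss.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}

# Characters that read as letters at a glance (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"$": "s", "5": "s", "0": "o", "1": "l", "|": "l", "@": "a"})


def normalize(name):
    """Fold a file name to how a human reads it: compatibility-normalize,
    lower-case, swap look-alike characters, drop anything non-alphanumeric."""
    folded = unicodedata.normalize("NFKC", name).lower().translate(CONFUSABLES)
    return re.sub(r"[^a-z0-9.]", "", folded)


def classify(path):
    """Return (verdict, canonical_name) for one file path.

    verdict is one of:
      "ok"             - exact system name in its expected directory
      "lookalike-name" - reads like a system binary but is spelled differently
      "wrong-directory"- exact system name, but not where it belongs
      "unknown"        - does not resemble any listed system binary
    """
    p = PureWindowsPath(path)
    norm = normalize(p.name)
    for canonical, expected_dir in KNOWN_SYSTEM_BINARIES.items():
        if normalize(canonical) != norm:
            continue
        if p.name.lower() != canonical:
            return ("lookalike-name", canonical)
        if str(p.parent).lower() != expected_dir.lower():
            return ("wrong-directory", canonical)
        return ("ok", canonical)
    return ("unknown", None)


def suspicious_files(paths):
    """Filter a listing down to the entries that merit a manual look."""
    findings = []
    for path in paths:
        verdict, canonical = classify(path)
        if verdict in ("lookalike-name", "wrong-directory"):
            findings.append((path, verdict, canonical))
    return findings


# Constructed directory listing for the example; the first entry mirrors the
# file described in the post, the rest are made up.
SAMPLE_LISTING = [
    r"C:\Windows\System32\L$ass.exe",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Windows\notepad.exe",
    r"C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for path, verdict, canonical in suspicious_files(SAMPLE_LISTING):
        print(f"{verdict:15} {path}  (resembles {canonical})")
```

Note that the directory check alone would not have flagged the file from the post, since it was placed in the same folder as the genuine lsass.exe; the name-folding step is what catches it. On a live system the listing would come from a recursive walk of the system folders, and the hidden/system/read-only attributes the post mentions are another cheap signal to add to the verdict.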
 
Wayne Wastier

Bill said:
On a final check of this machine I also found a dll--plyw.dll,
belonging to Purityscan still in place on the machine. When I
submitted that one to Virustotal, Kaspersky identified it as adware,
in addition to ClamAV.
I also found an unknown BHO which I blocked.

So--the cleaning wasn't perfect, but it was quite good, I think.

For a BETA, this is great. :blush:)