I have removed numerous infections from a system.

4 Trojans
Win32/Tibs.HH
Win32/Vundo.gen!C
Win32/Vundo.gen!E
Win32/Zlob.2WY

Adware
Win32/Antivirus2008 - aka Trojan.FakeAlert.RL

Apparently I'm still missing one or more things.

These are the current issues:

1. Hosts file is ignored. I've checked the registry and group policy; nothing is set in the normal places that would tell MSFT to look somewhere else or disable it.
2. IE7 allows me to google but all links are bogus and point somewhere else and redirect.
3. I can type in addresses that work, like superantispyware, but I cannot download it. I've downloaded it on another system and have even installed it, but sometimes the 'check for updates' will fail and, partly into the scan, it reboots the system.
4. Finally got Defender to install but the updates check returns: 0x80060422.
5. DEP was blocking IE7 and notepad. Modified DEP to 'all' and then added those to be able to use them. Had to return it back to Windows only to get Defender to install.
6. Windows Live OneCare Online Security Scan found the trojans; some were in recent restore points. Those have been removed.
7. Running an EMSI A-Squared (ActiveX control) scan now but nothing found so far.
8. I uninstalled IE7 (using IE6 now). IE is still hooked, and even though I hard coded the IP for www.superantispyware.com in the hosts file, it returns a failure: "Ping request could not find host www.superantispyware.com. Please check the name and try again."
9. I ran sfc /scannow - no change to anything.

The hosts file has me baffled and leads me to believe something is still present and capturing the call. I cannot get my sniffer to work on that system. Filemon would take me quite a while to get information from it. Process Explorer didn't show anything revealing.

I feel it's tied to a profile because if we kill the admin profile and recreate it, it works.

Any idea what I'm missing or possible tasks to try?
"Roland Hall" <nobody@nowhere> wrote in message news:%23$wvXAf4IHA.784@TK2MSFTNGP04.phx.gbl...
> [...]
> Any idea what I'm missing or possible tasks to try?

IMSI found Riskware.RiskTool.Win32.Processor.20
Who comes up with these names? *rme*
File: c:\windows\system32\process.exe

Defender found nothing. I ran autoruns and searched for process.exe but nothing was found.

Prevx.com says it's bad:
http://www.prevx.com/filenames/X2766939096032263765-0/PROCESS.EXE.html

...but it appears the process.exe I have is this one:
http://www.beyondlogic.org/solutions/processutil/processutil.htm

It may have been put there by one of the trojans.

-- Roland Hall
An infected wsock32.dll or ws2_32.dll could be the cause. Or a trojan Layered Service Provider (LSP). See if you have the LSP Explorer add-on installed in Ad-Aware.

"Roland Hall" <nobody@nowhere> wrote in message news:%23$wvXAf4IHA.784@TK2MSFTNGP04.phx.gbl...
> I have removed numerous infections from a system.
> [...]
> 1. Hosts file is ignored. I've checked the registry and group policy;
> nothing is set in the normal places that would tell MSFT to look
> somewhere else or disable it.
> [...]
> 8. I uninstalled IE7 (using IE6 now). IE is still hooked, and even though I
> hard coded the IP for www.superantispyware.com in the hosts file, it
> returns a failure: "Ping request could not find host www.superantispyware.com.
> Please check the name and try again."
> [...]
> The hosts file has me baffled and leads me to believe something is still
> present and capturing the call.
> [...]
> Any idea what I'm missing or possible tasks to try?
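The LSP check this reply suggests, as an added example that is not code from anyone in the thread: a Python script that parses the text printed by `netsh winsock show catalog` (available on Windows XP SP2 and later) and lists every Winsock catalog entry whose provider DLL is not one of the stock Microsoft providers. A trojan LSP registers an extra catalog entry pointing at its own DLL, which would explain name resolution being intercepted regardless of what the hosts file says. The allowlist of stock DLL names is an assumption made for the example, and the sample catalog text embedded below is constructed (placeholder DLL name and GUIDs), not captured from the affected machine.

```python
"""Spot non-standard Winsock providers in `netsh winsock show catalog` output.

Added example, not code from this thread. Run the netsh command on the
affected box, save its output to a file, and pass that file as argv[1];
with no argument the constructed sample below is used.
"""
import re
from typing import Dict, List

# Stock provider DLLs on a clean Windows XP/2003 installation. This allowlist
# is an ASSUMPTION for the example: confirm it against a known-clean machine
# of the same Windows version, since firewalls and some VPN clients also
# install legitimate LSPs that would be flagged here.
KNOWN_GOOD_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nwprovau.dll"}

# "Field Name:    value" lines as netsh prints them.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")

# CONSTRUCTED sample output: one stock entry, one made-up LSP entry with a
# placeholder DLL and GUID, and one name-space provider entry (netsh prints
# those without a Provider Path field).
SAMPLE_OUTPUT = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        EXAMPLE LSP over [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\WINDOWS\system32\EXAMPLE_lsp.dll
Catalog Entry ID:                   1038
Protocol Chain Length:              2

Name Space Provider Entry
------------------------------------------------------
Description:                        Tcpip
Provider ID:                        {11111111-1111-1111-1111-111111111111}
Name Space:                         12
Active:                             1
"""


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one dict of fields per '... Provider Entry' block."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}  # fields before the first header are discarded
    for line in text.splitlines():
        if line.strip().endswith("Provider Entry"):
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2)
    return [e for e in entries if e]


def dll_name(path: str) -> str:
    """Lower-cased file name of a provider path (handles %SystemRoot% prefixes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_entries(text: str) -> List[Dict[str, str]]:
    """Catalog entries whose provider DLL is not in KNOWN_GOOD_DLLS."""
    flagged = []
    for entry in parse_catalog(text):
        path = entry.get("Provider Path")
        if path is None:  # name-space entries carry no DLL path in this output
            continue
        if dll_name(path) not in KNOWN_GOOD_DLLS:
            flagged.append(entry)
    return flagged


def report(text: str) -> List[str]:
    """One summary line per flagged entry: catalog id, entry type, DLL path."""
    return [
        f"{e.get('Catalog Entry ID', '?')}  {e.get('Entry Type', '?')}  {e['Provider Path']}"
        for e in suspicious_entries(text)
    ]


if __name__ == "__main__":
    import sys
    # Typical use: netsh winsock show catalog > catalog.txt, then run with catalog.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for line in report(text) or ["no non-standard provider DLLs found"]:
        print(line)
```

Anything the script lists deserves a look at the DLL itself (file version, signature, creation time) before acting on it. If a rogue LSP is confirmed, `netsh winsock reset` on XP SP2 and later rebuilds the catalog from the stock entries, which is also the cure when removing the DLL by hand leaves a broken chain that kills all networking.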