JPI_Cache worm

Subject Author Date
JPI_Cache worm Phil 08-10-2006
---> Re: JPI_Cache worm David H. Lipman 08-10-2006
---> Re: JPI_Cache worm David H. Lipman 08-10-2006
Posted by Elendil on August 10, 2006, 7:23 pm
Interesting... I was completely off on my guesses of the rogue program
you might be infected with; no matter. Now that you have identified the
source (SpyGuard is a rather vile malware rogue program) it will be much
easier for myself and other helpers to give you an accurate solution. I
should post back within 15 minutes with a decent solution.

Phil wrote:
> When you open the ad it is bringing me to spyguard.com. I will run over there
> and hopefully have the info from the scan in approx 1.5 hrs.

--
3rd Place Florida State Science & Engineering Fair Finalist
Grand Award & 1st Place Broward County Science Fair Winner
Discovery Channel Young Scientist Challenge Competitor
Moving onto high school while losing many friends, yet opening doors to
a new world…

Posted by Phil on August 10, 2006, 9:31 pm
Here is the repost from ewido.

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:        9:11:48 PM 8/10/2006

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\ -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\ -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\ -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-92247039-728987707-2028630691-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\ -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-92247039-728987707-2028630691-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\ -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\IntCodec\iesplugin.dll -> Downloader.Zlob.adl : Cleaned with backup (quarantined).
C:\Program Files\IntCodec\pmmon.exe -> Downloader.Zlob.adl : Cleaned with backup (quarantined).
C:\Program Files\IntCodec\pmsngr.exe -> Downloader.Zlob.adl : Cleaned with backup (quarantined).
C:\Documents and Settings\Phil\Local Settings\Temp\tmp16.tmp -> Not-A-Virus.Hoax.Win32.Renos.dp : Cleaned with backup (quarantined).
C:\Documents and Settings\Phil\Cookies\phil@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Phil\Cookies\phil@coxhsi.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Phil\Cookies\phil@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Phil\Cookies\phil@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Agent.dll -> Trojan.Agent.qg : Cleaned with backup (quarantined).


::Report end


--
Thank you,
Phil


"Elendil" wrote:

> Interesting... I was completely off on my guesses of the rogue program
> you might be infected with; no matter. Now that you have identified the
> source (SpyGuard is a rather vile malware rogue program) it will be much
> easier for myself and other helpers to give you an accurate solution. I
> should post back within 15 minutes with a decent solution.
>
> Phil wrote:
> > When you open the ad it is bringing me to spyguard.com. I will run over there
> > and hopefully have the info from the scan in approx 1.5 hrs.
>
> --
> 3rd Place Florida State Science & Engineering Fair Finalist
> Grand Award & 1st Place Broward County Science Fair Winner
> Discovery Channel Young Scientist Challenge Competitor
> Moving onto high school while losing many friends, yet opening doors to
> a new world…
>

Posted by David H. Lipman on August 10, 2006, 10:00 pm

< snip >

| C:\Program Files\IntCodec\iesplugin.dll -> Downloader.Zlob.adl : Cleaned
| with backup (quarantined).
| C:\Program Files\IntCodec\pmmon.exe -> Downloader.Zlob.adl : Cleaned with
| backup (quarantined).
| C:\Program Files\IntCodec\pmsngr.exe -> Downloader.Zlob.adl : Cleaned with
| backup (quarantined).
| C:\Documents and Settings\Phil\Local Settings\Temp\tmp16.tmp ->

< snip >

Yepper... The ZLob Trojan from the CODEC guys !

Any web site that has "CODEC" in its name and purports to be a Video CODEC is in
reality a ZLob Trojan installer

This PC needs to be cleaned using the SmitFraud family specialized tools !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Elendil on August 11, 2006, 7:59 am
Thanks for doing the analysis for me David! At any rate, Phil, the
anti-smitfraud tools David has recommended (in his nicely organized
procedures) should do the trick in removing the malware on your system.
Please post back with the results on how everything went!

David H. Lipman wrote:
>
> < snip >
>
> | C:\Program Files\IntCodec\iesplugin.dll -> Downloader.Zlob.adl : Cleaned
> | with backup (quarantined).
> | C:\Program Files\IntCodec\pmmon.exe -> Downloader.Zlob.adl : Cleaned with
> | backup (quarantined).
> | C:\Program Files\IntCodec\pmsngr.exe -> Downloader.Zlob.adl : Cleaned with
> | backup (quarantined).
> | C:\Documents and Settings\Phil\Local Settings\Temp\tmp16.tmp ->
>
> < snip >
>
> Yepper... The ZLob Trojan from the CODEC guys !
>
> Any web site that has "CODEC" in its name and purports to be a Video CODEC is
> in reality a ZLob Trojan installer
>
> This PC needs to be cleaned using the SmitFraud family specialized tools !
>


Posted by Elendil on August 10, 2006, 7:26 pm
Actually make that one minute... here's your healing instructions; if
you have any questions feel free to post back here or at BC:

http://www.bleepingcomputer.com/forums/topic58415.html

If you visit that link, you'll be taken to one of Bleeping Computer's
Self-Malware-Removal-Guides. This should effectively remove SpyGuard,
but if not, don't hesitate to post for help!

Phil wrote:
> When you open the ad it is bringing me to spyguard.com. I will run over there
> and hopefully have the info from the scan in approx 1.5 hrs.

