Another ProtectionBar (Zlob)


15 replies to this topic

#1 DrDre

DrDre

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 01 September 2006 - 11:13 AM

Hello,

Spywareinfo.com forums have helped us research so many entries, it is time to start paying back :)

Here is a new ProtectionBar entry (smitfraud or Zlob.. we choose to name it Zlob)

O3 - Toolbar: Protection Bar - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - C:\Program Files\PCODEC\iesplugin.dll

Unfortunately we cannot offer a hjt log, as our system is a bit different.

BTW, we come across new entries very often, please let me know if you'd like us to post on a regular basis.

Best regards,

DrDre
SpyNoMore

#2 DrDre


Posted 01 September 2006 - 04:31 PM

.. Yet another Zlob (smitfraud)

O21 - SSODL: gorgonian - {e944d14a-03aa-43e3-9d0e-4f50c4d1b005} - C:\WINDOWS\system32\eowygj.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad gorgonian {e944d14a-03aa-43e3-9d0e-4f50c4d1b005}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {e944d14a-03aa-43e3-9d0e-4f50c4d1b005} gorgonian

regards,

DrDre
SpyNoMore

#3 Budfred


Posted 01 September 2006 - 05:32 PM

Reply here with submissions of new entries for any of the CastleCops databases --- O2, O3, O4, O9, O10, O16, O18, O20, O21, O22, and O23 databases. We will need to see the entry, the filename, and preferably the log it came from, to determine the associated infection (or legitimate program).

This is the description of the forum you posted in and so I moved it to the more appropriate parent forum...

Without knowing where you got these, who you are and what evidence you have that these are Zlob, it is not clear that this will be helpful... Can you provide more details??
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#4 DrDre


Posted 01 September 2006 - 06:11 PM

Budfred,

I appreciate your concerns and I will try to alleviate them. I work for IllySoft LLC, a registered US company which owns SpyNoMore (http://www.spynomore.com) antispyware. SpyNoMore includes a soon to be patented tool called Custom Fix. Custom Fix allows users to upload a scan report (at their discretion) to our server for further analysis, in case the scan does not pick up on an infection. We analyze the user's report, prepare a fix and dispatch it back directly to them. Custom Fix has enabled us to catch many new malware programs. We note that Zlob is very active nowadays and we tend to target it a bit more aggressively than others. A peculiar style of infection that Zlob follows is to target the 3 locations shown in my thread above, namely:

O21 - SSODL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

It really is no problem for me at all to not post more malware entries. I thought we'd be doing users a favor by exposing the latest threats as and when they come out. If it is the consensus that we hold off on posting, please let me know.

Best regards,

DrDre
SpyNoMore

#5 miekiemoes


Posted 01 September 2006 - 11:46 PM

Hi DrDre,

So as I understand, you want to develop a "Custom Fix" which is an extra service you provide for the users who purchased SpyNoMore?
Or is this a free standalone service? So anyone can submit their reports?

We note that Zlob is very active nowadays and we tend to target it a bit more aggressively than others.

What others do you mean? These Zlob variants have already been very active for a couple of months now and are targeted pretty well by most. There are some free tools that deal with these dlls (SSOD-STS) pretty well, even when the dll is unknown yet.
They deal with related registry entries and give the option to uninstall the rogue scanner (if installed).. which in this case is Virusburst.

I thought we'd be doing users a favor by exposing the latest threats as and when they come out.


That's indeed a favor, but will be a full time job if you want to stay up to date. Because sometimes more than one different dll loaded under SSOD/STS is 'released' in one day. :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#6 DrDre


Posted 02 September 2006 - 01:59 AM

Miekiemoes,

Long time reader and big fan of yours :)

[quote]you want to develop a "Custom Fix" which is an extra service you provide for the users who purchased SpyNoMore?[/quote]
Custom Fix is a tool that is already included in SpyNoMore and it is free of charge for users who have already purchased a SpyNoMore subscription.

[quote]What others do you mean? These Zlob variants are already very active for a couple of months now and is targeted pretty well by most.[/quote]
I meant that we receive users' reports daily and we notice that Zlob seems to be dominant. Our reporting system allows us to catch Zlob (and other) entries as and when they come out. For example, here's a fresh BHO which you will not find any reference to on Google:

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll

[quote]There are some free tools that deal with these dlls (SSOD-STS) pretty good, even when the dll is unknown yet.[/quote]
Agreed, but it is always better and safer to target malware based on solid entries so as not to leave room for guessing, don't you agree?
[quote]That's indeed a favor, but will be a full time job if you want to stay up to date. Because sometimes more than one different dll loaded under SSOD/STS is 'released' in one day. :)[/quote]
That's by no means an exaggeration, but I was thinking we can contribute every now and then, especially if we detect highly active uncharted entries.

All the best to you Miekiemoes :)

DrDre
SpyNoMore

#7 miekiemoes


Posted 02 September 2006 - 07:04 AM

Hi DrDre,

So, Custom Fix is actually an option where users have to submit their reports for any malware related problem or only for the Zlob Variants? And then you write a fix especially for their system? Or give detailed instructions what to delete? A bit the same as we do here with hijackthislogs?
That's indeed a good service.

For example, here's a fresh BHO which you will not find any reference to on Google:

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll


Most scanners do detect and remove the related file ixt1.dll, since that one doesn't change as often as the CLSID. Ideal is of course that both CLSID and file are removed. But targeting and deleting the file is a priority.

Agreed, but it is always better and safer to target malware based on solid entries so as not to leave room for guessing, don't you agree?

In this case, it isn't really guessing - it's comparing entries with each other in the first place. When there is no match, there is no deletion either. And a backup is always created. These tools are updated almost every day with new variants, so the 'heuristic' option of these tools isn't always needed. It creates reports and these reports are needed to update in case the tool doesn't deal with it yet. :)

but I was thinking we can contribute every now and then, especially if we detect highly active uncharted entries.

That would be nice of course.

#8 DrDre


Posted 02 September 2006 - 09:00 AM

Hey Miekiemoes,

So, Custom Fix is actually an option where users have to submit their reports for any malware related problem or only for the Zlob Variants? And then you write a fix especially for their system? Or give detailed instructions what to delete? A bit the same as we do here with hijackthislogs?
That's indeed a good service.


Custom Fix is an option, a second line of defense if you will, for users to submit their reports to our server in case SpyNoMore is not completely removing the infection. We review each report, then prepare a customized fix (tailored to correct the problem coming from that specific user), then dispatch the fix back to the user (we actually upload it on our server, ready to be downloaded by the user). The user can run SpyNoMore, click on Custom Fix, check the status of his / her fix, and if it exists on our server, SpyNoMore will let them know. All they have to do is download and install the fix (via SpyNoMore). So we do not send them back instructions, just the fix. It requires no handling on user's side except for accepting the fix. Custom Fix handles all malware, not just Zlob :) It is similar in nature to HJT, but it targets more areas.

Most scanners do detect and remove the related file ixt1.dll, since that one doesn't change that often as the CLSID. Ideal is ofcourse that both CLSID and file are removed. But targetting and deleting the file is a priority.


Agreed.

In this case, it isn't really guessing - it's comparing entries with eachother in the first place. When no match, not deletion either. And a backup is always created. These tools are updated almost everyday with new variants, so the 'heuristic' option of these tools aren't always needed. It creates reports and these reports are needed to update in case the tool doesn't deal with it yet. :)


Agreed as well. It's when malware targets 'ShellServiceObjectDelayLoad' and 'SharedTaskScheduler' that fast exposure (putting them on forums) helps. I'm not too sure HJT detects these, I may be wrong, please advise.

That would be nice ofcourse.

Thanks :)

Best regards,

DrDre
SpyNoMore

#9 miekiemoes


Posted 02 September 2006 - 09:37 AM

Agreed as well. It's when malware targets 'ShellServiceObjectDelayLoad' and 'SharedTaskScheduler', this is when fast exposure (putting them forums) helps. I'm not too sure HJT detects these, I may be wrong, please advise.


Hijackthis doesn't target the STS yet, but it does target the SSODL. It looks like this for example:

O21 - SSODL: gorgonian - {e944d14a-03aa-43e3-9d0e-4f50c4d1b005} - C:\WINDOWS\system32\eowygj.dll

The above entry is actually already enough for us. We know what file, we know what CLSID and we know it is also present under the STS key, so instructions to manually deal with it are easily given. Smitrem, Smitfraudfix, Roguescanfix and others deal with those as well, so a manual removal is actually not needed. :)

#10 DrDre


Posted 03 September 2006 - 06:04 AM

Thanks Miekiemoes :)

DrDre

#11 DrDre


Posted 05 September 2006 - 01:06 AM

Yet another Zlob

O21 - SSODL: died - {7fa55359-7223-410f-bc82-efb3e3ded07f} - C:\WINDOWS\system32\gtpbx.dll

C:\WINDOWS\system32\gtpbx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad died {7fa55359-7223-410f-bc82-efb3e3ded07f}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {7fa55359-7223-410f-bc82-efb3e3ded07f} died

regards,

DrDre
SpyNoMore

#12 miekiemoes


Posted 05 September 2006 - 05:06 AM

You may want to add next ones as well (again virusburst):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6570b782-1a41-4053-b2c9-12c7fcf0d84d}"="imputable"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"imputable"="{6570b782-1a41-4053-b2c9-12c7fcf0d84d}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6570b782-1a41-4053-b2c9-12c7fcf0d84d}\InProcServer32]
@="C:\\WINDOWS\\System32\\duxzj.dll"
"ThreadingModel"="Apartment"

;)
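The three-key pattern quoted above (SSODL name -> CLSID, SharedTaskScheduler CLSID -> name, CLSID\InProcServer32 -> DLL) can be cross-checked mechanically from a registry export. The Python below is an added example, not code from the thread or from any of the tools it mentions; it parses a constructed .reg export that embeds the "imputable" / duxzj.dll entries quoted above plus a made-up benign SSODL object, and reports every CLSID registered under both SSODL and STS together with the DLL it loads.

```python
import re

# Registry paths the thread identifies as the Zlob/VirusBurst persistence locations
SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
STS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
GUID = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Constructed .reg export: the "imputable"/duxzj.dll entries are the ones quoted in the thread;
# "ConstructedBenign" is made up and lives only under SSODL, so it must not be flagged.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6570b782-1a41-4053-b2c9-12c7fcf0d84d}"="imputable"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"imputable"="{6570b782-1a41-4053-b2c9-12c7fcf0d84d}"
"ConstructedBenign"="{00000000-1111-2222-3333-444444444444}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6570b782-1a41-4053-b2c9-12c7fcf0d84d}\InProcServer32]
@="C:\\WINDOWS\\System32\\duxzj.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\WINDOWS\\System32\\constructed_benign.dll"
"""


def parse_reg(text):
    """Parse .reg export text into {key_path_lowercased: {value_name: string_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # Drop the quotes and undo the doubled backslashes of .reg string data
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_ssodl_sts_pairs(text):
    """Return (ssodl_name, clsid, dll) for every CLSID present under both SSODL and STS."""
    keys = parse_reg(text)
    ssodl = {v.lower(): n for n, v in keys.get(SSODL.lower(), {}).items() if GUID.fullmatch(v)}
    sts = {n.lower() for n in keys.get(STS.lower(), {}) if GUID.fullmatch(n)}
    findings = []
    for clsid in sorted(ssodl.keys() & sts):
        server = keys.get(f"{CLSID_ROOT.lower()}\\{clsid}\\inprocserver32", {})
        findings.append((ssodl[clsid], clsid, server.get("@", "<no InProcServer32>")))
    return findings


print(find_ssodl_sts_pairs(SAMPLE_REG))
```

Run against a real export (regedit "Export" of the three keys), a hit means the SSODL object is also scheduled through STS, which is exactly the combination the thread describes; the DLL path is what the manual or tool-based removal then has to cover.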

#13 DrDre


Posted 05 September 2006 - 08:41 AM

Hey, thanks ;)

#14 TonyKlein


Posted 09 September 2006 - 02:06 PM

And a belated thank you!

Tracking this topic now... ;)

http://castlecops.com/CLSID.html

Edited by TonyKlein, 09 September 2006 - 02:06 PM.


#15 DrDre


Posted 14 September 2006 - 06:21 AM

You're welcome Tony, it's a pleasure to cooperate with such high caliber people like Miekiemoes and yourself :)

Here's latest Zlob.VirusBurst, fresh from the oven ;)

C:\WINDOWS\system32\syycum.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6076d2b1-634c-4685-843b-f826045ea5dc}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6076d2b1-634c-4685-843b-f826045ea5dc}\InProcServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6076d2b1-634c-4685-843b-f826045ea5dc}\InProcServer32\@="C:\WINDOWS\System32\syycum.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6076d2b1-634c-4685-843b-f826045ea5dc}\InProcServer32\ThreadingModel="Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{6076d2b1-634c-4685-843b-f826045ea5dc}="hemadynamometer"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\hemadynamometer="{6076d2b1-634c-4685-843b-f826045ea5dc}"

Best regards,

DrDre
SpyNoMore

#16 srosscal


Posted 27 October 2006 - 12:23 PM

[quote name='DrDre' date='Sep 1 2006, 05:11 PM' post='458633']
Budfred,

I appreciate your concerns and I will try to alleviate them. I work for IllySoft LLC, a registered US company which owns SpyNoMore (http://www.spynomore.com) antispyware. SpyNoMore includes a soon to be patented tool called Custom Fix. Custom Fix allows users to upload a scan report (at their discretion) to our server for further analysis, in case the scan does not pick up on an infection. We analyze the user's report, prepare a fix and dispatch it back directly to them. Custom Fix has enabled us to catch many new malware programs. We note that Zlob is very active nowadays and we tend to target it a bit more aggressively than others. A peculiar style of infection that Zlob follows is to target the 3 locations shown in my thread above, namely"

O21 - SSODL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

It really is no problem for me at all to not post more malware entries. I thought we'd be doing users a favor by exposing the latest threats as and when they come out. If it is the consensus that we hold off on posting, please let me know.

Best regards,

DrDre
SpyNoMore
[/quote]

from srosscal
I was told by SpyNoMore if I download their program it would remove it, and it found and removed most of it, however the bar is still there. What can I do? I have been emailing you guys and getting nowhere.
Got any thoughts?
