Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

ZLOB infection, think I've killed it but want to make sure

Post by Triss » December 5th, 2008, 7:51 pm

Hi all

As you can see from the subject line I was hit by the ZLOB Trojan 2 days ago. I've spent the last 2 evenings cleaning and scanning my PC. Oh and kicking myself because I'm usually one of those extremely careful people and did something completely stupid. I got one of those Facebook links, from someone I know. When it wanted to install something I very carefully downloaded the file and scanned it with AVG (which is kept up to date) and it found nothing. So I ran the file, and of course it was a Trojan :( :oops: .

I already had AVG (Free version), Windows Defender, and Spybot S&D running on my system. Windows Defender caught the ZLOB infection and said it had removed it, but it began hijacking my browser homepage, so I went looking for help.

I found the Malware Removal and Prevention guide at Castlecops, and followed it. I'll list everything I've done in sequence as accurately as I can remember.
http://wiki.castlecops.com/Malware_Remo ... :_Overview

While following the guide I have done the following:
Uninstalled utorrent (the only file sharing I use, and rarely)
I performed a preliminary HijackThis reference scan and have that log saved on my desktop if you need it

Add/Remove Programs:
I uninstalled an app named "Toolbar" back when I was following the guide, and have since noticed and removed another named "System Requirements Lab" as they were the only apps on my PC I did not recognise as something I had installed.

Clutter:
I ran CCleaner and ATF Cleaner

Antispyware:
Spybot S&D on first pass found ZLOB and claimed to have removed it. On next pass it claimed my system was clean.
Windows Defender (having been the initial program that "found and removed" the ZLOB infection): I ran a full scan and the only threats it recognised were old installers for Kazaa and Getright, neither of which were installed. I let it remove them anyway.
Meanwhile, even as Spybot was swearing blind that my system was clean, I had browsers opening up at random and fake popup messages finding fake trojans and offering to clean them (I was closing windows as fast as I could).
So I uninstalled Spybot in disgust and downloaded SuperAntiSpyware, and it found and removed 32 threats, including 2 memory resident processes. My browser has behaved itself since, and the next time I scanned it came back clean. I have kept logs if you need them.

Antiviral scans:
I went to Eset and ran their antiviral scan, which told me I had to buy Nod32, grrr
So I used Kaspersky online scanner. It found an old email from 2005 that had an exe I'd never installed (thank goodness), containing a World of Warcraft keylogger, which I then found and deleted. Other than that it found some old joke flash videos that it listed as potential adware but nothing more sinister. I deleted them anyway and re-ran the Kaspersky full scan and it came back clean.

AntiTrojan Scans:
I then ran MalwareBytes Anti-Malware, which again found ZLOB files and registry entries and deleted them! I have the log if you need that. The real worry is that it appears to have removed the same things that SuperAntispyware had already removed.
I have since run it again and it found nothing.

Last night I ran another SuperAntiSpyware scan which reported clean, then set an AVG full system scan running and went to bed with it set to turn off the PC when done.
This morning I ran another MBAM scan and that has also come back clean.

I now have Javacool's SpywareGuard and SpywareBlaster installed along with the other programs I've mentioned. I keep Windows up to date, and will reinstall SpyBot if you recommend I do so.

Basically I just want to make sure I've got the thing; it worries me that it appeared to reinfect my system (i.e. that Malwarebytes found it after SuperAntispyware said it had cleaned it out).

Ok so here's my latest hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:13 p.m., on 6/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files (x86)\Microsoft Office\Office\OSA.EXE
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\SpywareGuard\sgmain.exe
C:\Program Files (x86)\SpywareGuard\sgbhp.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files (x86)\SpywareGuard\dlprotect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] "C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files (x86)\Microsoft Office\Office\OSA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files (x86)\SpywareGuard\sgmain.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.eset.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7973 bytes

Thanks very much in advance, I very much appreciate your help (and patience). I've been using PCs pretty much all my life and owned my own computer for at least 12 years and this is the first time I've ever actually had a virus infect my system. :(
Triss
Active Member
 
Posts: 12
Joined: December 5th, 2008, 6:56 pm
Location: Auckland, New Zealand
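As an added example (not code from the thread, from Trend Micro or from HijackThis), here is a small Python triage helper for HijackThis v2 logs like the ones posted in this thread: it parses the R/O entries, flags IE start/search pages that are not the Microsoft defaults shown in the log (the homepage hijack Triss describes), lists O23 services reported as "(file missing)" for a helper to review, and diffs two scans while ignoring case-only changes. The two sample scans are constructed excerpts modelled on the posted log; the non-default start page in the first one is a made-up placeholder.

```python
"""Triage helpers for HijackThis v2 log text (added example, not the thread's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An entry line looks like "R0 - ..." or "O23 - ..."; header, process list and footer do not.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in a binary/shortcut extension; quotes and trailing args excluded.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|sys|cab|lnk)\b', re.IGNORECASE)
# IE start/search page values that the posted logs show as Microsoft defaults.
DEFAULT_IE_PAGES = {
    "about:blank",
    "http://go.microsoft.com/fwlink/?LinkId=54896",
    "http://go.microsoft.com/fwlink/?LinkId=69157",
}


@dataclass(frozen=True)
class HjtEntry:
    code: str            # HijackThis section, e.g. "R0", "O2", "O23"
    body: str            # everything after "Rn - " / "On - "
    path: Optional[str]  # first drive-letter path in the body, if any
    file_missing: bool   # HijackThis could not find the referenced file

    @property
    def key(self) -> str:
        """Case-insensitive identity used when diffing two scans."""
        return f"{self.code} - {self.body}".lower()


def parse_hjt(text: str) -> List[HjtEntry]:
    """Return one HjtEntry per R/O line of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(HjtEntry(m.group("code"), body,
                                pm.group(0) if pm else None,
                                body.endswith("(file missing)")))
    return entries


def nondefault_ie_pages(entries: List[HjtEntry]) -> List[str]:
    """R0/R1 start/search page values that are neither empty nor a known default."""
    flagged = []
    for e in entries:
        is_page_key = "Internet Explorer\\Main," in e.body or "Internet Explorer\\Search," in e.body
        if e.code in ("R0", "R1") and is_page_key and "=" in e.body:
            value = e.body.split("=", 1)[1].strip()
            if value and value not in DEFAULT_IE_PAGES:
                flagged.append(value)
    return flagged


def missing_services(entries: List[HjtEntry]) -> List[str]:
    """Short names of O23 services whose binary HijackThis reported as missing."""
    names = []
    for e in entries:
        if e.code == "O23" and e.file_missing:
            head = e.body.split(" - ")[0]            # e.g. "Service: @keyiso.dll,-100 (KeyIso)"
            m = re.search(r"\(([^()]+)\)$", head)
            names.append(m.group(1) if m else head.removeprefix("Service: "))
    return names


def diff_logs(old: str, new: str) -> Tuple[List[str], List[str]]:
    """(added, removed) entry keys between two scans; case-only changes are not reported."""
    old_keys = {e.key for e in parse_hjt(old)}
    new_keys = {e.key for e in parse_hjt(new)}
    return sorted(new_keys - old_keys), sorted(old_keys - new_keys)


# Constructed excerpt modelled on the posted log; the start page is a made-up placeholder.
SCAN_1 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Program Files (x86)\AVG\AVG8\avgtray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/placeholder
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
"""
# Constructed follow-up scan: start page back to about:blank, QuickTime entry gone,
# Winlogon entry differs only in case (as between the two posted logs).
SCAN_2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    first = parse_hjt(SCAN_1)
    print("non-default IE pages:", nondefault_ie_pages(first))
    print("O23 services reported missing:", missing_services(first))
    print("added / removed between scans:", diff_logs(SCAN_1, SCAN_2))
```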

Re: ZLOB infection, think I've killed it but want to make sure

Post by Katana » December 16th, 2008, 6:16 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe


----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following


Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: ZLOB infection, think I've killed it but want to make sure

Post by Triss » December 17th, 2008, 3:05 am

Hi Katana and thanks very much for responding. Delay perfectly understandable, just relieved you're on the case :D

I ran RSIT.exe as you explained, but it only opened log.txt, not info.txt; I'm not sure if I missed something.

Below is the log.txt that it opened:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Donna at 2008-12-17 19:58:52
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 296 GB (62%) free of 477 GB
Total RAM: 4094 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:57 p.m., on 17/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files (x86)\Microsoft Office\Office\OSA.EXE
C:\Program Files (x86)\SpywareGuard\sgmain.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\SpywareGuard\sgbhp.exe
C:\Users\Donna\Desktop\RSIT.exe
C:\Program Files (x86)\Trend Micro\HijackThis\Donna.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files (x86)\SpywareGuard\dlprotect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] "C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files (x86)\Microsoft Office\Office\OSA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files (x86)\SpywareGuard\sgmain.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.eset.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7946 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files (x86)\AVG\AVG8\avgssie.dll [2008-08-29 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
SpywareGuardDLBLOCK.CBrowserHelper - C:\Program Files (x86)\SpywareGuard\dlprotect.dll [2003-08-02 192512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files (x86)\Java\jre6\bin\ssv.dll [2008-12-05 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL [2008-07-26 2055960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2008-12-05 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL [2008-07-26 2055960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=C:\PROGRA~2\AVG\AVG8\avgtray.exe [2008-11-29 1261336]
"AppleSyncNotifier"=C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-22 116040]
"QuickTime Task"=C:\Program Files (x86)\QuickTime\QTTask.exe [2008-05-27 413696]
"iTunesHelper"=C:\Program Files (x86)\iTunes\iTunesHelper.exe [2008-07-30 289064]
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"NeroFilterCheck"=C:\Windows\system32\NeroCheck.exe [2001-07-09 155648]
"SunJavaUpdateSched"=C:\Program Files (x86)\Java\jre6\bin\jusched.exe [2008-12-05 136600]
"PE2CKFNT SE"=C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe [1998-07-03 25088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1555968]
"SUPERAntiSpyware"=C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-12-13 1809648]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Photo Express Calendar Checker SE.lnk - C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe

C:\Users\Donna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Microsoft Find Fast.lnk - C:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk - C:\Program Files (x86)\Microsoft Office\Office\OSA.EXE
SpywareGuard.lnk - C:\Program Files (x86)\SpywareGuard\sgmain.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.DLL [2008-12-13 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files (x86)\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=C:\Program Files (x86)\SpywareGuard\spywareguard.dll [2003-08-02 126976]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=
"ForceActiveDesktopOn"=
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-12-14 13:20:53 ----D---- C:\ViewSonic
2008-12-13 13:15:00 ----D---- C:\Users\Donna\AppData\Roaming\Media Player Classic
2008-12-13 13:10:36 ----D---- C:\Users\Donna\AppData\Roaming\Real
2008-12-13 13:10:36 ----D---- C:\ProgramData\Real
2008-12-13 13:10:36 ----D---- C:\Program Files (x86)\Real Alternative
2008-12-13 13:10:36 ----A---- C:\Windows\system32\rmoc3260.dll
2008-12-13 13:10:36 ----A---- C:\Windows\system32\pndx5032.dll
2008-12-13 13:10:36 ----A---- C:\Windows\system32\pndx5016.dll
2008-12-13 13:10:36 ----A---- C:\Windows\system32\pncrt.dll
2008-12-13 13:10:36 ----A---- C:\Windows\system32\msvcr71.dll
2008-12-13 13:10:36 ----A---- C:\Windows\system32\msvcp71.dll
2008-12-11 02:33:17 ----A---- C:\Windows\system32\tzres.dll
2008-12-10 21:59:14 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2008-12-10 21:59:14 ----A---- C:\Windows\system32\Apphlpdm.dll
2008-12-10 21:58:48 ----A---- C:\Windows\system32\gdi32.dll
2008-12-10 21:58:46 ----A---- C:\Windows\system32\explorer.exe
2008-12-10 21:58:46 ----A---- C:\Windows\explorer.exe
2008-12-10 21:58:43 ----A---- C:\Windows\system32\mf.dll
2008-12-10 21:58:42 ----A---- C:\Windows\system32\WMVCORE.DLL
2008-12-10 21:58:42 ----A---- C:\Windows\system32\WMNetMgr.dll
2008-12-10 21:58:42 ----A---- C:\Windows\system32\logagent.exe
2008-12-10 21:58:37 ----A---- C:\Windows\system32\shell32.dll
2008-12-10 21:58:29 ----A---- C:\Windows\system32\wininet.dll
2008-12-10 21:58:29 ----A---- C:\Windows\system32\urlmon.dll
2008-12-10 21:58:29 ----A---- C:\Windows\system32\mshtml.dll
2008-12-10 21:58:29 ----A---- C:\Windows\system32\ieframe.dll
2008-12-10 21:58:28 ----A---- C:\Windows\system32\mstime.dll
2008-12-10 21:58:26 ----A---- C:\Windows\system32\jsproxy.dll
2008-12-10 21:58:26 ----A---- C:\Windows\system32\iertutil.dll
2008-12-07 12:32:17 ----D---- C:\Users\Donna\AppData\Roaming\Mozilla
2008-12-07 12:32:08 ----D---- C:\Program Files (x86)\Mozilla Firefox
2008-12-07 01:35:45 ----A---- C:\Windows\NeroDigital.ini
2008-12-07 01:34:34 ----D---- C:\Program Files (x86)\uTorrent
2008-12-06 22:29:02 ----D---- C:\Users\Donna\AppData\Roaming\Opera
2008-12-06 22:28:53 ----D---- C:\Program Files (x86)\Opera
2008-12-06 11:23:28 ----D---- C:\ProgramData\CheckPoint
2008-12-06 11:23:27 ----D---- C:\Program Files (x86)\Zone Labs
2008-12-06 11:23:20 ----D---- C:\Windows\Internet Logs
2008-12-06 11:21:04 ----D---- C:\Program Files (x86)\SpywareGuard
2008-12-06 01:15:11 ----A---- C:\Windows\system32\mbam-log-2008-12-06 (01-15-08).txt
2008-12-05 20:09:13 ----D---- C:\Windows\Sun
2008-12-05 03:45:56 ----AD---- C:\ProgramData\TEMP
2008-12-05 03:45:52 ----D---- C:\Program Files (x86)\SpywareBlaster
2008-12-05 03:45:52 ----A---- C:\Windows\system32\MSSTDFMT.DLL
2008-12-05 03:43:35 ----D---- C:\Users\Donna\AppData\Roaming\Malwarebytes
2008-12-05 03:43:30 ----D---- C:\ProgramData\Malwarebytes
2008-12-05 03:43:30 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2008-12-05 03:21:56 ----D---- C:\Program Files (x86)\EsetOnlineScanner
2008-12-05 02:30:23 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2008-12-05 02:30:20 ----D---- C:\Users\Donna\AppData\Roaming\SUPERAntiSpyware.com
2008-12-05 02:30:20 ----D---- C:\Program Files (x86)\SUPERAntiSpyware
2008-12-05 02:05:11 ----D---- C:\Program Files (x86)\CCleaner
2008-12-05 01:10:27 ----A---- C:\Windows\system32\deploytk.dll
2008-12-05 00:44:40 ----D---- C:\rsit
2008-12-05 00:42:18 ----D---- C:\Program Files (x86)\Trend Micro
2008-12-04 22:38:03 ----A---- C:\Windows\system32\wups.dll
2008-12-04 22:38:03 ----A---- C:\Windows\system32\wudriver.dll
2008-12-04 22:38:03 ----A---- C:\Windows\system32\wuapi.dll
2008-12-04 22:37:59 ----A---- C:\Windows\system32\wuwebv.dll
2008-12-04 22:37:59 ----A---- C:\Windows\system32\wuapp.exe
2008-11-26 21:02:00 ----A---- C:\Windows\system32\connect.dll
2008-11-26 21:01:48 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2008-11-26 21:01:37 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2008-11-26 21:01:37 ----A---- C:\Windows\system32\WindowsCodecs.dll
2008-11-26 21:01:37 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll

======List of files/folders modified in the last 1 months======

2008-12-17 19:58:56 ----D---- C:\Windows\Temp
2008-12-17 19:58:47 ----D---- C:\Windows\Prefetch
2008-12-17 19:58:47 ----D---- C:\Windows\Debug
2008-12-17 19:58:47 ----D---- C:\Windows
2008-12-17 19:57:56 ----D---- C:\Windows\System32
2008-12-17 19:57:56 ----D---- C:\Windows\inf
2008-12-13 13:10:36 ----RD---- C:\Program Files (x86)
2008-12-13 13:10:36 ----HD---- C:\ProgramData
2008-12-13 13:10:36 ----D---- C:\Windows\SysWOW64
2008-12-11 17:58:33 ----D---- C:\Windows\rescache
2008-12-11 17:53:27 ----D---- C:\Windows\winsxs
2008-12-11 17:42:41 ----D---- C:\Windows\AppPatch
2008-12-11 17:42:41 ----D---- C:\Program Files (x86)\Windows Mail
2008-12-11 17:42:40 ----D---- C:\Windows\system32\en-US
2008-12-07 20:04:41 ----D---- C:\Users\Donna\AppData\Roaming\uTorrent
2008-12-07 20:04:16 ----SHD---- C:\Windows\Installer
2008-12-07 20:03:26 ----HD---- C:\$AVG8.VAULT$
2008-12-06 12:08:25 ----SD---- C:\Windows\Downloaded Program Files
2008-12-05 03:43:33 ----D---- C:\Windows\system32\drivers
2008-12-05 03:32:14 ----D---- C:\Temp
2008-12-05 03:14:34 ----D---- C:\Program Files (x86)\Spybot - Search & Destroy
2008-12-05 03:14:33 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-12-05 02:29:57 ----D---- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2008-12-05 02:12:54 ----D---- C:\Windows\Minidump
2008-12-05 01:49:05 ----D---- C:\Windows\system32\Macromed
2008-12-05 01:10:23 ----A---- C:\Windows\system32\javaws.exe
2008-12-05 01:10:23 ----A---- C:\Windows\system32\javaw.exe
2008-12-05 01:10:23 ----A---- C:\Windows\system32\java.exe
2008-12-05 01:10:22 ----D---- C:\Program Files (x86)\Java
2008-11-29 11:42:46 ----D---- C:\Games

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx64;AVG Free AVI Loader Driver x64; C:\Windows\System32\Drivers\avgldx64.sys []
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64; C:\Windows\System32\Drivers\avgmfx64.sys []
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller; C:\Windows\system32\DRIVERS\l160x64.sys []
R3 AvgWfpA;AVG Free8 Firewall Driver x86; C:\Windows\System32\Drivers\avgwfpa.sys []
R3 GEARAspiWDM;GEARAspiWDM; C:\Windows\System32\Drivers\GEARAspiWDM.sys []
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys []
R3 ksthunk;Kernel Streaming Thunks; C:\Windows\system32\drivers\ksthunk.sys []
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys []
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys []
S1 SASDIFSV;SASDIFSV; \??\C:\Program Files (x86)\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
S1 SASKUTIL;SASKUTIL; \??\C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys []
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys []
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys []
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys []
S3 RivaTuner64;RivaTuner64; \??\C:\Program Files (x86)\RivaTuner v2.10\RivaTuner64.sys [2008-09-10 19952]
S3 SASENUM;SASENUM; \??\C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys []
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files (x86)\Lavasoft\Ad-Aware\aawservice.exe [2008-07-26 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~2\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 Bonjour Service;Bonjour Service; C:\Program Files (x86)\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe []
R3 iPod Service;iPod Service; C:\Program Files (x86)\iPod\bin\iPodService.exe [2008-07-30 532264]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2008-01-06 93696]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-19 19968]
S3 Steam Client Service;Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [2008-09-07 92656]

-----------------EOF-----------------
Triss
Active Member
 
Posts: 12
Joined: December 5th, 2008, 6:56 pm
Location: Auckland, New Zealand

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Katana » December 17th, 2008, 6:05 am

Well, your logs are looking clean and you have already run the scans that I would have asked you to :)

The only thing I can think of is that you have a Router, and the settings have been altered on that to send you to sites that reinfect you.

Please can you post the log from the last MalwareBytes scan, along with C:\RSIT\Info.exe
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Triss » December 17th, 2008, 9:33 am

I haven't been getting the page redirects since I did the major cleanup, I have my browser set to start at a blank page and it is doing so (also, am using Firefox now). I have a secure (non default) password set in my router so I'd be surprised if anything had got in there. I checked it anyway and nothing looks wrong.

I don't know if it's genuine or a false positive but every now and again AVG comes up saying there is a hidden folder in C:\Temp named 2970ED503A059B5E that has a trojan (AVG doesn't find anything if I scan this folder, only if something else like MBAM does). Given that my credit card got hijacked last weekend while I was using what I thought was a secure site (blizzard https site, was doing a world of warcraft character transfer) this has me worried. The folder in C:\Temp can't be seen unless I tell Vista to show protected OS files, and I can't access it. According to file security it is owned by S-1-0. It won't let AVG delete or quarantine it.

Anyway, here's the MalwareBytes AntiMalware log:

Malwarebytes' Anti-Malware 1.31
Database version: 1463
Windows 6.0.6001 Service Pack 1

7/12/2008 9:27:33 a.m.
mbam-log-2008-12-07 (09-27-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 199216
Time elapsed: 33 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
****************************************************************

And the RSIT info.txt:

info.txt logfile of random's system information tool 1.04 2008-12-05 00:44:47

======Uninstall list======

-->C:\Program Files (x86)\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroVision.exe /UNINSTALL
-->C:\Windows\UNNMP.exe /UNINSTALL
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ASUSUpdate-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\setup.exe" -l0x9
Atheros Communications Inc.(R) L1 Gigabit Ethernet Driver-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{6E19F210-3813-4002-B561-94D66AA182B6}\Setup.exe" -l0x9 -removeonly
AVG Free 8.0-->C:\Program Files (x86)\AVG\AVG8\setup.exe /UNINSTALL
Browser Toolbar-->"C:\Program Files (x86)\WebMediaViewer\browseu.exe"
HijackThis 2.0.2-->"C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Microsoft Office 97, Professional Edition-->C:\Program Files (x86)\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Nero Suite-->C:\Program Files (x86)\Common Files\Ahead\Uninstall\Setup.exe /uninstall
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek High Definition Audio Driver-->RtlUpd64.exe -r -m
RivaTuner v2.10-->"C:\Program Files (x86)\RivaTuner v2.10\uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files (x86)\Spybot - Search & Destroy\unins000.exe"
System Requirements Lab-->C:\Program Files (x86)\SystemRequirementsLab\Uninstall.exe
TeamSpeak 2 RC2-->"C:\Program Files (x86)\Teamspeak2_RC2\unins000.exe"
Ulead Photo Express 2.0 SE-->C:\Windows\IsUninst.exe -f"C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 2 SE\Uninst.isu" -c"C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 2 SE\IS32Inst.dll"
ViewSonic Monitor Drivers x64-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{48963B63-7A10-49D6-8B08-61E6132453D0}\Setup.exe" -l0x9
ViewSonic Windows Vista x64 Signed Files-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{FC47C7A5-BE63-11D5-B7C9-005004566E4D}\Setup.exe" -l0x9
Visual C++ 8.0 Runtime Setup Package (x64)-->MsiExec.exe /I{021C4C4F-C93C-4425-BFFD-C2D16776BFAE}
World of Warcraft-->C:\Program Files (x86)\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Xvid 1.1.3 final uninstall-->"C:\Program Files (x86)\Xvid\unins000.exe"

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AVG Anti-Virus Free
AS: AVG Anti-Virus Free (disabled)
AS: Windows Defender

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files (x86)\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=1706
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files (x86)\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files (x86)\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

Hope this helps, thanks again!
Triss
Active Member
 
Posts: 12
Joined: December 5th, 2008, 6:56 pm
Location: Auckland, New Zealand

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Katana » December 17th, 2008, 2:52 pm

Let's have a deeper look



OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below. ( Make sure you include :Processes )
Code: Select all
:Processes
explorer.exe
:Files
C:\Temp\*.* /s
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]



  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Close ALL open windows (especially Internet Explorer!)
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please Download GMER to your desktop

Download GMER and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Triss » December 18th, 2008, 6:58 am

Hi Katana

Here's the log from OTMoveIt3. It doesn't look like it spotted the hidden folder, but then I can't see it unless I use a command prompt and add the /ah flag to my search to find hidden folders and files.

========== PROCESSES ==========
Unable to kill process: explorer.exe
========== FILES ==========
File/Folder C:\Temp\*.* not found.
========== COMMANDS ==========
File delete failed. C:\Users\Donna\AppData\Local\Temp\~DFCEE.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Donna\AppData\Local\Temp\~DFF233.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12182008_232113

Files moved on Reboot...
C:\Users\Donna\AppData\Local\Temp\~DFCEE.tmp moved successfully.
C:\Users\Donna\AppData\Local\Temp\~DFF233.tmp moved successfully.

**************************************************************

GMER seems to have found it though and says it's a rootkit.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-18 23:52:02
Windows 6.0.6001 Service Pack 1


---- Services - GMER 1.0.14 ----

Service C:\Temp\2970ED503A059B5E\2970ED503A059B5E (*** hidden *** ) [AUTO] 2970ED503A059B5E <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E@ImagePath \??\C:\Temp\2970ED503A059B5E\2970ED503A059B5E
Reg HKLM\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E@WOW64 1
Reg HKLM\SYSTEM\ControlSet002\Services\2970ED503A059B5E@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\2970ED503A059B5E@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\2970ED503A059B5E@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\2970ED503A059B5E@ImagePath \??\C:\Temp\2970ED503A059B5E\2970ED503A059B5E
Reg HKLM\SYSTEM\ControlSet002\Services\2970ED503A059B5E@WOW64 1

---- Files - GMER 1.0.14 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.ci 4096 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.dir 4096 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid 65536 bytes

---- EOF - GMER 1.0.14 ----

Cheers
Donna
Triss
Active Member
 
Posts: 12
Joined: December 5th, 2008, 6:56 pm
Location: Auckland, New Zealand
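The GMER output in the post above is a good illustration of what a hidden service looks like on disk and in the registry: a kernel driver (Type 1) set to auto-start (Start 2) whose ImagePath points into C:\Temp rather than anywhere a legitimately installed driver lives. The following is an added example, not code from the thread or from GMER, showing how a defender might triage such a log automatically. It parses the "Services" and "Registry" sections, normalises the ImagePath (stripping the `\??\` NT prefix and resolving %SystemRoot%-relative paths) and reports entries that are hidden, load from outside the system or program directories, or are auto-started kernel drivers. The sample log is constructed from the entries posted here plus a hypothetical benign driver named "ExampleDrv" for contrast; the C:\Windows root is assumed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the GMER log posted in this thread. The
# 2970ED503A059B5E lines are copied from that log; "ExampleDrv" is a
# hypothetical benign driver added for contrast.
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.14 ----

Service C:\Temp\2970ED503A059B5E\2970ED503A059B5E (*** hidden *** ) [AUTO] 2970ED503A059B5E <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E@ImagePath \??\C:\Temp\2970ED503A059B5E\2970ED503A059B5E
Reg HKLM\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ExampleDrv@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ExampleDrv@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\ExampleDrv@ImagePath system32\DRIVERS\exampledrv.sys

---- EOF - GMER 1.0.14 ----
"""

# "Service <path> (<flags>) [<start>] <name> ..." ; GMER paths here contain no spaces.
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# "Reg HKLM\SYSTEM\<hive>\Services\<name>@<value> <data>"
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<hive>\w+)\\Services\\(?P<name>[^@]+)@(?P<value>\w+)\s+(?P<data>.*)$")

SERVICE_KERNEL_DRIVER = 1   # registry Type value for a kernel-mode driver
SERVICE_AUTO_START = 2      # registry Start value: loaded automatically at boot

# Locations a legitimately installed driver or service binary normally lives in
# (assumes the system root is C:\Windows).
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


@dataclass
class ServiceRecord:
    name: str
    hidden: bool = False
    reg: dict = field(default_factory=dict)
    reasons: list = field(default_factory=list)


def normalise_image_path(raw):
    """Strip the NT object-manager prefix and resolve %SystemRoot%-relative paths."""
    path = raw.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    if not re.match(r"^[a-zA-Z]:\\", path):
        # ImagePath values without a drive letter are relative to %SystemRoot%.
        path = "C:\\Windows\\" + path
    return path.lower()


def parse_gmer_log(text):
    """Collect one ServiceRecord per service name from the Services and Registry sections."""
    records = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            rec = records.setdefault(m["name"], ServiceRecord(m["name"]))
            rec.hidden = "hidden" in m["flags"]
            continue
        m = REG_RE.match(line)
        if m and m["hive"] == "CurrentControlSet":
            rec = records.setdefault(m["name"], ServiceRecord(m["name"]))
            rec.reg[m["value"]] = m["data"].strip()
    return records


def _int(value, default):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def assess(rec):
    """Attach human-readable reasons to a record that deserves a closer look."""
    if rec.hidden:
        rec.reasons.append("hidden from the service API (GMER flagged it)")
    image = rec.reg.get("ImagePath")
    if image:
        path = normalise_image_path(image)
        if not path.startswith(TRUSTED_ROOTS):
            rec.reasons.append("ImagePath outside system/program directories: " + path)
    svc_type = _int(rec.reg.get("Type"), 0)
    start = _int(rec.reg.get("Start"), 4)
    if svc_type == SERVICE_KERNEL_DRIVER and start == SERVICE_AUTO_START and rec.reasons:
        rec.reasons.append("kernel driver set to auto-start, so it reloads on every boot")
    return rec


def suspicious_services(text):
    """Return {service name: [reasons]} for every entry worth escalating."""
    findings = {}
    for name, rec in parse_gmer_log(text).items():
        assess(rec)
        if rec.reasons:
            findings[name] = rec.reasons
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_GMER_LOG).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed sample, only the 2970ED503A059B5E entry is reported, with all three reasons; the hypothetical ExampleDrv, which loads from system32\DRIVERS on demand, is left alone. The path check is the one that generalises: a driver whose ImagePath resolves to a temp or user-writable directory is worth a closer look even when the scanner does not mark it hidden.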

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Katana » December 18th, 2008, 7:50 am

OK, you have a rootkit.
Let's see if we can get this the easy way since you have a 64 bit system.


Reboot in safe mode
You will now need to reboot in safe mode, you will not have internet access whilst you do the next part
Please copy/paste or print the following instructions.


To reboot in safe mode
You can boot in Safe Mode by restarting your computer, then continually tapping F5 OR F8 until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit enter.



OTMoveIt
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below. ( Make sure you include :Processes )
Code: Select all
:Processes
explorer.exe
:Services
2970ED503A059B5E
:Reg
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\2970ED503A059B5E]
:Files
C:\Temp\2970ED503A059B5E
:Commands
[Start Explorer]
[Reboot]


  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Close ALL open windows (especially Internet Explorer!)
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Triss » December 18th, 2008, 8:14 am

Here's the latest OTMoveIt3 log. Dang that folder is stubborn.

========== PROCESSES ==========
Unable to kill process: explorer.exe
========== SERVICES/DRIVERS ==========
Service 2970ED503A059B5E stopped successfully.
Service 2970ED503A059B5E deleted successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\2970ED503A059B5E\\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\2970ED503A059B5E\\ not found.
========== FILES ==========
Folder move failed. C:\Temp\2970ED503A059B5E scheduled to be moved on reboot.
========== COMMANDS ==========
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12192008_010219

Files moved on Reboot...
Folder move failed. C:\Temp\2970ED503A059B5E scheduled to be moved on reboot.

********************************************
Cheers
Donna
Triss
Active Member
 
Posts: 12
Joined: December 5th, 2008, 6:56 pm
Location: Auckland, New Zealand

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Katana » December 18th, 2008, 8:27 am

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Triss » December 19th, 2008, 6:44 pm

Hi Katana

Unfortunately when I tried to use ComboFix it came up with a message saying it was only Win XP and 2000 compatible. Looking further it seems Combofix will not run on 64 bit systems, and I'm running Vista 64 Home Premium.

Is there a 64 bit version you know of, or another tool that's 64 bit compatible?

Thanks
Donna
Triss
Active Member
 
Posts: 12
Joined: December 5th, 2008, 6:56 pm
Location: Auckland, New Zealand

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Katana » December 19th, 2008, 7:16 pm

Hmmm, let's use Avenger instead

We need to execute an Avenger2 script
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Code: Select all
    Drivers to delete:
    2970ED503A059B5E
    Files to delete:
    C:\Temp\2970ED503A059B5E\2970ED503A059B5E
    
  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Please post a fresh RSIT log along with the Avenger log
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Triss » December 19th, 2008, 8:13 pm

This is a bit puzzling. I opened Avenger and pasted the code just as you instructed. It came up with the two prompts, one of which says it's set itself to run on reboot. But when it boots up, nothing. No command window opens, and no log opens.

When I go back into Avenger and go File, Open Log File (had to do this when we used OTMoveIt as it doesn't automatically open its log either), it says no log has been created. It just doesn't seem to be launching on reboot.

***EDIT***

Tracing it through, Avenger creates a registry entry to autostart C:\Cleanup.exe
It creates, in C:\ the following files:
Cleanup.exe
Cleanup.bat
Zip.exe

The contents of Cleanup.bat are as follows:

@ECHO OFF
cd %systemdrive%\
if exist %systemdrive%\avenger\backup.zip move /y %systemdrive%\avenger\backup.zip "%systemdrive%\avenger\backup-%date:/=.%-%time::=.%.zip"
move /y backup.reg %systemdrive%\avenger\
copy /y avenger.txt %systemdrive%\avenger\
for %%a in (c d e f g h i j k l m n o p q r s t u v w x y z) do if exist %%a:\avenger attrib -r -h -s %%a:\avenger\* /S /D & zip -r -S -q -m -! -P infected "%systemdrive%\avenger\backup.zip" %%a:\avenger\* -x %systemdrive%\avenger\backup*.zip & rmdir %%a:\avenger
del zip.exe
del cleanup.exe
del cleanup.bat

My memory of DOS commands is pretty rusty, but if I'm reading it right, this appears to copy a bunch of stuff into C:\Avenger (since C is the systemdrive) and then remove C:\Avenger (rmdir %%a:\avenger). But whatever it's trying to do, it's not logging it, and that hidden folder in C:\temp is still there.

Pondering that hidden folder in C:\temp, it may be possible to delete it if I go into security and take ownership of it. I have a feeling it's Vista security itself that's blocking the attempts to remove it using OTMoveIt.

Sorry my system is causing so much trouble.

Cheers
Donna
Triss
Active Member
 
Posts: 12
Joined: December 5th, 2008, 6:56 pm
Location: Auckland, New Zealand

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Katana » December 20th, 2008, 8:56 am

Triss wrote: Pondering that hidden folder in C:\temp, it may be possible to delete it if I go into security and take ownership of it. I have a feeling it's Vista security itself that's blocking the attempts to remove it using OTMoveIt.

Sorry my system is causing so much trouble.


Hi Donna,
It isn't Vista that's causing the problem, more the x64 part of it.
The tools we use are designed to run in a 32 bit environment and aren't compatible with x64 yet.
As it happens, you are one of a very select group to actually have a rootkit on a 64 bit machine ;)


Bear with me while I do some research.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: ZLOB infection, think I've killed it but want to make sure

Unread postby Katana » December 20th, 2008, 6:15 pm

Let's try that again, with a different script.


Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  1. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Code: Select all
    Drivers to delete:
    2970ED503A059B5E
    Folders to delete:
    C:\Temp\2970ED503A059B5E
    
  2. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  3. Read the prompt that appears, and press OK.
  4. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  5. Press the "Execute" button.
  6. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  7. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Please post a fresh RSIT log along with the Avenger log
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester