datasafe Posted June 23, 2009

Hi guys

I've been using SAS for a month or so now. One of my friends downloaded SpyHunter and ran it on his PC - quite a few trojans were detected and of course he paid up and cleared them.

Tonight, I downloaded a trial copy of SpyHunter, updated the 'definitions' and did a scan. I was quite alarmed when I was presented with the following results!

Is this a scam to get one to pay for the software? If not, why hasn't this been dealt with by SAS?

Cheers
John

datasafe Posted June 23, 2009

Geez, that was a quick reply!

Another screen grab showing the problem lies in the registry keys.

I'm always suspicious when problems are detected by one spyware software and not by another, that's why I decided to post.

The reason I tried out SpyHunter this evening was because I discovered my root directory of C:\ contained hundreds of empty folders that just appeared! Each empty folder appears to have the name of folders I store in My Documents. I was also presented with an error message on boot-up that stated something like: A folder named C:\Program might cause a problem, rename or ignore.

Took me quite some while to delete all the empty folders - now in the recycle bin, just in case!

Here's the last scan results, just a few cookies:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 06/23/2009 at 06:55 AM

Application Version : 4.26.1004
Core Rules Database Version : 3951
Trace Rules Database Version: 1893

Scan type : Complete Scan
Total Scan Time : 02:40:13

Memory items scanned : 1138
Memory threats detected : 0
Registry items scanned : 8315
Registry threats detected : 0
File items scanned : 114227
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\John Cooper\Cookies\john_cooper@atdmt[2].txt
C:\Documents and Settings\John Cooper\Cookies\john_cooper@adbrite[2].txt
C:\Documents and Settings\John Cooper\Cookies\john_cooper@media6degrees[1].txt
C:\Documents and Settings\John Cooper\Cookies\john_cooper@mycounter.tinycounter[1].txt
C:\Documents and Settings\John Cooper\Cookies\john_cooper@hotlog[1].txt

Trace.Known Threat Sources
C:\Documents and Settings\John Cooper\Local Settings\Temporary Internet Files\Content.IE5\OR9UX6PK\virusremoverprofessional_pic1[1].png

69Chico54 Posted June 24, 2009

I also got a Zlob.HTML adware/spyware the other day. Superanti... didn't find it, but another free download caught this trojan horse. I have been trying to figure this out for 3 days, but to no avail thus far. I knew I was affected/infected because my homepage changed. My modem lights - which have 8 LED lights - went down to 2 that were lit once I was infected. I now have my homepage and modem lights back, but every time I run Superanti... the infected files still return. Here they are:

Generated 06/24/2009 at 01:49 PM

Application Version : 4.26.1006
Core Rules Database Version : 3954
Trace Rules Database Version: 1896

Scan type : Quick Scan
Total Scan Time : 00:02:48

Memory items scanned : 575
Memory threats detected : 0
Registry items scanned : 501
Registry threats detected : 8
File items scanned : 1988
File threats detected : 1

Adware.Tracking Cookie
C:\Users\Edmonds\AppData\Roaming\Microsoft\Windows\Cookies\edmonds@maxis.112.2o7[1].txt

Rogue.AdwareAlert
HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}
HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\DefaultIcon
HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\Shell
HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\Shell\Open
HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\Shell\Open\Command
HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\ShellFolder
HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\ShellFolder#Attributes
HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\ShellFolder#WantsFORPARSING

I didn't run it all of the way through because this is all that shows up. I am at my wits', or lack thereof, end with this little virus or whatever it is. Please help... Thanks in advance...

After the other free adware caught it, then Superanti... did get the above. Whether this is related I have no clue.

Peace...

datasafe Posted June 24, 2009

"Are they all in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains?"

It appears they are! And I don't visit porn sites either.

John

69Chico54 Posted June 24, 2009

Ok, I ran a System Restore and then I only had 1 Rogue, and also deleted my IE 8 and then redownloaded it. I ran the Superanti... and it was totally free of anything. So far so good... Only time will tell, but I will keep you informed if something pops back up. Thanks Tons...

69Chico54 Posted June 24, 2009

"Ok, I ran a System Restore and then I only had 1 Rogue, and also deleted my IE 8 and then redownloaded it. I ran the Superanti... and it was totally free of anything. So far so good... Only time will tell, but I will keep you informed if something pops back up. Thanks Tons..."

My 15-year-old thought he was clever once and entered a few porn sites. My computer was loaded with trouble, and I snapped at him for this. Do not ever enter those sites because even supposed legit sites may be hacked. Just my 2 cents on this....

prairie dog Posted June 25, 2009

"Regarding SpyHunter, it has a very shady past and you will be hard pushed to find anyone experienced in computer security recommend it. See this thread"

I agree. I haven't heard or read too many good things about SpyHunter.

talkinghead Posted July 20, 2009

I bet you all have Spybot active and you have activated "Immunize" in Spybot. SpyHunter has picked up the registry keys that Spybot has put there to protect against those sites. If you want to prove it "undo" the immunization and run SpyHunter again, and they will not be there.

SUPERAntiSpy Posted July 20, 2009

"I bet you all have Spybot active and you have activated 'Immunize' in Spybot. SpyHunter has picked up the registry keys that Spybot has put there to protect against those sites. If you want to prove it 'undo' the immunization and run SpyHunter again, and they will not be there."

This is exactly right - either SpyBot or SpywareBlaster's immunize feature will add thousands of domains to the ZoneMap area of the registry. SpyHunter is not looking if they are blocked or allowed - it's simply detecting them because they are there. No need to submit a support request.

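The blocked-versus-allowed distinction from the last reply, as an added example that is not part of the original thread: it reads the text of a ZoneMap registry export and separates protective block entries from entries that grant extra trust. The function names and the sample domains are constructed for illustration; the zone numbers are the standard Internet Explorer zones (4 is Restricted sites).

```python
import re
from collections import Counter

# Standard Internet Explorer security zone numbers.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
KEY_RE = re.compile(
    r"^\[HKEY_[A-Z_]+\\.*\\ZoneMap\\(Domains|EscDomains)\\(.+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in `reg export` text form; the domains are placeholders.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\blocked-one.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\blocked-two.example\www]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unexpected-trust.example]
"http"=dword:00000002
"""

def parse_zonemap(reg_text):
    """Yield (branch, domain, protocol, zone) for each ZoneMap domain entry."""
    current = None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            # Subkeys are stored parent-first: example.com\www is www.example.com
            labels = key.group(2).split("\\")
            current = (key.group(1), ".".join(reversed(labels)))
        elif line.startswith("["):
            current = None  # a key outside the per-domain entries
        elif current and (val := VAL_RE.match(line)):
            yield (*current, val.group(1), int(val.group(2), 16))

def triage(reg_text):
    """Count entries per zone; list entries that raise trust above Internet."""
    counts, review = Counter(), []
    for _branch, domain, proto, zone in parse_zonemap(reg_text):
        name = ZONES.get(zone, f"zone {zone}")
        counts[name] += 1
        if zone < 3:  # block entries (zone 4) are protective, not a finding
            review.append((domain, proto, name))
    return counts, review

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `triage`.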