Yesterday I had the interesting experience when my system tray and desktop icons disappeared. I was forced to do a system restore (Windows XP SP2, Dell Inspiron 600m, Avast anti-virus, Super Antispyware, Spyware Blocker).
By accident I discovered that the Internet Explorer-ZoneMap-Domains files in my registry are FULL of malware dialers and addresses. I don’t know if they were directly responsible for the shell attack.
I ran Avast antivirus this evening, and there are about 13 files with the “installer archive is corrupted” message. All (but one) cannot be put in the Virus Chest; an error occurs. These are the files:
Does this mean that the first 11 files are Avast files that have been corrupted? Since I can’t move, delete or repair them, what should I do? (I recognize that the last file is from an uninstalled version of GOM Player, but I have the same problems trying to get rid of it.)
Why didn’t Avast detect the nasty malware in my ZoneMap folders, and how can I get them out? I don’t want to just delete them out of the registry, because (a) there are so many it would be very tedious, and (b) I’m afraid I won’t find the associated files in the registry that are disguised.
I will greatly appreciate any guidance you can give me on these matters. Thanks a lot!
This is not Chest, but the ‘moved’ folder of avast. It’s impossible to know the original path of these files now. Are you sure these are the files you’ve moved to Chest?
No. They’re files that avast detected and as per your instruction were ‘moved’.
If you go to Windows Explorer, can’t you delete (send to Recycle Bin) those files?
Do you use AVGas or any other antispyware product?
I tried to install the Trojan Remover program (this was to deal with the malware in my registry), but at the end of the download I got a Windows message saying the installation file was corrupt, so the operation was aborted.
Does this mean that most of the files found in the Avast scan are broken pieces of this program? How can I get rid of them?
2) I am not using Spybot, because I tried it previously, and the version had a LOT of bugs. So I deleted it. Instead, I have Spyware Blaster and Super Antispyware.
The files found by the Avast scan are not in the Chest. I tried to move them, and got an error message. Then I tried to place them in the Chest, and that gave error messages, too. So right now they are just sitting in the Last Scan Report box. From the file paths, it “looks” like they were moved, but they do not appear in the Chest.
Is there another place where they can be stored? Where is it?
4) Could you explain how I can delete them using Windows Explorer? Do you mean calling them up using the “Search” function?
I did have AVG on my system, but I took it off because I understood it would cause problems to have both Avast and AVG programs running at the same time (AVG also has an antivirus component, and it was causing freeze-ups). I currently have Super Antispyware (Free edition) and Spyware Blaster, instead.
And finally, could I have your expert opinion on a program that would delete the Trojan dialers and websites out of my registry?
Depending on the value of the dword, the Internet Explorer-ZoneMap-Domains represents domains in the Intranet Zone, Trusted Sites Zone, Internet Zone, or Restricted Sites Zone. I’m guessing the list you’re seeing is the Restricted Sites Zone (dword = 4) and you wouldn’t necessarily want to delete addresses listed there. The easiest way to check this is to just look in Internet Explorer under the Security tab.
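The zone-number mapping described above can be checked offline from a Registry Editor export instead of by hand. The following script is an added example, not code from the thread or from any of the products mentioned; it parses a constructed .reg export of the ZoneMap\Domains keys (the hostnames are made up) and reports which security zone each entry maps to, so a long list of dword = 4 entries shows up as Restricted Sites rather than as something to delete.

```python
import re
from collections import Counter

# Well-known Internet Explorer security zone numbers (4 = Restricted Sites).
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a .reg export; these hostnames are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dialer-site.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"http"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bank.example\www]
"https"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    """Return (hostname, scheme, zone_number) tuples for ZoneMap\\Domains entries."""
    entries, labels = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1).split("\\")
            # Subkeys below Domains\<domain> are host-label prefixes, so
            # Domains\example.com\www describes www.example.com.
            labels = path[path.index("Domains") + 1:] if "Domains" in path else None
            continue
        value = VALUE_RE.match(line)
        if value and labels:
            host = ".".join(reversed(labels))
            entries.append((host, value.group(1), int(value.group(2), 16)))
    return entries


def count_by_zone(entries):
    """Count entries per zone name; unknown zone numbers are reported as 'zone N'."""
    return dict(Counter(ZONE_NAMES.get(z, f"zone {z}") for _, _, z in entries))


if __name__ == "__main__":
    for host, scheme, zone in parse_zonemap(SAMPLE_REG):
        print(f"{host:20} {scheme:6} {ZONE_NAMES.get(zone, zone)}")
```

To run it against a real machine, export the ZoneMap\Domains key from Registry Editor to a .reg file and pass its contents to parse_zonemap instead of SAMPLE_REG.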
registry keys: use some special anti-spyware program… it’s hard for us to keep a list of bad zones and delete them…
corrupted installers: maybe the file isn’t fully downloaded (is incomplete) and that’s the reason the unpack fails… and maybe it is some unsupported version of the installer (with different structures, offsets etc.) which we can’t unpack… I don’t know, as I haven’t seen the files… anyway - in case of an unpack error the files inside the installer are not scanned… if you are sure that it is some legitimate trojan removal tool, you can run it even when avast didn’t unpack it correctly…
Re: malware in ZoneMap folder in my registry: the files in these folders (under each and every HKEY USER) were all quite obviously pornographic, so I knew I personally had not placed them in the Explorer Security zones (I have no web addresses in those zones, as it happens).
What I mean by dialers are malware programs (in this case, pornographic) that use your modem to dial-up sites without your permission and you get the bill! I’m just not interested! (NONE of these HUNDREDS, and I mean HUNDREDS of malware sites, were of interest to girls, judging by the names!)
Yes, I uninstalled Spybot through Add/Remove programs.
Now, here are some new developments.
I went back to my Avast antivirus program to review the last report scan (which I put in my original post). Well, there was a new file in the chest under Infected Files, and it looked like one of the 12 which I couldn’t move. So I scanned it in the chest, and while it was scanning I noticed it expanded and listed all 12 problem files. At the end of the scan it conflated back down to one file, and is now marked ‘no virus’! I guess what happened was that my original attempts to move the files produced an error message, but the files got moved later in a delayed reaction. But should it happen like that?
So, now that they have “no virus”, does this mean I can restore them?
Also, re: ZoneMap malware - I also use Super Antispyware, and I vaguely remember a setting for ZoneMap under the Repairs section. Well, there is one, so I hit “reset” for default settings. Then I went into my registry and lo and behold, all that malware was GONE! I did a search under ZoneMap and one of the delightful site names and the Domains are truly EMPTY!
Of course I don’t know how my original ZoneMap settings got corrupted, but they’re fixed now!
So I guess all I need to know now is if I can restore the no-virus files in my Avast virus chest.
Judging by what you did to get rid of them, it’s very possible SAS put them there to prevent access. When you restored the defaults in SAS, the list was cleared.
You could try submitting the files to virustotal ( http://www.virustotal.com/ ) and see if anything shows up. It’s possible that it was a false positive that was corrected by the last vps update. You will have to move them out of the chest to a temp folder to submit them.
Here’s a partial view of my Zone Map. There are porn sites, URLs with “dialer” in the name that are not actual dialer programs, etc. The dword for all of these is 4, meaning they are all part of my Restricted Zone. I didn’t put these there - Spybot S&D or Spyware Blaster or IE Spyad put them there for me. Is this sort of what you saw on your computer?
I followed your suggestion and attempted to send the files to virustotal.com (which is a great site). However, they were both too big to download there. I was able to send 3 winsock system files that were also in my virus chest, and they are clean. Can I now restore the winsock files?
In extracting the 12 original files to a temporary folder (in preparation for sending to virustotal.com), it became clear that they are the installation file for an anti-trojan program and its associated virus library. I suspect that means Avast issued a false positive for them, but I’m not sure. I ran a scan on them inside the virus chest, and it says ‘no virus’. Does that mean they are clean and I can now restore them?
Mauserme: YES! That is very similar to what was in my ZoneMap, only with more colorful titles. So you and Oldman have explained how they got in ZoneMap in the first place - my Super Antispyware or Spyware Blaster put them there. Is it bad that I deleted them using the SAS repair module?
I now have a clearer understanding of what happened. Hopefully I am getting closer to restoring the virus chest files. Thanks again for your continuing advice.
I edited my post to prevent displaying the most colorful domain names ;D
Some security programs add these sites to protect you by enforcing tighter security settings if you (or someone using your computer) ever strayed to one of these sites. But deleting them doesn’t harm anything.
What are the names of the winsock files you’re referring to? I wouldn’t mess with this too much - the winsock layer is like a chain of programs that, if broken, will kill your internet connection. SuperAntiSpyware has a tool to fix this if it happens, but best not to break it in the first place.
In regard to the Trojan Remover files I would be inclined to just delete them. If you still want to install Trojan Remover a fresh download would probably be more successful.
And the very last line in your initial post - that is a system restore point. It could probably be deleted too if Windows is not protecting it.
The winsock files are: wsock32.dll, winsock.dll, kernel32.dll. They were put in my virus chest about a month ago, but I haven’t done anything but re-scan them there, because I knew they were serious files and was afraid I’d blow something up. Should I just leave them there?
I will follow your advice and do a fresh download of the Trojan Remover, and I will delete the gomx.dll restore file.
Those 3 files should be in the system portion of the chest. Please open the chest and click on the plus sign. Then click on system files. You should see those 3 files there. They are backups that avast put there. There is no need to restore them.
I cannot find the gomx.dll file in the registry, though I can find the rest of the restore string. Is it important that I find and delete it? It’s just that every time I run Avast, it brings up this file.
Otherwise, tomorrow - I mean later today! - I will clean up the anti trojan software.
As mauserme said, you may or may not be able to delete it if Windows is protecting it.
If it is a very old restore point you can do the following:
Disk Cleanup - Launch the Disk Cleanup tool and then select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
Oldman’s suggestion about clearing the old restore points is perfect.
Just one other thought from my point of view - poking around in the registry is not the safest thing in the world and is an inefficient way to solve malware problems. It’s sometimes necessary, but only as a last resort.
Thanks for your suggestion about ERUNT; it is a great tool.
I will think about deleting all my old restore points; as mauserme pointed out, and I have found out the hard way, it is risky deleting things out of your registry (!) This is one reason I am very familiar with System Restore (!)
Gentlemen, I thank all of you for your considerable assistance in this matter. I have learned a lot!