@Tarq57
Having UPH cleanup does what it says it does and will prevent errors in the Event logs.
It is installed by default on Vista.
@Ragamuffin
Can you open Notepad?
Go to Start, then Run…, enter notepad and press Enter to open Notepad, which MBAM needs to display logs.
In MBAM select Logs; there should be a log there that you can select with Open, which displays an MBAM log in Notepad:
Malwarebytes’ Anti-Malware 1.39
Database version: 2504
Windows 5.1.2600 Service Pack 3
7/26/2009 6:11:06 AM
mbam-log-2009-07-26 (06-11-06).txt
> @Tarq57
> Having UPH cleanup does what it says it does and will prevent errors in the Event logs.
> It is installed by default on Vista.
I have it installed, have had for about two years.
I think it's a very useful program.
But I don't think it's a "you must have this".
It would seem to me it's a "this is a good idea to install."
Yes? No?
It came up on its own, so it seems it tried to open the log at the end of the scan, but hadn’t been able to save it because it didn’t create the location where it should be.
How did you get on uploading the file to virustotal? (I'd treat "a.exe" with the same degree of suspicion as "b.exe".)
If anything new attempts an internet connection now, the firewall should warn you. If unsure whether it's safe or not, block it. (This can later be undone if necessary.) And let us know.
I, perhaps a bit foolishly, deleted "a.exe" since it wasn't being flagged as a problem and quarantined. I didn't like the idea of just leaving it there.
It’s saving the logs properly now and I can see them in the “logs” tab; it seems it just couldn’t create the directory where it wanted to save them, so I did it manually.
One more thing: could the actions described here in any way be responsible? I have been experiencing problems with the atdmt tracking cookie and followed those instructions to get rid of it, although it didn’t work; I still get the cookie whenever I start up Windows Live Messenger.
Edit: I just tried visiting worldofraids.com with avast off and AVG reinstalled; it came up with a warning about
http://192.192.216.166/fox.htm
saying that it was a Flash exploit. I blocked it and closed the window. The b.exe file hasn’t been detected, and on going back to worldofraids.com it appears to be gone from the list of items there.
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users.
- Under Additional Scans check the following:
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EvtViewer (last 10)
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it.
OK, I’m 99.9% sure now that the problem was being caused by the link mentioned in my previous post, ending in fox.htm and labelled as a Flash exploit. Since blocking it and the IP it comes from with Firefox add-ons and Internet Options, I no longer get crashes when visiting worldofraids.com nor any warnings from AVG or avast, although it seems to have been removed from the site anyway.
I’ve done one final set of scans with avast, AVG, MBAM, SUPERAntiSpyware and Spybot S&D, plus a HijackThis log, and they’ve turned up nothing, apart from SUPERAntiSpyware still finding the atdmt tracking cookie.
So anyway, Tarq, thank you very much for all of your help, and my apologies if any of my replies were a bit rambling or unclear. Also, YoKenny, thank you for your recommendations too. And essexboy, thank you for that; if it pops up again I will definitely give it a go.
Maybe you would like to make the link you gave in a previous posting non-clickable, because there is a suspicious inline script (“Script outside of … block”):
var memory; var nop = unescape("%u0808%u0808"); var spray=decodeURI("abcd0C0Cabcd6090abcd1CEBabcd4B...
It is the code of a PDF exploit with heap spray (because they know where to spray the heap, as Adobe’s software is broken, they are sure of the desired results, so be extra cautious where you surf with the mentioned exploitable software!). For more on this exploit: wXw.milw0rm.com/exploits/8570
@essexboy, the danger is out there on the Internet…
@Ragamuffin: Well let us return to the exploit in the links you gave with a short recapitulation of what the heap spray vulnerability stands for:
Heap spraying is basically termed the substitute for ‘Arbitrary Code Execution’. In plain English: intruders try to enter the system by executing some sort of code from your browser; hackers certainly know what is meant here.
Heap spraying was introduced back in 2001, and started taking off with the help of browsers in 2005 and beyond. This exploit did major damage in that same year, 2005, as it was first tried in browsers at the time. This term is generally used by cybercriminals and in the computer security world to define arbitrary code execution.
This code which sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process, by having it allocate (large) blocks on the process’ heap and fill the bytes in these blocks with the right values.
These heap blocks will be in approximately the same location every time the heap spray is run. This is a well-known fact for hackers today, which gives them an advantage when testing Adobe against this heap spray exploit.
Adobe might have forgotten to close all its open doors for such a common vulnerability at the launch of the current version, but we will soon see it patched.
With the NoScript extension installed in the Firefox browser we are secure against this arbitrary code vulnerability or the next one, so no sweat.
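As an added illustration of how a web shield or script scanner can flag the pattern Pol describes (this is example code written for this thread, not Pol's, not avast's, and not anything from the site in question): a heap spray is recognisable in page script by its shape rather than by a signature of the payload. Three constructed heuristics are checked here: an unescape() call whose argument is one %uXXXX unit repeated (the sled), a string doubled on itself until it reaches a large size, and a loop that fills an array with many copies of sled plus something else. The two script fragments, the thresholds LARGE_STRING and MANY_BLOCKS, and the function names are all made up for the example.

```python
import re
from typing import List

# Constructed JavaScript fragments for the example (not taken from any real page).
SAMPLE_SPRAY = (
    'var nop = unescape("%u0808%u0808");'
    'while (nop.length < 0x40000) nop += nop;'
    'var blocks = [];'
    'for (var i = 0; i < 300; i++) { blocks[i] = nop + payload; }'
)
SAMPLE_BENIGN = (
    'var name = unescape("%u00e9cole");'
    'var items = [];'
    'for (var i = 0; i < 3; i++) { items[i] = "row " + i; }'
)

# 1. unescape() whose whole argument is a run of %uXXXX units (candidate sled).
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']((?:%u[0-9a-fA-F]{4})+)["\']\s*\)')
# 2. "while (s.length < N) s += s;" : a string doubled on itself up to size N.
DOUBLING_RE = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1\b'
)
# 3. "for (...; i < N; ...) arr[i] = a + b" : an array filled with N concatenated blocks.
FILL_RE = re.compile(
    r'for\s*\([^;]*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)\s*\{?\s*(\w+)\[\s*\w+\s*\]\s*=\s*(\w+)\s*\+\s*\w+'
)

LARGE_STRING = 0x10000  # assumed threshold: 64 KiB strings are unusual in normal page script
MANY_BLOCKS = 50        # assumed threshold: dozens of identical large blocks


def heap_spray_indicators(js: str) -> List[str]:
    """Return a human-readable list of the heuristics that fired on one script body."""
    hits = []
    for m in UNESCAPE_RE.finditer(js):
        units = re.findall(r'%u([0-9a-fA-F]{4})', m.group(1))
        # A sled is the same unit repeated; a single unit or mixed units is ordinary text.
        if len(units) >= 2 and len({u.lower() for u in units}) == 1:
            hits.append(f"repeated-unit sled %u{units[0]}")
    for m in DOUBLING_RE.finditer(js):
        literal = m.group(2)
        size = int(literal, 16) if literal.lower().startswith("0x") else int(literal, 10)
        if size >= LARGE_STRING:
            hits.append(f"string '{m.group(1)}' doubled to >= {size:#x} chars")
    for m in FILL_RE.finditer(js):
        if int(m.group(1)) >= MANY_BLOCKS:
            hits.append(f"array '{m.group(2)}' filled with {m.group(1)} concatenated blocks")
    return hits


def verdict(js: str) -> str:
    """Combine the indicators: two or more together is the heap spray shape."""
    n = len(heap_spray_indicators(js))
    if n >= 2:
        return "likely heap spray"
    if n == 1:
        return "suspicious"
    return "no spray indicators"


if __name__ == "__main__":
    for label, js in (("spray", SAMPLE_SPRAY), ("benign", SAMPLE_BENIGN)):
        print(label, "->", verdict(js), heap_spray_indicators(js))
```

Each heuristic alone produces false positives (unescape() with a repeated unit is legitimate padding in some scripts, and large string building shows up in minifiers), which is why the verdict only becomes "likely heap spray" when at least two of the three shapes appear together; a real scanner would also look at obfuscated variants that hide the unescape() call behind string building.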
Not too bad, just a few remnants of SpyFalcon there - you missed the real nasty.
Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY -> Bu_.exe -> H:\Documents and Settings\Ian.LENORE\Local Settings\Temp\~nsu.tmp\Bu_.exe
NY -> Au_.exe -> H:\Documents and Settings\Ian.LENORE\Local Settings\Temp\~nsu.tmp\Au_.exe
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix.
All Processes Killed
[Files/Folders - Modified Within 30 Days]
H:\Documents and Settings\Ian.LENORE\Local Settings\Temp\~nsu.tmp\Bu_.exe moved successfully.
H:\Documents and Settings\Ian.LENORE\Local Settings\Temp\~nsu.tmp\Au_.exe moved successfully.
[Empty Temp Folders]
So… I hope so?
And Pol, thanks for explaining that, it’s a bit over my head, but thanks all the same.
Probably a silly question, but do I need to go and delete the Bu_.exe and Au_.exe files manually? Because I can find them in H:\_OTS\MovedFiles\07262009_174245\H_Documents and Settings\[username.comp]\Local Settings\Temp\~nsu.tmp\