Author Topic: Win32:Dialer-1346  (Read 16673 times)


Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Dialer-1346
« Reply #15 on: July 26, 2009, 11:03:04 AM »
Ah. I thought they'd fixed that. Please download this hotfix and place it in your Program files\malwarebytesantimalware folder. Allow it to replace the existing version of MBAM.exe.
Then try it.
Windows 10,Windows Firewall,Firefox w/Adblock.

YoKenny

  • Guest
Re: Win32:Dialer-1346
« Reply #16 on: July 26, 2009, 11:49:16 AM »
You could also install:
Microsoft Visual C++ 2008 Redistributable Package (x86)
http://www.microsoft.com/downloads/details.aspx?FamilyID=9b2da534-3e03-4391-8a4d-074b9f2bc1bf&displaylang=en

I also notice you need:
User Profile Hive Cleanup Service
Brief Description

A service to help with slow log off and unreconciled profile problems.
http://www.microsoft.com/downloadS/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Dialer-1346
« Reply #17 on: July 26, 2009, 12:03:06 PM »
Quote
You could also install:
Microsoft Visual C++ 2008 Redistributable Package (x86)
http://www.microsoft.com/downloads/details.aspx?FamilyID=9b2da534-3e03-4391-8a4d-074b9f2bc1bf&displaylang=en
YoKenny, the reported problem was reported on the Malwarebytes forum; the fix was posted here, which is where I linked it from.

I would have thought the UPH cleanup was an optional program to install.
You make it sound as though it's necessary. ???
Feel free to discuss.
Windows 10,Windows Firewall,Firefox w/Adblock.

Ragamuffin

  • Guest
Re: Win32:Dialer-1346
« Reply #18 on: July 26, 2009, 12:03:50 PM »
I've done a full scan with MBAM and it didn't detect any infected objects, but when it finished apparently it didn't create a log and came up with the "Windows cannot find..." error.

Edit: It appears I needed to create the file path to where it can save logs, I've done that and here is a report from a quick scan:

Malwarebytes' Anti-Malware 1.39
Database version: 2504
Windows 5.1.2600 Service Pack 3

26/07/2009 11:04:51
mbam-log-2009-07-26 (11-04-51).txt

Scan type: Quick Scan
Objects scanned: 110361
Time elapsed: 1 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
« Last Edit: July 26, 2009, 12:06:09 PM by Ragamuffin »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Dialer-1346
« Reply #19 on: July 26, 2009, 12:14:09 PM »
What was the error message in response to? You searching for the log, or did it pop up automatically when MBAM finished scanning?
Have you checked in MBAM settings (in the second checkbox down) that it should create a log?

However, the point is that nothing is detected as infected.
HJT indicates the same. This has got to be somewhat reassuring.

Please send the quarantined item to Avast from within the chest. (Right click the entry in the chest for the options).

Should the virus warning occur again, try initially doing nothing, but open the folder the file reported is in, then try scanning it with MBAM.
I'm not sure this will actually work, as Avast may lock it, and prevent scanning or correct detection.

How did you get on uploading the file to virustotal? (I'd treat "a.exe" with the same degree of suspicion as "b.exe".)
If anything new attempts an internet connection now, the firewall should warn you. If unsure whether it's safe or not, block it. (This can later be undone if necessary.) And let us know.

Love some more second opinions about this scenario.
Windows 10,Windows Firewall,Firefox w/Adblock.

YoKenny

  • Guest
Re: Win32:Dialer-1346
« Reply #20 on: July 26, 2009, 12:15:55 PM »
@Tarq57
Having UPH cleanup does what it says it does and will prevent errors in the Event logs.
It is installed by default on Vista.

@Ragamuffin
Can you open Notepad?

Go to Start, then Run..., enter notepad and tap Enter to open Notepad, which MBAM needs to display logs.

In MBAM select Logs and there should be a log there that you can select with Open that displays a MBAM log with Notepad:
Malwarebytes' Anti-Malware 1.39
Database version: 2504
Windows 5.1.2600 Service Pack 3

7/26/2009 6:11:06 AM
mbam-log-2009-07-26 (06-11-06).txt

Scan type: Quick Scan
Objects scanned: 90226
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Dialer-1346
« Reply #21 on: July 26, 2009, 12:20:37 PM »
Quote
@Tarq57
Having UPH cleanup does what it says it does and will prevent errors in the Event logs.
It is installed by default on Vista.
I have it installed, have had for about two years.
I think it's a very useful program.
But I don't think it's a "you must have this".
It would seem to me it's a "this is a good idea to install."
Yes? No?
Windows 10,Windows Firewall,Firefox w/Adblock.

YoKenny

  • Guest
Re: Win32:Dialer-1346
« Reply #22 on: July 26, 2009, 12:31:19 PM »
No to "you must have this."
Yes to "this is a good idea to install."

Ragamuffin

  • Guest
Re: Win32:Dialer-1346
« Reply #23 on: July 26, 2009, 12:33:02 PM »
Quote
What was the error message in response to? You searching for the log, or did it pop up automatically when MBAM finished scanning?
Have you checked in MBAM settings (in the second checkbox down) that it should create a log?
It came up on its own, so it seems it tried to open the log at the end of the scan, but hadn't been able to save it because it didn't create the location where it should be.

Quote
How did you get on uploading the file to virustotal? (I'd treat "a.exe" with the same degree of suspicion as "b.exe".)
If anything new attempts an internet connection now, the firewall should warn you. If unsure whether it's safe or not, block it. (This can later be undone if necessary.) And let us know.
I, perhaps a bit foolishly, deleted "a.exe" since it wasn't being flagged as a problem and quarantined. I didn't like the idea of just leaving it there.

Quote
@Ragamuffin
Can you open Notepad?

Go to Start, then Run..., enter notepad and tap Enter to open Notepad, which MBAM needs to display logs.

In MBAM select Logs and there should be a log there that you can select with Open that displays a MBAM log with Notepad:
It's saving the logs properly now, and I can see them in the "logs" tab, it seems it just couldn't create the directory where it wanted to save them, so I did it manually.

Ragamuffin

  • Guest
Re: Win32:Dialer-1346
« Reply #24 on: July 26, 2009, 12:55:38 PM »
One more thing: could the actions described here in any way be responsible? I have been experiencing problems with the atdmt tracking cookie and followed those instructions to get rid of it, although it didn't work; I still get the cookie whenever I start up Windows Live Messenger.

Edit: I just tried visiting worldofraids.com with avast off and AVG reinstalled, and it came up with a warning about http://192.192.216.166/fox.htm saying that it was a flash exploit. I blocked it and closed the window, the b.exe file hasn't been detected, and on going back to worldofraids.com it appears to be gone off the list of items there.
« Last Edit: July 26, 2009, 06:34:24 PM by Ragamuffin »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Dialer-1346
« Reply #25 on: July 26, 2009, 01:41:15 PM »
Unfortunately HJT no longer gives the full picture; if you wish, I can assist.

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Ragamuffin

  • Guest
Re: Win32:Dialer-1346
« Reply #26 on: July 26, 2009, 05:49:38 PM »
Ok, I'm 99.9% sure now that the problem was being caused by the link mentioned in my previous post, ending in fox.htm and labelled as a flash exploit. Since blocking it and the IP it comes from with Firefox add-ons and Internet Options, I no longer get crashes when visiting worldofraids.com nor any warnings from AVG or avast, although it seems to have been removed from the site anyway.

I've done one final set of scans with avast, AVG, MBAM, SUPERAntiSpyware and Spybot S&D, plus a HijackThis log, and they've turned up nothing, apart from SUPERAntiSpyware still finding the atdmt tracking cookie.

So anyway, Tarq, thank you very much for all of your help, and my apologies if any of my replies were a bit rambling or unclear. Also, YoKenny, thank you for your recommendations too. And essexboy, thank you for that; if it pops up again I will definitely give it a go.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Dialer-1346
« Reply #27 on: July 26, 2009, 06:05:40 PM »
No problems - it is just that there is a nasty variant of TDSS at the moment which sometimes accompanies the a.exe tribe.

Ragamuffin

  • Guest
Re: Win32:Dialer-1346
« Reply #28 on: July 26, 2009, 06:19:59 PM »
Well, better safe than sorry in that case; here's a link to the log: link
« Last Edit: July 28, 2009, 03:38:59 AM by Ragamuffin »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: Win32:Dialer-1346
« Reply #29 on: July 26, 2009, 06:29:24 PM »
Hi Ragamuffin,

Maybe you would like to make the link you gave in a previous posting non-clickable, because there is a suspicious inline script (script outside of the <HTML>...</HTML> block):

var memory; var nop = unescape("%u0808%u0808"); var spray=decodeURI("abcd0C0Cabcd6090abcd1CEBabcd4B...

It is the code of a PDF exploit with heap spray (because they know where to spray the heap, as Adobe's software is broken, they are sure of the desired results; so be extra cautious where you surf with the mentioned exploitable software!). For more on this exploit: wXw.milw0rm.com/exploits/8570

@essexboy, the danger is out there on the Internet...

@Ragamuffin: Well, let us return to the exploit in the links you gave with a short recapitulation of what the heap spray vulnerability stands for:

Heap spraying is basically termed as the substitute to 'Arbitrary Code Execution'. In plain English: intruders try to enter the system by executing some sort of code from your browser; hackers certainly know what is meant here.

Heap spraying was introduced back in 2001, and started getting off with the help of browsers in the year 2005 and beyond. This exploit has done major damage in that same year, 2005, as it was first tried in browsers at the time. This term is generally used by cybercriminals and in the computer security world to define arbitrary code execution.

This code which sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process' heap and fill the bytes in these blocks with the right values.

These heap blocks will be in approximately the same location every time the heap spray is run. Well, this is a well-known fact for hackers today. This gives them an advantage over testing Adobe against this heap spray exploit.

Adobe might have forgotten to close all its open doors for such a common vulnerability at the launch of the momentary version, but we will soon see it patched.
With the NoScript extension installed in the Firefox browser we are secure against this arbitrary code vulnerability or the next one, so no sweat.


polonus
« Last Edit: July 26, 2009, 06:42:26 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
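The traits polonus points at in the quoted fragment (a short unescape() "nop" unit repeated to build a sled, and a long hex-looking blob handed to decodeURI()) are exactly what a content filter or proxy can look for without having to run the script. The Python below is an added example for this thread, not code from the forum or from any of its posters: it scores a piece of inline JavaScript on those two traits plus the two classic sled-building constructs (a string doubled in a length-bounded loop, and an array filled with sled-plus-payload in a loop), and flags the script only when at least two independent traits co-occur. The regexes, the scoring threshold and the three sample scripts are constructed for this example; the first sample only extends the fragment polonus quoted with a made-up continuation of the blob the forum truncated with "...", and none of the samples carries a real payload.

```python
"""Heuristic detector for heap-spray-style inline JavaScript.

Added example for the Avast forum thread above; it is not code from the
thread or from any poster. It scores a script on traits the quoted
fragment shows (a repeated unescape() "nop" unit, a long hex-looking blob
given to decodeURI()) plus two classic sled-building constructs, and
flags the script when at least two independent traits co-occur.
"""
import re

# unescape("%u0808%u0808") style literals: a run of %uXXXX or %XX units.
UNESCAPE_RE = re.compile(
    r'unescape\s*\(\s*["\']((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+)["\']\s*\)'
)
UNIT_RE = re.compile(r'%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}')
# decodeURI("<long blob>") / decodeURIComponent(...): capture a long argument.
DECODE_RE = re.compile(r'decodeURI(?:Component)?\s*\(\s*["\']([0-9a-zA-Z%]{64,})')
# while (x.length < N) x += x;  -> string doubled until it reaches a target size
GROW_RE = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1'
)
# for (...) arr[i] = pad + payload;  -> many heap blocks filled with the same bytes
FILL_RE = re.compile(r'for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+')

SUSPICIOUS_THRESHOLD = 2  # a single trait on its own is common in benign code


def hex_ratio(text: str) -> float:
    """Fraction of characters that are hex digits (1.0 for a pure hex blob)."""
    if not text:
        return 0.0
    return sum(c in "0123456789abcdefABCDEF" for c in text) / len(text)


def analyze(js: str) -> dict:
    """Return a score, a verdict and human-readable findings for one script."""
    findings = []
    for m in UNESCAPE_RE.finditer(js):
        units = UNIT_RE.findall(m.group(1))
        # A sled is one or two distinct units repeated, e.g. %u0808%u0808.
        if len(units) >= 2 and len(set(units)) <= 2:
            findings.append("repeated unescape() unit: " + m.group(1)[:24])
    for m in DECODE_RE.finditer(js):
        blob = m.group(1)
        if hex_ratio(blob) > 0.8:
            findings.append(f"hex blob of {len(blob)} chars passed to decodeURI")
    if GROW_RE.search(js):
        findings.append("string doubled in a length-bounded loop (sled growth)")
    if FILL_RE.search(js):
        findings.append("array filled with sled + payload in a loop")
    return {
        "score": len(findings),
        "suspicious": len(findings) >= SUSPICIOUS_THRESHOLD,
        "findings": findings,
    }


# Constructed samples. "thread_fragment" is the snippet polonus quoted, with a
# made-up continuation of the blob the forum truncated with "..."; the others
# are hand-written skeletons that carry no real payload.
SAMPLES = {
    "thread_fragment": (
        'var memory; var nop = unescape("%u0808%u0808"); '
        'var spray=decodeURI("' + "abcd0C0Cabcd6090abcd1CEBabcd4B" * 4 + '");'
    ),
    "sled_skeleton": (
        'var pad = unescape("%u0c0c%u0c0c"); var payload = unescape("%u9090%u9090");'
        ' while (pad.length < 0x40000) pad += pad;'
        ' var m = new Array(); for (var i = 0; i < 200; i++) m[i] = pad + payload;'
    ),
    "benign_decode": (
        'var title = decodeURIComponent("Hello%20World");'
        ' document.getElementById("t").textContent = title;'
    ),
}


def scan_samples() -> dict:
    """Analyze every constructed sample; results are keyed by sample name."""
    return {name: analyze(js) for name, js in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        flag = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f"{name:16} {flag:10} score={result['score']}")
        for finding in result["findings"]:
            print("    -", finding)
```

The threshold of two traits is deliberate: a long hex string passed to decodeURI() on its own also appears in legitimate pages (embedded data, minified libraries), so the verdict needs a second, independent indicator such as the repeated unescape() unit the quoted fragment shows. Run as-is the script prints the verdict for each sample; in practice the `analyze` function would be fed the body of each inline `<script>` element a proxy or a page-inspection tool extracts.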