[FIXED]Exploit.HTML.Hostile-URL.gen - DESKTOP PC
Goto page 1, 2 Next
CastleCops
-> Trend Micro HijackThis Logs
Author: Amethyst_08, Location: Canada
Posted: Thu Jun 26, 2008 5:34 pm Post subject: Exploit.HTML.Hostile-URL.gen - DESKTOP PC
Hello,
I am writing about 2 computers. One is a desktop PC, the other is a laptop networked wirelessly to the desktop. the desktop is running Windows XP Media Center Edition. The laptop is running Windows XP Pro. Both systems are using AVG Free 7.5 as antivirus, the Windows firewall (both systems are behind 2 NAT routers), and Spybot S & D 1.5. The desktop has the immunizer turned on but not the resident items. The laptop does not have the immunizer activated yet.
Not sure what I've got going on here. I was at this website [WARNING, THIS IS A MALWARE LINK, SO I AM INSERTING A SPACE TO KEEP IT FROM BEING CLICKABLE]:
http:// chaumontdevin.com /nonfiction/ evil.text
The website was just plain, ordinary text. No graphics, nothing. Just text. Simple. Looked harmless.
I saved the web page to my hard drive, to the shared folder. I scanned the file with AVG before I opened it. When I clicked to open it, I had to choose a program to open it with. I chose wordpad. It opened and looked like a plain text document.
We use a broadband satellite internet connection. We used to use dialup and that connection has been disabled but was still on the hard drive. The phone line was not connected to the PC. Since this file was opened, the dialup dialogue window has been popping up with our former dialup connection attempting to activate. I was suspicious and scanned the file at Virustotal on June 24th. It was declared clean at that time. I scanned my whole system with Bitdefender online and it came up clean. I've updated Spybot just yesterday and scanned with that. It came up clean. This morning I deleted the dialup account icon in my network folder and this item has not popped up since.
This morning I used the laptop to scan the file with http://virusscan.jotti.org/
It came up clean. However, today virustotal.com flagged it as this:
WindowWasher-Gateway: Exploit.HTML.Hostile-URL.gen
I've scanned the PC with Ewido's online scanner and it cleaned up 151 tracking cookies that Spybot has missed. (Not impressed.)
I've deleted the file and it's not even in my recycle bin. I checked my firefox download list and it says the file was downloaded as I described, but at a time of day when I'm pretty sure the PC wasn't even on.
I think I may have opened this file on the laptop as well with wordpad, unfortunately. I'll be scanning it later with Ewido as well.
Where do I go from here? The file in question is deleted, but how do I find out whether or not I still have a problem. Something was trying to phone home from the PC, that's obvious, but I don't know if it's gone or not or if there's something else there that needs to be cleaned up. It didn't succeed in connecting to the internet.
Should I be changing any passwords that were used since the download took place? (I think it was June 24th).
By the way, feel free to report that link. I'm not going to navigate to it, but I am going to notify google.
Help!
This is how virustotal saw the file:
File size: 1328 bytes
MD5...: 4b962b5c3bd7c3f6b7918b2b3abe4ba7
SHA1..: f43c5348b15c4a377bc645afd132f5a96ecf9b66
SHA256: 128dc372809221fb003be3b300e971e173e8b24ded73fd6f5ec840416a383f2d
SHA512: e5bb258c8731e2cd73f4e771721c17a752c9c6828b73a00041df612dec22d3e0
b08ffde55c9204eea36b22c32983de665d733aad9a639216e527c7a7a2ec8507
PEiD..: -
PEInfo: -
packers (F-Prot): Unicode
Virustotal called the file: "Default.html"
Author: Amethyst_08, Location: Canada
Posted: Thu Jun 26, 2008 6:15 pm Post subject:
I am currently scanning the PC with ESET's online scanner.
Author: Amethyst_08, Location: Canada
Posted: Thu Jun 26, 2008 6:15 pm Post subject:
I am currently scanning the PC with ESET's online scanner.
Author: Amethyst_08, Location: Canada
Posted: Thu Jun 26, 2008 7:59 pm Post subject:
Aggh! Having a heck of a time figuring out this forum. I've just run Hijack this on the PC and here's the log. Please let me know if there's anything wrong.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:50 PM, on 26/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager
Unicode\CTSyncU.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates
from HP.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft
Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&local
e=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&loc
ale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet
Explorer\Main,Start Page =
http://weatheroffice.ec.gc.ca/city/pages/sk-3_metric_e.h
tml
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&loc
ale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet
Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&loc
ale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Connection
Wizard,ShellNext =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&local
e=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper -
{68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program
Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class -
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint -
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program
Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP]
ARPWRMSG.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI
Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital
Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.
exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program
Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
/run
O4 - HKLM\..\Run: [LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program
Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program
Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup
"C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program
Files\Common
Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program
Files\Common Files\Scansoft
Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program
Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program
Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleTo
olbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program
Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program
Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run]
C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL
SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run]
C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User
'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run]
C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User
'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run]
C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User
'Default user')
O4 - Startup: Webshots.lnk = C:\Program
Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk =
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk =
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk =
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program
Files\Updates from HP\9972322\Program\Updates from
HP.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program
Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel
- res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print
List - res://C:\Program
Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed
Print - res://C:\Program
Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview -
res://C:\Program
Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print -
res://C:\Program
Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) -
{85d1f590-48f4-11d9-9669-0800200c9a66} -
C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender
Online Scanner v8 -
{85d1f590-48f4-11d9-9669-0800200c9a66} -
C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research -
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help -
{E2D4D26B-0180-43a4-B05F-462D6D54C789} -
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L
=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help -
{E2D4D26B-0180-43a4-B05F-462D6D54C789} -
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L
=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) -
{e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}
(Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
(ewidoOnlineScan Control) -
http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend
Micro ActiveX Scan Agent 6.6) -
http://housecall65.trendmicro.com/housecall/applet/html/
native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}
(DownloadManager Control) -
http://dlm.tools.akamai.com/dlmanager/versions/activex/d
lm-activex-2.0.6.5.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B}
(OnlineScanner Control) -
http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD}
(OnagerCtrl Class) -
http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
(BDSCANONLINE Control) -
http://download.bitdefender.com/resources/scan8/oscan8.c
ab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
(WUWebControl Class) -
http://www.update.microsoft.com/windowsupdate/v6/V5Contr
ols/en/x86/client/wuweb_site.cab?1191739698421
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5}
(Symantec RuFSI Utility Class) -
http://security.symantec.com/sscv6/SharedContent/common/
bin/cabsa.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582}
(ICSScanner Class) -
http://download.zonelabs.com/bin/promotions/spywaredetec
tor/ICSScanner371420.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125}
(mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
(ActiveScan Installer Class) -
http://acs.pandasoftware.com/activescan/as5free/asinst.c
ab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7}
(ActiveCGM Control) -
http://tgs.gov.mb.ca/roadinfo/help/downLoadIE/Acgm.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc.
- C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) -
GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) -
GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT,
s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access -
Creative Technology Ltd -
C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -
Macrovision Corporation - C:\Program Files\Common
Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling
Service (LightScribeService) - Hewlett-Packard Company -
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
--
End of file - 11700 bytes
The ESET scan came back clean, no malware found.
Author: Prince_Serendip,
Posted: Fri Jun 27, 2008 11:44 am Post subject:
I've split off the HijackThis log for your laptop to a seperate topic. It would get way too confusing to do them both in the same topic. This topic is now for your Desktop PC.
LAPTOP topic is posted here: 
/postitle224216-0-0-.html
You're Ready for cleaning. 
At CastleCops we screen all HijackThis logs for errors, out-of-date versions, unupdated operating systems, omissions and P2P applications; getting you [READY] for cleaning by our 1st Responders and Security Experts. Now you wait for one of them to come help you.
Author: Amethyst_08, Location: Canada
Posted: Thu Jul 10, 2008 6:07 pm Post subject:
Updated Hijack This log as of today:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:31 AM, on 10/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\arservice.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weatheroffice.ec.gc.ca/city/pages/sk-3_metric_e.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.0.6.5.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191739698421
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371420.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://tgs.gov.mb.ca/roadinfo/help/downLoadIE/Acgm.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
--
End of file - 12018 bytes
Computer is experiencing no behavior problems. 
Author: bamajim,
Posted: Fri Jul 11, 2008 1:54 pm Post subject:
Amethyst_08
I done see any signs of spyware/malware in the logs you posted.
You seem to have done a number of scans which alll came back clean.
Let's do one more to be sure.
Run an online virus scan called Kaspersky from HERE.
1. At the main page. Press on "Accept". After reading the contents.
2. At the next window Select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found they will appear in the report
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well
Author: Amethyst_08, Location: Canada
Posted: Fri Jul 11, 2008 3:38 pm Post subject:
Thanks, that's the news I wanted. 
Before I run the scans with Kapersky, I have a question. Does the Kapersky online scanner give one the option to have it 'report only' on what it finds, or does it just automatically clean or delete what it perceives as a threat? I've seen a lot of 'false positives' with security products and I don't want Kapersky deleting something that I don't want deleted. I've become a firm believer in 'verify and research it first' when it comes to security software and its findings. When I used ZoneAlarm Internet Security Suite, it was constantly flagging my graphics software as being malware when, in reality, it was anything but.
Thanks, looking forward to your reply. I've never tried Kapersky, but I'm always interested in learning about good online scanners.
Author: bamajim,
Posted: Fri Jul 11, 2008 4:50 pm Post subject:
Amethyst_08
The Kaspersky online only detects infections. It does not remove them. That why we request the log file.
Kaspersky is one of the most up to date and acurate online scans there is.
Author: Amethyst_08, Location: Canada
Posted: Fri Jul 11, 2008 10:12 pm Post subject:
I ran the Kapersky scan, and this is the result:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 11, 2008 17:26:31
Records in database: 943103
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics:
Files scanned: 132792
Threat name: 2
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 02:00:42
File name / Threat name / Threats count
C:\Documents and Settings\HP_Administrator\My Documents\Computer driver updates\zaSuiteSetup_65_737_000_en.exe Infected: Exploit.PHP.Userpic.a 1
C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\AiOHelp\1200trb.cab Infected: Exploit.PHP.Userpic.a 1
C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\AiOHelp\1300_help.cab Infected: Exploit.PHP.Userpic.a 4
C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\AiOHelp\1310_help.cab Infected: Exploit.PHP.Userpic.a 4
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
The selected area was scanned.
The first item on the list, zaSuiteSetup_65_737_000_en.exe, is most definitely a false positive. It is the ZoneAlarm Internet Security Suite which I downloaded quite a while ago. I no longer use ZoneAlarm. I'm uploading that one to virustotal right now. There's no reason for me to have this .exe on my system, actually. I won't be using it.
I'm not so sure about the other ones, the .cab files in the AiOHelp folder. When I right click on properties, I get their size and the dates they were created and that's it. I do think, they are part of my HP imaging software. I can't find anything online about them in the way of information. I scanned each of them at virustotal.com and only GData 2.0.7306.1023 flags them as being that Exploit.PHP item. I'll check at the HP website for more information on those.
The AOL item came pre-installed on the computer, as did a lot of extra things that I've never used. I don't use AOL at all. At virustotal.com, Sophos also flags this one as being a problem and also calls it "SearchIt.t".
So now what? I wasn't expecting to find any problems at all, so this is rather alarming, actually.
Author: Amethyst_08, Location: Canada
Posted: Fri Jul 11, 2008 10:28 pm Post subject:
I'm seeing rumblings about this Exploit.PHP.Userpic.a thing being a false positive, would like to know if this is the case with my files.
I hope it's OK to post links to other forums.
http://forum.kaspersky.com/index.php?s=a6af3be5a01b3a514d26355676221233&showtopic=76469
I guess my concern about those .cab files is that I still do use the HP imaging software, this came preinstalled on my system. I don't know how to replace those .cab files if there is something wrong with them and I don't know if the software would be usable without them.
Author: Amethyst_08, Location: Canada
Posted: Fri Jul 11, 2008 10:44 pm Post subject:
Re those .cab files, their properties all say they were last modified May 23, 2005. All of the .cab files in that entire folder have the same modification date.
(You can tell I really WANT this to be a false positive,eh? 
)
I removed the ZoneAlarm setup file from my hard drive. It didn't need to be there anyway. I don't think the AOL .exe is actually functioning, but I can probably get rid of that if you think it's advisable. I'll never use AOL.
Author: Amethyst_08, Location: Canada
Posted: Sat Jul 12, 2008 1:39 am Post subject:
I scanned each of those .cab files at virusscan.jotti.org/, and they were flagged as Exploit.PHP.Userpic.a by F-Secure Antivirus, Ikarus, and of course Kapersky. And nothing was detected by any of the programs I would have normally scanned with for a 2nd or third opinion, such as Panda, Bitdefender, and ESET. AVG is not finding anything.
I can't find any information about this on the internet. The modification date of these .cab files is the same as that of all the other .cab files and executables in that folder. I don't know what to think at this point.
Anyway, I'll say no more until I hear from an expert. 
Author: bamajim,
Posted: Sat Jul 12, 2008 1:43 am Post subject:
Amethyst_08
They are false positives.
There is nothing there to be concerned about. False positives are created when certain files display similar properties as malware files. It happens.
The .exe file associated with AOL was tagged as Adware. Which may or may not be true. AOL has allowed themselves to become a large advertising IE provider, which is the very reason that they are almost gone.
Author: Amethyst_08, Location: Canada
Posted: Wed Jul 16, 2008 2:39 am Post subject:
OK, thanks! I guess we'll consider this matter resolved.
This is a great service you guys offer here, much appreciated.
CastleCops
-> Trend Micro HijackThis Logs
All times are GMT
Goto page 1, 2 Next
Page 1 of 2
Powered by phpBB © 2001 phpBB Group