Author Topic: HEUR/HTML.Malware found - what to do now?  (Read 22191 times)


pastywhitegurl
HEUR/HTML.Malware found - what to do now?
« on: December 12, 2009, 02:22:28 PM »
Avira found this as I was googling a software review this morning and quarantined it:

Quote
Virus or unwanted program 'HEUR/HTML.Malware [heuristic]'
detected in file 'C:\Documents and Settings\Helena\Local Settings\Application Data\Mozilla\Firefox\Profiles\lfoq4mi4.default\Cache\BDFDE8C9d01.
Action performed: Move file to quarantine

I read that files like this can be false positives.  Should I do anything more about it? 

I'm never quite sure where to post questions like this because I don't know if I need scan logs or not to ask the question.


pastywhitegurl
Re: HEUR/HTML.Malware found - what to do now?
« Reply #1 on: December 12, 2009, 02:50:49 PM »
Ran an MBAM scan on C drive and found this:

Malwarebytes' Anti-Malware 1.42
Database version: 3349
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/12/2009 10:48:34 AM
mbam-log-2009-12-12 (10-48-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 224689
Time elapsed: 41 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

pastywhitegurl
Re: HEUR/HTML.Malware found - what to do now?
« Reply #2 on: December 12, 2009, 03:08:41 PM »
shoot...I just found something else that says this also could be an MBAM false positive.

This all seems so complicated.....

pastywhitegurl
Re: HEUR/HTML.Malware found - what to do now?
« Reply #3 on: December 12, 2009, 04:54:31 PM »
SuperAnti-Spyware has now found this:

Trojan.Agent/Gen-Nullo[Short]

http://img442.imageshack.us/img442/8922/12122009125135.png


I will be starting a new topic and posting my logs......wow.   I think I might need to reinstall NoScript.  This is crazy.

Corrine (Administrator)
Re: HEUR/HTML.Malware found - what to do now?
« Reply #4 on: December 12, 2009, 05:00:36 PM »
No new topic. Paste your logs here.  

I was already preparing a response with needed changes to your security defenses (including NoScript) but saw you had responded while previewing.  I will post the response but only do steps 1-4 until after your computer is cleaned.

~~~~~~~~~~~~~~~~~~

Search results are injected with all kinds of nasty goodies.  In addition, there are numerous websites infected with SQL injections (as evidenced by just one example of the 318x.com iframe injection: "318x SQL Injection Claims 125,000+" and "318x Compromises Bigger on Yahoo").

I suggest you do the following:

1)  Disable the following Extensions in Firefox:  

Java Console 6.0.15
Java Quick Starter 1.0

2)  Disable the following Plug-in in Firefox:

Windows Presentation Foundation
Java(TM) Platform SE 6U13

3)  Read the instructions and Install NoScript:  http://noscript.net/

4)  Go to http://www.mywot.com/ and install the add-on for both Firefox and IE. Although not perfect, WOT will help identify trusted sites.

5)  Update Internet Explorer to IE8.

6)  Install MVPS Hosts File, which will block all ads, banners, cookies, web bugs, and even most hijackers listed at http://www.mvps.org/winhelp2002/hosts.txt. This is accomplished by blocking the Server that supplies them.  Example from the update topic: the following entry 127.0.0.1 ad.doubleclick.net blocks all files supplied by the DoubleClick Server to the web page you are viewing. This also prevents the server from tracking your movements.
  • Right-click on the download link and save the file to your Desktop:  http://www.mvps.org/winhelp2002/hosts.zip
  • From your Desktop right-click (hosts.zip) and select: Extract All from the menu.
  • Click Next, click Next, select the option: "Show Extracted files", click Finish (this will open the newly created hosts folder on your Desktop).
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  • Go to http://www.landzdown.com/index.php?topic=244.0 and subscribe to the topic, being sure to visit the update notice each time you receive an e-mail notice.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
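The blocking mechanism step 6 describes, shown as an added example that is not part of the post above or of the MVPS project: a small Python model of how the resolver consults the HOSTS file before DNS. The hosts text is a constructed sample in the MVPS layout (the `.test` hostnames are placeholders; `ad.doubleclick.net` is the entry the post itself uses), and every function name here is the example's own.

```python
"""Added example (not from the post or the MVPS project): how an
MVPS-style HOSTS file blocks an ad server by name.

The resolver checks the HOSTS file before DNS; a name mapped to a
loopback/unspecified address never reaches the real server, so the ad,
beacon or redirect it would have served is not loaded.
"""
from urllib.parse import urlsplit

# Constructed sample in the MVPS layout: "<address>  <hostname>  # comment".
# ad.doubleclick.net is the entry the post uses; the .test names are placeholders.
SAMPLE_HOSTS = """\
# Start of entries inserted by MVPS HOSTS file (constructed sample)
127.0.0.1  localhost
127.0.0.1  ad.doubleclick.net        # DoubleClick ad server
127.0.0.1  ads.tracker.test  www.ads.tracker.test   # two names on one line
0.0.0.0    banners.example.test      # 0.0.0.0 is the other common block address
"""

# Addresses that block lists use to sinkhole a name.
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: address}. Comments and blank lines are ignored,
    a line may carry several names, and the first mapping of a name wins
    (the behaviour of the Windows resolver)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), address)
    return mapping


def resolve(hostname, mapping):
    """Address the HOSTS file gives for hostname, or None (falls through to DNS)."""
    return mapping.get(hostname.lower().rstrip("."))


def is_blocked(url, mapping):
    """True when the URL's host is sinkholed by the HOSTS file.
    Matching is by exact name: a listed name does not cover its subdomains."""
    host = urlsplit(url).hostname
    return host is not None and resolve(host, mapping) in BLOCK_ADDRESSES


def blocked_resources(urls, mapping):
    """Subset of a page's resource URLs the HOSTS file would stop loading."""
    return [u for u in urls if is_blocked(u, mapping)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    page = [
        "http://www.example.org/article.html",              # the page itself
        "http://ad.doubleclick.net/adj/section;sz=728x90",  # blocked
        "http://www.ads.tracker.test/pixel.gif",            # blocked
        "http://sub.ad.doubleclick.net/x",                  # NOT blocked: exact match only
    ]
    for url in blocked_resources(page, hosts):
        print("blocked:", url)
```

The last entry in the demo is the caveat worth knowing: a HOSTS file matches the exact name, so `sub.ad.doubleclick.net` is not covered by an entry for `ad.doubleclick.net`. That is why the list is long and why the post asks you to subscribe to the update topic.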

pastywhitegurl
Re: HEUR/HTML.Malware found - what to do now?
« Reply #5 on: December 12, 2009, 05:07:50 PM »
OK..   I made a new registry backup with ERUNT, then ran RSIT. It did not print an info.txt log.

I'll start on 1-4. 

Root Repeal results:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/12/12 13:08
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6D91000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADDA000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5CCF000   Size: 49152   File Visible: No   Signed: -
Status: -

SSDT
-------------------
#: 041   Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbaf3ae4e

#: 053   Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbaf3ae44

#: 063   Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xbaf3ae53

#: 065   Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xbaf3ae5d

#: 098   Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xbaf3ae62

#: 122   Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbaf3ae30

#: 128   Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbaf3ae35

#: 193   Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xbaf3ae6c

#: 204   Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xbaf3ae67

#: 247   Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xbaf3ae58

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb6e690b0

==EOF==


-------------------------------------------------------------------------------
Logfile of random's system information tool 1.06 (written by random/random)
Run by Helena at 2009-12-12 12:57:39
Microsoft Windows XP Professional Service Pack 3
System drive C: has 282 GB (93%) free of 305 GB
Total RAM: 2047 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:47 PM, on 12/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ImageShack\QuickShot\QuickShot.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SmileyPad\SmileyPad.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Helena\Desktop\desktopsV1.01.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Helena\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Helena.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF Viewer\PDFXCviewIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ImageShackUtil] C:\Program Files\ImageShack\QuickShot\QuickShot.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QSmile] C:\Program Files\AsefSoft\Quick Smile 3\QSmile.exe /h
O4 - HKLM\..\Run: [SmileyPad] C:\Program Files\SmileyPad\SmileyPad.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sysinternals Desktops] C:\Documents and Settings\Helena\Desktop\desktopsV1.01.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5898 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-562591055-682003330-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-562591055-682003330-1003UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F}]
PDF-XChange Viewer IE-Plugin - C:\Program Files\Tracker Software\PDF Viewer\PDFXCviewIEPlugin.dll [2009-07-14 1093400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-11 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-03-17 16858112]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-03-17 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"nwiz"=nwiz.exe /install []
"ImageShackUtil"=C:\Program Files\ImageShack\QuickShot\QuickShot.exe [2006-04-29 1046528]
"Samsung PanelMgr"=C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe [2008-02-25 536576]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"QSmile"=C:\Program Files\AsefSoft\Quick Smile 3\QSmile.exe /h []
"SmileyPad"=C:\Program Files\SmileyPad\SmileyPad.exe [2006-04-14 1331200]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe [2008-01-04 202024]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"Sysinternals Desktops"=C:\Documents and Settings\Helena\Desktop\desktopsV1.01.exe [2008-09-05 118824]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\Helena\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2009-12-09 00:43:21 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-09 00:43:16 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-09 00:43:11 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-09 00:42:46 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-09 00:42:40 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2009-12-08 07:18:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-06 16:10:33 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-01 09:51:20 ----D---- C:\Program Files\PNGGauntlet
2009-11-30 21:49:49 ----D---- C:\Documents and Settings\Helena\Application Data\OpenOffice.org
2009-11-30 21:47:29 ----D---- C:\Program Files\OpenOffice.org 3
2009-11-30 21:46:03 ----D---- C:\Program Files\redist
2009-11-30 21:46:03 ----D---- C:\Program Files\readmes
2009-11-30 21:46:03 ----D---- C:\Program Files\licenses
2009-11-30 10:38:40 ----D---- C:\Program Files\CCleaner
2009-11-28 10:38:52 ----A---- C:\RootRepeal report 11-28-09 (10-38-52).txt
2009-11-28 10:35:33 ----D---- C:\rsit
2009-11-28 10:31:33 ----D---- C:\WINDOWS\ERDNT
2009-11-28 10:31:00 ----D---- C:\Program Files\ERUNT
2009-11-25 03:01:22 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-11-25 03:01:16 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$

======List of files/folders modified in the last 1 months======

2009-12-12 12:57:41 ----D---- C:\WINDOWS\Prefetch
2009-12-12 12:41:50 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-12-12 12:41:47 ----D---- C:\Program Files\SpywareBlaster
2009-12-12 12:27:20 ----D---- C:\Program Files\Mozilla Firefox
2009-12-12 12:25:40 ----D---- C:\WINDOWS\Temp
2009-12-12 12:25:38 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-12 12:24:07 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-12 10:54:04 ----D---- C:\WINDOWS
2009-12-12 10:53:07 ----D---- C:\WINDOWS\system32\drivers
2009-12-12 10:52:07 ----D---- C:\WINDOWS\pss
2009-12-12 10:48:34 ----RD---- C:\Program Files
2009-12-11 19:48:10 ----D---- C:\Documents and Settings\Helena\Application Data\gtk-2.0
2009-12-09 01:30:07 ----D---- C:\WINDOWS\Debug
2009-12-09 00:45:01 ----D---- C:\WINDOWS\system32
2009-12-09 00:43:24 ----HD---- C:\WINDOWS\inf
2009-12-09 00:43:23 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-09 00:43:10 ----HD---- C:\WINDOWS\$hf_mig$
2009-12-09 00:43:02 ----D---- C:\WINDOWS\system32\en-us
2009-12-09 00:43:02 ----D---- C:\Program Files\Internet Explorer
2009-12-09 00:42:53 ----D---- C:\WINDOWS\ie7updates
2009-12-08 07:15:23 ----SHD---- C:\Config.Msi
2009-12-06 16:10:56 ----SHD---- C:\WINDOWS\Installer
2009-12-06 16:10:54 ----D---- C:\Program Files\SUPERAntiSpyware
2009-12-06 16:10:52 ----D---- C:\Documents and Settings\Helena\Application Data\SUPERAntiSpyware.com
2009-12-06 16:10:33 ----D---- C:\Program Files\Common Files
2009-12-05 14:59:13 ----D---- C:\WINDOWS\system32\config
2009-12-05 14:58:58 ----D---- C:\WINDOWS\system32\wbem
2009-12-05 14:58:58 ----D---- C:\WINDOWS\Registration
2009-12-01 14:06:19 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-30 22:58:01 ----D---- C:\Documents and Settings\Helena\Application Data\Macromedia
2009-11-30 21:48:38 ----RSD---- C:\WINDOWS\assembly
2009-11-30 21:47:46 ----RSD---- C:\WINDOWS\Fonts
2009-11-29 15:04:40 ----D---- C:\Documents and Settings\Helena\Application Data\OfficeUpdate12
2009-11-25 03:20:13 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-25 03:00:20 ----D---- C:\WINDOWS\WinSxS
2009-11-16 18:56:38 ----D---- C:\Program Files\GIMP-2.0
2009-11-16 14:54:41 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-11-15 01:30:03 ----D---- C:\WINDOWS\system
2009-11-15 01:30:03 ----D---- C:\Program Files\Common Files\Microsoft Shared

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-12-08 56816]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-03-17 4737024]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2008-03-17 54016]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2008-03-17 22016]
R3 nvsmu;nvsmu; C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2008-03-17 13312]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S2 DgiVecp;DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys []
S2 SSPORT;SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
S3 PSI;PSI; C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-08-06 185089]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-11 153376]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-09-20 853288]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2008-01-04 382248]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
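Reading the RootRepeal SSDT section of the log above: the following is an added Python example, not part of the post or of RootRepeal, that parses entries in that layout (constructed here from a subset of the log's own lines) and groups the hooks by the module RootRepeal attributed them to. RootRepeal writes `<unknown>` when it cannot tie a hook address to a module; the check also reports whether all unattributed hook addresses fall within one small window (`span_limit` is an assumed threshold), which is consistent with a single driver having installed them. That is a reason to identify the driver, not evidence of malware by itself.

```python
"""Added example (not part of the post or of RootRepeal): triage of a
RootRepeal SSDT listing.

Each hooked entry names the function, the module RootRepeal attributed
the hook to (or "<unknown>" when it could not) and the hook address.
The triage groups hooks by module and reports whether all unattributed
hook addresses lie within one small range, which is consistent with a
single driver having installed them.
"""
import re

# Constructed sample: a subset of the entries from the log above, in
# RootRepeal's own layout.
SAMPLE_SSDT = r"""
#: 041   Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbaf3ae4e

#: 053   Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbaf3ae44

#: 122   Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbaf3ae30

#: 193   Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xbaf3ae6c

#: 247   Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xbaf3ae58

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb6e690b0
"""

# One entry is two lines: the "#: NNN   Function Name: X" line and its Status line.
ENTRY = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\S+)\s*\n'
    r'Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)'
)

UNKNOWN = "<unknown>"


def parse_ssdt(text):
    """Return one dict per hooked SSDT entry: index, function, module, address."""
    return [
        {"index": int(idx), "function": func, "module": module, "address": int(addr, 16)}
        for idx, func, module, addr in ENTRY.findall(text)
    ]


def triage(hooks, span_limit=0x1000):
    """Group hooks by module. span_limit (assumed, 4 KiB) is the window within
    which unattributed hook addresses are treated as one driver's work."""
    by_module = {}
    for h in hooks:
        by_module.setdefault(h["module"], []).append(h["function"])
    unknown = by_module.pop(UNKNOWN, [])
    report = {
        "attributed": {m: sorted(f) for m, f in by_module.items()},
        "unattributed": sorted(unknown),
        "unattributed_span": None,
        "single_hooker_likely": False,
    }
    addrs = [h["address"] for h in hooks if h["module"] == UNKNOWN]
    if addrs:
        report["unattributed_span"] = max(addrs) - min(addrs)
        report["single_hooker_likely"] = report["unattributed_span"] < span_limit
    return report


if __name__ == "__main__":
    rep = triage(parse_ssdt(SAMPLE_SSDT))
    for module, funcs in rep["attributed"].items():
        print(f"{module}: {', '.join(funcs)}")
    print(f"unattributed: {', '.join(rep['unattributed'])}")
    if rep["single_hooker_likely"]:
        print(f"unattributed hooks span 0x{rep['unattributed_span']:x} bytes: "
              "likely one driver; identify it before deciding")
```

Hooks on process, thread and registry calls are exactly what a self-protecting security product installs (the SASKUTIL.sys hook in the log is one such), so attribution, not the presence of a hook, is what decides whether an entry needs action.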

Corrine (Administrator)
Re: HEUR/HTML.Malware found - what to do now?
« Reply #6 on: December 12, 2009, 05:31:11 PM »
Info.txt will only run one time, unless you delete the current copy from C:\RSIT.  That said, in looking at the Info.txt log from a couple weeks ago, I note that it shows only AntiVir in Security Center information and see your Specs link shows you are using the Windows firewall.  If you are not behind a router, it may be time for you to reconsider another firewall.

What SAS saw was in System Restore.  I merely wanted to double-check your log. 

Please do the following:

Run ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.
  • Shutdown/restart the computer.
Let's clear out the infected System Restore points.  First, create a new Restore Point:

1.  Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
2.  Click Create a Restore Point, and then click Next.
3.  Name your restore point. (i.e., clean)
4.  Click the Create button.
5.  When the new restore point has been created, click Close.

Now remove the infected restore points:
  • Click start-->Run and type cleanmgr into the run box and then click "OK".
  • Select the drive where Windows is installed (if you have more than one drive) and click "OK".
  • When the scan completes, check/uncheck desired boxes.
  • Next, please click the More Options tab at the top.
  • Click the "Clean up..." button under the System Restore section at the bottom.
  • Answer Yes to the question "Are you sure you want to delete all but the most recent restore point?", click OK and answer Yes again.
  • The disk clean up utility will remove the selected items.  When it completes, please restart the computer to properly record the changes made to the hard disk.
Now you can return to the list of suggestions I provided.


pastywhitegurl
Re: HEUR/HTML.Malware found - what to do now?
« Reply #7 on: December 12, 2009, 05:44:17 PM »
Can't find Java Console 6.0.15.

Steps 1-4 completed.  I did have NoScript operating at one point but removed it because it was causing problems accessing a site I visit every day. Can't remember the exact problem at the moment, but hopefully that can be sorted out.

Also, IE8 question:  Is this really a good idea, to update from IE7 to IE8 on my set-up?  My husband has advised me against it... doesn't like IE8 for some reason, possibly compatibility with XP? It may have been about not upgrading when it first came out, not sure.

Just ran ATF Cleaner, about to remove the system restore points...

pastywhitegurl
Re: HEUR/HTML.Malware found - what to do now?
« Reply #8 on: December 12, 2009, 05:54:06 PM »
after rebooting following ATF cleaner, I have lost all my quick launch icons except for the Avira one... :(

How do I get them back?

pastywhitegurl
Re: HEUR/HTML.Malware found - what to do now?
« Reply #9 on: December 12, 2009, 06:02:45 PM »
nvm....I rebooted again and they came back.   

Can I use CC Cleaner to delete the old system restore points? I always fear mucking stuff up when I type things into the Run box.  [When the scan completes, check/uncheck desired boxes. ??? Would that be all previous restore points except the one I just made?]

Also...yes we are behind a router with our cable provider.

Online Corrine
Re: HEUR/HTML.Malware found - what to do now?
« Reply #10 on: December 12, 2009, 06:49:28 PM »
No, CCleaner is not for old system restore points.  See the complete instructions regarding "More options" for the restore points, which explains that all but the last point will be removed.

I believe the equipment from your cable provider is a modem not a router.


Online Corrine
Re: HEUR/HTML.Malware found - what to do now?
« Reply #11 on: December 12, 2009, 07:01:04 PM »
Regarding IE8, it is your computer, your choice.  I am not aware of any compatibility issues with XP and am merely attempting to provide you with information for creating a secure environment.  Read about it here:  http://www.microsoft.com/windows/internet-explorer/default.aspx


Offline pastywhitegurl
Re: HEUR/HTML.Malware found - what to do now?
« Reply #12 on: December 12, 2009, 08:42:10 PM »
I believe I have completed everything on the list, including the update to IE8. I figure I hardly ever use IE except to test things, so what could it hurt. And I think my husband has washed his hands of me after I decided to uninstall CA Security Suite anyway... so I'm going to go with what you guys tell me. :)

For Disk Cleanup... I did it, and only checked Temporary Internet Files and Recycle Bin to clean before removing old system restore points. If I need to clean other areas with that, please specify.

Oh... one thing... I could not find Java Console 6.0.15 anywhere to disable.

I would be happy to reinstall the  Zone Alarm firewall. I liked it. The only reason I uninstalled it was because my husband couldn't get our computers to network and he thought that was the problem. (That and he kept telling me I didn't need a firewall anyway because we are behind a router)  Well, Zone Alarm has been gone for months and he still hasn't gotten the computers to network together, so I don't see any reason not to use it again.

I'll try and find the instructions again on how to do that.

Offline pastywhitegurl
Re: HEUR/HTML.Malware found - what to do now?
« Reply #13 on: December 12, 2009, 09:21:24 PM »
None of the WOT icons are showing on my search page... so now another thing to track down, but that can be sorted out later.

Found the post where you gave me some advice on this before and so have not proceeded with anything yet. (Except to download ZoneAlarm 9.1.007 from cnet.com.)

You talked about Microsoft Security Essentials and mentioned that ZoneAlarm is not on your recommended list because of the toolbar switcheroo thing. I could avoid installing that if I used ZoneAlarm, correct? Aside from that, is it a good firewall? Or would you be recommending something else?


Offline Paddy
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.