Posts posted by vinakamath

  1. Just realized I didn't attach the latest mbam log:

    Malwarebytes' Anti-Malware 1.32

    Database version: 1646

    Windows 5.1.2600 Service Pack 2

    1/12/2009 6:07:45 PM

    mbam-log-2009-01-12 (18-07-45).txt

    Scan type: Quick Scan

    Objects scanned: 98740

    Time elapsed: 14 minute(s), 42 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

  2. While awaiting your reply I tried a few things, and I think I may have been successful in removing the trojan. Here are the steps I took:

    1) Disabled Teatimer

    2) Disabled system restore

    3) There were two entries I fixed using Hijackthis

    BHO - {no name} - {xxxxxxxxxxxxxxxxxxx....}

    O20 - AppInit <3 DLLs>

    4) Restarted the system

    5) Ran mbam Quick Scan - 2 problems showed up as above. Fixed these.

    6) Restarted system.

    This seems to have fixed the issue since the MS Juan and MS Track System don't show up anymore. Also, there is no popup issue with Firefox. And Vundo does not show up in S&D or mbam. After all this, I turned on TeaTimer.

    I just ran HijackThis and the following entry showed up...I had fixed a similar entry in hijackthis previously:

    O2 - BHO: (no name) - {E389CDA1-7ED6-4605-B9A6-9E648714D623} - (no file)

    So has Vundo gone away or just hiding to fight another day?

    Also, I need these Java versions for my work since I need to work on older Java versions for some older products.

    Thanks for all your help.

    Just attaching the latest mbam and hjt logs for your reference:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 7:30:46 PM, on 1/12/2009

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\Program Files\lotus\notes\nslsvice.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

    C:\WINDOWS\system32\nfsclnt.exe

    C:\WINDOWS\system32\crypserv.exe

    C:\Program Files\Dell\OpenManage\Client\Iap.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\lotus\notes\ntmulti.exe

    C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    C:\WINDOWS\system32\PSXRUN.EXE

    C:\WINDOWS\system32\psxss.exe

    C:\SFU\usr\sbin\zzInterix

    C:\SFU\usr\sbin\init

    C:\SFU\usr\sbin\inetd

    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

    C:\WINDOWS\TEMP\KEF157.EXE

    C:\WINDOWS\system32\wbem\wmiapsrv.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\rundll32.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Apoint\HidFind.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\WINDOWS\stsystra.exe

    C:\jre1.5.0_14\bin\jusched.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Program Files\Skype\Phone\Skype.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    C:\Program Files\Skype\Plugin Manager\SkypePM.exe

    C:\jre1.5.0_14\bin\jucheck.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\EditPlus 2\editplus.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.sharepoint

    O15 - Trusted Zone: http://*.sharepoint (HKLM)

    O15 - ESC Trusted Zone: http://mozilla.davz.net

    O15 - ESC Trusted Zone: http://i2corpinet1.i2.com

    O15 - ESC Trusted Zone: http://www.mozilla.com

    O15 - ESC Trusted Zone: http://sea.search.msn.com

    O15 - ESC Trusted Zone: http://www.netidentity.com

    O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com

    O15 - ESC Trusted Zone: http://login.passport.com

    O15 - ESC Trusted Zone: http://login.passport.net

    O15 - ESC Trusted Zone: http://www.sysinternals.com

    O15 - ESC Trusted Zone: http://mozilla.davz.net (HKLM)

    O15 - ESC Trusted Zone: http://i2corpinet1.i2.com (HKLM)

    O15 - ESC Trusted Zone: http://www.mozilla.com (HKLM)

    O15 - ESC Trusted Zone: http://sea.search.msn.com (HKLM)

    O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com (HKLM)

    O15 - ESC Trusted Zone: http://login.passport.com (HKLM)

    O15 - ESC Trusted Zone: http://login.passport.net (HKLM)

    O16 - DPF: fdba39af-b1d4-41ab-b45e-ff4bb5755336 - https://icm.i2.com//Downloads/cmW32client.cab

    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

    O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://dlwsis02/aspnet_client/Altiris_AppW...ib/mcsimenu.CAB

    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055187531

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055178937

    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

    O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://dlwsis02/aspnet_client/Altiris_AppW...lib/VSFlex8.CAB

    O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://extranet.i2.com/nortel_cacheable/NetDirect.cab

    O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://extranet.i2.com/nortel_cacheable/iewiper.cab

    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://i2corpmail11.i2.com/dwa7W.cab

    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/T25L/webex/ieatgpc.cab

    O16 - DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} (Altiris Clipboard Helper) - http://dlwsis02/aspnet_client/Altiris_AppW...eXClipboard.CAB

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i2.com

    O17 - HKLM\Software\..\Telephony: DomainName = i2.com

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = i2.com

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = i2.com

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\i2 VPN Access\Extranet_serv.exe

    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: i2 CIS 6.3 Agent 5015 (i2_CIS_6.3_Agent_5015) - Macrovision - C:\i2\CIS\6.3\NTServiceScripts\CISAgent.exe

    O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe

    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe

    O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: OracleDBConsoleorcl - Unknown owner - D:\oracle\product\11.1.0\db_1\bin\nmesrvc.exe (file missing)

    O23 - Service: OracleOraDb11g_home1TNSListener - Unknown owner - D:\oracle\product\11.1.0\db_1\BIN\TNSLSNR.exe (file missing)

    O23 - Service: OracleServiceORCL - Unknown owner - d:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE (file missing)

    O23 - Service: Sonexis Application Sharing Driver Service - Sonexis, Inc. - C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe

    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    O23 - Service: Transportation Manager Process Monitor (TmProcMonSrvc) - Unknown owner - C:\WINDOWS\system32\TmProcMonSrvc.exe (file missing)

    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --

    End of file - 14521 bytes

  3. I have Spybot S&D immunizing my system. Also have OfficeScan as the anti-virus (this is provided by my company, so don't have a choice here). OfficeScan doesn't find anything. S&D found Trojan.Vundo and said it removed that successfully. But Vundo keeps showing up. I then found MalwareBytes and ran that. The steps i have followed are:

    1) Turn off system restore.

    2) Ran Malwarebytes Quick Scan

    3) Fixed problems.

    I have attached the log which says it removed 2 registry entries for MS Juan and MS Track System. When I restart the system the registry entries come back up.

    I have also tried VundoFix, VundoBeGone and Symantec's FixVundo. None of these work. Also, tried running MalwareBytes in safe mode. Didn't work.

    In terms of my system, IE 6 works fine. But when I use Firefox, I get popups redirecting to sagipsul.com and these popups are opening IE windows. Don't know if this is a separate issue.

    I am attaching the MalwareBytes log and the hijackthis log:

    Malwarebytes' Anti-Malware 1.32

    Database version: 1646

    Windows 5.1.2600 Service Pack 2

    1/12/2009 2:22:17 PM

    mbam-log-2009-01-12 (14-22-17).txt

    Scan type: Quick Scan

    Objects scanned: 99758

    Time elapsed: 14 minute(s), 55 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 2

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    Hijack this log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 3:15:43 PM, on 1/12/2009

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\Program Files\lotus\notes\nslsvice.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

    C:\WINDOWS\system32\nfsclnt.exe

    C:\WINDOWS\system32\crypserv.exe

    C:\Program Files\Dell\OpenManage\Client\Iap.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\lotus\notes\ntmulti.exe

    C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\userinit.exe

    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    C:\WINDOWS\system32\PSXRUN.EXE

    C:\WINDOWS\system32\psxss.exe

    C:\SFU\usr\sbin\zzInterix

    C:\SFU\usr\sbin\init

    C:\SFU\usr\sbin\inetd

    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

    C:\WINDOWS\TEMP\ULDEAF.EXE

    C:\WINDOWS\system32\wbem\wmiapsrv.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\rundll32.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Apoint\HidFind.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\WINDOWS\stsystra.exe

    C:\jre1.5.0_14\bin\jusched.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Program Files\Skype\Phone\Skype.exe

    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    C:\Program Files\Skype\Plugin Manager\SkypePM.exe

    C:\jre1.5.0_14\bin\jucheck.exe

    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

    C:\Program Files\lotus\notes\NLNOTES.EXE

    C:\Program Files\lotus\notes\ntaskldr.EXE

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\system32\NOTEPAD.EXE

    C:\WINDOWS\regedit.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.sharepoint

    O15 - Trusted Zone: http://*.sharepoint (HKLM)

    O15 - ESC Trusted Zone: http://mozilla.davz.net

    O15 - ESC Trusted Zone: http://i2corpinet1.i2.com

    O15 - ESC Trusted Zone: http://www.mozilla.com

    O15 - ESC Trusted Zone: http://sea.search.msn.com

    O15 - ESC Trusted Zone: http://www.netidentity.com

    O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com

    O15 - ESC Trusted Zone: http://login.passport.com

    O15 - ESC Trusted Zone: http://login.passport.net

    O15 - ESC Trusted Zone: http://www.sysinternals.com

    O15 - ESC Trusted Zone: http://mozilla.davz.net (HKLM)

    O15 - ESC Trusted Zone: http://i2corpinet1.i2.com (HKLM)

    O15 - ESC Trusted Zone: http://www.mozilla.com (HKLM)

    O15 - ESC Trusted Zone: http://sea.search.msn.com (HKLM)

    O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com (HKLM)

    O15 - ESC Trusted Zone: http://login.passport.com (HKLM)

    O15 - ESC Trusted Zone: http://login.passport.net (HKLM)

    O16 - DPF: fdba39af-b1d4-41ab-b45e-ff4bb5755336 - https://icm.i2.com//Downloads/cmW32client.cab

    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

    O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://dlwsis02/aspnet_client/Altiris_AppW...ib/mcsimenu.CAB

    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055187531

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055178937

    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

    O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://dlwsis02/aspnet_client/Altiris_AppW...lib/VSFlex8.CAB

    O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://extranet.i2.com/nortel_cacheable/NetDirect.cab

    O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://extranet.i2.com/nortel_cacheable/iewiper.cab

    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://i2corpmail11.i2.com/dwa7W.cab

    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/T25L/webex/ieatgpc.cab

    O16 - DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} (Altiris Clipboard Helper) - http://dlwsis02/aspnet_client/Altiris_AppW...eXClipboard.CAB

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i2.com

    O17 - HKLM\Software\..\Telephony: DomainName = i2.com

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = i2.com

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = i2.com

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O20 - AppInit_DLLs: AMINIT.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xoovts.dll

    O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\i2 VPN Access\Extranet_serv.exe

    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: i2 CIS 6.3 Agent 5015 (i2_CIS_6.3_Agent_5015) - Macrovision - C:\i2\CIS\6.3\NTServiceScripts\CISAgent.exe

    O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe

    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe

    O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: OracleDBConsoleorcl - Unknown owner - D:\oracle\product\11.1.0\db_1\bin\nmesrvc.exe (file missing)

    O23 - Service: OracleOraDb11g_home1TNSListener - Unknown owner - D:\oracle\product\11.1.0\db_1\BIN\TNSLSNR.exe (file missing)

    O23 - Service: OracleServiceORCL - Unknown owner - d:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE (file missing)

    O23 - Service: Sonexis Application Sharing Driver Service - Sonexis, Inc. - C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe

    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    O23 - Service: Transportation Manager Process Monitor (TmProcMonSrvc) - Unknown owner - C:\WINDOWS\system32\TmProcMonSrvc.exe (file missing)

    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --

    End of file - 14747 bytes
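The two HijackThis logs in this thread (the 3:15 PM scan with the O20 AppInit_DLLs line, and the 7:30 PM scan after the manual fixes) are the kind of before/after pair a responder wants to compare mechanically rather than by eye: which entries were removed, which appeared, and whether anything merely changed shape. The script below is an added example, not code from the thread or from HijackThis or Malwarebytes. It parses a few constructed sample lines copied from the posted logs, flags O2 BHO registrations marked "(no file)" (a registry key whose DLL is already gone, like the {E389CDA1-...} entry the poster saw reappear), lists AppInit_DLLs entries not on a small allowlist (the allowlist containing only Google Desktop's GOEC62~1.DLL is an assumption for this example), and reports executables running out of C:\WINDOWS\TEMP. The logs show ULDEAF.EXE in that directory at 3:15 PM and KEF157.EXE at 7:30 PM; the comparison function surfaces that rename so it can be looked at rather than inferred from a recurring registry key alone.

```python
import re

# Constructed sample input: a few lines copied from the two HijackThis logs
# quoted in this thread (the 3:15 PM and 7:30 PM scans on 1/12/2009), plus
# the O2 line quoted in the follow-up post. Real logs run to hundreds of lines.
HJT_1515 = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\ULDEAF.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: AMINIT.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xoovts.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

HJT_1930 = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\KEF157.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O2 - BHO: (no name) - {E389CDA1-7ED6-4605-B9A6-9E648714D623} - (no file)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Assumption for this example: the only AppInit DLL expected on this machine is
# Google Desktop's (GOEC62~1.DLL in 8.3 form). Everything else is reported.
KNOWN_APPINIT_DLLS = frozenset({"goec62~1.dll"})

ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Split an HJT log into the running-process list and the 'Oxx - ...' entries."""
    processes, entries = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "Running processes:":
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return {"processes": processes, "entries": entries}


def find_orphan_bhos(entries):
    """O2 BHO registrations whose DLL is gone: the registry key outlived the file."""
    return [CLSID_RE.search(rest).group(0)
            for code, rest in entries
            if code == "O2" and rest.endswith("(no file)") and CLSID_RE.search(rest)]


def suspicious_appinit(entries, known=KNOWN_APPINIT_DLLS):
    """DLL names in AppInit_DLLs that are not on the allowlist.

    AppInit_DLLs are loaded into every process that loads user32.dll, which is
    why a DLL you cannot account for there deserves a look."""
    found = []
    for code, rest in entries:
        if code != "O20" or not rest.startswith("AppInit_DLLs:"):
            continue
        for item in rest[len("AppInit_DLLs:"):].split():
            name = item.rsplit("\\", 1)[-1]      # strip any 8.3 path prefix
            if name.lower() not in known:
                found.append(name)
    return found


def temp_executables(processes):
    """Processes whose image lives in the Windows TEMP directory."""
    return [p for p in processes if "\\WINDOWS\\TEMP\\" in p.upper()]


def compare_scans(before_text, after_text):
    """Diff two scans: entries removed, entries added, and whether a TEMP
    executable is still present under a different name."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    b_entries, a_entries = set(before["entries"]), set(after["entries"])
    b_temp = temp_executables(before["processes"])
    a_temp = temp_executables(after["processes"])
    return {
        "removed_entries": sorted(b_entries - a_entries),
        "new_entries": sorted(a_entries - b_entries),
        "temp_exes_before": b_temp,
        "temp_exes_after": a_temp,
        "temp_exe_renamed": bool(b_temp) and bool(a_temp) and set(b_temp) != set(a_temp),
    }


if __name__ == "__main__":
    print("orphan BHOs in later scan:", find_orphan_bhos(parse_hjt(HJT_1930)["entries"]))
    print("unlisted AppInit DLLs in earlier scan:", suspicious_appinit(parse_hjt(HJT_1515)["entries"]))
    for key, value in compare_scans(HJT_1515, HJT_1930).items():
        print(f"{key}: {value}")
```

Run against the constructed lines, `compare_scans` reports the O20 line as removed, the O2 "(no file)" line as new, and `temp_exe_renamed` as true because the TEMP executable is still there under another name. That last signal is what an orphaned BHO key or a re-created `MS Juan` key cannot tell you on its own: whether the component that re-creates those keys is still running. The same functions work on a full saved HJT log read from disk.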
