Possible Malware
Results 1 to 8 of 8

Thread: Possible Malware

Hybrid View

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    183

    Possible Malware

    My system is XP Pro SP3 and I use IE7 for browsing. I use a non-admin account for routine day-to-day computer needs

    I've had difficulty accessing www.netbootdisk.com and it's forum. When I try to access it now, I'm presented with a picture of a woman and adverts for several tools (a registry cleaner, network management tool etc.) I suspected that I had some malware so I started to investigate.

    I have ClamWin which doesn't report any problems and I've run AdAware, Spybot (in Safe Mode) and HiJackThis (in Normal Mode). AdAware found some tracking cookies but nothing of any great concern and I allowed it to remove them. Spybot was clean. Here's the HiJackThis log:

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:24:34, on 12/01/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\VMware\VMware Server\vmware-authd.exe
    C:\Program Files\VMware\VMware Server\vmware-hostd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Ignatius\Desktop\HiJackThis.exe
    
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonelabs.com/downloadrequest?updtConfId=1840&updtReqId=955937635
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1292428093-839522115-1060284298-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Ignatius')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll
    O15 - Trusted Zone: http://www.adobe.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O15 - Trusted Zone: http://download.zonealarm.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219575147145
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220910961751
    O16 - DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574} (VMware Remote Console Plug-in 2.5.0.00000) - 
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: VMware Host Agent (VMwareHostd) - Unknown owner - C:\Program Files\VMware\VMware Server\vmware-hostd.exe
    O23 - Service: VMware Server Web Access (VMwareServerWebAccess) - Apache Software Foundation - C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
    O23 - Service: VMware VSS Writer (vmwriter) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmVssWriter.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    
    --
    End of file - 6123 bytes
    I've rebooted several times between the various scans and also rebooted my ADSL router but the problem persists.

    Does anyone have any recommendations?

    Thanks for your time.

  2. #2
    Member
    Join Date
    Apr 2004
    Posts
    69
    Yes, it presents a pic of a woman and adverts to system tools for me as well.


    Looks like someone forgot to pay for their domain, and internet miscreants were only too happy to snap it up.

  3. #3
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    I will second that. Although i dont see ads or any women (due to my add blocking apps) i just see the:

    Welcome to netbootdisk.com

    Related Searches
    Insurance
    Credit Cards
    Education Online
    Hotel Reservation
    Dating Online
    Debt Consolidation
    @Ignatius
    I doubt that its your computers fault.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  4. #4
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Nothing wrong with your PC - Its the domain you are trying to access.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  5. #5
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
    Looks like someone has bought the domain and is either cybersquatting hoping the orig owner will offer them large amount of money.

    it's just a typical domain parking page.

  6. #6
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Thanks for the reassurance guys. I know that I practice safe hex so would have been surprised if I had been caught by some malware.

    As a side line, I really hope that the site admin gets it back under his control. I've found it a remarkably useful site and forum.

  7. #7
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    I have seen that screen before I think. I suspected that it was just some standard screen that a web host put up for non-revenue generating domains.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  8. #8
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    Somewhat off topic, but has anyone here used 'DropMyRights'? It was written by a MS employee for those that want to run as admin all of the time. It allows you to lower the rights of certain applications when you run them. So, for instance, you can run your browser with 'normal user' rights. I heard about it on the Security Now podcast...
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

Similar Threads

  1. A Detailed Malware Removal Guide
    By CyberB0b in forum The Security Tutorials Forum
    Replies: 20
    Last Post: August 15th, 2008, 12:07 PM
  2. Replies: 2
    Last Post: June 21st, 2008, 08:51 PM
  3. Malware Scanner Definitions, Signatures
    By Soda_Popinsky in forum AntiVirus Discussions
    Replies: 8
    Last Post: August 18th, 2004, 08:31 PM
  4. Fighting Malware
    By Starfuckers|Inc in forum The Security Tutorials Forum
    Replies: 7
    Last Post: November 10th, 2003, 01:41 PM
  5. LOVEGATE_J on the rise
    By thehorse13 in forum AntiVirus Discussions
    Replies: 3
    Last Post: May 23rd, 2003, 02:35 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •