I thought a later scan log might be better.
PANDA log Activescan:
Incident Status Location
Adware:adware/baidubar Not disinfected Windows Registry
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\User\Cookies\user@com[1].txt
Adware:Adware/BaiduBar Not disinfected C:\WINDOWS\system32\morelion.exe[MdaSet.exe]
Deckard's System Scanner main.txt:
Deckard's System Scanner v20071014.68
Run by User on 2008-02-01 23:45:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as User.exe) ------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:11 PM, on 01/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 127.0.0.2 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe Common Objects - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChikkaDefault] C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Ò×Ȥ¹ºÎï - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=824 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=824 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8025 bytes
-- Files created between 2008-01-01 and 2008-02-01 -----------------------------
2008-02-01 23:05:22 0 dr-h----- C:\Documents and Settings\User\Recent
2008-02-01 22:11:39 0 d-------- C:\ie-spyad_zo
2008-02-01 22:03:22 0 d-------- C:\Program Files\SpywareBlaster
2008-02-01 21:52:56 8576 --a------ C:\WINDOWS\system32\drivers\mekyvadoedlc.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-01 18:29:57 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-02-01 18:18:44 0 d-------- C:\Program Files\Hewlett-Packard
2008-02-01 18:16:23 0 d-------- C:\WINDOWS\LastGood
2008-02-01 18:15:46 0 d-------- C:\Program Files\HP
2008-02-01 18:12:07 116970 --a------ C:\WINDOWS\hpoins11.dat
2008-01-30 00:03:25 0 d-------- C:\WINDOWS\system32\NtmsData
2008-01-28 01:47:42 0 d-------- C:\Documents and Settings\User\Application Data\OfficeUpdate12
2008-01-28 01:45:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-28 01:43:04 0 d-------- C:\Program Files\Windows Live Safety Center
2008-01-28 01:30:03 0 d-------- C:\Program Files\iPod
2008-01-28 01:29:35 0 d-------- C:\Program Files\iTunes
2008-01-28 01:26:17 0 d-------- C:\Program Files\QuickTime
2008-01-28 01:22:10 0 d-------- C:\Program Files\Common Files\Apple
2008-01-28 01:01:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-27 23:12:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-27 23:08:22 0 d-------- C:\Program Files\Yahoo!
2008-01-25 18:02:18 188960 -----n--- C:\WINDOWS\system\WINGDE.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-01-25 18:02:18 12800 -----n--- C:\WINDOWS\system\WING32.DLL <Not Verified; Microsoft Corporation; WinG>
2008-01-25 18:02:18 92208 -----n--- C:\WINDOWS\system\WING.DLL <Not Verified; Microsoft Corporation; WinG>
2008-01-25 18:02:18 44464 -----n--- C:\WINDOWS\system\D2HTOOLS.DLL <Not Verified; WexTech Systems, Inc.; Doc-To-Help®>
2008-01-22 20:20:30 0 d-------- C:\Program Files\Microsoft Games
2008-01-21 15:11:10 298496 -----n--- C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-01-21 15:11:08 0 d-------- C:\Documents and Settings\User\WINDOWS
2008-01-18 17:13:12 0 d-------- C:\Program Files\Trend Micro
2008-01-18 16:52:44 0 d-------- C:\Documents and Settings\User\Application Data\WinRAR
2008-01-18 15:36:15 8576 -----n--- C:\WINDOWS\system32\drivers\rjvescefttgt.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 15:18:22 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 20:31:27 0 d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-01-11 23:01:21 0 d-------- C:\Program Files\Chikka Messenger
2008-01-11 22:42:33 765952 -----n--- C:\WINDOWS\system32\xvidcore.dll
2008-01-11 22:42:31 180224 -----n--- C:\WINDOWS\system32\xvidvfw.dll
2008-01-11 22:42:31 0 d-------- C:\Program Files\Xvid
2008-01-11 22:32:28 0 d-------- C:\Documents and Settings\Charles\Application Data\WinRAR
2008-01-10 19:39:12 0 d-------- C:\Program Files\Windows Defender
2008-01-10 15:29:23 0 d-------- C:\Program Files\Windows Live
2008-01-09 19:51:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-01-09 19:47:33 0 d--hs---- C:\Documents and Settings\LocalService\UserData
2008-01-09 02:14:18 0 d-------- C:\Program Files\Common Files\ODBC
2008-01-09 00:30:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-01-06 13:08:00 14 -----n--- C:\WINDOWS\system32\-10958-54120
2008-01-06 04:08:48 14 -----n--- C:\WINDOWS\system32\systeminfo3.dll
2008-01-05 11:42:19 20541 -----n--- C:\WINDOWS\system32\detoured.dll <Not Verified; Microsoft Corporation; Microsoft Research Detours Package>
2008-01-05 11:04:04 18087 -----n--- C:\WINDOWS\system32\comrcinf.dat
2008-01-04 13:45:48 396 -----n--- C:\WINDOWS\system32\cmbinfo.dat
2008-01-04 13:45:19 165693 -----n--- C:\WINDOWS\system32\dodolook254.exe
2008-01-03 23:56:23 0 d-------- C:\Program Files\Microsoft Works
2008-01-03 23:52:40 0 d-------- C:\Program Files\Microsoft Visual Studio 8
-- Find3M Report ---------------------------------------------------------------
2008-02-01 23:22:41 0 d-------- C:\Program Files\Symantec AntiVirus
2008-02-01 23:19:42 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-01 18:01:33 0 d-------- C:\Program Files\Common Files
2008-01-28 18:10:47 0 d-------- C:\Documents and Settings\User\Application Data\Image Zone Express
2008-01-28 13:14:16 0 d-------- C:\Program Files\Apple Software Update
2008-01-27 23:12:42 0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2008-01-21 15:43:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-10 15:24:03 45056 ---hs---- C:\WINDOWS\bitdot.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2008-01-05 20:15:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 19:39:57 0 d-------- C:\Program Files\Common Files\Adobe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}]
04/01/2008 02:10 PM 172032 --------- C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/01/2005 09:36 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/01/2005 09:31 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [14/10/2004 01:42 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 06:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 12:11 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/06/2005 09:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [23/06/2005 07:27 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/01/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [15/01/2008 03:22 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00 AM]
"ChikkaDefault"="C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe" [28/08/2007 05:11 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [30/08/2007 05:43 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [04/01/2008 7:40:08 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d3cbaa-8028-11dc-8623-000f1f927d07}]
AutoRun\command- E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468a92cc-5a31-11dc-85cc-000f1f927d07}]
AutoRun\command- E:\LaunchU3.exe -a
*Newly Created Service* - MEKYVADOEDLC
*Newly Created Service* - VCABIAHBWJXA
-- End of Deckard's System Scanner: finished at 2008-02-01 23:47:24 ------------
Thank you.