Trojan.Script.255967


Trojan.Script.255967

Post by digiman56 on 29th January 2010, 3:40 pm

Win Xp SP3, Bit Defender 2010 Total Security, SpyBot S&D

For the last two days I have been unable to save any of my files in Front Page 2003.

Bit Defender informs me I have the above trojan and promptly quarantines it, but every time I try and save again in FP I get the same result, plus a FP warning that it cannot open certain temp files (e.g. wpZ9fs03.tmp). Apparently the trojan is stored in Temp Internet Files Folder\Front Page Temp Dir\fpmboauu.tmp.

However, I am unable to locate the Temp Internet Files folder at all, it is not showing anywhere! I have some knowledge of the workings of computers but this has got me baffled. I instructed IE to move the Temp Internet Files folder to a different location but still do not see it. I have all folders and files showing, including hidden.

SpyBot did not detect it. Can anyone help please?

Many thanks

Results from HiJack This report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:20:48, on 29/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Admin\My Documents\Downloads\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8BE4467-0D57-4FC1-AF58-87C9458321B3}: NameServer = 62.24.139.6 62.24.139.7
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. [You must be registered and logged in to see this link.] - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: 0bb5d905ac8cb79dbb7a0d60b6a3ef84 (bbffcadbeefedd) - Unknown owner - C:\WINDOWS\bbffcadbeefedd.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

--
End of file - 9177 bytes


Last edited by digiman56 on 29th January 2010, 3:42 pm; edited 1 time in total (Reason for editing : misspelt word)

digiman56
Novice
Posts: 8
Joined: 2010-01-29
OS: Windows XP
Points: 25120
Likes: 0

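The HijackThis log above contains two entries a helper would look at first: a process named winlogon.scr running from the user's Downloads folder, and an O23 service with a random hex name whose file is missing. The script below is an added example (not from the thread, HijackThis or BitDefender) that runs a few defender-side triage heuristics of the author's own design over a constructed subset of such log lines; the rules and the SAMPLE_LOG text are assumptions built for illustration.

```python
"""Triage heuristics for HijackThis-style log entries.

Added example, not code from the forum thread or from HijackThis itself.
The rules are the author's own defender-side heuristics; the sample log
below is a constructed subset modelled on the entries quoted in the thread.
"""
import re
from pathlib import PureWindowsPath

# Core Windows binaries whose names malware commonly borrows (winlogon.scr in a
# Downloads folder is the case from the thread).
SYSTEM_BINARY_NAMES = {"winlogon", "svchost", "lsass", "csrss", "services", "smss", "explorer"}

# Directories where Windows components and installed software are expected to live.
TRUSTED_DIR = re.compile(r"^[A-Za-z]:\\(WINDOWS|Program Files|PROGRA~\d)\\", re.IGNORECASE)

# A service display or short name that is nothing but a long run of hex digits
# looks machine-generated rather than chosen by a vendor.
HEX_NAME = re.compile(r"^[0-9a-f]{12,}$", re.IGNORECASE)

# First executable-looking path in a line; the lazy match copes with unquoted
# paths that contain spaces (e.g. C:\Program Files\...).
EXE_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|scr|dll|cmd|bat|com|pif)\b", re.IGNORECASE)

# O23 service entry: display name, optional (short name), owner, path, optional marker.
O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: a handful of lines in the shape of the thread's HijackThis log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Documents and Settings\Admin\My Documents\Downloads\winlogon.scr

O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
O23 - Service: 0bb5d905ac8cb79dbb7a0d60b6a3ef84 (bbffcadbeefedd) - Unknown owner - C:\WINDOWS\bbffcadbeefedd.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
"""


def check_path(path: str) -> list[str]:
    """Reasons an executable path looks suspicious; an empty list means nothing flagged."""
    reasons = []
    p = PureWindowsPath(path)
    stem, suffix = p.stem.lower(), p.suffix.lower()
    in_trusted_dir = bool(TRUSTED_DIR.match(path))
    if stem in SYSTEM_BINARY_NAMES and not path.lower().startswith("c:\\windows\\"):
        reasons.append(f"system binary name '{p.name}' outside the Windows directory")
    if suffix == ".scr" and not in_trusted_dir:
        reasons.append("screensaver executable in a user-writable location")
    if not in_trusted_dir and not reasons:
        # Generic catch-all, only when no more specific rule already fired.
        reasons.append("executable outside Windows/Program Files")
    return reasons


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = O23.match(line)
        if svc:
            if svc.group("missing"):
                findings.append((line, "service points at a missing file"))
            if HEX_NAME.match(svc.group("display")) or HEX_NAME.match(svc.group("short") or ""):
                findings.append((line, "service with random hex name"))
            findings.extend((line, r) for r in check_path(svc.group("path")))
            continue
        # Running-process lines start with a drive path; O4 autostart lines carry one.
        if line.startswith("O4 - ") or EXE_PATH.match(line):
            hit = EXE_PATH.search(line)
            if hit:
                findings.extend((line, r) for r in check_path(hit.group(0)))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample it flags only the winlogon.scr process and the hex-named missing service; every BitDefender, Windows and FLEXnet entry passes clean.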

Re: Trojan.Script.255967

Post by Dr Jay on 29th January 2010, 4:48 pm

Please download [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator
Posts: 14309
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Arch.: x64 (64-bit)
Protection: Bitdefender Total Security
Points: 302960
Likes: 10


Re: Trojan.Script.255967

Post by digiman56 on 29th January 2010, 7:13 pm

Thank you for the quick response.

Here is a copy of the log:

Cheetah-Anti-Rogue v1.2.10
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 29/01/2010 - Time: 19:13:16 - Arch.: x86


-- Malware tools check --


-- Known infection --



Extra message: Detection only.


EOF


Re: Trojan.Script.255967

Post by Dr Jay on 29th January 2010, 7:29 pm

Please download the latest version of Kaspersky GetSystemInfo (GSI) from [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Please close all other applications running on your system.
  • Please double click GetSystemInfo.exe to open it.
  • Click the Settings button.
  • Set it to Maximum
  • IMPORTANT! Then please click Customize - choose Driver / Ports tab and
  • Uncheck Scan Ports.
  • Click Create Report to run it.
  • It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to [You must be registered and logged in to see this link.] and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.


Dr. Jay (DJ)




Re: Trojan.Script.255967

Post by digiman56 on 29th January 2010, 9:14 pm

As instructed...

[You must be registered and logged in to see this link.]


Re: Trojan.Script.255967

Post by Dr Jay on 30th January 2010, 1:07 am

There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
[You must be registered and logged in to see this link.] are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to: [You must be registered and logged in to see this link.]
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
Guides for format and reinstall: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.


Dr. Jay (DJ)




Re: Trojan.Script.255967

Post by spanky52 on 30th January 2010, 5:44 pm

Thank you for the comprehensive reading. I have d/l Belarc and run a scan, results lower down the page.

I am the only user of my main computer, and use it mainly for my photographic work and surfing the web. I have online banking but I have no other personal or financial details on file. Would the cookie be infected?

If necessary I am prepared to format and re-install but it's gonna be a pain!!

A couple of questions before I decide, if that's ok?

As the trojan was possibly delivered by email (according to the BitDefender explanation) will it have infected all my mail? Not much point in saving them only to transfer the problem to a cleaned system.

Also, as Front Page is the only program that has so far given me the warning on this trojan, are my files infected as well? I do not get this warning on every page I amend, only when I seem to add a table and then save it.

Below is the Belarc Advisor profile, followed by the Benchmark Log; I am not sure if they will be helpful or not. Exactly what sort of files are affected?

Many thanks, your time and advice is greatly appreciated

Operating System:
Windows XP Professional Service Pack 3 (build 2600)
Install Language: English (United States)
System Locale: English (United Kingdom)

System Model:
Foxconn OEM
Enclosure Type: Desktop

Processor (a):
3.33 gigahertz Intel Celeron D
16 kilobyte primary memory cache
512 kilobyte secondary memory cache
64-bit ready
Not hyper-threaded

Main Circuit Board (b):
Board: Foxconn P4M900-8237A
Bus Clock: 133 megahertz
BIOS: Phoenix Technologies, LTD 6.00 PG 08/18/2008

Drives:
660.14 Gigabytes Usable Hard Drive Capacity
578.96 Gigabytes Hard Drive Free Space
ATAPI DVD A DH18A1P [CD-ROM drive]
3.5" format removeable media [Floppy drive]
Hitachi HDP725050GLA360 [Hard drive] (500.11 GB) -- drive 0, SMART Status: Healthy
Kingston DataTraveler 2.0 USB Device [Hard drive] (2.02 GB) -- drive 2
MAXTOR STM3160815AS [Hard drive] (160.04 GB) -- drive 1, SMART Status: Healthy

Memory Modules (c,d):
2944 Megabytes Usable Installed Memory
Slot 'A0' has 2048 MB
Slot 'A1' has 2048 MB

Local Drive Volumes:
c: (NTFS on drive 0) 249.56 GB 211.54 GB free
d: (NTFS on drive 1) 160.03 GB 152.88 GB free
e: (NTFS on drive 0) 250.54 GB 214.53 GB free

Network Drives:
none detected

Users (local user accounts, last logon):
Admin 30/01/2010 16:09:29 (admin)
Administrator 16/12/2009 17:00:28 (admin)
Local system accounts:
ASPNET never
Guest never
HelpAssistant never
SUPPORT_388945a0 never

Printers:
EPSON Stylus Photo R265 Series on USB001
Microsoft XPS Document Writer on XPSPort:
Send To Microsoft OneNote Driver on Send To Microsoft OneNote Port:

Controllers:
Standard floppy disk controller
Primary IDE Channel [Controller] (2x)
Secondary IDE Channel [Controller] (2x)
VIA Bus Master IDE Controller - 0571
VIA Serial ATA Controller - 5337

Display:
VIA Chrome9 HC IGP [Display adapter]
GNR TS509 [Monitor] (14.9"vis, s/n 002241, June 2006)

Bus Adapters:
VIA Rev 5 or later USB Universal Host Controller (4x)
VIA USB Enhanced Host Controller

Multimedia:
Realtek High Definition Audio

Virus Protection:
BitDefender Antivirus Version 13.0.18
Virus Definitions Version Up To Date
Realtime File Scanning On

Group Policies:
none discovered

Communications:
Realtek RTL8139 Family PCI Fast Ethernet NIC
Dhcp Server: none responded
Physical Address: 00:15:58:AD:DA:C1

Other Devices:
USB Human Interface Device
Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
HID-compliant mouse
USB Mass Storage Device
USB Root Hub (5x)
pcouffin device for 32 bits systems

Network Map:
No details available

Missing Microsoft Security Hotfixes:
These required security hotfixes (using the 01/21/2010 Microsoft Security Bulletin Summary) were not found installed. Note: CIS benchmarks require that Critical and Important severity security hotfixes must be installed.
Q978207 - Critical (details...)


Software Versions & Usage:
ı i 2007 Microsoft Office system Version 12.0.6514.5000
i Acclaim Software Ltd - Focus Magic Version 3.01
ı i Acresso Software Inc. - FLEXnet Publisher (32 bit) Version 11.6.1.0 build 66138
ı i Adobe Acrobat Version 9.3.0.148
i Adobe Active File Monitor V6
ıı i Adobe Photoshop CS4 CS4
ı i Adobe Photoshop Elements 6.0 Version 6.0
ı i Adobe Photoshop Elements Version 6.0
ı i Adobe Photoshop Elements Version 8.0
ı i Adobe Reader and Acrobat Manager Version 1.1.5.0
ıı i Adobe Reader Version 9.3.0.148
i Adobe Systems Incorporated - Elements Organizer Version 8.0
ı i Alexander Roshal - WinRAR archiver Version 3.70.0.0
i Apple Computer, Inc. - QuickTime QuickTime 6.5.1
ı i Belarc, Inc. - Advisor Version 8.1h
i Bibble 5
ı i BitDefender 2010 Version 13,0,19,346
i BitDefender Products Version 1, 0, 104, 0
ıı i BitTorrent, Inc. - µTorrent Version 1.8.5.17414
i Cinematronics - 3D Pinball Version 5.1.2600.5512
ı i ContextMenu.exe
i Foxconn Technology Group - FOX LiveUpdate Version 1, 0, 5, 0
ı i Google Inc. - Picasa Photo Viewer Version 3.6.0
i Google Inc. - Picasa Version 3.6.0
i Google Updater Version 2.0.711.37800.beta
ı i HDRsoft - Photomatix Version 3.0.3007.40940
ı i IObit - Advanced SystemCare 3 Version 3.0.0.0
ı i Jalbum Version 8.5.3
i Microsoft (R) Windows Script Host Version 5.7.0.18066
i Microsoft Application Error Reporting Version 12.0.6413.1000
i Microsoft Clip Organizer Version 11.0.8164
i Microsoft Corporation - Groove Audit Service Version 4.2.2.2803
ı i Microsoft Corporation - Internet Explorer Version 8.00.6001.18702
ı i Microsoft Corporation - Messenger Version 4.7.3001
i Microsoft Corporation - Office Diagnostics Service Version 12.0.6413.1000
i Microsoft Corporation - Office Diagnostics Version 12.0.6413.1000
i Microsoft Corporation - Office Source Engine Version 12.0.4518.1014
i Microsoft Corporation - SelfCert Version 11.0.8164
ı i Microsoft Corporation - Windows Installer - Unicode Version 3.1.4001.5512
i Microsoft Corporation - Windows Movie Maker Version 2.1.4026.0
i Microsoft Corporation - Windows® NetMeeting® Version 3.01
i Microsoft Corporation - Zone.com Version 1.2.626.1
i Microsoft Data Access Components Version 3.525.1132.0
ı i Microsoft Office 2003 Version 11.0.8164
i Microsoft Office Groove Version 4.2.2.2807
i Microsoft Office InfoPath Version 11.0.8161
i Microsoft Office InfoPath Version 12.0.6413.1000
i Microsoft Office OneNote Version 12.0.6415.1000
i Microsoft Office Outlook Version 12.0.6514.5000
i Microsoft Office Picture Manager Version 11.0.8161
i Microsoft Office Save My Settings/Profile Wizard Version 11.0.8161
i Microsoft® .NET Framework Version 2.0.50727.3053
i Microsoft® .NET Framework Version 3.0.6920.1427
ı i Microsoft® Visual Studio .NET Version 7.00.9466
i Microsoft® Windows Live ID Version 6.500.3146.0
ıı i Microsoft® Windows® Operating System Version 11.0.5721.5145
i MindVision - Installer VISE 2.8.3 Version 2.8.3
i MindVision Software - Installer VISE Version 3.6.0
ı i Mozilla Corporation - Firefox Version 3.5.7
i Nero AG - Cover Designer Version 2, 10, 1, 1
ı i Nero AG NeroCheck Version 1, 0, 0, 7
i Nero BackItUp Version 2, 10, 6, 4
ıı i Nero Burning ROM Version 7, 11, 10, 0
i Nero BurnRights Version 2.1.0.11
i Nero CD - DVD Speed Version 4, 7, 7, 15
i Nero DriveSpeed Version 3, 0, 11, 2
ı i Nero Home Version 2,0,17,0
i Nero ImageDrive Version 3.0.0.12
i Nero InfoTool Version 4, 4, 3, 0
i Nero Installer Version 1, 6, 48, 14
i Nero MediaHome Version 2,5,17,0
i Nero Mobile Version 1.4.0.9
i Nero PhotoSnap image editor Version 1, 2, 0, 25
i Nero Photosnap Viewer Version 1, 2, 0, 25
i Nero Recode 2 Version 2, 5, 6, 0
ı i Nero ShowTime Version 3, 10, 1, 0
i Nero SoundTrax Version 2, 10, 1, 0
i Nero StartSmart Version 3, 10, 1, 7
i Nero Vision Version 4,9,7,6
i Nero WaveEditor Version 3, 10, 1, 0
ı i Pranas.NET - LightBox Web Gallery Generator Version 2.1.1.0
ı i Prolific Technology Inc. - IoctlSvc Application Version 1, 6, 0, 0
i Safer Networking Limited - Secure Shredder Version 1.9.0.0
i Safer Networking Limited - Spybot - Search & Destroy Version 1, 5, 2, 0
i Safer Networking Limited - Spybot - Search & Destroy Version 1, 6, 0, 0
ı i Safer Networking Limited - SpyBot-S&D Version 1, 6, 2, 0
ı i Safer-Networking Ltd. - Spybot - Search & Destroy Version 1, 6, 2, 0
i SEIKO EPSON CORPORATION - DspReadMe Version 1.00
i SEIKO EPSON CORPORATION - EPSON Easy Photo Print Version 1.50
i SEIKO EPSON CORPORATION - EPSON PRINT Image Framer Tool Version 3.21
i SEIKO EPSON CORPORATION - SETUP APPLICATION Version 6.00
i SPACE.com, Canada, Inc. - Starry Night Version 5.0.0
i SSC Service Utility Version 4.0.0.0
i starter Application Version 1, 0, 0, 1
i Sun Microsystems, Inc. - Java(TM) Platform SE 6 U17 Version 6.0.170.4
i SupportSoft Container Version 6,7,1154,0
ı i SupportSoft sprtcmd Version 6,7,1035,0
ı i the VideoLAN Team - VLC media player Version 1.0.3.0
ı i Tobias Huellmandel Software - PanoramaStudio Version 1.6.0.78
i TODO: Version 1.0.0.1
i Video Converter Version 1, 0, 0, 0
ıı i VSO Software SARL - ConvertXtoDVD Version 3.0.0.0
i Wizards to adjust .NET Framework security, assign trust to assemblies, and fix broken .NET applications. Version 1.0.5000.0


ı Marks software last used within the past 7 days.
ıı Marks software last used within the past 90 days, but over 7 days ago.
ııı Marks software last used within the past year, but over 90 days ago.
ıııı Marks software last used over 1 year ago.
Unmarked software lacks the data to determine last use.


Installed Microsoft Hotfixes:
.NET Framework 2.0 Service Pack 2
KB958481 on 13/12/2009 (details...)
KB974417 on 13/12/2009 (details...)
.NET Framework 3.0 Service Pack 2
KB958483 on 13/12/2009 (details...)
.NET Framework 3.5 SP1
KB958484 on 13/12/2009 (details...)
KB963707 on 13/12/2009 (details...)
.NETFramework
1.1
S867460 (details...)
M953297 (details...)
MSXML4SP2
KB954430 on 13/12/2009 (details...)
KB973688 on 13/12/2009 (details...)
Office Access MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
KB963663 on 15/12/2009 (details...)
Office Access Setup Metadata MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
Office Enterprise 2007
KB953195[SP] on 13/12/2009 (details...)
KB957789 on 13/12/2009 (details...)
KB967642 on 13/12/2009 (details...)
KB969559 on 13/12/2009 (details...)
KB969604 on 13/12/2009 (details...)
KB969613 on 13/12/2009 (details...)
KB969693 on 13/12/2009 (details...)
KB972363 on 13/12/2009 (details...)
KB972581 on 13/12/2009 (details...)
KB973593 on 13/12/2009 (details...)
KB973704 on 13/12/2009 (details...)
KB973709 on 13/12/2009 (details...)
KB974234 on 13/12/2009 (details...)
KB976416 on 13/12/2009 (details...)
KB977839 on 13/01/2010 (details...)
Office Excel MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
KB963678 on 15/12/2009 (details...)
Office FrontPage 2003
KB921598 on 30/01/2010 (details...)
KB923618[SP] on 29/01/2010 (details...)
KB943973 on 30/01/2010 (details...)
KB945185 on 30/01/2010 (details...)
KB947319 on 30/01/2010 (details...)
KB951535 on 30/01/2010 (details...)
KB953404 on 30/01/2010 (details...)
KB972580 on 30/01/2010 (details...)
KB974554 on 30/01/2010 (details...)
KB975051 on 30/01/2010 (details...)
Office Groove MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
Office Groove Setup Metadata MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
Office InfoPath MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
KB963662 on 15/12/2009 (details...)
Office OneNote MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
KB963670 on 15/12/2009 (details...)
Office Outlook MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
KB963677 on 15/12/2009 (details...)
Office PowerPoint MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
KB963669 on 15/12/2009 (details...)
Office Proof (English) 2007
KB953195[SP] on 13/12/2009 (details...)
Office Proof (French) 2007
KB953195[SP] on 13/12/2009 (details...)
Office Proof (Spanish) 2007
KB953195[SP] on 13/12/2009 (details...)
Office Publisher MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
KB963667 on 15/12/2009 (details...)
Office Shared MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
KB963671 on 15/12/2009 (details...)
KB963673 on 15/12/2009 (details...)
Office Shared Setup Metadata MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
Office Word MUI (English) 2007
KB953195[SP] on 13/12/2009 (details...)
KB963665 on 15/12/2009 (details...)
Software Update for Web Folders (English) 12
KB953195[SP] on 13/12/2009 (details...)
Windows Media Format 11 SDK
KB929399 (details...)
Windows Media Player 11
KB939683 (details...)
SP0
KB954154_WM11 on 12/12/2009 (details...)
Windows Media Player
KB952069_WM9 (details...)
KB954155_WM9 (details...)
KB968816_WM9 (details...)
KB973540_WM9 (details...)
Windows XP
SP-1
KB909520 on 15/12/2009 (details...)
SP0
KB941569 on 12/12/2009 (details...)
KB971961-IE8 (details...)
KB972260-IE8 (details...)
KB972636-IE8 (details...)
KB974455-IE8 (details...)
KB976325-IE8 on 13/12/2009 (details...)
SP3
KB952011 on 13/12/2009 (details...)
KB963093 on 15/12/2009 (details...)
SP4
KB915800-V4 on 15/12/2009 (details...)
KB954550-V5 on 13/12/2009 (details...)
KB955759 on 13/12/2009 (details...)
KB961118 on 13/12/2009 (details...)
KB969947 (details...)
KB970430 on 13/12/2009 (details...)
KB970653-V3 on 12/12/2009 (details...)
KB971737 on 13/12/2009 (details...)
KB972270 on 13/01/2010 (details...)
KB973687 on 13/12/2009 (details...)
KB973904 on 13/12/2009 (details...)
KB974318 on 13/12/2009 (details...)
KB974392 on 13/12/2009 (details...)
KB976098-V2 on 13/12/2009 (details...)





--------------------------------------------------------------------------------


a. Processor clock speed is measured at computer start-up, and on laptops may be impacted by power option settings.
b. Data may be transferred on the bus at one, two, or four times the Bus Clock rate.
c. Memory slot contents may not add up to Installed Memory if some memory is not recognized by Windows.
d. Memory slot contents is reported by the motherboard BIOS. Contact system vendor if slot contents are wrong.
e. This is the manufacturer's factory installed product key rather than yours. You can change it to your product key here [You must be registered and logged in to see this link.] for Windows, or here [You must be registered and logged in to see this link.] for Office.
Copyright 2000-9, Belarc, Inc. All rights reserved.
Legal notice. U.S. Patents 5665951, 6085229 and Patents pending.

--------------------------------------------------------------------------------

Belarc Benchmark results


CIS Benchmark Score Details
Computer Name: Martin-2ab68ebf (in HOME)
Profile Date: 30 January 2010 17:01:48
Advisor Version: 8.1h
Windows Logon: Admin




Score: 1.88 of 10 (scoring rules...)
Benchmark: CIS WinXP Legacy, Version 1.3

Service Packs and Hotfixes
Current Service Pack Section Score: 1.25 of 1.25
1. Latest Service Pack


Critical and Security Hotfixes Section Score: 0.00 of 1.25
1. Latest Critical and Security Hotfixes


Account and Audit Policies
Password Policies Section Score: 0.00 of 0.83
1. Current Password Ages

2. Minimum Password Length


Audit and Account Policies Section Score: 0.00 of 0.83
1. Audit Account Logon Events

2. Audit Account Management

3. Audit Logon Events

4. Audit Object Access

5. Audit Policy Change

6. Audit Privilege Use

7. Audit System Events

8. Minimum Password Age

9. Maximum Password Age

10. Password Complexity

11. Store Passwords using Reversible Encryption

12. Password History Size

13. Account Lockout Duration

14. Account Lockout Threshold

15. Reset Account Lockout Count Time


Event Log Policies Section Score: 0.00 of 0.83
1. Application Event Log: Maximum Size

2. Application Event Log: Restrict Guest Access

3. Security Event Log: Maximum Size

4. Security Event Log: Restrict Guest Access

5. System Event Log: Maximum Size

6. System Event Log: Restrict Guest Access


Security Settings
Anonymous Account Restrictions Section Score: 0.00 of 0.83
1. Network Access: Allow Anonymous SID/Name Translation

2. Network Access: Do not allow Anonymous Enumeration of SAM Accounts

3. Network Access: Do not allow Anonymous Enumeration of SAM Accounts and Shares


Security Options Section Score: 0.00 of 0.83
1. Accounts: Guest Account Status

2. Accounts: Limit Local Account Use of Blank Passwords to Console Logon Only

3. Accounts: Rename administrator account

4. Accounts: Rename guest account

5. Devices: Allowed to format and eject removable media

6. Devices: Unsigned Driver Installation Behavior

7. Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always)

8. Domain Member: Digitally Encrypt Secure Channel Data (When Possible)

9. Domain Member: Digitally Sign Secure Channel Data (When Possible)

10. Domain Member: Disable Machine Account Password Changes

11. Domain Member: Maximum Machine Account Password Age

12. Interactive Logon: Do Not Display Last User Name

13. Interactive Logon: Do Not Require CTRL+ALT+DEL

14. Interactive Logon: Message Text for Users Attempting to Log On

15. Interactive Logon: Message Title for Users Attempting to Log On

16. Interactive Logon: Number of Previous Logons to Cache

17. Interactive Logon: Prompt User to Change Password Before Expiration

18. Interactive Logon: Smart Card Removal Behavior

19. Microsoft Network Client: Digitally Sign Communication (if server agrees)

20. Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server

21. Microsoft Network Server: Amount of Idle Time Required Before Disconnecting Session

22. Microsoft Network Server: Digitally Sign Communication (if client agrees)

23. Microsoft Network Server: Disconnect Clients When Logon Hours Expire

24. Network Access: Let Everyone Permissions Apply to Anonymous Users

25. Network Access: Shares that can be accessed anonymously

26. Network Access: Sharing and Security Model for Local Accounts

27. Network Security: LAN Manager Authentication Level

28. Network Security: LDAP Client Signing Requirements

29. Recovery Console: Allow Automatic Administrative Log On

30. Shutdown: Allow System to be Shut Down Without Having to Log On

31. Shutdown: Clear Virtual Memory Pagefile

32. System Objects: Default Owner for Objects Created by Members of the Administrators Group


Additional Security Settings Section Score: 0.00 of 0.83
1. Suppress Dr. Watson Crash Dumps

2. Disable Automatic Execution of the System Debugger

3. Disable Autoplay from any Disk Type, Regardless of Application

4. Disable Autoplay from the Default Profile

5. Disable Automatic Logon

6. Disable Automatic Reboots After a Blue Screen of Death

7. Disable CD Autorun

8. Protect Against Computer Browser Spoofing Attacks

9. Protect Against Source-routing Spoofing

10. Protect the Default Gateway Network Setting

11. Ensure ICMP Routing via Shortest Path First

12. Help Protect Against Packet Fragmentation

13. Manage Keep-alive Times

14. Protect Against Malicious Name-release Attacks

15. Ensure Router Discovery is Disabled

16. Protect Against SYN Flood Attacks

17. SYN Attack Protection - Manage TCP Maximum Half-open Sockets

18. SYN Attack Protection - Manage TCP Maximum Half-open Retired Sockets

19. Enable IPSec to Protect Kerberos RSVP Traffic

20. Hide Workstation from Network Browser Listing

21. Enable Safe DLL Search Mode


Available Services and Other Requirements
Available Services Section Score: 0.00 of 0.63
1. Alerter Service Permissions

2. Clipbook Service Permissions

3. FTP Publishing Service Permissions

4. IIS Admin Service Permissions

5. Messenger Service Permissions

6. NetMeeting Remote Desktop Sharing Service Permissions

7. Remote Desktop Help Session Manager Permissions

8. Routing and Remote Access Service Permissions

9. SMTP Service Permissions

10. SNMP Service Permissions

11. SNMP Trap Permissions

12. Telnet Service Permissions

13. World Wide Web Publishing Services Permissions


User Rights Section Score: 0.00 of 0.63
1. Access this Computer from the Network

2. Act as Part of the Operating System

3. Allow Logon through Terminal Services

4. Back up Files and Directories

5. Bypass Traverse Checking

6. Change the System Time

7. Create a Pagefile

8. Create a Token Object

9. Create Permanent Shared Objects

10. Debug Programs

11. Deny Access to this Computer from the Network

12. Force Shutdown from a Remote System

13. Generate Security Audits

14. Increase Scheduling Priority

15. Load and Unload Device Drivers

16. Lock Pages in Memory

17. Log on Locally

18. Manage Auditing and Security Log

19. Modify Firmware Environment Values

20. Perform Volume Maintenance Tasks

21. Profile Single Process

22. Profile System Performance

23. Remove Computer from Docking Station

24. Replace a Process Level Token

25. Restore Files and Directories

26. Shut Down the System

27. Take Ownership of File or Other Objects


Other System Requirements Section Score: 0.63 of 0.63
1. All Local Volumes NTFS

2. Restricted Group: Remote Desktop Users


File and Registry Permissions Section Score: 0.00 of 0.63
1. Permissions for HKLM\software\microsoft\windows\currentversion\installer

2. Permissions for HKLM\software\microsoft\windows\currentversion\policies

3. Permissions for HKLM\system\currentcontrolset\enum

4. Permissions for HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

5. Permissions for HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

6. Permissions for USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

7. Permissions for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit

8. Permissions for %SystemRoot%\system32\tlntsvr.exe

9. Permissions for %SystemRoot%\system32\tftp.exe

10. Permissions for %SystemRoot%\system32\telnet.exe

11. Permissions for %SystemRoot%\system32\subst.exe

12. Permissions for %SystemRoot%\system32\sc.exe

13. Permissions for %SystemRoot%\system32\runas.exe

14. Permissions for %SystemRoot%\system32\rsh.exe

15. Permissions for %SystemRoot%\system32\rexec.exe

16. Permissions for %SystemRoot%\system32\regsvr32.exe

17. Permissions for %SystemRoot%\system32\regedt32.exe

18. Permissions for %SystemRoot%\regedit.exe

19. Permissions for %SystemRoot%\system32\reg.exe

20. Permissions for %SystemRoot%\system32\rcp.exe

21. Permissions for %SystemRoot%\system32\netsh.exe

22. Permissions for %SystemRoot%\system32\net1.exe

23. Permissions for %SystemRoot%\system32\net.exe

24. Permissions for %SystemRoot%\system32\[You must be registered and logged in to see this link.]

25. Permissions for %SystemRoot%\system32\eventtriggers.exe

26. Permissions for %SystemRoot%\system32\eventcreate.exe

27. Permissions for %SystemRoot%\system32\edlin.exe

28. Permissions for %SystemRoot%\system32\drwtsn32.exe

29. Permissions for %SystemRoot%\system32\drwatson.exe

30. Permissions for %SystemRoot%\system32\debug.exe

31. Permissions for %SystemRoot%\system32\cacls.exe

32. Permissions for %SystemRoot%\system32\attrib.exe

33. Permissions for %SystemRoot%\system32\at.exe



Why are benchmarks important for IT security? Many current threats are not stopped by perimeter security systems such as firewall and anti-virus systems. Setting and monitoring configurations based on consensus benchmarks is a critical step because this is a pro-active way to avoid many successful attacks. The U.S. National Security Agency has found that configuring computers with proper security settings blocks 90% of the existing threats (IA Newsletters "Security Benchmarks: A Gold Standard." Click here to request a copy.) For our white paper, "Security Within", click here to request a copy.

What is the Center for Internet Security (CIS)? The CIS is an open association consisting of industry, government and academic members. Its mission is to help IT organizations more effectively manage their risks related to information security. Click here for details.

What are the CIS Benchmarks? The Benchmarks are developed by CIS members and staff and are consensus based, best-practice security configurations for computers connected to the Internet. Click here for details.

What is the CIS Benchmark Score? The Belarc Advisor has performed a security audit of your system using the CIS Level-I benchmark appropriate to your operating system. The result is a number between zero and ten that gives a measure of the vulnerability of your system to potential threats. The higher the number the less vulnerable your system.

How can you reduce your security vulnerability? The CIS configurations are available as Microsoft security template files from the CIS. Warning: Applying these security templates may cause some applications to stop working correctly. Back up your system prior to applying these security templates or apply the templates on a test system first.
Click here to download the templates from the CIS (requires registration and acceptance of the CIS license agreement).





:smile2: :sad:


Last edited by spanky52 on 30th January 2010, 5:46 pm; edited 1 time in total (Reason for editing : correction to spelling)

spanky52
Novice

Posts: 11
Joined: 2010-01-29
OS: Windows XP
Points: 25196
Likes: 0

Re: Trojan.Script.255967

Post by Dr Jay on 30th January 2010, 6:52 pm

Let's search deeper:

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts: 14309
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Arch.: x64 (64-bit)
Protection: Bitdefender Total Security
Points: 302960
Likes: 10

Re: Trojan.Script.255967

Post by spanky52 on 30th January 2010, 7:55 pm

SDFix report


SDFix: Version 1.240
Run by Admin on 30/01/2010 at 19:26

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-30 19:40:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with hidden Attributes :

Wed 4 Nov 2009 1,168,216 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 19 Dec 2009 9,496,056 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Sun 29 Nov 2009 0 A.SH. --- "C:\Documents and Settings\Admin\My Documents\My Web Sites\mwaphotography\images\04_Panoramas\.Thumbs.db.tmp"

Finished!


HiJack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:51:31, on 30/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Admin\My Documents\Downloads\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. [You must be registered and logged in to see this link.] - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: 0bb5d905ac8cb79dbb7a0d60b6a3ef84 (bbffcadbeefedd) - Unknown owner - C:\WINDOWS\bbffcadbeefedd.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

--
End of file - 9013 bytes

spanky52
Novice

Posts: 11
Joined: 2010-01-29
OS: Windows XP
Points: 25196
Likes: 0

Re: Trojan.Script.255967

Post by Dr Jay on 30th January 2010, 9:58 pm

Thought so... sorry, that was a false alarm.

Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

==

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
Alternate link: [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

==

Please make sure the MBAM and GMER log is posted in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts: 14309
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Arch.: x64 (64-bit)
Protection: Bitdefender Total Security
Points: 302960
Likes: 10

Re: Trojan.Script.255967

Post by spanky52 on 31st January 2010, 3:04 pm

I cannot post a copy of the log as it is apparently too big for this reply (272kb); I can't see any way to attach it either. Suggestions?

I was unable to install MBAM properly as I got this message: Mbam.exe Application error - failed to initialize properly (0x0000005)

spanky52
Novice

Posts: 11
Joined: 2010-01-29
OS: Windows XP
Points: 25196
Likes: 0

Re: Trojan.Script.255967

Post by spanky52 on 31st January 2010, 4:57 pm

I managed to get MBAM to work by installing it in safe mode; log below.

GMER log can be found here [You must be registered and logged in to see this link.]

Malwarebytes' Anti-Malware 1.44
Database version: 3668
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

31/01/2010 16:50:15
mbam-log-2010-01-31 (16-50-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 210558
Time elapsed: 48 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\SDFix\dummy.sys (Malware.Trace) -> No action taken.
C:\SDFix\apps\dummy.sys (Malware.Trace) -> No action taken.
C:\Documents and Settings\Admin\My Documents\downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> No action taken.

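The MBAM log above lists three files, one of them caught by a reserved-word heuristic rather than a signature. As an added example (not Malwarebytes' code, not its real detection logic, and not part of this thread), the Python below parses the "Files Infected" block of such a log and applies a check of that kind: a file that borrows the name of a core Windows process (winlogon, csrss, lsass, ...) but sits outside the Windows directory, or does not end in .exe, is reported for review. The process-name list, the system-directory list and the rule itself are assumptions of the example; the three sample lines are copied from the log.

```python
"""Triage the 'Files Infected' block of a Malwarebytes Anti-Malware log.

Added example; not Malwarebytes' code and not its real detection logic.
MBAM writes one flat line per hit:  <path> (<detection>) -> <action>
After parsing those lines, a reserved-name heuristic of the kind the
detection name 'Heuristics.Reserved.Word.Exploit' suggests is applied:
a file that borrows the name of a core Windows process but sits outside
the Windows directory, or does not end in .exe, is flagged for review.
RESERVED, SYSTEM_DIRS and the rule itself are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Core process names an attacker likes to borrow (assumed list).
RESERVED = {"smss", "csrss", "winlogon", "services", "lsass",
            "svchost", "explorer", "spoolsv"}
# Where those names legitimately live on a default XP install (assumed).
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")

HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Hit:
    path: str
    detection: str
    action: str
    reasons: list[str] = field(default_factory=list)


def parse_files_infected(log_text: str) -> list[Hit]:
    """Return the entries listed under the detail heading 'Files Infected:'.

    The summary line 'Files Infected: 3' carries a trailing count, so only
    the bare heading opens the detail block.
    """
    hits, in_block = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":
            in_block = True
            continue
        if not in_block or not line or line.startswith("("):
            continue  # skip blanks and '(No malicious items detected)'
        m = HIT_RE.match(line)
        if m:
            hits.append(Hit(m["path"], m["detection"], m["action"]))
    return hits


def under_system_dir(parent: str) -> bool:
    p = parent.lower()
    return any(p == d or p.startswith(d + "\\") for d in SYSTEM_DIRS)


def reserved_name_reasons(path: str) -> list[str]:
    """Explain why a path trips the reserved-name rule; empty if it does not."""
    p = PureWindowsPath(path)
    stem, ext = p.stem.lower(), p.suffix.lower()
    reasons = []
    if stem in RESERVED:
        if not under_system_dir(str(p.parent)):
            reasons.append(f"reserved name '{stem}' outside the Windows directory")
        if ext != ".exe":
            reasons.append(f"reserved name '{stem}' with extension '{ext}' instead of .exe")
    return reasons


def triage(log_text: str) -> list[Hit]:
    hits = parse_files_infected(log_text)
    for h in hits:
        h.reasons = reserved_name_reasons(h.path)
    return hits


# The three hits from the log posted above, reproduced as sample input.
SAMPLE_LOG = r"""
Files Infected: 3

Files Infected:
C:\SDFix\dummy.sys (Malware.Trace) -> No action taken.
C:\SDFix\apps\dummy.sys (Malware.Trace) -> No action taken.
C:\Documents and Settings\Admin\My Documents\downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> No action taken.
"""

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        flag = "; ".join(h.reasons) or "no reserved-name issue"
        print(f"{h.detection:35} {h.path}\n    -> {flag}")
```

The `winlogon.scr` hit trips both halves of the rule (user profile location, screensaver extension), while the two `dummy.sys` hits are plain trace files and get no reason attached; the same function can be pointed at any full-path list, not only MBAM output.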

Re: Trojan.Script.255967

Post by Dr Jay on 31st January 2010, 7:39 pm

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with tabs
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done


To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 [link].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)



Re: Trojan.Script.255967

Post by spanky52 on 1st February 2010, 12:22 am

Well, Dragon Master Jay, everything has been done to the word... and the trojan is still there. I am still unable to physically see the Temp Internet Files folder, despite moving it to my C:\Docs & Settings\Admin folder, which is where BitDefender says it is!!

Here is the report by Security Check

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
BitDefender Total Security 2010
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
HijackThis 2.0.2
Java(TM) 6 Update 17
Adobe Flash Player 10
Adobe Reader 9.3
``````````````````````````````
Process Check:
objlist.exe by Laurent

Common Files BitDefender BitDefender Update Service livesrv.exe
BitDefender BitDefender 2010 vsserv.exe
BitDefender BitDefender 2010 bdagent.exe
BitDefender BitDefender 2010 seccenter.exe
``````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````


Re: Trojan.Script.255967

Post by Dr Jay on 1st February 2010, 5:01 am

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • SpywareBlaster [link]: a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here [link].
  • Spybot - Search & Destroy [link]: a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be a security program. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here: [link]

Securing your computer

  • Windows Update [link] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • HOSTS file [link]: replaces your current HOSTS file with one containing well-known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see [link] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)


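The HOSTS-file recommendation above works by mapping unwanted hostnames to 127.0.0.1. The same file is also a classic redirection target for malware, which edits it to steer security-vendor or update hostnames to addresses the attacker controls, so a blocking HOSTS file is worth checking once installed. As an added example (not from the thread or from any HOSTS-file project), the Python below parses a HOSTS file in the standard format and reports every name that is not sent to a sink address (loopback or the unspecified address 0.0.0.0), plus names listed more than once with different addresses of the same IP family. The sample file and its hostnames are constructed for the example.

```python
"""Sanity check for a blocking HOSTS file of the kind recommended above.

Added example; not from the thread or from any HOSTS-file project. The
format is the standard one: an address, whitespace, one or more host
names, and an optional '#' comment. A blocking file should send every
listed name to a sink (loopback or the unspecified address). This check
reports (a) entries that send a name anywhere else, because the HOSTS
file is also a favourite redirection target for malware, and (b) names
that appear more than once with differing addresses of the same IP
version (a v4/v6 pair such as localhost is normal and not reported).
The sample file and its hostnames are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    lineno: int
    address: str
    hostname: str


def parse_hosts(text: str):
    """Return (entries, malformed): one Entry per hostname on each valid line."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        if len(parts) < 2:                      # address with no names
            malformed.append((lineno, raw))
            continue
        for name in parts[1:]:
            entries.append(Entry(lineno, parts[0], name.lower()))
    return entries, malformed


def is_sink(address: str) -> bool:
    """True for 127.0.0.0/8, ::1, 0.0.0.0 and ::, the addresses a block list uses."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str):
    entries, malformed = parse_hosts(text)
    redirects = [e for e in entries if not is_sink(e.address)]
    by_name = defaultdict(set)
    for e in entries:
        version = ipaddress.ip_address(e.address).version
        by_name[(e.hostname, version)].add(e.address)
    conflicts = {}
    for (name, _version), addrs in by_name.items():
        if len(addrs) > 1:
            conflicts.setdefault(name, []).extend(sorted(addrs))
    return {"entries": len(entries), "redirects": redirects,
            "conflicts": conflicts, "malformed": malformed}


# Constructed sample; the hostnames are not real.
SAMPLE_HOSTS = """\
# constructed sample; hostnames are not real
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.example-ads.test banner.example-ads.test
0.0.0.0         tracker.example-tracker.test
127.0.0.1       tracker.example-tracker.test   # same name, different sink
203.0.113.5     update.example-av.test         # not a sink: review this
not-an-address  junk.example.test
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['entries']} entries parsed")
    for e in report["redirects"]:
        print(f"line {e.lineno}: {e.hostname} -> {e.address} is NOT a sink address")
    for name, addrs in report["conflicts"].items():
        print(f"{name} listed with several addresses: {', '.join(addrs)}")
    for lineno, raw in report["malformed"]:
        print(f"line {lineno}: could not parse: {raw!r}")
```

On a real machine the text to audit is the contents of `%SystemRoot%\system32\drivers\etc\hosts`; anything in the redirects list deserves a look, since a legitimate blocking file never needs a routable address.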

Re: Trojan.Script.255967

Post by spanky52 on 1st February 2010, 10:26 am

I take it that I now have to reformat my hard drive???

Many thanks anyway for the time you have spent on my problem, your help has been greatly appreciated, and even though the trojan hasn't been removed I have gained knowledge from this experience :O)


Thank You! Thank You! Thank You!


Re: Trojan.Script.255967

Post by Dr Jay on 1st February 2010, 2:43 pm

No. That appears to be a false positive from BitDefender.

Would you like us to enumerate that directory (temp folder) anyway?

We had detection and removal tools stronger than BitDefender working on your computer, and they should have completely removed the trojan.


Dr. Jay (DJ)



Re: Trojan.Script.255967

Post by spanky52 on 2nd February 2010, 2:47 pm

I have to agree with you that the Trojan is a false positive from Bit Defender.

I decided to reformat the drive anyway and after installing BitDefender 2009 instead and adding a borrowed legal copy of Front Page 2007 (Expressions Web) I again got the same warning.

I finally found the Temp Internet Files folder by unticking 'Hide Protected Operating System files' but I didn't see a folder named 'Front Page temp dir' in it, which still puzzles me somewhat.

I'm not sure what you mean by 'enumerate' but if you feel it will help then I'll go for it!!!

At the moment, if I want to work in FP then I disable the anti-virus and start it again when I've finished.

Here is a log from HijackThis

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 14:46:00, on 02/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [URL]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [URL]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [URL]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [URL]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [URL]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [URL]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [URL]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [URL]
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AC90E46-A60E-4152-B8FE-FD37E1A10A3B}: NameServer = 62.24.139.7 62.24.139.6
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 6688 bytes

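The O4 lines in the HijackThis log above show each autorun value as it is stored in the registry, quotes included, which is what makes them reviewable. As an added example (not HijackThis code and not part of this thread), the Python below parses those O4 lines and reports two path-hygiene conditions a reviewer otherwise checks by eye: a bare file name with no directory, which Windows resolves through the search path at logon so that a same-named file found earlier on that path is the one that runs, and an unquoted path containing spaces, which CreateProcess may split at each space, trying `C:\Program.exe` before `C:\Program Files\...`. Neither condition is evidence of malice on its own (RTHDCPL.EXE and ALCMTR.EXE are normally Realtek audio components installed by the sound driver); the point is to surface the entries for a closer look. The classification rules are the example's own; the sample lines are copied from the log.

```python
"""Path-hygiene review of HijackThis 'O4' autorun entries.

Added example; not HijackThis code and not part of the thread. HijackThis
prints each autorun as  O4 - <hive>\..\<Run key>: [<name>] <raw value>,
with the registry value exactly as stored, so quoting can be inspected.
Two conditions are reported for manual review (neither proves malice):
  * a bare file name with no directory: Windows resolves it through the
    search path at logon, so a same-named file earlier on that path wins;
  * an unquoted path containing spaces: CreateProcess may split it at
    each space and try the shorter candidates (C:\Program.exe) first.
The rules and the selection of sample lines are assumptions of this
example; the lines themselves are copied from the log above.
"""
import re
from dataclasses import dataclass

O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] "
    r"(?P<value>.+?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# An executable is the text up to the first recognised extension that is
# followed by whitespace or end of value.
EXE_EXT = re.compile(r"(?i)^(?P<exe>.+?\.(exe|com|bat|cmd|scr|pif))(?=\s|$)")


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    value: str
    exe: str
    user: str
    reasons: tuple


def executable_of(value: str):
    """Return (executable, unquoted_with_spaces) for a raw Run value."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return (v[1:end] if end > 0 else v[1:]), False
    m = EXE_EXT.match(v)
    exe = m["exe"] if m else v.split(" ", 1)[0]
    return exe, " " in exe


def audit_line(line: str):
    """Parse one O4 line; None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, unquoted = executable_of(m["value"])
    reasons = []
    if unquoted:
        reasons.append("unquoted path with spaces")
    if "\\" not in exe:
        reasons.append("bare file name resolved via the search path")
    return Autorun(m["hive"], m["key"], m["name"], m["value"],
                   exe, m["user"] or "", tuple(reasons))


def audit(log_text: str):
    """Audit every O4 line in a HijackThis log; entries come back in log order."""
    return [a for a in (audit_line(line) for line in log_text.splitlines()) if a]


def flagged(log_text: str):
    """Map autorun name -> reasons, for entries that have at least one."""
    return {a.name: a.reasons for a in audit(log_text) if a.reasons}


# O4 lines copied from the HijackThis log posted above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    for a in audit(SAMPLE_O4):
        status = "; ".join(a.reasons) or "ok"
        who = f" (user {a.user})" if a.user else ""
        print(f"{a.hive}\\{a.key} [{a.name}]{who}: {a.exe} -> {status}")
```

The quoted TalkTalk, BDAgent and Advanced SystemCare entries pass, as does the fully qualified ctfmon.exe; the two bare Realtek names, the unquoted Nero path and the bare `rundll32` in the RunOnce entry are the ones listed for review.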

Re: Trojan.Script.255967

Post by Dr Jay on 2nd February 2010, 3:02 pm

If you already have reformatted/reinstalled, there is no need to check out that directory. Seems weird about the FP.


Dr. Jay (DJ)



Re: Trojan.Script.255967

Post by spanky52 on 2nd February 2010, 4:15 pm

Indeed it does. I've used both BD and FP together for the last few months and not had a problem. At least I know I can more or less ignore it now.

Once again, thanks for your assistance :smile2:

I feel this can now be considered as 'closed'.......

Martin


Re: Trojan.Script.255967

Post by Dr Jay on 2nd February 2010, 7:58 pm

You're welcome.


Dr. Jay (DJ)


