
Weird Malware (adware.systemprocess) Found By Symantec



#1 RushSonic

RushSonic

  • Members
  • 67 posts

Posted 14 November 2007 - 12:14 AM

For the past two days, my copy of Symantec Anti-Virus discovered a malware called Adware.SystemProcess. I followed the instructions to remove it on Symantec's web page and briefly it was gone (here's the method to remove it). Unfortunately, this morning, the malware returned, albeit in a much smaller quantity. I checked the registry entries that I had to manually delete and they were clean. I scanned with Lavasoft Ad-Aware SE, but despite using a full scan, it returned no problems. I'm sure that this malware is almost gone, but I am not sure what I have missed, so here is my HijackThis log.

Update: I let TrendMicro HouseCall scan my computer. According to it, I have three trojans on my computer. I don't know how I got them because I have not been filesharing or going to illicit web pages, but they're there. I don't have the names of them yet, but I will add them. How an online scanner can find malware a "bought" version can not, I'll never understand.

In case it is needed, I am running Windows XP Media Center Edition on a Gateway laptop with 2 GB of RAM, an Intel Core Duo processor clocked at 1.6 GHz, and a 120 GB SATA HD.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:52 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [RemovePittNetSetup] C:\WINDOWS\system32\cmd.exe /c "rmdir "C:\Documents and Settings\Owner\Application Data\PittNet" /S /Q"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\SsoWindows.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Secure Services Client - Cisco Systems - C:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8303 bytes

Edited by RushSonic, 14 November 2007 - 07:30 AM.
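For reading a log like the one above, here is an added example that is not part of the thread and not HijackThis code: a small Python parser for HijackThis 2.x entry lines that breaks the autostart entries (O4), the DLL injection points (O20) and the services (O23) into fields, and marks the entries a reviewer normally checks first. The sample log is a constructed excerpt using the line shapes seen in this thread; the flagging rules (commands without an absolute path, host processes such as cmd.exe driven by their arguments, and every O20 entry) are this example's own heuristics, not a verdict that any entry is malicious.

```python
"""Parse HijackThis 2.x entry lines and mark entries worth a reviewer's first look.

Added example, not HijackThis code. SAMPLE_LOG is a constructed excerpt;
the flagging rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
O20_RE = re.compile(r"^(?P<kind>AppInit_DLLs|Winlogon Notify): (?P<value>.*)$")
O23_RE = re.compile(
    r"^Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$"
)
# An unquoted command runs up to the first executable extension; the rest is arguments.
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|bat|cmd|scr|dll))(?:\s+(?P<args>.*))?$", re.I)

# Host processes whose behaviour is decided entirely by their arguments (this example's list).
INTERPRETERS = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed excerpt in the shape HijackThis emits (header, process list, entries).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\RunOnce: [RemovePittNetSetup] C:\WINDOWS\system32\cmd.exe /c "rmdir "C:\Documents and Settings\Owner\Application Data\PittNet" /S /Q"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\SsoWindows.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Cisco Secure Services Client - Cisco Systems - C:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
"""


@dataclass
class Entry:
    section: str
    body: str
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def split_command(command):
    """Split an O4 command into (executable, arguments); executable is None if none is found."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path: everything up to the closing quote
        end = command.find('"', 1)
        if end > 1:
            return command[1:end], command[end + 1:].strip()
    m = EXE_RE.match(command)
    if m:
        return m.group("exe"), (m.group("args") or "").strip()
    return None, command


def parse_entry(line):
    """Parse one log line into an Entry, or return None for header/process-list lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m.group("section"), m.group("body"))
    if e.section == "O4" and (f := O4_RE.match(e.body)):
        e.fields = f.groupdict()
        exe, args = split_command(e.fields["command"])
        e.fields["exe"], e.fields["args"] = exe, args
        if exe is None or not re.match(r"^[A-Za-z]:\\", exe):
            e.flags.append("no absolute path: resolved through the search path at logon")
        elif exe.rsplit("\\", 1)[-1].lower() in INTERPRETERS:
            e.flags.append("host process with arguments: inspect what it runs")
    elif e.section == "O20" and (f := O20_RE.match(e.body)):
        e.fields = f.groupdict()
        e.flags.append(f"{e.fields['kind']} loads a DLL into other processes: verify its origin")
    elif e.section == "O23" and (f := O23_RE.match(e.body)):
        e.fields = f.groupdict()
    return e


def parse_log(text):
    """All entry lines of a log, in order, as Entry objects."""
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def flagged(entries):
    """Entries that carry at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        label = e.fields.get("name") or e.fields.get("kind")
        print(f"{e.section} [{label}] -> {'; '.join(e.flags)}")
```

The parser treats everything that is not an `R`/`F`/`O` entry line as context and skips it, so the header and the running-process list pass through untouched. O4 parsing shows why quoting matters when reading these lines: an unquoted command containing spaces is only recoverable by looking for the executable extension, which is the same ambiguity Windows itself faces with unquoted paths.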



#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 November 2007 - 06:27 AM

Hi RushSonic, :thumbsup:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Open notepad and in the Format box set word wrap to automatic.

Thanks for your patience. :blink:

P.S. Please copy/paste the log into this thread using the Add Reply button.
