Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Java Exploit Issue


  • This topic is locked This topic is locked
2 replies to this topic

#1 Klone90

Klone90

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:29 AM

Posted 20 May 2013 - 03:37 PM

Trend Micro Office Scan is blocking a URL from running, every time a web page is opened hXXttp://loadasset.info/run.js?92736 pops up as a blocked URL in the notification message. Im really trying to determine if this is potentially harmful or not.
 
 I am pasting the DDS logs below per the instructions provided by the response to my previous post.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514
Run by Kyle.Lindler at 16:31:39 on 2013-05-20
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.1917.961 [GMT -4:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {B7599298-8445-728A-A5C7-A26A082C8BDA}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {0C38737C-A27F-7D04-9F77-991873ABC167}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *Enabled* {49A8346C-6900-54B6-B1B3-5F678736DDE9}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\2X\Client\TUXCredProv.exe
C:\Windows\dwrcs\DWRCS.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Altiris\Dagent\dagent.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Altiris\Dagent\dagentui.exe
C:\Program Files\ActiveFax\Terminal\TSClientB.exe
C:\Windows\dwrcs\DWRCST.EXE
C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\PrintIsolationHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://intranet2/SitePages/Home.aspx
uDefault_Page_URL = hxxp://intranet2/SitePages/Home.aspx
mWinlogon: Userinit = userinit.exe
BHO: Coupon Companion Plugin: {11111111-1111-1111-1111-110211181104} - C:\Program Files (x86)\Coupon Companion Plugin\Coupon Companion Plugin.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmIEPlg32.dll
BHO: SelectionLinksBHO Class: {300BEC06-B743-4D19-86B9-11DC711D7FFB} - C:\Program Files (x86)\OApps\SelectionLinks.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
mRun: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: ForceStartMenuLogOff = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:3
mPolicies-Windows\System: AddAdminGroupToRUP = dword:1
mPolicies-Windows\System: SlowLinkProfileDefault = dword:1
mPolicies-Windows\System: CompatibleRUPSecurity = dword:1
Trusted Zone: adobe.com
Trusted Zone: adp.com
Trusted Zone: athenahealth.com
Trusted Zone: bcbsc.com
Trusted Zone: breakawaylearning.com
Trusted Zone: csod.com
Trusted Zone: hp.com
Trusted Zone: iosocrp.com
Trusted Zone: java.com
Trusted Zone: microsoft.com
Trusted Zone: nmisweb.com
Trusted Zone: notifymd.com
Trusted Zone: palmettohealth.org
Trusted Zone: pittsrad.net
Trusted Zone: provsc.com
Trusted Zone: provsc.net
Trusted Zone: scmedicaid.com
Trusted Zone: sun.com
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {B723F1B4-7132-45CA-A538-E90FBB690F3E} - hxxps://athenanet.athenahealth.com/static_20121220/AthenanetRegistry.cab
TCP: NameServer = 172.20.0.2 172.19.0.2 172.18.0.2
TCP: Interfaces\{830CD7D4-F2C2-490D-A1CD-3F40DE6B4E50} : DHCPNameServer = 172.20.0.2 172.19.0.2 172.18.0.2
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmIEPlg32.dll
SSODL: WebCheck - <orphaned>
x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmIEPlg.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [DagentUI] C:\Program Files\Altiris\Dagent\dagentui.exe
x64-Run: [ActiveFax Terminal Server] C:\Program Files\ActiveFax\Terminal\TSClientB.exe
x64-Run: [DameWare MRC Agent] C:\Windows\dwrcs\DWRCST.exe
x64-Trusted Zone: adobe.com
x64-Trusted Zone: adp.com
x64-Trusted Zone: athenahealth.com
x64-Trusted Zone: bcbsc.com
x64-Trusted Zone: breakawaylearning.com
x64-Trusted Zone: csod.com
x64-Trusted Zone: hp.com
x64-Trusted Zone: iosocrp.com
x64-Trusted Zone: java.com
x64-Trusted Zone: microsoft.com
x64-Trusted Zone: nmisweb.com
x64-Trusted Zone: notifymd.com
x64-Trusted Zone: palmettohealth.org
x64-Trusted Zone: pittsrad.net
x64-Trusted Zone: provsc.com
x64-Trusted Zone: provsc.net
x64-Trusted Zone: scmedicaid.com
x64-Trusted Zone: sun.com
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmIEPlg.dll
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R1 TmLwf;Trend Micro NDIS 6.0 Filter Driver;C:\Windows\System32\drivers\tmlwf.sys [2010-4-24 196688]
R2 2X SSO Service;2X SSO Service;C:\Program Files\2X\Client\TUXCredProv.exe [2012-10-14 777096]
R2 Altiris Deployment Agent;Altiris Deployment Agent;C:\Program Files\Altiris\Dagent\dagent.exe [2012-1-11 2040832]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [2011-6-21 341296]
R2 tmevtmgr;tmevtmgr;C:\Windows\System32\drivers\tmevtmgr.sys [2012-12-21 64304]
R2 TmFilter;Trend Micro Filter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmxpflt.sys [2009-12-4 344376]
R2 TmPreFilter;Trend Micro PreFilter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmpreflt.sys [2009-12-4 42808]
R2 tmWfp;Trend Micro WFP Callout Driver;C:\Windows\System32\drivers\tmwfp.sys [2010-4-24 338000]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-2 187392]
R3 TmPfw;OfficeScan NT Firewall;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPfw.exe [2012-12-21 596736]
R3 TmProxy;OfficeScan NT Proxy Service;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [2012-12-21 918032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-9 123856]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-12-18 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-12-18 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-12-18 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-18 1255736]
.
=============== Created Last 30 ================
.
2013-05-20 14:38:24 -------- d-----w- C:\Program Files\CCleaner
2013-05-17 17:12:56 9460464 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B2D99E7E-BD1C-484E-B11D-E7AD6ED801B7}\mpengine.dll
2013-04-24 08:43:41 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
.
==================== Find3M  ====================
.
2013-05-20 13:06:32 866720 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-05-20 13:06:32 788896 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-05-02 06:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
2013-03-08 00:12:17 963488 ----a-w- C:\Windows\System32\deployJava1.dll
2013-03-08 00:12:17 1085344 ----a-w- C:\Windows\System32\npDeployJava1.dll
2013-03-02 05:56:00 1188864 ----a-w- C:\Windows\System32\wininet.dll
2013-03-02 04:58:26 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-03-02 03:57:05 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2013-03-02 03:22:06 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-03-01 03:36:04 3153408 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 16:32:17.21 ===============

Attached Files


Edited by nasdaq, 24 May 2013 - 10:42 AM.
Bad URL obfuscated.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:29 AM

Posted 24 May 2013 - 10:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply DO NOT ATTACH THEM.
Let me know what problem persists.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:29 AM

Posted 30 May 2013 - 08:29 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users