Re: Trojan horse Downloader.Stubby.A

From: Bill Sanderson (Bill_Sanderson_at_msn.com.plugh.org)
Date: 12/10/03 

Date: Wed, 10 Dec 2003 01:06:02 -0500

LOL--I won't disagree with either of your picks--I'm sure I wouldn't miss
those a bit (nor either of Mike's picks, either!)

I'm ready to ditch Office 2000 for 2003--maybe OSA will disappear on its
own?

"Kent W. England [MVP]" <kwe@mvps.org> wrote in message
news:Oqtnb7svDHA.2492@TK2MSFTNGP12.phx.gbl...
> A few thousand more of these and someone could build an interesting
> database of applications and malware.
>
> I'd lose:
> O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft
> Office\Office10\OSA.EXE
> and
> O4 - HKLM\..\Run: [QuickTime Task] "D:\program
> files\quicktime\qttask.exe" -atboottime
>
> but they'll come back, just like any malware. ;-)
>
> --
> Kent W. England, Microsoft MVP for Windows Security
>
>
>
> "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
> news:%23SYAmhgvDHA.2308@TK2MSFTNGP11.phx.gbl...
> > I just ran HijackThis on my system.
> >
> > It was useful--it allowed me to remove a couple of startups, one of
> which
> > remained from a manual ripping out by the roots of some software, and
> > another of which I was tired of seeing in my notification area.
> >
> > OTOH, here's what was left. There's a lot here, and I believe it is
> all
> > stuff that is reasonably safe and that I want. Sorting out the dross
> from
> > this kind of list is going to take some real care, no?
> >
> > -----------------------------------------------------------
> > Logfile of HijackThis v1.97.7
> > Scan saved at 10:54:36 PM, on 12/8/2003
> > Platform: Windows XP SP1 (WinNT 5.01.2600)
> > MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
> >
> > Running processes:
> > E:\WINDOWS\System32\smss.exe
> > E:\WINDOWS\system32\winlogon.exe
> > E:\WINDOWS\system32\services.exe
> > E:\WINDOWS\system32\lsass.exe
> > E:\WINDOWS\system32\svchost.exe
> > E:\WINDOWS\System32\svchost.exe
> > E:\WINDOWS\system32\spoolsv.exe
> > E:\WINDOWS\Explorer.EXE
> > E:\Program Files\Google\ggviewer67-34.exe
> > E:\Program Files\TZO\TZOClient.exe
> > E:\WINDOWS\System32\taskswitch.exe
> > E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
> > C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
> > E:\WINDOWS\System32\ctfmon.exe
> > E:\WINDOWS\System32\devldr32.exe
> > E:\Program Files\MSN Messenger\MsnMsgr.Exe
> > E:\Program Files\AnalogX\TSDropCopy\tsdc.exe
> > E:\Program Files\United Devices\UD.exe
> > E:\Program Files\United Devices\ud_1706422.exe
> > E:\WINDOWS\System32\CTsvcCDA.EXE
> > E:\WINDOWS\System32\inetsrv\inetinfo.exe
> > E:\Program Files\United Devices\ud_1706422_0.dir\ud_ligfit_Release.exe
> > E:\WINDOWS\System32\ScsiAccess.EXE
> > E:\WINDOWS\System32\tcpsvcs.exe
> > E:\WINDOWS\System32\snmp.exe
> > E:\WINDOWS\System32\svchost.exe
> > E:\Program Files\TZO\TZO_NT_Service.exe
> > E:\WINDOWS\System32\VetMsgNT.exe
> > E:\WINDOWS\System32\MsPMSPSv.exe
> > E:\Program Files\Outlook Express\msimn.exe
> > E:\Program Files\SpamPal\spampal.exe
> > E:\Documents and Settings\billS\Desktop\hijackthis\HijackThis.exe
> >
> > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
> Bill
> > Sanderson's Microsoft Internet Explorer
> > R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> > Settings,ProxyServer = gopher=127.0.0.1:80
> > O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
> D:\Program
> > Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
> > O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
> e:\program
> > files\google\googletoolbar1.dll
> > O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
> > E:\WINDOWS\System32\msdxm.ocx
> > O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
> e:\program
> > files\google\googletoolbar1.dll
> > O4 - HKLM\..\Run: [TZOClient] E:\Program Files\TZO\TZOClient.exe
> > O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\Updreg.exe
> > O4 - HKLM\..\Run: [AHQInit] E:\Program
> > Files\Creative\SBLive2k\Program\AHQInit.exe
> > O4 - HKLM\..\Run: [CoolSwitch] E:\WINDOWS\System32\taskswitch.exe
> > O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
> > E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
> > O4 - HKLM\..\Run: [QuickTime Task] "D:\program
> > files\quicktime\qttask.exe" -atboottime
> > O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
> > O4 - HKLM\..\Run: [Qwik-Fix] "E:\Program Files\PivX
> Qwik-Fix\QwikFix.exe"
> > splash
> > O4 - HKLM\..\Run: [VetTray]
> c:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
> > O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
> > O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN
> Messenger\MsnMsgr.Exe"
> > /background
> > O4 - Startup: SpamPal.lnk = E:\Program Files\SpamPal\spampal.exe
> > O4 - Startup: TSDropCopy.lnk = E:\Program
> Files\AnalogX\TSDropCopy\tsdc.exe
> > O4 - Startup: UD Agent.lnk = ?
> > O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
> > O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft
> > Office\Office10\OSA.EXE
> > O8 - Extra context menu item: &Google Search - res://E:\Program
> > Files\Google\GoogleToolbar1.dll/cmsearch.html
> > O8 - Extra context menu item: Backward &Links - res://E:\Program
> > Files\Google\GoogleToolbar1.dll/cmbacklinks.html
> > O8 - Extra context menu item: Cac&hed Snapshot of Page -
> res://E:\Program
> > Files\Google\GoogleToolbar1.dll/cmcache.html
> > O8 - Extra context menu item: Si&milar Pages - res://E:\Program
> > Files\Google\GoogleToolbar1.dll/cmsimilar.html
> > O8 - Extra context menu item: Translate Page - res://E:\Program
> > Files\Google\GoogleToolbar1.dll/cmtrans.html
> > O9 - Extra button: Related (HKLM)
> > O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
> > O9 - Extra button: Messenger (HKLM)
> > O9 - Extra 'Tools' menuitem: Messenger (HKLM)
> > O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
> > http://support.dell.com/systemprofiler/SysPro.CAB
> > O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office
> Template
> > and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
> > O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
> > http://www.apple.com/qtactivex/qtplugin.cab
> > O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl
> Class) -
> >
> https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=Compaq
> > O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} (IWSystemchecks
> Control) -
> > http://msfm.interwise.com/msfm/English/ActiveX/IWsystemchecks.cab
> > O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E2} (ShowSetupObj2
> Class) -
> > http://invite.mshow.com/ShowSetup2.dll
> > O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E3} (ShowSetupObj3
> Class) -
> > http://invite.mshow.com/ShowSetup.cab
> > O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
> > Control) -
> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
> > O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) -
> > http://a19.g.akamai.net/7/19/7125/1269/ftp.coupons.com/v6/brix6ie.cab
> > O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor
> > Class) -
> >
>
http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1063205794992
> > O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
> > scanner) -
> > http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
> > O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) -
> > http://207.82.221.103/10085e868404f4209c21/netzip/RdxIE.cab
> > O16 - DPF: {41E95AF7-BB7B-403D-8E8B-4162188943DE} (INVC Participant
> Console
> > 1.51) - http://66.228.194.114/in/clients/listener/bin/inlist151.cab
> > O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) -
> > http://office.microsoft.com/productupdates/content/opuc.cab
> > O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb
> ActiveX
> > Control) -
> http://msfm.interwise.com/IWCampus/student/client/iftwclix.cab
> > O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) -
> > https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
> > O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com
> Operating
> > System Class) -
> >
> http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,56/mcinsctl.cab
> > O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology
> > Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
> > O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
> > http://207.188.7.150/0503130719ab0a231c04/netzip/RdxIE6.cab
> > O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
> > http://office.microsoft.com/productupdates/content/opuc.cab
> > O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl
> > Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB
> > O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall
> Control) -
> >
>
http://a840.g.akamai.net/7/840/537/2003031101/housecall.antivirus.com/housecall/xscan53.cab
> > O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP
> Client
> > Control (redist)) - http://fgc2003/tsweb/msrdp.cab
> > O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure
> Class) -
> > http://supportservices.msn.com/us/smtptool/MailCfg.cab
> > O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline
> Control) -
> > http://www.bitdefender.com/scan/Msie/bitdefender.cab
> > O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) -
> >
> http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
> > O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl
> > Object) - http://carpoint.msn.com/components/ocx/Survid/MSSurVid.cab
> > O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan
> Installer
> > Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
> > O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
> >
>
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37575.7315856482
> > O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline
> Object) -
> > http://www.ravantivirus.com/scan/ravonline.cab
> > O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B}
> (WebResponseAttachments
> > Control) -
> https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
> > O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround
> > Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
> > O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver
> Class) -
> >
>
http://scpwbf.ops.placeware.com/etc/place/RCC-BETA/pws-ms-04/5100-zi/lib/quicksilver.cab
> > O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI
> Registry
> > Information Class) -
> > http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
> > O16 - DPF: {C78AC153-1FB9-4198-986D-3613E49B152E} (ScanMe Class) -
> >
>
http://download.microsoft.com/download/win2000platform/Utility/416/NT45XP/EN-US/mssecuredll.cab
> > O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
> Object) -
> > http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
> > O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office
> Tools on
> > the Web Control) -
> > http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
> > O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) -
> > http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
> > O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control
> 4.5) -
> > http://fdl.msn.com/public/chat/msnchat45.cab
> > O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) -
> > http://www.zoomify.com/download/zoomify214.cab
>

Quantcast