Malware Bytes Results: Trojan.BHO? Stolen.Data? Fake.Malware.Dropper?

JSX Hacx
2009-02-28, 03:23
Hi again... I was wondering why Cyber Defender is a trojan... it works fine for me... and here's some unusual results (PornCleanser I got from a popup).

Malwarebytes' Anti-Malware 1.34
Database version: 1811
Windows 6.1.6801

2/27/2009 9:14:15 PM
mbam-log-2009-02-27 (21-14-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 151830
Time elapsed: 20 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 46

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\STC\AppData\LocalLow\CyberDefender\cdmyidd.dll (Trojan.BHO) -> No action taken.
C:\Program Files\PC\msvbvm60.dll (Rogue.PornCleanser) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{cd24eb02-9831-4838-99d0-726d411b1328} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f20da564-9254-49fe-a678-cc3cef172252} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar.1 (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\PornCleanser (Rogue.PornCleanser) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PC (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\data (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\logs (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\logs\media (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\logs\savepictures (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\logs\screenspy (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\logs\urls (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\web (Rogue.PornCleanser) -> No action taken.

Files Infected:
C:\Users\STC\AppData\LocalLow\CyberDefender\cdmyidd.dll (Trojan.BHO) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-377501024-839871225-1018076246-1001\$RISTRXC\SSEngine.dll (Rogue.AdwarePro) -> No action taken.
C:\Program Files\PC\remove.exe (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\asycfilt.DLL (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\COMCAT.DLL (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\COMCTL32.OCX (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\COMDLG32.OCX (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\endkeylog.exe (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\IEEvents.ctl (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\ListPrivileges.txt (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\MSCOMCTL.OCX (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\msdirectx.sys (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\MSFLXGRD.OCX (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\msvbvm60.dll (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\oleaut32.DLL (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\olepro32.DLL (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\resiea.res (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\stdole2.tlb (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\svchosts.exe (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\TABCTL32.OCX (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\trz2D8F.tmp (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\unins000.dat (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\unins000.exe (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\Urlhist.tlb (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\VB6STKIT.DLL (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\vbscript.dll (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\wndrivers.dat (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\WORDPAD.EXE (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\data\AllowedSites.txt (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\data\Applications.txt (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\data\BlockSites.txt (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\data\keywords.txt (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\logs\media\blockedmedia.txt (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\logs\savepictures\2008_3_11__19_20_36.bmp (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\logs\screenspy\2008_3_11__19_22_37.bmp (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\logs\urls\visitedurl.txt (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\web\stoppage.html (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\web\stoppage2.html (Rogue.PornCleanser) -> No action taken.
C:\Program Files\PC\web\stoppage3.html (Rogue.PornCleanser) -> No action taken.
C:\Users\STC\AdwarePro_Setup.exe (Rogue.Installer) -> No action taken.
C:\Users\STC\Downloads\AdwarePro_Setup.exe (Rogue.Installer) -> No action taken.
C:\Windows\System32\MSVolume.dll (Fake.Dropped.Malware) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC\PC 2008 on the Web.url (Rogue.PornCleanser) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC\PC 2008.lnk (Rogue.PornCleanser) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC\Remove PC 2008.lnk (Rogue.PornCleanser) -> No action taken.
C:\keylog.rtf (Stolen.Data) -> No action taken.

peku006
2009-03-02, 12:18
Hello and Welcome to Safer Networking,

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

First you need to rerun MBAM; you did not let it clean what it found:
C:\Users\STC\AppData\LocalLow\CyberDefender\cdmyidd.dll (Trojan.BHO) -> No action taken.

1 - Run Malwarebytes' Anti-Malware

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.

Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Download and run RSIT

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized).

3 - Status Check
Please reply with

1. the logs from RSIT (log.txt, info.txt)
2. the Malwarebytes' Anti-Malware log
3. a description of any problems you are having with your PC

Thanks peku006
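A small triage script for logs in the format JSX Hacx posted, added here as an example (it is not from the thread and not Malwarebytes' own tooling). It parses each detection line of the form "item (family) -> action.", lists the entries still marked "No action taken" (peku006's point: the scan only listed the items and nothing was removed), tallies detections per family, and cross-checks the summary counts at the top of the log against the detail sections so a truncated paste is noticed. The embedded sample log is constructed from a handful of the thread's lines, with one rewritten as if MBAM had been allowed to clean it; the function names are mine.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Added example for this thread; it is not Malwarebytes' own tooling.
Detection lines have the shape   <item> (<family>) -> <action>.
and "No action taken" means the item was only listed, not removed.
"""
import re
from collections import Counter

# One detection line: a path or registry key, the family name in
# parentheses, and the action MBAM took, ending with a period.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>[^.]+)\.$"
)

# "Files Infected: 46" in the summary block, "Files Infected:" as a
# section header further down; both carry the same section name.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")

# Constructed sample: a few lines in the format of the posted log, with
# one detection rewritten as if MBAM had been allowed to clean it.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.34
Database version: 1811

Scan type: Full Scan (C:\|)
Objects scanned: 151830
Time elapsed: 20 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\STC\AppData\LocalLow\CyberDefender\cdmyidd.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\PornCleanser (Rogue.PornCleanser) -> No action taken.

Files Infected:
C:\Users\STC\AppData\LocalLow\CyberDefender\cdmyidd.dll (Trojan.BHO) -> No action taken.
C:\Windows\System32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\keylog.rtf (Stolen.Data) -> No action taken.
"""


def parse_mbam_log(text):
    """Return (summary_counts, findings).

    summary_counts maps section name -> count claimed in the summary block.
    findings is a list of dicts with keys section, item, family, action.
    """
    summary = {}
    findings = []
    current = None  # detail section we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("section")] = int(m.group("count"))
                current = None  # still in the summary block
            else:
                current = m.group("section")
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            findings.append({"section": current, **m.groupdict()})
    return summary, findings


def unremediated(findings):
    """Detections MBAM listed but did not quarantine or delete."""
    return [f for f in findings if f["action"] == "No action taken"]


def family_counts(findings):
    """Number of detections per family, most common first."""
    return Counter(f["family"] for f in findings).most_common()


def summary_mismatches(summary, findings):
    """Sections whose summary count differs from the parsed detail lines.

    A mismatch usually means the pasted log was truncated or mangled.
    """
    parsed = Counter(f["section"] for f in findings)
    return {s: (n, parsed.get(s, 0)) for s, n in summary.items() if n != parsed.get(s, 0)}


def triage(text):
    """One-shot report: totals, leftover items, families, count mismatches."""
    summary, findings = parse_mbam_log(text)
    return {
        "total": len(findings),
        "unremediated": len(unremediated(findings)),
        "families": family_counts(findings),
        "mismatches": summary_mismatches(summary, findings),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['unremediated']} of {report['total']} detections still present")
    for family, n in report["families"]:
        print(f"  {family}: {n}")
    if report["mismatches"]:
        print("summary/detail count mismatch:", report["mismatches"])
```

Run on a real log (pass the file contents to `triage`), a non-empty "unremediated" count is the fastest way to see that a scan was only a listing, and "mismatches" flags a paste that lost lines before anyone spends time on it.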

tashi
2009-03-02, 20:38
Being helped here: http://forums.spybot.info/showthread.php?t=46210

JSX Hacx, please don't start new topics for every question.

Best regards.