TDS-3 alarm

Discussion in 'Trojan Defence Suite' started by mfreemanhcp7, Jan 27, 2004.

Thread Status:
Not open for further replies.
  1. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    I have run Spybot S&D and Adaware 6.0, I also have SpywareBlaster and SpywareGuard - all have been updated today where available. The scans do not come up with any problems but I have an alarm in TDS-3 of a 'possible web downloader' referring to the popuppopper folder - which blocks pop-up ads. Don't know if the problem is with the following:

    O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\Security\AD-SPY~1\PopUps\POPUPP~1\PopLib.dll

    I like the popuppopper application but don't want to keep it if it's a threat.

    Any help would be greatly appreciated and further comments on my log well received.

    P.S. How do I start to understand what's good and bad in a HJT log, because you guys must get really cheesed with reviewing everybody's logs? o_O

    Logfile of HijackThis v1.97.7
    Scan saved at 20:20:46, on 27/01/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    D:\My Programs\Software\Ghost\GhostStartService.exe
    C:\Program Files\Eset\nod32krn.exe
    D:\My Programs\Security\AntiVirus\Tmntsrv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    D:\My Programs\Software\Ghost\GhostStartTrayApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Security\Firewall\ZAP\ZONEAL~1\zlclient.exe
    C:\Program Files\Security\AntiTrojan\TauScan\Tauscan 1.6\taumon.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Security\AntiTrojan\TDS\TDS-3.exe
    D:\My Programs\Security\AntiVirus\pccguide.exe
    D:\My Programs\Security\AntiVirus\PCCClient.exe
    D:\My Programs\Security\AntiVirus\Pop3trap.exe
    C:\WINDOWS\System32\ctfmon.exe
    D:\My Programs\Utility\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
    C:\Program Files\Security\Roboform\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Security\Firewall\ZAP\VisualZone\VisualZone.exe
    C:\Program Files\Utilities\MRU\MRU-Blaster\scheduler.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Security\Ad-Spy Ware\SpywareGuard\SpywareGuard\sgmain.exe
    C:\Program Files\Security\Ad-Spy Ware\SpywareGuard\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Security\Firewall\Port Explorer\Port Explorer\PortExplorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Utilities\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.visualizesoftware.com/visualzone/visualzone_faq.htm
    O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\Security\AD-SPY~1\PopUps\POPUPP~1\PopLib.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Security\Ad-Spy Ware\SpywareGuard\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Security\Roboform\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Security\Roboform\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [GhostStartTrayApp] D:\My Programs\Software\Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Security\Firewall\ZAP\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [Tau Monitor] C:\Program Files\Security\AntiTrojan\TauScan\Tauscan 1.6\taumon.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\Security\AntiTrojan\TDS\TDS-3.exe
    O4 - HKLM\..\Run: [pccguide.exe] "D:\My Programs\Security\AntiVirus\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "D:\My Programs\Security\AntiVirus\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "D:\My Programs\Security\AntiVirus\Pop3trap.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [UIWatcher] D:\My Programs\Utility\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Security\Roboform\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\Utilities\MRU\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\Utilities\MRU\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\Security\Ad-Spy Ware\SpywareGuard\SpywareGuard\sgmain.exe
    O4 - Global Startup: VisualZone.lnk = C:\Program Files\Security\Firewall\ZAP\VisualZone\VisualZone.exe
    O8 - Extra context menu item: Customize Menu   &4 - file://C:\Program Files\Security\Roboform\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms   &] - file://C:\Program Files\Security\Roboform\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms   &[ - file://C:\Program Files\Security\Roboform\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms   &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms   &[ (HKLM)
    O9 - Extra button: PopupPopper Control Panel (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar   &2 (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A59ED4A2-D942-42A3-8ED5-B6BD79F402D7}: NameServer = 195.92.195.95 195.92.195.94
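    In reply to the P.S. above, a small parser for HijackThis v1.97-style log lines with review prompts for the entry types that come up in this log (O2 BHOs, O4 Run keys, O10, O17); this is an added example, not part of the original thread and not HijackThis or TDS code. The sample lines are copied from the log above, and the prompts are review questions to resolve before deciding anything, not verdicts.

```python
import re

# Constructed sample in HijackThis v1.97 log format: a subset of the lines
# from the log posted in this thread (not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\Security\AD-SPY~1\PopUps\POPUPP~1\PopLib.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Security\Ad-Spy Ware\SpywareGuard\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [TDS3] C:\Program Files\Security\AntiTrojan\TDS\TDS-3.exe
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{A59ED4A2-D942-42A3-8ED5-B6BD79F402D7}: NameServer = 195.92.195.95 195.92.195.94
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Sub-patterns for the entry types the triage below looks at.
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")

def parse_log(text):
    """Turn HJT 'Rn'/'On' lines into dicts; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = {"kind": m.group("kind"), "body": m.group("body")}
        sub = {"O2": BHO_RE, "O4": RUN_RE, "O17": NS_RE}.get(entry["kind"])
        s = sub.search(entry["body"]) if sub else None
        if s:
            entry.update(s.groupdict())
        if "servers" in entry:
            entry["servers"] = entry["servers"].split()
        entries.append(entry)
    return entries

def triage(entries):
    """Review prompts (not verdicts) for entries a log reader should resolve first."""
    findings = []
    for e in entries:
        if e["kind"] == "O2" and e.get("name") == "(no name)":
            findings.append((e["clsid"], "unnamed BHO: identify the DLL by its path and publisher"))
        if e["kind"] == "O2" and "~" in e.get("path", ""):
            findings.append((e["clsid"], "8.3 short path: resolve it to see which product owns the DLL"))
        if e["kind"] == "O10":
            findings.append(("O10", "LSP chain reported broken: check which product installed that provider"))
        if e["kind"] == "O17":
            findings.append(("O17", "DNS servers set explicitly: confirm they are the ISP's resolvers"))
    return findings
```

For the sample above, `triage(parse_log(SAMPLE_LOG))` yields two prompts for the unnamed PopLib.dll BHO and one each for the O10 and O17 lines; the SpywareGuard BHO and the TDS3 Run key produce none.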
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi long name :) previously known as mfreemanhcp17
    The HJT is Pieter c.s.'s specialty, so I'm not going to touch that part; in my uneducated view I don't see anything inappropriate in this, but others might have recommendations.

    But you can zip and submit the alarm to Gavin to look into it and, if necessary, refine the detection.
    submit@diamondcs.com.au
     
  3. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Jooske,

    that's correct :)

    The log was completely clean, but I moved the topic to this section because it was more like a specific TDS question, and the HJT log was checked and found to be completely clean.

    You answered the question by asking to submit the alarm, thanks! :)

    Take care

    Cheers,
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks Unzy and you're welcome!
    You guys do a great job with those HJT logs!
    :cool:
     