Tag Archives | trend micro

Another Reason to Hate Trend Micro…

Tonight, one of my new clients asked me to clean up a rogue anti-virus app and install his new anti-virus, Trend Micro Titanium (…whatever that means).  I popped the disc in, clicked install and bam!

Check out the screen shot below: [Screenshot: Trend-Micro-Titanium]

Are you F’n kiddin’ me?  Trend Micro is NOT compatible with an On-Demand scanner (the free version of Malwarebytes is not real-time)?  Personally, if it were me, I’d cancel this install and buy a full copy of Malwarebytes (which includes really good real-time protection).


The Call – Warning! Your system is in danger.

Once in a while I like to show off some of the malware I find when I visit my St. Louis clients. Tonight I thought I’d treat you to a creative little rogue antivirus! When Joyce (my new client) would try to visit free.avg.com (or any website) she would be presented with this fake little message: “Warning! Your system is in danger”.

Joyce was infected with the ever-present and ever-changing ZLOB trojan. I don’t have too much to say about this rogue except that it hijacked every single website visit with the text seen below (which is sorta rare). When Joyce would click the message she would get (see Img. B) an installer for Antivirus Pro 2009. Joyce didn’t install Antivirus 2009 because she had heard about such scams at work.

I cleaned Joyce’s machine with Malwarebytes and GMER in safe mode. Later she opted to buy Norton Internet Security 2009. Joyce had an expired copy of Trend Micro 2008.

Img. A

Img. B


HiJackThis Log For Anti-Malware Product Reviews

As I work on the F-Secure review, I thought I’d introduce HijackThis logs before and after.  Here is the current HijackThis log for this (currently) infected PC:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:31 AM, on 9/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\wpopejyl.exe
C:\Program Files\NetProject\scit.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\SystemDefender\SystemDefender.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\NetProject\scm.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\cjb\cjb8.exe
C:\Program Files\Ultimate Defender\UltimateDefender.exe
C:\WINDOWS\system32\lphca7uj0erdc.exe
C:\Program Files\rhce7uj0erdc\rhce7uj0erdc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe
C:\WINDOWS\system32\pphca7uj0erdc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.getbackpage.com/?cm=540422&lt=1&it=2008-04-27%2016%3A09%3A32&dt=2008-07-13%2020%3A55%3A08&q=http://www.yahoo.com/?rs=1
F2 – REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 – BHO: (no name) – {01BA2111-5518-D0C8-A667-01E739079356} – C:\WINDOWS\system32\tnxqilzf.dll
O2 – BHO: (no name) – {182C7ED7-E56D-4509-9D9B-AC49318D9895} – C:\WINDOWS\System32\urqqrsr.dll
O2 – BHO: BhoApp Class – {32131238-5434-4234-4234-432432423432} – C:\Program Files\syscmd\mscmp32.dll
O2 – BHO: SSVHelper Class – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 – BHO: (no name) – {7C109800-A5D5-438F-9640-18D17E168B88} – C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 – BHO: e404 helper – {8F10DE2B-E923-4548-B524-4D9C5FA80777} – C:\Program Files\Helper\1208921198.dll
O2 – BHO: 717305 helper – {963916CD-6311-485D-93DC-3BD1B9E2D2CB} – (no file)
O2 – BHO: Mirar – {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} – C:\WINDOWS\System32\WinNB58.dll
O2 – BHO: iSecurity – {A8311E8F-E459-4D22-89B4-CB9DCF10A425} – C:\WINDOWS\System32\ISECUR~1.CPL
O2 – BHO: ContextProgram – {E4D1D56C-3EC9-2F5D-FAA3-4112CCDD61DC} – C:\Program Files\ContextProgram\ContextProgram-2.dll
O2 – BHO: cj helper – {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} – C:\Program Files\IE Extensions\cj.v2.dll
O3 – Toolbar: Mirar – {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} – C:\WINDOWS\System32\WinNB58.dll
O4 – HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe”
O4 – HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 – HKLM\..\Run: [SystemDefender] “C:\Program Files\SystemDefender\SystemDefender.exe” hide
O4 – HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 – HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 – HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 – HKLM\..\Run: [wofgrqls] C:\WINDOWS\system32\wofgrqls.exe
O4 – HKLM\..\Run: [apadibub] regsvr32 /u “C:\Documents and Settings\All Users\Application Data\apadibub.dll”
O4 – HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvboj.dll,startup
O4 – HKLM\..\Run: [cjb] C:\Program Files\cjb\cjb8.exe
O4 – HKLM\..\Run: [VirusHeat 4.3] “C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe” /h
O4 – HKLM\..\Run: [Ultimate Defender] “C:\Program Files\Ultimate Defender\UltimateDefender.exe” hide
O4 – HKLM\..\Run: [lphca7uj0erdc] C:\WINDOWS\system32\lphca7uj0erdc.exe
O4 – HKLM\..\Run: [SMrhce7uj0erdc] C:\Program Files\rhce7uj0erdc\rhce7uj0erdc.exe
O4 – HKCU\..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 – HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 – HKLM\..\Policies\Explorer\Run: [rTwrdHqj21] C:\WINDOWS\wpopejyl.exe
O4 – HKLM\..\Policies\Explorer\Run: [J286hthVnp] C:\WINDOWS\wpopejyl.exe
O4 – HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 – Startup: .protected
O4 – Startup: findfast.exe
O4 – Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 – Global Startup: .protected
O4 – Global Startup: autorun.exe
O4 – Global Startup: svchost.exe
O7 – HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 – Extra button: (no name) – {9034A523-D068-4BE8-A284-9DF278BE776E} – http://www.gateietool.com/redirect.php (file missing)
O9 – Extra ‘Tools’ menuitem: IE Anti-Spyware – {9034A523-D068-4BE8-A284-9DF278BE776E} – http://www.gateietool.com/redirect.php (file missing)
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O15 – Trusted Zone: http://click.getmirar.com (HKLM)
O15 – Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 – Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 – Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 – DPF: {2F0E7094-51A2-ECEB-8CF6-EF32B5ECD15E} – http://virusremover2008.com/VRM_Free.exe
O16 – DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} (CLoader Object) – http://www.av-xp2008.com/tools/virusremover.dll
O16 – DPF: {C931FDF3-0319-0CAE-6DFD-8D061EABF08D} – http://virusremover2008.com/VRM_Free.exe
O20 – AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 – Winlogon Notify: urqqrsr – C:\WINDOWS\SYSTEM32\urqqrsr.dll
O20 – Winlogon Notify: wingvd32 – C:\WINDOWS\SYSTEM32\wingvd32.dll
O21 – SSODL: zip – {177ab526-6b94-4cc2-b303-c1b6a4070316} – C:\WINDOWS\Installer\{177ab526-6b94-4cc2-b303-c1b6a4070316}\zip.dll
O21 – SSODL: CheckMon – {b62df42a-0f78-46d6-81d0-3f0ae0d8dc6b} – C:\WINDOWS\Installer\{b62df42a-0f78-46d6-81d0-3f0ae0d8dc6b}\CheckMon.dll
O21 – SSODL: iSecurity – {A8311E8F-E459-4D22-89B4-CB9DCF10A425} – C:\WINDOWS\System32\ISECUR~1.CPL
O22 – SharedTaskScheduler: frowardness – {b0fdc513-46b9-46fc-8e70-d575ee546dae} – C:\WINDOWS\System32\zfaiqwr.dll
O23 – Service: VMware Descheduled Time Accounting Service (vmdesched) – VMware, Inc. – C:\Program Files\VMware\VMware Tools\vmdesched.exe
O23 – Service: VMware Tools Service (VMTools) – VMware, Inc. – C:\Program Files\VMware\VMware Tools\VMwareService.exe

End of file – 6816 bytes
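As an added illustration (not part of the original post), the following Python script parses lines in the HijackThis v2 format shown above and flags the kinds of entries a cleanup tech looks at first: a Shell= hijack, nameless or fileless BHOs, Run/Startup entries that imitate system binaries, and policy, Trusted Zone and AppInit_DLLs changes. The sample input is a hand-picked subset of the log above with HijackThis’ plain hyphens restored; the heuristics are mine, not HijackThis’ own analysis.

```python
import re
# A HijackThis v2 line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
LINE_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
# Core Windows binaries that rogue software likes to imitate by name.
SYSTEM_NAMES = {"svchost.exe", "spoolsv.exe", "explorer.exe", "lsass.exe",
                "winlogon.exe", "smss.exe", "services.exe", "csrss.exe"}
# Sections that deserve a look whenever they appear at all.
ALWAYS = {"O7": "policy tamper (DisableRegedit etc.)", "O15": "site added to IE Trusted Zone",
          "O20": "AppInit_DLLs / Winlogon Notify injection point"}
# Constructed sample: a subset of the log above, with HijackThis' plain hyphens restored.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {01BA2111-5518-D0C8-A667-01E739079356} - C:\WINDOWS\system32\tnxqilzf.dll
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Global Startup: svchost.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
"""

def _target(body):
    """Best-effort path of the program an O4 entry launches (startup items carry only a name)."""
    m = re.search(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|cpl))', body, re.I)
    return m.group(1) if m else body.split(":", 1)[-1].strip()

def _lookalike(name):
    """System binary whose letters `name` merely rearranges (spoolvs -> spoolsv), else None."""
    return next((s for s in SYSTEM_NAMES if s != name and sorted(s) == sorted(name)), None)

def triage(log_text):
    """Return (section, reason, body) for each log line that deserves a closer look."""
    hits = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        sec, body = m.groups()
        low, reason = body.lower(), ALWAYS.get(sec)
        if sec == "F2" and "shell=" in low and low != "reg:system.ini: shell=explorer.exe":
            reason = "Shell= hijack: extra program loaded alongside Explorer"
        elif sec in ("O2", "O3") and any(t in body for t in ("(no name)", "(no file)", "(file missing)")):
            reason = "BHO/toolbar with no name or missing file"
        elif sec == "O4":
            path = _target(body)
            name = path.rsplit("\\", 1)[-1].lower()
            if real := _lookalike(name):
                reason = f"{name} imitates system binary {real}"
            elif name in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\"):
                reason = f"system binary name {name} launched from outside C:\\WINDOWS"
        if reason:
            hits.append((sec, reason, body))
    return hits
```

Run `triage(open("hijackthis.log").read())` against a real log to get the short list; entries that pass these checks still need the usual file-hash and vendor lookups.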
