Jahewi's Anti-Malware Information
Rogue application: X Password Generator
May I have your special attention for ......
... the newest VirusBurst installer!
X Password Generator
Somehow, reading where the site is hosted and who the owner is ...
Registration Service Provided By: ESTDOMAINS INC
Domain Name: XPASSGENERATOR.COM
Registrant: stCod int (Petronije Marinkovic)
Creation Date: 12-Sep-2006
... I have some doubts about this claim on the site.
Nice, normal installation ...
... at this point you seem to be able to break off and come out unharmed ...
Icon of the downloaded X Password Generator installation file
... which is impossible once the installation has reached this point.
All the trojans and the fake malware scanner VirusBurst have been deployed.
The computer has been thoroughly taken over by desktop and browser hijackers, fake toolbar messages and, of course, VirusBurst.
Not to mention the critters you don't even see ......
Waiting just a little bit longer for things to come gives you, roughly, the following desktop ...
... watch the constantly increasing number of open Internet Explorer windows.
In this picture there are 4 ... and counting :-D
Logfile of HijackThis v1.99.1
Scan saved at 21:07:27, on 18-9-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\X Password Generator\isamonitor.exe
C:\Program Files\X Password Generator\pmsngr.exe
C:\Program Files\X Password Generator\isamini.exe
C:\Program Files\X Password Generator\pmmon.exe
C:\Program Files\Virus-Burst\Virus-Burst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Robot Genius\Spyberus\RgView.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Robot Genius - {1FD7EA94-0650-4CF5-ACFF-CDB36A6E924F} - C:\Program Files\Robot Genius\Spyberus\RgWinId.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\X Password Generator\isaddon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\X Password Generator\iesplugin.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RGLauncher] C:\Program Files\Robot Genius\Spyberus\Spyberus.exe /S
O4 - HKLM\..\Run: [Virus-Burst] C:\Program Files\Virus-Burst\Virus-Burst.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll
O21 - SSODL: hemadynamometer - {6076d2b1-634c-4685-843b-f826045ea5dc} - C:\WINDOWS\System32\syycum.dll
HijackThis log, at this point:
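Reading a HijackThis log by eye, as above, means picking the handful of lines that belong to the rogue install out of dozens of legitimate ones. The small parser below is an added example written for this page; it is not part of the original post and not a tool the author used. It splits each Oxx/Rx entry into section, CLSID and file path, and flags an entry when its path sits under one of the two product directories the log shows (X Password Generator, Virus-Burst) or when it lives in the O20 AppInit_DLLs or O21 SSODL sections, which load code into every process or into the shell at logon and therefore always deserve a look. The sample log lines are constructed from the entries above; the directory list and the choice of "review" sections are assumptions of the example, not something the page states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v1.99 format, built from entries in the
# log above. Non-entry lines (header, process list) are included to show
# that the parser skips them.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\X Password Generator\isaddon.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\X Password Generator\iesplugin.dll
O4 - HKLM\..\Run: [Virus-Burst] C:\Program Files\Virus-Burst\Virus-Burst.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll
O21 - SSODL: hemadynamometer - {6076d2b1-634c-4685-843b-f826045ea5dc} - C:\WINDOWS\System32\syycum.dll
"""

# "O2 - BHO: ..." / "R0 - HKCU\..." -> section code plus the rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
# A braced GUID as HijackThis prints it for BHOs, toolbars and SSODL entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path (drive letter or %var%) up to a loadable-file extension.
PATH_RE = re.compile(r"(?:[A-Za-z]:|%[A-Za-z]+%)\\.*?\.(?:dll|exe|ocx|htm)\b", re.IGNORECASE)

# Assumption of this example: product directories tied to the rogue install
# (both appear in the log above; matching the path component is enough here).
ROGUE_DIRS = ("x password generator", "virus-burst")
# AppInit_DLLs and ShellServiceObjectDelayLoad: reviewed whatever the path.
REVIEW_SECTIONS = {"O20", "O21"}


@dataclass
class HjtEntry:
    section: str
    body: str
    clsid: Optional[str]
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Turn one log line into an HjtEntry, or None for header/process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return HjtEntry(
        section=m.group("section"),
        body=body,
        clsid=clsid.group(0) if clsid else None,
        path=path.group(0) if path else None,
    )


def flag_entry(entry: HjtEntry) -> List[str]:
    """Reasons an entry should be looked at; empty list means nothing found."""
    flags = []
    if entry.path and any(d in entry.path.lower() for d in ROGUE_DIRS):
        flags.append("rogue-path")
    if entry.section in REVIEW_SECTIONS:
        flags.append("review-section")
    return flags


def parse_log(text: str) -> List[HjtEntry]:
    """All Oxx/Rx entries in a log, in file order, each with its flags set."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entry.flags = flag_entry(entry)
            entries.append(entry)
    return entries


def suspicious(text: str) -> List[HjtEntry]:
    """Only the entries that carry at least one flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.section:<4} {','.join(e.flags):<26} {e.path}")
```

Run against the constructed sample, the two SnagIt and ctfmon entries drop out and the five entries tied to the infection (the nameless BHO, the "Protection Bar" toolbar, the Virus-Burst Run key, the AppInit DLL and the SSODL object with the random-looking name) are listed with the reason each was kept.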