Hi, sorry it took so long to get back. Full plate, and I was trying to do a
couple of 2-6 hour scans as I had done before. I did not re-acquire /
reproduce what I wanted, but that was the 3rd time around anyway. With the items
pasted below, items not included for: (1. The Trend Micro online scan seems to
acquire those that no others find: greyware/trojans..? It seems to show only
serial number / file name results, so did they actually find anything? 2.
My ZoneLabs ZoneAlarm Suite deep scan was not monitored: I would have seen
Java WildTangent being re-deleted, as was the case twice within a couple of days before.
3. x? missing, pending); recent scan history:
You said you had info on WildTangent. (Note: view all key-loggers as
hostile.)
XXXXXXXXXXXXXXXXX
Missing (have stored / need to locate): WildTangent screens for the Java
registry entry and the exact FILE NAMES that spawned WildTangent, items at
origin under Java.
FOCUS:
060413 Spybot: WildTangent, in other than Java (below)
060414 Spybot: WildTangent in JAVA registry (below)
060419 ZoneAlarm: WildTangent in JAVA registry (below); searched / found
Java origin files for WildTangent under the programs Java directory, as:
060419 ZA Virus Scan: WILDTANGENT Medium Type: Adware Status:
This item is active and may pose a threat to your security and/or privacy.
Select the treatment you wish to apply.
Information: It is recommended that you quarantine and optionally delete
this application because it has no value, is a stand-alone application, and
not part of any other software package. Its quarantine or deletion does not
affect your system stability. WildTangent is an online gaming plugin bundle
from Wildtangent.com similar to Macromedia Flash. WildTangent uses a built-in
required feature that is used to provide adware-based advertising to the user.
060413 Ad-Aware results
http://www.lavasoft.de/support/download/
Windows RegData Vulnerability
HKEY_LOCAL_MACHINE:software\microsoft\windows\currentversion\url\defaultprefix*** (c:\searchpage.html?page=)
\url\prefixes*home*
\url\prefixes*mosaic*
\url\prefixes*www*
Tracking Cookies IECache Entry Data Miner
C:\Documents and Settings\A\Cookies\a@adtech[2].txt
C:\Documents and Settings\A\Cookies\a@questionmarket[2].txt
C:\Documents and Settings\A\Cookies\a@serving-sys[2].txt
C:\Documents and Settings\A\Cookies\a@tribalfusion[1].txt
C:\Documents and Settings\A\Cookies\a@
C:\Documents and Settings\A\Cookies\a@
IBIS Toolbar File Data Miner
C:\WINDOWS\Temp\~398875.5mp
IBIS Toolbar Regkey
HKEY_CURRENT_USER:software\microsoft\mediaplay\controllplaybar\ + 6more
HKEY_CURRENT_USER:software\microsoft\internetexplorer\main*AutoSearch"
IBIS Toolbar Regvalue
HKEY_LOCAL_MACHINE:software\microsoft\windows\currentversion\installer\userdata*TUD"
HKEY_LOCAL_MACHINE:software\microsoft\windows\internetexplorer\main*1EWatsonEnabled"
060413 Spybot results
http://www.safer-networking.org/en/download/index.html
CoolWWWSearch: IE Search page (Registry change, fixed)
HKEY_USERS\S-1-5-21-284587905-1161744426-439199626-1007\Software\Microsoft\Internet Explorer\Main\SearchURL=about:blank
CoolWWWSearch.Smartfinder: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}
WildTangent: Program directory (Directory, fixed)
C:\WINDOWS\wt\wtDRM\
WildTangent: Global settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\WildTangent
WildTangent: Program directory (Directory, fixed)
C:\WINDOWS\wt\wtupdates\
WildTangent: Program directory (Directory, fixed)
C:\WINDOWS\wt\updater\
WildTangent: Program directory (Directory, fixed)
C:\WINDOWS\wt\webdriver\
Windows Security Center.FirewallOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
eBayToolbar.v1: Module usage (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/eBayFile.Fil
eBayToolbar.v1: Log file (File, fixed)
C:\eBay.log
NewsUpdate: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Creative Tech\Software Installed\News
NewsUpdate: Program directory (Directory, fixed)
C:\Program Files\Creative\News\
NewsUpdate: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\CTMARQ.CTMarqCtrl.1
NewsUpdate: Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C1B43B81-8B3C-11D4-B615-00A0C98E9F5B}
WildTangent: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM\ClassPath=...;C:\Program Files\WildTangent\Apps\DRM0302Java.jar...
WildTangent: Program directory (Directory, fixed)
C:\WINDOWS\wt\
NewsUpdate: Class ID (CTMarq Property Page) (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C1B43B82-8B3C-11D4-B615-00A0C98E9F5B}
NewsUpdate: Interface (_DCTMarq) (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C1B43B7F-8B3C-11D4-B615-00A0C98E9F5B}
NewsUpdate: Interface (_DCTMarqEvents) (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C1B43B80-8B3C-11D4-B615-00A0C98E9F5B}
NewsUpdate: Type library (CTMarq ActiveX Control module) (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{C1B43B7E-8B3C-11D4-B615-00A0C98E9F5B}
Marketengines: Tracking cookie (Internet Explorer: A) (Cookie, fixed) ???
Trend Micro HouseCall result names: VIRUSES, GREYWARE & SPYWARE, MALWARE
(VIRUSES, WORMS, TROJANS, etc.)
http://trendmicro.com
http://housecall.trendmicro.com/
http://be.trendmicro-europe.com/consumer/housecall/housecall_launch.php
http://be.trendmicro-europe.com/housecall/v6.5/? scan pg2 (item
descriptions)
SCAN RESULTS:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
060414 Ad-Aware results
060414 6pm Ad-Aware: 2 files: data miner tracking by LIVEPERSON.NET
060414 Spybot results
WildTangent: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM\ClassPath=...;C:\Program Files\WILDTANGENT\Apps\DRM0301Java.jar...
060414 ZoneAlarm Suite results
tracking cookie Win32.Startpage.FU
Virus Tribalfusion
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
060419 JAVA DOWNLOAD: the http://www.java.com/en/download/installed.jsp page
shows a reference to gaming software for your computer
~060419 ZA (sent to ZA, no response)
[Suspicious Behavior: XNeat is attempting to monitor user activities on
this computer. If allowed it may try to track or log keystrokes (user
input), mouse movements/clicks, web sites visited, and other behaviors.]
- Does this mean (since many apps seem to be trying to steal this
information) that I could still use it with firewall protection in place? i.e.
is the application blocked from sending to the internet / CAN I (or DOES ZA)
BLOCK IT as an independent step? Is there a way to check applications in a
different way / on a list / submit app names?.. etc.?
- There seems to be a built-in "keylogger"? in Sun Systems' "JAVA" called
WildTangent. Aside from advice I had received from an outside source to update
it with a new version, with WildTangent running (WildTangent seems to
re-install itself), any ideas? (Re-detectable only with a byte-level scan with
ZA, else the same with the previous apps' scans.)
060425 Trend Micro
TROJ_Generic malware
ADW_SE.131757 greyware/spyware (here / below listed as infections)
ADW_SE.131739 1740 1755 1754 1756 1749 1750
ADW_SE.66593 68189 102384 102386 131751 120660
AFTER TRENDMICRO, REBOOT, STILL HAVE TREND -ACTIVE- ON MY SYSTEM
060425 ZoneAlarm deep scan
XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXX