# Trojan.Malscript!html



## Unlucky_Pete (Aug 31, 2008)

While reading some articles on some websites today my Norton Internet Security alerted me that Auto-Protect has detected and blocked Trojan.Malscript!html.

This was followed by another pop-up with the same message and then another, and another, and another... etc.

Since the pop-ups didn't appear until I started reading from kongming.net I decided to close this window and see if the pop-ups would continue. The pop-ups stopped. I checked my Norton history which listed all of the blocked attacks and checked the recommended action. According to Norton the problem is "resolved" and no action is required. However, I'm feeling a little paranoid about this, especially since this is four attempted attacks in a row with a virus; so I'd like any advice, information, or opinions regarding this.

Is it possible that my computer is already infected without my knowledge and are there any precautions or procedures I should take into consideration? Any and all advice would be appreciated.

- Unlucky Pete


----------



## Cookiegal (Aug 27, 2003)

That's an alert for an embedded JavaScript that will redirect you to a malicious site, so it may be that the site you were visiting has had their URL compromised.

Norton's logs should tell you where you were being redirected. Can you get that information please?


----------



## Cookiegal (Aug 27, 2003)

Also what browser (and version) are you using?


----------



## Unlucky_Pete (Aug 31, 2008)

The log doesn't show where I was going to be redirected but it does have the file name:

c:\documents and settings\owner\local settings\temporary internet files\content.ie5\0b7jy8p5\p[1].css

Norton gives this "high" severity.

As for my browser, it is IE ver. 6.0.

I hope this helps.


----------



## Cookiegal (Aug 27, 2003)

You should really use a more secure browser, either upgrade to IE8 or use Firefox with the No-Script add-on.

Go to *Start* - *Run* and copy and paste the following then click OK:

*shell:cache\content.ie5*

This should open your *content.ie5* folder. Select the following folder and click delete:

*0b7jy8p5*

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

Then reboot and post a new HijackThis log please.


----------



## Unlucky_Pete (Aug 31, 2008)

Just out of curiosity, what does the "*0b7jy8p5*" folder do and will deleting this folder have any effect on my computer?


----------



## Cookiegal (Aug 27, 2003)

Content.ie5 is part of your temporary Internet files and the folders it contains (not the Content.ie5 folder) can be safely deleted.


----------



## Unlucky_Pete (Aug 31, 2008)

Sorry for the very late reply but my schedule has been crazy and I haven't had the chance to try this out yet. During the few moments I got to use the computer, I haven't had any more alerts, I hope this is a good sign. I will follow the instructions below on the weekends if I can and post a HijackThis log on this thread.

Thank you.


----------



## Cookiegal (Aug 27, 2003)

OK. Thanks for letting me know.


----------



## Unlucky_Pete (Aug 31, 2008)

A strange thing happened: I tried finding *0b7jy8p5* in order to delete it but could not find it. In fact there was only one item in the content.ie5 folder (I can't remember its name). A few minutes ago I logged in here to mention this, but decided to try it one more time, since I wasn't sure if that one item in the folder was of any importance. This time I got about twelve items inside the folder and *0b7jy8p5* was at the very top of the list!

I wasn't connected to the internet the first time I tried this, so that might have been the cause of it, but it still seems very strange to me.

Below is a pasted copy of my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:29 PM, on 18/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5792372C-7F09-4827-83B9-B2855B0608C4}: NameServer = 204.174.64.1 204.174.65.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5792372C-7F09-4827-83B9-B2855B0608C4}: NameServer = 204.174.64.1 204.174.65.1
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 5145 bytes

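To make the kind of log review Cookiegal does in the next reply reproducible, here is an added Python example (not code from the thread, and not part of HijackThis itself) that parses the R/O entries of a HijackThis 2.0.2 log into structured records: O4 autostart entries (flagging commands that are not given as an absolute path and so must be located by hand), COM-registered IE extensions with their CLSIDs (O2/O3/O9/O18), DNS servers from O17, and services from O23. The embedded sample log is constructed from a subset of the lines quoted in the post above; the function names (parse_hjt, run_entries, and so on) are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis 2.0.2 log lines quoted in the thread above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca4.hpwis.com/
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O17 - HKLM\System\CCS\Services\Tcpip\..\{5792372C-7F09-4827-83B9-B2855B0608C4}: NameServer = 204.174.64.1 204.174.65.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5792372C-7F09-4827-83B9-B2855B0608C4}: NameServer = 204.174.64.1 204.174.65.1
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
--
End of file - 5145 bytes
"""

# "R0 - ..." / "O4 - ..." entry lines; the header and the process list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 registry autostarts look like: HKLM\..\Run: [Name] command
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_hjt(text):
    """Group entry bodies by section code, e.g. {"O4": [...], "O17": [...]}."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m["code"]].append(m["body"])
    return dict(sections)


def run_entries(sections):
    """O4 entries as (hive, key, name, command); non-registry forms such as
    Startup-folder items are returned with hive/key/name set to None."""
    out = []
    for body in sections.get("O4", []):
        m = RUN_RE.match(body)
        if m:
            out.append((m["hive"], m["key"], m["name"], m["command"]))
        else:
            out.append((None, None, None, body))
    return out


def unqualified_run_commands(sections):
    """Autostart commands that are not an absolute drive path. These are resolved
    through the search path (or are rundll32 stubs), so a reviewer cannot tell
    from the log alone which file actually runs and should locate it by hand."""
    return [cmd for _, _, name, cmd in run_entries(sections)
            if name is not None and not ABS_PATH_RE.match(cmd)]


def clsid_entries(sections, codes=("O2", "O3", "O9", "O18")):
    """(code, name, CLSID, path) for COM-registered IE extensions (BHOs, toolbars,
    extra buttons, protocol handlers). CLSIDs are normalised to upper case."""
    out = []
    for code in codes:
        for body in sections.get(code, []):
            m = CLSID_RE.search(body)
            if not m:
                continue
            name = body[:m.start()].rstrip(" -").split(": ", 1)[-1]
            path = body[m.end():].lstrip(" -")
            out.append((code, name, m.group(0).upper(), path))
    return out


def nameservers(sections):
    """Distinct DNS servers from O17 entries, in order of first appearance; the
    reviewer compares them with the ISP's or router's real resolvers, since an
    altered resolver is one way a machine gets redirected silently."""
    found = []
    for body in sections.get("O17", []):
        m = NS_RE.search(body)
        if m:
            for ip in m["servers"].split():
                if ip not in found:
                    found.append(ip)
    return found


def services(sections):
    """O23 entries as (service name, vendor, path)."""
    out = []
    for body in sections.get("O23", []):
        rest = body.split(": ", 1)[1] if ": " in body else body
        parts = rest.split(" - ", 2)
        if len(parts) == 3:
            out.append(tuple(parts))
    return out


if __name__ == "__main__":
    s = parse_hjt(SAMPLE_LOG)
    print({code: len(v) for code, v in s.items()})
    print("check by hand:", unqualified_run_commands(s))
    print("DNS:", nameservers(s))
    for entry in clsid_entries(s):
        print(entry)
```

Running it on a full log gives a per-section count, the list of autostart commands that need manual lookup, the configured DNS servers, and every extension with its CLSID and on-disk path, which is the same information Cookiegal works through by eye before concluding there is nothing serious and recommending that MarketBrowser be uninstalled.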

----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click *mbam-setup.exe* to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## Unlucky_Pete (Aug 31, 2008)

Once again I'm sorry for the late reply. Things seem to just keep coming up!

I did however manage to find some time today upon returning home to look up Malware Bytes. I've heard that NIS 2009 sometimes conflicts with other anti-virus/anti-spyware programs, so I thought it would be worth checking out.

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=47219

If it is safe to run with Norton, I should be able to post the results by Monday.

Also I was wondering if there was anything suspicious looking in my HijackThis Log that I should be worried about.

Thank you for your patience.

- Unlucky Pete


----------



## Cookiegal (Aug 27, 2003)

There is nothing serious in the log. I would uninstall MarketBrowser though via the Control Panel - Add/Remove programs.

It's safe to run Malwarebytes with NIS installed.


----------



## Unlucky_Pete (Aug 31, 2008)

Okay, here's the MalwareBytes log file.

Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## Cookiegal (Aug 27, 2003)

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses Java technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

*JRE 6 Update 14*

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked:
*Spyware, Adware, Dialers, and other potentially dangerous programs*
*Archives*
*Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## Unlucky_Pete (Aug 31, 2008)

I'm really sorry for the delay but I've been finding it next to impossible to get onto the computer for long. Since it is hardly fair to continuously make you wait like this, I think I will deal with this at some other point in the future (probably in another thread if this one gets locked).

I'd like to thank you for all of your help and for your patience.

- Unlucky Pete


----------



## Cookiegal (Aug 27, 2003)

This one will automatically close after 45 days of inactivity but you can click on the report button to have it reopened if you wish to continue after it's closed.


----------

