
Really Bad Trojan And Virus, Win32, Smitfraud & More (part 2)


#1 sadpuppy


Posted 13 August 2007 - 05:30 PM

Hi Guys,

After a few days clean they came back. I didn't surf the web much, only a few anime sites which I have been using for years.
I noticed a little lag this morning, and then Windows Firewall asked me to accept Internet Explorer (which I never use anymore).
I accidentally accepted it and then Task Manager was filled with those trojan exes again. I quickly cut the net and did a System Restore, which RichieUK helped me with.
I just did a scan with DrWebCureIt and found a lot of nasties.

I also need help on programs to help me keep safe, something that can give me 24-hour protection. I have read about Provention but I'm still not 100% sure which one.

My previous thread: http://www.bleepingcomputer.com/forums/t/103388/really-bad-trojan-and-virus-win32-smitfraud-more-keep-coming-back/

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:10 PM, on 13/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182445661078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182445618406
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5887 bytes


Dr.Web CureIt log:

_ser.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.Popuper;Deleted.;
cpush.tmp;C:\Program Files\Common Files\CPUSH;Adware.Sogou;Incurable.Moved.;
A0028540.dll;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;Adware.Sogou;Incurable.Moved.;
A0028555.exe\data001;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81\A0028555.exe;Trojan.Inject.357;;
A0028555.exe;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;Archive contains infected objects;Moved.;
A0028558.exe;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;Trojan.Resun;Deleted.;
A0028561.dll;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;Trojan.DownLoader.29398;Deleted.;
A0028562.exe;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;Trojan.DownLoader.29398;Deleted.;
A0028605.exe;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;Trojan.Inject.357;Deleted.;
A0028606.dll;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;Adware.Sogou;Incurable.Moved.;
A0028607.dll;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;BackDoor.Rpcs;Incurable.Moved.;
A0028609.exe;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;BackDoor.Rpcs;Deleted.;
A0028610.dll;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;Adware.Baidu;Incurable.Moved.;
A0028611.dll;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81;Trojan.DownLoader.29398;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP81\snapshot;Adware.Sogou;Incurable.Moved.;
6b581.txt;C:\WINDOWS;Trojan.Popuper;Deleted.;
KB908023.log;C:\WINDOWS;Adware.QQHelp.577;Incurable.Moved.;
647e1(2).exe;C:\WINDOWS\system32;Trojan.Popuper;Deleted.;
serverhelp.dll.tmp;C:\WINDOWS\system32;Adware.Baidu;Incurable.Moved.;

Edited by sadpuppy, 13 August 2007 - 05:33 PM.
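The Dr.Web CureIt report above is semicolon-delimited (object;directory;threat;action;), with archive members listed as object\member and an empty action. The following parser is an added example, not part of the original thread; it separates hits found inside System Restore snapshots from hits that were live on disk, using sample lines constructed from the posted log.

```python
"""Summarise a Dr.Web CureIt report (added example, not from the thread)."""
from collections import Counter

# Constructed sample: a subset of the lines from the posted CureIt log.
SAMPLE_LOG = """\
_ser.exe;C:\\Documents and Settings\\Owner\\Local Settings\\Temp;Trojan.Popuper;Deleted.;
A0028555.exe\\data001;C:\\System Volume Information\\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\\RP81\\A0028555.exe;Trojan.Inject.357;;
A0028555.exe;C:\\System Volume Information\\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\\RP81;Archive contains infected objects;Moved.;
A0028607.dll;C:\\System Volume Information\\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\\RP81;BackDoor.Rpcs;Incurable.Moved.;
647e1(2).exe;C:\\WINDOWS\\system32;Trojan.Popuper;Deleted.;
serverhelp.dll.tmp;C:\\WINDOWS\\system32;Adware.Baidu;Incurable.Moved.;
"""

# Anything under this directory is an old System Restore snapshot, not an active file.
RESTORE_DIR = "\\system volume information\\_restore"


def parse_line(line):
    """Split one report line; nested archive members carry an empty action."""
    parts = line.rstrip("\r\n").split(";")
    if len(parts) < 4:
        raise ValueError(f"malformed CureIt line: {line!r}")
    obj, directory, threat, action = parts[:4]
    return {
        "object": obj,
        "directory": directory,
        "threat": threat,
        "action": action.rstrip("."),  # 'Incurable.Moved.' -> 'Incurable.Moved'
        "in_restore_point": RESTORE_DIR in directory.lower(),
    }


def summarise(text):
    """Count detections by location, action and threat family."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    live = [e for e in entries if not e["in_restore_point"]]
    return {
        "total": len(entries),
        "in_restore_points": sum(e["in_restore_point"] for e in entries),
        "live_on_disk": [(e["directory"], e["object"], e["threat"]) for e in live],
        "by_action": Counter(e["action"] or "(archive member)" for e in entries),
        "families": Counter(e["threat"].split(".")[0] for e in entries),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['total']} detections, {s['in_restore_points']} inside System Restore snapshots")
    for d, o, t in s["live_on_disk"]:
        print(f"  live: {d}\\{o}  ->  {t}")
    print("actions:", dict(s["by_action"]), "families:", dict(s["families"]))
```

Run on the full posted log, the split shows that most hits sit in the RP81 snapshot rather than in live system directories, which is the kind of distinction a reviewer makes before deciding whether a machine is still actively infected.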



#2 OldTimer


    Malware Expert



Posted 26 August 2007 - 09:48 AM

Hello sadpuppy and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean. Performing a system restore might have taken care of whatever issues were occurring.

Just to be on the safe side, let's do one other scan and see if anything shows up.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Cheers.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
