Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

exploit.realplay.e and trojandownloader.psyme.LS [RESOLVED]

Started by Arkanu , Mar 20 2008 07:53 AM

This topic is locked

#1
Arkanu

Posted 20 March 2008 - 07:53 AM

Member

Member
13 posts

Hello fellows!

First of all, thanks for your help. I'll be posting an hijackthis log since I couldn't download SUPERAntiSpyware. However, I'll try and provide you all the information I have:

Eset NOD32 antivirus detected and quarantined the following (as I can see, exploit.realplay.e and trojandownloader.psyme.LS were found during a hidden connection to the site mentioned below):

20.03.2008 15:22:48 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZF7ZI2P7\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE.
20.03.2008 15:22:46 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 15:22:46 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 15:11:38 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
20.03.2008 15:11:37 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
20.03.2008 15:01:10 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7K6TXJJ4\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe.
20.03.2008 15:01:03 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 15:00:57 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 15:00:57 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:52:08 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\68H5DR0S\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe.
20.03.2008 14:52:08 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:52:07 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:52:05 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:52:05 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:43:31 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZF7ZI2P7\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe.
20.03.2008 14:43:31 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:43:30 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:41:58 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:41:56 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:41:53 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0A48B52W\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe.
20.03.2008 14:41:51 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:41:51 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator

The first thing I did was to remove RealPlayer, but it didn't help, so here is the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:54:39, on 20.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6039 bytes

Thanks again for helping! Please reply ASAP and feel free to request any aditional information you need.

#2
Essexboy

Posted 20 March 2008 - 03:02 PM

GeekU Moderator

Retired Staff
69,964 posts

Hi there I would like to look a little deeper

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#3
Arkanu

Posted 20 March 2008 - 07:01 PM

Member

Topic Starter
Member
13 posts

There seems to be a problem: dss can't perform it's scan - I get the "this program has encoutered a problem and needs to close" message near the end of the scan. I'm sure I closed all the windows - tried running it in safe mode too, with the same result.

Let me be more specific: the first time NOD32 alerted me was while running Yahoo! Messenger. It showed the messages I posted in my first post. Meanwhile, I uninstalled realplayer, uninstalled and then reinstalled Yahoo! Messenger. I didn't get any other alert from NOD32 after doing this but I'm not at all sure that the problem is gone for good. Anyway, my internet connection is fast again and my computer runs much better after what I did so I can now quickly try any fixing detection tool needed.

Thanks for helping, do you know any other tool I could use to give you more information about this?

Edited by Arkanu, 20 March 2008 - 07:05 PM.

#4
Essexboy

Posted 21 March 2008 - 03:59 AM

GeekU Moderator

Retired Staff
69,964 posts

Yep sure can this is a big report so it will need to be attached

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Close ALL OTHER PROGRAMS.
Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Check the box that says Scan All User Accounts
Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
Under Additional Scans check the following:
- File - Additional Folder Scans
- File - Purity Scan
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#5
Arkanu

Posted 21 March 2008 - 04:09 AM

Member

Topic Starter
Member
13 posts

Ok, I did everything exactly as you said. Here is the log file you requested.

OTScanIt.Txt 296.1KB 71 downloads

#6
Essexboy

Posted 21 March 2008 - 04:28 AM

GeekU Moderator

Retired Staff
69,964 posts

Well that looked noce and clean - one final sweep on the other areas not covered

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

#7
Arkanu

Posted 21 March 2008 - 04:58 AM

Member

Topic Starter
Member
13 posts

Hi again

It found only two infected items:
Files Infected:
C:\WINDOWS\system32\Services.cpi (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Services.cpl (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

It didn't request any reboot so I guess everything is clean now. Please let me know if you feel I should run any other test.
Thank you very much for helping, you did a great job!

#8
Essexboy

Posted 21 March 2008 - 06:36 AM

GeekU Moderator

Retired Staff
69,964 posts

Ok lets secure you so you won't get the byte verify and exploit problem again

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and save it to your desktop.
Scroll down to where it says "JJava Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.

THEN

Now the best part of the day ----- Your log now appears clean

Double click OTScanit once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTScanit wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself. MBAM can be rmoved via the Add/remove programme

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:

SpywareBlaster to help prevent spyware from installing in the first place.
SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Keep safe

#9
Arkanu

Posted 21 March 2008 - 03:22 PM

Member

Topic Starter
Member
13 posts

I did exactly what you said and I also installed Zone Alarm Pro as a firewall. In addition to that, I've checked and got all the recent updates. Hope that's gonna keep me clean for a long time

Thanks again for helping!

#10
Essexboy

Posted 21 March 2008 - 04:07 PM

GeekU Moderator

Retired Staff
69,964 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

#11
Arkanu

Posted 22 March 2008 - 12:26 PM

Member

Topic Starter
Member
13 posts

Yeah...same problem
Yesterday I thought installing a fresh copy of windows and adding the protection would be better, so I did that. I formated the partition and installed a new copy of windows (with the network cable unplugged). I then installed NOD32 and the adware solutions you suggested above.
Whenever I use yahoo messenger (downloaded from messenger.yahoo.com) or use IE it seems IE tries to connect to 791224.com/r.htm, or 06014.htm or lz.htm
At the moment I'm trying the online scanner from kaspersky but it's downloading extremely slow.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:04 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Last.fm\LastFM.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 3953 bytes

Thanks...

#12
Essexboy

Posted 22 March 2008 - 12:35 PM

GeekU Moderator

Retired Staff
69,964 posts

Are you using a slipstreamed copy of windows ? The reason I ask is this

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')

OK we will start off this time with an online scan

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Follow the Instruction Here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

#13
Arkanu

Posted 22 March 2008 - 12:40 PM

Member

Topic Starter
Member
13 posts

It might be since it isn't my own cd. Meanwhile, the kaspersky scan failed so I started a bitdefender one. The program failed in deleting the infected files but I will attach/post the scan log as soon as it finishes scanning. After that, I will try F-Secure.

#14
Arkanu

Posted 22 March 2008 - 06:02 PM

Member

Topic Starter
Member
13 posts

Glad to be back again

Sorry for the double posting, here is the log:

Scanning Report
Sunday, March 23, 2008 01:05:39 - 02:01:11

Computer name: NONE-3A70F27D10
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ E:\
Result: 4 malware found
HTML/Exploit!IFrame.G (virus)

* C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CHEJGD67\791224[1].HTM (Submitted)
* C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XARCXA7\791224[1].HTM (Submitted)

Trojan:W32/Agent.EDP (virus)

* System
* C:\WINDOWS\SYSTEM32\FYPEME.EXE

Statistics
Scanned:

* Files: 67320
* System: 2517
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 4
* Submitted: 2

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CMDOW.EXE
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-03-21
* F-Secure AVP: 7.0.171, 2008-03-21
* F-Secure Pegasus: 1.20.0, 2008-02-20
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

And another one found as I installed f-secure on my computer:

Computer name: NONE-3A70F27D10
Scanning type: Scan target
Target: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CHEJGD67\lz[1].0tm
Result: 1 malware found
HTML/IFrameBoF (virus)

* C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CHEJGD67\lz[1].0tm Action: deleted

It looks like my system wasn't as clean as I thought...should I do another thing?

Edited by Arkanu, 22 March 2008 - 06:29 PM.

#15
Essexboy

Posted 23 March 2008 - 06:46 AM

GeekU Moderator

Retired Staff
69,964 posts

What we have here is either you are going to a hacked site or one of the slipstreamed files is infected. I also note you have IE6 I would recommend Upgrading to IE7 as it is more secure. This will not beat us

Especially as this is a clean install

So lets go on a killing spree and see what results

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CHEJGD67
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XARCXA7
C:\WINDOWS\SYSTEM32\FYPEME.EXE

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
Purity
```
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

THEN

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.