Trojan-Spy.HTML.Smitfraud.c



#16 derukureetsu (Member, Topic Starter, 25 posts)
Okay, I'm rebooting into normal mode, as you just mentioned that I should only remove those which I can find, which is none of them. ^^''

#17 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
You did mention you ran a lot of scanners, so that is very well possible that they were already removed.

Makes it easier for us. :tazz:

Regards,

#18 derukureetsu (Member, Topic Starter, 25 posts)
Okay, cool. ;)

I'll keep you updated if I get any more problems. :tazz:

Thanks a lot!

Deru

#19 derukureetsu (Member, Topic Starter, 25 posts)
Almost finished...just rebooting after deleting the System folder. ^^ Thanks yet again! :tazz:

#20 derukureetsu (Member, Topic Starter, 25 posts)
With the Cleanup...does it delete Cookies?

#21 derukureetsu (Member, Topic Starter, 25 posts)
Here it is!

Logfile of HijackThis v1.99.1
Scan saved at 10:30:38 PM, on 4/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\mysql\bin\mysqld.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\ATC\Web\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: prjBHO_New.CBrowserHelpObj - {A2E1AE65-BB68-11D6-B1B2-96787719A248} - C:\Program Files\SimCastMedia\SimCast\prjBHO.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe

Thanks,

Deru

#22 derukureetsu (Member, Topic Starter, 25 posts)
Oh yea, the tabs for the display appeared again and I changed my desktop to the one I had before. :)

Edited to add:
AKA, there seem to be no more errors, no pop-ups, no blank pages, and no desktop wallpaper changes. :tazz: Great work! ;)

Though, I'm still not sure if it would happen again, etc, or there is something that I have overlooked. ;)

Edited by derukureetsu, 30 April 2005 - 06:40 AM.


#23 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here please, along with the new HijackThis log.

I'll be off for about an hour or so, if you get bored, follow the link in my signature. :tazz:

Regards,

#24 derukureetsu (Member, Topic Starter, 25 posts)
WOW! AVG Resident Shield just detected like a million trojan horses. >.<

#25 derukureetsu (Member, Topic Starter, 25 posts)
Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 04/30/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\HWIN32.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 6439-DEE6

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 6439-DEE6

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».

#26 derukureetsu (Member, Topic Starter, 25 posts)
If you've already left...well...I have to go now, 'cause it's 10.49pm and I have to wake up at 5:30am tomorrow morning.

Thank you for your help and I'll check back tomorrow.
:tazz:

#27 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
One thing I'd like you to do is have this file scanned:
C:\WINDOWS\HWIN32.DLL
at http://virusscan.jotti.org/

I'd like to know the results.

Regards,

#28 derukureetsu (Member, Topic Starter, 25 posts)
Here are the results! Seems like it is still there.

File: HWIN32.DLL
Status: INFECTED/MALWARE
MD5 66a2da7eb67ce4ce5fb89fc75cd7e40f
Packers detected: UPX
Scanner results
AntiVir Found PMS/Hidd.B possible malicious software
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.NtRootKit.23
F-Prot Antivirus Found security risk or a "backdoor" program
Fortinet Found W32/HideProc.C-tr
Kaspersky Anti-Virus Found HackTool.Win32.Hidd.b
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Delf.VN
VBA32 Found nothing


Thanks,
Deru

#29 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

Troj/HideProc-C is a DLL used for hiding processes.

Malicious software may install Troj/HideProc-C in order to prevent itself from being listed by the Windows Task Manager.


Run Killbox, choose Delete on reboot and select:
C:\WINDOWS\HWIN32.DLL

Let your computer reboot and post a new HijackThis log.
We'll see if and what it was hiding.

Regards,
  • 0
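
Added example (not part of the original thread, and not the code of FindIt's or Jotti): a triage script that reports the kind of packer indicator seen above, where FindIt's listed `* UPX! C:\WINDOWS\HWIN32.DLL` and Jotti reported "Packers detected: UPX". The function names are hypothetical, the sample bytes are constructed, and treating "UPX!" as a marker string found near the PE headers is an assumption.

```python
import struct
from pathlib import Path

UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}

def pe_section_names(data: bytes) -> list:
    """Section names from a PE header; [] if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    count, = struct.unpack_from("<H", data, e_lfanew + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    names = []
    for off in range(table, table + 40 * count, 40):
        if off + 40 > len(data):          # truncated or malformed section table
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names

def upx_indicators(data: bytes) -> list:
    """Packer indicators for triage; a hit means 'packed', not 'malicious'."""
    names = pe_section_names(data)
    hits = ["section " + n for n in names if n in UPX_SECTIONS]
    if names and b"UPX!" in data[:4096]:  # assumption: marker sits near the headers
        hits.append("UPX! marker")
    return hits

def scan_dir(root: str, patterns=("*.dll", "*.exe")) -> dict:
    """Map each PE file directly under root that shows UPX indicators to its hits."""
    found = {}
    for pattern in patterns:              # glob is case-sensitive on non-Windows hosts
        for path in Path(root).glob(pattern):
            try:
                with path.open("rb") as fh:
                    hits = upx_indicators(fh.read(8192))  # headers are enough
            except OSError:               # locked or unreadable file: skip it
                continue
            if hits:
                found[str(path)] = hits
    return found

def constructed_pe(section_names, marker=b"") -> bytes:
    """Constructed sample: header-only PE with the given section names (not loadable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x2102)
    return dos + coff + b"".join(n.encode().ljust(40, b"\0") for n in section_names) + marker
```

Legitimate software is also packed with UPX, which is why the FindIt's output warns that legitimate files can show up and why the file was sent to a multi-scanner before anything was deleted.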

#30 derukureetsu (Member, Topic Starter, 25 posts)
Okay. I'll get back to this tomorrow, or maybe in 2hrs or so, because I'm currently really busy.

Thanks for your help throughout!

Deru