Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Really sneaky infection

Started by mekilljoo , Dec 30 2004 03:37 AM

  • Please log in to reply

#1
mekilljoo
Posted 30 December 2004 - 03:37 AM

mekilljoo

    New Member

  • Member
  • Pip
  • 2 posts
Ok so I recently booted up my computer to find a fake microsoft security warning telling me that I had a "Possible spyware infection". The page was well made and even had fake microsoft warnings. It was all done in the style of the Security Center. I quickly ran hijack this which revealed no abnormalities in the registry entries, but suspicious programs occasionally begin running(often up to 15 minutes after startup). Hijack this log is as follows:

Logfile of HijackThis v1.99.0
Scan saved at 1:34:42 AM, on 12/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\taskopen.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.turnitin.com
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe


The computer will act totally normal, then randomally a spyware program will load and popups will be displayed. Spybot and Ad-Aware detect nothing. BitDefender detects numerous trojans in Java.

The bitdefender log is:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-13478d8d-13648a6c.class: infected with Java.Trojan.ClassLoader.K
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-16f9f9b-6b8198f5.class: infected with Java.Trojan.ClassLoader.K
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-18e40133-3e086755.class: infected with Trojan.Java.ClassLoader.C
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-1b4842bc-37ff3002.class: infected with Trojan.Java.ClassLoader.C
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-33488af8-19e92fc5.class: infected with Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-3626833c-60974975.class: infected with Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-5d1bbb39-45c058f8.class: infected with Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-222c8acf-1bdab4d1.class: infected with Trojan.Java.ClassLoader.D
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4ae9b430-7cb2875f.class: infected with Trojan.Java.ClassLoader.D
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-65d09445-5237433b.class: infected with Trojan.Java.ClassLoader.D
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-690bea91-16cacdd1.class: infected with Trojan.Java.ClassLoader.D
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-70bda4ef-132f390e.class: infected with Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-ecf18a8-181e820e.class: infected with Trojan.Java.ClassLoader.D
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-39f96a7-5501dfce.class: infected with Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-4953e328-1414094b.class: infected with Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-5b66cfeb-6a894413.class: infected with Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\in_s.class-295d7f3a-5e67e7e6.class: infected with Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-240b12c5.class: infected with Trojan.Downloader.Small.WV
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-1cd1453e-4c87ce56.class: infected with Trojan.Exploit.Java.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-2578fac6-1df7519a.class: infected with Trojan.Exploit.Java.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-39d9577b-1b693915.class: infected with Java.Trojan.Femad.A
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-3dd72467-3001cc8e.class: infected with Trojan.Exploit.Java.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-430cff25-387f50e5.class: infected with Trojan.Exploit.Java.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-4c19219b-7a8f3aaf.class: infected with Trojan.Exploit.Java.Bytverify
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-6a65fe-3322aaa7.class: infected with Java.Trojan.Femad.A
C:\Documents and Settings\Nick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-98a2fba-58e4c6ae.class: infected with Java.Trojan.Femad.A
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\2ZYJIHQJ\codepro[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\2ZYJIHQJ\counter[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\2ZYJIHQJ\src5[1].htm: infected with JS.Bofra.A
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\3XB9K0QD\counter[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\G393EEBD\adv254[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\G393EEBD\adv254[1].htm: disinfection failed
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\G393EEBD\adv413[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\G393EEBD\adv413[1].htm: disinfection failed
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\LIZH3SW4\[bleep][1].htm: suspect Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\LIZH3SW4\counter[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\LN73DLSA\exploit[1].htm: infected with VBS.Trojan.Psyme.V
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\MXJOXSBM\1[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\MXJOXSBM\stats[1].htm: suspect Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\QP9E3IH0\1[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\QP9E3IH0\index[2].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\QP9E3IH0\stats[1].htm: suspect Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\RYWRJLWD\juk1[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\RYWRJLWD\wow[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\VVTJV1SK\installer[1].htm: infected with JS.Exploit.DialogArg.B
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\WFFJEOXL\in[1].htm: infected with Exploit.ADODB.StreamDrop.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\WFFJEOXL\x[2].htm: suspect Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\WPK5QJK5\1[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\X7V77W46\in[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\YHKR65YH\files[1].htm: infected with Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\YHKR65YH\x3[1].htm: infected with Exploit.Html.MhtRedir.Gen
  • 0

Advertisements

#2
mekilljoo
Posted 30 December 2004 - 03:46 AM

mekilljoo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
ooh and i just found so more juice stuff. I found "menu.txt" contianing:
[Hotspots]
Party poker http://www.girlsforg...p?g=Party poker
Viagra http://www.trustedph...said=t&q=viagra
Spyware unistall http://www.findspywa...pyware unistall
Domain registration http://www.fastsearc...in registration
Online gambling http://www.fastsearc...Online gambling
Webhosting http://www.fastsearc...hp?q=Webhosting
Adware http://www.findspywa...said=t&q=Adware
Online Pharmacy http://www.trustedph...Online Pharmacy
Carisoprodol http://www.trustedph...&q=Carisoprodol
Phentermine online http://www.trustedph...ntermine online
Xanax http://www.trustedph...?said=t&q=Xanax

[Remove Toolbar]
Remove Toolbar http://www.fastsearc...lbar/remove.php

[Gambling]
Party Poker http://www.girlsforg...p?g=Party poker
Texas holdem http://fastsearchweb...?q=Texas holdem
Roulette http://fastsearchweb....php?q=Roulette
Play Poker http://www.girlsforg...hp?g=Play Poker
Online gambling http://fastsearchweb...Online gambling
Casino http://fastsearchweb...rh.php?q=Casino
Play blackjack http://fastsearchweb...=Play blackjack
Slots http://fastsearchweb...srh.php?q=Slots
Adult poker http://www.girlsforg...p?g=Party poker
Craps http://fastsearchweb...srh.php?q=Craps

[Internet]
Web Hosting http://fastsearchweb...p?q=Web Hosting
Domain name registry http://fastsearchweb...n name registry
Bonus Server http://fastsearchweb...rh.php?q=Server
Merchant account http://fastsearchweb...erchant account
Voice mail http://fastsearchweb...hp?q=Voice mail

[Pharmacy]
Online Pharmacy http://www.trustedph...Online Pharmacy
Phentermine http://www.trustedph...t&q=Phentermine
Carisoprodol http://www.trustedph...&q=Carisoprodol
Hydrocodone http://www.trustedph...t&q=Hydrocodone
Valium http://www.trustedph...said=t&q=Valium
Xanax http://www.trustedph...?said=t&q=Xanax
Viagra http://www.trustedph...said=t&q=viagra
Cialis http://www.trustedph...said=t&q=Cialis
Fioricet http://www.trustedph...id=t&q=Fioricet

[Finance]
Make Money http://fastsearchweb...erchant account
Work at home http://fastsearchweb...?q=Work at home
Nevada incorporation http://www.fastsearc...a incorporation
Rv Finance http://www.fastsearc...hp?q=Rv Finance
Rv Loan http://www.fastsearc...h.php?q=Rv Loan
Plainum Visa http://www.fastsearc...?q=Plainum Visa
Merchant account http://www.fastsearc...erchant account
Mortgage for bad credit http://www.fastsearc... for bad credit
Cash Loans Online http://www.fastsearc...sh Loans Online
Bad Credit http://www.fastsearc...hp?q=Bad Credit
Credit card debt consolidation http://www.fastsearc...t consolidation
Personal Loan http://fastsearchweb...q=Personal Loan
Mortgage Rate http://fastsearchweb...q=Mortgage Rate
Cash loan http://fastsearchweb...php?q=Cash loan

[Insurance]
Cheapest Car Insurance http://fastsearchweb...t Car Insurance
Individual health insurance http://fastsearchweb...ealth insurance
Auto Insurance http://fastsearchweb...=Auto Insurance
Online auto insurance quote http://fastsearchweb...insurance quote
Health Insurance http://fastsearchweb...ealth Insurance
Boat Insurance http://fastsearchweb...=Boat Insurance
Life Insurance online http://fastsearchweb...nsurance online
Motorcycle insurance http://fastsearchweb...cycle insurance
Renters insurance http://fastsearchweb...nters insurance

[Adult]
Personal photos http://www.personal-...l photos&said=t
Poker with girls http://www.girlsforg...p?g=Party poker
Free online dating http://www.personal-...=Dating Service
Web Cam http://www.girlsforg...t.php?q=Web Cam
Adult Movies http://www.girlsforg...?q=Adult Movies
Fetish http://www.girlsforg...lt.php?q=Fetish
Interracial http://www.girlsforg...p?q=Interracial
XXX dvd http://www.girlsforg...t.php?q=XXX dvd
Asian sex http://www.girlsforg...php?q=Asian sex
Gay http://www.girlsforg...adult.php?q=Gay
  • 0

#3
admin
Posted 30 December 2004 - 10:41 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Welcome mekilljoo. I'm pretty sure this is the culprit:

C:\WINDOWS\system32\taskopen.exe

Please submit the file here, and reply with the results:
http://www.kaspersky.com/scanforvirus
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP