Wilders Security Forums  
#1
June 3rd, 2004, 10:38 AM
Crimsonedge
Infrequent Poster
Join Date: Jun 2004
Posts: 3
Dropper.small.5.u ...and others.

After I went to bed last night, my girlfriend used the computer, and woke me up this morning telling me that the computer was messed up. (not my ideal start to the morning!!! lol)

Anyway, it turns out that she was happily browsing the web, when all of a sudden, she clicked on a link to a webpage, and chaos ensued.

To cut a long story short, I've spent all morning trying to repair the damage...

The Internet Explorer start page has been hijacked, and I suspect that this may be something to do with the fact that when my girlfriend clicked that link, AVG 6 Free Edition's Resident Shield started reporting a succession of viruses/trojans/downloaders... I can't seem to find any details of the hijack on Google, nor on any other search engine. AVG has no info available for them, and searching for them in these forums produces no results.

Can anybody identify these names for me, or otherwise help me repair this machine? A couple of files were healed, but most of them have been moved to the virus vault...

C:\X.exe - Downloader.small.bg

C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\6PQIA2UD\CHILD_~1.EXE - Downloader.Small.4.BB

C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\I1BC4NXY\MSITS_~1.EXE - backdoor.jeemp.a

C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\I1BC4NXY\PAGE_1~1.HTA - dropper.inor.j

C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\YZRJKCV5\MSTASK~1.TXT - PSW.Banker.N
C:\WINDOWS\MSTASKS1.EXE - PSW.Banker.N

C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\YZRJKCV5\SEKSDI~1.EXE - Dialer.7.B
C:\WINDOWS\SEKSDI~1.EXE - Dialer.7.B

C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\YZRJKCV5\SETUP_~1.EXE - Downloader.Small.5.BH
C:\Program Files\Internet Explorer\SETUP.EXE - Downloader.Small.5.BH

C:\Documents and Settings\RHIA\DESKTOP\SYSTEM~1.REN - Trojan horse Startpage.6.T

C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\QRATCV5X\LOAD_1~1.EXE - Trojan horse Downloader.Harnig.L
C:\WINDOWS\Downloaded Program Files\LOAD.EXE - Trojan horse Downloader.Harnig.L

C:\WINDOWS\MSTASKS4.EXE - Trojan Horse collected.z

C:\WINDOWS\SYSTEM.EXE - Trojan horse Startpage.6.U

C:\WINDOWS\SYSTEM32\WINTIME.EXE - Trojan horse Dropper.Small.5.U

So there you have it. A long list of things that I can't find any information on.

I do believe, though, that my startpage hijack is the result of the file "system.exe", but I can't be sure. There are 6 reappearing registry entries referring to the page I am hijacked to.

Any help would be greatly appreciated.

Many thanks,
Crimsonedge

Last edited by Crimsonedge : June 3rd, 2004 at 12:09 PM. Reason: removed request to move thread to correct forum
#2
June 3rd, 2004, 10:59 AM
Crimsonedge
Infrequent Poster
Join Date: Jun 2004
Posts: 3
Re: Dropper.small.5.u ...and others.

Oh, and here's a list of my active connections....

C:\Documents and Settings\Rhia>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP brigid:epmap brigid:0 LISTENING
TCP brigid:microsoft-ds brigid:0 LISTENING
TCP brigid:1025 brigid:0 LISTENING
TCP brigid:1026 brigid:0 LISTENING
TCP brigid:1032 brigid:0 LISTENING
TCP brigid:1049 brigid:0 LISTENING
TCP brigid:1053 brigid:0 LISTENING
TCP brigid:1054 brigid:0 LISTENING
TCP brigid:1056 brigid:0 LISTENING
TCP brigid:1058 brigid:0 LISTENING
TCP brigid:1061 brigid:0 LISTENING
TCP brigid:1062 brigid:0 LISTENING
TCP brigid:1063 brigid:0 LISTENING
TCP brigid:1242 brigid:0 LISTENING
TCP brigid:1461 brigid:0 LISTENING
TCP brigid:3154 brigid:0 LISTENING
TCP brigid:3308 brigid:0 LISTENING
TCP brigid:3311 brigid:0 LISTENING
TCP brigid:3386 brigid:0 LISTENING
TCP brigid:5000 brigid:0 LISTENING
TCP brigid:6699 brigid:0 LISTENING
TCP brigid:1031 brigid:0 LISTENING
TCP brigid:1031 cracks.am:1032 ESTABLISHED
TCP brigid:1032 cracks.am:1031 ESTABLISHED
TCP brigid:3385 brigid:0 LISTENING
TCP brigid:3385 cracks.am:3386 ESTABLISHED
TCP brigid:3386 cracks.am:3385 ESTABLISHED
TCP brigid:1049 220-245-10-254-vic.tpgi.com.au:6699 ESTABLISHED

TCP brigid:1053 host190-196.pool80117.interbusiness.it:8888 ESTABLISHED
TCP brigid:1054 host182-49.pool8250.interbusiness.it:8888 ESTABLISHED
TCP brigid:1056 host111-243.pool8175.interbusiness.it:8888 ESTABLISHED
TCP brigid:1058 host84-18.pool80180.interbusiness.it:8888 ESTABLISHED
TCP brigid:1061 82-70-26-126.dsl.in-addr.zen.co.uk:6644 ESTABLISHED
TCP brigid:1062 h-67-101-1-125.sttnwaho.dynamic.covad.net:5678 ESTABLISHED
TCP brigid:1063 HSE-Windsor-ppp250473.sympatico.ca:7575 ESTABLISHED
TCP brigid:1461 host5-94.pool80116.interbusiness.it:8888 ESTABLISHED
TCP brigid:3308 p50817F14.dip.t-dialin.net:7777 ESTABLISHED
TCP brigid:3311 61-23-208-43.home.ne.jp:6699 ESTABLISHED
TCP brigid:6699 user-118bh6u.cable.mindspring.com:60885 ESTABLISHED
TCP brigid:6699 pcp02974119pcs.grey01.tn.comcast.net:2904 ESTABLISHED
TCP brigid:6699 cm1879.npcm.nebi.com:4449 ESTABLISHED
TCP brigid:6699 adsl-69-110-43-35.dsl.pltn13.pacbell.net:36626 ESTABLISHED
TCP brigid:6699 adsl-69-209-0-99.dsl.emhril.ameritech.net:3359 ESTABLISHED
TCP brigid:6699 c51473a4d.cable.wanadoo.nl:1929 ESTABLISHED
TCP brigid:6699 host29-253.pool8175.interbusiness.it:4907 ESTABLISHED
TCP brigid:6699 client-82-2-91-4.mant.adsl.virgin.net:3104 ESTABLISHED
TCP brigid:6699 host207-68.pool8250.interbusiness.it:1200 ESTABLISHED
TCP brigid:6699 CPE-144-137-150-133.qld.bigpond.net.au:10813 ESTABLISHED
TCP brigid:6699 pool-151-197-168-3.phil.east.verizon.net:2020 ESTABLISHED
TCP brigid:6699 ACBC9858.ipt.aol.com:4479 ESTABLISHED
TCP brigid:6699 209.11.134.184:41522 ESTABLISHED
TCP brigid:6699 213.156.61.100:39051 ESTABLISHED
TCP brigid:6699 host217-42-180-54.range217-42.btcentralplus.com:1233 ESTABLISHED
TCP brigid:6699 host138-77.pool21759.interbusiness.it:1380 ESTABLISHED
TCP brigid:6699 220.91.212.100:4695 ESTABLISHED
UDP brigid:microsoft-ds *:*
UDP brigid:isakmp *:*
UDP brigid:1039 *:*
UDP brigid:1369 *:*
UDP brigid:1430 *:*
UDP brigid:6257 *:*
UDP brigid:ntp *:*
UDP brigid:1046 *:*
UDP brigid:1900 *:*
UDP brigid:ntp *:*
UDP brigid:1900 *:*

C:\Documents and Settings\Rhia>

Where all those connections came from I don't know. I can only guess...
#3
June 3rd, 2004, 11:05 AM
Crimsonedge
Infrequent Poster
Join Date: Jun 2004
Posts: 3
Re: Dropper.small.5.u ...and others.

And joy of joys, my hosts file has been edited too.


Not being sure whether or not URLs are allowed here, I've voided them.

I note that I am connected to cracks.am, and it's in here too. I wonder why? Annoying!

Last edited by Crimsonedge : June 3rd, 2004 at 11:19 AM.
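Added example, not code from the thread: a Python triage script that parses a Windows `netstat -a` dump of the shape posted in #2 (including the `:5678ESTABLISHED` token glued to the port and the state wrapped onto its own line) and cross-checks the foreign names against a hosts file like the one in #3. It flags a listening port that also carries several inbound sessions (the thread's 6699) and foreign names that the hosts file itself pins to 127.0.0.1 (the cracks.am puzzle); the sample dump and hosts lines are constructed, and the reading that such a cracks.am pair is a loopback session shown under a hosts-file name is an assumption the thread does not confirm.

```python
import re
from collections import Counter

# Constructed excerpt of the thread's `netstat -a` dump, keeping its two layout quirks
NETSTAT = """  Proto  Local Address   Foreign Address                                    State
  TCP    brigid:6699     brigid:0                                           LISTENING
  TCP    brigid:1031     cracks.am:1032                                     ESTABLISHED
  TCP    brigid:1062     h-67-101-1-125.sttnwaho.dynamic.covad.net:5678ESTABLISHED
  TCP    brigid:1049     220-245-10-254-vic.tpgi.com.au:6699
ESTABLISHED
  TCP    brigid:6699     cm1879.npcm.nebi.com:4449                          ESTABLISHED
  TCP    brigid:6699     ACBC9858.ipt.aol.com:4479                          ESTABLISHED
"""
# Constructed hosts-file excerpt; the thread's real file pins about 200 names to 127.0.0.1
HOSTS = """127.0.0.1 localhost
127.0.0.1 cracks.am
127.0.0.1 default-homepage-network.com   # startpage hijacker
"""
STATES = ("LISTENING", "ESTABLISHED", "CLOSE_WAIT", "TIME_WAIT", "SYN_SENT")
ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\S+)\s+(\S+):(\S+?)\s*(%s)?\s*$" % "|".join(STATES))

def parse_netstat(text):
    # returns (proto, local_port, foreign_host, foreign_port, state) rows
    rows = []
    for raw in text.splitlines():
        if raw.strip() in STATES and rows and rows[-1][4] == "":
            rows[-1] = rows[-1][:4] + (raw.strip(),)   # state wrapped onto next line
            continue
        m = ROW.match(raw)
        if m:                                          # glued ':5678ESTABLISHED' splits here
            rows.append(m.groups()[:4] + (m.group(5) or "",))
    return rows

def hosts_loopback_names(text):
    # names the hosts file pins to 127.0.0.1 (comments stripped, lower-cased)
    names = set()
    for fields in (l.split("#", 1)[0].split() for l in text.splitlines()):
        if fields[:1] == ["127.0.0.1"]:
            names.update(f.lower() for f in fields[1:])
    return names

def triage(netstat_text, hosts_text):
    rows, pinned = parse_netstat(netstat_text), hosts_loopback_names(hosts_text)
    est = [r for r in rows if r[4] == "ESTABLISHED"]
    return {
        "listening": sorted(r[1] for r in rows if r[4] == "LISTENING"),
        "established": len(est),
        # one listening port carrying several inbound sessions (the thread's 6699)
        "hot_ports": [p for p, n in Counter(r[1] for r in est).most_common() if n >= 2],
        # foreign names the hosts file itself pins to 127.0.0.1 (the cracks.am puzzle)
        "hosts_collisions": sorted({r[2] for r in est if r[2].lower() in pinned}),
    }
```

Run `triage(NETSTAT, HOSTS)` against your own `netstat -a` text and hosts file; a port in `hot_ports` that you did not open yourself is what the thread's 6699 looks like in the raw dump.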
#4
June 4th, 2004, 04:42 AM
Jooske
Incredibly Massive Poster
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Dropper.small.5.u ...and others.

Hi there! Looks like quite a collection. Could it be related to those infected emails, using the object data exploit? (If you look in the source of the infected emails you know what I mean; google for fatbonuscasino in the newsgroups and promise yourself to click on none of the links written about in their examples; most are dead links now but some could be working.)
I knew from the description it could be really bad (I've made quite a study of it by now), but this looks terrible in action!

What it does:
Email with exploit redirects to a site with only a download file via a script, installs mstask.exe, gets x.exe and more scripts and downloads a collection, installing a tiny proxy server, changing your system into a zombie proxy (bandwidth stealing) and spitting out stuff to the outside world; you see the collection of downloaders and password stealers, dialers, etc. Stealing the startpage, infecting the HOSTS file and the whole lot.
You see lots of your files were in the TIF folders, so either you copy those infections to another place to zip and submit them to the lab, or you clean caches and lots has gone already; but a lot has been installed as well, as you can see in your connections and HOSTS file.

Anyway, first of all read how to post your HijackThis log in the stickies above in this same forum, http://www.wilderssecurity.com/showthread.php?t=15913
and the experts will help you clean it out.
And if so, you'll be advised to make sure to have all security updates for Windows and Internet Explorer.
You'll have lots to do, changing passwords when all is clean, etc. etc.
Jooske
"o_o"