Dropper.small.5.u ...and others.

Discussion in 'adware, spyware & hijack cleaning' started by Crimsonedge, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. Crimsonedge

    Crimsonedge Registered Member

    Jun 3, 2004
    After I went to bed last night, my girlfriend used the computer, and woke me up this morning telling me that the computer was messed up. (not my ideal start to the morning!!! lol)

    Anyway, it turns out that she was happily browsing the web, when all of a sudden, she clicked on a link to a webpage, and chaos ensued.

    To cut a long story short, I've spent all morning trying to repair the damage...

    The Internet Explorer start page has been hijacked, and I suspect that this may be something to do with the fact that when my girlfriend clicked that link, AVG 6 Free Edition's Resident Shield started reporting a succession of viruses/trojans/downloaders. I can't seem to find any details of the hijack on Google, nor any other search engine. AVG has no info available for them, and searching for them in these forums produces no results.

    Can anybody identify these names for me, or otherwise help me repair this machine? A couple of files were healed, but most of them have been moved to the virus vault...

    C:\X.exe - Downloader.small.bg

    C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\6PQIA2UD\CHILD_~1.EXE - Downloader.Small.4.BB

    C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\I1BC4NXY\MSITS_~1.EXE - backdoor.jeemp.a

    C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\I1BC4NXY\PAGE_1~1.HTA - dropper.inor.j

    C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\YZRJKCV5\MSTASK~1.TXT - PSW.Banker.N

    C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\YZRJKCV5\SEKSDI~1.EXE - Dialer.7.B
    C:\WINDOWS\SEKSDI~1.EXE - Dialer.7.B

    C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\YZRJKCV5\SETUP_~1.EXE - Downloader.Small.5.BH
    C:\Program Files\Internet Explorer\SETUP.EXE - Downloader.Small.5.BH

    C:\Documents and Settings\RHIA\DESKTOP\SYSTEM~1.REN - Trojan horse Startpage.6.T

    C:\Documents and Settings\RHIA\Local Settings\Temporary Internet Files\CONTENT.IE5\QRATCV5X\LOAD_1~1.EXE - Trojan horse Downloader.Harnig.L
    C:\WINDOWS\Downloaded Program Files\LOAD.EXE - Trojan horse Downloader.Harnig.L

    C:\WINDOWS\MSTASKS4.EXE - Trojan Horse collected.z

    C:\WINDOWS\SYSTEM.EXE - Trojan horse Startpage.6.U

    C:\WINDOWS\SYSTEM32\WINTIME.EXE - Trojan horse Dropper.Small.5.U

    So there you have it. A long list of things that I can't find any information on.

    I do believe, though, that my start page hijack is the result of the file "system.exe", but I can't be sure. There are 6 reappearing registry entries referring to the page I am hijacked to.

    Any help would be greatly appreciated.

    Many thanks,
    Last edited: Jun 3, 2004
  2. Crimsonedge

    Crimsonedge Registered Member

    Jun 3, 2004
    Oh, and here's a list of my active connections....

    C:\Documents and Settings\Rhia>netstat -a

    Active Connections

    Proto Local Address Foreign Address State
    TCP brigid:epmap brigid:0 LISTENING
    TCP brigid:microsoft-ds brigid:0 LISTENING
    TCP brigid:1025 brigid:0 LISTENING
    TCP brigid:1026 brigid:0 LISTENING
    TCP brigid:1032 brigid:0 LISTENING
    TCP brigid:1049 brigid:0 LISTENING
    TCP brigid:1053 brigid:0 LISTENING
    TCP brigid:1054 brigid:0 LISTENING
    TCP brigid:1056 brigid:0 LISTENING
    TCP brigid:1058 brigid:0 LISTENING
    TCP brigid:1061 brigid:0 LISTENING
    TCP brigid:1062 brigid:0 LISTENING
    TCP brigid:1063 brigid:0 LISTENING
    TCP brigid:1242 brigid:0 LISTENING
    TCP brigid:1461 brigid:0 LISTENING
    TCP brigid:3154 brigid:0 LISTENING
    TCP brigid:3308 brigid:0 LISTENING
    TCP brigid:3311 brigid:0 LISTENING
    TCP brigid:3386 brigid:0 LISTENING
    TCP brigid:5000 brigid:0 LISTENING
    TCP brigid:6699 brigid:0 LISTENING
    TCP brigid:1031 brigid:0 LISTENING
    TCP brigid:1031 cracks.am:1032 ESTABLISHED
    TCP brigid:1032 cracks.am:1031 ESTABLISHED
    TCP brigid:3385 brigid:0 LISTENING
    TCP brigid:3385 cracks.am:3386 ESTABLISHED
    TCP brigid:3386 cracks.am:3385 ESTABLISHED
    TCP brigid:1049 220-245-10-254-vic.tpgi.com.au:6699

    TCP brigid:1053 host190-196.pool80117.interbusiness.it:8888 ESTABLISHED
    TCP brigid:1054 host182-49.pool8250.interbusiness.it:8888 ESTABLISHED
    TCP brigid:1056 host111-243.pool8175.interbusiness.it:8888 ESTABLISHED
    TCP brigid:1058 host84-18.pool80180.interbusiness.it:8888 ESTABLISHED
    TCP brigid:1061 82-70-26-126.dsl.in-addr.zen.co.uk:6644 ESTABLISHED
    TCP brigid:1062 h-67-101-1-125.sttnwaho.dynamic.covad.net:5678ESTABLISHED
    TCP brigid:1063 HSE-Windsor-ppp250473.sympatico.ca:7575 ESTABLISHED
    TCP brigid:1461 host5-94.pool80116.interbusiness.it:8888 ESTABLISHED
    TCP brigid:3308 p50817F14.dip.t-dialin.net:7777 ESTABLISHED
    TCP brigid:3311 61-23-208-43.home.ne.jp:6699 ESTABLISHED
    TCP brigid:6699 user-118bh6u.cable.mindspring.com:60885 ESTABLISHED
    TCP brigid:6699 pcp02974119pcs.grey01.tn.comcast.net:2904 ESTABLISHED
    TCP brigid:6699 cm1879.npcm.nebi.com:4449 ESTABLISHED
    TCP brigid:6699 adsl-69-110-43-35.dsl.pltn13.pacbell.net:36626ESTABLISHED
    TCP brigid:6699 adsl-69-209-0-99.dsl.emhril.ameritech.net:3359ESTABLISHED
    TCP brigid:6699 c51473a4d.cable.wanadoo.nl:1929 ESTABLISHED
    TCP brigid:6699 host29-253.pool8175.interbusiness.it:4907 ESTABLISHED
    TCP brigid:6699 client-82-2-91-4.mant.adsl.virgin.net:3104 ESTABLISHED
    TCP brigid:6699 host207-68.pool8250.interbusiness.it:1200 ESTABLISHED
    TCP brigid:6699 CPE-144-137-150-133.qld.bigpond.net.au:10813 ESTABLISHED
    TCP brigid:6699 pool-151-197-168-3.phil.east.verizon.net:2020 ESTABLISHED
    TCP brigid:6699 ACBC9858.ipt.aol.com:4479 ESTABLISHED
    TCP brigid:6699 ESTABLISHED
    TCP brigid:6699 ESTABLISHED
    TCP brigid:6699 host217-42-180-54.range217-42.btcentralplus.com:1233 ESTABLISHED
    TCP brigid:6699 host138-77.pool21759.interbusiness.it:1380 ESTABLISHED
    TCP brigid:6699 ESTABLISHED
    UDP brigid:microsoft-ds *:*
    UDP brigid:isakmp *:*
    UDP brigid:1039 *:*
    UDP brigid:1369 *:*
    UDP brigid:1430 *:*
    UDP brigid:6257 *:*
    UDP brigid:ntp *:*
    UDP brigid:1046 *:*
    UDP brigid:1900 *:*
    UDP brigid:ntp *:*
    UDP brigid:1900 *:*

    C:\Documents and Settings\Rhia>

    Where all those connections came from I don't know. I can only guess... :(
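A small triage script for a pasted `netstat -a` listing like the one above, added here as an example; it is not from the thread or from any tool the posters used. It runs on a constructed sample in the same Windows format (hostnames and ports are made up, modelled on the listing) and copes with two paste artefacts visible above: a state fused onto the port (`:4479ESTABLISHED`) and a blank foreign address. It reports listening ports, local ports that are both listening and hold several established connections (a service accepting inbound peers), foreign hosts that recur, and mirrored local-to-local port pairs. That last pattern is a process talking to itself over loopback; the name netstat prints for it comes from a reverse lookup, which on Windows consults the hosts file, so a hosts-file name appearing in such a pair is not by itself evidence of an outbound connection to that site.

```python
"""Triage a pasted `netstat -a` listing (added example; constructed data)."""
import re
from collections import Counter

# Constructed sample in the Windows XP `netstat -a` layout of the thread.
# Hostnames and ports are made up; two lines reproduce paste artefacts seen
# in the original: a state fused onto the port, and a blank foreign address.
SAMPLE_NETSTAT = """\
C:\\Documents and Settings\\user>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    host:epmap             host:0                 LISTENING
  TCP    host:1031              host:0                 LISTENING
  TCP    host:6699              host:0                 LISTENING
  TCP    host:1031              cracks.am:1032         ESTABLISHED
  TCP    host:1032              cracks.am:1031         ESTABLISHED
  TCP    host:1053              peer-a.example.net:8888  ESTABLISHED
  TCP    host:1054              peer-b.example.net:8888  ESTABLISHED
  TCP    host:6699              peer-c.example.org:60885  ESTABLISHED
  TCP    host:6699              peer-d.example.org:4479ESTABLISHED
  TCP    host:6699              ESTABLISHED
  UDP    host:ntp               *:*
"""

_STATE_RE = re.compile(r"^[A-Z_]+$")            # LISTENING, ESTABLISHED, TIME_WAIT ...
_FUSED_RE = re.compile(r"^(.*:\d+)([A-Z_]+)$")  # "host:4479ESTABLISHED" (space lost in paste)


def _split_addr(addr):
    """'host:6699' -> ('host', '6699'); '*:*' -> ('*', '*')."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP/UDP row; headers, prompts and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] not in ("TCP", "UDP"):
            continue
        proto, local, rest = tokens[0], tokens[1], tokens[2:]
        foreign, state = None, None
        if len(rest) >= 2:
            foreign, state = rest[0], rest[1]
        elif _STATE_RE.match(rest[0]):
            state = rest[0]                      # foreign address blank in the paste
        else:
            fused = _FUSED_RE.match(rest[0])
            if fused:
                foreign, state = fused.group(1), fused.group(2)
            else:
                foreign = rest[0]                # UDP rows have no state column
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign) if foreign else ("", "")
        records.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "foreign_host": fhost, "foreign_port": fport, "state": state})
    return records


def triage(records, fanin_threshold=2):
    """Summarise what a defender looks at first in a listing like this."""
    listening = sorted({r["local_port"] for r in records
                        if r["proto"] == "TCP" and r["state"] == "LISTENING"})
    established = [r for r in records if r["state"] == "ESTABLISHED"]
    by_local_port = Counter(r["local_port"] for r in established)
    foreign_hosts = Counter(r["foreign_host"] for r in established if r["foreign_host"])
    foreign_ports = Counter(r["foreign_port"] for r in established if r["foreign_port"])
    # A listening port with several established peers is a service accepting inbound traffic.
    inbound = sorted(p for p, n in by_local_port.items()
                     if p in listening and n >= fanin_threshold)
    repeated_hosts = sorted(h for h, n in foreign_hosts.items() if n >= 2)
    # Mirrored (local_port, foreign_port) pairs are one process connected to itself over loopback.
    pairs = {(r["local_port"], r["foreign_port"]) for r in established}
    loopback = sorted({tuple(sorted(p)) for p in pairs if (p[1], p[0]) in pairs})
    return {"listening_ports": listening, "established": len(established),
            "inbound_service_ports": inbound, "repeated_foreign_hosts": repeated_hosts,
            "foreign_ports": foreign_ports, "loopback_pairs": loopback}


if __name__ == "__main__":
    for key, value in triage(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"{key}: {value}")
```

Paste a real listing in place of `SAMPLE_NETSTAT` (or read it from a file) and compare the listening ports and the inbound-service ports against what the machine is supposed to run; a port accepting a dozen peers that no installed program accounts for is the first thing to explain.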
  3. Crimsonedge

    Crimsonedge Registered Member

    Jun 3, 2004
    And joy of joys, my hosts file has been edited too. ruworld.com maxxxhosters.com therealsearch.com thumbest-traffic.com 600pics.com tonser.4-counter.com free.sinpussy.com hightcalldialer.com bestpornnews.com thumberland.com greg-search.com connect.online-dialer.com 0190-dialer.com approvedlinks.com install.xxxtoolbar.com download.buxomatic.com dia.4-counter.com vse-moe.biz crue.global-counter.com line-plus.com porno-links.biz download.tntdialer.com freelivesex.org free3xmatures.com bestpics.net dikai.com world-search.biz 1-se.com 58q.com aifind.cc aifind.info allneedsearch.com auto.ie.searchforge.com awebfind.biz best.royalsearch.net cracks.am default-homepage-network.com find.microgirls.com find4u.net freshvideogals.com i-lookup.com ie-search.com in.webcounter.cc itseasy.us just.find-itnow.com link.startmake.com mysearchnow.com nativehardcore.com qwertysearch123.biz search.ieplugin.com search.psn.cn searchbar.findthewebsiteyouneed.com searchcentrix.com searchmyrequest.com super-spider.com t.rack.cc teen-biz.com teenhqpics.com tits.hardcore4ever.net webcoolsearch.com wmmse.com 008i.com 2fastsearch.net 8095.com alfa-search.com boredlife.com couldnotfind.com cracks.am daum.net dreamwiz.com find-itnow.com find4u.net firstbookmark.com gajai.com hand-book.com hao123.com hotsearchbox.com hotwebsearch.com hugesearch.net iquicksearch.com lookfor.cc naver.com nkvd.us nova****.com ohcorea.com omega-search.com onet.pl power-search.info rightfinder.net search-1.net search-and-go.com search-dot.com search-space.com searchforge.com searching-the-net.com searchv.com searchxl.com seznam.cz slotch.com spidersearch.com startium.com ttjj.com viewpornkey.com wazzupnet.com websearch.com windowws.cc xgmm.com xwebsearch.biz yourbookmarks.ws collections.inhost.info collections.inhost2.info w[]ww.ruworld.com w[]ww.maxxxhosters.com w[]ww.therealsearch.com w[]ww.thumbest-traffic.com w[]ww.600pics.com w[]ww.hightcalldialer.com w[]ww.bestpornnews.com w[]ww.thumberland.com 
w[]ww.greg-search.com w[]ww.0190-dialer.com w[]ww.approvedlinks.com w[]ww.vse-moe.biz w[]ww.line-plus.com w[]ww.porno-links.biz w[]ww.freelivesex.org w[]ww.free3xmatures.com w[]ww.bestpics.net w[]ww.dikai.com w[]ww.world-search.biz w[]ww.1-se.com w[]ww.58q.com w[]ww.aifind.cc w[]ww.aifind.info w[]ww.allneedsearch.com w[]ww.awebfind.biz w[]ww.cracks.am w[]ww.default-homepage-network.com w[]ww.find4u.net w[]ww.freshvideogals.com w[]ww.i-lookup.com w[]ww.ie-search.com w[]ww.itseasy.us w[]ww.mysearchnow.com w[]ww.nativehardcore.com w[]ww.qwertysearch123.biz w[]ww.searchcentrix.com w[]ww.searchmyrequest.com w[]ww.super-spider.com w[]ww.teen-biz.com w[]ww.teenhqpics.com w[]ww.webcoolsearch.com w[]ww.wmmse.com w[]ww.008i.com w[]ww.2fastsearch.net w[]ww.8095.com w[]ww.alfa-search.com w[]ww.boredlife.com w[]ww.couldnotfind.com w[]ww.cracks.am w[]ww.daum.net w[]ww.dreamwiz.com w[]ww.find-itnow.com w[]ww.find4u.net w[]ww.firstbookmark.com w[]ww.gajai.com w[]ww.hand-book.com w[]ww.hao123.com w[]ww.hotsearchbox.com w[]ww.hotwebsearch.com w[]ww.hugesearch.net w[]ww.iquicksearch.com w[]ww.lookfor.cc w[]ww.naver.com w[]ww.nkvd.us w[]ww.nova****.com w[]ww.ohcorea.com w[]ww.omega-search.com w[]ww.onet.pl w[]ww.power-search.info w[]ww.rightfinder.net w[]ww.search-1.net w[]ww.search-and-go.com w[]ww.search-dot.com w[]ww.search-space.com w[]ww.searchforge.com w[]ww.searching-the-net.com w[]ww.searchv.com w[]ww.searchxl.com w[]ww.seznam.cz w[]ww.slotch.com w[]ww.spidersearch.com w[]ww.startium.com w[]ww.ttjj.com w[]ww.viewpornkey.com w[]ww.wazzupnet.com w[]ww.websearch.com w[]ww.windowws.cc w[]ww.xgmm.com w[]ww.xwebsearch.biz w[]ww.yourbookmarks.ws

    Not being sure whether or not URLs are allowed here, I've voided them. :)

    I note that I am connected to cracks.am, and it's in here too. I wonder why? Annoying!
    Last edited: Jun 3, 2004
  4. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi there! Looks like quite a collection. Could it be related to those infected emails, using the object data exploit? (If you look in the source of the infected emails you know what I mean -- google for fatbonuscasino in the newsgroups and promise yourself to click on none of the links written about in their examples; most are dead links now but some could be working.)
    I knew from the description it could be really bad (I've made quite a study of it by now), but this looks terrible in action!

    What it does:
    An email with the exploit redirects to a site with only a download file via a script, installs mstask.exe, gets x.exe and more scripts, and downloads the collection, installing a tiny proxy server that changes your system into a zombie proxy (bandwidth stealing) spitting out stuff to the outside world; you see the collection of downloaders and password stealers, dialers, etc. Stealing the start page, infecting the HOSTS file and the whole lot.
    You see lots of your files were in the TIF folders, so either you copy those infections to another place to zip and submit them to the lab, or you clean the caches; lots has gone already, but a lot has been installed as well, as you can see in your connections and HOSTS file.

    Anyway, first of all read how to post your HijackThis log in the stickies above in this same forum, http://www.wilderssecurity.com/showthread.php?t=15913
    and the experts will help you clean out.
    And if so, you'll be advised to make sure to have all security updates for Windows and Internet Explorer.
    You'll have lots to do, changing passwords when all is clean, etc. etc.
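As an added example (not from the thread or any tool the posters mention), a short Python audit of a Windows HOSTS file that separates the two things a hijack of the kind described above does: names forced to the loopback address (that site becomes unreachable), and names pointed at some other address (requests to that site are silently redirected). The sample file is constructed: a stock header, two names taken from the list earlier in the thread, a placeholder `www.example.com`, and addresses from the RFC 5737 documentation ranges. `clean_hosts` produces the restore-to-baseline version, keeping only comments and the `localhost` entry.

```python
"""Audit a Windows HOSTS file for hijack entries (added example; constructed data)."""
import ipaddress
from collections import Counter

# Names a stock hosts file legitimately maps to the loopback address.
BASELINE_NAMES = {"localhost"}

# Constructed sample: stock header, one baseline entry, then entries of the two
# kinds a hijack adds, plus a malformed line to show error handling.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       cracks.am www.cracks.am
192.0.2.10      search.ieplugin.com
192.0.2.10      www.example.com      # search site silently redirected
203.0.113.7     mysearchnow.com
not-an-address  garbage
"""


def parse_hosts(text):
    """Return (line_no, address, [names]) per entry; comments and blank lines skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not body:
            continue
        fields = body.split()
        entries.append((line_no, fields[0], fields[1:]))
    return entries


def audit_hosts(text):
    """Classify every mapping as blocked (loopback), redirected (elsewhere) or malformed."""
    blocked, redirected, malformed = [], {}, []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            malformed.append(line_no)
            continue
        for name in names:
            if addr.is_loopback:
                if name.lower() not in BASELINE_NAMES:
                    blocked.append(name)        # site forced to loopback: unreachable
            else:
                redirected[name] = ip           # site pointed at another host
    return {"blocked": blocked, "redirected": redirected,
            "redirect_targets": Counter(redirected.values()),
            "malformed_lines": malformed}


def clean_hosts(text):
    """Return the file with only comments and baseline loopback entries kept."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)                    # comment or blank line: keep verbatim
            continue
        fields = body.split()
        try:
            is_loopback = ipaddress.ip_address(fields[0]).is_loopback
        except ValueError:
            continue                            # malformed entry: drop
        if is_loopback and fields[1:] and all(n.lower() in BASELINE_NAMES for n in fields[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("blocked:", report["blocked"])
    print("redirected:", report["redirected"])
    print("redirect targets:", dict(report["redirect_targets"]))
    print("malformed lines:", report["malformed_lines"])
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Redirect entries deserve more attention than blocking ones: several names all pointing at the same outside address is the signature of a hijack that wants search traffic, and that address is worth recording before the file is restored. The baseline set is deliberately minimal; a machine that legitimately uses extra hosts entries needs them added to `BASELINE_NAMES` before `clean_hosts` is trusted to rewrite the file.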