help needed!!

I have found a possible trojan in my computer,it is in C:\Windows\system32\service.exe. it tries to connect when i use any page to log on, presumably to steal my user names and passwords. How do i find the name of this trojan and how can i get rid or it ,it wont delete. My trojan hunter says it is a UPX packed file... thanks in advance john h

 

Hi john,

Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post.

Most of what it lists will be harmless, so do not fix anything yet.

Regards,

Pieter

 

Logfile of HijackThis v1.97.7
Scan saved at 6:43:44 PM, on 15/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\essspk.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\service.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: DI Daily Exposure Calculator Vr 2.52.LNK = C:\Program Files\DI Daily Exposure Calculator Vr 2.52\DI_DXP_Calc_Vr_2_52.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37767.0352430556
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF82C78C-C263-4AEB-A788-953A033F8C9E}: NameServer = 192.189.54.17 203.8.183.1

Thanks pieter

 

Hi john,

Check the item below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe

Then boot into safe mode and rename C:\WINDOWS\System32\service.exe to service.bak
Please send the file to the address in my profile.

TIA,

Pieter

 

pieter,
clicked on the yes button on the fix it window after i fix checked and the file has dissapeared ,dont know how to boot into safe mode, am i in big trouble now. john...

 

Pieter, have sent you email,,,john..

 

Hi john,

Did you notice that the words safe mode in my earlier post were a link to this site: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 ?

Regards,

Pieter

 

Pieter, i noticed it after i did the dissapearing thing with the file , I have printed out how to put the system in safe mode, but ive lost the file. when i go to my computer and then to the windows file 'service Exe' is still there,,, bear with me as you have figured out by now ,im new at this;-] john...

 

Hi John,

I'm sorry. I don't quite folow.
Did you find the file?

If you did not the file could be hidden.
To "unhide" hidden files and folders:
Launch My Computer from the Desktop Icon.
Select View, Details.
Select the Folders button.
Select Tools, Folder Options. Then select the View Tab. Select the Show hidden files and folders radio button is selected
and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
Like Current Folder (located near the top of the Folder Options box). Then select OK.

Regards,

Pieter

 

Pieter cant find "like current folder",,,ive got apply to all folders and reset all folders john

 

Apply to all folders then john.
Something must have gotten lost in the translation.

Regards,

Pieter

 

Pieter, have sent you an email with service.bak in the att ...i have explained what i have done before you open it ....john...

 

Hi john,

I won't be able to have a look until I get home.
That will take a few more hours. I'll answer you from there.

Regards,

Pieter

 

Thanks Pieter,
Its 10.30pm here in western australia,i will give you a break while i have a sleep and ill contact you tomorrow,or then i could be calling you from tomorrow, or yesterday, depending where we are in the world,,,,,i need some sleep
cheers john...

 

Then get some. You'll feel better.

Regards,

Pieter

 

Hi Pieter,
noticed you online, did you have a chance to look at the file i sent to your email.... john..

 

Hi john,

The file is UPX packed, so all I had was a quick glance, but it looks to be a "otherwise harmless" hijacker.

No need for you to keep it. I will unpack it over the weekend and post my findings.

Regards,

Pieter

 

thanks Pieter,

 

Hi john,

I had to send the file to someone more knowledgeable then me, because it was too complex for me to analyze (I'm just a rookie in that regard)

Here is the answer I got:

So if you use that computer for online banking or payments, better prepare yourself for the worst.

Regards,

Pieter

 

Hi Pieter,
Yes thats how i found it ,had my egold hacked , lost $500us,,,now i have changed all passwords and put in more security.... appreciate any help you can give to get it out of my computer....cheers john..

 

Hi John,

Do you have TDS installed?

Regards,

Pieter

 

what is tds...thanks pieter

 

Hi john,

You can download TDS-3 from http://tds.diamondcs.com.au/
and update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update
Then click System Testing > Full System scan.

When you are done you can export the findings in the lower part of the program window to a .txt file.
Please copy and paste that into your next post.

Regards,

Pieter

 

Pieter,
tds didnt pick up the service exe file, but i got another bad file tonight,this is what tds got
Scan Control Dumped @ 23:25:43 20-01-04
Positive identification <Adv>: Possible WebDownloader
File: c:\a.exe

I also used trojanhunter that was quicker and gave a better detail. i will get file and post john

 

Hi john,

a.exe is probably the realphx AIM hijacker.
You can delete that one.

Looking forward to your logs.
Don't uninstall TDS yet.

Regards,

Pieter