help needed!!

Discussion in 'malware problems & news' started by john h, Jan 15, 2004.

Thread Status:
Not open for further replies.
  1. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    I have found a possible trojan in my computer,it is in C:\Windows\system32\service.exe. it tries to connect when i use any page to log on, presumably to steal my user names and passwords. How do i find the name of this trojan and how can i get rid or it ,it wont delete. My trojan hunter says it is a UPX packed file... thanks in advance john h
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi john,

    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  3. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    Logfile of HijackThis v1.97.7
    Scan saved at 6:43:44 PM, on 15/01/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\essspk.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\System32\service.exe
    C:\WINDOWS\FSScrCtl.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\IncrediMail\bin\IncMail.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - Startup: DI Daily Exposure Calculator Vr 2.52.LNK = C:\Program Files\DI Daily Exposure Calculator Vr 2.52\DI_DXP_Calc_Vr_2_52.exe
    O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37767.0352430556
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DF82C78C-C263-4AEB-A788-953A033F8C9E}: NameServer = 192.189.54.17 203.8.183.1

    Thanks pieter
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi john,

    Check the item below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe

    Then boot into safe mode and rename C:\WINDOWS\System32\service.exe to service.bak
    Please send the file to the address in my profile.

    TIA,

    Pieter
     
  5. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    pieter,
    clicked on the yes button on the fix it window after i fix checked and the file has dissapeared ,dont know how to boot into safe mode, am i in big trouble now. john...
     
  6. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    Pieter, have sent you email,,,john..
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi john,

    Did you notice that the words safe mode in my earlier post were a link to this site: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 ?

    Regards,

    Pieter
     
  8. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    Pieter, i noticed it after i did the dissapearing thing with the file , I have printed out how to put the system in safe mode, but ive lost the file. when i go to my computer and then to the windows file 'service Exe' is still there,,, bear with me as you have figured out by now ,im new at this;-] john...
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi John,

    I'm sorry. I don't quite folow.
    Did you find the file?

    If you did not the file could be hidden.
    To "unhide" hidden files and folders:
    Launch My Computer from the Desktop Icon.
    Select View, Details.
    Select the Folders button.
    Select Tools, Folder Options. Then select the View Tab. Select the Show hidden files and folders radio button is selected
    and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
    Like Current Folder (located near the top of the Folder Options box). Then select OK.

    Regards,

    Pieter
     
  10. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    Pieter cant find "like current folder",,,ive got apply to all folders and reset all folders john
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Apply to all folders then john.
    Something must have gotten lost in the translation. :)

    Regards,

    Pieter
     
  12. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    Pieter, have sent you an email with service.bak in the att ...i have explained what i have done before you open it ....john...
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi john,

    I won't be able to have a look until I get home.
    That will take a few more hours. I'll answer you from there.

    Regards,

    Pieter
     
  14. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    Thanks Pieter,
    Its 10.30pm here in western australia,i will give you a break while i have a sleep and ill contact you tomorrow,or then i could be calling you from tomorrow, or yesterday, depending where we are in the world,,,,,i need some sleep o_O
    cheers john...
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Then get some. You'll feel better. :)

    Regards,

    Pieter
     
  16. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    Hi Pieter,
    noticed you online, did you have a chance to look at the file i sent to your email.... john..
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi john,

    The file is UPX packed, so all I had was a quick glance, but it looks to be a "otherwise harmless" hijacker.

    No need for you to keep it. I will unpack it over the weekend and post my findings.

    Regards,

    Pieter
     
  18. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    thanks Pieter,
    :D :D :D
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi john,

    I had to send the file to someone more knowledgeable then me, because it was too complex for me to analyze (I'm just a rookie in that regard)

    Here is the answer I got:
    So if you use that computer for online banking or payments, better prepare yourself for the worst.

    Regards,

    Pieter
     
  20. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    Hi Pieter,
    Yes thats how i found it ,had my egold hacked , lost $500us,,,now i have changed all passwords and put in more security.... appreciate any help you can give to get it out of my computer....cheers john..
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi John,

    Do you have TDS installed?

    Regards,

    Pieter
     
  22. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    what is tds...thanks pieter
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi john,

    You can download TDS-3 from http://tds.diamondcs.com.au/
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then click System Testing > Full System scan.

    When you are done you can export the findings in the lower part of the program window to a .txt file.
    Please copy and paste that into your next post.

    Regards,

    Pieter
     
  24. john h

    john h Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    16
    Pieter,
    tds didnt pick up the service exe file, but i got another bad file tonight,this is what tds got
    Scan Control Dumped @ 23:25:43 20-01-04
    Positive identification <Adv>: Possible WebDownloader
    File: c:\a.exe

    I also used trojanhunter that was quicker and gave a better detail. i will get file and post john
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi john,

    a.exe is probably the realphx AIM hijacker.
    You can delete that one.

    Looking forward to your logs.
    Don't uninstall TDS yet.

    Regards,

    Pieter
     
Loading...
Thread Status:
Not open for further replies.