HijackThis log-PWSteal.Trojan

Discussion in 'adware, spyware & hijack cleaning' started by Schuey, Apr 26, 2004.

Thread Status:
Not open for further replies.
  1. Schuey

    Schuey Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    4
    PWSteal.Trojan- Real or Hoax?

    I did a routine NAV scan & found this apparent Trojan in the following folder:

    C:\Documents & Settings|user\local settings\Temporary Internet Files\Content.IE5\K7DVQQJ9\dtc.32_EN_XP(1).cab

    NAV detected it but can't quarantine or delete it. Of course I panicked when I looked on the web & found that PWSteal.Trojan steals password/online banking details.

    I also checked the Norton website & followed the instructions: disable system restore, run in safe mode but still can't get rid of it. I also tried the other suggested solution i.e. delete manually. As suggested on the website, I tried looking for msdos98.exe, uninstallms.exe, mine.exe, mi*.zip, but couldn't find any of these files. I even tried manually deleting the temporary internet files folder but was told that was not possible.

    Heard that some of these may be hoaxes rather than actual trojans. Can someone advise on its removal, be it a Trojan or hoax? Thanks, I'm coming to my wits' end.
    o_O
     
    Last edited by a moderator: Apr 27, 2004
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Last edited: Apr 27, 2004
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: PWSteal.Trojan- Real or Hoax?

    Just empty the Temporary Internet Files folder.

    Open IE / Tools / Options / General and press Delete Files; that will get rid of it.


    When you use XP, antiviruses cannot clean in the Temp Internet Files folder.

    While it's still in the .cab form it's pretty harmless.

    To check if you have actually been infected, do this please:

    please follow the instructions here
    https://www.wilderssecurity.com/showthread.php?t=15913
    and post a HJT log in the hijack forum
     
    Last edited by a moderator: Apr 27, 2004
  4. Schuey

    Schuey Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    4
    Re: PWSteal.Trojan- Real or Hoax?

    I already tried IE > Tools > Internet Options > Delete temp int files, but NAV is still persistently detecting 2 things (I copied & pasted NAV's activity log):

    1)The compressed file test.ocx within C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\85Q3SLY3\download[1].CAB is a Security risk threat.
    Click for more information about this threat : SecurityRisk.Downldr

    2)The compressed file dtc32.dll within C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K7DVQQJ9\dtc32_EN_XP[1].cab is infected with the PWSteal.Trojan virus.
    Click for more information about this threat : PWSteal.Trojan

    But when I used online antivirus scanners (Norton, Trend Micro, Panda, GFI Trojanscan, Bitdefender, McAfee), none picked up the above problems.

    Anyway, I followed your suggestion; I have scanned using Ad-Aware & Spybot & got rid of all spyware & here's my HJT log: (Thank you in advance)

    Logfile of HijackThis v1.97.7
    Scan saved at 12:21:40 AM, on 4/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\BBC Ticker\BBCTicker.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Documents and Settings\user\My Documents\hijackthis1977\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe
    O4 - Startup: BBCTicker.lnk = C:\Program Files\BBC Ticker\BBCTicker.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: Skyscape smARTupdate.lnk = C:\RECYCLER\NPROTECT\00055602.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: iSiloX Clipper (HKCU)
    O9 - Extra 'Tools' menuitem: iSiloX Clipper... (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15979c7b86c18747e017/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.visiblehumanexperience.com/install/setup.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4353/mcfscan.cab
     
    Last edited by a moderator: Apr 27, 2004
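    An added parser, not part of the thread, for the two artefacts posted above: HijackThis entry lines and the NAV activity-log detection lines. It assumes the HijackThis v1.97 line formats shown in the log (the sample below is constructed from entries copied out of it) and classifies a reported container as "in IE's cache" when it sits under Content.IE5, which is the folder dvk01 says emptying Temporary Internet Files clears.

```python
import re
from urllib.parse import urlparse
# Constructed excerpt using the HijackThis v1.97 line formats seen in the log above.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.visiblehumanexperience.com/install/setup.cab
"""

# One pattern per section; O16 (Downloaded Program Files) entries are the ActiveX
# .cab packages IE fetched into Temporary Internet Files, like the one NAV flagged.
CLSID = r"\{[0-9A-Fa-f-]+\}"
PATTERNS = {
    "O2": re.compile(rf"BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)"),
    "O4": re.compile(r"(?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] (?P<cmd>.*)|(?P<lnk>.+?) = (?P<target>.*))"),
    "O16": re.compile(rf"DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)"),
}

def parse_hjt(text):
    """Turn 'Oxx - body' lines into dicts; sections without a pattern keep only the raw body."""
    entries = []
    for line in text.splitlines():
        m = re.fullmatch(r"(?P<section>[RO]\d+) - (?P<body>.*)", line.strip())
        if not m:
            continue
        entry = {"section": m["section"], "raw": m["body"]}
        pat = PATTERNS.get(m["section"])
        if pat and (fields := pat.fullmatch(m["body"])):
            entry.update({k: v for k, v in fields.groupdict().items() if v is not None})
        entries.append(entry)
    return entries

def dpf_hosts(entries):
    """Hosts that served the O16 ActiveX packages, so an analyst can vet each source."""
    return sorted({urlparse(e["url"]).hostname for e in entries if e["section"] == "O16"})

# NAV activity-log line as pasted above: inner file, .cab container, threat name (if given).
NAV_LINE = re.compile(r"The compressed file (?P<inner>\S+) within (?P<container>.+?) is "
                      r"(?:infected with the (?P<threat>\S+) virus|a Security risk threat)\.")

def parse_nav_detection(line):
    m = NAV_LINE.search(line)
    return m.groupdict() if m else None

def in_ie_cache(path):
    """True for files under IE's cache (Content.IE5): a downloaded package, not an installed one."""
    return "\\temporary internet files\\content.ie5\\" in path.lower()
```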
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re: PWSteal.Trojan- Real or Hoax?

    Hi Schuey :)

    Now that you have posted a HijackThis log, I will move your thread to the Hijack cleaning forums for better attention.


    snowbound
     
    Last edited: Apr 27, 2004
  6. Schuey

    Schuey Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    4
    Re: PWSteal.Trojan- Real or Hoax?

    Thanks Snowbound, I did everything with the system restore disabled. When it is enabled, my NAV just could not stop scanning. It kept repeating the whole system scan & picked up duplicates of the same trojans/viruses as above. Why is that happening (don't fully understand this system restore thingy)?
     
    Last edited by a moderator: Apr 27, 2004
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Schuey,

    Before I forget, do you have this software installed:
    http://www.jenneth.info/archives/000171.html

    Then boot into safe mode and click Start > Programs > Accessories > DiskCleanup. Put a checkmark in all the options.
    Once that is done use the Delete Files in IE once more and make sure to include offline content.

    Then boot normally and scan again.

    Regards,

    Pieter
     
  8. Schuey

    Schuey Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    4
    Hi Pieter,

    Thanks for your help. What's the significance of:
    http://www.jenneth.info/archives/000171.html ?

    Can't remember when I last accessed that website, but I do have the software, RepliGo by Cerience (a Palm software).

    By the way, I finally managed to get rid of the 2 problematic files/virus?/trojan? I followed your instruction > Disk Cleanup > ticked all the options, then > IE > delete temp files, but the scan was still positive. Then I tried Disk Cleanup again, but the second time I highlighted the temp internet files & pressed "View Files". To my surprise, I could see the problematic files in the "temp int files" folder which I could not access elsewhere. I just manually deleted the 2 offending files. The NAV scan was finally clean as a whistle, first time in 1 week!!!!!!!!!

    Do you think I had a spyware, a virus or a trojan?? If it's a trojan, is it really a password stealer or is it a hoax? How do you think I could have got it?

    Many thanks for your prompt reply again. This website is great, will definitely refer to my friends.

    Cheers
    Schuey
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    That one is no hoax. It is hard, however, to ascertain whether it did relay information about you.

    The safest way would be to change any and all online passwords that were used on that computer.

    Read here how you can protect yourself:
    https://www.wilderssecurity.com/showthread.php?t=27971

    Regards,

    Pieter
     