Fr33m4n Posted February 10, 2008

I am pretty sure I'm infected with a trojan. Whenever I use IE7 to browse in general I get this error message:

System Error!
Your computer was infected by unknown trojan.
It's dangerous for your system (critical files can be lost)!
Click OK to download the antispyware program to clean your system! (Recommended)

If I hit OK I get redirected to a bogus anti-spyware site.

My system is Windows XP Pro. I have ESET Smart Security up to date and I have Spybot up to date. Neither catches this thing. Furthermore, I tried running SmitfraudFix in Safe Mode, which did not work either. Please help. Here is my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:38:48, on 10.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\system32\mmm.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\updater\explorer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WallChan.exe
C:\DOCUME~1\Spike\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
C:\Program Files\FirefoxPortable\App\firefox\firefox.exe
C:\WINDOWS\system32\Notepad2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {445A3D12-EBA3-4054-AB54-587BF3FF40EA} - C:\WINDOWS\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [PowerTweak Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CMWallpaperChanger] "C:\WINDOWS\system32\WallChan.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6069 bytes
PC_LOAD_LETTER Posted February 10, 2008

First off, get IceSword, open it and go to the processes section. End task on everything listed below (you might wanna kill Spybot/ESET too, to keep them from detecting the HijackThis removal process and blocking it). Do not end task on these items individually: hold down Ctrl and select all the processes you want to kill, then right click and click Terminate Process. Then right click and refresh your view (IceSword doesn't auto refresh like taskmgr). If any of your processes are back in the list, then there is another helper process restarting them. Attempt to locate it in the list and terminate both at the same time to prevent them from restarting each other.

After the IceSword task list is clean, use HijackThis! to remove the following items:

C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\system32\mmm.exe
C:\WINDOWS\system32\updater\explorer.exe
C:\WINDOWS\system32\WallChan.exe
C:\DOCUME~1\Spike\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [PowerTweak Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKCU\..\Run: [CMWallpaperChanger] "C:\WINDOWS\system32\WallChan.exe"
Fr33m4n Posted February 10, 2008 (Author)

But why those programs? VistaDrive is a program I installed and use. mmm.exe is a program I installed and use. WallChan.exe is a program I installed and use. All of these I know are safe and have always been present. Explorer.exe I'm fairly sure is safe, and autorun.exe is most likely a copy of the autorun on a disc I've inserted. Anyway, that file is located in the temp dir and CrapCleaner will remove it promptly. Sorry, not to be rude or anything, and I appreciate the effort, but I don't see why that is good advice?
PC_LOAD_LETTER Posted February 10, 2008

I just quickly searched for all those and found they are associated with spyware. The legit VistaDrive is stored in %windir%\Resources from what I've seen (never used it).

After looking some more, mmm.exe may be related to Kelsenellenelvian stuff. WallChan may be legit as well, but I couldn't find any credible source for it. If autorun.exe is run from a CD, I've rarely seen them copy themselves to the hard disk (U3 pen drives that emulate a CD drive will, however).

explorer.exe is NOT safe. The real explorer.exe (taskbar, start menu, etc.) resides in c:\windows, not c:\windows\updater.

Any way you look at it, terminating all the processes I listed will not harm your system. If you remove the 'O4 - HKLM\..\Run' entries in HijackThis! it will prevent them from running at system start, but rerunning/reinstalling them will fix that issue. Definitely kill autorun.exe and the explorer.exe in the updater folder.

Also, the thing I thought I had included in my above post: if you see the process in IceSword in red text, that means that process is hidden by a rootkit (not a biggie though, 'cause IceSword can terminate it).
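The triage rule in the reply above (a core Windows binary such as explorer.exe running from somewhere other than its normal directory, or anything started from a Temp folder, deserves a closer look) can be applied to a HijackThis log mechanically. The script below is an added example written for this thread, not a tool from the thread or from HijackThis; the expected-directory table and the function names are my own assumptions, and the sample lines are constructed from the log posted above.

```python
import re
from pathlib import PureWindowsPath

# Assumed home directories of a few core Windows XP binaries (lower-case for comparison).
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "smss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}
# First .exe path on a line: either quoted ("C:\Program Files\...\x.exe") or bare.
PATH_RE = re.compile(r'"([^"]+\.exe)"|([a-z]:\\[^"]*?\.exe)', re.IGNORECASE)

def extract_path(line):
    """Return the first Windows .exe path on a log line, or None if there is none."""
    m = PATH_RE.search(line)
    return (m.group(1) or m.group(2)) if m else None

def classify(path):
    """Return the reasons a path looks suspicious; an empty list means nothing flagged."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    expected = EXPECTED_DIR.get(name)
    if expected and parent != expected:
        reasons.append(f"{name} normally lives in {expected}, not {parent}")
    if any(part.lower() == "temp" for part in p.parts):
        reasons.append("executable started from a temporary directory")
    return reasons

def scan_log(text):
    """Check 'Running processes' and O4 autostart lines; return {path: reasons}."""
    findings = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("c:\\") or line.startswith("O4 -"):
            path = extract_path(line)
            reasons = classify(path) if path else []
            if reasons:
                findings.setdefault(path.lower(), reasons)
    return findings

# Constructed sample lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\updater\explorer.exe
C:\DOCUME~1\Spike\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""
```

Running `scan_log(SAMPLE_LOG)` flags only the updater copy of explorer.exe and the autorun.exe under Temp; the genuine C:\WINDOWS\Explorer.EXE and the ESET entry pass, and a rundll32 line with no .exe path is skipped.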
Fr33m4n Posted February 11, 2008 (Author)

You are correct that mmm.exe is Kelsenellenelvian stuff, as are VistaDrive and WallChan. Because my OS is nLited with plenty of addons, a re-install will get me 90% of my system back to scratch with all the apps that I use. I know I perhaps shouldn't have, because then we won't find the solution, but I did do a re-install last night. I can say that the VistaDrive that I now have, that is working and that came from Kel, is indeed located at the above listed location. But explorer and autorun are gone. Thanks for your help and time.
DonDamm Posted February 17, 2008

Just a note of caution. Doing a reinstall was probably the best move to be certain. However, I'm surprised a bit that you got fooled into clicking onto malware so easily. That basically means you need to do some research and learning about how these things work so you can recognize real from bogus. Don't get me wrong, I'm not criticizing you for not knowing, only surprised. Usually, someone who's unafraid of reinstalling has been around enough to have come across these "offers", which are all spyware/malware in themselves. Most of us have been through this at one point in time or other.

ESET Smart Security has a very decent spyware module in it. However, it can't know every new program out there. You might want to get a second opinion sometimes, and if you go to Google Pack and uncheck everything but the PC Tools Spyware Doctor free version, you can have a very good on-demand scanner at no cost.