Unknown Trojan


I am pretty sure I'm infected with a trojan. Whenever I use IE7 to browse in general I get this error message:

System Error!

Your computer was infected by unknown trojan.

It's dangerous for your system (critical files can be lost)!

Click OK to download the antispyware program to clean your system! (Recommended)

If I hit OK I get redirected to a bogus anti-spyware site.

My system is Windows XP Pro. I have ESET Smart Security up to date and I have Spybot up to date. Neither catches this thing. Furthermore, I tried running SmitfraudFix in Safe Mode, which did not work either. Please help. Here is my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:38:48, on 10.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\system32\mmm.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\updater\explorer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WallChan.exe
C:\DOCUME~1\Spike\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
C:\Program Files\FirefoxPortable\App\firefox\firefox.exe
C:\WINDOWS\system32\Notepad2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {445A3D12-EBA3-4054-AB54-587BF3FF40EA} - C:\WINDOWS\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [PowerTweak Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CMWallpaperChanger] "C:\WINDOWS\system32\WallChan.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6069 bytes



First off, get IceSword.

Open it and go to the Processes section. End task on everything listed below (you might want to kill Spybot/ESET too, to keep them from detecting the HijackThis removal process and blocking it). Do not end task on these items individually: hold down Ctrl, select all the processes you want to kill, then right-click and click Terminate Process. Then right-click and refresh your view (IceSword doesn't auto-refresh like taskmgr). If any of your processes are back in the list, there is another helper process restarting them; try to locate it in the list and terminate both at the same time to prevent them from restarting each other.

After the IceSword task list is clean, use HijackThis to remove the following items:

C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\system32\mmm.exe
C:\WINDOWS\system32\updater\explorer.exe
C:\WINDOWS\system32\WallChan.exe
C:\DOCUME~1\Spike\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe

O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [PowerTweak Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKCU\..\Run: [CMWallpaperChanger] "C:\WINDOWS\system32\WallChan.exe"


But why those programs? VistaDrive is a program I installed and use. mmm.exe is a program I installed and use. WallChan.exe is a program I installed and use. All of these I know are safe and have always been present. Explorer.exe I'm fairly sure is safe and autorun.exe is most likely a copy of the autorun on a disc I've inserted. Anyway, that file is located in the temp dir and crapcleaner will remove it promptly. Sorry, not to be rude or anything, and I appreciate the effort, but I don't see why that is good advice?


I just quickly searched for all those and found they are associated with spyware.

The legit VistaDrive is stored in %windir%\Resources from what I've seen (never used it).

After looking some more, mmm.exe may be related to Kelsenellenelvian stuff.

WallChan may be legit as well, but I couldn't find any credible source for it.

If autorun.exe is run from a CD, I've rarely seen them copy themselves to the hard disk (U3 pen drives that emulate a CD drive will, however).

explorer.exe is NOT safe. The real explorer.exe (taskbar, start menu, etc.) resides in c:\windows, not c:\windows\updater.

Any way you look at it, terminating all the processes I listed will not harm your system. If you remove the 'O4 - HKLM\..\Run' entries in HijackThis, it will prevent them from running at system start, but rerunning/reinstalling them will fix that issue.

Definitely kill autorun.exe and the explorer.exe in the updater folder. Also, the thing I thought I had included in my above post: if you see the process in IceSword in red text, that means that process is hidden by a rootkit (not a biggie though, because IceSword can terminate it).
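The two replies above boil down to two checks that can be run over the posted log mechanically: a binary that borrows the name of a core Windows executable (explorer.exe, svchost.exe, lsass.exe, ...) but lives outside the directory Windows keeps it in, and anything persisting from a Temp folder. The script below is an added example written for this page, not code from the thread, from HijackThis or from IceSword. The expected-directory table is an assumption for a default Windows XP install (%windir% = C:\WINDOWS), and the sample log is a constructed subset of the lines posted above.

```python
"""Flag startup entries and processes in a HijackThis-style log that look like
masquerading or Temp-launched binaries. Added example for this thread, not
HijackThis or IceSword code. EXPECTED_DIRS is an assumption for a default
Windows XP install (%windir% = C:\\WINDOWS); extend it for other layouts."""
import re

# Core Windows binaries and the directory each legitimately runs from
# (lower-cased). A same-named file anywhere else is worth a closer look.
EXPECTED_DIRS = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
}

# O4 lines look like: "O4 - <hive>\..\<Run|RunOnce>: [<name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def image_path(cmd):
    """Best-effort extraction of the executable an O4 command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                          # quoted path, args follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.+?\.exe)(?=\s|$)", cmd)   # up to the first .exe token
    return m.group(1) if m else cmd.split()[0]


def split_path(path):
    """Return (directory, filename), lower-cased; directory is '' for a bare name."""
    path = path.lower()
    if "\\" not in path:
        return "", path
    directory, _, name = path.rpartition("\\")
    return directory, name


def assess(path):
    """Reasons an image path looks suspicious (empty list = nothing noted).

    Bare names such as 'RUNDLL32.EXE' carry no directory and are resolved via
    the search path at run time, so they are skipped here, not cleared."""
    directory, name = split_path(path)
    reasons = []
    if not directory:
        return reasons
    expected = EXPECTED_DIRS.get(name)
    if expected and directory != expected:
        reasons.append(f"{name} normally lives in {expected}, not {directory}")
    parts = directory.split("\\")
    if "temp" in parts or "tmp" in parts:
        reasons.append("runs from a temporary directory")
    return reasons


def scan_log(text):
    """Walk the 'Running processes:' block and every O4 line; return flagged
    items as (section, label, path, reasons) tuples in log order."""
    findings = []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                              # blank line ends the block
                in_procs = False
                continue
            reasons = assess(line)
            if reasons:
                findings.append(("process", line, line, reasons))
            continue
        m = O4_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            reasons = assess(path)
            if reasons:
                label = f"{m.group('hive')}\\..\\{m.group('key')} [{m.group('name')}]"
                findings.append(("O4", label, path, reasons))
    return findings


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\updater\explorer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\DOCUME~1\Spike\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe

O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    for section, label, path, reasons in scan_log(SAMPLE_LOG):
        print(f"[{section}] {label}\n    {path}\n    -> " + "; ".join(reasons))
```

On the sample it reports three items: the running `C:\WINDOWS\system32\updater\explorer.exe`, the `autorun.exe` under `LOCALS~1\Temp`, and the `[Updater]` Run entry pointing at the same misplaced explorer.exe; the genuine `C:\WINDOWS\Explorer.EXE` and the System32 binaries pass. A clean result is not a verdict (VistaDrive, mmm.exe and WallChan above are not flagged precisely because they carry no such tell), it only separates the entries that need a hash lookup or a disassembler from the ones that merely look unfamiliar.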


You are correct that mmm.exe is Kelsenellenelvian stuff, as are VistaDrive and WallChan. Because my OS is nLited with plenty of addons, a re-install will get me 90% of my system back to scratch with all the apps that I use. I know I perhaps shouldn't have, because then we won't find the solution, but I did do a re-install last night. I can say that the VistaDrive that I now have and that is working, and that came from Kel, is indeed located at the above listed location. But explorer and autorun are gone. Thanks for your help and time.


Just a note of caution. Doing a reinstall was probably the best move to be certain. However, I'm surprised a bit that you got fooled into clicking onto malware so easily. That basically means you need to do some research and learning about how these things work so you can recognize real from bogus. Don't get me wrong, I'm not criticizing you for not knowing, only surprised. Usually, someone who's unafraid of reinstalling has been around enough to have come across these "offers" which are all spyware/malware in themselves. Most of us have been through this at one point in time or other.

ESET Smart Security has a very decent spyware module in it. However, it can't know every new program out there. You might want to get a second opinion sometimes, and if you go to Google Pack and uncheck everything but the PC Tools Spyware Doctor free version, you can have a very good on-demand scanner at no cost.

