Bad Trojan [HELP]
(45 posts, started )
Hey guys.

I just scanned my PC with Trend Micro HouseCall (online scanner).

My PC found 2 trojans.
1 got removed and the other can't be.

It's called TSPY_SINOWAL.TR.

I want to remove it manually but can't find the file itself (used search too).

I wanted to know how to remove it?
I read what this trojan does and it doesn't feel good.


This spyware is a DLL component dropped by TSPY_SINOWAL variants.
It is injected into various running processes in order to achieve memory-residency.
It steals account-related information from the affected system. It does the said routine by logging keystrokes and then sending all gathered information to a predetermined email address via its own Simple Mail Transfer Protocol (SMTP) engine.
This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:19:02, on 27-8-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\UssGo\Bureaublad\Programma's\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A693A87-FBEA-4EE4-B124-8ABB66214F00}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A693A87-FBEA-4EE4-B124-8ABB66214F00}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS3\Services\Tcpip\..\{5A693A87-FBEA-4EE4-B124-8ABB66214F00}: NameServer = 208.67.222.222,208.67.220.220
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6460 bytes

And I guess that this trojan isn't running?

It would be really helpful if there was a program that only removes files like this.

Rick
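One way to triage a log like the one above, as an added Python example (not a HijackThis feature or anything from the thread): it parses the section-coded lines and flags entries whose target file is absent, O4 commands that name a program without a path, and any static O17 NameServer for a manual check. The embedded excerpt is a few lines copied from the log in the post.

```python
import re

# Constructed excerpt of the HijackThis log from the first post (representative lines only).
HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A693A87-FBEA-4EE4-B124-8ABB66214F00}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
"""

# HijackThis lines start with a section code (R0, O2, O4, ...) followed by " - ".
SECTION_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O4 body: "<hive or Startup>: [<value name>] <command line>"
O4_RE = re.compile(r"^(.*?): \[([^\]]*)\] (.*)$")


def parse_hjt(log):
    """Split a HijackThis log into (section, body) pairs, ignoring header/footer text."""
    entries = []
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def first_token(command):
    """Program part of an O4 command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage_hjt(log):
    """Return (section, reason, body) for entries that deserve a manual look."""
    findings = []
    for section, body in parse_hjt(log):
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "orphaned entry: target file is absent", body))
        elif section == "O4":
            m = O4_RE.match(body)
            prog = first_token(m.group(3)) if m else body
            # A bare name (no directory, no %var%) is resolved through the PATH
            # search order, so a same-named file earlier in PATH would run instead.
            if "\\" not in prog and "%" not in prog:
                findings.append((section, "unqualified program name, resolved via PATH", body))
        elif section == "O17":
            # A static NameServer overrides the DHCP-assigned resolver; confirm it is one
            # you chose. 208.67.222.222 / 208.67.220.220 are the public OpenDNS resolvers.
            findings.append((section, "static DNS resolver configured; confirm it is intended", body))
    return findings
```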
#2 - JTbo
Jesus, you have a lot of unneeded crap running, but no antivirus???

Now install Avast or AntiVir (this seems to have improved a lot in the last 6 months, however not sure if it is free anymore)


www.avast.com is where Avast is, don't remember AntiVir, Google is your friend.

Then update the antivirus of your choice and run a full scan, removing everything it finds.

Try also the www.evido.net antispyware solution, could do wonders for your system.

Small guidelines: toolbars are bad, those are from hell; there are perfect alternatives for QuickTime and RealPlayer that don't need processes to be running the whole time.

I don't know how the net is in your place, but here we get automatic IP addresses, and if HijackThis shows the nameserver being something, then usually that is some kind of hijacker and one should remove those entries.


Well, try with those first
Simply, I don't use any antivirus things.

I already scanned my PC with AD-aware SE personal.

I'm now downloading Avast.

and thank you for your fast reply.
#4 - JTbo
Quote from Takumi_lfs :Simply, I don't use any antivirus things.

I already scanned my PC with AD-aware SE personal.

I'm now downloading Avast.

and thank you for your fast reply.

Well, if you are not going to use such programs, then you are not getting rid of those bastards either.

Browsing the internet without antivirus software is like having sex with a commercial lady without protection, you never know what surprises you afterwards
Quote from JTbo :Well, if you are not going to use such programs, then you are not getting rid of those bastards either.

Browsing internet without anti virus software is like having sex with commercial lady without protection, you never know what surprises you afterwards

Nice comparison!

Takumi, you should really get some antivirus software on there. Or you could find yourself with something a lot worse than a trojan.
Apparently there's nothing particularly suspect in the log. You should perform another scan with HouseCall and compare the results to the previous scan.

The only way to be sure about the presence of malware would be analysing each running process and each autorun object (legitimate or not) using additional software. Process Explorer and Autoruns by Sysinternals are exceptionally well made for a thorough manual inspection.

If you suspect the file is hidden because of a rootkit, use an antirootkit. AVG, Sophos and F-Secure (BlackLight) provide one-click solutions. They're not the best, but sometimes they're enough. Attributes and permissions may be another cause of 'invisibility'. Be sure to show all files, including hidden ones.
#7 - ajp71
Quote from JTbo :
Browsing internet without anti virus software is like having sex with commercial lady without protection, you never know what surprises you afterwards

Well, since the rest of the family started using a newer computer I've exclusively used this PC and not had 1 virus or piece of spyware in 3 years of not running any virus scans. I usually run an Avast scan each time I re-install Windows on the other PC, which I think I've probably done about 7 times. It's not as though this computer's web browsing is squeaky clean, I just use Firefox and when I come across an un-exploded nuclear warhead I don't poke it with a stick.
#8 - JTbo
Quote from ajp71 :Well, since the rest of the family started using a newer computer I've exclusively used this PC and not had 1 virus or piece of spyware in 3 years of not running any virus scans. I usually run an Avast scan each time I re-install Windows on the other PC, which I think I've probably done about 7 times. It's not as though this computer's web browsing is squeaky clean, I just use Firefox and when I come across an un-exploded nuclear warhead I don't poke it with a stick.

So you are basically saying that you are using only clean commercial women, why does this bring a smile to my face?

Firefox is not fail-proof either, and let's not get started with email and its attachments
#9 - ajp71
Quote from JTbo :
Firefox is not fail-proof either, and let's not get started with email and its attachments

Well, Gmail and Hotmail both seem pretty bulletproof. I use Gmail for writing e-mails and find it far more convenient than e-mail programs, which seem to be a more likely weak point. I don't use the tightest security settings in Firefox.

TBH I think an antivirus scanner offers about as much protection as wearing a rubber glove in a tank of piranhas, just don't push your luck and you'll be fine
#10 - JTbo
Quote from ajp71 :Well, Gmail and Hotmail both seem pretty bulletproof. I use Gmail for writing e-mails and find it far more convenient than e-mail programs, which seem to be a more likely weak point. I don't use the tightest security settings in Firefox.

TBH I think an antivirus scanner offers about as much protection as wearing a rubber glove in a tank of piranhas, just don't push your luck and you'll be fine

A good antivirus works actively in the background and does not let anything harmful enter your HDD, that is the idea. However, F-Secure for example works completely the wrong way: it lets stuff onto the HDD and then tries to remove it, but "file is in use and cannot be removed" is more the rule than the exception with it.

You can't predict what will come up from the internet. Those banners there tend to contain all kinds of crap, there is a new company every second so ad blockers are not perfectly effective. The shitty part is you don't need to click anything, it is when you see it that you get it, with IE even worse than with Firefox, but one should not believe Firefox would be immune, there are some pests designed directly for Firefox and there will be more in the future.

Game review and cheat-providing sites seem to have all kinds of this crap on their websites, some are not even banners but, like on Megaupload, there are some popups doing things to your machine you don't like if you don't cripple your browser to the stone age. Really sad how it is.
Almost the same case as with ajp71 here - after using the computer with everyone in the family without any means of antivirus there have been 4 viruses. The PRIMARY trick to keeping yourself clean is BROWSING USING A USER ACCOUNT. The SECONDARY trick is to use a good web browser - currently Opera is the best in most respects, it's the fastest, way ahead of the others on Windows (not so good on other OSes though). And it has way fewer security bugs, and those bugs get fixed quickly. (Firefox has had about 30 this year with 10 still not fixed, Opera has had 6 and all of them have been fixed and none of them have been major)
A good antivirus traps some kernel calls by modifying the NT System Service Descriptor Table. For instance Kaspersky traps NtClose, NtCreateProcess, NtCreateProcessEx, NtCreateSection, NtOpenProcess, NtQueryInformationFile, NtSetInformationProcess and NtTerminateProcess to handle them with the driver klif.sys. All these kernel calls are usually handled by ntoskrnl.exe, but in the case of Kaspersky the SSDT is manipulated and extended to offer the functionality needed to open the file, check it and pass it back to the operating system if clean.

This is the way most antiviruses work these days. It's fairly easy to check this, just run a simple antirootkit like IceSword and check the SSDT.

This methodology is also used by some rootkits.

There are some additional possible checks, such as the use of an LSP to scan network traffic for incoming malware. Such a technique is used for instance by MicroWorld eScan, which is based on the Kaspersky engine but adds an interesting and sometimes annoying feature called Winsock Layer. They say it prevents malware from entering by blocking the related network traffic, but that doesn't always work.
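The SSDT check described in the post above, as an added Python model that is not IceSword's code or anything from the thread: every service slot should resolve into ntoskrnl.exe, a slot resolving into another loaded module is a hook attributed to that module (klif.sys for Kaspersky), and a slot resolving into no known module is the case an anti-rootkit escalates. The module ranges and table addresses are constructed sample values.

```python
# Constructed module map, (name, base, size); addresses are made up, not from a real system.
LOADED_MODULES = [
    ("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    ("klif.sys",     0xF7A10000, 0x02C000),
]

# Constructed SSDT snapshot: service index -> (service name, handler address).
# Service names are the ones the post lists; the indices and addresses are invented.
SSDT_SNAPSHOT = {
    0x19: ("NtClose",                0xF7A12340),  # redirected into klif.sys
    0x2F: ("NtCreateProcess",        0xF7A12A00),
    0x32: ("NtCreateSection",        0x805A1C20),  # still inside ntoskrnl.exe
    0x7A: ("NtOpenProcess",          0xF7A13100),
    0x9F: ("NtQueryInformationFile", 0x80590840),
    0xB8: ("NtTerminateProcess",     0xF7A13500),
    0xC0: ("NtSetInformationProcess", 0xF9C00120),  # constructed: no loaded module owns this
}


def owning_module(address, modules=LOADED_MODULES):
    """Name of the loaded module whose image range contains address, or None."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name
    return None


def classify_ssdt(snapshot=SSDT_SNAPSHOT, modules=LOADED_MODULES):
    """Map each service name to 'native', 'hooked by <module>' or 'hooked by unknown code'."""
    result = {}
    for _index, (name, address) in sorted(snapshot.items()):
        owner = owning_module(address, modules)
        if owner == "ntoskrnl.exe":
            result[name] = "native"
        elif owner is not None:
            # Expected for a product like Kaspersky; verify the owning driver is one you installed.
            result[name] = f"hooked by {owner}"
        else:
            # A handler outside every listed module is what a driver that has unlinked
            # itself from the module list looks like; this is the entry to investigate.
            result[name] = "hooked by unknown code"
    return result


def hooked_services(snapshot=SSDT_SNAPSHOT, modules=LOADED_MODULES):
    """Sorted names of every service whose handler is not in ntoskrnl.exe."""
    return sorted(n for n, v in classify_ssdt(snapshot, modules).items() if v != "native")
```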
It doesn't matter if you have an antivirus or not, because if you don't know where you keep getting them from, an antivirus will never tell you that, unless the name of the virus/spyware is linked in name to a website you went on.

If you keep persisting in going on HACKING sites, to get one up on your friends and LANs, just think about it. And think about the horsey you got last week, k?
LOL, I just boot-scanned my PC with Avast. It detected some nice files infected by the trojan???

Anyway, because I have a USB keyboard I couldn't press any keys, and damn, I waited 5 hours for that.

I'm gonna scan my PC again but not the boot scan.
#15 - JTbo
Quote from Takumi_lfs :LOL, I just boot-scanned my PC with Avast. It detected some nice files infected by the trojan???

Anyway, because I have a USB keyboard I couldn't press any keys, and damn, I waited 5 hours for that.

I'm gonna scan my PC again but not the boot scan.

Set the boot-time scan to automatically delete, or enable USB legacy support in the BIOS. I have a USB keyboard and mouse and no trouble at all
Quote from JTbo :Browsing the internet without antivirus software is like having sex with a commercial lady without protection, you never know what surprises you afterwards

Antivirus is more akin to going to the doctor and asking for a shot against every known virus or disease. You'd then be weighed down by the extra 5 pints of fluid in your system.
Ah nvm, I'm already scanning it (thorough scan).

Anyway, good prog. I'll ask my dad to buy it.
#18 - JTbo
Quote from Takumi_lfs :Ah nvm, I'm already scanning it (thorough scan).

Anyway, good prog. I'll ask my dad to buy it.

You don't need to, it is free for home use, also light and efficient
Well, but why did it ask me to write a licence code then?

and why 59 days left?
Quote from Takumi_lfs :Well, but why did it ask me to write a licence code then?

and why 59 days left?

IIRC you have to register at their website to get the activation code for the free version. It's either that or you've downloaded one of their commercial products.
#21 - JTbo
Quote from ajp71 :IIRC you have to register at their website to get the activation code for the free version. It's either that or you've downloaded one of their commercial products.

Download the Avast Home free version, then Support -> Avast Home registration and he should be okay, supplied with a code that gives a 1-year license. After one year do it again and get another year's license. I have used it 2-3 years now and even though I have not paid anything their support is A1 if one needs it
Quote from JTbo :Download the Avast Home free version, then Support -> Avast Home registration and he should be okay

The best thing in Avast is that it's free. Their virus database is odd and fails to locate lots of trojans. I'd go with Avira AntiVir if I had to choose a free antivirus, it does a better job.

Kaspersky remains my antivirus of choice, and the most respected one by people who have an interest in fighting malware. The Holy Father used it as a benchmark to detect his excellent rootkit, Hacker Defender.

Apparently the Holy Father died in a road accident last year, but I didn't check if this is only a rumour. The old homepage is unavailable. The old presentation he made for hxdef is still on YouTube.
Quote from Takumi_lfs :Simply, I don't use any antivirus things.

That's exactly what leads to problems like yours...
AVG is good, fast-working antivirus software that not only works, but also is free
Quote from squidhead :That's exactly what leads to problems like yours...

This isn't quite right. You can perfectly well live without an antivirus, but you have to understand what you're doing and accept the fact that you have to manage security proactively on your own.

I for one accept the thesis of the Holy Father: the approach of most antiviruses is inherently flawed because they prevent only what they know, and this leads to a false sense of security. Nonetheless it's still a valid approach, because most people don't know how to audit or manage the security of their computer. Trouble is, should they do it or not? Ideally they shouldn't have to, but OSes are far from perfect. To each his own.
#25 - JTbo
Quote from Albieg :The best thing in Avast is that it's free. Their virus database is odd and fails to locate lots of trojans. I'd go with Avira AntiVir if I had to choose a free antivirus, it does a better job.

Kaspersky remains my antivirus of choice, and the most respected one by people who have an interest in fighting malware. The Holy Father used it as a benchmark to detect his excellent rootkit, Hacker Defender.

Apparently the Holy Father died in a road accident last year, but I didn't check if this is only a rumour. The old homepage is unavailable. The old presentation he made for hxdef is still on YouTube.

Avira AntiVir is indeed a rather nice product nowadays, nothing like a few years ago when Avast was still far superior to any other. They have been sleeping on their laurels, it seems, but last time I mailed them they were quite sorry about the situation and at least expressed the will to improve, which is a good sign, imo.

Still, Avast beats Norton and F-Secure hands down, but Avira is something you could check out too. I have no long-term experience with Avira (other than some old version which was really bad) so I might put it on one box for a test