NIall
Guest IP: 196.39.*.*
Posted: Sun Nov 30, 2003 6:29 pm Post subject: Trojan Horse Dropper Swicer.A
I've also picked up the trojan horse dropper Swicer.A from a download.
Here is the HijackThis log: (Please HELP)
Logfile of HijackThis v1.97.7
Scan saved at 8:33:57 PM, on 11/30/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Window Active\winactive.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\Reddy\APPLIC~1\shckweoc.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\wjview.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Reddy\LOCALS~1\Temp\Gyv1.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\mdm.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG6\avgw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Reddy\My Documents\Niall\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbnl.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sbnl.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = sbnl.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sbnl.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbnl.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sbnl.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sbnl.com/searchbar.html
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {80052003-d3b2-46b5-97f6-252d3b18161e} - C:\DOCUME~1\Reddy\APPLIC~1\frxlbchyss.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eoogrthnyny - {0599af76-0cad-4caf-8780-84d51c7d6566} - C:\DOCUME~1\Reddy\APPLIC~1\frxlbchyss.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cchyx] C:\DOCUME~1\Reddy\APPLIC~1\shckweoc.exe -QuieT
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Morpheus] "C:\Program Files\StreamCast\Morpheus\Morpheus.exe" -min
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InstallWatch Pro.lnk = ?
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://195.161.116.154/MP3/MP3_DOWNLOAD_PLUGIN.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAD0BBB0-DAAF-4F21-B77B-8B343C2FC83E}: NameServer = 168.210.2.2 196.14.239.2
Thanx!
TonyKlein
Site Moderator Microsoft MVP
 Joined: Oct 15, 2002 Posts: 13120 Location: Netherlands
Posted: Sun Nov 30, 2003 6:32 pm Post subject:
Hi!
Check and have Hijack This fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbnl.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sbnl.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = sbnl.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sbnl.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbnl.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sbnl.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sbnl.com/searchbar.html
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {80052003-d3b2-46b5-97f6-252d3b18161e} - C:\DOCUME~1\Reddy\APPLIC~1\frxlbchyss.dll
O3 - Toolbar: eoogrthnyny - {0599af76-0cad-4caf-8780-84d51c7d6566} - C:\DOCUME~1\Reddy\APPLIC~1\frxlbchyss.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [cchyx] C:\DOCUME~1\Reddy\APPLIC~1\shckweoc.exe -QuieT
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://195.161.116.154/MP3/MP3_DOWNLOAD_PLUGIN.EXE
Reboot, and delete:
Folders:
C:\Program Files\MyWay
C:\Program Files\E2G
C:\Program Files\Window Active
C:\Program Files\WebSavingsfromEbates
And the C:\Documents and Settings\Reddy\Application Data\shckweoc.exe file
Cheers,
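A defender-side triage of the kind TonyKlein did by eye, as an added example that is not part of the original thread: it parses HijackThis log lines and flags the patterns he had fixed (startup items and BHOs loaded from the user's Application Data or Temp folder, a BHO registered with no name, an O16 ActiveX download of a raw .EXE from a bare IP, IE start/search pages pointing away from the Microsoft defaults). The sample lines are excerpted from the log above; the heuristics and the `triage` function are my assumptions, not HijackThis's own rules.

```python
import re

# Constructed test input: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = sbnl.com
O2 - BHO: (no name) - {80052003-d3b2-46b5-97f6-252d3b18161e} - C:\DOCUME~1\Reddy\APPLIC~1\frxlbchyss.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [cchyx] C:\DOCUME~1\Reddy\APPLIC~1\shckweoc.exe -QuieT
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://195.161.116.154/MP3/MP3_DOWNLOAD_PLUGIN.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Heuristic (assumption): legitimate Run items and BHOs live under Program Files or
# the Windows directory, not under a user's Application Data or Temp folder.
PROFILE_DATA = re.compile(
    r"\\(?:DOCUME~1|Documents and Settings)\\[^\\]+\\"
    r"(?:APPLIC~1|Application Data|LOCALS~1\\Temp|Local Settings\\Temp)\\",
    re.IGNORECASE,
)
# O16 "Download Program Files" entries: pull out the host and the path of the source URL.
DPF_URL = re.compile(r"https?://([^/\s]+)(/\S*)?", re.IGNORECASE)
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
IE_DEFAULT_HOSTS = ("microsoft.com", "msn.com")


def triage(log_text):
    """Return (reason, line) pairs for HijackThis entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]  # e.g. "R0", "O2", "O4", "O16"
        if section in ("R0", "R1") and not any(h in line for h in IE_DEFAULT_HOSTS):
            findings.append(("IE start/search page points to a non-default site", line))
        if section in ("O2", "O3", "O4") and PROFILE_DATA.search(line):
            findings.append(("loads from user profile data/temp directory", line))
        if section == "O2" and "(no name)" in line:
            findings.append(("BHO registered without a name", line))
        if section == "O16":
            m = DPF_URL.search(line)
            if m and (BARE_IP.match(m.group(1)) or (m.group(2) or "").lower().endswith(".exe")):
                findings.append(("ActiveX download from bare IP or as raw .exe", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

The AVG startup item and the Macromedia Flash cab in the sample pass untouched, which is the point: the rules single out the entries the moderator told the poster to fix, not every line in the log.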