trojandownloader.pysme


Solved trojandownloader.pysme

Post by TeReX on Mon 31 Mar 2008, 6:34 pm

Hello fellows!

First of all, thanks for your help. I'll be posting a HijackThis log since I couldn't download SUPERAntiSpyware. However, I'll try to provide you with all the information I have:

Eset NOD32 antivirus detected and quarantined the following (as I can see, exploit.realplay.e and trojandownloader.psyme.LS were found during a hidden connection to the site mentioned below):

20.03.2008 15:22:48 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZF7ZI2P7\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE.
20.03.2008 15:22:46 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 15:22:46 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 15:11:38 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
20.03.2008 15:11:37 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
20.03.2008 15:01:10 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7K6TXJJ4\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe.
20.03.2008 15:01:03 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 15:00:57 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 15:00:57 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:52:08 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\68H5DR0S\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe.
20.03.2008 14:52:08 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:52:07 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:52:05 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:52:05 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:43:31 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZF7ZI2P7\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe.
20.03.2008 14:43:31 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:43:30 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:41:58 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:41:56 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:41:53 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0A48B52W\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe.
20.03.2008 14:41:51 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 14:41:51 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator



The first thing I did was to remove RealPlayer, but it didn't help, so here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:54:39, on 20.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6039 bytes


Thanks again for helping! Please reply ASAP and feel free to request any additional information you need.

TeReX
Senior Surfer

Posts : 335
Joined : 19 Feb 2008
Age : 20
Location : here
Operating System : ms dos?
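The ESET lines in the post above are the most useful evidence in the thread: the HTTP filter entries name the remote host and the threat, and the real-time protection entries record which local process touched the cached copy of the page. The following is an added example, not code from the post or from ESET, that parses lines of that layout and tallies threats, remote hosts, cached file names and triggering applications. The field layout is inferred from the quoted lines, so the regular expression is an assumption about the format rather than an ESET specification; the six sample lines are copied from the log above.

```python
"""Triage helper for ESET NOD32 detection-log lines.

Added example: parses lines in the layout quoted in the post above and
answers the first questions a responder asks -- which threats fired,
which remote host served them, and which local program triggered each
event. The field layout is inferred from those lines; the regex is an
assumption about the format, not an ESET specification.
"""
import re
from collections import Counter
from datetime import datetime
from ntpath import basename
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>Real-time file system protection|HTTP filter) file "
    r"(?P<object>.+?) (?P<threat>[A-Za-z0-9]+/\S+) trojan "
    r"(?P<action>.+? - quarantined) "
    r"(?P<user>NT AUTHORITY\\SYSTEM|\S+\\\S+)"
    # Optional trailer naming the process that touched the object.
    r"(?: .*?by the application: (?P<app>.+?)\.)?$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["timestamp"] = datetime.strptime(
        f"{ev['date']} {ev['time']}", "%d.%m.%Y %H:%M:%S")
    is_url = ev["object"].lower().startswith(("http://", "https://"))
    # Remote host for HTTP-filter events; local cached file name otherwise.
    ev["host"] = urlsplit(ev["object"]).hostname if is_url else None
    ev["file_name"] = None if is_url else basename(ev["object"])
    ev["app_name"] = basename(ev["app"]) if ev["app"] else None
    return ev


def parse_log(text):
    """Parse every matching line; lines that do not match are skipped, not fatal."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def summarize(events):
    """Tally what a responder wants first; the log is newest-first, so sort."""
    events = sorted(events, key=lambda e: e["timestamp"])
    return {
        "count": len(events),
        "first": events[0]["timestamp"] if events else None,
        "last": events[-1]["timestamp"] if events else None,
        "modules": Counter(e["module"] for e in events),
        "threats": Counter(e["threat"] for e in events),
        "hosts": Counter(e["host"] for e in events if e["host"]),
        "cached_files": Counter(e["file_name"] for e in events if e["file_name"]),
        "applications": Counter(e["app_name"] for e in events if e["app_name"]),
    }


# Six lines copied from the ESET log quoted in the post above.
SAMPLE_LOG = r"""
20.03.2008 15:22:48 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZF7ZI2P7\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE.
20.03.2008 15:22:46 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 15:22:46 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator
20.03.2008 15:11:38 HTTP filter file http://791224.com/06014.htm VBS/TrojanDownloader.Psyme.LS trojan connection terminated - quarantined HOME-1234567891\Administrator Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
20.03.2008 15:11:37 HTTP filter file http://791224.com/r.htm JS/Exploit.RealPlay.E trojan connection terminated - quarantined HOME-1234567891\Administrator Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
20.03.2008 15:01:10 Real-time file system protection file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7K6TXJJ4\r[1].htm JS/Exploit.RealPlay.E trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe.
"""

if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print(f"{report['count']} events, {report['first']} to {report['last']}")
    for key in ("modules", "threats", "hosts", "cached_files", "applications"):
        print(f"{key}:")
        for name, n in report[key].most_common():
            print(f"  {n:3d}  {name}")
```

On the six sample lines the report shows both threat names coming from a single host, the web events attributed to Firefox and the cached-file events attributed to Yahoo! Messenger, which is the same correlation the poster drew by hand from the alerts; on a full saved log the `applications` tally is the quickest way to see which programs are pulling in the page.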

Re: trojandownloader.pysme

Post by Doctor Inferno on Tue 01 Apr 2008, 6:18 pm

Hi there, I would like to look a little deeper.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


Doctor Inferno
RESIDENT SURGEON

Posts : 2855
Joined : 26 Dec 2007
Location : †Virus Vault†
Operating System : Windows Vista Ultimate

Re: trojandownloader.pysme

Post by TeReX on Wed 02 Apr 2008, 6:39 pm

There seems to be a problem: dss can't perform its scan - I get the "this program has encountered a problem and needs to close" message near the end of the scan. I'm sure I closed all the windows - tried running it in safe mode too, with the same result.

Let me be more specific: the first time NOD32 alerted me was while running Yahoo! Messenger. It showed the messages I posted in my first post. Meanwhile, I uninstalled realplayer, uninstalled and then reinstalled Yahoo! Messenger. I didn't get any other alert from NOD32 after doing this but I'm not at all sure that the problem is gone for good. Anyway, my internet connection is fast again and my computer runs much better after what I did so I can now quickly try any fixing detection tool needed.

Thanks for helping, do you know any other tool I could use to give you more information about this?


Re: trojandownloader.pysme

Post by Doctor Inferno on Thu 03 Apr 2008, 8:56 pm

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

* Close ALL OTHER PROGRAMS.
* Open the OTScanit folder and double-click on OTScanit.exe to start the program.
* Check the box that says Scan All User Accounts.
* Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days.
* Under Additional Scans check the following:
  o File - Additional Folder Scans
  o File - Purity Scan
* Now click the Run Scan button on the toolbar.
* Let it run unhindered until it finishes.
* When the scan is complete Notepad will open with the report file loaded in it.
* Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.



Re: trojandownloader.pysme

Post by TeReX on Fri 04 Apr 2008, 6:33 pm

I uploaded the file so here it is:

http://www.mediafire.com/?2xb0phvdcxx


Re: trojandownloader.pysme

Post by Doctor Inferno on Sat 05 Apr 2008, 11:46 am

Well, that looked nice and clean - one final sweep on the other areas not covered.

Please download Malwarebytes' Anti-Malware from here or here

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Re: trojandownloader.pysme

Post by TeReX on Sun 06 Apr 2008, 10:01 pm

It found only two infected items:
Files Infected:
C:\WINDOWS\system32\Services.cpi (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Services.cpl (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

It didn't request any reboot so I guess everything is clean now. Please let me know if you feel I should run any other test.
Thank you very much for helping, you did a great job!


Re: trojandownloader.pysme

Post by Doctor Inferno on Mon 07 Apr 2008, 6:57 pm

OK, let's secure you so you won't get the byte verify and exploit problem again.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:

* Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and save it to your desktop.
* Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".
* Click the "Download" button to the right.
* Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
* Click on the link to download Windows Offline Installation and save the file to your desktop.
* Close any programs you may have running - especially your web browser.
* Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
* Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
* Click the Remove or Change/Remove button.
* Repeat as many times as necessary to remove each Java version.
* Reboot your computer once all Java components are removed.
* Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.



THEN

Now the best part of the day ----- Your log now appears clean!

Double click OTScanit once again and you should see a CleanUp! button; press that button. You may get prompted by your firewall that OTScanit wants to contact the internet; allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself. MBAM can be removed via Add/Remove Programs.


Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Re: trojandownloader.pysme

Post by TeReX on Fri 11 Apr 2008, 12:08 pm

I did exactly what you said and I also installed Zone Alarm Pro as a firewall. In addition to that, I've checked and got all the recent updates. Hope that's gonna keep me clean for a long time

Thanks again for helping!


Re: trojandownloader.pysme

Post by Doctor Inferno on Fri 11 Apr 2008, 8:22 pm

*********************************************************

This subject has been addressed or corrected. The subject is now closed.

*********************************************************


