Author Topic: Trojan.Cinmus (New problem)  (Read 14748 times)


zone12

  • Guest
Trojan.Cinmus (New problem)
« on: December 09, 2009, 05:26:35 AM »
So some time ago I found this on my computer. Now I don't know which version it is (Google states there being a Trojan./Adware. version). I deleted it along with its registry files. Now a couple of days ago, about 2 minutes into the scan, I found another registry entry of this. What I'm wondering is how this was missed and if it has been there the whole time. Now I do go on some sites that do have pop-ups, such as Armor Games, but avast should have picked it up as malware, shouldn't it?

PC Tools states that the program (.adware) is installed as a browser helper tool that displays ads at random intervals. I'm wondering if this could have been installed on some private sites that I've been on. So I'm mostly wondering if this installed itself onto my computer through a web page or was bundled with something else. The computer this registry bit is on is a shared computer and I do not know what the other people go onto. However, I do know that most of the sites are of Chinese origin. Now, assuming that these installed themselves through a web page, avast should have popped up, right? Would this be a possible place from which the adware came?
[NSFW][google link]http://www.google.com/search?q=pornhub&rls=com.microsoft:*:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLL_en
Avast did not detect anything; however, the site did have links that created pop-ups while opening an actual page.

Malwarebytes:
Trojan.Cinmus, Registry Key, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{b580cf65-e151-49c3(unreadable symbols)}
« Last Edit: December 22, 2009, 04:03:50 AM by zone12 »

zone12

  • Guest
Re: Trojan.Cinmus
« Reply #1 on: December 09, 2009, 05:28:43 AM »
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:15 ??, on 2009-12-8
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: (no name) - -{B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: ????5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ????5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: cwt - {774E529C-2458-48A2-8F57-3ED3105D8612} - C:\Program Files\CaseWare\cwproto.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP M1319 Receive Fax Service (HPM1319RcvFaxSrvc) - Marvell - C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

--
End of file - 7487 bytes

I am aware that I have Orbit Downloader; some of the "no name" entries are parts of a removed Baidu bar.

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1371
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: Trojan.Cinmus
« Reply #2 on: December 09, 2009, 06:30:28 AM »
Hi Zone,

After scanning your HijackThis log, there is no harmful application running on your system. But there are some registry entries you need to fix, like:

O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)

O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - (no file)

O3 - Toolbar: (no name) - -{B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)


And as for the website you referenced, after I analyzed it, that website is not a harmful website either.

http://www.mywot.com/en/scorecard/www.google.com

Because Google is only a search engine, but if you clicked through to that porn website, I am not sure whether it is safe or not.

But to make sure, please follow these steps:

1. Download ComboFix
2. Save the download under a renamed file name, for example: 123.exe
3. Please stop all Windows activity, including avast antivirus protection
4. Please click your downloaded file and start the scan

Once the scanning process has started, please DO NOT click on the ComboFix window or attempt to use your computer, as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

After the scan has finished, please submit your combofix.txt to this forum.

Reference: http://forum.avast.com/index.php?topic=52019.0



Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya
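The O2/O3 entries singled out above are BHO and toolbar registrations whose CLSID is still in the registry while the DLL they point at is gone, which is why HijackThis prints "(no file)". As an added example, not code from the thread, from HijackThis or from any of the posters, the following Python script parses O2/O3 lines in the posted log format, returns the orphaned entries, and lists the registry locations where a CLSID of that kind is normally registered (the per-user Ext\Settings key is the one Malwarebytes flagged in the first post; the other three are the standard BHO, toolbar and CLSID keys and are an assumption of this example, not something the thread states). The sample log lines are constructed from the entries quoted above.

```python
import re
from typing import Dict, List

# Constructed sample: O2/O3 lines in HijackThis v2 format, copied in shape from
# the log quoted above (a real log has many more sections; O4 is here only to
# show that other sections are ignored).
SAMPLE_LOG = """\
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\\Program Files\\Orbitdownloader\\orbitcth.dll
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\\Program Files\\Orbitdownloader\\GrabPro.dll
O3 - Toolbar: (no name) - -{B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

# One HijackThis O2 (BHO) or O3 (toolbar) line. The optional "-" before the
# brace covers the "- -{CLSID}" form that appears in the posted log.
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - -?"
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<path>.*)$"
)


def registry_locations(clsid: str) -> List[str]:
    """Registry keys to inspect for a leftover IE BHO/toolbar CLSID.

    The Ext\\Settings key is the one reported by Malwarebytes in the thread;
    the other three are the standard IE/COM registration points (assumption
    of this example, not stated in the thread).
    """
    c = "{" + clsid.upper() + "}"
    return [
        r"HKCR\CLSID\%s" % c,
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s" % c,
        r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar (value named %s)" % c,
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s" % c,
    ]


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return every O2/O3 entry as a dict (section, kind, name, clsid, path)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def orphaned_entries(text: str) -> List[Dict[str, str]]:
    """Entries whose CLSID is still registered but whose DLL is missing."""
    return [e for e in parse_hjt(text) if e["path"].strip() == "(no file)"]


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e['section']} {e['kind']} {e['name']} -> orphaned CLSID {e['clsid']}")
        for loc in registry_locations(e["clsid"]):
            print("   check:", loc)
```

An orphaned entry is not itself malicious code, since nothing is left to load, but it is a marker that something registered a BHO or toolbar and was removed incompletely; if a scanner keeps re-reporting the same CLSID, the registration under one of the listed keys is what is being recreated or was never cleaned.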

Jtaylor83

  • Guest
Re: Trojan.Cinmus
« Reply #3 on: December 09, 2009, 11:21:24 PM »
Avast should detect and remove Cinmus. Try running a boot time scan and send to the virus chest (quarantine) whatever avast! finds.

zone12

  • Guest
Re: Trojan.Cinmus
« Reply #4 on: December 10, 2009, 05:00:42 AM »
Now avast did not find anything on the site. I guess what I'm trying to say is: could Malwarebytes have missed one registry bit?

zone12

  • Guest
Re: Trojan.Cinmus
« Reply #5 on: December 11, 2009, 03:47:21 AM »
Does anybody know where to get a list of websites that may contain this?

Edit: So if this was installed by a website, avast would have picked it up, right? The only way for it to get in would be an installation of another program.
« Last Edit: December 11, 2009, 03:54:01 AM by zone12 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33929
  • malware fighter
Re: Trojan.Cinmus
« Reply #6 on: December 11, 2009, 01:32:23 PM »
This is a typical adware BHO that can be removed with BHO demon: http://www.definitivesolutions.com/bhodemon.htm

Here we provide you with the manual removal instructions for this malware:

Adware.Cinmus is an annoying adware program that bombards you with hundreds of popup advertisements based on your browsing habits. Adware.Cinmus will also monitor your web surfing habits and send information to third parties. Adware.Cinmus embeds itself into your system as a Browser Helper Object (BHO) and it may be difficult to remove it manually.

Kill processes:
Step 1: Use Windows Task Manager to remove Adware.Cinmus processes
Remove the "Adware.Cinmus" process files:
ad3673.exe
malware.exe

Step 2: Detect and delete other Adware.Cinmus files
Remove the "Adware.Cinmus" process files:
mtlrd
mtlrd.sys
ad3673.exe

Unregister DLLs:
syswindrv.dll

Delete files:
ntptdb.sys syswindrv.dll malware.exe

Step 3: View the Adware.Cinmus components with their MD5s
Remove the "Adware.Cinmus" components:
File name       Size (bytes)   MD5
ad3673.exe      113799         5dae169ac924696ec0deff8886ae55f9
mtlrd.sys       349444         2e523abd368262b0bc74e15f8e224a0c
ntptdb.sys      212996         38bcbc5547a3d7bc5c870e7f9ce722bc
mtlrd.sys       349188         423809dc3187938880e3d480d6191f7b
malware.exe     228752         0663acb0972c48a194248b8ab0e8a56e
syswindrv.dll   189440         b8c1acb7b49eaaf3228b369e83c258b4

polonus

« Last Edit: December 11, 2009, 02:50:31 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
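The component table above (file name, size, MD5) is in effect a small indicator set, and it is worth seeing how such a set behaves when you actually scan with it. The following Python scanner is an added example, not polonus's script and not from any removal tool: it walks a directory tree and classifies each file against the indicators as "exact" (name, size and MD5 all agree), "name-only" (a file merely carries one of the listed names) or "hash-only" (the content matches under a different name). The demo tree, its file contents and the one extra indicator the demo appends are constructed so the script runs offline; the six Cinmus rows are copied from the post.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Indicators exactly as listed in the post above: (file name, size in bytes, MD5).
CINMUS_IOCS: List[Tuple[str, int, str]] = [
    ("ad3673.exe", 113799, "5dae169ac924696ec0deff8886ae55f9"),
    ("mtlrd.sys", 349444, "2e523abd368262b0bc74e15f8e224a0c"),
    ("ntptdb.sys", 212996, "38bcbc5547a3d7bc5c870e7f9ce722bc"),
    ("mtlrd.sys", 349188, "423809dc3187938880e3d480d6191f7b"),
    ("malware.exe", 228752, "0663acb0972c48a194248b8ab0e8a56e"),
    ("syswindrv.dll", 189440, "b8c1acb7b49eaaf3228b369e83c258b4"),
]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 only because that is what the list gives)."""
    return hashlib.md5(data).hexdigest()


def classify_file(name: str, data: bytes,
                  iocs: List[Tuple[str, int, str]] = CINMUS_IOCS) -> Optional[str]:
    """Return 'exact', 'name-only', 'hash-only' or None for one file."""
    digest = md5_hex(data)
    by_name = [i for i in iocs if i[0].lower() == name.lower()]
    if by_name:
        # Same name: only a size+hash agreement counts as a confirmed match.
        if any(size == len(data) and h == digest for _, size, h in by_name):
            return "exact"
        return "name-only"
    # Different name: a renamed copy still matches on content.
    if any(h == digest for _, _, h in iocs):
        return "hash-only"
    return None


def scan_tree(root: str,
              iocs: List[Tuple[str, int, str]] = CINMUS_IOCS) -> Dict[str, str]:
    """Walk root and map each matching file path to its verdict."""
    hits: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skip, do not crash the scan
            verdict = classify_file(fn, data, iocs)
            if verdict:
                hits[path] = verdict
    return hits


def demo() -> Dict[str, str]:
    """Constructed demo tree: a decoy with an indicator's name but other content,
    and a renamed file whose hash we add as a constructed extra indicator."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ad3673.exe"), "wb") as fh:
            fh.write(b"constructed decoy, not the real sample")
        payload = b"constructed sample bytes"
        with open(os.path.join(d, "harmless.tmp"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(d, "notes.txt"), "wb") as fh:
            fh.write(b"unrelated file")
        iocs = CINMUS_IOCS + [("sample.bin", len(payload), md5_hex(payload))]
        hits = scan_tree(d, iocs)
        return {os.path.basename(p): v for p, v in hits.items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name}: {verdict}")
```

The three verdicts are the practical caveat of hash lists like this one: a file that only shares a name is a weak signal and needs its hash checked (which is what the later advice to run samples through VirusTotal amounts to), while an exact-hash list misses any repacked variant, so the "hash-only" path only ever catches the same build under a new name.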

zone12

  • Guest
Re: Trojan.Cinmus
« Reply #7 on: December 12, 2009, 04:17:11 AM »
This is a typical adware BHO that can be removed with BHO demon: http://www.definitivesolutions.com/bhodemon.htm

Here we provide you with the manual removal instructions for this malware:

Adware.Cinmus is an annoying adware program that bombards you with hundreds of popup advertisements based on your browsing habits. Adware.Cinmus will also monitor your web surfing habits and send information to third parties. Adware.Cinmus embeds itself into your system as a Browser Helper Object (BHO) and it may be difficult to remove it manually.


polonus


(Shortened)

That link opens a 404 error, but it's a custom one...

zone12

  • Guest
Re: Trojan.Cinmus
« Reply #8 on: December 15, 2009, 02:01:19 AM »
O3 - Toolbar: (no name) - -{B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)

Anyone know how to remove this? It just comes back after every scan.

Edit: It also seems to be able to close your browser; avast didn't detect a virus. So is this just an error? I think that this is because I closed the pop-ups before they finished loading. Could someone provide an answer and maybe check out my guess on why it closes the browser?
« Last Edit: December 15, 2009, 03:27:34 AM by zone12 »

pinnacle

  • Guest
Re: Trojan.Cinmus
« Reply #9 on: December 15, 2009, 03:28:21 AM »
Malwarebytes removes this according to their list of trojans they detect and remove; this one, Trojan.Cinmus, is listed as number 2075 at the time of this post: http://www.malwarebytes.org/malwarenet.php

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89326
  • No support PMs thanks
Re: Trojan.Cinmus
« Reply #10 on: December 15, 2009, 03:47:59 AM »
O3 - Toolbar: (no name) - -{B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)

Anyone know how to remove this? It just comes back after every scan.
<snip>

Check out this link, http://www.systemlookup.com/search.php?type=clsid&client=malwaresearch-ff&search={B580CF65-E151-49C3-B73F-70B13FCA8E86}, are any of the dlls mentioned on your system ?

Does the domain name ring any bells ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

zone12

  • Guest
Re: Trojan.Cinmus
« Reply #11 on: December 16, 2009, 02:40:21 AM »
O3 - Toolbar: (no name) - -{B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)

Anyone know how to remove this? It just comes back after every scan.
<snip>

Check out this link, http://www.systemlookup.com/search.php?type=clsid&client=malwaresearch-ff&search={B580CF65-E151-49C3-B73F-70B13FCA8E86}, are any of the dlls mentioned on your system ?

Does the domain name ring any bells ?

Yup, I still don't know how to remove them. I thought Spybot quarantined them.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89326
  • No support PMs thanks
Re: Trojan.Cinmus
« Reply #12 on: December 16, 2009, 03:39:49 AM »
Yes, but are any of the dlls mentioned in the article on your system?
If so, they should be checked against VirusTotal, and if there are multiple detections, send the sample(s) to avast.

Or are any of them quarantined by Spybot?

The idea being if any files are quarantined by spybot which aren't detected by avast you should send a sample/s to avast.

zone12

  • Guest
Re: Trojan.Cinmus
« Reply #13 on: December 22, 2009, 12:27:19 AM »
Yes, but are any of the dlls mentioned in the article on your system?
If so, they should be checked against VirusTotal, and if there are multiple detections, send the sample(s) to avast.

Or are any of them quarantined by Spybot?

The idea being if any files are quarantined by spybot which aren't detected by avast you should send a sample/s to avast.

I think Spybot has them quarantined.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89326
  • No support PMs thanks
Re: Trojan.Cinmus
« Reply #14 on: December 22, 2009, 12:45:18 AM »
OK, that's fine, provided you aren't having any further problems.