Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Weird Processes, trojan unpackers, smitfraud. The usual.

  • Please log in to reply
2 replies to this topic

#1 Qlaxis


  • Members
  • 8 posts
  • Local time:08:53 AM

Posted 07 December 2008 - 12:59 AM

Hello, this is my first post here in the bleeping computer forums.
I seem to have come across some problems lately. It started, just about 2 days ago, when my windows notified me that my Dr.Watson post-mortem had encountered an error. Didn't think anything about it, and later when I looked, the application folder is empty. After that I was surfing the net when random exe programs began to ask for internet access. Their file names consisted of numbers. Of course, I denied these, but they just keep coming. I thought I had it fixed for a few moments until I received a registry edit notification from Spybot S&D.

Anyway, to start off, I had recently run a game that had some issues. In order to uninstall this game, you had to run a registry edit entry to remove it, and the rest of the files were to be deleted. However, when I ran the regedit file, the error came up "registry editing has been disabled by your administrator." Now, this confused me, considering I'm the only person who uses this computer (lol). Now, of course, to anyone with a bit of computer skills, this is bad news. Normally, the regedit options can only be changed by admins...or trojans. I ran a scan with Zone Alarm for spyware and trojans. There were about 2 or 3 trojan entries and around 7 spyware entries. The 3 trojan entries were backdoors, but the spyware were the usual, so, I figured I was done.
Instead, about 5 minutes later, the same events continued to reoccur. So I ran ad-aware and found about 24 spyware entries. I was a little miffed that this free-ware security program had found a lot more than my paid for one. Again, thought nothing of it. Again, problems came back. I figured I would run CCleaner since I hadn't run it for awhile. The windows and application scans showed 30 or so issues, but nothing looked out of place (cookies, recycling bin files, the usual). The registry went nuts though. I had about 60 entries. Things leading to nowhere, about 3 or 4 windows components of some sort were missing. This is not good. So, I restarted my comp and went into straight safe mode. Ran scans with CCleaner, Zonalarm, and Adaware.
CCleaner found about 40 odd files I wasn't even sure of in the windows section. Registry came up with a bunch of stuff I had no clue about. Adaware fell short and gave me the normal burstmedia and other tracking cookie junk. Zone alarm said there were 7 trojans, and 39 infected files of spyware. Ran the fixes and seemed good...for about 10 or 15 minutes.
I looked around and found Spybot S&D. I'd run it a few times before on some previous computers, but had moved on to other programs. I ran S&D and got some really exotic result. I had a unpacker, 3 backdoors, a Smitfraud C, and some registry edited items. Odd thing is, I've had Smitfraud C before, and I haven't had any of the symptoms. No changed background, no psguard. Nothing. I found this odd but let S&D do its thing. It fixed quite a bit, I think. I ran the immunize option and had all files immunized. Looking good.
Once again, wrong. Will the problems ever cease? So, I checked my computer for anything unusual manually looking through as many folders and files I felt like. Low-and-behold, when I got to the temp folder I found some files. I use a lot software and what-not's, so when I found some stuff in there, I thought I would go ahead and delete it manually. A few of the items in there confused me though. The file names were something like "Perflib_Perfdata_1b0, Perlib_Perfdata_1e5" and some other odd names. They wouldn't let me delete them. The rtdrvmon would, but when I searched that, I got a result of a driver for my lexmark 1150 printer. Now why the heck is that there, I asked. Anyway, I had run another scan or two, deleted the items again from the temp folder, emptied the recycle bin what felt like a hundred times, and now my temp still has Perflib_Perdata_1b0, rtdrvmon, WMP54Gv4_(I1, S2, and 51), and ZLTO6d47.tmp. The WMP's are gif files with what look like router based images. The perflib, however, is being read by nero as a video cd movie .dat file that's 16kb. Obviously, that can't be right. So, here is where I am now. I fixed most of the problems (I think) and I am left with the single entry edit that I had pop-up when I just ran windows again. I also still have Smitfraud C, and a registry value of some sort called "PWS.LDPinchIE", which I thought was a password stealer. But here is what S&D says, "Functionality-Supposed to be an update for the Internet Explorer. Description-This trojan horse pretends to be an update for Internet Explorer. It massively connects to the internet in background. It hijacks the host file to block security sites and redirects banking websites to a fixed IP address. The trojan downloads other malicious software and adds them to the winlogon and system start. There are also services to have additional ways of starting the trojans. Variants start themselves in winlogon as "parnershipreg" without giving the user a possibility to cancel that process. Also user profile settings (desktop icons, mapped drives, etc.) get deleted upon initial boot."
When I just read this, I was reminded about a few times IE was bugging me about a Adobe Flash Player update. I downloaded it without thinking twice. This is probably where it got me good. I've only had 2 icons be disconnected with their programs though, one of which I can't even find the actual program folder anymore, but will run if I run the installer .exe :thumbsup: .
So, sorry for the long explanation, but I hope and wish for the best help. I hope you can pull enough info to make sense of it. Thanks ahead of time.

Edit:12:07am I am now getting registry edit pop-ups from S&D, I can deny the first, but not the second, which with the second comes a invalid float point(?).

Edited by Qlaxis, 07 December 2008 - 01:08 AM.

BC AdBot (Login to Remove)


#2 garmanma


    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:09:53 AM

Posted 07 December 2008 - 11:21 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Qlaxis

  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:53 AM

Posted 07 December 2008 - 02:37 PM

Thank you for the quick return garmanma.
Did the scan and the rest that you requested. Immediately afterwards, spybot alerted me of the registry changes made by Malwarebytes, which I allowed, followed by another registry that was added with a random entry name.

Here are the results of the log:
Malwarebytes' Anti-Malware 1.31
Database version: 1471
Windows 5.1.2600 Service Pack 3

12/7/2008 1:27:18 PM
mbam-log-2008-12-07 (13-27-18).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 111685
Time elapsed: 32 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 12
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hsef73uhef.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\jsne87fidgf.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5af42a3-94f3-42bd-f434-3604832c897d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5af42a3-94f3-42bd-f434-3604832c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4509d3cc-b642-4745-b030-645b79522c6d} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{32c620d6-cc10-4e6a-9715-bacacd5b0e61} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati2utxx (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati2utxx (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati2utxx (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ati2utxx (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati2utxx (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af42a3-94f3-42bd-f434-3604832c897d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebProxy (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb6319 (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hsef73uhef.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\jsne87fidgf.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ati2utxx.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\admin\Local Settings\Temp\2001555712.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\2329142930.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\3066882774.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\3682722162.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\3732525916.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\736552088.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\1057267930.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\1164778824.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\1192943820.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\1491573898.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\157042648.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\1970356602.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Delete on reboot.

Now I'm going for the reboot.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users