Infected with Lighty and Fasec Trojan and others

#1 rarewish

Posted 04 January 2009 - 04:01 PM

I have been infected with the Lighty Cryp and Fasec Tjn. It's affecting numerous files. I can do very little with my system now without further causing harm. It directly affects IE and has caused internet connection issues. Programs run slower if they even start up at all.

Can you please help? Below are the following log files: DDS and Kaspersky.

DDS LOG
DDS (Version 1.1.0) - NTFSx86
Run by Nadine at 21:29:06.76 on Fri 01/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.989 [GMT -8:00]

AV: avast! antivirus 4.8.1296 [VPS 090102-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZScanner.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nadine\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: The Pirate Bay Toolbar: {a33fa729-d155-4b23-842b-2c665ecabdb6} - c:\program files\the_pirate_bay\tbThe_.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis\HijackThis.exe /startupscan
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Hwenogoyinebago] rundll32.exe "c:\windows\Psadubaseb.dll",e
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Kzene] rundll32.exe "c:\windows\icozuneseyomeb.dll",e
StartupFolder: c:\documents and settings\nadine\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {D5BF49A2-94F1-42BD-F434-3604812C807D} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nadine\applic~1\mozilla\firefox\profiles\41wei749.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPOJI610.dll
FF - HiddenExtension: XUL Cache: {3C484463-3599-4005-9236-7BC58F96DE5B} - c:\documents and settings\nadine\local settings\application data\{3C484463-3599-4005-9236-7BC58F96DE5B}

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg;c:\windows\system32\drivers\szkg.sys [2008-12-2 54656]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-2 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-2 20560]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-01-02 19:55 960 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-01-02 19:55 6,200 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-01-02 19:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-01-02 19:53 <DIR> --d----- c:\program files\STOPzilla!
2009-01-02 19:53 <DIR> --d----- c:\program files\common files\iS3
2009-01-02 19:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-01-02 17:56 133,120 a------- c:\windows\icozuneseyomeb.dll
2009-01-02 02:15 <DIR> --d----- c:\program files\Trend Micro
2008-12-31 16:45 7,334 a------- c:\windows\bcmD.tmp
2008-12-31 14:03 255 ---shr-- C:\autorun.inf
2008-12-31 14:01 7,442 a------- c:\windows\bcm1B9.tmp
2008-12-31 13:53 5,830 a------- c:\windows\bcm179.tmp
2008-12-31 05:12 20,480 a------- c:\windows\ocuvagoxoyi.dll
2008-12-30 23:38 30,048 a------- c:\windows\UNWISE.EXE
2008-12-30 23:38 <DIR> --d----- C:\ydkj
2008-12-30 22:51 72,192 a------- c:\windows\system32\drivers\msqpdxserv.sys
2008-12-30 22:51 <DIR> --dshr-- C:\resycled
2008-12-30 18:07 20,480 a------- c:\windows\evakunosesoxi.dll
2008-12-30 17:56 2,710 a------- c:\windows\system32\TDSSunsa.dll
2008-12-30 17:56 441 a------- c:\windows\system32\TDSSwhct.dat
2008-12-30 17:55 15,000 a------- c:\windows\system32\tyshb36rfjdf.dll
2008-12-30 17:54 41,984 a------- c:\windows\Psadubaseb.dll
2008-12-30 17:48 <DIR> --d----- c:\windows\ydkjv3
2008-12-26 18:11 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2008-12-24 22:27 <DIR> --d----- c:\program files\Western Digital
2008-12-24 22:26 <DIR> --d----- c:\program files\Western Digital Technologies
2008-12-21 01:02 <DIR> --d----- c:\program files\Bonjour
2008-12-20 01:30 44 a------- c:\windows\SYMGAMES.INI
2008-12-17 17:26 17,408 a----r-- c:\windows\system32\SZIO5.dll
2008-12-17 17:25 282,624 a----r-- c:\windows\system32\SZBase5.dll
2008-12-17 17:24 540,672 a----r-- c:\windows\system32\SZComp5.dll
2008-12-16 19:00 <DIR> --d----- c:\program files\MSXML 4.0
2008-12-15 23:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WEBREG
2008-12-15 23:17 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2008-12-15 23:16 <DIR> --d----- c:\program files\common files\HP
2008-12-15 23:15 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys
2008-12-15 23:15 49,920 a----r-- c:\windows\system32\drivers\HPZid412.sys
2008-12-15 23:15 271,704 a----r-- c:\windows\system32\hpzids01.dll
2008-12-15 23:15 118,272 a------- c:\windows\system32\hpz3l5ha.dll
2008-12-15 23:15 21,568 a----r-- c:\windows\system32\drivers\HPZius12.sys
2008-12-15 23:14 970,752 a----r-- c:\windows\system32\hpotiop5.dll
2008-12-15 23:14 729,088 a----r-- c:\windows\system32\hpowiax5.dll
2008-12-15 23:14 364,544 a----r-- c:\windows\system32\hppldcoi.dll
2008-12-15 23:14 309,760 a----r-- c:\windows\system32\difxapi.dll
2008-12-15 23:14 303,104 a----r-- c:\windows\system32\hpovst12.dll
2008-12-15 23:11 <DIR> --d----- c:\program files\HP
2008-12-15 23:05 165,074 a------- c:\windows\hpoins21.dat
2008-12-15 23:05 7,262 -------- c:\windows\hpomdl21.dat
2008-12-14 15:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-02 19:35 47,104 a------- c:\windows\system32\rpcnet.dll
2009-01-02 19:35 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-01-02 19:22 17,408 a------- c:\windows\system32\rpcnetp.exe
2008-12-09 19:32 47,104 a------- c:\windows\system32\rpcnet.exe
2008-12-02 15:20 54,656 a----r-- c:\windows\system32\drivers\SZKG.sys
2008-11-24 16:19 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2008-11-24 16:19 364,544 a----r-- c:\windows\system32\IS3DBA5.dll
2008-11-24 16:18 372,736 a----r-- c:\windows\system32\IS3UI5.dll
2008-11-24 16:18 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2008-11-24 16:18 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2008-11-24 16:17 212,992 a----r-- c:\windows\system32\IS3Win325.dll
2008-11-24 16:17 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2008-11-24 16:17 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2008-11-24 16:14 708,608 a----r-- c:\windows\system32\IS3Base5.dll
2008-11-02 20:14 249,856 -------- c:\windows\Setup1.exe
2008-11-02 20:14 73,216 a------- c:\windows\ST6UNST.EXE
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-07-12 00:23 604 a---h--- c:\program files\STLL Notifier
2008-07-03 22:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070320080704\index.dat

============= FINISH: 21:32:31.23 ===============


Kaspersky LOG
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 4, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 03, 2009 20:04:02
Records in database: 1554918
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\

Scan statistics:
Files scanned: 147468
Threat name: 5
Infected objects: 26
Suspicious objects: 0
Duration of the scan: 18:35:00


File name / Threat name / Threats count
C:\Documents and Settings\Nadine\Local Settings\Temp\TDSS3eef.tmp Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Nadine\Local Settings\Temp\tmp163.tmp Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Nadine\Local Settings\Temp\tmp1C.tmp Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Nadine\Local Settings\Temp\tmp9.tmp Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Nadine\Local Settings\Temp\tmpA.tmp Infected: Trojan.Win32.Patched.dw 1
E:\Nadine's Files\My Software\AT&T\ATT_SST_Installer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 2
E:\SAVE\Personal\Ntheuzillot.rar Infected: Virus.MSWord.Ded.b 1
E:\SAVE\Personal\Ntheuzillot.rar Infected: Virus.MSWord.Cap 1
E:\SAVE\Personal\Other\Ntheuzillot.rar Infected: Virus.MSWord.Ded.b 1
E:\SAVE\Personal\Other\Ntheuzillot.rar Infected: Virus.MSWord.Cap 1
E:\My Personal Docs\Pre-maternityLeave-WorkFiles\Personal\Other\Ntheuzillot.rar Infected: Virus.MSWord.Ded.b 1
E:\My Personal Docs\Pre-maternityLeave-WorkFiles\Personal\Other\Ntheuzillot.rar Infected: Virus.MSWord.Cap 1
E:\My Personal Docs\Other docs\Personal\Ntheuzillot.rar Infected: Virus.MSWord.Ded.b 1
E:\My Personal Docs\Other docs\Personal\Ntheuzillot.rar Infected: Virus.MSWord.Cap 1
E:\My Personal Docs\Other docs\Personal\Other\Ntheuzillot.rar Infected: Virus.MSWord.Ded.b 1
E:\My Personal Docs\Other docs\Personal\Other\Ntheuzillot.rar Infected: Virus.MSWord.Cap 1
E:\autorun.inf Infected: Worm.Win32.AutoRun.spw 1
F:\Nadine's Files\My Software\AT&T\ATT_SST_Installer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 2
F:\Nadine's Files\DOCUMENTS\Pre-maternityLeave-WorkFiles\Personal\Other\Ntheuzillot.rar Infected: Virus.MSWord.Ded.b 1
F:\Nadine's Files\DOCUMENTS\Pre-maternityLeave-WorkFiles\Personal\Other\Ntheuzillot.rar Infected: Virus.MSWord.Cap 1
F:\SAVE\Personal\Ntheuzillot.rar Infected: Virus.MSWord.Ded.b 1
F:\SAVE\Personal\Ntheuzillot.rar Infected: Virus.MSWord.Cap 1
F:\SAVE\Personal\Other\Ntheuzillot.rar Infected: Virus.MSWord.Ded.b 1
F:\SAVE\Personal\Other\Ntheuzillot.rar Infected: Virus.MSWord.Cap 1

The selected area was scanned.

Attached Files
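Added here as a worked illustration, not part of the thread and not code from DDS or any BleepingComputer tool: a small Python triage script that reads lines in the DDS format shown above and flags the kinds of entries an analyst picks out of this log: Run keys that launch rundll32 against a DLL dropped straight into c:\windows, "No File" toolbar leftovers, a hidden/system autorun.inf at a drive root, TDSS-prefixed files, and new DLLs in the Windows root. The sample lines are copied from the log above; the heuristics and severity labels are my own assumptions, not a DDS feature.

```python
import re

# Constructed sample: lines copied from the DDS log in the first post above.
SAMPLE_DDS = r"""
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Hwenogoyinebago] rundll32.exe "c:\windows\Psadubaseb.dll",e
mRun: [Kzene] rundll32.exe "c:\windows\icozuneseyomeb.dll",e
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
2008-12-31 14:03 255 ---shr-- C:\autorun.inf
2008-12-30 22:51 72,192 a------- c:\windows\system32\drivers\msqpdxserv.sys
2008-12-30 17:56 2,710 a------- c:\windows\system32\TDSSunsa.dll
2008-12-30 17:54 41,984 a------- c:\windows\Psadubaseb.dll
2008-12-15 23:15 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys
"""

# uRun/mRun = per-user / per-machine Run key entries as DDS prints them.
RUN_RE = re.compile(r'^[um]Run: \[[^\]]*\] (?P<cmd>.+)$', re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.I)
# "Created Last 30" entry: date time <DIR>-or-size attribute-flags path
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+(?P<attr>[a-z-]{8})\s+(?P<path>.+)$', re.I)
# A DLL sitting directly in c:\windows (no subfolder) is unusual for legitimate software (assumed heuristic).
WINROOT_DLL_RE = re.compile(r'^c:\\windows\\[^\\]+\.dll$', re.I)

def triage_dds(text):
    """Return a list of (severity, reason, line) for DDS entries that deserve a closer look."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        run = RUN_RE.match(line)
        if run:
            dll = RUNDLL_RE.match(run.group('cmd'))
            if dll and WINROOT_DLL_RE.match(dll.group('dll')):
                findings.append(('high', 'rundll32 autostart of a DLL in the Windows root', line))
            continue
        if line.endswith(' - No File'):
            findings.append(('low', 'orphaned toolbar/BHO CLSID (file already gone)', line))
            continue
        created = CREATED_RE.match(line)
        if not created:
            continue
        attr, path = created.group('attr').lower(), created.group('path')
        name = path.rsplit('\\', 1)[-1].lower()
        if name == 'autorun.inf' and 's' in attr and 'h' in attr:
            findings.append(('high', 'hidden+system autorun.inf at a drive root', line))
        elif name.startswith('tdss'):
            findings.append(('high', 'TDSS-style filename in system32', line))
        elif WINROOT_DLL_RE.match(path):
            findings.append(('medium', 'new DLL dropped in the Windows root', line))
    return findings

if __name__ == '__main__':
    print(*triage_dds(SAMPLE_DDS), sep='\n')
```

The legitimate entries in the sample (Java updater, HP driver, even the unnamed msqpdxserv.sys driver) produce no finding, so the output is a short list to hand to a human rather than a verdict.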

#2 rarewish (Topic Starter)

Posted 04 January 2009 - 04:06 PM

I have attached the additional files that you may need to assist me further: DDS and ATTACH. Thank you.

Attached Files



#3 Thunder

Posted 05 January 2009 - 08:37 AM

Hello Rarewish and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder

Edited by Thunder, 05 January 2009 - 08:37 AM.

#4 Thunder

Posted 03 February 2009 - 05:43 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.