Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojans galore - Computer 2/ please advise, thanks.


  • Please log in to reply
1 reply to this topic

#1 sach_1600

sach_1600

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:02 AM

Posted 02 February 2009 - 07:44 PM

Hi,

I have some trojans on my laptop (I have recently made a seperate post for my desktop - probably the same virus; but if i could choose i'd rather the laptop be looked at first).


Laptop running vista home premium (not sp1), kaspersky 7 (up to date) and superantispyware (up to date); firewall disabled and relevant services disabled (the laptop was never intended for net use).

I must have transmitted the virus to my laptop when I foolishly tried to use my usb mobile broadband from my infected desktop, on my laptop.

Below are the DDS text and superantispyware logs. I have attempted no cleaning other than through superantispyware. Kaspersky is currently running but is taking a long time to run, so I'll post now and add a Kaspersky log if requested.

Thank you very much for your help.




DDS (Ver_09-02-01.01) - NTFSx86
Run by Sache at 0:25:03.64 on 03/02/2009
Internet Explorer: 7.0.6001.18000

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: c:\windows\system32\hgdfhsiueme.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgdfhsiueme.dll
uRun: [FX Teleport Server] d:\sequencers\fx teleport\Server.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kaspersky lab\kaspersky anti-virus 7.0\r3hook.dll
STS: c:\windows\system32\hgdfhsiueme.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgdfhsiueme.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-02-02 23:44 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-02-02 23:44 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-02-02 23:44 <DIR> --d----- c:\users\sache\appdata\roaming\SUPERAntiSpyware.com
2009-02-02 23:44 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-02 23:44 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-02 23:31 <DIR> --d----- C:\keys
2009-02-02 23:31 96,976 a------- c:\windows\system32\drivers\klin.dat
2009-02-02 23:31 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-02-02 23:31 4,413,728 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-02 23:31 33,788 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-02-02 23:31 <DIR> --d----- c:\programdata\Kaspersky Lab
2009-02-02 23:31 <DIR> --d----- c:\program files\Kaspersky Lab
2009-02-02 23:31 <DIR> --d----- c:\progra~2\Kaspersky Lab
2009-02-02 23:30 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
2009-02-02 23:30 <DIR> --d----- c:\progra~2\Kaspersky Lab Setup Files
2009-02-02 23:12 <DIR> --d----- C:\SDFix
2009-02-02 22:34 147,425 a------- c:\windows\system32\SYNSOACC-Aide.chm
2009-02-02 22:34 120,468 a------- c:\windows\system32\SYNSOACC-Hilfe.chm
2009-02-02 22:34 114,279 a------- c:\windows\system32\SYNSOACC-Help.chm
2009-02-02 22:34 401,462 a------- c:\windows\system32\temp.006
2009-02-02 22:34 65,536 a------- c:\windows\system32\Synsopos.exe
2009-02-02 22:34 147,456 a------- c:\windows\system32\SynsoLChk.dll
2009-02-02 22:34 <DIR> --d----- c:\program files\Syncrosoft
2009-02-02 22:14 15,000 -------- c:\windows\system32\hgdfhsiueme.dll
2009-02-02 22:12 <DIR> --d----- c:\windows\system32\UnSyncrosoft
2009-02-02 21:54 <DIR> --d----- c:\program files\uTorrent
2009-02-02 21:54 <DIR> --d----- c:\users\sache\appdata\roaming\uTorrent
2009-02-02 20:36 401,462 a------- c:\windows\system32\temp.005
2009-02-02 20:34 401,462 a------- c:\windows\system32\temp.004
2009-02-02 20:26 401,462 a------- c:\windows\system32\temp.003
2009-02-02 20:00 401,462 a------- c:\windows\system32\temp.002
2009-02-02 19:52 401,462 a------- c:\windows\system32\temp.001
2009-02-01 14:21 <DIR> --d----- c:\users\sache\appdata\roaming\Malwarebytes
2009-02-01 14:21 <DIR> --d----- c:\programdata\Malwarebytes
2009-02-01 14:21 <DIR> --d----- c:\progra~2\Malwarebytes
2009-02-01 14:11 3,821,568 a------- c:\windows\system32\BCMWLCPL.CPL
2009-02-01 14:11 2,756,608 a------- c:\windows\system32\bcmttls.dll
2009-02-01 14:11 2,700,288 a------- c:\windows\system32\vcredist_x86.exe
2009-02-01 14:11 1,744,896 a------- c:\windows\system32\BCMWLTRY.EXE
2009-02-01 14:11 1,568,768 a------- c:\windows\system32\WLTRAY.EXE
2009-02-01 14:11 962,560 a------- c:\windows\system32\BCMLogon.dll
2009-02-01 14:11 282,624 a------- c:\windows\system32\bcmwlu00.exe
2009-02-01 14:11 65,536 a------- c:\windows\system32\wltrynt.dll
2009-02-01 14:11 65,536 a------- c:\windows\system32\bcmwlrmt.dll
2009-02-01 14:11 41,472 a------- c:\windows\system32\WLTRYSVC.EXE
2009-02-01 14:11 416 a------- c:\windows\system32\vcredist_x86.bat
2009-02-01 14:08 21,469 a------- C:\newkey
2009-02-01 14:08 21,469 a------- C:\newfile.enc
2009-02-01 13:53 <DIR> --d----- c:\program files\Cisco
2009-01-25 20:49 <DIR> --d----- c:\users\sache\appdata\roaming\Xlutop
2009-01-25 18:02 69,632 a------- c:\windows\system32\NI_DFD_KOMPAKT.dll
2009-01-25 18:02 69,632 a------- c:\windows\system32\NI_DFD_1_2_9.dll
2009-01-25 18:02 69,632 a------- c:\windows\system32\NI_DFD_1_2_7.dll
2009-01-25 18:02 69,632 a------- c:\windows\system32\NI_DFD_1_2_4.dll
2009-01-25 18:02 69,632 a------- c:\windows\system32\NI_DFD.dll
2009-01-25 18:02 65,536 a------- c:\windows\system32\NI_DFD_1_2_8.dll
2009-01-25 17:33 <DIR> --d----- c:\users\sache\appdata\roaming\KORG
2009-01-25 17:32 <DIR> --d----- c:\programdata\KORG
2009-01-25 17:32 <DIR> --d----- c:\progra~2\KORG
2009-01-25 14:01 30 a------- c:\windows\forte.INI
2009-01-25 13:40 <DIR> --d----- c:\users\sache\appdata\roaming\brainspawn
2009-01-19 20:37 12 a------- c:\windows\bthservsdp.dat

==================== Find3M ====================

2009-02-02 23:56 112,144 a------- c:\windows\system32\drivers\kl1.sys
2009-02-02 23:31 86,016 a------- c:\windows\inf\infstrng.dat
2009-02-02 23:31 86,016 a------- c:\windows\inf\infstor.dat
2009-02-02 23:31 51,200 a------- c:\windows\inf\infpub.dat
2008-12-12 11:36 27,839 a------- c:\programdata\nvModes.dat
2008-12-12 11:36 27,839 a------- c:\progra~2\nvModes.dat
2008-12-10 14:40 645,488 a------- C:\autoruns.exe
2008-12-06 01:13 174 a--sh--- c:\program files\desktop.ini
2008-12-06 01:09 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-06 01:03 101,888 a------- c:\windows\system32\ifxcardm.dll
2008-12-06 01:02 82,432 a------- c:\windows\system32\axaltocm.dll
2008-12-06 00:50 152,576 a------- c:\windows\system32\SPWizUI.dll
2008-12-06 00:50 47,560 a------- c:\windows\system32\SPReview.exe
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 20:49 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 0:25:35.03 ===============





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/03/2009 at 00:15 AM

Application Version : 4.25.1012

Core Rules Database Version : 3740
Trace Rules Database Version: 1708

Scan type : Quick Scan
Total Scan Time : 00:11:06

Memory items scanned : 442
Memory threats detected : 1
Registry items scanned : 353
Registry threats detected : 0
File items scanned : 13004
File threats detected : 1

Trojan.Smitfraud Variant-Gen/Bensorty
C:\WINDOWS\SYSTEM32\HGDFHSIUEME.DLL
C:\WINDOWS\SYSTEM32\HGDFHSIUEME.DLL





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/03/2009 at 00:03 AM

Application Version : 4.25.1012

Core Rules Database Version : 3740
Trace Rules Database Version: 1708

Scan type : Quick Scan
Total Scan Time : 00:01:58

Memory items scanned : 435
Memory threats detected : 1
Registry items scanned : 358
Registry threats detected : 10
File items scanned : 200
File threats detected : 26

Trojan.Smitfraud Variant-Gen/Bensorty
C:\WINDOWS\SYSTEM32\HGDFHSIUEME.DLL
C:\WINDOWS\SYSTEM32\HGDFHSIUEME.DLL

Trojan.Csrssc/Systemc-B
[tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\CSRSSC.EXE
C:\WINDOWS\TEMP\CSRSSC.EXE
[tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\CSRSSC.EXE

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C8955}
HKCR\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}
HKCR\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}
HKCR\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}#ThreadingModel
HKCR\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}\InProcServer32
HKCR\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}\InProcServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{C5BF49A2-94F3-42BD-F434-3604812C8955}
HKU\S-1-5-21-1901913259-1669075004-2874805293-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5BF49A2-94F3-42BD-F434-3604812C8955}

Adware.Tracking Cookie
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@adserver.adreactor[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@kontera[2].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@adopt.euroclick[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@ads.techguy[3].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@chitika[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@doubleclick[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@smiley.smileycentral[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@ads.bleepingcomputer[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@ads.bittorrent[2].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@statcounter[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@tribalfusion[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@ad.yieldmanager[2].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@ad3.clickhype[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@clicktorrent[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@zedo[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@www.technologyquestions[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@mediaplex[2].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@technologyquestions[2].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@adbrite[2].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@kaspersky.122.2o7[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@ads.widgetbucks[2].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@yadro[2].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@rambler[1].txt
C:\Users\Sache\AppData\Roaming\Microsoft\Windows\Cookies\sache@media6degrees[2].txt

Attached Files



BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:02 PM

Posted 15 February 2009 - 10:25 AM

Hello sach_1600

Welcome to BleepingComputer :thumbup2:
========================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users