Trojan Droppers

Hi!

Looking for the same.
Exactly the same problem with the trojan droppers.
Superantispyware crashes after around 5 minutes. I also stopped it after it detected the droppers and wanted to click next to get rid of them and it crashed again.
Basically exact the same problems as user lstp0136.
The positive - I am not alone with this
The negative - Cannot find a solution anywhere!

There must be some solution.

Edited by dave17, 10 December 2010 - 06:50 AM.

Hi Dave, I split you to your own topic. Did you run the RKill and from safe mode with the SUPERAntispyware scan? Is this XP or another ?

Please perform a scan with Eset Online Antiivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

• Click the green button.
• Read the End User License Agreement and check the box:
• Check .
• Click the button.
• Accept any security warnings from your browser.
• Check
• Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
• Click the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer.
• If offered the option to get information or buy software at any point, just close the window.
• The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
• When the scan completes, push
• Push , and save the file to your desktop as ESETScan.txt.
• Push the button, then Finish.
• Copy and paste the contents of ESETScan.txt in your next reply.

Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt

• Click Ok and the scan results will open in Notepad.
• Copy and paste the contents of log.txt in your next reply.

-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.

Hi boopme!
Yes I did rkill with superantivirusscan in safe mode.
Rkill showed it killed the "\\.\globalroot\Device\svchost.exe\svchost.exe" and it shows that every time I let rkill run.

I tried th eset online scanner.
As soon as it wants to download the virus definations (Initializing) I get after a minute or so "Unexpected error 101"

Basically every antivirus or antimalware that I can get to scan crashes after a couple of minutes.
True sword didn't. But it showed me so many malware, I don't believe it. Still I let True sword handle them, but then it crashed too.

Hello again, what we have here is a Globalroot ,rootkit. To remove we need to start a new topic.

Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.

Hi again!

I checked the stealth mode box and now it's running.
Shall I keep it running or shall I do the preperation guide?

Yes the malware Team in the other forum still have to dig the Kit out with specialized tools.

This eset scanner is really digging deep. 14:25 hours and still at 13%
Shows already 19 infected files.

Is it still running?

Yes.
It's at Step 3 - 68% and really slow.
My Broadband isn't that fast here in the highlands but this has now been running 1.5 days nonstop.
By now it's showing 70 threats.

Hi boopme

The computer has finally frozen after 24 + 15:22 hours, at step three of four, 68%, 348783 files scanned, 70 threats detected.
Nothing moving anymore.
As the antivirus/internet security is peranently turned off I am getting very concerned now.
What do you suggest?

Are you dead in the water, PC will not boot?

Well, I had to use the big button, I could use the mouse but nothing was accessable/usable on the screen and the taskbar was unvisable/dark.
So I switched off and I'm letting esetscan run again. Funny that it scans 12% in 40 seconds, but then scans 13% for ages and ages.
I'm not at the computer for about 10 hours, but it will be scanning.

Make sure all other apps and browsers are closed.

If possible if you can look at the the log while its scanning and note if it'e finding a lot of the same things,if so wrute iy doen and post it here.

I left home when it was running at 13% and it did not find any threats by then, unlike it did yesterday.
As soon as I get home (10 hours) I'll write all the stuff it finds by then that I can see on the scanner.

I got a final result from the scan.

The scan:

C:\WINDOWS\system32\drivers\usbhub.sys a variant of Win32/Rootkit.Agent.NSF trojan unable to clean
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll probably a variant of Win32/Kryptik.YQ trojan unable to clean
G:\Files From Small Drive\EBooks\EBooks\Extracted\create_an_ebook\Creating\EBook Creating.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\class2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\credit2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ebay2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ebcover.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\edmplan.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\marketer.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\selfpub.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\thought.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ws2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\Web Sites\250 books old\download\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined
G:\Look At\Web Sites\Cashgang.net\ebookstore\ebooks\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined
G:\Look At\Web Sites\Cashgang.net\Membership Site\downloads\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined
G:\Testfolder\CD & Downloads\EZ Greet\EZGreetSoftware.exe probably a variant of Win32/Agent.BLNIBPI trojan cleaned by deleting - quarantined
G:\Web Sites\Cashgang.net\ebookstore\ebooks\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined
G:\Web Sites\Cashgang.net\Membership Site\downloads\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined
G:\Web Sites\Cashgang.net\membership_site\downloads\Not Ready\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined



The log:



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
ESETSmartInstaller@High as downloader log:
all ok
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
# version=7
# sbrowser.exe=5.00.138
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=e902ef0fa3e6af4fb9a0cc23d4a4f611
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-12 04:14:13
# local_time=2010-12-12 04:14:13 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777175 100 0 30215720 30215720 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5889 16768382 100 95 353613 132923628 0 400482
# compatibility_mode=8192 67108863 100 0 165360 165360 0 0
# scanned=66448
# found=0
# cleaned=0
# scan_time=7172
# version=7
# sbrowser.exe=5.00.138
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=e902ef0fa3e6af4fb9a0cc23d4a4f611
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-13 04:15:00
# local_time=2010-12-13 04:15:00 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777175 100 0 30228074 30228074 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5889 16768382 100 95 365967 132935982 0 412836
# compatibility_mode=8192 67108863 100 0 177714 177714 0 0
# scanned=466039
# found=19
# cleaned=17
# scan_time=38065
C:\WINDOWS\system32\drivers\usbhub.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll probably a variant of Win32/Kryptik.YQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\Files From Small Drive\EBooks\EBooks\Extracted\create_an_ebook\Creating\EBook Creating.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\class2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\credit2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ebay2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ebcover.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\edmplan.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\marketer.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\selfpub.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\thought.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ws2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\Web Sites\250 books old\download\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Look At\Web Sites\Cashgang.net\ebookstore\ebooks\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Look At\Web Sites\Cashgang.net\Membership Site\downloads\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Testfolder\CD & Downloads\EZ Greet\EZGreetSoftware.exe probably a variant of Win32/Agent.BLNIBPI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Web Sites\Cashgang.net\ebookstore\ebooks\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Web Sites\Cashgang.net\Membership Site\downloads\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Web Sites\Cashgang.net\membership_site\downloads\Not Ready\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C