
Trojan Droppers



#1 Guest_dave17_*


Posted 10 December 2010 - 06:49 AM

Hi!

Looking for the same.
Exactly the same problem with the trojan droppers.
Superantispyware crashes after around 5 minutes. I also stopped it after it detected the droppers and wanted to click next to get rid of them and it crashed again.
Basically exactly the same problems as user lstp0136.
The positive - I am not alone with this
The negative - Cannot find a solution anywhere!

There must be some solution.

Edited by dave17, 10 December 2010 - 06:50 AM.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 December 2010 - 10:30 AM

Hi Dave, I split you to your own topic. Did you run the RKill and from safe mode with the SUPERAntispyware scan? Is this XP or another?

Please perform a scan with Eset Online Antivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Guest_dave17_*


Posted 10 December 2010 - 12:36 PM

Hi boopme!
Yes I did rkill with superantivirusscan in safe mode.
Rkill showed it killed the "\\.\globalroot\Device\svchost.exe\svchost.exe" and it shows that every time I let rkill run.

I tried the eset online scanner.
As soon as it wants to download the virus definitions (Initializing) I get after a minute or so "Unexpected error 101".

Basically every antivirus or antimalware that I can get to scan crashes after a couple of minutes.
True sword didn't. But it showed me so many malware, I don't believe it. Still I let True sword handle them, but then it crashed too.

#4 boopme


Posted 10 December 2010 - 12:40 PM

Hello again, what we have here is a Globalroot rootkit. To remove it we need to start a new topic.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#5 Guest_dave17_*


Posted 10 December 2010 - 12:48 PM

Hi again!

I checked the stealth mode box and now it's running.
Shall I keep it running or shall I do the preparation guide?

#6 boopme


Posted 10 December 2010 - 12:54 PM

Yes, the malware team in the other forum still has to dig the kit out with specialized tools.

#7 Guest_dave17_*


Posted 11 December 2010 - 03:09 AM

This eset scanner is really digging deep. 14:25 hours and still at 13%
Shows already 19 infected files.

#8 boopme


Posted 11 December 2010 - 07:52 PM

Is it still running?

#9 Guest_dave17_*


Posted 12 December 2010 - 05:01 AM

Yes.
It's at Step 3 - 68% and really slow.
My Broadband isn't that fast here in the highlands but this has now been running 1.5 days nonstop.
By now it's showing 70 threats.

#10 Guest_dave17_*


Posted 12 December 2010 - 07:02 AM

Hi boopme

The computer has finally frozen after 24 + 15:22 hours, at step three of four, 68%, 348783 files scanned, 70 threats detected.
Nothing moving anymore.
As the antivirus/internet security is permanently turned off I am getting very concerned now.
What do you suggest?

#11 boopme


Posted 12 December 2010 - 02:17 PM

Are you dead in the water, PC will not boot?

#12 Guest_dave17_*


Posted 12 December 2010 - 04:02 PM

Well, I had to use the big button. I could use the mouse but nothing was accessible/usable on the screen and the taskbar was invisible/dark.
So I switched off and I'm letting esetscan run again. Funny that it scans 12% in 40 seconds, but then scans 13% for ages and ages.
I'm not at the computer for about 10 hours, but it will be scanning.

#13 boopme


Posted 12 December 2010 - 04:31 PM

Make sure all other apps and browsers are closed.

If possible, look at the log while it's scanning and note if it's finding a lot of the same things; if so, write it down and post it here.

#14 Guest_dave17_*


Posted 12 December 2010 - 04:36 PM

I left home when it was running at 13% and it did not find any threats by then, unlike it did yesterday.
As soon as I get home (10 hours) I'll write all the stuff it finds by then that I can see on the scanner.

#15 Guest_dave17_*


Posted 13 December 2010 - 02:47 AM

I got a final result from the scan.

The scan:

C:\WINDOWS\system32\drivers\usbhub.sys a variant of Win32/Rootkit.Agent.NSF trojan unable to clean
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll probably a variant of Win32/Kryptik.YQ trojan unable to clean
G:\Files From Small Drive\EBooks\EBooks\Extracted\create_an_ebook\Creating\EBook Creating.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\class2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\credit2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ebay2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ebcover.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\edmplan.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\marketer.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\selfpub.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\thought.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ws2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan cleaned by deleting - quarantined
G:\Files From Small Drive\Web Sites\250 books old\download\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined
G:\Look At\Web Sites\Cashgang.net\ebookstore\ebooks\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined
G:\Look At\Web Sites\Cashgang.net\Membership Site\downloads\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined
G:\Testfolder\CD & Downloads\EZ Greet\EZGreetSoftware.exe probably a variant of Win32/Agent.BLNIBPI trojan cleaned by deleting - quarantined
G:\Web Sites\Cashgang.net\ebookstore\ebooks\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined
G:\Web Sites\Cashgang.net\Membership Site\downloads\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined
G:\Web Sites\Cashgang.net\membership_site\downloads\Not Ready\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan cleaned by deleting - quarantined

The log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
ESETSmartInstaller@High as downloader log:
all ok
can not get scanner. e_gle=1001
DLL:pipe not connected. attempts=120
# version=7
# sbrowser.exe=5.00.138
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=e902ef0fa3e6af4fb9a0cc23d4a4f611
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-12 04:14:13
# local_time=2010-12-12 04:14:13 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777175 100 0 30215720 30215720 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5889 16768382 100 95 353613 132923628 0 400482
# compatibility_mode=8192 67108863 100 0 165360 165360 0 0
# scanned=66448
# found=0
# cleaned=0
# scan_time=7172
# version=7
# sbrowser.exe=5.00.138
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=e902ef0fa3e6af4fb9a0cc23d4a4f611
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-13 04:15:00
# local_time=2010-12-13 04:15:00 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777175 100 0 30228074 30228074 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5889 16768382 100 95 365967 132935982 0 412836
# compatibility_mode=8192 67108863 100 0 177714 177714 0 0
# scanned=466039
# found=19
# cleaned=17
# scan_time=38065
C:\WINDOWS\system32\drivers\usbhub.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll probably a variant of Win32/Kryptik.YQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\Files From Small Drive\EBooks\EBooks\Extracted\create_an_ebook\Creating\EBook Creating.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\class2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\credit2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ebay2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ebcover.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\edmplan.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\marketer.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\selfpub.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\thought.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\EBooks\EBooks\Extracted\Package 4\E-Books CD\Ebook2\ws2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Files From Small Drive\Web Sites\250 books old\download\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Look At\Web Sites\Cashgang.net\ebookstore\ebooks\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Look At\Web Sites\Cashgang.net\Membership Site\downloads\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Testfolder\CD & Downloads\EZ Greet\EZGreetSoftware.exe probably a variant of Win32/Agent.BLNIBPI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Web Sites\Cashgang.net\ebookstore\ebooks\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Web Sites\Cashgang.net\Membership Site\downloads\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\Web Sites\Cashgang.net\membership_site\downloads\Not Ready\inside2222r.exe probably a variant of Win32/Agent.DEPZSZM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
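As an added example (not code from this thread, from BleepingComputer or from ESET), a small Python triage script for a log in the layout posted above: it parses the "# key=value" headers and the detection lines, cross-checks the tool's own found/cleaned counters, and separates the entries that were not cleaned under the Windows directory from the quarantined files on the data drive. The meaning of the trailing C / I letters is assumed from this log alone, and the sample input is constructed from a few of its lines.

```python
import re
from collections import Counter

# Constructed sample in the layout of the ESET log posted above: '# key=value'
# headers, then one detection per line: <path> <name> (<action>) <32 hex> <letter>.
# C / I are read as cleaned / not cleaned, as seen in the thread's log (assumption).
SAMPLE_LOG = """\
# version=7
# found=3
# cleaned=2
C:\\WINDOWS\\system32\\drivers\\usbhub.sys a variant of Win32/Rootkit.Agent.NSF trojan (unable to clean) 00000000000000000000000000000000 I
G:\\Files From Small Drive\\EBooks\\class2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
G:\\Files From Small Drive\\EBooks\\ws2002.exe probably a variant of Win32/PSW.LdPinch.NKFXPKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Paths may contain spaces: the path group is lazy, the line is pinned by its tail.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<name>(?:probably )?a variant of (?P<family>\S+) \S+) "
    r"\((?P<action>[^)]+)\) (?P<hash>[0-9a-fA-F]{32}) (?P<status>[A-Z])$"
)

def parse_eset_log(text):
    """Return (headers, detections); '# version=' starts a new run's headers,
    so with two runs in one log (as in the thread) the last run's headers win."""
    headers, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            if key == "version":
                headers = {}
            headers[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(m.groupdict())
    return headers, detections

def triage(text):
    """Totals, families, the tool's own counters cross-checked against the parsed
    lines, and uncleaned entries under the Windows directory (active-rootkit sign)."""
    headers, detections = parse_eset_log(text)
    uncleaned = [d for d in detections if d["status"] != "C"]
    in_windows = [d["path"] for d in uncleaned
                  if d["path"].lower().startswith("c:\\windows\\")]
    return {
        "found": len(detections),
        "cleaned": len(detections) - len(uncleaned),
        "counters_match": headers.get("found") == str(len(detections))
                          and headers.get("cleaned") == str(len(detections) - len(uncleaned)),
        "families": Counter(d["family"] for d in detections),
        "uncleaned_system_files": in_windows,
        "uncleaned_other": [d["path"] for d in uncleaned if d["path"] not in in_windows],
    }
```

Run against the full log above, the same split puts usbhub.sys and shsvcs.dll in the uncleaned system-file list, which is exactly the part a specialised rootkit removal has to deal with.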



