It all started after a port scanner scanned my PC, then...
* I am infected with Adware.eSeller, it has two .dll files on my computer, C:\Windows\System32\eseller.dll and C:\Windows\System32\esellercore.dll
* Norton AntiVirus 2009 detected "Perfect Keylogger (Spyware.Perfect)" and Spyware.Ardakey which were automatically removed.
* I found files that have been downloaded by some bot!
tiny.exe (backdoor), which I have uploaded to UploadNET.
keylogger.exe (keylogger), which I have uploaded to UploadNET.
backdoor.exe (backdoor), which I have uploaded to UploadNET.
And tools used to hide them:
Encrypters
Process Killers
I'm sure it has more than two files on my computer, so I used HijackThis -- see the attachments.
Please help me!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:13 PM, on 12/30/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Rhett\Desktop\Malware\Keyloggers\keylogger\bin\svchost.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cndt
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O4 - HKLM\..\Run: [majmonitor] C:\Program Files\MajMonitoring1\majmonitoring.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WengoPhoneNG] C:\Program Files\WengoPhone\qtwengophone.exe -b
O4 - HKCU\..\Run: [majmonitor] C:\Program Files\MajMonitoring1\majmonitoring.exe
O4 - HKUS\S-1-5-21-746021148-1913252787-1857551035-1000\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-746021148-1913252787-1857551035-1000\..\Run: [WengoPhoneNG] C:\Program Files\WengoPhone\qtwengophone.exe -b (User '?')
O4 - HKUS\S-1-5-21-746021148-1913252787-1857551035-1000\..\Run: [majmonitor] C:\Program Files\MajMonitoring1\majmonitoring.exe (User '?')
O4 - S-1-5-21-746021148-1913252787-1857551035-1000 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - S-1-5-21-746021148-1913252787-1857551035-1000 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{68EB49BA-A4E3-46CF-99E0-CECFF98CB6B7}: NameServer = 205.188.146.145
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 4359 bytes
Rhett Trappman
trappmanrhett@yahoo.com
#1
Posted 30 December 2008 - 10:07 PM
#2
Posted 30 December 2008 - 10:17 PM
I found some more, NONE of them are currently detected!
#3
Posted 04 January 2009 - 09:31 AM
Sorry for the delay. If you still need help please run the following but DO NOT attach any logs or use any other Tags for posting, just post your logs directly into the post please, thanks.
Malwarebytes' Anti-Malware
- Start MalwareBytes AntiMalware
- Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
- If you accidentally close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then RESTART the computer again and AFTER the restart run HJT Scan and Save log and post back all NEW logs.