ryan3k3 Posted February 28, 2011 ID:394520

HDD.exe.exe keeps reappearing. I have not really had any issues with my computer or any other virus symptoms besides system slowness. Below are my MBAM and DDS logs.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5906
Windows 6.0.6000
Internet Explorer 7.0.6000.16982
2/28/2011 3:20:18 PM
mbam-log-2011-02-28 (15-20-18).txt
Scan type: Quick scan
Objects scanned: 175590
Time elapsed: 23 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{T5TBB77L-4678-0MKC-421Q-14416031DYU6} (Password.Stealer) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDD (Password.Stealer) -> Value: HDD -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Windows\System32\System32\hdd.exe.exe (Password.Stealer) -> Quarantined and deleted successfully.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Dad at 15:25:14.67 on Mon 02/28/2011
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_22
Microsoft
Staff screen317 Posted March 1, 2011 ID:394728

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a keylogging trojan. A keylogger severely compromises system integrity. A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.
ryan3k3 Posted March 1, 2011 ID:394756

I don't do any online banking or anything else with a credit card at all on this computer, so I don't think I would be at risk for CC fraud. I would like to continue to try and clean this computer up. Thank you.
Staff screen317 Posted March 1, 2011 ID:394928

Okay thanks for letting me know.

Please go to VirusTotal, and upload the following files for analysis:

c:\users\dad\appdata\roaming\snkbot42\snkbot42.exe
c:\program files\java\jre6\bin\jvm.exe

Post the results in your reply.

Next, update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317
ryan3k3 Posted March 1, 2011 ID:395020

Hello. I was unable to find the snkbot file where you said it would be located, and a search of the system did not reveal it. I uploaded the other file and it had no results at all. Below are the MBAM, ComboFix, and DDS logs.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5919
Windows 6.0.6000
Internet Explorer 7.0.6000.16982
3/1/2011 2:58:40 PM
mbam-log-2011-03-01 (14-58-40).txt
Scan type: Quick scan
Objects scanned: 175788
Time elapsed: 16 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} (Backdoor.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Backdoor.Agent) -> Value: Policies -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Backdoor.Agent) -> Value: Policies -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snkbot42 (Backdoor.Agent) -> Value: snkbot42 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snkbot42 (Backdoor.Agent) -> Value: snkbot42 -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\Users\Dad\AppData\Roaming\snkbot42 (Backdoor.Agent) -> Quarantined and deleted successfully.
Files Infected:
c:\program files\common files\Google\windir86.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Roaming\snkbot42\snkbot42.exe (Backdoor.Agent) -> Quarantined and deleted successfully.

ComboFix 11-02-28.07 - Dad 03/01/2011 15:26:16.1.2 - x86
Microsoft
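Both MBAM logs in this thread (the HDD value under Run, the Active Setup Installed Components and CLSID keys, and the snkbot42 entries under Run and Policies\Explorer\Run) are hits in Windows autostart locations, which is why a file like hdd.exe.exe keeps coming back until the launcher entry is gone too. An Active Setup subkey's StubPath runs at logon for every user whose HKCU copy of that key is missing or older, so a leftover HKLM entry re-launches its payload on each new logon. The PowerShell below is an added example, not code from the thread, from Malwarebytes or from ComboFix: it enumerates those same locations, works out which binary each entry launches, and flags the tell-tale signs visible in these logs (a double .exe.exe extension, a nested System32\System32 directory, an executable under AppData, a target file that is missing, or a binary with no valid Authenticode signature). The pattern list, the flag names and the command-line parsing rule are assumptions made for this example. Run it from an elevated PowerShell prompt; it only reads, and a flag is a reason to look closer, not proof of infection.

```powershell
# Added example (not from the thread). Read-only audit of the autostart
# locations abused in the MBAM logs above. Run elevated so HKLM is fully
# readable. Pattern list and flag names are assumptions made for this example.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Each subkey's StubPath runs at logon for any user whose HKCU copy of the
# key is missing or older, so a stale HKLM entry here keeps re-launching its payload.
$activeSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)
# Heuristics taken from the paths in this thread (hdd.exe.exe under
# System32\System32, snkbot42.exe under AppData\Roaming).
$heuristics = @(
    @{ Name = 'double extension';  Pattern = '\.(exe|com|scr)\.(exe|com|scr)$' },
    @{ Name = 'nested System32';   Pattern = '\\System32\\System32\\' },
    @{ Name = 'exe under AppData'; Pattern = '\\AppData\\(Roaming|Local)\\.*\.exe$' }
)

function Get-ExePath([string]$Command) {
    # Pull the launched binary out of a Run/StubPath command line:
    # a quoted path first, otherwise everything up to the first .exe/.com/.scr.
    if (-not $Command) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -match '^\s*"([^"]+)"')                  { return $matches[1] }
    if ($cmd -match '^\s*(.+?\.(exe|com|scr))(\s|$)') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-AutorunEntry([string]$Location, [string]$Name, [string]$Command) {
    $exe   = Get-ExePath $Command
    $flags = @()
    foreach ($h in $heuristics) {
        if ($exe -match $h.Pattern) { $flags += $h.Name }
    }
    if (-not $exe) {
        $flags += 'no target'
    } elseif (-not (Test-Path -LiteralPath $exe)) {
        $flags += 'file missing'        # already removed, or the entry is an orphan
    } elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
        $flags += 'no valid signature'  # normal for some third-party tools; still worth a look
    }
    New-Object PSObject -Property @{
        Location = $Location; Name = $Name; Command = $Command; Flags = ($flags -join ', ')
    }
}

$results = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $values = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        $results += Test-AutorunEntry $key $prop.Name ([string]$prop.Value)
    }
}
foreach ($root in $activeSetupRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $stub = (Get-ItemProperty -LiteralPath $sub.PSPath).StubPath
        if ($stub) { $results += Test-AutorunEntry $sub.PSPath $sub.PSChildName $stub }
    }
}

# Only entries that tripped at least one check; drop the Where-Object to see every entry.
$results | Where-Object { $_.Flags } | Format-Table -AutoSize Location, Name, Flags, Command
```

The signature check is the noisiest of the five: plenty of legitimate vendor tools under Run are unsigned, so read it together with the location. The strong signals in this thread are the path ones, because nothing legitimate installs into a second System32 directory or names itself .exe.exe.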
Staff screen317 Posted March 1, 2011 ID:395024

Hi,

What security software are you currently running?

Please update MBAM again, run a Quick Scan, and post its log.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

DDS::
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
KILLALL::
File::
c:\windows\System32\drivers\ciqq.sys
Driver::
svkswf
TKFsAc
TKFsAv
TKFsFt
TKRgAc
TKRgFt
XDva310
XDva311
XDva315
XDva317
XDva327
XDva328
XDva337
XDva341
XDva342
XDva343
XDva344
XDva345
XDva346
XDva347
XDva348
XDva349
XDva352
XDva358
XDva359
XDva365
XDva366
XDva370
XDva374
XDva377
XDva379
XDva380
XDva382

Save this as CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new DDS log.

-screen317
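The CFScript above deletes one driver file (ciqq.sys) and a long list of driver service entries. Before handing a list like that to a removal tool, a practitioner usually wants to see what those service entries actually point at. The PowerShell below is an added example, not code from the thread or from ComboFix: it walks HKLM\SYSTEM\CurrentControlSet\Services, keeps only kernel and file-system driver services (Type 1 and 2), normalises each ImagePath to a plain Win32 path and flags entries whose binary is missing, lives outside the drivers directory, or carries no valid embedded Authenticode signature. The path-normalisation rules and the flag names are assumptions made for this example. Run it from an elevated prompt; it only reads.

```powershell
# Added example (not from the thread). Read-only audit of driver services:
# what does each Services\<name> entry actually load? Run elevated.
# Path-normalisation rules and flag names are assumptions made for this example.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot   = $env:SystemRoot
$driversDir   = Join-Path $systemRoot 'system32\drivers'

function Resolve-ImagePath([string]$Raw) {
    # Driver ImagePath values come in several forms; map them all to a
    # plain Win32 path so Test-Path can tell whether the file exists.
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim().Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''                           # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', ($systemRoot + '\')    # \SystemRoot\system32\drivers\x.sys
    if ($p -match '^system32\\') { $p = Join-Path $systemRoot $p }   # relative form, very common
    return $p
}

function Test-DriverService($Key) {
    $props = Get-ItemProperty -LiteralPath $Key.PSPath
    # SERVICE_KERNEL_DRIVER = 1, SERVICE_FILE_SYSTEM_DRIVER = 2; skip Win32 services.
    if ($props.Type -ne 1 -and $props.Type -ne 2) { return $null }
    $path  = Resolve-ImagePath ([string]$props.ImagePath)
    $flags = @()
    if (-not $path) {
        $flags += 'no ImagePath'
    } elseif (-not (Test-Path -LiteralPath $path)) {
        $flags += 'binary missing'          # orphaned entry: what a Driver:: list like the one above removes
    } else {
        if ($path -notlike "$driversDir\*") { $flags += 'outside drivers dir' }
        if ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
            $flags += 'no embedded signature'   # noisy on Vista: catalog-signed drivers land here too
        }
    }
    # Start: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    New-Object PSObject -Property @{
        Service = $Key.PSChildName; Start = $props.Start; ImagePath = $path; Flags = ($flags -join ', ')
    }
}

Get-ChildItem -LiteralPath $servicesRoot |
    ForEach-Object { Test-DriverService $_ } |
    Where-Object { $_ -and $_.Flags } |
    Sort-Object Service |
    Format-Table -AutoSize Service, Start, Flags, ImagePath
```

Read the three flags differently. 'binary missing' is the reliable one: a driver service whose file is gone cannot load, so the entry is dead weight and removing it is safe. 'outside drivers dir' deserves a look at the path. 'no embedded signature' is weak evidence on Vista because most Microsoft drivers there are signed through catalog files rather than embedded signatures, and older versions of Get-AuthenticodeSignature report those as NotSigned.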
ryan3k3 Posted March 1, 2011 ID:395049

Hello. After running the ComboFix script, an IE icon appeared on my desktop. I didn't click on it at all, but the homepage is something from Norton. To your other question, I'm using Norton Internet Security 2009. Here are the logs you wanted.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5920
Windows 6.0.6000
Internet Explorer 7.0.6000.16982
3/1/2011 4:37:01 PM
mbam-log-2011-03-01 (16-37-01).txt
Scan type: Quick scan
Objects scanned: 176927
Time elapsed: 7 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

ComboFix 11-02-28.07 - Dad 03/01/2011 16:43:01.2.2 - x86
Microsoft
Staff screen317 Posted March 4, 2011 ID:396071

Hi,

My apologies for the delay.

Next, please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the options Remove found threats and Scan unwanted applications are checked.
Click Scan.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Next, download my Security Check from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
ryan3k3 Posted March 5, 2011 ID:396208

Here are the logs. Things have been going well, but on a side note, for some time, I have been unable to install Windows updates of any kind. Should I make a new thread in PC help or continue here?

Results of screen317's Security Check version 0.99.9
Windows Vista (UAC is disabled!)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java 6 Update 22
Java SE Development Kit 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Adobe Reader 9.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.11) Firefox Out of Date!
````````````````````````````````
Process Check: objlist.exe by Laurent
Norton ccSvcHst.exe
``````````End of Log````````````

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=a850d5f0515bf54cbdfba110549408d0
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-05 01:55:16
# local_time=2011-03-04 08:55:16 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=6.0.6000 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777190 85 82 364056 8382354 0 0
# compatibility_mode=5892 16776573 100 100 0 135886562 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=216796
# found=2
# cleaned=2
# scan_time=11145
C:\Program Files\Java\jre6\bin\proc.exe a variant of MSIL/Injector.EA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Java\jre6\bin\proc2.exe a variant of MSIL/Injector.EA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
Staff screen317 Posted March 7, 2011 ID:397088

Hi,

Open Firefox, then click Help --> Check for Updates; ensure that you get version 3.6.15.

After that, navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall. This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java
ryan3k3 Posted March 7, 2011 ID:397116

I get two errors. One is "Windows cannot check for updates" with the error code 8024D008. I also have many failed attempts (seems like over two years) at updating Windows Update software 7.4.7600.226.

Installation date: 3/6/2011 11:33 PM
Installation status: Failed
Error details: Code 8007041D
Update type: Important
Staff screen317 Posted March 7, 2011 ID:397121

Do you know what Service Pack you currently have installed?
ryan3k3 Posted March 7, 2011 ID:397311

I checked what service pack I have in the properties under My Computer, but it does not say I have any installed. It says it successfully installed SP1 under my update history though.
Staff screen317 Posted March 7, 2011 ID:397385

Download Service Pack 2 manually from here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=a4dd31d5-f907-4406-9012-a5c3199ea2b3&displaylang=en

Ensure that you are disconnected from the Internet and that all security programs are disabled while installing it.

When it finishes, restart your computer, enable your security software, and reconnect to the Internet. See if you can access Windows Update now.
ryan3k3 Posted March 8, 2011 ID:397818

Just a heads up on what I'm doing. I never did have SP1 installed, so I guess it was a failed installation. I downloaded the standalone SP1 which I installed successfully, and I'm in the middle of installing SP2 at the moment.
ryan3k3 Posted March 10, 2011 ID:398257

I have now successfully installed both SP1 and SP2, but I am still failing the update for Windows Update.
Staff screen317 Posted March 11, 2011 ID:398734

Are you still getting both errors? Can you post a screenshot of them?
ryan3k3 Posted March 12, 2011 ID:399032

Well, I tried updating last night and I installed multiple security fixes and others successfully, but I am still failing Windows Update software 7.4.7600.226. When I tried to search for updates, I got this..
ryan3k3 Posted March 12, 2011 ID:399147

Well, it looks like my problem is fixed. I looked some things up online and re-registered wuaeng.dll, and I successfully downloaded that update for Windows Update. Thank you for all your help.
Staff screen317 Posted March 12, 2011 ID:399334

Glad to hear it! Run SecurityCheck again please (get a fresh copy) and post its log.
ryan3k3 Posted March 13, 2011 ID:399344

Here you go.

Results of screen317's Security Check version 0.99.9
Windows Vista Service Pack 2 (UAC is disabled!)
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java 6 Update 24
Java SE Development Kit 6 Update 24
Java DB 10.6.2.1
Mozilla Firefox (3.6.15)
````````````````````````````````
Process Check: objlist.exe by Laurent
Norton ccSvcHst.exe
``````````End of Log````````````
Staff screen317 Posted March 15, 2011 ID:400130

Hi,

Things look good from here. Delete SecurityCheck.

If there are no further issues, then please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites: Green to go, Yellow for caution, Red to stop. WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,
-screen317
Staff screen317 Posted March 25, 2011 ID:404762

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!