Jump to content

HDD.exe


ryan3k3

Recommended Posts

HDD.exe.exe keeps reappearing. I have not really had any issues with my computer or any other virus symptoms besides system slowness. Below are my MBAM and dds logs.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5906

Windows 6.0.6000

Internet Explorer 7.0.6000.16982

2/28/2011 3:20:18 PM

mbam-log-2011-02-28 (15-20-18).txt

Scan type: Quick scan

Objects scanned: 175590

Time elapsed: 23 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6} (Password.Stealer) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{T5TBB77L-4678-0MKC-421Q-14416031DYU6} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDD (Password.Stealer) -> Value: HDD -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\System32\hdd.exe.exe (Password.Stealer) -> Quarantined and deleted successfully.

DDS (Ver_10-12-12.02) - NTFSx86

Run by Dad at 15:25:14.67 on Mon 02/28/2011

Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_22

Microsoft

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a keylogging trojan. A keylogger severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmiission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.

Link to post
Share on other sites

  • Staff

Okay thanks for letting me know.

Please go to VirusTotal, and upload the following files for analysis:

c:\users\dad\appdata\roaming\snkbot42\snkbot42.exe

c:\program files\java\jre6\bin\jvm.exe

Post the results in your reply.

Next, update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Hello. I was unable to find the snkbot file where you said it would be located, and a search of the system did not reveal it. I uploaded the other file and it had no results at all. Below are the MBAM, ComboFix, and DDS logs.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5919

Windows 6.0.6000

Internet Explorer 7.0.6000.16982

3/1/2011 2:58:40 PM

mbam-log-2011-03-01 (14-58-40).txt

Scan type: Quick scan

Objects scanned: 175788

Time elapsed: 16 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} (Backdoor.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} (Backdoor.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Backdoor.Agent) -> Value: Policies -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Backdoor.Agent) -> Value: Policies -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snkbot42 (Backdoor.Agent) -> Value: snkbot42 -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snkbot42 (Backdoor.Agent) -> Value: snkbot42 -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\Users\Dad\AppData\Roaming\snkbot42 (Backdoor.Agent) -> Quarantined and deleted successfully.

Files Infected:

c:\program files\common files\Google\windir86.exe (Backdoor.Agent) -> Quarantined and deleted successfully.

c:\Users\Dad\AppData\Roaming\snkbot42\snkbot42.exe (Backdoor.Agent) -> Quarantined and deleted successfully.

ComboFix 11-02-28.07 - Dad 03/01/2011 15:26:16.1.2 - x86

Microsoft

Link to post
Share on other sites

  • Staff

Hi,

What security software are you currently running?

Please update MBAM again, run a Quick Scan, and post its log.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

DDS::
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
KILLALL::
File::
c:\windows\System32\drivers\ciqq.sys
Driver::
svkswf
TKFsAc
TKFsAv
TKFsFt
TKRgAc
TKRgFt
XDva310
XDva311
XDva315
XDva317
XDva327
XDva328
XDva337
XDva341
XDva342
XDva343
XDva344
XDva345
XDva346
XDva347
XDva348
XDva349
XDva352
XDva358
XDva359
XDva365
XDva366
XDva370
XDva374
XDva377
XDva379
XDva380
XDva382

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Link to post
Share on other sites

Hello. After running the combofix script, an IE icon appeared on my desktop. I didn't click on it at all, but the homepage is something from Norton. To your other question, im using Norton Internet Security 2009. Here are the logs you wanted.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5920

Windows 6.0.6000

Internet Explorer 7.0.6000.16982

3/1/2011 4:37:01 PM

mbam-log-2011-03-01 (16-37-01).txt

Scan type: Quick scan

Objects scanned: 176927

Time elapsed: 7 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 11-02-28.07 - Dad 03/01/2011 16:43:01.2.2 - x86

Microsoft

Link to post
Share on other sites

  • Staff

Hi,

My apologies for the delay.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

Here are the logs. Things have been going well, but on a side note, for some time, I have been unable to install Windows updates of any kind. Should i make a new thread in PC help or continue here?

Results of screen317's Security Check version 0.99.9

Windows Vista (UAC is disabled!)

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

Norton Internet Security

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 22

Java SE Development Kit 6 Update 21

Out of date Java installed!

Adobe Flash Player 10.1.102.64

Adobe Reader 9.2

Out of date Adobe Reader installed!

Mozilla Firefox (3.5.11) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

``````````End of Log````````````

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=a850d5f0515bf54cbdfba110549408d0

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-03-05 01:55:16

# local_time=2011-03-04 08:55:16 (-0500, Eastern Standard Time)

# country="United States"

# lang=9

# osver=6.0.6000 NT

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=3588 16777190 85 82 364056 8382354 0 0

# compatibility_mode=5892 16776573 100 100 0 135886562 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=216796

# found=2

# cleaned=2

# scan_time=11145

C:\Program Files\Java\jre6\bin\proc.exe a variant of MSIL/Injector.EA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Java\jre6\bin\proc2.exe a variant of MSIL/Injector.EA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Link to post
Share on other sites

  • Staff

Hi,

Open Firefox, then click Help --> Check for Updates; ensure that you get version 3.6.15

After that, navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java

Link to post
Share on other sites

I get two errors. One is "Windows cannot check for updates" with the error code 8024D008. I also have many failed attempts (Seems like over two years) at updating Windows Update software 7.4.7600.226.

Installation date: ?3/?6/?2011 11:33 PM

Installation status: Failed

Error details: Code 8007041D

Update type: Important

Link to post
Share on other sites

  • Staff

Download Service Pack 2 manually from here:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=a4dd31d5-f907-4406-9012-a5c3199ea2b3&displaylang=en

Ensure that you are disconnected from the Internet and that all security programs are disabled while installing it.

When it finishes, restart your computer, enable your security software, and reconnect to the Internet. See if you can access Windows Update now.

Link to post
Share on other sites

Here you go.

Results of screen317's Security Check version 0.99.9

Windows Vista Service Pack 2 (UAC is disabled!)

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

Norton Internet Security

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 24

Java SE Development Kit 6 Update 24

Java DB 10.6.2.1

Mozilla Firefox (3.6.15)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

``````````End of Log````````````

Link to post
Share on other sites

  • Staff

Hi,

Things look good from here. Delete SecurityCheck.

If there are no further issues, then please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.