When I ran a Webroot Spy Sweeper 2011 full scan, it detected something called sdbot. Also, when I run an ESET online scan, it detects something called hn.exe in c:/recycler/(bunch of numbers and letters here)/hn.exe. When I try to go into that folder, I can't find it anywhere, even though "view hidden folders" is checked. Here are my logs.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 12/04/2010 at 03:39 PM
Application Version : 4.46.1000
Core Rules Database Version : 5953
Trace Rules Database Version: 3765
Scan type : Complete Scan
Total Scan Time : 00:37:01
Memory items scanned : 569
Memory threats detected : 0
Registry items scanned : 6178
Registry threats detected : 4
File items scanned : 50067
File threats detected : 0
Malware.Trace
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon#Taskman
Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#UPDATESDISABLENOTIFY
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5241
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
12/4/2010 3:54:43 PM
mbam-log-2010-12-04 (15-54-43).txt
Scan type: Quick scan
Objects scanned: 131705
Time elapsed: 3 minute(s), 27 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
c:\program files\Trillian\trillian.exe (Trojan.Backdoor) -> 2576 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian (Trojan.Backdoor) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\program files\Trillian\trillian.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:05:09 PM, on 12/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer V8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\COMODO\COMODO GeekBuddy\CLPS.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HiJackThis\sniper.exe
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Program Files\Java\jre6\bin\javaw.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKLM\..\Run: [nwiz] "C:\Program Files\NVIDIA Corporation\nView\nwiz.exe" /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO] "C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [PhotoshopElements8SyncAgent] "C:\Program Files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe"
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - S-1-5-18 Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FF52E4B-50F7-4CB3-82B2-D0968132D4E7}: NameServer = 156.154.70.22,156.154.71.22
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
--
End of file - 8946 bytes
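As an added example (not part of the original thread and not HijackThis's own code), here is a small Python triage pass over HijackThis entries of the kind posted above. The sample lines are copied from that log; the four rules are this editor's heuristics, and a hit means "look at this first", not "malicious". The nLite RunOnce entries under SYSTEM will be flagged alongside the Trillian startup links; deciding whether a flagged autorun is expected is still the reviewer's job.

```python
"""Triage of a HijackThis log: parse the 'Oxx - ...' entries and flag the
ones a reviewer would look at first. The rules are heuristics chosen for this
example, not anything HijackThis itself reports."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Entries copied from the HijackThis log above, one entry per line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - S-1-5-18 Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FF52E4B-50F7-4CB3-82B2-D0968132D4E7}: NameServer = 156.154.70.22,156.154.71.22
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
USER_RE = re.compile(r"\(User '(?P<user>[^']+)'\)\s*$")
# Profiles whose autoruns execute without an interactive logon.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "Default user"}


@dataclass
class Entry:
    section: str  # HijackThis section code: O4, O17, O20, O23, ...
    body: str     # everything after the "O4 - " prefix
    raw: str      # the whole line, for reporting


@dataclass
class Finding:
    rule: str
    entry: Entry


def parse_log(text: str) -> List[Entry]:
    """Keeps the entry lines and drops headers, process lists and blanks."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body"), line.strip()))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    findings = []
    for e in entries:
        if e.section == "O4":
            # An autorun attached to SYSTEM, a service account or the Default
            # profile runs with nobody logged in; an interactive program such
            # as an IM client has no business being started that way.
            m = USER_RE.search(e.body)
            if m and m.group("user") in SERVICE_ACCOUNTS:
                findings.append(Finding("autorun-under-service-account", e))
        elif e.section == "O17" and "NameServer" in e.body:
            # Hard-coded resolvers decide where every hostname goes; confirm
            # they are the ones the owner actually configured.
            findings.append(Finding("verify-dns-servers", e))
        elif e.section == "O20" and "Invalid registry found" in e.body:
            # Winlogon Notify packages load inside winlogon.exe; a broken
            # entry is either an uninstall leftover or worth a closer look.
            findings.append(Finding("winlogon-notify-invalid", e))
        elif e.section == "O23" and e.body.endswith("(file missing)"):
            # A registered service whose binary is gone: usually an orphaned
            # uninstall, but the registration itself should be removed.
            findings.append(Finding("service-binary-missing", e))
    return findings


def count_by_rule(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in triage(parse_log(text)):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.rule}] {f.entry.raw}")
```

Run against the sample, the plain per-user `O4 - Startup:` link is not flagged while the SYSTEM and Default-user copies of the same link are, which is exactly the distinction Malwarebytes reacted to in the log above.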
Hello and welcome back. Unfortunately, I have some bad news. Please read below. Since you have just reformatted, my suggestion would be to re-format once more and install your AV and firewall before going back on-line, because we cannot guarantee the security of your computer. Please let me know what you intend to do.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
Read this article: Danger: Remote Access Trojans.
If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be CHANGED immediately, including those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed using a different computer, not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.
I would counsel you to disconnect this PC from the Internet immediately.
Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?
We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.

Thanks! And hi again.
I'm sorry, but my question is: is the trojan caused by trillian.exe? What about the sdbot or the hn.exe from c:/recycler/21421nuisad/? I feel less concerned about the trojan because, based on what I read, the noticeable thing it does is just stealing bank accounts and passwords. I haven't been on anything of utmost importance to me. However, the sdbot and hn.exe, I don't even know what they are or why they are there, so you should know why I'm worried. It's been four days already and I already have 33 GB worth of files on my computer with a lot of tedious updating and installing. Remember how I said I would do anything besides a reformat? lol. I know... I'm stubborn.
I have some questions, though, if you don't mind answering; I'm not very intelligent when it comes to these things.
Firstly, I don't understand why there is no guarantee for the security of my computer even after the removal process. How does the backdoor function?
Secondly, is the backdoor trojan similar to a keylogger? For example, can they read what I am typing as of now? Do they know what I am doing on this computer every moment I'm on it?
And lastly, if my computer is disconnected from the internet, the hacker will have no way of accessing my computer, right?
I think those are the major questions I have so far.
Btw, I have installed Comodo Firewall since the previous topic; you said something about it blocking outgoing and incoming connections, as opposed to the Windows pre-installed firewall, which only blocks outside connections. Not sure if I got those mixed up. Would Comodo Firewall detect any outgoing connections that are used to send crucial system and personal information to the hacker?
Thanks for bearing with me this whole time, I'm very grateful lol. I am not sure of my intentions at this point, so please, if you have the time, answer whatever you know. I hope you understand me.

Quote: hn.exe
Here.
Quote: sdbot
Here.
Quote: Firstly, I don't understand why there is no guarantee for the security of my computer even after the removal process. How does the backdoor function?
Backdoor Trojan
Quote: is the backdoor trojan similar to a keylogger? For example, can they read what I am typing as of now? Do they know what I am doing on this computer every moment I'm on it?
Keyloggers.
Quote: And lastly, if my computer is disconnected from the internet, the hacker will have no way of accessing my computer, right?
Correct. It is isolated from all outside influences, but it must be a physical disconnect, such as unplugging the cable from the modem.
Quote: Would Comodo Firewall detect any outgoing connections that are used to send crucial system and personal information to the hacker?
That is correct. That's why it's so important to block outgoing traffic.

Quote from: SuperDave on December 05, 2010, 04:03:40 PM
Quote: Would Comodo Firewall detect any outgoing connections that are used to send crucial system and personal information to the hacker?
Correct. It is isolated from all outside influences, but it must be a physical disconnect, such as unplugging the cable from the modem. That is correct. That's why it's so important to block outgoing traffic.
As you noted previously though, SD, once the system is compromised like this, you cannot trust any of the software that is installed, firewalls included.

I read all of them, and what I still don't know is: what is hn.exe? For some reason, when I type c:\recycler\k-1-3542-4232123213-7676767-8888886\ into Windows Explorer, it automatically erases.
And about the keylogger: "is the backdoor trojan similar to a keylogger? For example, can they read what I am typing as of now? Do they know what I am doing on this computer every moment I'm on it?" I can't find anywhere on that site that answers this. I knew what it does, but it doesn't answer my question.
I was going to ask about the backdoor trojan and why it's still not safe, but BC_Programmer just answered two of my questions a few minutes before I was about to post, thanks lol. So does this mean the 100% outgoing traffic from chrome.exe in Comodo Firewall as of this post cannot be trusted?

Quote from: iusexp on December 05, 2010, 09:43:13 PM
So does this mean the 100% outgoing traffic from chrome.exe in Comodo Firewall as of this post cannot be trusted?
Basically, it goes like this. With malware/viruses like this, you can never be sure whether they installed a rootkit or other "hider" type of malware. For example, the reason you cannot see hn.exe is because it is, most likely, hidden from the Windows API (which most Windows programs use to view files). Technically, this is done rather easily by redirecting all calls to the file-find functions, like FindFirstFile and FindNextFile, as well as the functions to open files (CreateFile), and if the file is something the malware wants to "hide", returning a value that says "file not found" or simply skipping that file; otherwise, it will just pass along all the various stuff it was given to the standard Windows function (so you can still see all other files and everything "seems" normal).
This same thing can be done for anything; network activity can be hidden from firewalls by simply not allowing the firewalls to see that activity; it's not as hard as it may seem, either. Some firewalls hook directly into the network driver, but a rootkit can always replace that network driver with its own and simply not tell the firewall about the malicious activity. The entire point of a rootkit is to make a computer seem clean when it really isn't.
So, you might wonder how the online scan found the file if it's so well hidden. Most AV programs don't rely merely on the Windows API; some go directly to the disk or file-system driver level and retrieve file information that way, and in most cases this goes below any rootkit-type malware and allows it to see the files that would otherwise be hidden.
Quote from: iusexp on December 05, 2010, 09:43:13 PM
is the backdoor trojan similar to a keylogger?
There is some confusion here; a virus/malware doesn't have to be merely one form or another; most malware counts as a number of various "classes". A backdoor is merely a way for the malware writer to gain access to your PC; these are often hidden with rootkits (so you and your AV (unless properly designed) cannot see the port it's keeping open), and oftentimes they throw in a keylogger portion as an extra bonus (which is usually also hidden by the rootkit). Any time you are connected to the net, the PC/malware could be uploading your keystrokes to a remote server; the activity could be hidden, and you'd never be the wiser. Of course unplugging the network cable could circumvent this, but for all we can guess the program simply logs the keystrokes to a file and then, the next time it has access, uploads them elsewhere; the malware writer at that point can go through your keystrokes looking for things like web passwords and especially passwords/information that gives them access to finances, PayPal, eBay, and so forth. There is no way to know what parts are present; even when you use a special rootkit revealer, you can't know if it found all the various bits, and if one thing remains it could very well be used to rebuild the others, and so on.
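The hiding mechanism and the "look from below" check described in the post above, as an added Python simulation that is not part of the original thread and touches no real Windows API. The volume contents, the SID-style folder name under RECYCLER and the hide rule are all constructed for the demonstration; `HookedFindFile` stands in for the hooked FindFirstFile/FindNextFile pair, and `raw_listing` stands in for a scanner reading the file system below the hook.

```python
"""Simulation of a usermode rootkit hiding a directory from the Win32
directory-enumeration API, and of the cross-view check that finds it.
Everything here is constructed sample data; no real file system is read."""
from typing import Dict, List, Optional, Tuple

ERROR_PATH_NOT_FOUND = 3  # Win32 error code for "cannot find the path specified"

Entry = Tuple[str, bool]  # (name, is_directory)

# Constructed sample volume: directory path -> its entries. The folder name
# under RECYCLER is made up; it only mimics the SID-style names found there.
HIDDEN_DIR = "C:\\RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000"
RAW_VOLUME: Dict[str, List[Entry]] = {
    "C:\\": [("WINDOWS", True), ("Program Files", True), ("RECYCLER", True), ("pagefile.sys", False)],
    "C:\\WINDOWS": [("system32", True), ("explorer.exe", False), ("notepad.exe", False)],
    "C:\\WINDOWS\\system32": [("kernel32.dll", False), ("ntdll.dll", False)],
    "C:\\Program Files": [("Trillian", True)],
    "C:\\Program Files\\Trillian": [("trillian.exe", False)],
    "C:\\RECYCLER": [("S-1-5-21-0000000000-0000000000-0000000000-1000", True), ("desktop.ini", False)],
    HIDDEN_DIR: [("hn.exe", False), ("Desktop.ini", False)],
}


def join(directory: str, name: str) -> str:
    return directory + name if directory.endswith("\\") else directory + "\\" + name


def raw_listing(directory: str) -> List[Entry]:
    """What a scanner gets by reading the file-system structures directly,
    below any API hook (here simply the dictionary itself)."""
    if directory not in RAW_VOLUME:
        raise OSError(ERROR_PATH_NOT_FOUND, "The system cannot find the path specified")
    return list(RAW_VOLUME[directory])


class HookedFindFile:
    """Models the hook a usermode rootkit places on FindFirstFile/FindNextFile.

    Every call is forwarded to the real implementation and only the results
    are filtered: entries under a hidden prefix are skipped as if FindNextFile
    had never returned them, and opening a hidden directory fails with the
    same error a nonexistent one produces, so nothing looks odd to the caller.
    """

    def __init__(self, hide_prefixes: List[str]):
        self._hide = [p.lower() for p in hide_prefixes]

    def _is_hidden(self, path: str) -> bool:
        p = path.lower()
        return any(p == h or p.startswith(h + "\\") for h in self._hide)

    def find_first_file(self, directory: str) -> List[Entry]:
        if self._is_hidden(directory):
            raise OSError(ERROR_PATH_NOT_FOUND, "The system cannot find the path specified")
        return [e for e in raw_listing(directory) if not self._is_hidden(join(directory, e[0]))]


def visible_through_api(api: HookedFindFile, directory: str) -> bool:
    """True if the hooked API lets the caller open the directory at all."""
    try:
        api.find_first_file(directory)
        return True
    except OSError:
        return False


def cross_view_diff(api: HookedFindFile, root: str = "C:\\") -> List[str]:
    """Walks the raw view and reports every path the API view does not show.

    Two listings of the same tree, one through the hooked API and one taken
    from below it; any difference is something that is being hidden."""
    findings: List[str] = []
    stack = [root]
    while stack:
        directory = stack.pop()
        try:
            api_names: Optional[set] = {n.lower() for n, _ in api.find_first_file(directory)}
        except OSError:
            api_names = None  # the whole directory is invisible through the API
        for name, is_dir in raw_listing(directory):
            full = join(directory, name)
            if api_names is None or name.lower() not in api_names:
                findings.append(full)
            if is_dir:
                stack.append(full)
    return sorted(findings)


# The constructed rootkit hides the whole SID-named folder, files included.
rootkit_view = HookedFindFile([HIDDEN_DIR])


def hidden_paths() -> List[str]:
    return cross_view_diff(rootkit_view)


if __name__ == "__main__":
    print("API view of C:\\RECYCLER:", rootkit_view.find_first_file("C:\\RECYCLER"))
    for path in hidden_paths():
        print("hidden from the API:", path)
```

Run stand-alone, the API view of C:\RECYCLER shows only desktop.ini and opening the SID-named folder fails with the ordinary "path not found" error, which is what Explorer and the user's typed path ran into; the cross-view walk still lists the folder and hn.exe inside it. The same comparison applies to the network case in the post: the socket table obtained on the host versus what an unhooked observer sees (a port scan from another machine, a capture on the gateway). A rootkit can only lie to the calls it has hooked, so a view taken from below or outside it is the reference.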
Wow! Scary stuff. This raises another question. Can the hacker access my data when my computer is turned off while it is still physically connected to the internet? Because if the computer is really stealing my data when I am online, I should be lagging, right? So far I haven't noticed this yet. Unless the hacker can control the sending speed to a minimum level, in which case I wouldn't notice the lag difference?

Quote from: iusexp on December 06, 2010, 10:36:28 AM
Wow! Scary stuff. This raises another question. Can the hacker access my data when my computer is turned off while it is still physically connected to the internet?
The computer could be sending the "logs" at regular intervals. There is absolutely no way to know. It's all hidden from you. It could be accumulating the logs until there is a connection and sending them off.
Quote: Because if the computer is really stealing my data when I am online, I should be lagging, right?
Err... no... that doesn't even make much sense. A few days' worth of keystrokes might be a few hundred K.

Oh, my bad, I meant: wouldn't I lag when it sends the data? Like, I would lag for a few seconds while it is sending the few hundred K.

Okay, I just want to give it a shot by cleaning it before I reformat. SuperDave, are you still there?

I fully realize it's a bi*** to reformat, but it would really be worth the effort to get a clean computer.

Quote from: iusexp on December 07, 2010, 01:26:23 PM
Oh, my bad, I meant: wouldn't I lag when it sends the data? Like, I would lag for a few seconds while it is sending the few hundred K.
Maybe. If you were using a 3600 baud modem. (That's a no for all practical purposes.)