PDA

View Full Version : Help with Trojan Horse



drhost
2009-10-10, 00:15
I am getting the following Trojan horse caught by spybot. It causes a message to appear from any run executable stating that the DLL: gasfkykdbqosat.dll is not a valid windows image.

Spybot did report the dll as a trojan horse in the registry. I indicated I wanted it removed, but it looks like it did not work.

Any help would be greatly appreciated.

The lastest spybot (version 1.6.2.46) reports the following:
Win32.TDSS.rtk: [SBI $CC549FA0] File (File, nothing done)
C:\WINDOWS\system32\drivers\gasfkyhhlxdjol.sys
Properties.size=0
Properties.md5=B56631ADC3056AEAFAFAD7641CE59D9E
Win32.TDSS.rtk: [SBI $44B45F45] File (File, nothing done)
C:\WINDOWS\system32\gasfkykasxwbab.dll
Properties.size=0
Properties.md5=D3CBC32902FF1CAF060906953124D0BD
Win32.TDSS.rtk: [SBI $44B45F45] File (File, nothing done)
C:\WINDOWS\system32\gasfkykdbqosat.dll
Properties.size=0
Properties.md5=DF5A1543E794DCFB9845DDCCC5E45AF6
Win32.TDSS.rtk: [SBI $44B45F45] File (File, nothing done)
C:\WINDOWS\system32\gasfkymlqrmupo.dll
Properties.size=0
Properties.md5=61E935C36E124655EB0E8A054AE279B2
Win32.TDSS.rtk: [SBI $4430B36D] File (File, nothing done)
C:\WINDOWS\system32\gasfkyouiqcyrg.dat
Properties.size=0
Properties.md5=27C8093752A0E06C70E4339AC552FDD6
Win32.TDSS.rtk: [SBI $4430B36D] File (File, nothing done)
C:\WINDOWS\system32\gasfkytgeboepj.dat
Properties.size=0
Properties.md5=06F2237369FDDAE451C62260C7313578
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-10-09 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-10-06 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-08-10 Includes\Dialer.sbi (*)
2009-10-06 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-10-06 Includes\HijackersC.sbi (*)
2009-09-29 Includes\Keyloggers.sbi (*)
2009-10-06 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-10-06 Includes\Malware.sbi (*)
2009-10-06 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-10-06 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-10-06 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-10-06 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-10-06 Includes\Trojans.sbi (*)
2009-10-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Shaba
2009-10-12, 22:36
Hi drhost

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.