Removed: ..\SystemProc\lsass.exe (trojan Dursg)

Malware: C:\sand-box\blacko_DpAnOrOlBEnGo.exe

Removed: C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: RTHDBPL
Author: QJwQtGUCTFJj
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SYSTEMPROC\LSASS.EXE
Type: Explorer Run

Item Name: lsass.exe
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SYSTEMPROC\LSASS.EXE
Type: Running Processes

Removal Results: Success
Number of reboots: 1
—————————————————————————————————————————-
Classification:

Antivirus   Version       Last Update   Result
F-Secure    9.0.15370.0   2010.04.26    Trojan.Generic.KD.8566
Kaspersky   7.0.0.125     2010.04.26    -
Microsoft   1.5703        2010.04.26    Trojan:Win32/Meredrop
NOD32       5062          2010.04.26    Win32/Dursg.A

—————————————————————————————————————————-
Additional information
File size: 65536 bytes
MD5:    ee2a09abe232bd3ad05b9aec448b1d14
SHA1:   fcf59e02c35fcf58705a06ec9fe8a260b6465af6
SHA256: af2223ea95cd03c5cf0cb6b69c4835f939b3a41730e0e34d0c070ecbc4f99a9f
—————————————————————————————————————————-
Installation
When the program is executed, it makes the following changes to the system (registry subkeys and values, files, and folders):

———————————-
Keys added: 5
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\DownloadManager
HKCU\Software\Microsoft\Visual Basic
HKCU\Software\Microsoft\Visual Basic\6.0

———————————-
Values added: 7
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\RTHDBPL: 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 53 79 73 74 65 6D 50 72 6F 63 5C 6C 73 61 73 73 2E 65 78 65 00 3F 00 3F A0 00 00 54 A0 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 00 3F 3F A0 3F 00 3F A0 00 00 00 00 01 00 3F A0 00 00 01 00 00 3F 3F 3F 3F A0 01 00 3F A0 10 11
HKCU\Identities\Curr version: 31 30 00 3F 3F
HKCU\Identities\Last Date: 32 36 2D 34 2D 32 30 31 30 00 6D 50 72 6F 63 5C 6C 73 61 73 73 2E 65 78 65 00
HKCU\Identities\Inst Date: 32 36 2D 34 2D 32 30 31 30 00 00 00 00 00 08 0A 3F 3F 3F 00 00 00 3F 12 00
HKCU\Identities\Popup count: 30 00 3F 12 3F 12 3F 00 3F 3F 00 00 00 00 4D 00 3F 12 3F 3F 4D 00 02 00 3F
HKCU\Identities\Popup time: 30 00 00 41 3F 12 3F 3F 00 00 00 00 3F 12 C5 3F CE 3F 3F 00 3F 12 3F 12 3F
HKCU\Identities\Popup date: 30 00 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41

———————————-
Files added: 5
———————————-
C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
C:\confin.sys

———————————-
Files deleted: 1
———————————-
C:\sand-box\blacko_DpAnOrOlBEnGo.exe

———————————-
Folders added: 6
———————————-
C:\Documents and Settings\Administrator\Application Data\SystemProc
C:\Program Files\Mozilla Firefox
C:\Program Files\Mozilla Firefox\extensions
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content

———————————-
Total changes: 24
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com

UnHackMe removes malware that is invisible to your antivirus!