
Downloader-RECYCLER Trojan


  • This topic is locked

#1 fishtheorange (Member, 23 posts)
Hi,

I have a problem with a few computers in my office. Our computers are all connected to the internet via a local server. The IT guys that installed the system do not realise that the USB drives they use to install software contain viruses, and so every computer that was set up by them has the same virus. Without going into too much detail, I live and work in Thailand, and this is not the first time I have come across this same situation, and it will certainly not be the last.
So, I believe that not only are these computers in this particular office infected, but I would not be surprised if the main server was also infected.

If I am able to remove the virus from these computers, would it be futile if the server was still infected? Would the virus be able to spread from the server without hindrance even if I install a decent anti-virus?
Should I be isolating the computers from the network and telling the IT guys upstairs how stupid they are being?

I will create and add an OTL log asap.

The trojan is described as a Downloader and creates files in the System32 folder named 1.exe, 2.exe, 3.exe, etc. There is also RECYCLER, I don't know if they are one and the same.
I have tried scanning in safe-mode but while it finds and removes some files, they return upon restart, though I believe that some are more deeply embedded.
  • 0


#2 fishtheorange (Topic Starter, Member, 23 posts)
OTL logfile created on: 6/28/2011 9:54:42 AM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.58 Gb Available Physical Memory | 78.91% Memory free
3.85 Gb Paging File | 3.62 Gb Available in Paging File | 94.20% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 87.89 Gb Total Space | 80.37 Gb Free Space | 91.45% Space Free | Partition Type: NTFS
Drive D: | 144.99 Gb Total Space | 143.97 Gb Free Space | 99.30% Space Free | Partition Type: NTFS

Computer Name: DR-F9DEF48F10A9 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/28 09:51:44 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2010/09/07 22:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/09/07 22:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/04/24 11:38:11 | 000,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/09/08 00:19:27 | 000,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe


========== Modules (SafeList) ==========

MOD - [2011/06/28 09:51:44 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2008/04/14 05:42:52 | 001,054,208 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2006/09/08 00:18:56 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/09/07 22:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 22:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/09/07 22:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/06/17 08:20:26 | 000,095,536 | R--- | M] (BUFFALO INC.) [Auto | Stopped] -- C:\Program Files\BUFFALO\SLManagerEasy\Bufssvr.exe -- (Bufssvr)


========== Driver Services (SafeList) ==========

DRV - [2010/09/07 21:53:58 | 000,340,048 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2010/09/07 21:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 21:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 21:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 21:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/09/07 21:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/09/07 21:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/04/14 00:26:08 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2007/11/01 13:38:56 | 004,620,288 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/10/17 19:12:00 | 000,030,720 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l251x86.sys -- (AtcL002)
DRV - [2006/02/28 19:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2006/02/28 19:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/08/13 09:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.th/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/02/03 09:47:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/14 16:23:36 | 000,000,000 | ---D | M]

[2011/02/03 09:47:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011/02/03 09:47:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\4d0sxbtd.default\extensions
[2011/06/28 09:53:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/14 15:34:29 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

O1 HOSTS File: ([2006/02/28 19:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe (Hewlett-Packard)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [12CFG214-K641-12SF-N85P] File not found
O4 - HKCU..\Run: [Tnaww] File not found
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [Xflalx] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 203.146.15.9
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe) - File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/01/14 15:32:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{07dadcb4-3016-11e0-b725-0018f33c06f4}\Shell - "" = AutoRun
O33 - MountPoints2\{07dadcb4-3016-11e0-b725-0018f33c06f4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{07dadcb4-3016-11e0-b725-0018f33c06f4}\Shell\AutoRun\command - "" = J:\Windows\CHECK\DriveNavigator.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (aswBoot.exe /M:41c272541169) - C:\WINDOWS\System32\aswBoot.exe (AVAST Software)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/28 09:51:04 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2011/06/27 10:15:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/06/17 16:45:11 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/06/10 16:51:12 | 000,000,000 | ---D | C] -- C:\My_Game
[2011/06/07 15:08:42 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2011/06/07 15:08:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\uTorrent
[2011/06/07 14:40:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/06/07 14:30:01 | 000,165,584 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/06/07 14:30:01 | 000,017,744 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/06/07 14:30:00 | 000,340,048 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/06/07 14:30:00 | 000,023,376 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/06/07 14:29:59 | 000,046,672 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/06/07 14:29:58 | 000,100,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/06/07 14:29:58 | 000,094,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/06/07 14:29:58 | 000,028,880 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/06/07 14:29:51 | 000,038,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/06/07 14:29:50 | 000,167,592 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/06/07 14:29:46 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2011/06/07 14:29:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011/06/07 14:29:33 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\User\Desktop\Avast! Pro Antivirus Ver 5.0.677
[2011/06/07 14:27:45 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/06/07 12:37:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Tracing
[2011/06/07 12:37:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Live
[2011/06/07 12:37:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2011/06/07 12:37:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2011/06/07 12:37:03 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2011/06/07 12:36:53 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2011/06/07 12:35:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2011/06/07 11:54:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Downloads
[2011/06/06 13:47:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/06/03 14:37:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Macromedia
[2011/06/03 14:36:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Start Menu\Programs\Google Chrome
[2011/06/03 14:34:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Temp
[2011/06/03 14:34:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Google
[2011/06/03 14:33:39 | 000,568,680 | ---- | C] (Google Inc.) -- C:\Documents and Settings\User\Desktop\ChromeSetup.exe
[5 C:\Documents and Settings\User\Application Data\*.tmp files -> C:\Documents and Settings\User\Application Data\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/28 09:51:44 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2011/06/28 09:44:50 | 000,002,463 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Microsoft Office Word 2003.lnk
[2011/06/28 09:43:06 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/06/28 09:39:00 | 000,000,972 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-682003330-999371212-1003UA.job
[2011/06/28 06:46:52 | 000,248,739 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/06/28 06:43:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/27 14:39:00 | 000,000,920 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-682003330-999371212-1003Core.job
[2011/06/27 06:47:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/17 16:45:11 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/06/15 15:24:15 | 000,051,229 | ---- | M] () -- C:\Documents and Settings\User\My Documents\C50D2E75ADAEA0AF79669D54435FF5A1862BF606.torrent
[2011/06/15 09:43:34 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Google Chrome.lnk
[2011/06/15 09:43:34 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/06/10 20:10:20 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/06/07 16:57:44 | 000,309,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/07 14:40:09 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/06/07 14:29:58 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/06/07 10:47:49 | 000,311,740 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/07 10:47:49 | 000,040,128 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/06 14:57:48 | 000,001,789 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2011/06/03 14:33:43 | 000,568,680 | ---- | M] (Google Inc.) -- C:\Documents and Settings\User\Desktop\ChromeSetup.exe
[5 C:\Documents and Settings\User\Application Data\*.tmp files -> C:\Documents and Settings\User\Application Data\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/15 15:24:14 | 000,051,229 | ---- | C] () -- C:\Documents and Settings\User\My Documents\C50D2E75ADAEA0AF79669D54435FF5A1862BF606.torrent
[2011/06/10 20:02:58 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/06/07 14:40:09 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/06/03 14:36:16 | 000,002,277 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Google Chrome.lnk
[2011/06/03 14:36:16 | 000,002,255 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/06/03 14:34:30 | 000,000,972 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-682003330-999371212-1003UA.job
[2011/06/03 14:34:30 | 000,000,920 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-682003330-999371212-1003Core.job
[2011/02/04 11:20:47 | 000,009,305 | R--- | C] () -- C:\WINDOWS\UN090430.INI
[2011/02/03 09:47:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/01/17 09:45:52 | 000,442,368 | R--- | C] () -- C:\WINDOWS\System32\zshp1020.exe
[2011/01/17 09:45:52 | 000,106,496 | R--- | C] () -- C:\WINDOWS\System32\vshp1020.dll
[2011/01/14 22:24:13 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/01/14 22:23:19 | 000,309,992 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/01/14 16:04:51 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2011/01/14 15:59:33 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2011/01/14 15:59:32 | 000,010,289 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2011/01/14 15:59:21 | 000,012,536 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2011/01/14 15:49:20 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/01/14 15:34:47 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/01/14 15:30:34 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/08/06 06:50:00 | 001,597,690 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2008/04/14 05:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2006/12/31 07:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 19:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 19:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 19:00:00 | 000,311,740 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 19:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 19:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 19:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 19:00:00 | 000,040,128 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 19:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 19:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 19:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Unicode (All) ==========
[2011/06/07 15:08:42 | 000,000,648 | ---- | M] ()(C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\?Torrent.lnk) -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/06/07 15:08:42 | 000,000,648 | ---- | C] ()(C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\?Torrent.lnk) -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/06/07 15:08:42 | 000,000,630 | ---- | M] ()(C:\Documents and Settings\All Users\Desktop\?Torrent.lnk) -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2011/06/07 15:08:42 | 000,000,630 | ---- | C] ()(C:\Documents and Settings\All Users\Desktop\?Torrent.lnk) -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk

< End of report >
  • 0

#3 fishtheorange (Topic Starter, Member, 23 posts)
Looking through the Avast logs, the first trojan I came across was Win32:Kryptik - DIK and the second was Win32:Downloader - IEW. Avast also found the worm BV:Autorun-G a few days ago.
1 day after Avast removes the infection, it returns, possibly by somebody's infected USB, possibly through the network if that is possible.
  • 0

#4 fishtheorange (Topic Starter, Member, 23 posts)
With fear of bumping a topic and being chastised, is there anyone who can help or give any suggestions?
  • 0

#5 ali.B (Trusted Helper, Malware Removal, 3,086 posts)
hi

Step 1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKCU..\Run: [12CFG214-K641-12SF-N85P] File not found
    O4 - HKCU..\Run: [Xflalx] File not found
    O33 - MountPoints2\{07dadcb4-3016-11e0-b725-0018f33c06f4}\Shell - "" = AutoRun
    O33 - MountPoints2\{07dadcb4-3016-11e0-b725-0018f33c06f4}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{07dadcb4-3016-11e0-b725-0018f33c06f4}\Shell\AutoRun\command - "" = J:\Windows\CHECK\DriveNavigator.exe
    [2011/01/17 09:45:52 | 000,442,368 | R--- | C] () -- C:\WINDOWS\System32\zshp1020.exe
    [2011/01/17 09:45:52 | 000,106,496 | R--- | C] () -- C:\WINDOWS\System32\vshp1020.dll
    [2011/06/07 15:08:42 | 000,000,648 | ---- | M] ()(C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\?Torrent.lnk) -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
    [2011/06/07 15:08:42 | 000,000,648 | ---- | C] ()(C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\?Torrent.lnk) -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
    [2011/06/07 15:08:42 | 000,000,630 | ---- | M] ()(C:\Documents and Settings\All Users\Desktop\?Torrent.lnk) -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
    [2011/06/07 15:08:42 | 000,000,630 | ---- | C] ()(C:\Documents and Settings\All Users\Desktop\?Torrent.lnk) -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Step 2

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Things I would like to see in your reply:
  • OTL log
  • MBAM log

  • 0
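The fix script above is built from a handful of OTL line types that betray this infection's persistence: Run entries whose target is gone, a per-user Winlogon Shell pointing into a fake RECYCLER\<SID> folder, a MountPoints2 AutoRun command for a removable drive, and an autorun policy that still lets USB sticks run. The following Python triage script is an added example (mine, not part of this thread, OTL or MBAM) that scans OTL "Standard Registry" lines for exactly those patterns; the sample log, the rule names and the severities are constructed for the demonstration, although the values mirror the ones posted in this thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in OTL's "Standard Registry" line format, modelled on the
# log posted in this thread. Benign entries are included to show they are not
# flagged; the suspicious ones are the entries the fix script targeted.
SAMPLE_OTL_LOG = r"""
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKCU..\Run: [12CFG214-K641-12SF-N85P] File not found
O4 - HKCU..\Run: [Tnaww] File not found
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe) - File not found
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{07dadcb4-3016-11e0-b725-0018f33c06f4}\Shell\AutoRun\command - "" = J:\Windows\CHECK\DriveNavigator.exe
"""

# Line shapes as OTL prints them (hypothetical regexes written for this example).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O7_RE = re.compile(r"^O7 - .*: NoDriveTypeAutoRun = (?P<val>\d+)$")
O20_RE = re.compile(r"^O20 - (?P<hive>HK\w+) Winlogon: (?P<value>\w+) - \((?P<data>[^)]*)\) - ")
O32_RE = re.compile(r"^O32 - HKLM CDRom: AutoRun - (?P<val>\d+)$")
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
# Payload directory named like a SID under RECYCLER (the MBAM log even showed an
# "R-1-5-21-..." variant, which is not a valid SID prefix at all).
RECYCLER_SID_DIR = re.compile(r"\\RECYCLER\\[SR]-1-5-21-[\d-]+\\", re.IGNORECASE)

# Bit of NoDriveTypeAutoRun that disables AutoRun on removable drives. The XP
# default 145 (0x91) leaves this bit clear, so an infected USB stick autoruns.
DRIVE_REMOVABLE = 0x04


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    line: str


def analyse_otl(log_text: str) -> list[Finding]:
    """Return one Finding per triggered rule; a single line may trigger several."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECYCLER_SID_DIR.search(line):
            findings.append(Finding("high", "recycler-sid-dir", line))
        if m := O4_RE.match(line):
            # Launcher left behind after the AV deleted the payload, or a payload
            # that lives on a drive that was not plugged in during the scan.
            if m["target"] == "File not found":
                findings.append(Finding("medium", "orphaned-autostart", line))
        elif m := O20_RE.match(line):
            # Winlogon Shell must be explorer.exe; anything else starts with the desktop.
            if m["value"].lower() == "shell" and m["data"].lower() != "explorer.exe":
                findings.append(Finding("high", "winlogon-shell-hijack", line))
        elif O33_RE.match(line):
            # Explorer runs this command when the drive with that GUID is opened.
            findings.append(Finding("high", "removable-autorun-command", line))
        elif m := O32_RE.match(line):
            if int(m["val"]) == 1:
                findings.append(Finding("low", "cdrom-autorun-enabled", line))
        elif m := O7_RE.match(line):
            if not int(m["val"]) & DRIVE_REMOVABLE:
                findings.append(Finding("medium", "removable-autorun-allowed", line))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick overview before reading each line."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(analyse_otl(SAMPLE_OTL_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.rule:26} {f.line[:90]}")
```

Setting NoDriveTypeAutoRun to 255 (0xFF) disables AutoRun for every drive type, which removes the USB re-infection path the thread starter described.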

#6 fishtheorange (Topic Starter, Member, 23 posts)
Apologies for the late reply. I will get this done and reply again asap. Thank you for your help.
  • 0

#7 ali.B (Trusted Helper, Malware Removal, 3,086 posts)
OK
  • 0

#8 fishtheorange (Topic Starter, Member, 23 posts)
I must apologise again for the late replies; what with little free time and the computers being used by others, I have been unable to find the time to sort these things out. The next reply may be as long as a week away, as the school I work at will be closing for a break next week.

The computer I was using has decided that it doesn't want to connect to the internet anymore, so I am using another of the machines here in the office which has the same symptoms.

As a side note, the MBAM link you provided is broken, the site is down I presume.

OTL Log:

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\12CFG214-K641-12SF-N85P deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Xflalx not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{07dadcb4-3016-11e0-b725-0018f33c06f4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07dadcb4-3016-11e0-b725-0018f33c06f4}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{07dadcb4-3016-11e0-b725-0018f33c06f4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07dadcb4-3016-11e0-b725-0018f33c06f4}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{07dadcb4-3016-11e0-b725-0018f33c06f4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07dadcb4-3016-11e0-b725-0018f33c06f4}\ not found.
File J:\Windows\CHECK\DriveNavigator.exe not found.
C:\WINDOWS\system32\ZSHP1020.EXE moved successfully.
File C:\WINDOWS\System32\vshp1020.dll not found.
File C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk not found.
File C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk not found.
File C:\Documents and Settings\All Users\Desktop\µTorrent.lnk not found.
File C:\Documents and Settings\All Users\Desktop\µTorrent.lnk not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 946645 bytes

User: User
->Temp folder emptied: 117413125 bytes
->Temporary Internet Files folder emptied: 12926204 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 65726391 bytes
->Google Chrome cache emptied: 131559658 bytes
->Flash cache emptied: 3685 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 116224 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 37229265 bytes

Total Files Cleaned = 351.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: User
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.26.1 log created on 07132011_105300

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_b98.dat not found!
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\_asw_aisI.tm~a03296\setup.lok not found!

Registry entries deleted on Reboot...



MBAM Log:


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7097

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/13/2011 11:04:10 AM
mbam-log-2011-07-13 (11-04-10).txt

Scan type: Quick scan
Objects scanned: 153402
Time elapsed: 3 minute(s), 26 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 5
Folders Infected: 3
Files Infected: 52

Memory Processes Infected:
c:\WINDOWS\aadrive32.exe (Trojan.Agent) -> 3508 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup (Trojan.Agent) -> Value: Microsoft Driver Setup -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup (Trojan.Agent) -> Value: Microsoft Driver Setup -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ejvmvq (Trojan.Agent) -> Value: Ejvmvq -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tnaww (Trojan.Agent) -> Value: Tnaww -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Worm.AutoRun) -> Value: Shell -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Trojan.Agent) -> Value: Taskman -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Trojan.Agent) -> Bad: (c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe) Good: () -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413 (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) -> Delete on reboot.

Files Infected:
c:\WINDOWS\aadrive32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\Ejvmvq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\user\application data\3.tmp (Backdoor.IRCBot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\34.tmp (Backdoor.IRCBot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\37.tmp (Backdoor.IRCBot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\4.tmp (Backdoor.IRCBot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\5.tmp (Backdoor.IRCBot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\user\application data\8.tmp (Backdoor.IRCBot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\User\application data\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\03.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\05.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\06.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\07.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\40.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
c:\windows\system32\47.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\48.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\50.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\53.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\54.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\55.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\62.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\65.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\15.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\18.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\21.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\23.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\25.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\27.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\28.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\30.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
c:\windows\system32\31.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\34.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\38.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\71.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\74.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\75.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\78.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\86.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\87.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\system32\88.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\Desktop.ini (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Worm.AutoRun.Gen) -> Quarantined and deleted successfully.

Edited by fishtheorange, 13 July 2011 - 12:26 AM.


#9
ali.B

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Hi

Step 1

Update MalwareBytes AntiMalware and run a Quick Scan.
Post the log it produces.

Step 2

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are both checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Things I would like to see in your reply:
  • Malwarebytes Results.
  • Eset scanner report.
  • Update on how your computer is running


#10
ali.B

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


#11
ali.B

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Topic reopened, post the logs when you are ready. I missed the part about your delay, sorry about that.

#12
fishtheorange

fishtheorange

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Thanks for reopening the topic. Again, sorry about the constant delays, I hope it is not too annoying!
The ESET Online scanner is down for some reason. Either that or my pc refuses connection to the site...

MBAM Log


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7278

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/26/2011 10:00:40 AM
mbam-log-2011-07-26 (10-00-34).txt

Scan type: Quick scan
Objects scanned: 155980
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Worm.AutoRun) -> Value: Shell -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe) Good: (Explorer.exe) -> No action taken.

Folders Infected:
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413 (Worm.AutoRun) -> No action taken.

Files Infected:
c:\documents and settings\user\application data\2.tmp (Trojan.Agent) -> No action taken.
c:\documents and settings\user\application data\5.tmp (Worm.AutoRun) -> No action taken.
c:\documents and settings\user\application data\ejvmvq.exe (Backdoor.Bot.WPMH) -> No action taken.
c:\recycler\s-1-5-21-0243556031-888888379-781863308-1413\trz2.tmp (Worm.AutoRun) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\content.ie5\z6gv4hu6\z[1].exe (Backdoor.IRCBot) -> No action taken.
c:\windows\trz1.tmp (Trojan.Agent) -> No action taken.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\Desktop.ini (Worm.AutoRun) -> No action taken.

#13
ali.B

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Hi

Step 1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL
    c:\documents and settings\user\application data\2.tmp
    c:\documents and settings\user\application data\5.tmp
    c:\documents and settings\user\application data\ejvmvq.exe
    c:\recycler\s-1-5-21-0243556031-888888379-781863308-1413\trz2.tmp
    c:\documents and settings\networkservice\local settings\temporary internet files\content.ie5\z6gv4hu6\z[1].exe
    c:\windows\trz1.tmp
    
    :Files
    c:\documents and settings\user\application data\*.tmp
    c:\documents and settings\user\application data\*.exe
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Step 2

The previous Malwarebytes scan shows that you did NOT remove what it found. When the scan is done you must click on Show results, then click on Remove selected.
Update MalwareBytes AntiMalware and run a Quick Scan.
Post the log it produces.


Things I would like to see in your reply:
  • OTL log
  • MBAM log

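An added example, not code from this thread, from Malwarebytes or from OTL: a small Python triage helper for the MBAM 1.x log format seen in the logs posted above. It parses each detection line, so the "No action taken" entries that ali.B points out in the post above stand out from the ones that were actually quarantined, and it surfaces the two persistence mechanisms visible in the first MBAM log in this thread: the Winlogon Shell value with a second program appended after explorer.exe, and the Winlogon Taskman value, both pointing into SID-named folders under C:\RECYCLER. The sample lines are copied from the logs posted in this thread; the regular expressions, the dataclass and the function names are my own assumptions about the log format, not anything Malwarebytes documents.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x logs (added example).

Not code from Malwarebytes, OTL or the posters in this thread; the parsing
rules are assumptions derived from the log lines posted there.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the MBAM logs posted in this thread.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Worm.AutoRun) -> Value: Shell -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe) Good: (Explorer.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Trojan.Agent) -> Bad: (c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe) Good: () -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\user\application data\ejvmvq.exe (Backdoor.Bot.WPMH) -> No action taken.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\Desktop.ini (Worm.AutoRun) -> No action taken.
c:\windows\system32\40.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str            # e.g. "Files Infected"
    item: str               # path or registry key
    family: str             # MBAM detection name in parentheses
    action: str             # trailing "-> ..." text without the final period
    bad: Optional[str] = None   # observed value for Registry Data Items
    good: Optional[str] = None  # value MBAM considers clean


# "<item> (<family>)"; the family never contains parentheses in these logs.
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)$")
# A Windows drive path embedded in a registry value (assumed delimiters).
PATH_RE = re.compile(r"[a-z]:\\[^,;()]+", re.IGNORECASE)


def parse_mbam_log(text: str) -> List[Detection]:
    """Turn the per-item lines of an MBAM 1.x log into Detection records."""
    detections: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " -> " not in line:          # section header or summary line
            if line.endswith(":"):
                section = line[:-1]
            continue
        parts = line.split(" -> ")
        m = ITEM_RE.match(parts[0])
        if not m:
            continue
        det = Detection(section, m["item"], m["family"], parts[-1].rstrip("."))
        bg = BADGOOD_RE.search(" -> ".join(parts[1:-1]))
        if bg:
            det.bad, det.good = bg["bad"], bg["good"]
        detections.append(det)
    return detections


def not_remediated(dets: List[Detection]) -> List[Detection]:
    """Items the user left in place (the mistake pointed out in the thread)."""
    return [d for d in dets if d.action == "No action taken"]


def pending_reboot(dets: List[Detection]) -> List[Detection]:
    return [d for d in dets if d.action == "Delete on reboot"]


def summarize(dets: List[Detection]) -> Dict[str, int]:
    pending, left = len(pending_reboot(dets)), len(not_remediated(dets))
    return {"total": len(dets), "remediated": len(dets) - pending - left,
            "pending_reboot": pending, "not_remediated": left}


# Winlogon values that decide what runs at logon; Shell normally holds only
# "Explorer.exe" and Taskman is normally absent, so any other content is
# a persistence hook rather than a benign setting.
WINLOGON_HOOKS = ("\\winlogon\\shell", "\\winlogon\\taskman", "\\winlogon\\userinit")


def winlogon_hijacks(dets: List[Detection]) -> List[Detection]:
    return [d for d in dets
            if d.bad is not None and d.item.lower().endswith(WINLOGON_HOOKS)]


def recycler_payloads(dets: List[Detection]) -> List[str]:
    """Executables staged under \\RECYCLER\\, both as file hits and as paths
    referenced from hijacked registry values; Desktop.ini is legitimate there."""
    paths = set()
    for d in dets:
        candidates = [d.item] if d.section == "Files Infected" else []
        if d.bad:
            candidates += PATH_RE.findall(d.bad)
        for p in candidates:
            low = p.lower()
            if "\\recycler\\" in low and not low.endswith("desktop.ini"):
                paths.add(low)
    return sorted(paths)


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(summarize(dets))
    for d in winlogon_hijacks(dets):
        name = d.item.rsplit("\\", 1)[-1]
        print(f"Winlogon hijack via {name}: {d.bad!r} (clean value {d.good!r})")
    for p in recycler_payloads(dets):
        print("RECYCLER payload:", p)
```

Run against a full log, `summarize` tells you at a glance whether a scan actually cleaned anything, and `winlogon_hijacks` and `recycler_payloads` give the shortlist of items worth confirming by hand after the reboot, since both logs in this thread show the RECYCLER entries coming back as "Delete on reboot".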

#14
fishtheorange

fishtheorange

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hello,

Sorry, I thought I removed the infections in MBAM...

OTL



All processes killed
========== OTL ==========
========== FILES ==========
c:\documents and settings\user\application data\3.tmp moved successfully.
c:\documents and settings\user\application data\4.tmp moved successfully.
c:\documents and settings\user\application data\6.tmp moved successfully.
c:\documents and settings\user\application data\7.tmp moved successfully.
c:\documents and settings\user\application data\8.tmp moved successfully.
c:\documents and settings\user\application data\9.tmp moved successfully.
c:\documents and settings\user\application data\A.tmp moved successfully.
c:\documents and settings\user\application data\B.tmp moved successfully.
c:\documents and settings\user\application data\C.tmp moved successfully.
c:\documents and settings\user\application data\D.tmp moved successfully.
c:\documents and settings\user\application data\E.tmp moved successfully.
File\Folder c:\documents and settings\user\application data\*.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 87862 bytes

User: User
->Temp folder emptied: 279567 bytes
->Temporary Internet Files folder emptied: 42944348 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 338549624 bytes
->Flash cache emptied: 2340 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65536 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 364.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: User
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.26.1 log created on 07292011_094125

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


MBAM


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7313

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/29/2011 9:55:29 AM
mbam-log-2011-07-29 (09-55-29).txt

Scan type: Quick scan
Objects scanned: 155908
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Trojan.Agent) -> Value: Taskman -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Worm.AutoRun.Gen) -> Bad: (c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe) Good: () -> Delete on reboot.

Folders Infected:
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) -> Delete on reboot.

Files Infected:
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe (Worm.AutoRun.Gen) -> Delete on reboot.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Worm.AutoRun.Gen) -> Quarantined and deleted successfully.

#15
ali.B

ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Hi

Step 1

Update MalwareBytes AntiMalware and run a Quick Scan.
Post the log it produces.

Step 2

ESET Online Scanner


  • Click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Things I would like to see in your reply:
  • Malwarebytes Results.
  • Eset scanner report.
  • Update on how your computer is running
