I initially ran Malwarebytes with the following results:
Files Infected:
c:\Windows\System32\eszitsoslh.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Windows\System32\jjegqyxwkvozy1d.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\eszitsoslh.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\jjegqyxwkvozy1d.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
I then ran a scan using Avast with the following results:
Started on: Friday, October 07, 2011 3:24:13 PM
10/7/2011 5:27:05 PM C:\Windows\assembly\tmp\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
I then ran a boot time scan the next morning with the following results:
10/08/2011 07:21
Scan of all local drives
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\a$1.class is infected by Java:Agent-BJ [Expl], Moved to chest
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\a.class is infected by Java:Agent-BW [Trj], Moved to chest
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\b.class is infected by Other:Malware-gen, Moved to chest
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\KAVS.class is infected by Java:Agent-BM [Expl], Moved to chest
File C:\Windows\assembly\tmp\U\00000002.@|>[Embedded_R#00290] is infected by Win32:Malware-gen, Moved to chest
File C:\Windows\assembly\tmp\U\80000032.@ is infected by Win32:DNSChanger-VJ [Trj], Moved to chest
Number of searched folders: 66631
Number of tested files: 1140979
Number of infected files: 6
I ran another Avast scan with no infections being found.
An hour later, after connecting to the internet, I was getting trojan alerts. I again ran Avast with the following results:
10/8/2011 11:58:05 AM C:\Windows\assembly\TMP\kwrd.dll [L] Win32:Malware-gen (0)
File was successfully moved to chest...
10/8/2011 12:05:12 PM C:\Windows\assembly\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
10/8/2011 1:27:08 PM C:\Windows\assembly\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
The next morning I ran the boot time scan with these results:
10/09/2011 08:29
Scan of all local drives
File C:\Windows\assembly\tmp\U\00000002.@|>[Embedded_R#00290] is infected by Win32:Malware-gen, Moved to chest
File C:\Windows\assembly\tmp\U\80000032.@ is infected by Win32:DNSChanger-VJ [Trj], Moved to chest
Number of searched folders: 66606
Number of tested files: 1141461
Number of infected files: 2
I connected again to the internet and again started getting trojan alerts. Ran Avast again with these results:
10/9/2011 10:28:23 AM C:\Windows\ASSEMBLY\TMP\kwrd.dll [L] Win32:Malware-gen (0)
File was successfully moved to chest...
10/9/2011 10:28:42 AM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
10/9/2011 10:35:47 AM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
10/9/2011 2:23:54 PM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
10/9/2011 3:27:20 PM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
File was successfully moved to chest...
It appears to be the same thing recurring every time. Malwarebytes no longer finds anything even when Avast finds the infections.
I have attached my OTL report as it was too long to cut/paste and I'm hoping someone will be able to help me finally get rid of this thing.
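The pattern in the logs above (the same paths under C:\Windows\assembly\tmp being moved to the chest day after day) is the most useful signal in the post: a scanner that keeps quarantining the same dropped file is removing the payload, not whatever re-creates it. The following Python script is an added example, not something the poster or Avast provides; it parses the Avast real-time and boot-time lines quoted in the post (embedded verbatim below) and lists the paths that were cleaned on more than one distinct day. Archive members reported as `container|>member` are folded into their container, so the four Java cache classes count against one on-disk file.

```python
import re
from collections import defaultdict
from datetime import datetime

# Avast detection lines copied from the post; the "File was successfully moved
# to chest..." lines and scan statistics are omitted because they carry no path.
# Boot-time scans start with a "MM/DD/YYYY HH:MM" header line; real-time alerts
# carry their own timestamp.
AVAST_LOG = r"""
10/7/2011 5:27:05 PM C:\Windows\assembly\tmp\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
10/08/2011 07:21
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\a$1.class is infected by Java:Agent-BJ [Expl], Moved to chest
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\a.class is infected by Java:Agent-BW [Trj], Moved to chest
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\b.class is infected by Other:Malware-gen, Moved to chest
File C:\Users\carlos\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\4ccf37f8-72948610|>bpac\KAVS.class is infected by Java:Agent-BM [Expl], Moved to chest
File C:\Windows\assembly\tmp\U\00000002.@|>[Embedded_R#00290] is infected by Win32:Malware-gen, Moved to chest
File C:\Windows\assembly\tmp\U\80000032.@ is infected by Win32:DNSChanger-VJ [Trj], Moved to chest
10/8/2011 11:58:05 AM C:\Windows\assembly\TMP\kwrd.dll [L] Win32:Malware-gen (0)
10/8/2011 12:05:12 PM C:\Windows\assembly\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
10/8/2011 1:27:08 PM C:\Windows\assembly\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
10/09/2011 08:29
File C:\Windows\assembly\tmp\U\00000002.@|>[Embedded_R#00290] is infected by Win32:Malware-gen, Moved to chest
File C:\Windows\assembly\tmp\U\80000032.@ is infected by Win32:DNSChanger-VJ [Trj], Moved to chest
10/9/2011 10:28:23 AM C:\Windows\ASSEMBLY\TMP\kwrd.dll [L] Win32:Malware-gen (0)
10/9/2011 10:28:42 AM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
10/9/2011 10:35:47 AM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
10/9/2011 2:23:54 PM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
10/9/2011 3:27:20 PM C:\Windows\ASSEMBLY\TMP\U\80000032.@ [L] Win32:DNSChanger-VJ [Trj] (0)
"""

BOOT_HEADER = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}) \d{2}:\d{2}$")
BOOT_HIT = re.compile(r"^File (.+?) is infected by (.+?), Moved to chest$")
REALTIME_HIT = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4}) \d{1,2}:\d{2}:\d{2} [AP]M (.+?) \[L\] (.+?) \(\d+\)$"
)


def normalize_path(path):
    """Fold an archive member ("container|>member") into its container and
    lower-case the result, since NTFS paths are case-insensitive."""
    return path.split("|>", 1)[0].lower()


def parse_detections(text):
    """Yield (date, normalized_path, detection_name) for every detection line."""
    current_boot_date = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BOOT_HEADER.match(line)
        if m:  # header of a boot-time scan: following hits belong to this date
            current_boot_date = datetime.strptime(m.group(1), "%m/%d/%Y").date()
            continue
        m = BOOT_HIT.match(line)
        if m and current_boot_date is not None:
            yield current_boot_date, normalize_path(m.group(1)), m.group(2)
            continue
        m = REALTIME_HIT.match(line)
        if m:
            date = datetime.strptime(m.group(1), "%m/%d/%Y").date()
            yield date, normalize_path(m.group(2)), m.group(3)


def recurrence_report(text):
    """Map each path to its hit count, number of distinct days and detection names."""
    hits = defaultdict(list)
    for date, path, name in parse_detections(text):
        hits[path].append((date, name))
    return {
        path: {
            "hits": len(entries),
            "days": len({d for d, _ in entries}),
            "names": sorted({n for _, n in entries}),
        }
        for path, entries in hits.items()
    }


def recurring_paths(text, min_days=2):
    """Paths quarantined on at least `min_days` distinct days. A path on this list
    is being re-dropped by something the scanner has not removed."""
    report = recurrence_report(text)
    return sorted(p for p, r in report.items() if r["days"] >= min_days)


if __name__ == "__main__":
    report = recurrence_report(AVAST_LOG)
    for path in recurring_paths(AVAST_LOG):
        r = report[path]
        print(f"{path}: {r['hits']} detections on {r['days']} days ({', '.join(r['names'])})")
```

Run against the post's own lines, the three paths under C:\Windows\assembly\tmp come back as recurring while the Java cache archive does not, which matches the poster's observation that the cleaned payloads reappear after every reconnect. The same per-path tally works on any Avast log of this format; the point for a defender is that a recurring entry is the symptom to chase with a rootkit or persistence-focused tool rather than another on-demand scan.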