TechSpot

Infected by worms and trojans

By mimo450
Dec 27, 2008
Topic Status:
Not open for further replies.
  1. Hello guys, I really need your help here.
    After opening network sharing, my AVG antivirus sent 5 pop-ups for Trojan horses (I forgot their names). When I heal them, they appear again after 5-10 min.
    Task Manager and Regedit.exe are disabled. When I enable them using the gpedit.msc trick, I can open them once and fix the entries, but when I close them they are disabled again.
    A HijackThis scan was done once and it can't be opened again. The AVG antivirus scan and virus vault also can't be opened now.
    It also created a shared file called XPcode with exe's of sex screensavers, sex games and such things.
    And I have found now that the Autorun.BO worm is also detected, and when I heal it, it also reappears.
    My HijackThis log file is

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:13:13 PM, on 12/27/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Moderator Edit:
    Pasted log removed, you must attach these logs not paste them in


    Please help me, I rely on you.
  2. gillianbrown

    gillianbrown Banned Posts: 141

    Please go HERE and follow the instructions. Then, post the 3 log files as attachments.

    Also, don't forget to rename HijackThis.exe as follows.

    You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

    Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what's there.

    Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

    You can now close the HJT directory.
  3. mimo450

    mimo450 TS Rookie Topic Starter

    First SuperAntispyware log is

    SUPERAntiSpyware Scan Log


    Generated 12/28/2008 at 02:27 AM

    Application Version : 4.24.1004

    Core Rules Database Version : 3686
    Trace Rules Database Version: 1663

    Scan type : Complete Scan
    Total Scan Time : 00:33:41

    Memory items scanned : 336
    Memory threats detected : 0
    Registry items scanned : 5912
    Registry threats detected : 0
    File items scanned : 18405
    File threats detected : 0


    Malware just told me before that no threat is found, so maybe it isn't important to post it.

    Java is up to date

    AVG Antivirus gives only the following infection(my hard drive is divided into 3 compartments)

    C:\Autorun.inf which is detected as Worm\Autorun.BO
    D:\Autorun.inf which is detected as Worm\Autorun.BO
    E:\Autorun.inf which is detected as Worm\Autorun.BO



    HijackThis log file is attached.

    Thanks for helping me.
  4. gillianbrown

    gillianbrown Banned Posts: 141

    Ok, please do the following.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager(if you can), by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    zaSetup_en.exe
    gwrs.exe
    winosrqhy.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'NETWORK SERVICE')

    O4 - Global Startup: Adobe Update.lnk = C:\Program Files\Common Files\AdobeUpdate.exe

    O4 - Global Startup: AdobeUpdate.exe

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders(if there).

    C:\Documents and Settings\USER\Desktop\zaSetup_en.exe

    C:\DOCUME~1\USER\LOCALS~1\Temp\gwrs.exe

    C:\DOCUME~1\USER\LOCALS~1\Temp\winosrqhy.exe

    Reboot into normal mode and rehide your protected OS files.

    Check that you can now use Task manager and let me know.

    Download combofix.exe to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Combofix will automatically save the log file to C:\combofix.txt

    Please post the Combofix log as well as a fresh HJT log as attachments.
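    Added example (not part of the thread and not from any poster): the three things the posts above are chasing by hand are (a) the policy values that lock out Regedit and Task Manager (the HJT "O7" line, and the reason the gpedit.msc trick in post 1 kept getting undone), (b) the Run/RunOnce autostart entries (the HJT "O4" lines), and (c) the autorun.inf that AVG flagged as Worm\Autorun.BO in the root of C:, D: and E: in post 3. The script below audits all three from a defender's side. It assumes Windows PowerShell on a current Windows box (the XP SP2 machine in the thread would not have it out of the box) and an elevated prompt; the -Repair switch is a hypothetical option of this script, not of any tool named in the thread.

```powershell
# Added example (not from the thread): audit the lockout and persistence
# indicators discussed above. Read-only by default; -Repair only clears the
# two policy values that hide Regedit / Task Manager. Run elevated.
[CmdletBinding()]
param([switch]$Repair)

# 1. Policy values malware sets to block regedit / Task Manager
#    (the HJT "O7" line in the thread is exactly the HKCU DisableRegedit value).
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in 'DisableRegedit', 'DisableTaskMgr') {
        $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) {
            Write-Warning "$key\$name = 1 (tool lockout in place)"
            if ($Repair) {
                Remove-ItemProperty -Path $key -Name $name
                Write-Host "  cleared $name under $key"
            }
        }
    }
}

# 2. Run / RunOnce autostart entries for the machine and current user
#    (the HJT "O4" lines). Emitted as objects so they can be piped/exported.
$runPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($path in $runPaths) {
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath members
        [PSCustomObject]@{ Source = $path; Name = $p.Name; Command = $p.Value }
    }
}

# 3. autorun.inf in the root of every fixed drive, the indicator AVG reported as
#    Worm\Autorun.BO on C:, D: and E: in the thread. The file is only read and
#    its open= / shellexecute= / shell\...\command= lines shown; nothing is run.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $item = Get-Item -LiteralPath $inf -Force     # -Force: the worm marks it hidden+system
        Write-Warning "autorun.inf present in $($_.DeviceID) (attributes: $($item.Attributes))"
        Get-Content -LiteralPath $inf -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' } |
            ForEach-Object { "    $_" }
    }
}
```

    Two points the thread itself makes are worth keeping in mind when reading the output: clearing the policy values is not a fix, because post 1 reports them being re-set within minutes by whatever is still running, so this is a check to run before and after cleanup, not instead of it; and an autorun.inf in a drive root is only re-armed when the volume is opened with AutoPlay enabled, so the file should be handled from an account where AutoPlay is off, as the safe-mode steps above imply.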
  5. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  6. gillianbrown

    gillianbrown Banned Posts: 141

    Sorry Kimsland, but mimo450 really needs to follow my instructions.

    I know the 8 step instructions are good, but in this case I really want to see a Combofix log.
  7. mimo450

    mimo450 TS Rookie Topic Starter

    I really appreciate your help, but when I went to manage Safe Mode from Msconfig, the computer restarted and told me it couldn't load Safe Mode due to hardware or software failure. But the worst was that I couldn't load normal mode either, so the computer kept restarting.
    I consulted my computer manager and he said that the computer was infected by an advanced mode of the known worm autorun.inf, because it was BO this time, and it shut off all the possible solutions, and if it had more time it could cause severe damage to the hardware too.
    So I reformatted the computer and the problem's solved.
    Thanks for your concern, and if anything happens again I will consult you :cool:
  8. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Thanks for the update :grinthumb
    Actually with member gillianbrown now banned, it may have helped a lot too ;)