TechSpot

Trojan Horse

By schang1146
Oct 19, 2010
  1. Hi, I'm pretty new to getting rid of viruses so please bear with me.
    I recently accidentally hit "Run" when a pop up came up and asked me if I wished to run a program. (I was on Megaupload.com)
    Almost immediately afterwards, a fake "Microsoft Security Essentials Alert" popped up saying that I was infected with "Unknown Win32/Trojan." The message also pops up whenever I try to open Firefox or IE. I still have a wireless internet connection. There are some files that are "locked." When I ran a scan with AVG in safe mode, it told me there were things that were locked and could not be tested. After running Spybot Search and Destroy, it came up with 15+ items and I "removed" them all. I ran Malwarebytes' Anti-Malware and it caught 14 items and removed only some of them.
I can't access the report because the folder C:\Documents and Settings is locked. Can anyone help?
     
  2. schang1146

    schang1146 Topic Starter

    Oh nevermind. I found the log for my scan:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4877

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    10/18/2010 11:39:45 PM
    mbam-log-2010-10-18 (23-39-45).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 270924
    Time elapsed: 44 minute(s), 50 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 1
    Registry Keys Infected: 0
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 8

    Memory Processes Infected:
    C:\Users\Sammy Chang\AppData\Roaming\hotfix.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\Users\Sammy Chang\AppData\Local\AutEA32.dll (Trojan.Hiloti) -> Delete on reboot.

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpuqi (Trojan.Hiloti) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jricore (Trojan.Agent.U) -> Delete on reboot.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Users\Sammy Chang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Users\Sammy Chang\AppData\Local\AutEA32.dll (Trojan.Hiloti) -> Delete on reboot.
    C:\Users\Sammy Chang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2EFM6L23\lltaitbvdo[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\Users\Sammy Chang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G49H06PF\gkemxszusa[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Users\Sammy Chang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
    C:\Users\Sammy Chang\AppData\Roaming\hotfix.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    C:\Users\Sammy Chang\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    C:\Users\Sammy Chang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
    C:\Users\Sammy Chang\AppData\Local\asenurif.dll (Trojan.Agent.U) -> Delete on reboot.
     
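The Malwarebytes log above is easier to act on once it is parsed: which detections were only marked "Delete on reboot" (still present until the restart) and which sat in autostart locations (Run values, the Winlogon shell value, the Startup folder), i.e. the entries worth re-checking after cleanup. The Python below is an added example, not code from the thread or from Malwarebytes; it uses an excerpt of the posted log as sample input, and the list of autostart markers is my own assumption.

```python
import re
from collections import Counter

# Excerpt of the Malwarebytes' Anti-Malware log posted above (sample input).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4877

Memory Processes Infected:
C:\Users\Sammy Chang\AppData\Roaming\hotfix.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpuqi (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Sammy Chang\AppData\Local\AutEA32.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Users\Sammy Chang\AppData\Roaming\hotfix.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(.+ Infected):$")          # "Files Infected:" (no count)
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumed autostart locations, matched case-insensitively against each item:
# Run values, the Winlogon shell value and the Startup folder. Malware found
# there was set to survive a reboot, so re-check these after cleanup.
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\winlogon\\shell",
                     "\\start menu\\programs\\startup\\")

def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section and (m := ENTRY_RE.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return entries

def pending_after_reboot(entries):
    """Detections Malwarebytes could not remove yet (still present until reboot)."""
    return [e for e in entries if e["action"].lower().startswith("delete on reboot")]

def autostart_entries(entries):
    """Detections located in one of the assumed autostart locations."""
    return [e for e in entries if any(mk in e["item"].lower() for mk in AUTOSTART_MARKERS)]

def summarize(text):
    entries = parse_mbam_log(text)
    return {"total": len(entries),
            "by_family": Counter(e["family"] for e in entries),
            "pending_reboot": [e["item"] for e in pending_after_reboot(entries)],
            "autostart": [e["item"] for e in autostart_entries(entries)]}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```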
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE

    Since you have run Malwarebytes and included that log, you can skip running it again, but please follow the other steps. When you have finished, leave the logs for review in your next reply.

    Please add this online scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  4. schang1146

    schang1146 Topic Starter

    Hi, sorry for the wait but it did not make a log. (Was it because I was using Firefox?)
    But after the scan it found 5 viruses and I did a copy to clipboard and pasted here.

    C:\$Recycle.Bin\S-1-5-21-863956178-3063865544-3871530153-1000\$RJH2SSC.zip multiple threats
    C:\$Recycle.Bin\S-1-5-21-863956178-3063865544-3871530153-1000\$RZ8AD8A\AQ Elite [Lore3542].rar probably a variant of Win32/Agent.LTWZODE trojan
    C:\ProgramData\Spybot - Search & Destroy\Recovery\WinMuollo1.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinMuollo1.zip Win32/Bagle.gen.zip worm
    C:\Users\Sammy Chang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UUAKODV7\zpwrlte[1].htm a variant of Win32/Kryptik.HMU trojan

    EDIT:

    I tried to include the DDS but when I downloaded it, it did not allow me to run the program. For some reason, it says the file is a Microstation file and it won't let me open it with anything else.

    I forgot to mention that now, after running Malwarebytes and getting rid of (trying to get rid of?) the viruses, I am free to open IE and Firefox. When I use regular programs and when I go on the internet, there seems to be no apparent problem/virus. When I try to open specific folders, however, it won't let me, saying that I do not have permission or that it is not accessible and that access was denied. This happens to my C:\Documents and Settings folder.
    (I also can't see the Documents and Settings folder when I go to C:\)
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please empty the Recycle Bin. You have infected files in it.
    Please delete the files and folders in Spybot S&D that have been Quarantined.
    Please run TFC again:

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
    =========================================
    Then download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files  
      C:\$Recycle.Bin\S-1-5-21-863956178-3063865544-3871530153-1000\$RJH2SSC.zip 
      C:\$Recycle.Bin\S-1-5-21-863956178-3063865544-3871530153-1000\$RZ8AD8A\AQ Elite [Lore3542].rar 
      C:\ProgramData\Spybot - Search & Destroy\Recovery\WinMuollo1.zip 
      C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinMuollo1.zip 
      C:\Users\Sammy Chang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UUAKODV7\zpwrlte[1].htm 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ========================================
    We will handle the permissions issue if it persists after the system is clean.
    I have no idea why you got the Microstation message for DDS. The setup file saves as dds.scr and sometimes, depending on your security, there is a message related to the scr extension. I know McAfee fusses about it. Please bypass it as it is safe. I'd like you to remove it if it's on the desktop and download again. It produces 2 logs and works fine in Firefox. If you get the same message again, I'll have you check the file extension settings:
    • Download DDS by sUBs and save it to your desktop.

      After downloading the tool, disconnect from the internet and disable all antivirus protection.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results, click no to the Optional_Scan
    • Follow the instructions that pop up for posting the results.
    • When done, DDS will open two (2) logs: Please paste both in your next reply.
      • DDS.txt
      • Attach.txt
    • Close the program window, and delete the program from your desktop.
    • Enable your Antivirus protection and reconnect to the internet.
    Please note: You may have to disable any script protection running if the scan fails to run.
     
  6. schang1146

    schang1146 Topic Starter

    I'm just wondering if I could use CCleaner in place of TFC?
    Sorry for the late response, I haven't been online for a few days.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Don't apologize- I'm running behind! I'd prefer you use TFC, but it's up to you. I don't want any Registry changes- CCleaner has a bad habit of doing that.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please let me know if you require further help. Threads are closed after 5 days of inactivity.
     
  9. schang1146

    schang1146 Topic Starter

    Sorry I haven't been on my laptop since I had a huge essay for school lately. I'll make sure to run TFC and OTMoveIt and get back to you today.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay. Take your time.
     
Topic Status:
Not open for further replies.
