
Trojan keeps replicating - I can't wipe it!

  • 20-11-2009 8:14pm
    #1
    Ideo (Registered Users, Posts: 1,618 ✭✭✭)


    There's a trojan on my comp and it keeps replicating itself as different files. My anti-virus keeps detecting it and deleting it but it's to no avail! I ran Malwarebytes and that deleted a couple of files but it appeared again after a few weeks! Any ideas on how to kill the bastard for good? Please!!!!


Comments

  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    Do you have a log from MBAM or your anti-virus of this infection?

    Please download OTM
    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      :Processes
      
      :Services
      
      :Reg
      
      :Files
      C:\WINDOWS\Tasks\At*.job
      
      :Commands
      [purity]
      [emptytemp]
      [Reboot]
      
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    Don't attach the logs, by the way.


  • Ideo (Registered Users, Posts: 1,618 ✭✭✭)


    OK, I got the following upon the reboot. The help is greatly appreciated!
    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\WINDOWS\Tasks\At1.job moved successfully.
    C:\WINDOWS\Tasks\At10.job moved successfully.
    C:\WINDOWS\Tasks\At11.job moved successfully.
    C:\WINDOWS\Tasks\At12.job moved successfully.
    C:\WINDOWS\Tasks\At13.job moved successfully.
    C:\WINDOWS\Tasks\At14.job moved successfully.
    C:\WINDOWS\Tasks\At2.job moved successfully.
    C:\WINDOWS\Tasks\At3.job moved successfully.
    C:\WINDOWS\Tasks\At4.job moved successfully.
    C:\WINDOWS\Tasks\At5.job moved successfully.
    C:\WINDOWS\Tasks\At6.job moved successfully.
    C:\WINDOWS\Tasks\At7.job moved successfully.
    C:\WINDOWS\Tasks\At8.job moved successfully.
    C:\WINDOWS\Tasks\At9.job moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32768 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 436249 bytes

    User: My Documents

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 482310 bytes

    User: Paul Dalton
    ->Temp folder emptied: -869228744 bytes
    ->Temporary Internet Files folder emptied: 504041471 bytes
    ->Java cache emptied: 22023284 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 5650449 bytes
    Windows Temp folder emptied: 28943777 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23919900 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
    RecycleBin emptied: 45043190 bytes

    Total Files Cleaned = -227.52 mb


    OTM by OldTimer - Version 3.1.2.0 log created on 11202009_232328

    Files moved on Reboot...
    File C:\Documents and Settings\Paul Dalton\Local Settings\Temp\~DF1863.tmp not found!
    File C:\Documents and Settings\Paul Dalton\Local Settings\Temp\~DF1884.tmp not found!
    File C:\WINDOWS\temp\mcmsc_raEdKdWtfObmleT not found!
    File C:\WINDOWS\temp\mcmsc_u7wuEDRh83kkMCI not found!

    Registry entries deleted on Reboot...


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    Hi,

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: RcAuto1.gif]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • Ideo (Registered Users, Posts: 1,618 ✭✭✭)


    OK, I've tried everything to download that file and it won't work. Disabled antivirus and Windows Firewall but it just won't download. It gets to 99% and cancels! Any other suggestions ASJ?


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    When you download it, rename it to svchost.com.

    Does it download fully then?


  • Kinky Slinky (Closed Accounts, Posts: 432 ✭✭)


    Maybe try Microsoft Security Essentials, it's a free program that might be of some use:
    http://www.microsoft.com/Security_Essentials/


  • Ideo (Registered Users, Posts: 1,618 ✭✭✭)


    > When you download it, rename it to svchost.com.
    >
    > Does it download fully then?

    No, unfortunately that doesn't work. Tried calling it adsf.doc but nothing seems to work. Running XP SP3 if it matters.


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    OK, try this.

    Download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in

      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\eventlog.dll /s /md5
      %SYSTEMDRIVE%\scecli.dll /s /md5
      %SYSTEMDRIVE%\netlogon.dll /s /md5
      %SYSTEMDRIVE%\cngaudit.dll /s /md5
      %SYSTEMDRIVE%\sceclt.dll /s /md5
      %SYSTEMDRIVE%\ntelogon.dll /s /md5
      %SYSTEMDRIVE%\logevent.dll /s /md5
      %SYSTEMDRIVE%\iaStor.sys /s /md5
      %SYSTEMDRIVE%\nvstor.sys /s /md5
      %SYSTEMDRIVE%\atapi.sys /s /md5
      %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
      %SYSTEMDRIVE%\viasraid.sys /s /md5
      %SYSTEMDRIVE%\AGP440.sys /s /md5
      %SYSTEMDRIVE%\vaxscsi.sys /s /md5
      %SYSTEMDRIVE%\nvatabus.sys /s /md5
      %SYSTEMDRIVE%\viamraid.sys /s /md5
      %SYSTEMDRIVE%\nvata.sys /s /md5
      %SYSTEMDRIVE%\nvgts.sys /s /md5
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time

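The `/s /md5` lines in the custom scan above ask OTL to search the whole system drive for every copy of each listed driver name and report an MD5 for each hit (that is my reading of OTL's `/s` and `/md5` switches). The point of hashing several copies of the same driver is to see whether the live copy under system32\drivers still agrees with the backup copies Windows keeps elsewhere; a later fix in this thread moves a ReinstallBackups copy of iaStor.sys over the live one, which is the kind of action such a comparison motivates. The script below is an added example, not OTL's code and not from the thread: it walks a directory tree, hashes every copy of the named drivers, reports names whose copies disagree, and lines up a backup/live pair in the `Files to move:` form The Avenger uses. The directory tree and file bytes are constructed in a temp dir for the demo and are not data from the thread.

```python
"""Added example (not from the thread): find every copy of a driver name
under a root, hash each copy, and report names whose copies disagree."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Subset of the driver names from the OTL custom scan in the thread.
DRIVER_NAMES = ("iaStor.sys", "atapi.sys", "nvstor.sys")


def md5_of(path):
    """MD5 of a file, streamed so a large driver is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drivers(root, names=DRIVER_NAMES):
    """Map each driver name (lower-cased) to [(path, md5), ...] for every copy under root."""
    wanted = {n.lower() for n in names}
    hits = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                path = os.path.join(dirpath, fn)
                hits[fn.lower()].append((path, md5_of(path)))
    return dict(hits)


def find_mismatches(hits):
    """Driver names present in more than one copy whose hashes differ."""
    return {name: copies for name, copies in hits.items()
            if len({digest for _, digest in copies}) > 1}


def propose_restore(mismatches, live_marker=os.path.join("system32", "drivers")):
    """Pair the live copy (under system32\\drivers) with a backup copy for each
    mismatch and return (backup, live) pairs in Avenger 'Files to move' order.
    Deciding that the backup is the clean copy is the helper's call; this only
    lines the candidates up."""
    moves = []
    marker = live_marker.lower()
    for copies in mismatches.values():
        live = [p for p, _ in copies if marker in p.lower()]
        backups = [p for p, _ in copies if marker not in p.lower()]
        if live and backups:
            moves.append((backups[0], live[0]))
    return moves


def build_sample_tree():
    """Constructed sample tree: two iaStor.sys copies with different bytes, one atapi.sys."""
    root = tempfile.mkdtemp(prefix="drvscan_")
    live = os.path.join(root, "WINDOWS", "system32", "drivers")
    backup = os.path.join(root, "WINDOWS", "system32", "ReinstallBackups", "0012", "DriverFiles")
    os.makedirs(live)
    os.makedirs(backup)
    with open(os.path.join(live, "iaStor.sys"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"constructed-live-copy")      # made-up bytes
    with open(os.path.join(backup, "iaStor.sys"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"constructed-backup-copy")    # made-up bytes
    with open(os.path.join(live, "atapi.sys"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64)                                 # single copy, no mismatch
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    mismatches = find_mismatches(scan_drivers(root))
    for name, copies in mismatches.items():
        print(name)
        for path, digest in copies:
            print("   ", digest, path)
    for src, dst in propose_restore(mismatches):
        print("Files to move:\n%s | %s" % (src, dst))
```

Run it against a real system drive by replacing `build_sample_tree()` with the drive root; a single copy of a driver tells you nothing, and a mismatch only says the copies differ, not which one is the original, so compare against a hash from known-good installation media before moving anything.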

  • Ideo (Registered Users, Posts: 1,618 ✭✭✭)


    The text is huge from these files so I thought it would be better to attach them, hope this helps!


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    don't attach these ones if possible

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      :OTL
      O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
      O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
      O33 - MountPoints2\{6f84d1ab-732e-11dc-bb66-001676b7766e}\Shell\AutoRun\command - "" = wd_windows_tools\setup.exe
      O33 - MountPoints2\{ff715859-d396-11dd-bdd7-001676b7766e}\Shell - "" = AutoRun
      O33 - MountPoints2\{ff715859-d396-11dd-bdd7-001676b7766e}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{ff715859-d396-11dd-bdd7-001676b7766e}\Shell\AutoRun\command - "" = D:\mTrust_Launcher.exe -- File not found
      
      :Services
      
      :Reg
      
      :Files
      C:\Documents and Settings\All Users\Application Data\*.tmp /s
      
      :Commands
      [purity]
      [emptytemp]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done



    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
    Begin copying here:
    
    Files to delete:
    C:\WINDOWS\jestertb.dll
    C:\WINDOWS\quadriga.ini
    C:\WINDOWS\System32\tcusbdrv.dll
    Files to move:
    C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
    

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply

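The O33 lines in the OTL fix above are OTL's listing of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, where Explorer caches, per volume GUID, the shell verbs it last saw for that volume; `Shell\AutoRun\command` is what Explorer runs for the AutoRun verb on that volume, and `Shell - "" = AutoRun` makes that verb the default, so a double-click on the drive runs the command. That is the mechanism autorun worms of the period rode on, and it is why a cleanup script removes the cached handlers even when the target is already gone. The script below is an added example, not from the thread or from OTL: it parses O33 lines (the sample is the seven lines from the fix script above, copied verbatim) and flags each cached handler with the reasons it would be worth removing. The flagging rules are mine, not OTL's.

```python
"""Added example (not from the thread): parse OTL's O33 / MountPoints2 lines
and flag cached AutoRun handlers worth removing."""
import re
from collections import defaultdict

# The seven O33 lines from the thread's OTL fix script, verbatim.
SAMPLE_O33 = r"""
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{6f84d1ab-732e-11dc-bb66-001676b7766e}\Shell\AutoRun\command - "" = wd_windows_tools\setup.exe
O33 - MountPoints2\{ff715859-d396-11dd-bdd7-001676b7766e}\Shell - "" = AutoRun
O33 - MountPoints2\{ff715859-d396-11dd-bdd7-001676b7766e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ff715859-d396-11dd-bdd7-001676b7766e}\Shell\AutoRun\command - "" = D:\mTrust_Launcher.exe -- File not found
"""

# One O33 line: GUID, registry key path below the GUID, value, optional "File not found" marker.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]{36})\}\\(?P<key>\S+) - "" = '
    r'(?P<value>.*?)(?P<missing> -- File not found)?$'
)
DRIVE_ABS = re.compile(r"^[A-Za-z]:\\")


def parse_o33(text):
    """Group O33 lines by volume GUID: {guid: {key_lower: (value, target_missing)}}."""
    volumes = defaultdict(dict)
    for line in text.splitlines():
        m = O33_RE.match(line.strip())
        if m:
            volumes[m["guid"]][m["key"].lower()] = (m["value"], m["missing"] is not None)
    return dict(volumes)


def audit_autorun(volumes):
    """Return [(guid, command, [reasons])] for every volume with a cached AutoRun command."""
    findings = []
    for guid, keys in volumes.items():
        entry = keys.get(r"shell\autorun\command")
        if entry is None:
            continue
        command, missing = entry
        reasons = []
        if missing:
            reasons.append("stale: target no longer exists")
        if not DRIVE_ABS.match(command):
            reasons.append("relative path: runs whatever sits at that path on the next volume mounted with this id")
        if keys.get("shell", ("", False))[0].lower() == "autorun":
            reasons.append("AutoRun is the default verb: a double-click on the drive runs the command")
        findings.append((guid, command, reasons))
    return findings


def guids_to_purge(findings):
    """Volume ids with at least one reason, sorted, i.e. the entries a fix script would remove."""
    return sorted(guid for guid, _, reasons in findings if reasons)


if __name__ == "__main__":
    vols = parse_o33(SAMPLE_O33)
    for guid, command, reasons in audit_autorun(vols):
        print(guid, "->", command)
        for r in reasons:
            print("    -", r)
    print("purge:", guids_to_purge(audit_autorun(vols)))
```

Feed it the O33 section of a full OTL.Txt rather than the seven sample lines to audit every volume a machine has ever mounted; the rules are deliberately conservative, and the relative-path rule in particular will also flag legitimate vendor launchers like the wd_windows_tools entry above, which is why the thread's fix removes them all rather than trying to tell them apart.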

  • Ideo (Registered Users, Posts: 1,618 ✭✭✭)


    I ran that OTL and the computer rebooted but completely froze and now I keep getting the BSOD! Any ideas? Think I might just get a new hard drive and completely wipe the old one and use it for a spare backup.


  • tpotter (Closed Accounts, Posts: 92 ✭✭)


    To be honest, I almost always just reinstall windows rather than trying to fight a trojan/virus.

    In all the time you usually spend researching how to fix it or trying other fixes, you almost always are better off doing a fresh install. Especially if your computer has a restore partition, in which case you just need to back up your files first. Of course, you need to back up all your files in any case when doing a fresh install.

    Aside from just saving time, when you do a fresh install, you can be reasonably sure the virus is gone...


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    Ideo, can you boot up in normal or safe mode?


  • Ideo (Registered Users, Posts: 1,618 ✭✭✭)


    No, it won't run in safe mode.

    The error message I get reads

    0X0000007B (0XF78D663C, 0XC0000034, 0X00000000, 0X00000000)

    Any suggestions? Tried google to no avail. Actually invested in a new hard drive and when I plugged that in I got the same error message. Could it be the graphics card? Something else?!?


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    Boot from the Windows XP installation CD.

    At the "Welcome to Setup" screen, press R to start Recovery Console. Choose the installation to be repaired by number (usually 1) and press "Enter".

    When you are asked for the Administrator password, leave it blank and press "Enter".

    At the command prompt, type chkdsk /r and press "Enter". (Note the space before /r) The disk check operation will start.

    This will be a very thorough check of the hard drive and the file system...be patient and let it complete. It may appear to hang or even back up a few times...this is normal. 60 to 90 minutes is not unusual for this check...it may take longer in some cases.

    Once the check completes and you are back at the command prompt, type exit and press "Enter". Let your computer boot normally to Windows.


  • Ideo (Registered Users, Posts: 1,618 ✭✭✭)


    welllllllllll,

    I installed my new hard drive and took out some RAM, leaving just one 1GB stick in the comp. Started up the comp > selected boot from CD-ROM > Windows XP checked for some info along the bottom of the page and then Bam! 0x0000007b error!! Google tells me that 0x0000007b errors are usually hard drive errors, but surely that can't be with two hard drives!! This is wrecking my head!


  • Ideo (Registered Users, Posts: 1,618 ✭✭✭)


    Should I just look at getting a new basic comp and harvesting parts from the old one? I don't really want to, I just want this to work!!


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    It can be fixed, don't worry.

    It's a bit of a tech issue so I will send you to some friends.

    Post here in the Windows XP/Vista forum

    http://www.geekstogo.com/forum/forums.html

    and they can fix you up


  • Ideo (Registered Users, Posts: 1,618 ✭✭✭)


    Got this sorted in the end, installed windows 7 instead!!

