Multiple virus in drives-keeps changing-incl trojan dwnldr

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by evolutionpill, Jul 12, 2009.

  1. evolutionpill

    evolutionpill Private E-2

    Hi

    Would be very thankful for your assistance in helping resolve and understand my PC issues, as I have been struggling for the last few days. Hope it's not too much detail.

    The last few days I noticed the PC was a little slower, so I decided to do a full clean out, including reorganising my files and folders on all drives (the main purpose was to clean out and organise the folders before moving them to a new, formatted portable drive as my backup).

    I proceeded to do a number of checks and that's when the problems surfaced: viruses found using different programs, thought deleted and then reappearing and interfering with the virus programs.

    Below, in order, the issues:

    Thurs to Friday

    1. AVG does a full scan & update every day, nothing detected.

    2. I performed a Malwarebytes scan, nothing detected, first time.

    3. Performed a Dr.Web "Complete" scan; it detected the following:

    New-Mera.pps;I:\D Backup secondary\Shaun\funnies;Probably office.exploit.16;;
    344E~1.DOC;I:\D Backup secondary\Thomas\Thomas\Cherry's documents\Cherry of 07.29\My Document\My Documents\thomas\8ED5~1\Cherry\149E~1;Probably office.exploit.gen;;
    344E~1.DOC;I:\D Backup secondary\Thomas\Thomas\Cherry's documents\My Documents\thomas\Cherry\149E~1;Probably office.exploit.gen;;

    4. I deleted all, then did a rescan, and Dr.Web would scan the C & D drives and identify new warnings, but as it continued to drives E & F it would stop and an application error box appeared:

    "The instruction 0x000x00345….. The memory could not be written" and the program closed.

    5. I re-ran Dr.Web but this time a "custom scan", one drive at a time; nothing was detected.

    6. I proceeded to run (at considerable length) Kaspersky. It identified:

    File name / Threat name / Threats count
    C:\Documents and Settings\user\DoctorWeb\Quarantine\A0006746.exe Infected: Trojan.Win32.Obfuscated.en 1
    C:\Documents and Settings\user\DoctorWeb\Quarantine\autorun.inf Infected: Virus.Win32.Small.f 1
    C:\Documents and Settings\user\DoctorWeb\Quarantine\autorun0.inf Infected: Virus.Win32.Small.f 1
    C:\Documents and Settings\user\DoctorWeb\Quarantine\autorun1.inf Infected: Virus.Win32.Small.f 1
    C:\Documents and Settings\user\DoctorWeb\Quarantine\autorun2.inf Infected: Virus.Win32.Small.f 1
    C:\Documents and Settings\user\DoctorWeb\Quarantine\autorun3.inf Infected: Virus.Win32.Small.f 1
    C:\Documents and Settings\user\DoctorWeb\Quarantine\autorun4.inf Infected: Virus.Win32.Small.f 1
    D:\FoHRUm Shaun\Fohrum\From Graeme's flash disk\Outlook.pst Infected: Email-Worm.Win32.Mydoom.q 3
    D:\LAN CLUB\wines\jan\s\wine list\food of wine matching translation.doc Infected: Trojan-Dropper.MSWord.1Table.gw 1
    D:\LAN CLUB\wines\jan\Wines out of stock.doc Infected: Trojan-Dropper.MSWord.1Table.gw 1

    I deleted these files, and then for safety re-ran the program again; the second time it only identified

    D:\RECYCLER\S-1-5-21-220523388-1993962763-1343024091-1003\Dd17.pst Infected: Email-Worm.Win32.Mydoom.q 3

    To locate the RECYCLER folders I had to go to Tools in Explorer and untick "hide protected operating system files"; however, I could not delete it.

    8. I re-ran the Dr.Web full scan; it identified:

    A0068353.exe in c:/system volume info/_restore(86c7-85b…………. ) tool.prockill
    Copy of communication and culture.ppt in D:/ Michael training/Data from convergys Probably office.exploit.gen

    Then when it got to the F drive a u82ad.exe application error box appeared again:
    Instruction at "0x01x408…." referenced memory at "0x000000000"

    9. My AVG identified on the D drive: Virus found "W97m/trojan"

    Saturday-Sunday

    10. That's when I decided to contact MajorGeeks.

    11. First followed your required steps to the letter; after following the standard clean out I noticed on login it took much longer.

    12. SUPERAntiSpyware identified Trojan agent GEN

    13. Rooroeat ran, then an error box appeared "error on disk corruption detected run chkdsk", which I did not, as I'm not sure how or if I should.



    I really look forward to your insight as to what the problem is, and the best way we can resolve it.

    Thank you :confused

    SF
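Added example (not part of the thread, and not code from MajorGeeks or from any of the scanner vendors): a small Python script that parses the Kaspersky-style ("<path> Infected: <threat> <count>") and Dr.Web-style ("<file>;<folder>;<threat>;;") report lines quoted in the post above and sorts each hit by where the flagged file lives. It makes the security-relevant distinction the thread turns on: a file sitting in another product's quarantine folder, in an old System Restore snapshot under System Volume Information, or in RECYCLER is an inert copy that other scanners will keep re-reporting, while only paths outside those places are live working files. Most sample lines are copied from the post; the System Volume Information line, its GUID and the threat label on it are constructed placeholders, and the function names are my own.

```python
"""Classify antivirus report lines by where the flagged file lives.

Added example for the MajorGeeks thread; not the original poster's or any
vendor's code. Sample lines below are mostly copied from the post, except the
System Volume Information line, which is constructed.
"""
import re
from dataclasses import dataclass

# Kaspersky report line: "<path> Infected: <threat name> <threat count>"
KASPERSKY_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    location: str  # one of: quarantine, restore-point, recycle-bin, live


def classify_location(path: str) -> str:
    """Say where on disk a flagged file sits; only 'live' files are actually in use."""
    p = path.lower().replace("/", "\\")
    if "\\quarantine\\" in p:
        return "quarantine"      # already isolated by another scanner (here Dr.Web)
    if "\\system volume information\\" in p:
        return "restore-point"   # old System Restore snapshot; flushed by toggling System Restore
    if "\\recycler\\" in p:
        return "recycle-bin"     # deleted but not yet purged from the bin
    return "live"                # a real working file: this is the one that needs attention


def parse_kaspersky(line: str):
    """Parse one Kaspersky-style line, or return None if the line is not in that format."""
    m = KASPERSKY_RE.match(line.strip())
    if m is None:
        return None
    path = m.group("path")
    return Detection(path, m.group("threat"), int(m.group("count")), classify_location(path))


def parse_drweb(line: str):
    """Parse one Dr.Web-style line "<file>;<folder>;<threat>;;", or return None."""
    parts = line.strip().split(";")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    path = parts[1].rstrip("\\") + "\\" + parts[0]
    return Detection(path, parts[2], 1, classify_location(path))


def parse_line(line: str):
    """Try both report formats; a Detection is truthy, so 'or' falls through on None."""
    return parse_kaspersky(line) or parse_drweb(line)


def summarize(lines) -> dict:
    """Count detections per location class."""
    counts = {}
    for line in lines:
        d = parse_line(line)
        if d is not None:
            counts[d.location] = counts.get(d.location, 0) + 1
    return counts


def live_paths(lines) -> list:
    """Paths that are neither quarantined, in a restore point, nor in the recycle bin."""
    return [d.path for d in map(parse_line, lines) if d is not None and d.location == "live"]


# Sample report lines: the first five are copied from the post, the last is constructed.
SAMPLE_LINES = [
    r"C:\Documents and Settings\user\DoctorWeb\Quarantine\A0006746.exe Infected: Trojan.Win32.Obfuscated.en 1",
    r"C:\Documents and Settings\user\DoctorWeb\Quarantine\autorun.inf Infected: Virus.Win32.Small.f 1",
    r"D:\RECYCLER\S-1-5-21-220523388-1993962763-1343024091-1003\Dd17.pst Infected: Email-Worm.Win32.Mydoom.q 3",
    r"D:\LAN CLUB\wines\jan\Wines out of stock.doc Infected: Trojan-Dropper.MSWord.1Table.gw 1",
    r"New-Mera.pps;I:\D Backup secondary\Shaun\funnies;Probably office.exploit.16;;",
    # constructed: placeholder GUID and placeholder threat label
    r"C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP12\A0068353.exe Infected: Tool.ProcKill 1",
]

if __name__ == "__main__":
    for loc, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{loc:14s} {n}")
    print("live files to look at:", live_paths(SAMPLE_LINES))
```

Run on the sample it reports two hits in Dr.Web's quarantine, one in a restore point, one in RECYCLER and two live documents; the live list is the only part that still needs a decision, which matches the admin's later advice to flush old restore points rather than chase the re-detected copies.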

  2. evolutionpill

    evolutionpill Private E-2

    Multiple virus second set of attachments

    Below is my second set of attachments, which is the MGtools log.

    Thanks

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are all clean. You just have some minor non-malware things to attend to.

    What is the below folder? If unknown, delete it.
    2009-07-11 15:09 . 2009-03-06 14:31 -------- d-----w- c:\program files\aaaa 2009 virus clean out

    The below are not malware but they should not be saved in the Program Files folder. If you want these then move them somewhere else. Otherwise delete them.
    Code:
    2008-09-09 10:18 . 2008-09-09 10:17 3480292 ----a-w- c:\program files\cam.zip
    2008-05-16 11:08 . 2008-05-16 11:06 13665632 -c--a-w- c:\program files\winzip112.exe
    2008-05-16 10:48 . 2008-05-16 10:43 1206366 -c--a-w- c:\program files\wrar371.exe
    2008-04-16 05:57 . 2008-04-16 05:57 19596318 -c--a-w- c:\program files\AllMusicConverter_3.4.1-Setup.exe
    2008-04-08 17:50 . 2008-04-08 17:50 13321968 -c--a-w- c:\program files\ymsgr_inst_us.exe
    2008-04-08 17:48 . 2008-04-08 17:48 18832168 -c--a-w- c:\program files\Install_Messenger8.1.exe
    2008-04-08 17:37 . 2008-04-08 17:37 13460852 -c--a-w- c:\program files\quicktimealt251.exe
    2008-04-08 17:18 . 2008-04-08 17:18 9409224 -c--a-w- c:\program files\Install_MSN_Messenger.exe
    2008-04-08 16:55 . 2008-04-08 16:55 1813872 -c--a-w- c:\program files\WLinstaller-1.exe
    2008-04-08 16:44 . 2008-04-08 16:44 2400784 -c--a-w- c:\program files\WLinstaller.exe
    2008-04-08 16:19 . 2008-04-08 16:19 12413440 -c--a-w- c:\program files\avgas-setup-7.5.1.43.exe
    2008-04-08 15:41 . 2008-04-08 15:41 15452536 -c--a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
    2008-04-08 15:34 . 2008-04-08 15:34 1427520 -c--a-w- c:\program files\Silverlight.exe
    2008-01-08 12:03 . 2008-04-08 16:19 265949336 -c--a-w- c:\program files\AcroPro80_efg.exe
    2006-09-09 01:28 . 2008-09-09 10:19 3666448 -c--a-w- c:\program files\scnow.exe

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    After clicking Fix, exit HJT.

    Then I suggest that you toggle System Restore off and then back on to remove any old restore points containing old infected info.
     
  4. evolutionpill

    evolutionpill Private E-2

    Hi Chaslang

    Appreciate your reply, I know you folk are busy. Followed your instructions; good to hear that this was only a minor problem.

    The question I have is that my AVG is still picking up a trojan horse in my D folder:

    D system volume/..restor/abdce3837..........trojan horse back door,

    I have moved it to the virus vault, but my concern initially is that since the D drive holds all my working folders & files, and this is where I kept getting virus notifications, is this folder now clean, or is there something I can do to double check?

    Much thanks
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As stated in my last message!!!
     
  6. evolutionpill

    evolutionpill Private E-2

    Thanks, your assistance is much appreciated.

    :wave
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link: