Obviously infected; Cannot find info anywhere!

Discussion in 'Malware Help (A Specialist Will Reply)' started by traptfreak_44, Mar 28, 2006.

  1. traptfreak_44

    traptfreak_44 Private E-2

    Okay I'm POSITIVE that I have been infected, with what I am not sure. About a week ago I found a process, "GU.exe", running in my task manager and quickly ended it. I did a search for it on my system and it was located in "C:\documents and settings\owner\temp". I did a search for it on a few search engines with no luck. I scanned the file with several of my own trojan, antivirus, and spyware scanners with no infection detected. I then scanned it with several online scanners and it still came out clean. I erased the file and cleaned out all of my temp folders with CCLEANER.

The next day after I'd erased it, it popped up under my services. It was stopped but was set to automatic and had no path associated with it. Then, a few days ago I noticed an entry under services that I did not recognize named "XNSWOWIR". The path associated with it was "C:\documents and settings\owner\local settings\temp\XNSWOWIR.exe". It was stopped, but was set to run under automatic. I disabled it and went to my temp folder, which was empty. This isn't surprising though because I use CCLEANER quite often and I have set it to delete files in the temp folder less than 48 days old. I did a registry search and nothing came up. I searched online and couldn't find one thing about it. I've run Kaspersky, NOD32, Panda, BitDefender, SpySweeper, TrojanHunter, Norton, McAfee, Microsoft Antispyware, Xoftspy, Housecall, A-Squared...Everything I could think of, but my system comes out clean. Then I remembered Ewido and tried the trial version. It found one file to be infected with a trojan "downloader.vb.ts". It was a file that I had thought to be legit and that no other scanner had identified. I had used that file a couple of times so I was unsure if it had done any damage. Again, looking online I found very little on it. What I did find was in Spanish mostly, so it wasn't really any help.

After I deleted this file, two more services popped up. One is "NURED" running from "C:\DOCUME~1\ADMINI~1.AGE\LOCALS~1\Temp\NURED.exe", and the other is "FNLYEPBU", which runs from "C:\DOCUME~1\ADMINI~1.AGE\LOCALS~1\Temp\FNLYEPBU.exe". Doing an online search returned nothing, and yet again these files were not in the folder it said they were. I then ran HijackThis! Here's my log file:


    Edit by chaslang: Inline log removed! Cleaning steps not followed.

And now, as I'm writing this, my c:\documents and settings\owner\local settings\temp folder is filling up with many different exe files, then they are disappearing, only to reappear a minute later and switch out. Now most of the exe files are gone except a couple. Now there are many htm, html, and js files filling up the temp folder. One of them is named "content[2].htm". The other ones are happening so fast I can't read them...I scanned the ones that stayed there long enough and all of them came out clean...Now I am REALLY at a loss! All of a sudden my "C:\windows\temp" folder has bloated to about 60 something megabytes. Also, in my temporary internet files there are many files which again are blinking and disappearing then reappearing. There appear to be many js files, although there should be nothing in here really since I don't use internet explorer at all, under any circumstances. Here is a list of what each folder contains [at the moment anyway]:


    -- C:\windows\temp --

    C:\WINDOWS\TEMP\drm1B8.tmp 0 bytes
    C:\WINDOWS\TEMP\drm1B9.tmp 0 bytes
    C:\WINDOWS\TEMP\drm1BA.tmp 0 bytes
    C:\WINDOWS\TEMP\drm314.tmp 0 bytes
    C:\WINDOWS\TEMP\drm315.tmp 0 bytes
    C:\WINDOWS\TEMP\drm316.tmp 0 bytes
    C:\WINDOWS\TEMP\drm317.tmp 0 bytes
    C:\WINDOWS\TEMP\drm318.tmp 0 bytes
    C:\WINDOWS\TEMP\drm319.tmp 0 bytes
    C:\WINDOWS\TEMP\drm31A.tmp 0 bytes
    C:\WINDOWS\TEMP\drm31B.tmp 0 bytes
    C:\WINDOWS\TEMP\drm31C.tmp 0 bytes
    C:\WINDOWS\TEMP\drm31D.tmp 0 bytes
    C:\WINDOWS\TEMP\drm31E.tmp 0 bytes
    C:\WINDOWS\TEMP\JETC9D7.tmp 0 bytes
    C:\WINDOWS\TEMP\JETCF65.tmp 0 bytes
    C:\WINDOWS\TEMP\JETE908.tmp 0 bytes
    C:\WINDOWS\TEMP\JETFED2.tmp 0 bytes
    C:\WINDOWS\TEMP\Perflib_Perfdata_598.dat 16.00KB
    C:\WINDOWS\TEMP\Perflib_Perfdata_5b8.dat 16.00KB
    C:\WINDOWS\TEMP\Perflib_Perfdata_61c.dat 16.00KB
    C:\WINDOWS\TEMP\Perflib_Perfdata_640.dat 16.00KB
    C:\WINDOWS\TEMP\tmp000011c9\tmp00000000 0 bytes
    C:\WINDOWS\TEMP\tmp0000296b\tmp00000000 0 bytes
    C:\WINDOWS\TEMP\tmp0000296b\tmp00000307 2.09MB
    C:\WINDOWS\TEMP\tmp0000296b\tmp000007c2 2.54MB
    C:\WINDOWS\TEMP\tmp0000296b\tmp000009cd 2.78MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00000000 0 bytes
    C:\WINDOWS\TEMP\tmp00004d58\tmp00001726 4.27MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00001727 4.27MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00001729 4.27MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00002eec 2.78MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00002efe 2.09MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00003fec 2.54MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp000040a0 3.91MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp0000447d 3.91MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00004493 2.54MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00004516 3.91MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00004632 3.54MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00004654 3.91MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp000048c5 3.91MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp0000494b 2.78MB
    C:\WINDOWS\TEMP\tmp00004d58\tmp00004961 2.78MB
    C:\WINDOWS\TEMP\tmp00006670\tmp00000000 0 bytes
    C:\WINDOWS\TEMP\tmp000067f8\tmp00000000 0 bytes
    C:\WINDOWS\TEMP\tmp00006e91\tmp00000000 0 bytes
    C:\WINDOWS\TEMP\tmp00006e91\tmp000001fd 2.09MB
    C:\WINDOWS\TEMP\tmp00006e91\tmp000002fa 2.78MB


    -- C:\documents and settings\owner\local settings\temp --

    C:\DOCUME~1\Owner\LOCALS~1\Temp\2Vl9Dq.exe 3.60MB
    C:\DOCUME~1\Owner\LOCALS~1\Temp\doFuSdm.exe 1.54MB
    C:\DOCUME~1\Owner\LOCALS~1\Temp\java_install_reg.log 416 bytes
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Perflib_Perfdata_8e0.dat 16.00KB
    C:\DOCUME~1\Owner\LOCALS~1\Temp\TopStyle3.exe 1.16MB
    C:\DOCUME~1\Owner\LOCALS~1\Temp\ZunzBix.exe 0.16MB
    C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF726.tmp 32.00KB
    C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFB21A.tmp 1.19MB
    C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFD583.tmp 16.00KB
    C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFAF1.tmp 32.00KB



    -- C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files --

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0JTRUTRD\desktop.ini 67 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0JTRUTRD\menuimage[1].gif 537 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0JTRUTRD\SOUNDBUZZ_logo_15x15[1].png 1.07KB
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0JTRUTRD\uuid_000f-66c4-2fd10000c2dc[1] 3.14KB
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D16YERYQ\16_16_ico[1].gif 616 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D16YERYQ\d1357803236[1].jpg 9.13KB
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D16YERYQ\desktop.ini 67 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D16YERYQ\sm_menu_logo[1].png 611 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini 67 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T6186DWX\d1357803236[1].jpg 2.30KB
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T6186DWX\desktop.ini 67 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T6186DWX\menuicon[1].png 429 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T6186DWX\MNdisc_16x16[1].png 675 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T6186DWX\rhap_16x16[1].png 816 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UXHUPZ6A\allservices[1].aspx 5.47KB
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UXHUPZ6A\desktop.ini 67 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UXHUPZ6A\msnlogo[1].png 18.29KB
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UXHUPZ6A\msnsmall[1].png 769 bytes
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UXHUPZ6A\radiopresets[1].asp 7.36KB
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\desktop.ini 67 bytes

    I just scanned with Avast Professional Version instead of the personal and it has found "Win32:Trojan-gen. {Other}" in one of my files that I have run in the past. This also seems to be an obscure trojan. Most of the temporary internet files are gone now...they deleted themselves in front of my eyes. Also, the programs in owner temp folder are the ones that stayed there. At one point there were in excess of 20 to 30 randomly moving through. Any help would be very much appreciated!
     
    Last edited by a moderator: Mar 28, 2006
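A small triage script, added here and not part of the thread or of MajorGeeks' tooling, that does in code what the post describes doing by hand: walk HKLM\SYSTEM\CurrentControlSet\Services and flag automatic-start services whose ImagePath points into a Temp directory, to a binary that is no longer on disk, or is absent altogether (the GU / XNSWOWIR / NURED / FNLYEPBU pattern). The `exists` parameter is an assumption added so the classification can be exercised on constructed paths away from the infected machine.

```python
# Added triage helper, not from the thread: flag auto-start services whose
# binary sits in a Temp directory, is missing from disk, or has no ImagePath.
import os
import re

def binary_from_image_path(image_path):
    """Strip quotes and arguments from a service ImagePath, keeping only the binary."""
    p = os.path.expandvars(image_path.strip())
    if p.startswith('"'):                        # "C:\Program Files\x.exe" -args
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.match(r".*?\.exe", p, re.IGNORECASE)  # unquoted path: cut after .exe
    return m.group(0) if m else p.split(" ")[0]

def classify_service(image_path, exists=os.path.exists):
    """Return tags 'no-path', 'in-temp', 'missing' (empty list = nothing flagged).
    `exists` is injectable (assumed helper) so the logic runs on constructed data."""
    if not image_path:
        return ["no-path"]                       # registered service with no binary at all
    exe = binary_from_image_path(image_path)
    parts = [c.lower() for c in re.split(r"[\\/]+", exe) if c]
    tags = []
    if any(c in ("temp", "tmp") for c in parts):  # LOCALS~1\Temp, WINDOWS\Temp, ...
        tags.append("in-temp")
    # Existence is only checked for drive-letter paths; driver-style paths such as
    # \SystemRoot\system32\drivers\x.sys are resolved by the kernel, not the shell.
    if re.match(r"^[A-Za-z]:", exe) and not exists(exe):
        tags.append("missing")
    return tags

def enumerate_services():
    """Yield (name, ImagePath, Start) for each key under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    import winreg                                # Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as key:
                values = {}
                for value in ("ImagePath", "Start"):
                    try:
                        values[value] = winreg.QueryValueEx(key, value)[0]
                    except FileNotFoundError:
                        values[value] = None
            yield name, values["ImagePath"] or "", values["Start"]

if __name__ == "__main__":
    for name, image, start in enumerate_services():
        if start == 2:                           # Start=2 is Automatic, as in the post
            for tag in classify_service(image):
                print(f"{name}: {tag} ({image or 'no ImagePath'})")
```

A service flagged `in-temp` or `no-path` is worth a closer look even when every scanner reports the binary clean, because the point of interest is the persistence entry itself rather than the file it currently points at.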
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Welcome to MajorGeeks!

    Please do not post any logs inline! Also before HijackThis logs will be reviewed, standard cleaning procedures must be followed. See below.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    Also please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    Note: This program is for Windows XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

    If you use Firefox browser

    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.


• If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
    Last edited: Mar 28, 2006
