Virus (Trojan???)... Help please!

Discussion in 'Malware Help (A Specialist Will Reply)' started by koopdeezy, Jan 3, 2008.

  1. koopdeezy

    koopdeezy Private E-2

    Hey, I have Norton Antivirus and every day for the past 3 or so weeks I get a daily result of a "trojan.dropper" in my Temporary Internet Files. I also get a virus in my System Volume Information folder. My computer as a result isn't performing optimally. I don't know a lot about computers, but my cousin is a programmer and sent me your way. I followed the steps in a tutorial and will attach the logs I have created. Thanks!
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi koopdeezy!
    Welcome to Major Geeks!

    One of us will look at your logs and get back to you. This takes some time. Thanks for being patient!

    abri
     
  3. abri

    abri MajorGeek

    Hi koopdeezy!
    Sorry this took so long!

    1) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 2

    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) If you don't know what either of the following files is, please scan the following file(s) at either jotti or VirusTotal and let me know the results.

    C:\WINDOWS\SD218296B.tmp
    C:\dump_dvd.vob

    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe

    After you click fix, just close HijackThis.

    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run
    Disable/Remove Windows Messenger

    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    8) Now run CCleaner in the default setting with the Windows tab as the active one. Do not check anything which is not already checked. After you hit the Run Cleaner button, there will be a warning that all the files will be permanently deleted. Click on OK and allow it to run. When it's finished, just close it.

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    Let me know how things are running now.

    abri
     
  4. koopdeezy

    koopdeezy Private E-2

    Thanks for the reply.
    I ran through everything and am yet to get anything to show up on my antivirus in quite some time. My computer seems to be running back to normal so I'm hoping everything is taken care of. I scanned those files online and it said something like "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file" and I can no longer find it on my computer so I think it's been taken care of. The Avenger thing isn't creating a log for me though. I don't know why, but when I close it out it says something like "No action has been queued for next reboot. Are you sure you want to quit Avenger?" So I don't really know about that one. Here are my MGLogs in case you find anything else though. Thanks a lot!
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi koopdeezy,

    Avenger didn't produce a log because it didn't run. The temporary files were probably deleted because they were temporary and fell in the deletion period.

    The file dump_dvd.vob came in on Dec. 15th. Do you remember downloading anything at that time that might have had to do with dvd's? You have a link on your desktop to anydvd and I wondered if it might be part of that.

    1) Please rename C:\dump_dvd.vob to C:\dump_dvd.zzz Let me know if this causes any trouble. You'd probably notice it after a reboot.

    Also on your desktop is this file: spybotsd15.exe.part Do you know how it got that name?

    2) Now, please download and install Erunt. Use it to create a backup of your registry.

    Then do the following:

    3) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    4) Let me know if the registry patch gives you a success message.

    5) After doing the registry patch, please run analyse.exe in the C:\MGTools folder and allow it to create a log. That one entry is an O4 entry for Router.exe which you can check for yourself. If that is gone, I don't see anything else in your logs that is related to malware.

    Other than the above, your logs are clean. I don't like the appearance of the temporary files, but would like for you to simply continue emptying your temporary files with CCleaner at the default setting whenever you finish using the internet and let me know if you get any further complaints from your antivirus.

    6) If there are no other symptoms, you can remove the tools and logs we've been using here as follows:
    abri
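
    As an added example (not part of this thread or of the MGtools/HijackThis tools), here is a small PowerShell script that does the same check HijackThis reports as O4 entries: it lists the Run/RunOnce autostart values under HKCU and HKLM and flags any value named "Router" or whose command points at a Router.exe under C:\Program Files\Router, which is the entry quoted in post #3. The value name and path come from the thread; the key list and the function name Get-RunEntries are assumptions for the example. Run it in an elevated PowerShell; on a clean machine the flagged list is empty.

```powershell
# Added example: enumerate the autostart (Run / RunOnce) registry values that
# HijackThis lists as O4 entries, and flag the one named in the thread.
# Key list below is an assumption; the "Router" name/path come from the thread.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntries {
    # Returns one object per autostart value: which key it lives in, its
    # value name (shown in [brackets] by HijackThis) and the command it runs.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }   # RunOnce is often absent
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider bookkeeping properties PowerShell adds.
            if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

$entries = Get-RunEntries
"All autostart entries found:"
$entries | Format-Table -AutoSize

# Flag the entry the thread asked to remove. Matching on both the value name
# and the command path catches the case where only one of them was changed.
$suspect = $entries | Where-Object {
    $_.Name -eq 'Router' -or $_.Command -like '*\Program Files\Router\Router.exe*'
}
if ($suspect) {
    Write-Warning "Router autostart entry is still present:"
    $suspect | Format-List
} else {
    "No 'Router' Run entry found in HKCU or HKLM."
}
```

    The same listing is useful after any cleanup: anything in the table that you do not recognise is worth looking up before deciding it is harmless.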
     
  6. koopdeezy

    koopdeezy Private E-2

    Yea I'm pretty sure I downloaded the AnyDVD thing about that time because it was a 21 day trial so that seems right. I would assume that is due to it. I removed that program though and it no longer exists. I think I'm good on things now. Thanks a lot, the Erunt went successful and I did not notice the named entry on the MGtools analyse.exe log. I will continue to use CCleaner and other than that if you say my logs look clean I'll assume they are and keep you posted if anything happens again, thanks a lot!
     
  7. abri

    abri MajorGeek

    Hi koopdeezey!

    Did you get a success message when you ran the registry patch?

    If so, I'm glad to hear things are working better. Do run through the final two links in the instructions I gave you for finishing up.

    abri
     
  8. koopdeezy

    koopdeezy Private E-2

    Yea I got a success message when I ran that. I followed the above mentioned steps also, but when I disabled and enabled system restore it seems it slowed my CD/DVD drive up somehow. I read online that it reverted to PIO mode or something and I needed it in DMA? It isn't seeming to return to the same burn speed even after I returned it to DMA and rebooted. I am not sure if this is the right forum for this, but is this a likely thing to happen when disabling/enabling the system restore? I also got a disc read error the first run through so that might have caused it too. If you have no idea about my yammering on and on I understand, other than that everything is great. Thanks so much!
     
  9. abri

    abri MajorGeek

    Hi koopdeezey!
    I'm glad that in general your computer is doing better, but sorry for the problems you're having with your cd/dvd burner. Did you see the following Microsoft article?

    http://www.microsoft.com/whdc/device/storage/IDE-DMA.mspx

    I don't know much about this and I've not heard about it happening as the result of system restore, but what you've mentioned with PIO and DMA modes sounds relevant. The Microsoft article refers to file corruption and mentions that it might be necessary to reinstall the drive, but you should read it yourself. Also ....

    In Post #5 I asked you to rename one of your files. Please rename it back to what it was and see if that does anything. I'm not sure what the word dump in the file name refers to and I don't know if it is a file which is in use on your computer anyway. Just thought of it in relation to the dvd software.

    This is an area where your chances for additional information and experience would be increased by asking in the Software or Hardware Forums as well.

    Abri
     
  10. koopdeezy

    koopdeezy Private E-2

    Nice info, that was a good read. Yea from what I've gathered there and a few other places is a scratched CD triggers an error and after 6 it bumps your DMA mode down a grade so I'm thinking that this problem was just a coincidence and had nothing to do with the system restore. My cousin is a software engineer, he might be able to figure something out if I can ever get him over here so I'll hold off on things till then. If all else fails I'll get a new drive, I could use one anyway. As for the dvd file I can't seem to locate it anymore. I removed the program AnyDVD because the trial was over so maybe it went along with it? Thanks for everything! I think I'll stop buggin you with my problems now, you have done enough for me lol. Malware is a non-issue wooooohoooooo!
     
  11. abri

    abri MajorGeek

    Thanks koopdeezy!
    Here at the last post, I finally vowed to spell your name correctly!
    Many safe and happy computing endeavors to you!
    abri
     