Topic: Folder.exe - Win32:Trojan-gen. {Other} infection

araspopovic

Folder.exe - Win32:Trojan-gen. {Other} infection
« on: January 16, 2007, 08:09:29 PM »
Hello all,

my computer has been infected by a trojan or something. I lent my flash drive to a colleague and when she returned it there was a new folder, DataAdministrator, in fact an .exe pretending to be a folder (the same familiar icon), and unfortunately, in a hurry, I clicked it. The crap immediately replicated itself into the surrounding folders, taking their names. It has infected some system files; avast detected it but couldn't repair the files. Could somebody give me a piece of advice on how to remove it? I have read many posts about a similar problem but with different solutions, so I could not decide on a universal method to do it myself without someone's precise directions. Below I have attached the logs from avast, AVG Anti-Spyware and HijackThis. Thank you in advance. Greets!

***AVAST LOG***

1/15/2007 11:06:48 AM   Administrator   1584   Sign of "Win32:Trojan-gen. {Other}" has been found in "E:\Data Administrator.exe" file.
1/15/2007 11:07:37 AM   Administrator   1584   Sign of "Win32:Trojan-gen. {Other}" has been found in "E:\.exe" file.
1/15/2007 11:12:30 AM   Administrator   3208   Sign of "Win32:Trojan-gen. {Other}" has been found in "E:\korisna literatura\Njemci ušli u upravu (Telekoma) Vijesti 27.06.06_files\Njemci ušli u upravu (Telekoma) Vijesti 27.06.exe" file.
1/15/2007 11:12:35 AM   Administrator   3208   Sign of "Win32:Trojan-gen. {Other}" has been found in "E:\korisna literatura\korisna literatura.exe" file.
1/15/2007 12:49:25 PM   Administrator   3536   Sign of "Win32:Trojan-gen. {Other}" has been found in "c:\documents and settings\administrator\start menu\programs\startup\windows.pif" file.
1/15/2007 12:49:35 PM   Administrator   3536   Sign of "Win32:Trojan-gen. {Other}" has been found in "c:\documents and settings\all users\start menu\programs\startup\empty.pif" file.
1/16/2007 8:17:15 AM   Administrator   1028   Sign of "Win32:Trojan-gen. {Other}" has been found in "c:\documents and settings\administrator\start menu\programs\startup\windows.pif" file.
1/16/2007 8:17:38 AM   Administrator   1028   Sign of "Win32:Trojan-gen. {Other}" has been found in "c:\documents and settings\all users\start menu\programs\startup\empty.pif" file.
1/16/2007 10:52:20 AM   Administrator   1588   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif" file.
1/16/2007 10:52:33 AM   Administrator   1588   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\windows.pif" file.

***END AVAST LOG***


***AVG ANTISPYWARE LOG***

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:   3:47:20 PM 1/16/2007

 + Scan result:   

C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Marked for delete on reboot (Unknown Error)
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Marked for delete on reboot (Unknown Error)
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> TrackingCookie.Questionmarket : Marked for delete on reboot (Unknown Error)
C:\Documents and Settings\Administrator\Application Data\explorer.exe -> Trojan.VB.aqx : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe -> Trojan.VB.aqx : Ignored.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP44\A0012943.pif -> Trojan.VB.aqx : Ignored.

::Report end

***END AVG ANTISPYWARE LOG***


***HIJACKTHIS LOG***

Logfile of HijackThis v1.99.1
Scan saved at 1:11:55 PM, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\BackBone\Client\BackBone.exe
C:\msets\Client\msets.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Novita\Trading System\1.6\Client\Client.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\Documents and Settings\Administrator\My Documents\SASHA\VIRUSI\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.moneta.cg.yu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: windows.pif
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Empty.pif
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.b92.net
O15 - Trusted Zone: www.bloomberg.com
O15 - Trusted Zone: http://www.radiotrogir.hr
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E07F146-9AF6-42EC-B680-6455994226CB}: NameServer = 127.0.0.1,127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E07F146-9AF6-42EC-B680-6455994226CB}: NameServer = 127.0.0.1,127.0.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

***END HIJACKTHIS LOG***
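The paths in the logs above fall into a handful of patterns that can be triaged mechanically: an executable named like a folder (or with no name at all) on the flash drive, .pif files dropped into the Startup folders, copies named after system binaries sitting outside %SystemRoot%, and copies preserved in System Restore points. The script below is an added example for this thread, not code from the original post or from avast, AVG or HijackThis. Its file inventory is constructed from the logged paths (diacritics dropped), and the rules, tag names and the assumption that C: is the system drive are ours.

```python
"""Tag the infection patterns visible in the avast/HijackThis logs above.

Added example for this thread, not code from the original post or from
avast, AVG or HijackThis. The inventory below is constructed from the
paths in the logs (diacritics dropped); the rules and tag names are ours.
"""
import ntpath

EXEC_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
# Names the worm borrowed; legitimate copies live under %SystemRoot%.
SYSTEM_BINARY_NAMES = {"explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "smss.exe", "svchost.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
RESTORE_MARKER = "\\system volume information\\_restore"
WINDOWS_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\")
SYSTEM_DRIVE = "c:"  # assumption: any other drive is treated as removable

# Constructed inventory. Directories are listed separately because the
# folder-lure check needs to know which names are real folders.
SAMPLE_DIRECTORIES = [
    r"E:\korisna literatura",
    r"E:\korisna literatura\Njemci usli u upravu (Telekoma) Vijesti 27.06.06_files",
]
SAMPLE_FILES = [
    r"E:\Data Administrator.exe",  # the lure: no folder of that name exists
    r"E:\.exe",
    r"E:\korisna literatura\korisna literatura.exe",
    r"E:\korisna literatura\Njemci usli u upravu (Telekoma) Vijesti 27.06.06_files\Njemci usli u upravu (Telekoma) Vijesti 27.06.exe",
    r"C:\Documents and Settings\Administrator\Application Data\explorer.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe",
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\windows.pif",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif",
    r"C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP44\A0012943.pif",
    r"C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP47\A0014039.exe",
    r"C:\WINDOWS\system32\lsass.exe",  # benign entries from the HijackThis process list, for contrast
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]


def split_name(name):
    """Like ntpath.splitext, but treats a bare '.exe' as an empty stem with an
    .exe extension instead of as a dotfile (ntpath.splitext returns no ext)."""
    stem, ext = ntpath.splitext(name)
    if not ext and stem.startswith("."):
        return "", stem
    return stem, ext


def classify(path, directories):
    """Return the list of indicator tags that apply to one file path.

    `directories` is a set of lower-cased directory paths from the same
    inventory. A non-executable extension yields no tags."""
    low = path.lower()
    parent, name = ntpath.split(low)
    stem, ext = split_name(name)
    if ext not in EXEC_EXTENSIONS:
        return []
    tags = []
    # 1. "folder.exe" lure: executable named like its own folder, like a
    #    sibling folder, or with no name at all (Explorer shows only the icon).
    if stem == "" or stem == ntpath.basename(parent) or ntpath.join(parent, stem) in directories:
        tags.append("folder-lure")
    # 2. Executable in the root of a non-system drive (the flash drive here).
    drive, tail = ntpath.splitdrive(parent)
    if tail == "\\" and drive != SYSTEM_DRIVE:
        tags.append("removable-root-executable")
    # 3. Anything runnable placed in a Startup folder (HijackThis O4 lines).
    if STARTUP_MARKER in low:
        tags.append("startup-persistence")
    # 4. A system binary's name used outside %SystemRoot%.
    if name in SYSTEM_BINARY_NAMES and not low.startswith(WINDOWS_ROOTS):
        tags.append("system-binary-masquerade")
    # 5. Copies preserved in System Restore points: these must be cleaned too,
    #    or they come back when a restore point is applied.
    if RESTORE_MARKER in low:
        tags.append("restore-point-copy")
    return tags


def triage(files, directories):
    """Map each flagged path to its tags; paths with no tags are omitted."""
    dirs = {d.lower() for d in directories}
    result = {}
    for path in files:
        tags = classify(path, dirs)
        if tags:
            result[path] = tags
    return result


if __name__ == "__main__":
    for path, tags in triage(SAMPLE_FILES, SAMPLE_DIRECTORIES).items():
        print(f"{', '.join(tags):45} {path}")
```

Running it flags nine of the thirteen constructed paths. Note the one the worm copy it misses: the .exe inside the `..._files` folder is not named exactly like its parent, so the name heuristic does not catch it. Name-based rules point you at the usual hiding places; the signature scan is still what decides whether a file is malicious.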

Lisandro
Re: Folder.exe - Win32:Trojan-gen. {Other} infection
« Reply #1 on: January 16, 2007, 08:32:04 PM »
I suggest:

1. Run a boot-time scan with avast where you:
    a. try to repair and, if that fails, send the infected .exe files to the Chest.
    b. delete infected cookies and temporary files (like prefetched, etc.).
    c. post here any system file that is infected and, at most, send it to the Chest.

2. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

3. Run avast at boot time again.

4. Use a-squared, Free AVG Antispyware or SUPERantispyware (trojan removers).

FreewheelinFrank
Re: Folder.exe - Win32:Trojan-gen. {Other} infection
« Reply #2 on: January 16, 2007, 09:08:03 PM »
Hi aleks,

This looks like Agobot:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

Try running these removal tools:

http://www.sophos.com/support/disinfection/agobot.html

http://www.f-secure.com/download-purchase/tools.shtml

Direct download link: http://www.f-secure.com/tools/f-agobot.zip

This looks like Rbot:

O4 - Startup: windows.pif

again a tool to try:

http://www.sophos.com/support/disinfection/rbotek.html

This looks like Brontok:

O4 - Global Startup: Empty.pif

Some tools to try:

http://www.sophos.com/support/disinfection/brontok.html

http://www.bitdefender.com/VIRUS-157247-en--Win32.Brontok.A@mm.html




araspopovic

Re: Folder.exe - Win32:Trojan-gen. {Other} infection
« Reply #3 on: January 18, 2007, 11:34:57 AM »
Hi, Tech

The boot-time scan helped remove it; it couldn't repair the files, so I moved them to the Chest. Below are the reports; it seems to me that everything is clear. Am I right? Thanks a lot.

***aswBoot***

01/17/2007 10:52
Scan of all local drives
File C:\Documents and Settings\Administrator\Application Data\explorer.exe is infected by Win32:Trojan-gen. {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe is infected by Win32:Trojan-gen. {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\windows.pif is infected by Win32:Trojan-gen. {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif is infected by Win32:Trojan-gen. {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP44\A0012943.pif is infected by Win32:Trojan-gen. {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP47\A0014039.exe is infected by Win32:Trojan-gen. {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP47\A0014040.exe is infected by Win32:Trojan-gen. {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP47\A0014041.pif is infected by Win32:Trojan-gen. {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP47\A0014042.pif is infected by Win32:Trojan-gen. {Other}, Repair: Error 42060 {The file was not repaired.}, Moved to chest

Number of searched folders: 4276
Number of tested files: 51475
Number of infected files: 9

----------------------------------------
01/17/2007 11:18
Scan of all local drives

Number of searched folders: 4196
Number of tested files: 46583
Number of infected files: 0

***end aswBoot***


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:   11:51:56 AM 1/17/2007

 + Scan result:   

   Nothing found.

::Report end


a-squared Free - Version 2.1

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start:   1/17/2007 12:00:08 PM


Scanned

Files:    153040
Traces:    94195
Cookies:    16
Processes:    28

Found

Files:    0
Traces:    0
Cookies:    0
Processes:    0
Registry keys:    0

Scan end:   1/17/2007 12:29:14 PM
Scan time:   12:29:06 AM

araspopovic

Re: Folder.exe - Win32:Trojan-gen. {Other} infection
« Reply #4 on: January 18, 2007, 11:38:17 AM »
FreewheelinFrank,

none of the tools except http://www.sophos.com/support/disinfection/brontok.html found anything. The Sophos anti-Brontok tool recognized 4 infected files but removed none of them; I don't know why. However, avast did the job. Thanks for your tips!

DavidR
Re: Folder.exe - Win32:Trojan-gen. {Other} infection
« Reply #5 on: January 18, 2007, 04:17:02 PM »
Trojans generally can't be repaired (either by the VRDB or the avast Virus Cleaner), because the entire content of the file is malware, so it is either move to Chest or delete, with move to the Chest being the best option (first do no harm). When a file is in the Chest it can't do any harm, and you can investigate the infected warning.

The VRDB only protects certain files (.exe, .dll and other system files); it doesn't protect data files or all files. It is not a back-up program, so there are going to be many occasions where repair won't be an option.

Only a true virus infection can be repaired: when a virus infects a file it adds a small part to it, and provided that file is one that avast's VRDB would monitor and you have run the VRDB, it may be possible to repair the file to its uninfected state.
However, for the most part, so-called viruses, trojans (adware/spyware/malware, etc.) can't be repaired because the complete content of the file is malicious.
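The distinction drawn in the reply above, a host file with a recoverable clean original versus a file that is malware from first byte to last, can be shown with a small model. This is an added example, not avast's VRDB format or repair routine: it keeps a length-plus-digest record of each clean monitored file (our simplification of what such a database stores) and restores a file only when that clean original is still present intact. The sample bytes are constructed.

```python
"""Why an appending file infector can be repaired but a trojan cannot.

Added example illustrating the reply above. It is not avast's VRDB format
or repair algorithm, only the idea behind it: record each clean monitored
executable ahead of time, and later restore a file only if that recorded
clean original can still be recovered from it.
"""
import hashlib

# Constructed stand-ins: a tiny "clean host program" and two malicious blobs.
CLEAN_HOST = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"clean host program code" * 4
INFECTOR_PAYLOAD = b"[appended viral code]"
TROJAN_BODY = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"entirely malicious program" * 8


def record(content):
    """What a VRDB-style database would keep for one monitored file:
    its clean length and a digest of the clean bytes (our simplification)."""
    return {"length": len(content), "sha256": hashlib.sha256(content).hexdigest()}


def repair(content, rec):
    """Decide between 'clean', 'repaired' and 'quarantine' for one file.

    Returns (verdict, restored_bytes). Restoration succeeds only when the
    recorded clean bytes are still present intact as the file's prefix,
    i.e. the infector appended itself. Anything else (a prepender, a file
    that was never recorded, a dropped trojan) has no clean original to
    return to, so the only safe move is quarantine ("first do no harm")."""
    if rec is None:
        return "quarantine", None      # never monitored: nothing to restore
    if len(content) < rec["length"]:
        return "quarantine", None      # truncated or replaced outright
    head = content[:rec["length"]]
    if hashlib.sha256(head).hexdigest() != rec["sha256"]:
        return "quarantine", None      # clean bytes are gone or shifted
    if len(content) == rec["length"]:
        return "clean", head
    return "repaired", head


def scenarios():
    """Run the cases the reply distinguishes and return their verdicts."""
    rec = record(CLEAN_HOST)           # taken while the host was still clean
    return {
        "untouched host": repair(CLEAN_HOST, rec)[0],
        "appending infector": repair(CLEAN_HOST + INFECTOR_PAYLOAD, rec)[0],
        "prepending infector": repair(INFECTOR_PAYLOAD + CLEAN_HOST, rec)[0],
        "dropped trojan (never recorded)": repair(TROJAN_BODY, None)[0],
        "trojan overwrote a recorded file": repair(TROJAN_BODY, rec)[0],
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:35} -> {verdict}")
```

Two caveats carry over to the real thing. The record has to exist before the infection (that is the "you have run the VRDB" condition in the reply), and a real infector also patches the entry point or headers of its host, so a production repair has to undo more than a trailing append; the toy only covers the pure appender, which is enough to show why a file that was never anything but malware has no state to be repaired to.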