Author Topic: Win32:Trojan-gen {Other}  (Read 19830 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Trojan-gen {Other}
« Reply #15 on: March 19, 2008, 08:31:22 PM »
use the additional options button on the reply page. scroll down a bit if you can't see the browse button.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Trojan-gen {Other}
« Reply #16 on: March 19, 2008, 09:55:17 PM »
See image.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

bodomchild

  • Guest
Re: Win32:Trojan-gen {Other}
« Reply #17 on: March 20, 2008, 08:15:38 PM »
sorry

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Trojan-gen {Other}
« Reply #18 on: March 21, 2008, 08:58:33 AM »
Hi.

According to the combofix log it was run twice. Please post the other one before doing the following steps. It will be at C:\combofix. It will have the earlier time stamp. I need it to see what was removed so far. Thanks.



Open HJT, run a system scan only, check mark these lines if present

O4 - HKCU\..\Run: [meow date] "C:\ProgramData\WindowPlayPlay.43lqtgw"
O4 - HKCU\..\Run: [LESS CITY AMEN SETUP] "C:\ProgramData\IDOL SEEK LOUD.w9q45"


Close all other browsers/windows, click fix, close HJT.




Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
KillAll::

File::
C:\ProgramData\WindowPlayPlay.43lqtgw
C:\ProgramData\IDOL SEEK LOUD.w9q45
C:\delete.bat

Folder::
C:\ProgramData\WindowPlayPlay.43lqtgw
C:\ProgramData\IDOL SEEK LOUD.w9q45

DirLook::
C:\ProgramData\BIASFREEDEFAULT
C:\ProgramData\Tool Eggs Less City


This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

**Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**


« Last Edit: March 25, 2008, 07:32:09 AM by oldman »

bodomchild

  • Guest
Re: Win32:Trojan-gen {Other}
« Reply #19 on: March 25, 2008, 05:38:44 AM »
Before I follow through with the last step I wanted to say that the infected files that were in "C:\ProgramData\BIASFREEDEFAULT" (except for one) were moved to Avast's virus chest or whatever folder is used to store viruses found by avast. Will this make a difference? Also avast found a virus in the "C:\ProgramData\Tool Eggs Less City" folder and it is in the virus chest now as well. Another thing, I see in that text document you had me make that it will make combo-fix perform a direct scan on BIASFREEDEFAULT. Since the Tools Eggs Less City folder obviously has viruses in it as well, do you want to update that text document to tell combo-fix to run a direct scan on that folder too? One last thing, the reason the combo fix log I gave you is from a second scan is because I could not find the text document it created, so I just ran it another time and copied the log. I am uploading the file C:\Combofix.txt; I guess this is the right one, tell me if it's not.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Trojan-gen {Other}
« Reply #20 on: March 25, 2008, 07:30:45 AM »
That's the same log we had before. If you can't find it, you can't find it.  8)

I amended the combofix script to include the other folder. Thanks for reminding me about it, it's not in the log. We are having a look at the contents of those two folders with the current script. Don't be alarmed if your desktop disappears, it will come back.
« Last Edit: March 25, 2008, 07:34:59 AM by oldman »

bodomchild

  • Guest
Re: Win32:Trojan-gen {Other}
« Reply #21 on: March 28, 2008, 11:18:01 PM »
Bad news, I ran Combo-Fix like you said by dragging the CFScript notepad on it. On that little blue box that comes up when it's running it didn't say it was scanning any particular error. When my computer rebooted a combo-fix log didn't come up and combo-fix didn't open. BIASFREEDEFAULT and Tool Eggs Less City still exist in ProgramData and there's another thing that is in there too now that I didn't really notice before, it's ezsid.dat. I don't know if that is anything to worry about either but I was just wondering if you'd maybe heard of it before. Also just wanted to make sure you know that most of the viruses found in BIASFREEDEFAULT and Tool Eggs Less City are in the avast virus chest. Ok that being said here's a new hijackthis log.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: Win32:Trojan-gen {Other}
« Reply #22 on: March 28, 2008, 11:42:48 PM »
Hi bodomchild & "oldman",

Consider this: O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\Windows\PSEXESVC.EXE (file missing)
=======================
PsExec is a lightweight Telnet program that is used by Backdoor Trojans. It
can be installed remotely through an open/unsecure NetBios connection. You can
disable the service and remove the file, but if your machine has been open to a
backdoor, there is no telling what they may have done. The only safe fix is to
wipe the disk and reinstall.

J.A. Coutts
Systems Engineer
MantaNet/TravPro

1. COVERT ANALYSIS OF: PSEXESVC.EXE

    * File Names Used: 3
    * Paths Used: 4
    * Common File Name: PSEXESVC.EXE
    * Common Path: %WINDIR%\SYSTEM32\
    * Vendor Information: Sysinternals
    * Product Information: PsExec Service
    * Version Information: 1.42
    * PSEXESVC.EXE may use 3 or more path and file names, these are the most common:
    * File Name Structure: Normal
    * File and Path Structure: Normal

2. RELATIONSHIP ANALYSIS OF: PSEXESVC.EXE

    * No relationship details available for this object

3. ACTIVITY ANALYSIS OF: PSEXESVC.EXE

    * The following behaviors have been observed for this object:
    * Runs other programs.

4. PROPAGATION ANALYSIS OF: PSEXESVC.EXE

    * Malware Group Propagation Rate: Moderate (spreading)
    * Malware Group: Tool Win32 PsExec 123
    * Copyright Prevx Limited 2005, 2006
Other versions: http://spywarefiles.prevx.com/ssADJI3985/PSEXmore.html

polonus
« Last Edit: March 28, 2008, 11:44:27 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
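The O4 autorun lines oldman asked to fix and the O23 service line polonus pointed at share one log format, so here is a small triage script added for this thread (not a tool from the thread, from HijackThis, or from ComboFix). The regexes describing the HJT line layout, the list of "normal" executable extensions and the two benign sample entries are assumptions; the three suspicious lines are the ones quoted above.

```python
import re

# Assumed layout of HijackThis O4 (autorun) and O23 (service) lines, as quoted in this thread.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>"[^"]+"|\S+)')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?)(?: \((?P<service>[^)]+)\))? - (?P<owner>.+?) - '
                    r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
# Extensions an autorun entry would normally point at (assumption used by the heuristic below).
RUNNABLE_EXTS = {'exe', 'dll', 'bat', 'cmd', 'com', 'scr', 'vbs', 'js'}

def parse_line(line):
    """Return a dict of fields for an O4 or O23 line, or None for any other line."""
    m = O4_RE.match(line)
    if m:
        return {'type': 'O4', **m.groupdict(), 'path': m.group('path').strip('"')}
    m = O23_RE.match(line)
    if m:
        return {'type': 'O23', **m.groupdict(), 'missing': m.group('missing') is not None}
    return None

def reasons(entry):
    """Heuristics drawn from the thread: an autorun living in ProgramData with a
    non-executable extension, and a service whose binary is missing or whose owner
    HJT could not resolve."""
    out = []
    if entry['type'] == 'O4':
        path = entry['path'].lower()
        ext = path.rsplit('.', 1)[-1] if '.' in path else ''
        if path.startswith('c:\\programdata\\') and ext not in RUNNABLE_EXTS:
            out.append('autorun from ProgramData with unusual extension')
    else:
        if entry['missing']:
            out.append('service binary missing')
        if entry['owner'] == 'Unknown owner':
            out.append('unknown owner')
    return out

def triage(log_text):
    """Map the path of every suspicious entry to the list of reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry and (why := reasons(entry)):
            flagged[entry['path']] = why
    return flagged

# Constructed sample: the three lines discussed in the thread plus two benign, made-up entries.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [meow date] "C:\ProgramData\WindowPlayPlay.43lqtgw"
O4 - HKCU\..\Run: [LESS CITY AMEN SETUP] "C:\ProgramData\IDOL SEEK LOUD.w9q45"
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\Windows\PSEXESVC.EXE (file missing)
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
"""

if __name__ == '__main__':
    for path, why in triage(SAMPLE_LOG).items():
        print(path, '->', '; '.join(why))
```

The heuristics only flag entries for a human to look at; whether a flagged service is a leftover admin tool or something worse still needs the kind of judgement polonus applies above.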

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Trojan-gen {Other}
« Reply #23 on: March 29, 2008, 07:00:04 AM »
Ok let's use a different tool. It's possible we can't run the script on vista.

Remember, you will have to right click OTMoveIt2.exe to run it, as administrator.

Please download OTMoveIt2 by OldTimer.


Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.


Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\ProgramData\WindowPlayPlay.43lqtgw
C:\ProgramData\IDOL SEEK LOUD.w9q45
C:\delete.bat
C:\ProgramData\BIASFREEDEFAULT
C:\ProgramData\Tool Eggs Less City



Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.


Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\********_******.log



Then (again it will have to be run with right click, run as administrator)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

bodomchild

  • Guest
Re: Win32:Trojan-gen {Other}
« Reply #24 on: March 31, 2008, 04:01:13 AM »
Quote
Ok let's use a different tool. It's possible we can't run the script on vista.

Remember, you will have to right click OTMoveIt2.exe to run it, as administrator.

Please download OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.


Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\ProgramData\WindowPlayPlay.43lqtgw
C:\ProgramData\IDOL SEEK LOUD.w9q45
C:\delete.bat
C:\ProgramData\BIASFREEDEFAULT
C:\ProgramData\Tool Eggs Less City



Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.


Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\********_******.log



Then (again it will have to be run with right click, run as administrator)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

    * Close all other windows before proceeding.
    * Double-click on dss.exe and follow the prompts.
    * When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

I plan on doing that shortly, but first I gotta ask something. Both my mom's and my email and myspace passwords were stolen sometime this week, and seeing how this is a relatively new computer and there's really not much on it, I think I might take polonus' advice and just go out and buy Windows XP (I don't like vista anyways), wipe, and reinstall windows. I don't like dealing with this stuff and I have no idea how we got infected unless it was through email, cause the only other thing this computer is used for is Warcraft. I guess we'll just have to stop sending/receiving emails too (except for important stuff), and even then if we get infected again it's good to know we have that just in case. Sorry if I'm not making much sense, I'm in a hurry. Anyways I might just do that since this computer isn't used for anything important and there's nothing irreplaceable except for a few photos which we have backed up on a disc. So if you could just tell me what I need to do this and instructions on how to do this that will be great. thanks for all your help.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Trojan-gen {Other}
« Reply #25 on: March 31, 2008, 04:12:13 AM »
If you can find a retail copy of XP, you can just format the hard drive and install XP.

How you got infected is hard to say. It could have been an email, a driveby, even a game site.

If you lost passwords already, I'd suggest you get on a clean machine and change all passwords to any site you log onto on the internet.

bodomchild

  • Guest
Re: Win32:Trojan-gen {Other}
« Reply #26 on: March 31, 2008, 06:14:55 AM »
I'm going to look into getting XP within the next week or so. Where do you think the best place to get it would be? Best Buy? Anyways maybe you can go into a little more detail on how to properly wipe my hard drive then. Anyway I'm almost completely sure that it was an email that caused all of this because my mom likes to email a lot with friends and there's no telling what might have gotten into one along the way... And besides this site, the only sites my mother or I are ever on are myspace and occasionally the official WoW site, and something tells me that's nothing to worry about lol. Anyway I think this is the best way, because like you and many others have said, even if we do get rid of the sources there's no telling what other files may have become corrupt. I'll post back here as soon as I get Windows XP. Edit: Also one more thing, what is a driveby?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Trojan-gen {Other}
« Reply #27 on: March 31, 2008, 06:27:12 AM »
Any big box store should be comparable in price. Some online sites might be worth checking out also. I don't know which ones might be available where you are. Here it's tigerdirect and Ncix that are two popular ones.

A driveby is just malware floating around looking for a place to land. If it finds an opening, in it comes.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Trojan-gen {Other}
« Reply #28 on: March 31, 2008, 06:39:26 AM »
Sorry I missed your other question. The xp disk will give you the option to format.

http://support.microsoft.com/kb/313348

bodomchild

  • Guest
Re: Win32:Trojan-gen {Other}
« Reply #29 on: April 01, 2008, 05:53:59 AM »
I Bought XP today at a local PC shop and formatted my hard drive. Everything is good now, especially considering I payed under 100$. I'm going to be extra cautious about monitoring the activity of my PC. I just have two questions. What do you recommend I use as far as virus protection, or is Avast enough? My other question is how do I completely remove all the viewpoint files from my computer that came with XP? Thanks for all your help oldman.