Author Topic: LNK:Runner! Over and over again!  (Read 28467 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88854
  • No support PMs thanks
Re: LNK:Runner! Over and over again!
« Reply #15 on: July 15, 2011, 09:56:12 PM »
???

Ex, Spammer on forum spam listing, will be history shortly.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dzenan

  • Guest
Re: LNK:Runner! Over and over again!
« Reply #16 on: July 18, 2011, 08:17:42 AM »

dzenan

  • Guest
Re: LNK:Runner! Over and over again!
« Reply #17 on: July 18, 2011, 08:26:56 AM »
If it isn't too late.. But I'll be very happy if it is.. :)

aswMBR version 0.9.7.777 Copyright(c) 2011 AVAST Software
Run date: 2011-07-18 08:09:48
-----------------------------
08:09:48.296    OS Version: Windows 5.1.2600 Service Pack 3
08:09:48.296    Number of processors: 2 586 0x605
08:09:48.296    ComputerName: RUDNIK  UserName:
08:09:48.781    Initialize success
08:09:49.515    AVAST engine defs: 11071702
08:10:00.812    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
08:10:00.812    Disk 0 Vendor: WDC_WD2500KS-00MJB0 02.01C03 Size: 238475MB BusType: 3
08:10:00.828    Disk 0 MBR read successfully
08:10:00.828    Disk 0 MBR scan
08:10:00.828    Disk 0 Windows XP default MBR code
08:10:00.828    Disk 0 scanning sectors +488376000
08:10:00.906    Disk 0 scanning C:\WINDOWS\system32\drivers
08:10:11.234    Service scanning
08:10:12.281    Disk 0 trace - called modules:
08:10:12.296    ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
08:10:12.296    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87307ab8]
08:10:12.296    3 CLASSPNP.SYS[f74effd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x87309b00]
08:10:12.468    AVAST engine scan C:\WINDOWS
08:10:15.203    AVAST engine scan C:\WINDOWS\system32
08:11:11.484    AVAST engine scan C:\WINDOWS\system32\drivers
08:11:18.796    AVAST engine scan C:\Documents and Settings\Administrator
08:14:40.531    AVAST engine scan C:\Documents and Settings\All Users
08:15:06.265    Scan finished successfully
08:15:33.703    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
08:15:33.703    The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
 

dzenan

  • Guest
Re: LNK:Runner! Over and over again!
« Reply #18 on: July 18, 2011, 08:36:43 AM »
Here we go again!
Avast just detected LNK infection..

dzenan

  • Guest
Re: LNK:Runner! Over and over again!
« Reply #19 on: July 18, 2011, 08:48:12 AM »
one for example..

Infection Details
URL:   file://C:\Documents and Settings\All Users\Documents\DIREKTNI SPORAZUM-ROBE.rtf.lnk
Process:   PID 4
Infection:   lnk:Runner

dzenan

  • Guest
Re: LNK:Runner! Over and over again!
« Reply #20 on: July 18, 2011, 09:30:00 AM »
or this one.. with Malwarebytes' scan..


URL:   file://C:\Documents and Settings\All Users\Documents\afjru.tmp
Process:   file://C:\Program Files\Malwarebytes%27 Anti-Malware\mbam.exe
Infection:   win32:Sality-GR
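
The two detection lines above (a document-named `.rtf.lnk` in the shared All Users\Documents folder, and a `.tmp` file in the same folder) are the classic shape of a shortcut lure: the `.lnk` is what the user double-clicks, the `.tmp` is what actually runs. The following is an added triage helper, not code from the thread, Avast or any of the tools mentioned. It parses the fixed header and StringData section of the Windows Shell Link format (skipping the LinkTargetIDList and LinkInfo blocks), reports the relative target and arguments of each `.lnk`, and applies defender-side heuristics: a double extension, a target that is an executable or temp file, and the presence of command-line arguments. The two sample shortcuts at the bottom are constructed fixtures; the lure is only named after the files in the detections, since the real shortcut's contents are not on the page.

```python
import os
import struct

# 76-byte ShellLinkHeader: HeaderSize, LinkCLSID, LinkFlags, FileAttributes,
# three FILETIMEs, FileSize, IconIndex, ShowCommand, HotKey, Reserved1/2/3
HEADER_FMT = "<I16sIIQQQIIIHHII"
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that decide which optional structures follow the header
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

DOC_EXTS = (".rtf", ".doc", ".docx", ".pdf", ".txt", ".jpg")      # lure-style double extensions
SUSPECT_TARGET_EXTS = (".tmp", ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link; IDList and LinkInfo are skipped."""
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr[0] != HEADER_SIZE or hdr[1] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, off = hdr[2], HEADER_SIZE
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: IDListSize + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: self-describing LinkInfoSize
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:                    # CountCharacters + String (no terminator)
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        raw = data[off:off + (2 * count if unicode else count)]
        off += len(raw)
        return raw.decode("utf-16-le" if unicode else "cp1252")

    info = {"flags": flags, "show_command": hdr[9]}
    for flag, key in STRING_FIELDS:              # fixed order defined by the format
        if flags & flag:
            info[key] = read_string()
    return info


def triage(filename: str, info: dict) -> list:
    """Defender-side heuristics for shortcuts found in a shared Documents folder."""
    findings = []
    stem = filename.lower()
    if stem.endswith(".lnk"):
        stem = stem[:-4]
    if stem.endswith(DOC_EXTS):
        findings.append("double extension: named like a document but is a shortcut")
    target = info.get("relative_path", "")
    if target.lower().endswith(SUSPECT_TARGET_EXTS):
        findings.append("target is an executable or temp file: " + target)
    if info.get("arguments"):
        findings.append("shortcut passes command-line arguments: " + info["arguments"])
    return findings


def scan_folder(folder: str) -> dict:
    """Triage every .lnk in a folder, e.g. the All Users\\Documents path from the detections."""
    results = {}
    for name in os.listdir(folder):
        if name.lower().endswith(".lnk"):
            with open(os.path.join(folder, name), "rb") as fh:
                try:
                    results[name] = triage(name, parse_lnk(fh.read()))
                except (ValueError, struct.error):
                    results[name] = ["could not parse as a Shell Link"]
    return results


def build_lnk(relative_path: str, working_dir: str = "", arguments: str = "") -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk with no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    flags |= HAS_WORKING_DIR if working_dir else 0
    flags |= HAS_ARGUMENTS if arguments else 0
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand=1 (SW_SHOWNORMAL)

    def string(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header + string(relative_path)
            + (string(working_dir) if working_dir else b"")
            + (string(arguments) if arguments else b""))


# Constructed samples: the lure is only named after the two files in the detection
# lines above; the real shortcut's contents are not on the page.
LURE_NAME = "DIREKTNI SPORAZUM-ROBE.rtf.lnk"
LURE_LNK = build_lnk(".\\afjru.tmp")
BENIGN_NAME = "Notes.lnk"
BENIGN_LNK = build_lnk("..\\notes.txt", "C:\\Documents and Settings\\user")

if __name__ == "__main__":
    for name, blob in ((LURE_NAME, LURE_LNK), (BENIGN_NAME, BENIGN_LNK)):
        print(name, triage(name, parse_lnk(blob)))
```

Run `scan_folder(r"C:\Documents and Settings\All Users\Documents")` on the machine in question to get a per-file list of findings; a shortcut with a document-style double extension whose target is a `.tmp` in the same folder is exactly what the LNK:Runner detection above was flagging. Because the parser reads only the StringData block, a shortcut that carries its target solely in the IDList or LinkInfo will come back with no `relative_path`; treat that as "inspect by hand", not as clean.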

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: LNK:Runner! Over and over again!
« Reply #21 on: July 18, 2011, 08:47:40 PM »
I see you have thrown everything bar the kitchen sink at this.

Could you attach the latest ComboFix log please, and also, as you have AVP on board, could you run an analysis scan?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> [Reg Error: Key error.]
< File Associations - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>\
YN -> .exe [@ = exefile] -> Reg Error: Key error.
[Files - No Company Name]
NY ->  3029913drv.spi -> C:\WINDOWS\3029913drv.spi
NY ->  mtbjfghn.xbe -> C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Now an analysis scan
Run AVP tool
Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

dzenan

  • Guest
Re: LNK:Runner! Over and over again!
« Reply #22 on: July 19, 2011, 12:28:20 PM »
Thanks essexboy for your help and your time..

All Processes Killed
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ not found.
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\exefile\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\shell\open\exefile\\'' updated successfully.
[Files - No Company Name]
C:\WINDOWS\3029913drv.spi moved successfully.
C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe moved successfully.
[Empty Temp Folders]
 
 
User: Administrator
->Temp folder emptied: 20231995 bytes
->Temporary Internet Files folder emptied: 229966 bytes
->Java cache emptied: 118545 bytes
->FireFox cache emptied: 321924678 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1931171 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes
 
User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes
 
User: LocalService
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 49286 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 329.00 mb
 
 
[EMPTYFLASH]
 
User: Administrator
->Flash cache emptied: 0 bytes
 
User: All Users
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Guest
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: NetworkService
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07192011_081735

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

dzenan

  • Guest
Re: LNK:Runner! Over and over again!
« Reply #23 on: July 19, 2011, 12:53:23 PM »
Can't attach the zip file from the AVP tool.. But I had a full scan with the AVP tool; it detected and deleted 10 infections.. win32.sality..
For now (about one hour), no new notification from avast about LNK infection..
Maybe the job is done.. Or not... We'll see..

dzenan

  • Guest
Re: LNK:Runner! Over and over again!
« Reply #24 on: July 19, 2011, 01:04:42 PM »
..and here we go again!!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88854
  • No support PMs thanks
Re: LNK:Runner! Over and over again!
« Reply #25 on: July 19, 2011, 03:05:00 PM »
For the AVP zip file - You can use a file sharing site such as Mediafire.com - Upload to http://www.mediafire.com/ and post the sharing link.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: LNK:Runner! Over and over again!
« Reply #26 on: July 19, 2011, 08:16:08 PM »
As there are reports of Sality

Programme here

Step 1. Preparation for disinfection:

Download the file Sality_off.rar
Unpack the file Sality_off.rar
Run the file Sality_off.exe with the key -m
To do this select Run from the Start menu.
Select Browse and locate sality_off.exe; click once.
The file will now appear in the Run box.
Using the mouse, double left click in the box and the cursor will then appear after the .exe part. Now press the spacebar and type in -m, then select OK.


Step 2. Signs of a disinfected/clean computer

When restarted, the utility sality_off.exe -m does not detect any signs of infection (the line "infected thread terminated" is missing)
Your anti-virus is running and works in normal mode
A full computer scan does not detect infected objects on the computer

Step 3. Cleaning the registry of infected computers in the domain network:

Download the file Sality_RegKeys.zip (link on the same page)
Unpack the file Sality_RegKeys.zip
Run the file Disable_autorun.reg from the archive Sality_RegKeys.zip
Click Yes to confirm adding the information to the registry

dzenan

  • Guest
Re: LNK:Runner! Over and over again!
« Reply #27 on: July 22, 2011, 09:45:03 AM »
It's done..
One more time, avast detected LNK infection, but after a quick scan with Malwarebytes and a full scan with avast, sality-gr is deleted..
For now, everything is ok.. we'll see..

Thanks again ;)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: LNK:Runner! Over and over again!
« Reply #28 on: July 22, 2011, 07:14:21 PM »
Once you are happy let me know and I will remove my tools

Offline kenneth asuncion

  • Newbie
  • Posts: 1
Re: LNK:Runner! Over and over again!
« Reply #29 on: February 27, 2019, 03:33:44 PM »
Same here, I am experiencing the deletion and the RETURN of LNK:runner.
I am done with the cmd> attrib -h -r -s /s /d diskname\*.*... an autorun appears and I deleted it. After deleting the file it will return after I format it (unable to format).
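
Two posts in this thread turn on autorun: essexboy's Step 3 (running Disable_autorun.reg from Kaspersky's Sality_RegKeys.zip) and the last reply, where an autorun file keeps reappearing on the drive after deletion. Before deleting such a file it is worth knowing what it would have launched, because the launch target is the dropper's copy and its reappearance means that copy is still running somewhere. The following is an added triage helper, not code from the thread, Avast or Kaspersky: a small, tolerant reader for autorun.inf that collects the [autorun] keys Explorer acts on (`open=`, `shellexecute=`, `shell\<verb>\command=`, and a `shell=` default-verb override) and turns them into findings. Both sample files are constructed; the page does not show the contents of the real one.

```python
# Keys in [autorun] that make Explorer run something when the drive is opened
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Minimal INI reader: case-insensitive sections and keys, junk lines ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # a line without '=' carries nothing Explorer acts on
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_commands(sections: dict) -> list:
    """(key, command) pairs from open=, shellexecute= and shell\\<verb>\\command=."""
    auto = sections.get("autorun", {})
    cmds = [(k, auto[k]) for k in LAUNCH_KEYS if k in auto]
    cmds += [(k, v) for k, v in auto.items()
             if k.startswith("shell\\") and k.endswith("\\command")]
    return cmds


def triage_autorun(text: str) -> list:
    """Human-readable findings; an empty list means icon/label-only, nothing to launch."""
    sections = parse_autorun(text)
    auto = sections.get("autorun", {})
    findings = [f"{key}= would launch: {cmd}" for key, cmd in launch_commands(sections)]
    if "shell" in auto:                   # default double-click verb redirected
        findings.append("default verb overridden: shell=" + auto["shell"])
    return findings


# Constructed sample in the shape of a dropper-written autorun.inf (not from the page).
SUSPECT_INF = """[AutoRun]
open=RECYCLER\\sample.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\Command=RECYCLER\\sample.exe
shell\\explore\\Command=RECYCLER\\sample.exe
shell=open
"""

# Constructed benign sample: icon and label only, nothing to launch.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Backup Drive
"""


def triage_file(path: str) -> list:
    """Read an autorun.inf from disk (cp1252 is what Windows XP-era files used) and triage it."""
    with open(path, "r", encoding="cp1252", errors="replace") as fh:
        return triage_autorun(fh.read())


if __name__ == "__main__":
    print("suspect:", triage_autorun(SUSPECT_INF))
    print("benign: ", triage_autorun(BENIGN_INF))
```

`triage_file(r"E:\autorun.inf")` gives the findings for a drive root; any `open=`, `shellexecute=` or `shell\...\command=` entry means the stick (or fixed drive) was set up to execute something on open, and the file named there is what the disinfection steps above need to catch. The registry change in Disable_autorun.reg addresses the other half of the problem, by stopping Explorer from honouring such files at all; the page does not list its exact contents, so this script only reads the .inf and leaves the registry alone.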