
Solved Possible Mebroot bot/torpig infection.

Discussion in 'Malware and Virus Removal Archive' started by Bee, 2011/05/29.

  1. 2011/06/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)....
     
  2. 2011/06/01
    Bee

    Bee Inactive Thread Starter

    Joined:
    2011/05/29
    Messages:
    31
    Likes Received:
    0
    Here are the results of ESET Scan:

    C:\Users\Brian\Downloads\818cd6685689ea75a11007b012750b41534.zip probably a variant of Win32/Agent.DUXZWLA trojan
    C:\Users\Brian\Downloads\Windows 7 Ultimate (32 Bit)\Other Windows 7 Activation Tools\Windows 7 Loader eXtreme Edition 3.5.0.3.exe a variant of Win32/HackKMS.A application
     
    Bee,
    #22


  4. 2011/06/01
    broni

    broni Moderator Malware Analyst

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\Users\Brian\Downloads\818cd6685689ea75a11007b012750b41534.zip 
      C:\Users\Brian\Downloads\Windows 7 Ultimate (32 Bit)\Other Windows 7 Activation Tools\Windows 7 Loader eXtreme Edition 3.5.0.3.exe
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =====================================================

    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
     
  5. 2011/06/02
    Bee

    Bee Inactive Thread Starter

    Sorry, I missed the bit that said "post the resulting log". Unless OTL has saved it somewhere, I think I may have lost them.
     
    Bee,
    #24
  6. 2011/06/02
    broni

    broni Moderator Malware Analyst

    The log should pop up after running the fix.
    Re-run the fix.
     
  7. 2011/06/02
    Bee

    Bee Inactive Thread Starter

    OK, back in a mo.
     
    Bee,
    #26
  8. 2011/06/02
    Bee

    Bee Inactive Thread Starter

    First log:

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File\Folder C:\Users\Brian\Downloads\818cd6685689ea75a11007b012750b41534.zip not found.
    File\Folder C:\Users\Brian\Downloads\Windows 7 Ultimate (32 Bit)\Other Windows 7 Activation Tools\Windows 7 Loader eXtreme Edition 3.5.0.3.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Brian
    ->Temp folder emptied: 1358555 bytes
    ->Temporary Internet Files folder emptied: 33575 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 21839950 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 343 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 11093 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 22.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Brian
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.23.0 log created on 06022011_082713

    Files\Folders moved on Reboot...
    C:\Users\Brian\AppData\Local\Temp\HPV3074.tmp.vdf moved successfully.
    C:\Users\Brian\AppData\Local\Temp\HPV3075.tmp.vdf moved successfully.
    C:\Users\Brian\AppData\Local\Temp\HPV323A.tmp.vdf moved successfully.
    C:\Users\Brian\AppData\Local\Temp\HPV3AF7.tmp.vdf moved successfully.

    Registry entries deleted on Reboot...
     
    Bee,
    #27
  9. 2011/06/02
    Bee

    Bee Inactive Thread Starter

    Second Log:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Brian
    ->Temp folder emptied: 1357867 bytes
    ->Temporary Internet Files folder emptied: 33575 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 16570990 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 343 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 15321 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 17.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Brian
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb



    OTL by OldTimer - Version 3.2.23.0 log created on 06022011_083354

    Files\Folders moved on Reboot...
    File\Folder C:\Users\Brian\AppData\Local\Temp\HPV30A2.tmp.vdf not found!
    File\Folder C:\Users\Brian\AppData\Local\Temp\HPV30A3.tmp.vdf not found!
    File\Folder C:\Users\Brian\AppData\Local\Temp\HPV3288.tmp.vdf not found!
    C:\Users\Brian\AppData\Local\Temp\HPV416C.tmp.vdf moved successfully.

    Registry entries deleted on Reboot...
     
    Bee,
    #28
  10. 2011/06/02
    Bee

    Bee Inactive Thread Starter

    The two logs look like the same thing to me.
    Thanks for all your help on this.
    I have just run MalwareBytes on my media centre and it has detected a trojan in Silverlight.
    Am I safe to simply remove the infected program using the tools in MalwareBytes or do I need more dedicated help? ie. opening another thread.
     
    Bee,
    #29
  11. 2011/06/02
    Bee

    Bee Inactive Thread Starter

    After reinstalling AVG on this laptop (the one we have been cleaning), I ran an initial scan and it found the 2 trojans in the following log :eek:
    What is happening?

    " "; "C:\Users\Brian\Downloads\sys32966.exe:\$JK\runme.exe "; "Trojan horse Generic15.CDNV "; "Moved to Virus Vault "
    " "; "C:\Users\Brian\Downloads\sys32966.exe "; "Trojan horse Generic15.CDNV "; "Moved to Virus Vault "
     
    Bee,
    #30
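The two AVG lines quoted in the post above are in AVG's quoted, semicolon-separated export format (status; path; threat; action), and the first hit sits in an NTFS alternate data stream (the `:\$JK\runme.exe` part) attached to the downloaded file. This added example, which is not from the thread or from AVG, parses such lines, separates the stream from its host file and groups hits by host so a defender can see that both detections trace back to one dropped file; the sample log is constructed from the two lines in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two AVG detection lines from the post, in AVG's
# quoted, semicolon-separated export format (status; path; threat; action).
SAMPLE_AVG_LOG = r'''
" "; "C:\Users\Brian\Downloads\sys32966.exe:\$JK\runme.exe "; "Trojan horse Generic15.CDNV "; "Moved to Virus Vault "
" "; "C:\Users\Brian\Downloads\sys32966.exe "; "Trojan horse Generic15.CDNV "; "Moved to Virus Vault "
'''

FIELD_RE = re.compile(r'"([^"]*)"')
# A second colon after the drive letter marks an NTFS alternate data stream:
# <host file>:<stream name>. Stream contents do not show in a normal dir listing.
ADS_RE = re.compile(r'^([A-Za-z]:\\[^:]*):(.+)$')


@dataclass
class Detection:
    path: str              # path exactly as AVG reported it
    host_file: str         # the on-disk file that carries the data
    stream: Optional[str]  # ADS name, or None for a plain file
    threat: str
    action: str


def parse_avg_line(line: str) -> Optional[Detection]:
    """Parse one exported AVG detection line; return None for non-detection lines."""
    fields = [f.strip() for f in FIELD_RE.findall(line)]
    if len(fields) < 4:
        return None
    _status, path, threat, action = fields[:4]
    m = ADS_RE.match(path)
    if m:
        return Detection(path, m.group(1), m.group(2), threat, action)
    return Detection(path, path, None, threat, action)


def parse_avg_log(text: str) -> List[Detection]:
    return [d for d in (parse_avg_line(ln) for ln in text.splitlines()) if d]


def group_by_host(dets: List[Detection]) -> Dict[str, List[Detection]]:
    """Collapse stream hits onto their host file, so 'two trojans' reads as one dropped file."""
    grouped: Dict[str, List[Detection]] = {}
    for d in dets:
        grouped.setdefault(d.host_file, []).append(d)
    return grouped


if __name__ == "__main__":
    for host, hits in group_by_host(parse_avg_log(SAMPLE_AVG_LOG)).items():
        streams = [h.stream for h in hits if h.stream]
        print(f"{host}: {len(hits)} detection(s), ADS: {streams or 'none'}")
```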
  12. 2011/06/02
    broni

    broni Moderator Malware Analyst

    Possibly some false positive, but I can't comment without seeing a log.

    Since the file is in the "Downloads" folder, someone (Brian?) had to download something suspicious.

    Any other issues?
     
  13. 2011/06/03
    Bee

    Bee Inactive Thread Starter

    No other real issues on this machine, just a very big thanks from me for helping me on this one.

    The only thing that is still troubling me is that the only things I had downloaded to the "Downloads" folder since uninstalling AVG were things relating to the removal of this threat.
    When we started, my Firefox default directory for downloads was "Downloads", but when I realised that you wanted me to put everything on the desktop I changed it to "always ask where to put downloads", and from then on I put everything on my desktop.
    I only uninstalled AVG when the instructions required it and reinstalled it after that instruction was completed (3 times in all). However, I did NOT do an "initial scan" until the final re-install.
    As my computer is set to scan every night, I am fairly certain that AVG would have picked these two up had they been on the machine before we started.
    When you said the computer was clean, I then re-installed AVG.
    It was on its initial scan that it found them.
    Does this indicate that the trojans were put on my machine by one of the cleaning programs we used?

    On another point, I would be interested to know your thoughts on the "LastPass" program, particularly regarding its security and whether, if I had had it installed and managing my passwords, I would have needed to change them post-cleaning. (Or do I need to ask this in another thread on a different forum?)

    Once again thanks for your help on this.
     
    Bee,
    #32
  14. 2011/06/03
    broni

    broni Moderator Malware Analyst

    Not necessarily, as some AVG update could have brought some new malware definitions.
    In any case, I wouldn't lose any sleep over it.

    It's always a good idea to change your passwords once in a while.

    Good luck and stay safe :)
     
