Greed got the best of me when I decided to download a torrent of a free full version of PowerDVD.
The Serial Generator was actually a trojan downloader. I realized my mistake once the background changed to a laughably poor-English warning that I had "TrojanHorses,etc." on my computer, and to use a special program to remove it, ending with a mere "thank". Not "thanks" or "thank you", just "thank".
Of course there was also a red circle with a white X in it in my System Tray, and the accompanying annoying pop-up bubble every 2 minutes.
Symantec consistently warned me of hordes of messages being sent, some of which were blocked due to appearing to be spam.
At this point (albeit much too late) the gears started turning in my head and I figured it would be a pretty good idea to just unplug my Ethernet cable to stop the message sending.
I then remembered my good ol' friend Malwarebytes, and ran it, briefly reconnecting to update it.
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3
3/15/2009 2:55:44 PM
mbam-log-2009-03-15 (14-55-44).txt
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 152644
Time elapsed: 52 minute(s), 27 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\vmya.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
I also ran Spybot S&D, which detected and removed items from Smitfraud-C.
(HKEY_USERS\s-1-5-21-1177238915-1637723038-1801674531-1003\Software\dpcproxy
HKEY_USERS\s-1-5-21-1177238915-1637723038-1801674531-1003\TYPELIB\{daef1007-f409-426a-9e7c-cb211f2a9786}
HKEY_USERS\s-1-5-21-1177238915-1637723038-1801674531-1003\TYPELIB\{D7987436-78BF-4A81-915F-4879287D2234}
HKEY_USERS\s-1-5-21-1177238915-1637723038-1801674531-1003\SYSTEM\CurrentControlSet\Services\rdriv
HKEY_USERS\s-1-5-21-1177238915-1637723038-1801674531-1003\SYSTEM\ControlSet001\Services\Installer
HKEY_USERS\s-1-5-21-1177238915-1637723038-1801674531-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons)
and Fraud.XPAntivirus
(HKEY_USERS\s-1-5-21-1177238915-1637723038-1801674531-500\Software\Microsoft\WinID
HKEY_USERS\s-1-5-21-1177238915-1637723038-1801674531-1004\Software\Microsoft\WinID)
and Win32.Winlagons.co
(C:\WINDOWS\system32\uniq.tll)
Still encountering problems afterward, I again ran Malwarebytes.
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3
3/15/2009 5:32:49 PM
mbam-log-2009-03-15 (17-32-49).txt
Scan type: Full Scan (C:\|)
Objects scanned: 147980
Time elapsed: 48 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{CB8025CC-6658-4101-A71E-2697569ED347}\RP349\A0090522.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
and ran it again.
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3
3/15/2009 7:19:53 PM
mbam-log-2009-03-15 (19-19-53).txt
Scan type: Full Scan (C:\|)
Objects scanned: 147943
Time elapsed: 48 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
and ran it again this morning.
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3
3/18/2009 9:09:38 AM
mbam-log-2009-03-18 (09-09-38).txt
Scan type: Full Scan (C:\|)
Objects scanned: 152007
Time elapsed: 49 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
It keeps coming back.
I ran NOD32 and it did not find anything unusual.
svchost.exe is hogging my CPU usage at around 50%, specifically RPCRT4.dll being the culprit.
I cannot connect to mIRC, or MapleStory, or use Windows Update.
My Google searches are plastered with results from FindStuff.com, break.com, nexplore.com, etc.
--------------------------
SUPERAntiSpyware Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/18/2009 at 05:01 PM
Application Version : 4.25.1014
Core Rules Database Version : 3803
Trace Rules Database Version: 1758
Scan type : Complete Scan
Total Scan Time : 00:56:06
Memory items scanned : 608
Memory threats detected : 0
Registry items scanned : 8124
Registry threats detected : 3
File items scanned : 23142
File threats detected : 107
Rootkit.Mailer/Gen
HKLM\system\controlset001\services\4404a404
C:\WINDOWS\SYSTEM32\DRIVERS\4404A404.SYS
HKLM\system\controlset002\services\4404a404
[snipped tracking cookies out]
Trojan.DNSChanger-Codec
HKU\s-1-5-21-1177238915-1637723038-1801674531-1004\Software\uninstall
Trojan.Agent/Gen-MSFake
C:\DOCUMENTS AND SETTINGS\JAMES\LOCAL SETTINGS\TEMP\1.EXE
Trojan.Unclassified/FRMWRK32-I
C:\ECYAY.EXE
----------------------------------------------------------------------------------------------------
Panda ActiveScan found the following.
Malware:
c:\documents and settings\james\local settings\temp\9.exe
C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\hn8ngggo.default\cookies.txt[.com.com/]
C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\nfiecajj.default\cookies.txt[.com.com/]
C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\hn8ngggo.default\cookies.txt[.go.com/]
C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\hn8ngggo.default\cookies.txt[.go.com/]
C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\hn8ngggo.default\cookies.txt[.go.com/]
C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\hn8ngggo.default\cookies.txt[.go.com/]
C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\hn8ngggo.default\cookies.txt[.go.com/]
C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\hn8ngggo.default\cookies.txt[searchportal.information.com/]
C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\nfiecajj.default\cookies.txt[searchportal.information.com/]
C:\Documents and Settings\Joe\Cookies\joe@target[2].txt
C:\Downloads\Kingston\PCInfo\batexe\mzcv.exe
C:\Downloads\Kingston\batexe\mzcv.exe
C:\Documents and Settings\Joe\Cookies\joe@pc-cleaner[2].txt
C:\ivfgftk.exe
C:\System Volume Information\_restore{CB8025CC-6658-4101-A71E-2697569ED347}\RP356\A0098011.exe
Suspects:
C:\Documents and Settings\James\Local Settings\Temp\byqfadnymc.tmp
C:\Documents and Settings\James\Local Settings\Temp\yrtfnmexta.tmp
C:\Downloads\Kingston\batexe\OpenedFilesView.exe
C:\Downloads\Kingston\PCInfo\batexe\OpenedFilesView.exe
C:\System Volume Information\_restore{CB8025CC-6658-4101-A71E-2697569ED347}\RP353\A0097853.exe[xchat.exe]
C:\System Volume Information\_restore{CB8025CC-6658-4101-A71E-2697569ED347}\RP353\A0097864.exe[C:\System Volume Information\_restore{CB8025CC-6658-4101-A71E-2697569ED347}\RP353\A0097864.exe][test.exe]
C:\System Volume Information\_restore{CB8025CC-6658-4101-A71E-2697569ED347}\RP353\A0097865.exe[C:\System Volume Information\_restore{CB8025CC-6658-4101-A71E-2697569ED347}\RP353\A0097865.exe][test.exe]
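An added example, not part of the original post: a small Python script that parses logs in the Malwarebytes' Anti-Malware 1.x format quoted above and reports which detections reappear from one scan to the next. A registry item that is "quarantined and deleted successfully" in every scan and is back by the next one is being rewritten by something the scanner is not removing, so the recurring set is the list worth investigating first. The three sample logs are constructed to mirror the format above and are not real scan output; the Userinit helper assumes the stock Windows XP value `C:\WINDOWS\system32\userinit.exe,` (with its trailing comma), and the extra entry passed to it in the usage is hypothetical.

```python
"""Find detections that recur across Malwarebytes' Anti-Malware 1.x logs.

Added example; the log snippets below are constructed to mirror the
mbam-log-*.txt format and are not copied from a real scan.
"""
import re

# One detection line: "<path or registry key> (<Detection.Name>) -> <rest>".
# The "-> Data: ..." and "-> Bad: (1) Good: (0)" forms add more "->"
# segments before the action; the lazy match stops at the first ") -> ".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> ")
# A section header is "<Words> Infected:" with nothing after the colon, so
# the summary lines at the top of a log ("Files Infected: 7") do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


def parse_mbam_log(text):
    """Return {section: [(item, detection_name), ...]} for one log."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("section")
            sections.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        hit = DETECTION_RE.match(line)
        if hit:
            sections[current].append((hit.group("item"), hit.group("name")))
    return sections


def recurring_detections(logs):
    """Map (section, item, name) -> list of scan indexes, keeping only the
    entries seen in two or more of the logs (logs are given in scan order)."""
    seen = {}
    for idx, text in enumerate(logs):
        for section, hits in parse_mbam_log(text).items():
            for item, name in hits:
                scans = seen.setdefault((section, item, name), [])
                if idx not in scans:  # same item listed twice in one log
                    scans.append(idx)
    return {key: scans for key, scans in seen.items() if len(scans) > 1}


# Stock Windows XP Winlogon\Userinit is "C:\WINDOWS\system32\userinit.exe,"
# (trailing comma). Any entry appended after it is launched at every logon.
USERINIT_DEFAULTS = {r"c:\windows\system32\userinit.exe",
                     r"system32\userinit.exe", "userinit.exe"}


def userinit_extra_entries(value):
    """Return the comma-separated entries of a Userinit value that are not
    the stock userinit.exe (case-insensitive; the empty entry produced by
    the trailing comma is ignored)."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.lower() not in USERINIT_DEFAULTS:
            extras.append(entry)
    return extras


# Constructed sample logs: three scans of the same machine, in order.
SCAN_1 = r"""Malwarebytes' Anti-Malware 1.34
Memory Processes Infected: 1
Registry Data Items Infected: 2
Files Infected: 1
Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""
SCAN_2 = r"""Malwarebytes' Anti-Malware 1.34
Memory Processes Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\James\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
"""
SCAN_3 = r"""Malwarebytes' Anti-Malware 1.34
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    for (section, item, name), scans in recurring_detections([SCAN_1, SCAN_2, SCAN_3]).items():
        print(f"{name} in {section}: {item}\n  seen in scans {scans}")
    # Hypothetical hijacked value, for illustration only.
    print(userinit_extra_entries(r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\example.exe"))
```

Run against the real mbam-log files in order (read each one and pass the list to `recurring_detections`) the script prints only the entries that survived every cleanup; a Userinit data item that keeps coming back is the kind of result it is meant to surface.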