
Topic: halp! - infected with trojan


another.anonymous.sucker

    Topic Starter


    Greenhorn

    halp! - infected with trojan
    « on: February 21, 2009, 03:28:48 AM »
    i have followed the helpful step-by-step procedure given on this site, and all logs are attached. i won't bore you with excessive details, but basically:

    1. was downloading .rar files (but did not unrar any of them)
    2. bam! ...trojan.
    apart from the fact that avg flashed up "you have been infected", the virus kept trying to do things in command prompt and also hijacked firefox.
    3. everything froze up so i cut the power
    4. restarted in safe mode and ran avg
    5. restarted in normal mode and followed all instructions on your thread [http://www.computerhope.com/forum/index.php/topic,46313.0.html]

    it says it's removed the infected files, but i thought it best to check and be certain, so i'd really appreciate any help you can offer.
    [update: having run all the scans and removals suggested in your thread, i ran another avg scan and located the virus again (it's a trojan horse generic12.bsux, found in C:\system volume information) so i deleted that too. not sure if it's just regenerating itself or if it really is gone.]

    also, i'd appreciate knowing for future reference: would it have been the unopened .rar files that were infected, or would the website have directly attacked my PC?

    thanks very much in advance for your time and support.

    [attachment deleted by admin]
    « Last Edit: July 22, 2009, 03:17:54 AM by another.anonymous.sucker »

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: halp! - infected with trojan
    « Reply #1 on: March 12, 2009, 06:01:25 PM »
    Quote
    also, i'd appreciate knowing for future reference: would it have been the unopened .rar files that were infected, or would the website have directly attacked my PC?

    Mess with file sharing sites and it's a coin flip what infection you might get. None are completely safe because the uploads are not monitored.

    You should update to the new AVG 8.0 when we finish with the clean up.

    Open HijackThis and select Do a system scan only.

    Place a check mark next to the following entries: (if there)

    • O2 - BHO: (no name) - {6A0D0F3E-5989-4488-9F89-F763F33BBF2E} - C:\WINDOWS\system32\urqPhhIc.dll (file missing)
    • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    • O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    Important: Close all windows except for HijackThis and then click Fix checked.

    Exit HijackThis.

    ----------

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix


    another.anonymous.sucker

      Re: halp! - infected with trojan
      « Reply #2 on: July 22, 2009, 03:16:47 AM »
      thank you very much. here's my combofix log.

      [attachment deleted by admin]

      evilfantasy

      Re: halp! - infected with trojan
      « Reply #3 on: July 23, 2009, 04:12:33 PM »
      Quote from: last reply
      March 12, 2009

      4 months?

      Looking at the log now...

      evilfantasy

      Re: halp! - infected with trojan
      « Reply #4 on: July 23, 2009, 04:18:27 PM »
      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      File::
      c:\windows\system32\lodsock32.dll

      Registry::
      [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{544735C9-AE13-4721-9DE7-D529BE675038}]

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
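      The HijackThis entries in Reply #1 and the CFScript in this reply both name specific registry keys and a DLL. The PowerShell below is an added, read-only audit (not part of the thread and not a ComboFix or HijackThis feature) that checks whether each of those items is still present after the cleanup, so the result can be compared against the next scan log before deciding anything is "regenerating". The CLSIDs, the Run value name, the Active Setup component and the DLL path are the ones quoted in the thread; every other name in the script is the example's own. It deletes nothing.

```powershell
# Added example: read-only check of the items targeted in Reply #1 (HijackThis
# O2/O4 entries) and Reply #4 (CFScript File:: and Registry:: lines).
# Identifiers below are copied from the thread; everything else is assumed.

$bhoClsids = @(
    '{6A0D0F3E-5989-4488-9F89-F763F33BBF2E}',   # O2 BHO that pointed to urqPhhIc.dll
    '{7E853D72-626A-48EC-A868-BA8D5E23E045}'    # O2 BHO with no file
)
$activeSetupClsid = '{544735C9-AE13-4721-9DE7-D529BE675038}'   # CFScript Registry:: line
$runValueName     = 'Alcmtr'                                    # O4 HKLM\..\Run entry
$fileToCheck      = 'C:\Windows\System32\lodsock32.dll'         # CFScript File:: line

$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$asRoot  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

function Get-ClsidServerPath {
    # Resolve a COM CLSID to the DLL registered under its InprocServer32 key.
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        return (Get-ItemProperty -LiteralPath $key).'(default)'
    }
    return $null
}

$report = @()

# 1. Browser Helper Objects: is the CLSID still registered, and does its DLL exist?
foreach ($clsid in $bhoClsids) {
    $dll = Get-ClsidServerPath -Clsid $clsid
    if ($dll) {
        $detail = "InprocServer32=$dll (file exists: $(Test-Path -LiteralPath $dll))"
    } else {
        $detail = 'no InprocServer32 path registered'
    }
    $report += [pscustomobject]@{
        Item    = "BHO $clsid"
        Present = (Test-Path -LiteralPath (Join-Path $bhoRoot $clsid))
        Detail  = $detail
    }
}

# 2. HKLM Run value: a value of this name means the autostart is still there.
$runProps   = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
$runPresent = ($null -ne $runProps) -and ($null -ne $runProps.PSObject.Properties[$runValueName])
$runDetail  = if ($runPresent) { $runProps.$runValueName } else { 'value absent' }
$report += [pscustomobject]@{ Item = "Run\$runValueName"; Present = $runPresent; Detail = $runDetail }

# 3. Active Setup component: the StubPath is what runs at logon if the key exists.
$asKey     = Join-Path $asRoot $activeSetupClsid
$asPresent = Test-Path -LiteralPath $asKey
$asDetail  = if ($asPresent) { (Get-ItemProperty -LiteralPath $asKey).StubPath } else { 'key absent' }
$report += [pscustomobject]@{ Item = "ActiveSetup $activeSetupClsid"; Present = $asPresent; Detail = $asDetail }

# 4. The DLL named in the CFScript File:: section.
$report += [pscustomobject]@{
    Item    = $fileToCheck
    Present = (Test-Path -LiteralPath $fileToCheck)
    Detail  = 'file named in CFScript File:: section'
}

# Present = True means the item survived cleanup and belongs in the next reply.
$report | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM hives are readable; a row with Present = False for every item is what a successful ComboFix pass should leave behind, while any True row is worth pasting into the next reply alongside the log.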

      another.anonymous.sucker

        Topic Starter


        Greenhorn

        Re: halp! - infected with trojan
        « Reply #5 on: July 26, 2009, 02:45:03 AM »
        Quote
        4 months?
        long story. but i appreciate the help.

        here's the new log...

        [attachment deleted by admin]

        Quantos



          Guru
        • Veni, Vidi, Vici
        • Thanked: 170
          • Yes
          • Yes
        • Computer: Specs
        • Experience: Guru
        • OS: Linux variant
        Re: halp! - infected with trojan
        « Reply #6 on: July 26, 2009, 02:51:44 AM »
        Long story short, in the future don't download pirates.

        If you need a utility, get a known good one and if you need it bad enough buy it.

        <edit>  Sorry, please don't take that the wrong way, but that's an excellent reason to buy software rather than downloading it.  </edit>
        Evil is an exact science.

        another.anonymous.sucker

          Topic Starter


          Greenhorn

          Re: halp! - infected with trojan
          « Reply #7 on: July 26, 2009, 03:35:21 AM »
          thanks, but i wasn't pirating software.

          however, i appreciate your point of view, and i agree that it's best to stay legal and stay clean, though it's worth remembering that even if you never engage in (intentional) illegal activity on the internet you still run the risk of getting a virus if you're even a little bit careless. equally, a lot of "legal" software is sold at ridiculously high prices that some people cannot afford, so it's understandable if they resort to using other means.

          Quantos

          Re: halp! - infected with trojan
          « Reply #8 on: July 26, 2009, 03:40:49 AM »
          I really don't mean this as an attack on you, or anyone else, but there is NEVER an acceptable reason for piracy.

          On a side note, if you never unrared the file, it is unlikely that it affected you.  Evilfantasy knows a lot more about this than I do though.  It is possible that the site itself was what affected you. 

          I really want to encourage you to use a really good anti-virus tool and anti-malware tool in the future.
          Scan absolutely everything before you even think about opening it, even attachments from family.
          Evil is an exact science.

          another.anonymous.sucker

            Topic Starter


            Greenhorn

            Re: halp! - infected with trojan
            « Reply #9 on: July 26, 2009, 03:53:20 AM »
            thank you, i didn't take it as a personal attack.

            i have some strong opinions on "piracy" versus "file sharing" and the attitudes of major corporations and indeed law-makers across the western world - however, i feel this isn't the place to start that debate  :)

            i have been running the latest version of AVG (and was doing so at the time of the attack). i am generally cautious, but in this instance i was particularly careless and now i look like a bit of an idiot. thanks again for your advice.

            Quantos

            Re: halp! - infected with trojan
            « Reply #10 on: July 26, 2009, 04:04:50 AM »
            What are you running as an anti-malware?
            Evil is an exact science.

            another.anonymous.sucker

              Topic Starter


              Greenhorn

              Re: halp! - infected with trojan
              « Reply #11 on: July 26, 2009, 04:06:38 AM »
              there were a few programs suggested elsewhere on this forum -
              do you have anything to recommend?

              Quantos

              Re: halp! - infected with trojan
              « Reply #12 on: July 26, 2009, 04:09:43 AM »
              I personally use Malwarebytes.  Everybody seems to have their own favorite, Evilfantasy would be the best one for advice on this though.
              Evil is an exact science.

              evilfantasy

              Re: halp! - infected with trojan
              « Reply #13 on: July 26, 2009, 09:06:30 AM »
              Start Malwarebytes and go to the More Tools tab.  There you'll find a button named Run Tool to run FileASSASSIN.

              Then browse to this file: c:\windows\system32\locsock32.dll

              Select that file and click OK, then Yes to remove it.

              ----------

              * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
              * Now type Combofix /u in the runbox
              * Make sure there's a space between Combofix and /u
              * Then hit Enter

              * The above procedure will:
              * Delete the following:
              * ComboFix and its associated files and folders.
              * Reset the clock settings.
              * Hide file extensions, if required.
              * Hide System/Hidden files, if required.
              * Set a new, clean Restore Point.

              ----------

              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

              ----------

              Use the ESET Online Antivirus Scanner

              This scanner requires Internet Explorer

              1. Check the box next to YES, I accept the Terms of Use.
              2. Click Start
              3. When asked, allow the ActiveX control to install
              4. Click Start
              5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
              6. Click Scan
              7. Wait for the scan to finish
              8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
              9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.