An unknown trojan is/was in here... am I safe now?

[Trojaned]

Hi all!, and thanks for the help.

Twice already, I found some yt8a.exe as a hidden file in my C root directory.

Then, a pendrive seems to have something hidden in some autorun.inf file.
(I guess I might have caught the threat from some other PC, I pluged it to)

So, I kept the pendrive away (will have to deal with it later) and I run the full set of pre-post steps in the guidelines, only to confirm that there were still some menaces hidden (described as an unknown trojan in the attached logs), hopefully gone now (or not?).

Other than that, the only extrange thing that I noted is that sometimes, when double-clicking on the c-drive -or pendrive- icons, windows XP will prompt for extension file association type (as if I was trying to open some unknown-to-windows ".xyz" extension file) ... This symptom just happen again, after following the guidelined process!

By the way, if gone from c: and the PC, then how do I now clean the pendrive & avoid re-infecting c: again?

Thanks for the help!

Thanks again!


[Saving space - attachment deleted by admin]

[CBMatt]

Well, for your pendrive, you should try running Flash Disinfector...
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

Now, as for your computer...that's quite an infection you managed to pick up!  But thankfully, the scans appear to have cleaned out almost everything.  In fact, your HijackThis log actually looks pretty clean now.  But just to be on the safe side, go ahead and follow these instructions...

Download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.

[Trojaned]

I run the ComboFix and here is the log attached.

Thanks again!

[Saving space - attachment deleted by admin]

[CBMatt]

Well, not every reference of the infection was removed, but at least the autoruns are gone.  Let's try a couple more steps to see if we can get rid of this for good.

Highlight and copy everything in the code box below...

Code: [Select]

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43afb942-84ad-11dd-8fd7-dd0d2c065da3}]
Paste this text into a Notepad file and go to File > Save As.  In the Save As Type section, select "All files" and then save the file as remove.reg.  Run the file and allow it be merged with your registry.

Then go ahead and look for that yt8a.exe file again.  Does it still exist?  If so, tell me exactly where it is (such as C:\Windows or C:\Windows\system32).

[Trojaned]

Cool... by now I feel like in that "war games" movie, trying to avoid world war 3 by disabling that funky virus from pentagon's automatic misile-launching systems.

I looked for that yt8a.exe and no trace. I went one step further and re-run the combo-fix (hopefully I didn´t mess-up), and it didn´t mention the yt8 either (log attached).

ok... I´m keeping my fingers crossed to see your confirmation on the full-clean-status.


One thousand new thanks for all the help!

[Saving space - attachment deleted by admin]

[CBMatt]

Never saw it, but I'm glad you're having fun with this.  Heh.

As long as that file is gone, you should be clean.  However, I just re-read your first post and realized that I should've had you look in the C:\ folder as well.  Sorry.  Go ahead and do that.  In fact, you should search the entire C drive with the Windows search function from the Start menu.

Also...since you don't need it anymore, go ahead and uninstall ComboFix.  Go to Start > Run and type in combofix /u (note the space) and click OK.

[Trojaned]

Here are some links to that movie... way innocent for today standards
http://en.wikipedia.org/wiki/WarGames
http://www.imdb.com/title/tt0086567/
http://www.youtube.com/watch?v=tAcEzhQ7oqA

OK, checked all c: and yt8a didn´t show up at all.

I also run the pendrive cleaner... so I then checked yt8a there too, and nothing.

I guess I can finally breath now!!!... right?

You guys are great help to the whole community. I thank you again and I extend my thankiness to all envolved who read this post.

[CBMatt]

Great, everything should be clean now.  There are just a couple of quick things you need to do now.  First, you need a decent firewall.  You're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo.  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

You should also clear out your restore points.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

1.  Go to Start > Programs > Accessories > System Tools > System Restore
2.  Click on System Restore Settings.
3.  Check Turn off System Restore and click OK.
4.  Restart your computer.
5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6.  Create a new restore point and close the program.

System Restore will now be active again.  If you would like to learn more about System Restore, go here.



Safe surfing!  And I'll be sure to check out that movie when I have some free time this week.