The following file “D2NT Manager.exe” contained in the zip/d2nt/ archive or folder bypasses all scans from Avast. But after opening the exe, avast was unable to stop everything.
After opening in Windows 7 64 Ultimate (double clicked with UAC OFF), Avast prompted and said it stopped vbs or something like that. My theme changed to classic (or something like it). I pulled my ethernet. I tried scanning the exe, and Avast said something like it was too busy to scan.
So I scheduled a boot time scan of the C drive, but it wouldn't let me reboot. So I force rebooted after ctrl alt del failed with a black screen. Booted into safe mode, restarted, boot scan started, it found the following:
…Users\Owner\AppData\Roaming\trz9DE7.tmp / High / Threat: Win32:rebhip-B trj DELETE Action successful
…users\Onwer\AppData\Local\Temp\trzA74A.tmp / High / Threat: MSIL:Tiny-C trj DELETE Action Successful
SnapShot:
http://i55.tinypic.com/2jc7q0i.png
Everything seems to be fine now, I haven't noticed any weird processes and have no reason to believe it's still there. I ran CCleaner and checked the registry.
Below are the links to the YouTube video, and then the actual link to the zip folder that contains the trj from mediafire.
http://www.youtube.com/watch?v=Q8vm2ht31Mw&playnext=1&list=PL17B3B9014726BE36
http://www.mediafire.com/?mbk0d8ea04kaphc
He has more videos with more files that come up clean and do naughty things, please let me know if I should be worried!
Specs:
Running Windows 7 Ult 64 bit (UAC off and firewall restricted)
SP1 (up to date)
iMac Intel bootcamp 64
UPDATE: I have taken the following steps:
Avast boottime scan - 2 infected temp files deleted
CCleaner - Temp / Registry - clean
MalwareBytes - Full / Quick - clean
Should I have any reason to believe I am still infected?
Why was Avast unable to detect the dropper (exe) compared to Nod32 / Malwarebytes, AND YET still able to detect and delete the trojans dropped by that exe?
Do you guys think this kid “inJJWeTrust” was capable of pkging at this lvl?
BTW, here's his real name: Kyle Sanger - first on Facebook, “admin” of the InJJWeTrust Facebook - pwnd