Bad trojan/malware/virus - req for recognition...

Hello,
I’m posting this here as I see you guys have some common sense about the virus/trojan stuff, more than ppl from other forums…
Personally I’m using Eset nod32 now, but as I got infected by something I will describe later, I’m switching to a better one, hopefully Avast…

The THING that infected me… The first thing I noticed was the process names… which were CHANGED to e.g. “sttray .exe” from “sttray.exe”… a SPACEBAR was added to the process name… one spacebar or more… I didn’t recognize any rule in this… what was done in the directory was: the original file with the changed name (spacebar added), a file with a size of exactly 30 208 bytes with the original name but WITHOUT the spacebar added, and a file with the SAME SIZE of 30208 bytes, with a name like this: e.g. sttray.exe80 - in place of the number “80” there could have been any other number… but as I saw more processes “infected”, the number was growing…
However the VERY FIRST thing I noticed was an error message from VISTA saying: “c .exe” crashed etc…
After this, for a few days, new processes were being infected, mainly those which I used the most… my internet messenger, in that case TLEN.pl, was infected, the sttray.exe which I mentioned before, some windows processes etc…
What I did was download a shitload of antitrojan software, which found NOTHING… nod32 found nothing…
The first was COMBOFIX which deleted some files and registry entries… but the virus/trojan was still working…
I admit I didn’t take screenshots with the file names… but how did I PROBABLY get rid of the virus…?
As you saw before, I knew the exact size of the copies the virus made… so I looked for every f*** file with this size, and checked if it had an original file with the spacebar in the name… I deleted every copy with the original name, every copy with *.exe80 etc. names… and during this search… I found files, which were some wdm…exe files… which had the SIZE of 30208 bytes, but NO COPY etc…
What was VERY interesting was the “owner” of the file, which was TRUSTEDINSTALLER. The owner had full rights, so I couldn’t delete them… I changed the owner to Administrator, gave the Admin full rights, removed the owner TRUSTEDINSTALLER, and finally deleted the files… all the searching and deleting was done in SAFE MODE… what was significant, in safe_mode there were NO processes loaded with the system startup which had the name enlarged by the spacebar… so I felt kinda safe :slight_smile:
After this, I searched all the drives I’ve got and there were no other 30208 bytes exe files… restarting in normal mode, doing the combofix search didn’t find anything…

Sorry for my english, but I hope someone who got a similar infection will be able to deal with it, maybe…

I hope also any of you guys can recognize the trojan/virus, whatever it is…

If you have any questions, ask… If you hate my english, I’m really sorry :stuck_out_tongue: I just had to write about this SHIT somewhere, cuz it really made me mad, I got some infection while I’m writing my thesis on this laptop and don’t have any other PC nearby :stuck_out_tongue:

Cheers!

Hi Marcin,

This is a likely candidate, according to the file size: http://www.virustotal.com/analisis/05ccc0ce344e2e5707bb5a4c7b2e930f
See if this is on your machine:
Trojan.Crypt.FKM.Gen (v) has been detected in these files:
If you have the following files on your system with the corresponding MD5s, you are most likely infected. You can remove Trojan.Crypt.FKM.Gen (v) by deleting the files.

Read about this here: http://www.trustedsource.org/malware-virus-description/217665/Trojan-Crypt-FKM-Gen
Side effects

* Blocks access to certain websites
* Blocks access to security websites
* Registry modification
* The host file is modified

Filename             MD5
auubsysguard.exe     5e18184589741d51a1e5913c1a3cc1b1
cqehsysguard.exe     d81bb71762ed1b693b08d3fc128d7797
daeasysguard.exe     a156aee217af78b50a2cf0fa754133e4
enlusysguard.exe     e529223795df8973130525d7e3c5e776
gdhdsysguard.exe     6af488699f6d08561fb1ef1e19cf96df
hcnjsysguard.exe     22e553f0103f0a430a31168d8c4aab01
iehelper.dll         200808d2913c7faed6f384cf7081c155
                     356ff9962e5d25a1ae557fef00cfb5f2
                     94923b5554336c7f01399abcbbb9082d
                     a849aaa74ae4781658c9ca8a623faa96
                     b236c5dfeccc5d4be0f491e73ef07d65
                     b327f45508adeec0da8bda4c9db9ebe4
                     d143d66331f94087d80cabcd33903907
ilifsysguard.exe     a7675007a175e52efe11cbe4568b7a18
kcsjsysguard.exe     ae88a5c4ce06e25c878e252797bec441
kpodsysguard.exe     00ed44d68c2a797628f93184afa93b60
kvqlsysguard.exe     1fa07268b966d0e0f03daecac8a70f5f
lfmisysguard.exe     0eaab7db914e7f7818d68bbcfa0424a0
lfrosysguard.exe     4b7da9ff2de07b022794535d385b3321
lnhcsysguard.exe     7e1fa4ad5ce6020157b2c21b71e5e0de
lsevsysguard.exe     56ea42e973224b874c6c5e5e941a9a7c
ocqpsysguard.exe     2c2756233408777987a9580e6c9c1aa4
rgkfsysguard.exe     5e5fc94128b56c85f8b962433e209f7d
srbesysguard.exe     36fa1842f67a08ff4c2393ec83804631
sysguard.exe         1faab5c087879db25ac2738b2b74498f
                     4f5cfa984d2556d6dfc99c48bddc518e
                     5c79e0991b6f495aece25869c4b9e55a
                     7990f307966df462dd8a6a38f084c9c7
                     b537bc1ac461001d2fa893674ded5b68
                     cf8f6063daa0f60f8e5d6ffadca55f38
                     f750f8e32eed86d126832c4b3b9cd606
txlrsysguard.exe     6db96b36428923981e794c354327b4b3
uitysysguard.exe     01e9d985c0c09fdfa377a1070863e902
vhwusysguard.exe     cffd4b16feb8dde64db6e7d3b3eb86c6
wurnsysguard.exe     1098087411f790d49965e339905420cd
wwbksysguard.exe     24653b56036b2272d862b429b7a9ed9d
xmhxsysguard.exe     5db3532e37d4af751fd70bf98991384a
xoibsysguard.exe     4b27208b77b169844d42418e95c1877f
xojxsysguard.exe     a2118b5f3833dd72cf7a6337637578eb
xryrsysguard.exe     f4803d6b467fed34daa50a5694d7403f
yxthsysguard.exe     c3eef08048baea2a18fb571832a606e0

regards,

polonus
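Picking up both the naming and size pattern Marcin described in the first post (the renamed original with a space before “.exe”, the 30208-byte implant under the original name, the numbered “sttray.exe80” spare copies) and the MD5 list quoted in this reply, here is a read-only scanner written for this thread as an added example; it is not code from the forum, from Avast or from either poster. It assumes nothing beyond a directory tree to walk. The sample files it builds, the `SigmaTel` folder name and the `dropper_sample.exe` file are constructed for the demo, and only three of the thread’s hashes are embedded to keep the listing short.

```python
"""Added example: a read-only scanner for the infection pattern described in this thread.

It walks a directory tree and reports files matching the poster's observations
(renamed original with space(s) before ".exe", an implant of exactly 30208 bytes
carrying the original name, numbered spare copies such as "sttray.exe80") and
files whose MD5 is on the Trojan.Crypt.FKM.Gen (v) list quoted in the reply.
It never deletes anything: quarantine and submission stay a human decision.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

SUSPECT_SIZE = 30208  # byte size the poster reported for every copy

# A few of the MD5 IoCs quoted in the reply; the complete list is in the thread.
KNOWN_BAD_MD5 = {
    "5e18184589741d51a1e5913c1a3cc1b1",  # auubsysguard.exe
    "200808d2913c7faed6f384cf7081c155",  # iehelper.dll
    "1faab5c087879db25ac2738b2b74498f",  # sysguard.exe
}

# "sttray .exe": one or more spaces squeezed in before the extension
SPACED_RE = re.compile(r"^(?P<stem>.+?) +\.exe$", re.IGNORECASE)
# "sttray.exe80": a normal .exe name with digits appended
NUMBERED_RE = re.compile(r"^.+\.exe\d+$", re.IGNORECASE)


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large binaries do not land in memory at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, siblings: set, known_bad: set) -> list:
    """Return every reason one file looks like part of the infection (empty = clean)."""
    reasons = []
    name = path.name
    spaced = SPACED_RE.match(name)
    if spaced:
        reasons.append("renamed-original")
        # the poster's triad: the space-free name sits beside it, now holding the implant
        if (spaced.group("stem") + ".exe").lower() in siblings:
            reasons.append("replaced-by-copy")
    if NUMBERED_RE.match(name):
        reasons.append("numbered-copy")
    if ".exe" in name.lower() and path.stat().st_size == SUSPECT_SIZE:
        reasons.append("suspect-size")
    if md5_of(path) in known_bad:
        reasons.append("md5-ioc")
    return reasons


def scan_dir(root, known_bad=KNOWN_BAD_MD5) -> dict:
    """Map relative path -> reasons for every suspicious file under root."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        siblings = {n.lower() for n in names}
        for n in names:
            p = Path(dirpath) / n
            if not p.is_file():
                continue
            reasons = classify(p, siblings, known_bad)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample files (not real malware) reproducing the poster's triad."""
    app = root / "Program Files" / "SigmaTel"  # constructed folder name
    app.mkdir(parents=True)
    (app / "sttray .exe").write_bytes(b"MZ original program" * 10)  # renamed original
    (app / "sttray.exe").write_bytes(b"\x90" * SUSPECT_SIZE)          # implant under the real name
    (app / "sttray.exe80").write_bytes(b"\x90" * SUSPECT_SIZE)        # numbered spare copy
    (app / "readme.txt").write_bytes(b"\x90" * SUSPECT_SIZE)          # same size, not an .exe: ignored
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "notepad.exe").write_bytes(b"MZ clean" * 50)             # clean control file
    (sys32 / "dropper_sample.exe").write_bytes(b"MZ dropper" * 7)     # constructed; matched by hash only


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        # The page's hashes cannot match constructed files, so add the sample dropper's
        # own hash to show the IoC check firing; on a real machine use the list as quoted.
        iocs = KNOWN_BAD_MD5 | {md5_of(root / "Windows" / "System32" / "dropper_sample.exe")}
        return scan_dir(root, iocs)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(f"{rel}: {', '.join(why)}")
```

Run it with no arguments to see the constructed demo; pointing `scan_dir()` at a real drive root (from a safe-mode session, as the poster did) produces a listing to review before anything is moved to quarantine. A same-directory check on the space-free name is what turns a single odd filename into the three-file pattern described above, and the hash check is deliberately kept separate from the size check so that a match on either is reported on its own.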

Hey :slight_smile:

Unfortunately I removed every copy of the infected file… so there’s no way I can upload it to virustotal to check what it was… I searched for it once more, but can’t find anything… the symptoms are gone, so I think I won :slight_smile: but I’m so damn curious what the trojan was, I wish I’d been infected by it again :smiley:

Good to know there are tools such as virustotal. It was the first time some antivirus software failed to protect me and I was forced to remove it with my own hands :slight_smile:

Anyway the threat is gone… so I’m happy :slight_smile:

Have a good night :slight_smile:

Hi Marcin,

That is very good news. Great.

regards,

polonus

Delete is not the best option. Send it to the Chest and allow further research about the file (even extracting it and submitting it to virustotal).