Hello,
I’m posting this here as I see u guys have some common sense about the virus/trojan stuff, more than ppl from other forums…
Personally I’m using Eset nod32 now, but as I got infected by something I will describe later, I’m switching to a better one, hopefully Avast…
The THING that infected me… First of all what I’ve noticed was the process names… which were CHANGED to e.g.: sttray .exe from sttray.exe… a SPACEBAR was added to the process name… one spacebar or more… didn’t recognize any rule in this… what was done in the directory was: the original file with a changed name (spacebar added), a file with a size of exactly 30 208 bytes with the original name but WITHOUT the spacebar added, and a file with the SAME SIZE of 30208 bytes, with a name like this: e.g. sttray.exe80 - in the place of the number “80” could have been any other number… but as I saw more processes “infected” the number was growing…
However the VERY FIRST thing I’ve noticed was an error message from VISTA with: c .exe crashed etc…
After this, for a few days, new processes were being infected, mainly those which I used the most… my internet messenger in that case TLEN.pl was infected, the sttray.exe which I mentioned before, some windows processes etc…
What I did was downloading a shit load of antitrojan software, which found NOTHING… nod32 found nothing…
The first was COMBOFIX which deleted some files and registry entries… but the virus/trojan was still working…
I admit I didn’t take the screenshots with the file names… but how did I PROBABLY get rid of the virus…?
As U saw before I knew the exact size of the copies the virus made… so I looked for every f*** file with this size, and checked if it has an original file with the spacebar in the name… I deleted every copy with the original name, every copy with *.exe80 etc. names… and during this search… I found files, which were some wdm…exe files… which had the SIZE of 30208 bytes, but NO COPY etc…
What was VERY interesting was the “owner” of the file, which was TRUSTEDINSTALLER. The owner had full rights, so I couldn’t delete them… I changed the owner to Administrator, gave the Admin full rights, removed the owner TRUSTEDINSTALLER, and finally deleted the files… all the searching and deleting was done in SAFE MODE… what was significant, in safe_mode there were NO processes loaded with the system startup which had the name enlarged by the spacebar… so I felt kinda safe
After this, I searched all the drives I’ve got and there were no other 30208 byte exe files… restarting in normal mode, doing the combofix search didn’t find anything…
Sorry for my english, but I hope someone who got a similar infection will be able to deal with it, maybe…
I hope also any of U guys can recognize the trojan/virus, whatever it is…
If u have any questions, ask… If U hate my english, I’m sorry, really, I just had to write about this SHIT somewhere, cuz it really made me mad, I got some infection while I’m writing my thesis on this laptop and don’t have any other PC nearby
Cheers!
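A defender's way to hunt for the indicators described in this post (a space inserted before `.exe`, a 30208-byte copy under the original name, numbered copies like `sttray.exe80`, and unpaired 30208-byte executables), as an added example that is not the poster's code. The sample file tree is constructed for the demo; apart from `sttray` and the 30208-byte size, the file names and sizes are assumptions.

```python
import os
import re
import tempfile

SUSPECT_SIZE = 30208  # size the post reports for every dropped copy
NUMBERED_COPY = re.compile(r"^(?P<stem>.+\.exe)\d+$", re.IGNORECASE)  # sttray.exe80
SPACED_NAME = re.compile(r"^.+? +\.exe$", re.IGNORECASE)               # "sttray .exe"

def scan_tree(root):
    """Walk root and return {relative path: reason} for files matching the post's indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if SPACED_NAME.match(name):
                findings[rel] = "renamed original (space inserted before .exe)"
            elif (m := NUMBERED_COPY.match(name)):
                findings[rel] = "numbered copy of " + m.group("stem")
            elif name.lower().endswith(".exe") and os.path.getsize(path) == SUSPECT_SIZE:
                # the dropped copy keeps the original name; look for the renamed original beside it
                spaced = re.compile(r"^" + re.escape(name[:-4]) + r" +\.exe$", re.IGNORECASE)
                paired = any(spaced.match(s) for s in files)
                findings[rel] = ("replacement copy; renamed original present" if paired
                                 else "unpaired executable at the reported size")
    return findings

def build_sample_tree(root):
    """Constructed sample files mirroring the post; sizes other than 30208 are made up."""
    samples = {
        "sttray .exe": 98304,          # renamed original, one space added before .exe
        "sttray.exe": SUSPECT_SIZE,    # dropped copy under the original name
        "sttray.exe80": SUSPECT_SIZE,  # numbered copy
        "unpaired.exe": SUSPECT_SIZE,  # stands in for the wdm...exe files that had no copy
        "benign.exe": 4096,            # ordinary executable, must not be flagged
        "readme.txt": SUSPECT_SIZE,    # right size but not an executable, must not be flagged
    }
    for name, size in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path!r}: {reason}")
```

Point `scan_tree` at a real drive root to triage a system; anything it flags still needs the usual checks (signature, hash lookup, known-good baseline) before deletion.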