Help: LNK:Runner-B[Trj] (runctf.nlk)

First I want to apologize for my English. It is very, very poor. I will try to explain as best as possible.

Yesterday Avast! went crazy. It detected one infection again and again and it didn’t stop. It was LNK:Runner-B[Trj]. Avast! said that it had moved the file “runctf.nlk” to the virus chest. And it was true. It is in the virus chest about 500 times.

SuperAntiSpyware, Malwarebytes and Avast! were running all night. In the morning I saw the reports:

• SuperAntiSpyware detected 2 Trojans and a lot of cookies (I have no log)
• Avast! detected only several files related to lgupdates.
• Malwarebytes detected the same Trojans (wgsdgsdgsdgsd.exe) and “runctf.nlk”. (I have the log.)

First I deleted the files detected by Super. Then I deleted the files detected by Malwarebytes… And it started again. Avast again began to detect “runctf.nlk”. I restarted the computer and from then until now there have been no problems.

Anyway, I am not sure that the computer is clean. So I have done everything you say in this post http://forum.avast.com/index.php?topic=53253.0 and here are the AdwCleaner, Malwarebytes, OTL and aswMBR logs.

Could you be so kind as to help me?

Thanks in advance.

P.S.: Tonight I am going to run the antivirus programs again (Super, Malware and Avast!)

Edited: Logs removed

SuperAntiSpyware, Malwarebytes and Avast! were running all night. In the morning I saw the reports:
Does that mean you are running all scans at the same time?

You seem to have a rootkit infection…
Malware removers are notified. It may take hours before one arrives, so be patient.

Thank you very much Pondus.

Yes, all of them were running at the same time. That is why I did it at night. Tonight I have run Super, Malware and Avast again. All of them have done a complete scan.

Super: no detections (only tracking cookies)

Malware: no detections.

Avast: four detections. Two about SuperAntiSpyware, two about aTube Catcher and the other one is C:\Users.…\LocalLow\Sun\Java\Deployment\cache\6.0\54\82b2c76-60b0a978. It says Win32:Rootkit-gen [Rtk] Deleted.

I don’t think it is smart to run them all at the same time; you should run them one by one.

Anyway, the removal experts should be in here after work hours today.

I would like to have a second opinion on the MBR

Download the latest version of TDSSKiller from here and save it to your Desktop.

• Double-click on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

• Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

• Click the Start Scan button.

• If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

• Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

• Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents in your next reply.

First of all, thank you very much essexboy.

This is the TDSSKiller report. It is attached because it exceeds the character limit. It found only suspicious objects and did not offer options. One question: I ran Avast! tonight and it detected one rootkit and deleted it: Win32:Rootkit-gen [Rtk]. Should I run aswMBR again?

Thanks in advance.

Edited: log removed.

No need, aswMBR and TDSSKiller are complementary programmes.

What was the file name that Avast removed ?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a91ltnmq)
O3 - HKU\S-1-5-21-577641083-1480526843-609467307-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered; reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
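The two tool steps above (TDSSKiller’s “Verify Driver Digital Signature” option and the OTL fix removing a “DRV - File not found” service entry) can be reproduced by hand, which is useful for a second opinion or when a removal tool is not available. The PowerShell script below is an added example for this thread; it is not code from OTL, TDSSKiller or Avast. It walks HKLM\SYSTEM\CurrentControlSet\Services, reports kernel and file-system driver entries whose ImagePath points to a missing file, checks the Authenticode signature of driver files that do exist, and lists any active hosts-file lines beyond the localhost mappings (what OTL’s [resethosts] would overwrite). The service name a91ltnmq from the fix is the kind of entry the first check would surface; the script reads registry and files only and changes nothing.

```powershell
# Added example (not part of the original thread or of any of the tools used in it).
# Run from an elevated PowerShell prompt (3.0 or later recommended). Read-only.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath {
    # Turn a raw ImagePath registry value into an absolute file path.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    if ($p -match '^(.*?\.(sys|exe|dll))') { $p = $Matches[1] }   # drop trailing arguments
    $p = $p -replace '^\\\?\?\\', ''                                # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"          # \SystemRoot\system32\...
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') {
        # Values such as system32\drivers\foo.sys are relative to %SystemRoot%
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SuspectDrivers {
    # Returns one object per driver service entry that is either orphaned
    # (file missing) or whose on-disk file does not carry a valid signature.
    $results = @()
    foreach ($key in Get-ChildItem -Path $ServicesKey) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        # SERVICE_KERNEL_DRIVER = 1, SERVICE_FILE_SYSTEM_DRIVER = 2; skip user-mode services
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }

        $file = Resolve-DriverPath $props.ImagePath
        if (-not $file) {
            $results += [pscustomobject]@{ Service = $key.PSChildName; Path = $null; Status = 'NoImagePath' }
            continue
        }
        if (-not (Test-Path -LiteralPath $file)) {
            # This is the case OTL reports as "DRV - File not found"
            $results += [pscustomobject]@{ Service = $key.PSChildName; Path = $file; Status = 'FileNotFound' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid') {
            $results += [pscustomobject]@{ Service = $key.PSChildName; Path = $file; Status = "Signature:$($sig.Status)" }
        }
    }
    return $results
}

function Get-NonDefaultHostsEntries {
    # Any active line other than the localhost mappings deserves a look.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts | Where-Object {
        $line = $_.Trim()
        $line -and -not $line.StartsWith('#') -and ($line -notmatch '^(127\.0\.0\.1|::1)\s+localhost\s*$')
    }
}

"== Driver service entries worth a look =="
Get-SuspectDrivers | Sort-Object Status, Service | Format-Table -AutoSize
"== Non-default hosts entries =="
Get-NonDefaultHostsEntries
```

Two caveats when reading the output. A FileNotFound entry is often just a leftover from an uninstalled product, so it is clutter to remove rather than proof of infection on its own; what matters is an entry whose file is present, loads, and is unsigned or signed by an unexpected party. And on Windows 7 Get-AuthenticodeSignature does not consult the system catalogs, so many legitimate inbox drivers will show as NotSigned there; treat the signature column as a triage list and confirm with a catalog-aware tool (Sysinternals sigcheck, or TDSSKiller’s own signature check) before acting on it.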

Done!

Here is the log.

The file removed by avast! was C:\Users.…\LocalLow\Sun\Java\Deployment\cache\6.0\54\82b2c76-60b0a978 Win32:Rootkit-gen [Rtk] Removed.

Edited: Log removed

How is the computer behaving now ?

Sorry! I’ve been out all the evening.

The computer is fine. But I have to check IE. Before Runner-B I had not noticed anything, only that IE and Firefox didn’t work well. IE ran very, very, very slowly. It took a long time to open web pages and I had to close it with the Task Manager many, many times. It was impossible to work with it. And Firefox sometimes had the same problem. But I didn’t have (and don’t have) this problem with Opera or Chrome. This is the main reason why I use Chrome.

OK, let’s look a tad deeper.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double-click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

I have checked IE and Mozilla Firefox and I think they work perfectly. I have opened four or five windows at the same time with no problem. All windows work well: videos, music, searching… all of them running at the same time. I have even tried to watch four or five YouTube videos at the same time and no problems. I’ll keep trying.

Thank you very, very much.

Edited: Log removed.

Torpon.

After all the crap that AdwCleaner removed, IE and FF should be working as expected. You should wait for Essexboy’s instructions to remove the tools he used to clean your system. Glad you followed my advice to post here.

Regards.

Thank you too, iroc9555. I will answer you in the other post. I have to say something to you that I don’t know how to say in English.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run it for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
• Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
• In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

• Follow the prompts on the screen
• A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to hidden, as some of the tools I use will change that
• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Do not show hidden files and folders.
• Click Yes to confirm.
• Click OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated. To keep your operating system up to date visit
• Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected Keep safe :wave:

Thank you very much, essexboy.

I have done everything you say in your last post. I only had a little problem removing ComboFix. The first time I tried to do it, it started a new scan… :o I let it finish and then I tried again. It started a new scan again, but I stopped it with Task Manager and then it showed a message: ComboFix is uninstalled. I hope all was right.

I’ll download and install the other programs you mention and I’ll try to keep clean.

It is something that I have noticed, it appears to start a scan and then uninstalls itself ;D

Thank you for your help and support.

And sorry for my English.