Help with some Trojan Horses

I ran a scan this morning and these Trojans were found:

A0124856.exe C:\System Volume Information\_restore{09B46G08-2F2B-4A05-8135-A496B05CB098}\RP377
A0125871.exe C:\System Volume Information\_restore{09B46G08-2F2B-4A05-8135-A496B05CB098}\RP381
A0125921.exe C:\System Volume Information\_restore{09B46G08-2F2B-4A05-8135-A496B05CB098}\RP381
A0125922.exe C:\System Volume Information\_restore{09B46G08-2F2B-4A05-8135-A496B05CB098}\RP381
A0125923.exe C:\System Volume Information\_restore{09B46G08-2F2B-4A05-8135-A496B05CB098}\RP381
A0125924.exe C:\System Volume Information\_restore{09B46G08-2F2B-4A05-8135-A496B05CB098}\RP381
bis13E.exe C:\Documents and Settings\Local Settings\Temp
bis147.exe C:\Documents and Settings\Local Settings\Temp

The description for all of them is: Win32:Swizzor-N [trj]

They have been moved to the Virus Chest, but my question is, can I just delete them and forget about them? I was going to reformat but I really don’t want to. Any advice?

They can be deleted from the chest although they are harmless there.

But they may have some friends left on your system; I can look for them if you wish.

Download OTViewIt to your desktop.

[*]Close all windows and double click OTViewIt
[*]Place a tick in the Scan all Users box
[*]Click Run Scan and let the program run uninterrupted
[*]On completion it will produce two logs on the Desktop. Attach the OTViewIt.txt and Extras.txt logs in your next post.

Ok here they are:

Hi again, you appear to have had a LOP infection as well. Let's see if that has gone.

Please download the OTMoveIt3 by OldTimer.

[*] Save it to your desktop.
[*] Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAMP SHIM EXIT HECK"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"beep blue"=-
[HKEY_USERS\S-1-5-21-839522115-1715567821-2145984963-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"beep blue"=-

:Files
C:\DOCUME~1\Jason\APPLIC~1\STYLEA~1
C:\Documents and Settings\All Users\Application Data\That Face Camp Shim

:Commands
[purity]
[emptytemp]

[*] Return to OTMoveIt3, right click in the “Paste Instructions for Items to be Moved” window (under the yellow bar) and choose Paste.

[*]Click the red Moveit! button.
[*]Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
[*]Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Hello again. Here is what it came up with.

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAMP SHIM EXIT HECK deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beep blue deleted successfully.
Registry value HKEY_USERS\S-1-5-21-839522115-1715567821-2145984963-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beep blue not found.
========== FILES ==========
File/Folder C:\DOCUME~1\Jason\APPLIC~1\STYLEA~1 not found.
C:\Documents and Settings\All Users\Application Data\That Face Camp Shim moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Jason\LOCALS~1\Temp\etilqs_1HoXab4BoAmip5TJKF93 scheduled to be deleted on reboot.
User’s Temp folder emptied.
User’s Temporary Internet Files folder emptied.
User’s Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5c0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_640.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Jason\Local Settings\Application Data\Mozilla\Firefox\Profiles\e3a8d8il.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jason\Local Settings\Application Data\Mozilla\Firefox\Profiles\e3a8d8il.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jason\Local Settings\Application Data\Mozilla\Firefox\Profiles\e3a8d8il.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jason\Local Settings\Application Data\Mozilla\Firefox\Profiles\e3a8d8il.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jason\Local Settings\Application Data\Mozilla\Firefox\Profiles\e3a8d8il.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11142008_113536

Files moved on Reboot…
File C:\DOCUME~1\Jason\LOCALS~1\Temp\etilqs_1HoXab4BoAmip5TJKF93 not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_5c0.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_640.dat not found!
C:\Documents and Settings\Jason\Local Settings\Application Data\Mozilla\Firefox\Profiles\e3a8d8il.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Jason\Local Settings\Application Data\Mozilla\Firefox\Profiles\e3a8d8il.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Jason\Local Settings\Application Data\Mozilla\Firefox\Profiles\e3a8d8il.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Jason\Local Settings\Application Data\Mozilla\Firefox\Profiles\e3a8d8il.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Jason\Local Settings\Application Data\Mozilla\Firefox\Profiles\e3a8d8il.default\urlclassifier3.sqlite moved successfully.
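A small log checker, added here as an example (it is not part of this thread or of OldTimer's OTMoveIt3), that parses results in the format posted above and lists every item the script could not confirm as removed, so the "not found" and "scheduled on reboot" entries get re-checked after the reboot instead of being assumed gone. It assumes the outcome phrases seen in this log are the only ones the tool prints; the sample is constructed from lines of that log.

```python
import re

# Constructed sample in the shape of the OTMoveIt3 results posted above (lines copied from
# that log with the backslashes restored); not output from a live run.
SAMPLE_LOG = r"""========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAMP SHIM EXIT HECK deleted successfully.
Registry value HKEY_USERS\S-1-5-21-839522115-1715567821-2145984963-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beep blue not found.
========== FILES ==========
File/Folder C:\DOCUME~1\Jason\APPLIC~1\STYLEA~1 not found.
C:\Documents and Settings\All Users\Application Data\That Face Camp Shim moved successfully.
========== COMMANDS ==========
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_5c0.dat not found!
"""

# Result lines end with one of a few fixed outcome phrases; "... emptied." lines name no target and are skipped.
OUTCOMES = [
    (re.compile(r" scheduled to be (?:deleted|moved) on reboot\.$"), "pending_reboot"),
    (re.compile(r" (?:deleted|moved) successfully\.$"), "removed"),
    (re.compile(r" not found[.!]$"), "not_found"),
]
# Labels the tool prints in front of the target path or registry value.
PREFIX = re.compile(r"^(?:Registry value |File/Folder |File (?:delete|move) failed\. |File )")
SECTION = re.compile(r"^=+ (\w+) =+$")

def parse_otmoveit(text):
    """Return one record per result line: section, outcome and the target it refers to."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Files moved on Reboot"):  # post-reboot block has no ===== header
            section = "REBOOT"
        elif SECTION.match(line):
            section = SECTION.match(line).group(1)
        else:
            for pattern, outcome in OUTCOMES:
                if pattern.search(line):
                    target = PREFIX.sub("", pattern.sub("", line))
                    records.append({"section": section, "outcome": outcome, "target": target})
                    break
    return records

def needs_followup(records):
    """Targets not confirmed removed (pending a reboot, or not found); re-check these in the next log."""
    return [r["target"] for r in records if r["outcome"] != "removed"]

if __name__ == "__main__":
    for t in needs_followup(parse_otmoveit(SAMPLE_LOG)):
        print("follow up:", t)
```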

How is it running now, any further problems? What I would suggest next is to run Malwarebytes to clear any registry entries I missed and any orphan files.

Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Ok here’s the log:

Malwarebytes’ Anti-Malware 1.30
Database version: 1398
Windows 5.1.2600 Service Pack 3

11/14/2008 1:19:56 PM
mbam-log-2008-11-14 (13-19-56).txt

Scan type: Quick Scan
Objects scanned: 50629
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7545d8c8-f53c-4e2f-8fa0-d248ef4a6e61} (Rogue.Installer) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Everything seems to be running fine. Just wish I knew where these came from. Thanks for your help. Saved me from reformatting :slight_smile:

My pleasure, let's just make sure you are fully secure now.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Please download JavaRa to your desktop and unzip it to its own folder

[*]Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
[*]Accept any prompts.
[*]Open JavaRa.exe again and select Search For Updates.
[*]Select Update Using Sun Java’s Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE

You now have a clean restore point, to get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The System will do some calculation and then display a dialogue box with TABS.
[*]Select the More Options Tab.
[*]At the bottom will be a System Restore box with a CLEANUP button; click this.
[*]Accept the Warning and select OK again; the program will close and you are done.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
[*]SuperAntispyware, run weekly to keep your system clean.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit:
[*]Secunia Software Inspector to check your programme update status.
[*]Microsoft Windows Update.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?
Keep safe :wave:

Thanks again essexboy. Everything is running fine again and no more signs of the Trojans. Just one more question…should I leave the infected files in the chest, delete them, or wait a couple of weeks and then delete them if there are no problems?


It is usually better to leave them in the chest for a couple of weeks. They can do no harm while in the chest. At that point rescan them by right clicking each of them. If your computer is running well and they still show infected, you can delete the infected files.