Trojan Virus to Desktop.ini infection

Good day,

I have had a bit of a roller coaster ride for the last two days with a virus I got from my backup hard drive (sucks, I know), which has infected my laptop.

Here is a quick run down:

  • Laptop infected
  • Infection disabled my Avast
  • Rebooted into Safe Mode
  • Lost all Avast scanning features
  • Uninstalled Avast using the Windows Control Panel, then aswclear.exe
  • The above resulted in a damaged startup
  • System Restore, to repair startup
  • I was then back to where I started
  • I followed the instructions posted here - http://forum.avast.com/index.php?topic=53253.0
  • I ran all the cleaners: AdwCleaner, OTL, Malwarebytes and aswMBR.
  • I then attempted another uninstall of Avast using the same two methods (above), with success :slight_smile:
  • I reinstalled Avast, with success
  • I ran RogueKiller.exe, which picked up several infections and put them in the ‘vault’
  • Everything seems to be working fine; in fact I’m sending this from the infected computer.
  • But I now have an unusual number of desktop.ini files all over my computer, and the latest research indicates that this is the original Trojan, which has ‘mutated’ (for lack of a better word)
  • I re-ran the cleaners above (AdwCleaner, OTL…). Attached are the logs

Additionally, my backup hard drive is still infected. If I view it via Safe Mode most of the files are gone, but if I scan it using Malwarebytes I can see that all the files are still there when it scans. Any help here would also be very much appreciated.

Thanks in advance.

Regards

Removers are notified.

When the removers have cleaned your computer, I recommend this: http://amf.mycity.rs/mcshield/

Perfect, thanks for your help

Hi,

Go to the system root partition (C:) and attach the AdwCleaner[S1].txt log report here.
Also attach all the RogueKiller report .txt logs here, so I can see what RK has done.


Re-run OTL.exe.

  • Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.



:Otl
IE - HKU\S-1-5-21-617215511-3753394847-3892302286-1000\..\SearchScopes\{C9B3D89F-4B5B-451E-A980-A2C2A7C4C0C4}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
FF - prefs.js..extensions.enabledAddons: {5911488E-9D1E-40ec-8CBB-06B231CC153F}:2.5.0
FF - prefs.js..extensions.enabledAddons: {7473b6bd-4691-4744-a82b-7854eb3d70b6}:10.13.40.15

:commands
[CREATERESTOREPOINT]
[emptytemp]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.


Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

  • Double-click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish the initial scan.
    It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, attach the log report that MCShield has made.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

RKreports

AdwCleaner[S1].txt + OTL report

The OTL custom scan has removed most of the desktop.ini files that I can see, but new shortcuts have been added; see attached screenshots.

Regarding MCShield, it didn’t pick up anything, I think because I ran a Malwarebytes scan before your reply came in, which caught 6 infections. I have attached that report and the MCShield log.

Thank you very much for your help!!!

Seems there is light at the end of the tunnel. Thank you for your awesome support.

That OTL custom fix you gave me seemed to help a lot. Thanks!

From the Malwarebytes log it seems you are a user of cracked software…

They were only keygens, I don’t use any cracked software…

and the keygen is used for ???

Hi,

I recommend uninstalling Advanced SystemCare 6 (IObit) from your computer. ← Your choice
(Those files might just be created by IObit. They should also be legitimate; IObit uses them as backup hives.)
You may uninstall IObit from Control Panel, or you may use GeekUninstaller (GU is an advanced uninstaller that runs the IObit uninstaller and then scans for leftover files and registry entries…)
http://www.geekuninstaller.com/

desktop.ini files are hidden and system (legit) files. They are not malware related. When we run OTL CleanUp!, these files will “disappear”.

Of course, there is no need to mention cracked software.
Malwarebytes comes in Free and Pro versions.
http://www.malwarebytes.org/products/malwarebytes_free/

They are charging for their hard work and effort, and you are stealing their software via some crack.
Crack itself may also be malware …


Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.


How’s your computer running now?
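The two checks the thread circles around (scanning the external drive for hidden files and shortcuts, and telling Explorer's own Hidden+System desktop.ini files apart from anything unusual) can be done by hand before or after running the tools above. The script below is an added example, not part of the thread and not code from OTL, MCShield or Malwarebytes. It assumes Windows PowerShell 3.0 or later run as administrator; the drive letter, the 4 KB size cut-off for desktop.ini and the list of "launcher" executables it flags in shortcut targets are the editor's own assumptions, not anything the thread states.

```powershell
# Added example (not from the thread): audit a drive for the symptoms discussed above:
#   1. desktop.ini files that are not the normal Hidden+System kind,
#   2. user files that were given Hidden+System so they "vanish" in Explorer,
#   3. .lnk shortcuts that launch a shell or script host instead of a document.
# Assumptions: Windows PowerShell 3.0+, elevated; $Drive, the 4 KB cut-off and the
# $Launchers list are the editor's choices and not taken from the thread.
param(
    [string]$Drive = 'E:\',   # assumed: the external backup drive
    [switch]$Unhide           # clear Hidden+System on user files when set
)

$HS = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System
# Folders Windows itself keeps hidden and system; skip them so they do not appear as findings.
$SkipDirs = '\\(System Volume Information|\$RECYCLE\.BIN|RECYCLER)(\\|$)'

function Test-HiddenSystem([System.IO.FileSystemInfo]$Item) {
    return (($Item.Attributes -band $HS) -eq $HS)
}

# 1. Explorer's own desktop.ini copies are small text files with Hidden+System set.
#    Report any copy that lacks those attributes or is unusually large (assumed cut-off: 4 KB).
function Get-OddDesktopIni([string]$Root) {
    Get-ChildItem -Path $Root -Filter 'desktop.ini' -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch $SkipDirs } |
        Where-Object { -not (Test-HiddenSystem $_) -or $_.Length -gt 4KB } |
        Select-Object FullName, Length, Attributes
}

# 2. User files marked Hidden+System: Explorer hides them even with "show hidden files" on,
#    unless "hide protected operating system files" is also turned off, which is why a
#    scanner still sees files that look "gone". -Fix clears the two attributes (like attrib -h -s).
function Get-HiddenUserFile([string]$Root, [switch]$Fix) {
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch $SkipDirs } |
        Where-Object { $_.Name -notin 'desktop.ini', 'thumbs.db' } |
        Where-Object { Test-HiddenSystem $_ } |
        ForEach-Object {
            if ($Fix) {
                $_.Attributes = [System.IO.FileAttributes]([int]$_.Attributes -band (-bnot [int]$HS))
            }
            $_ | Select-Object FullName, Length, Attributes
        }
}

# 3. Shortcuts: resolve each .lnk through the WScript.Shell COM object and flag those whose
#    target or arguments name a shell or script host rather than a document or folder.
$Launchers = 'cmd\.exe|wscript\.exe|cscript\.exe|powershell\.exe|rundll32\.exe|mshta\.exe'  # assumed list
function Get-SuspiciousShortcut([string]$Root) {
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Root -Filter '*.lnk' -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ($lnk.TargetPath -match $Launchers -or $lnk.Arguments -match $Launchers) {
                [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
            }
        }
}

Write-Host "== desktop.ini files that do not look like Explorer's own =="
Get-OddDesktopIni $Drive | Format-Table -AutoSize
Write-Host "== user files with Hidden+System set (run with -Unhide to clear) =="
Get-HiddenUserFile $Drive -Fix:$Unhide | Format-Table -AutoSize
Write-Host "== shortcuts that launch a shell or script host =="
Get-SuspiciousShortcut $Drive | Format-Table -AutoSize
```

Run it once without -Unhide to see what it would touch; shortcuts and hidden-file findings should be handed to the scanners first, and the attribute reset is only for your own documents once the drive is clean, since clearing Hidden+System on a file the scanner has not yet looked at does nothing to remove it.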

Firstly I wanted to thank you for all your help Magna86… without it I would have been in a lot of trouble, so I thank you very much for your help.

It seems my system is running very smoothly after removing IObit (via GeekUninstaller, which on its own is an awesome piece of software :slight_smile: ) and running the OTL Cleanup, which is great. I have managed to remove all (hopefully) viruses from my hard drive too. So again, thank you very much for your help.

Pongus, I understand your concern regarding the cracked software, but having a couple of keygens on my external hard drive doesn’t mean I am a ‘user’ of cracked software. In fact, I lent the hard drive to a college mate of mine to get some assignments, which he must have used to transport the keygens for whatever reason… which is right around the time I got the viruses. I will be sure to roundhouse kick him for all the trouble he has caused me when I see him again.

Magna86, I also read the threads regarding the virus signature, so I understand why you would think I installed a cracked copy of Malwarebytes, but I didn’t. I downloaded the installer from these instructions - http://forum.avast.com/index.php?topic=53253.0 (where it says “Please download Malwarebytes’ Anti-Malware from Here or Here.” - I used the 1st link)
which led me to this link to download the installer - http://fileforum.betanews.com/detail/Malwarebytes-AntiMalware/1186760019/1
and that is where I downloaded it from… Up until I uninstalled it, it always carried a ‘Trial’ notification in the Malwarebytes control panel.

Anyway, those last two statements are not important… the important thing is my system is working again… and I have you two to thank for that ;D

I just have one last question. Now, after this whole ordeal, I have installed a lot of virus removal software. Apart from OTL, which deleted itself on the ‘Cleanup’, most of the software are standalone applications, so they won’t require uninstalling? Would it, in your opinion, be safe to say that I only keep MCShield and Avast running on my machine going forward?

Thanks a billion Magna86

Pongus, I understand your concern regarding the cracked software, but having a couple of keygens on my external hard drive doesn't mean I am a 'user' of cracked software. In fact, I lent the hard drive to a college mate of mine to get some assignments, which he must have used to transport the keygens for whatever reason... which is right around the time I got the viruses. I will be sure to roundhouse kick him for all the trouble he has caused me when I see him again.
good ;D
I just have one last question. Now, after this whole ordeal, I have installed a lot of virus removal software. Apart from OTL, which deleted itself on the 'Cleanup', most of the software are standalone applications, so they won't require uninstalling? Would it, in your opinion, be safe to say that I only keep MCShield and Avast running on my machine going forward?
I would also keep Malwarebytes as an extra scanner..... Remember to always update it before a scan; in settings you can change the default update notification from 7 days to 1. Note.... and if you want the PRO version of Malwarebytes, it is a one-time fee for a lifetime license, so tell your friend... no need for a keygen ;) Then you get a protection module and auto update..... and it can run alongside Avast.

Some info about the IObit company that you may want to read:
http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217