Win32:OnLineGames-WK [Trj] Please help!!!

I recently got a virus called Win32:OnLineGames-WK [Trj].
It keeps on adding a new file to the temp folder called 1.exe, 2.exe, 3.exe and so forth.
If I delete it, it just goes up to the next number…
Please HELP!!! :frowning: :frowning:

THANKS GUYS :-\

There would appear to be other elements to this that are restoring the files.

What is your firewall, as this could be an undetected trojan downloader downloading the files?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. If using WinXP: AVG Anti-Spyware (formerly Ewido), or SUPERAntiSpyware, or Spyware Terminator. Or a-squared Free if using Win98/ME.

This is already in the avast VPS. http://www.avast.com/eng/vps_history.html

So, I have to ask …

how long have you had avast?
is it up-to-date or was it up-to-date when the infection occurred?
and …
do you have another anti-virus program on your computer?


Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

After you post the ComboFix log run Hijackthis and post its log:

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Alright, thanks guys for your posts…

Firstly, DavidR
I think that I just have the original Windows firewall, but I have avast, if that has a firewall?
And I downloaded SuperANTIVIRUS, ran it, and deleted the files it found.

Second, CharleyO
I have had my Avast for a while now, and I do keep it up to date, but only when it says that it is outdated or whatever. And I don’t have any other anti-virus programs on my computer unless Ad-Aware counts.

Third, mauserme
I downloaded combofix and posted the ComboFix.txt and the ComboFix-quarantined-files.txt, as well as the hijackthis log.

THANKS SO MUCH FOR YOUR HELP GUYS
;D HOPE YOU CAN FIX IT ;D

I was just doing the scan from Super Anti virus, and avast found some adware.
I’m not sure if it was there before, but it is called Win32:Vundo-gen29 [Adw] and it is in C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32
All of the files in C:\QOOBOX are something.something.vir

I hope that isn’t a bad thing… :-\

Something is definitely happening…
another one
Win32:Trojan-gen. {Other}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8FA647E7-B071-4B5E-94CA-58A5F4F6F60C}\RP253\A0117502.EXE

The SUPERAntiSpyware is also finding things like

  • TrojanDownloader - Gen/Hard fall
  • TrojanDownloader - Gen/SwampDork
  • Trojan Downloader - UNIBBB
  • Trojan.net -multispan/W0

Please help

If you have system restore enabled and you delete/move a file from the system folders (which you just did with SUPERAntiSpyware) then it will save a copy in the system volume information folder as a _restore point. This can still be detected on later scans of the system volume information folder.

You should create a folder for HiJackThis (HJT) and not run it from the desktop otherwise any fixes you do may not be saved and if you need to restore anything that won’t work. Some also advise renaming the hijackthis.exe file (say HJT-202.exe or a name of your choosing) as some malware can identify that and hide from it.

The trojan downloader is likely to be what was responsible for the 1.exe, 2.exe files, etc., but a malware name in isolation isn’t very helpful; what is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
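As an added example, not from this thread or from any of the tools named in it, here is a small triage script for the symptom the thread opened with (numbered 1.exe, 2.exe, … appearing in the temp folder and reappearing with the next number after deletion). It lists numeric-named executables in a directory, hashes them and groups them by content, which is the question David is driving at: whether each reappearing file is the same payload dropped again by something resident, or a fresh download each time. The directory and files it scans are constructed in a temporary folder so it runs offline; on the real machine you would point it at %TEMP% instead.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple

# Matches the naming pattern described in the thread: 1.exe, 2.exe, ... 14.exe
NUMBERED_EXE = re.compile(r"^(\d+)\.exe$", re.IGNORECASE)


def sha1_of(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_numbered_droppers(directory: str) -> List[Tuple[int, str, int, str]]:
    """Return (number, filename, size, sha1) for every N.exe in the directory, sorted by N."""
    hits = []
    for name in os.listdir(directory):
        m = NUMBERED_EXE.match(name)
        path = os.path.join(directory, name)
        if m and os.path.isfile(path):
            hits.append((int(m.group(1)), name, os.path.getsize(path), sha1_of(path)))
    return sorted(hits)


def group_by_content(hits) -> Dict[str, List[str]]:
    """Map each distinct SHA-1 to the file names carrying it: one group means
    the same payload is being re-dropped, several groups mean varied downloads."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for _n, name, _size, digest in hits:
        groups[digest].append(name)
    return dict(groups)


def next_expected_name(hits) -> str:
    """The name the dropper will use next if it keeps counting up (no hits -> 1.exe)."""
    return f"{(hits[-1][0] if hits else 0) + 1}.exe"


def build_sample_tempdir() -> str:
    """Constructed sample directory: 1.exe and 2.exe identical, 3.exe different,
    a mixed-case 14.EXE, and one unrelated file that must be ignored."""
    d = tempfile.mkdtemp(prefix="numbered-dropper-demo-")
    payload_a = b"MZ" + b"A" * 200      # placeholder bytes, not real malware
    payload_b = b"MZ" + b"B" * 300
    for name, data in (("1.exe", payload_a), ("2.exe", payload_a), ("3.exe", payload_b),
                       ("notes.txt", b"unrelated"), ("14.EXE", payload_a)):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    folder = build_sample_tempdir()          # on a real box: os.environ["TEMP"]
    hits = find_numbered_droppers(folder)
    for n, name, size, digest in hits:
        print(f"{name:>8}  {size:6d} bytes  {digest}")
    for digest, names in group_by_content(hits).items():
        print(f"{digest[:12]}...  dropped {len(names)}x as {', '.join(names)}")
    print("next expected:", next_expected_name(hits))
```

Run it once while the alerts are still firing and again after the cleanup steps: if every N.exe hashes the same, you are looking for one resident dropper (and that hash is what to submit for analysis); if they differ, the downloader is still reaching out and the network side matters more than the files themselves.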

The files in C:\QOOBOX are those that ComboFix placed in quarantine. They are infected but are quite safe where they are.

The infected System Restore points (C:\SYSTEM VOLUME INFORMATION\ …) are OK to leave alone for now as long as you don’t restore your computer to a previous time. We will deal with any of these that remain toward the end of the cleaning process.

As David mentioned, HijackThis should be run from its own folder so the backups it creates don’t get inadvertently deleted. After you’ve moved it, open HJT again and click Do a System Scan Only. When the scan is complete place a check mark next to these lines:

O2 - BHO: (no name) - {D3626E66-B13B-C628-ACDF-BDABCFA265E1} - C:\Program Files\Common Files\Relive.dll

O2 - BHO: (no name) - {D7515C61-A66C-4319-A0E0-D416CB8059E3} - C:\Program Files\Common Files\Relive.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)

O20 - Winlogon Notify: zsydll - C:\WINDOWS\

O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - --“C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe” (file missing)

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - --“C:\Program Files\TuneUp WinStyler\WinStylerThemeSvc.exe” (file missing)

O23 - Service: Windows Defender (WinDefend) - Unknown owner - --“C:\Program Files\Windows Defender\MsMpEng.exe” (file missing)

O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - --“C:\Program Files\Windows Media Player\WMPNetwk.exe” (file missing)

Make sure all other windows are closed, including your browser, and click Fix Checked. When finished close HJT.

Now download OTMoveIt by OldTimer and save it to your desktop.

Double-click OTMoveIt.exe to run it.
Copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\zsydll.dll
C:\Program Files\Common Files\Relive.dll
C:\autorun.inf
C:\ghost.pif

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. Don’t be concerned if some of those files are not found.

Next, upload these files to Virus Total and post the results of the analysis for each…

C:\WINDOWS\system32\TUKernel.exe

C:\WINDOWS\system32\2787687FE3.dll

Then, Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:

      Non-Microsoft Only

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
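As an added example (not part of this thread, and not code from HijackThis or its author), here is the kind of triage that produces a fix list like the one above. It parses HJT log lines and flags three things: entries whose target file is already gone ("(no file)" / "(file missing)"), O2 BHOs that carry no name, and O20 Winlogon Notify DLLs that live outside system32. The sample log embeds the lines quoted in this thread plus one constructed benign O23 entry for the avast! service so that the rules have something to let through; the rules are the usual HJT rules of thumb, not a verdict on any particular file, and the O20 location rule is a heuristic.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the HijackThis lines quoted in this thread, plus one
# benign O23 entry for the avast! service (constructed here so the triage has a
# line that should pass untouched).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {D3626E66-B13B-C628-ACDF-BDABCFA265E1} - C:\Program Files\Common Files\Relive.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O20 - Winlogon Notify: zsydll - C:\WINDOWS\zsydll.dll
O23 - Service: Windows Defender (WinDefend) - Unknown owner - "C:\Program Files\Windows Defender\MsMpEng.exe" (file missing)
O23 - Service: avast! Antivirus (avast! Antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT entry starts with a section tag (O2, O3, O20, O23, ...) and a kind.
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_hjt(log_text: str) -> List[Finding]:
    """Apply three rules of thumb to a HijackThis log and return the hits.

    1. Any entry marked "(no file)" or "(file missing)" is an orphaned
       registration: nothing left to run, safe to remove.
    2. An O2 BHO with "(no name)" is a browser extension hiding its identity;
       legitimate BHOs carry a name.
    3. An O20 Winlogon Notify DLL outside %SystemRoot%\\system32 is unusual
       (heuristic: genuine notify packages are installed into system32).
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, _kind, body = m.groups()
        parts = [p.strip() for p in body.split(" - ")]
        target = parts[-1]          # last segment is the file/path the entry points at
        low = line.lower()

        if "(no file)" in low or "(file missing)" in low:
            findings.append(Finding(section, "orphaned entry, target file is gone", line))
            continue
        if section == "O2" and parts[0] == "(no name)":
            findings.append(Finding(section, "unnamed BHO", line))
        if section == "O20" and not target.lower().startswith("c:\\windows\\system32\\"):
            findings.append(Finding(section, "Winlogon Notify DLL outside system32 (heuristic)", line))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """The lines you would tick in 'Do a system scan only' before 'Fix checked'."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The orphaned entries are the easy part: HJT removes the registry reference and nothing else changes. The unnamed BHO and the Winlogon Notify DLL are the ones whose files also have to be moved out (which is what the OTMoveIt list above does), because fixing the registry entry alone leaves the DLL in place to be re-registered.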

When I run OTMoveIt, I copy all of the files and click Moveit, but it cannot create the log.
Results:
File/Folder C:\WINDOWS\system32\ssqro.dll not found.
File/Folder C:\WINDOWS\zsydll.dll not found.
File/Folder C:\Program Files\Common Files\Relive.dll not found.
File/Folder C:\autorun.inf not found.
File/Folder C:\ghost.pif not found.

Created on 07-12-2007 07:32:46
???

And David,
I don’t know where the files were from, but they wouldn’t be the ones responsible, I think, because the virus is still going after I deleted the files.

I hope that that isn’t bad…

Let mauserme finish the process and hopefully that will stop the virus alerts.

However, you say the virus is still going, then you should be getting alerts (from avast I assume) that would tell you the file name and location. If that doesn’t resolve it we will look at the next step.

Maybe SuperAntiSpyware took care of a few things for us.

DavidR’s question is very pertinent - do you get alerts in real time or only when you scan with SuperAS or another anti-malware program?

Please make sure to follow through with the HJT fixes, Virus Total, and WinpFind as well.

EDIT: If you have removable drives please don’t use them right now. It appears that this malware has at least attempted to infect them.

Virus Total Results
TUKernel.exe
Antivirus Version Last Update Result
AhnLab-V3 2007.7.11.1 20070711 no virus found
AntiVir 7.4.0.39 20070711 no virus found
Authentium 4.93.8 20070712 no virus found
Avast 4.7.997.0 20070712 no virus found
AVG 7.5.0.476 20070712 no virus found
BitDefender 7.2 20070712 no virus found
CAT-QuickHeal 9.00 20070711 no virus found
ClamAV devel-20070416 20070712 no virus found
DrWeb 4.33 20070712 no virus found
eSafe 7.0.15.0 20070710 no virus found
eTrust-Vet 30.8.3780 20070711 no virus found
Ewido 4.0 20070711 no virus found
FileAdvisor 1 20070712 no virus found
Fortinet 2.91.0.0 20070712 no virus found
F-Prot 4.3.2.48 20070711 no virus found
Ikarus T3.1.1.8 20070712 no virus found
Kaspersky 4.0.2.24 20070712 no virus found
McAfee 5072 20070711 no virus found
Microsoft 1.2704 20070712 no virus found
NOD32v2 2394 20070711 no virus found
Norman 5.80.02 20070711 no virus found
Panda 9.0.0.4 20070712 no virus found
Sophos 4.19.0 20070706 no virus found
Sunbelt 2.2.907.0 20070712 no virus found
Symantec 10 20070712 no virus found
TheHacker 6.1.6.145 20070712 no virus found
VBA32 3.12.0.2 20070712 no virus found
VirusBuster 4.3.23:9 20070711 no virus found
Webwasher-Gateway 6.0.1 20070712 no virus found
Additional information
File size: 2275840 bytes
MD5: fbf08e21d2dbb3e70c55acad13f9f1d7
SHA1: 9ddb1cdfdf1396c439bcd1021ad35ea65b5f9b0f

2787687FE3.dll

Antivirus Version Last Update Result
AhnLab-V3 2007.7.11.1 20070711 no virus found
AntiVir 7.4.0.39 20070711 no virus found
Authentium 4.93.8 20070712 no virus found
Avast 4.7.997.0 20070712 no virus found
AVG 7.5.0.476 20070712 no virus found
BitDefender 7.2 20070712 no virus found
CAT-QuickHeal 9.00 20070711 no virus found
ClamAV devel-20070416 20070712 no virus found
DrWeb 4.33 20070712 no virus found
eSafe 7.0.15.0 20070710 no virus found
eTrust-Vet 30.8.3780 20070711 no virus found
Ewido 4.0 20070711 no virus found
FileAdvisor 1 20070712 no virus found
Fortinet 2.91.0.0 20070712 no virus found
F-Prot 4.3.2.48 20070711 no virus found
Ikarus T3.1.1.8 20070712 no virus found
Kaspersky 4.0.2.24 20070712 no virus found
McAfee 5072 20070711 no virus found
Microsoft 1.2704 20070712 no virus found
NOD32v2 2394 20070711 no virus found
Norman 5.80.02 20070711 no virus found
Panda 9.0.0.4 20070712 no virus found
Sophos 4.19.0 20070706 no virus found
Sunbelt 2.2.907.0 20070712 no virus found
Symantec 10 20070712 no virus found
TheHacker 6.1.6.145 20070712 no virus found
VBA32 3.12.0.2 20070712 no virus found
VirusBuster 4.3.23:9 20070711 no virus found
Webwasher-Gateway 6.0.1 20070712 no virus found
Additional information
File size: 80 bytes
MD5: e0050d1c97ab42c6294439ed55bd448a
SHA1: 03cc124293d996f63a20029ba6d6e897c9f07261

I get my alerts in real time.
They come up in the on-access scanner every time I log in.
It finds a file called 1.exe, so I click move to chest, then it finds 2.exe and so on.
It stops at 14.exe, then it doesn’t appear anymore.

I will post the WinPFind3u results in the next post.
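As an added example (not part of this thread and not VirusTotal's own code), here is how a practitioner would read a pasted result like the two above rather than just counting the "no virus found" lines. It parses the listing into engine rows and file metadata, computes the detection ratio, recomputes MD5/SHA-1 of a local file to confirm the listing really describes the file you meant to upload, and runs a minimal PE header sanity check. The last point is the caveat worth taking from the 2787687FE3.dll result: at 80 bytes the file cannot hold even the 64-byte DOS header, the 4-byte "PE\0\0" signature and the 20-byte COFF file header of a conforming PE, so 29 clean verdicts say only that it is not a known sample, not that it is a real DLL. The listing below is a cut-down copy of the one above with one constructed "SampleAV" hit row added so the ratio is non-zero; the byte strings are constructed too, not files from the thread.

```python
import hashlib
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample: a cut-down copy of the listing pasted above, plus one
# constructed engine row ("SampleAV") that reports a hit so the ratio is non-zero.
SAMPLE_VT_LISTING = """\
Antivirus Version Last Update Result
Avast 4.7.997.0 20070712 no virus found
AVG 7.5.0.476 20070712 no virus found
Kaspersky 4.0.2.24 20070712 no virus found
SampleAV 1.0 20070712 Sample.Detection (constructed row)
Additional information
File size: 80 bytes
MD5: e0050d1c97ab42c6294439ed55bd448a
SHA1: 03cc124293d996f63a20029ba6d6e897c9f07261
"""

# engine, version, 8-digit signature date, verdict text
VT_ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{8})\s+(.+)$")
META_RE = {
    "size": re.compile(r"^File size:\s*(\d+)\s*bytes"),
    "md5": re.compile(r"^MD5:\s*([0-9a-fA-F]{32})"),
    "sha1": re.compile(r"^SHA1:\s*([0-9a-fA-F]{40})"),
}


def parse_vt_listing(text: str) -> Tuple[List[Tuple[str, str, str, str]], Dict[str, str]]:
    """Split a pasted VirusTotal result into engine rows and file metadata."""
    rows, meta = [], {}
    for line in text.splitlines():
        line = line.strip()
        for key, rx in META_RE.items():
            m = rx.match(line)
            if m:
                meta[key] = m.group(1).lower()
        m = VT_ROW_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows, meta


def detection_ratio(rows) -> Tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for r in rows if r[3].strip().lower() != "no virus found")
    return hits, len(rows)


def file_hashes(data: bytes) -> Dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def matches_listing(data: bytes, meta: Dict[str, str]) -> bool:
    """True only if size, MD5 and SHA-1 all agree with the pasted listing."""
    h = file_hashes(data)
    return (meta.get("size") == str(len(data))
            and meta.get("md5") == h["md5"]
            and meta.get("sha1") == h["sha1"])


def is_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 64-byte DOS header starting with 'MZ', e_lfanew
    pointing at 'PE\\0\\0', and room for the 20-byte COFF file header behind it."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed byte strings, not real files from the thread:
STUB_80 = b"MZ" + b"\0" * 78                                # 80 bytes, like the .dll above
MINIMAL_PE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 64)    # DOS header, e_lfanew = 64
              + b"PE\0\0" + b"\0" * 20)                     # signature + COFF header = 88 bytes


if __name__ == "__main__":
    rows, meta = parse_vt_listing(SAMPLE_VT_LISTING)
    print("detections: %d/%d" % detection_ratio(rows))
    print("listing matches STUB_80:", matches_listing(STUB_80, meta))
    print("STUB_80 is a PE:", is_pe(STUB_80), "| MINIMAL_PE is a PE:", is_pe(MINIMAL_PE))
```

Checking the hashes against the listing matters because the upload page shows the result for whatever bytes it received; if the file on disk is re-written between alerts (as the numbered droppers here are), the hash you uploaded may no longer be the hash you are looking at.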

I’m just posting the files

Posting

I’ll just post the file…

Hey… so did you manage to clean the virus? I can’t seem to clear mine though…

Did you follow general cleaning procedures?

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It would be good if you download, install, update and run AVG Anti-Spyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  5. If you are still detecting any strange behavior, or even if you’re sure you’re not clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

  6. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.

  7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Also download and install the latest Java from here

http://filehippo.com/download_java_runtime/

Then open Add/Remove Programs in the Control Panel and uninstall any versions older than the one you just installed. It looks like you have some older versions - the update process will not remove them.

Then post a new HJT log but make sure to close every other window before you run it.