Inori
2009-09-14, 22:55
The questions are more important to me than problem itself, so please help me with them first.
I have a Linksys router with firewall enabled and all ports closed. I have desktop and laptop PCs. My laptop is an HP Compaq-615 with 2 logical recovery drives. My laptop PC is severely infected; my desktop has Comodo firewall and Nod32 antivirus.
1.) If I run a full format on the laptop, will files in the recovery drives still be infected?
2.) If I copy some of my data from laptop to desktop, is there a chance that I'll get a virus with it?
3.) If I format desktop PC (I was planning to anyway) and then copy some of the files, including anti-malware stuff from laptop, will I get infected?
4.) If I copy files from laptop to flash drive, will it get infected?
5.) If I copy some of the files from infected drive to HP recovery one, will they be infected?
The problem:
I recently bought a new laptop and installed Windows XP on it. I admit, that was very stupid of me, but I was lazy and didn't install any firewall/antivirus/spyware on it. I used this laptop for a week at University, which had an unsecured wireless network (from which I think I've got all the problems). 2 days ago it hit me to get some protection.
I installed Eset Nod32 4.0, it found a Win32/Olmarik Trojan and said that it can't delete it because it's in memory + some other viruses (don't remember names, sadly) + Kryptic.ZS trojan, which it stated to have deleted.
I then installed MalwareBytes and Spybot S&D. Ran both, they've found some minor spybots, removed. Booted in safe mode, scanned with Nod32, nothing.
Today when I turned on the laptop, Nod32 found both Olmarik and Kryptic.ZS trojans again. I tried looking for .dlls, nothing. I installed Spyware Doctor, it didn't find anything. I then tried going to safe mode, but it did not boot at all (loads up all required dlls and then restarts and shows me that Windows didn't turn off properly and blah blah). I then booted to Windows and it went all to hell. I've got some weird X in the tray (stating that I have spyware and I should go to some bogus site and install their stuff), S&D refused to work, Nod32 flashed with virus notifications. Malwarebytes detected some, but I still have the Olmarik and Kryptic.ZS. It's a fresh Windows install, so I don't mind reformatting if doing a full clean saves the hassle. My main concern is the files mentioned in the questions.
Here's the Malwarebytes log
Malwarebytes' Anti-Malware 1.41
Database version: 2792
Windows 5.1.2600 Service Pack 3, v.5755
14.09.2009 22:31:42
mbam-log-2009-09-14 (22-31-42).txt
Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 134438
Time elapsed: 14 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 23
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Inori\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inori\Local Settings\Temporary Internet Files\Content.IE5\2EI4LF1D\Install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inori\Local Settings\Temporary Internet Files\Content.IE5\GLQQC2C7\Install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inori\Local Settings\Temporary Internet Files\Content.IE5\X2B5416M\Install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inori\Local Settings\Temporary Internet Files\Content.IE5\XSMBXUX6\Install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inori\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PNSXCUYE\Install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W9K1E0R2\Install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rundll32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inori\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Inori\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Delete on reboot.
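Added example, not part of the original post: a small Python triage script over lines in the Malwarebytes' Anti-Malware 1.x log format, run on a constructed excerpt built from paths that appear in the log above. It groups each finding by the persistence or tampering mechanism its location implies (Run keys, Startup folder, kernel-mode drivers, the dllcache copy that Windows File Protection restores from, Security Center policy values) and separates out what the scanner could only defer to reboot or left untouched. The mechanism labels and all function names are my own, not MBAM's.

```python
"""Triage an MBAM 1.x text log: group findings by the mechanism their location
implies and flag what the scanner could not remove from the running Windows."""
import re
from collections import defaultdict

# Constructed excerpt in the MBAM 1.41 log format; paths are taken from the
# posted log, trimmed to one or two representative lines per category.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
Files Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Inori\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\rundll32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "<location> (<family>) -> <rest>"; section headers and the
# "(No malicious items detected)" placeholder do not match and are skipped.
FINDING = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")


def parse_findings(log_text):
    """Return a list of (location, family, action) for every finding line."""
    found = []
    for line in log_text.splitlines():
        m = FINDING.match(line.strip())
        if not m:
            continue
        # Registry data items read "Bad: (1) Good: (0) -> <action>";
        # the last arrow-separated segment is always the action taken.
        action = m.group("rest").split(" -> ")[-1].rstrip(".")
        found.append((m.group("location"), m.group("family"), action))
    return found


def mechanism(location):
    """Map a finding's location to the autostart/tampering mechanism it implies."""
    loc = location.lower()
    if loc.startswith("hkey_"):
        if "\\currentversion\\run\\" in loc:
            return "registry Run key (autostart)"
        if "\\security center\\" in loc:
            return "Security Center notification tampering"
        return "registry (other)"
    if "\\start menu\\programs\\startup\\" in loc:
        return "Startup folder (autostart)"
    if "\\drivers\\" in loc and loc.endswith(".sys"):
        return "kernel-mode driver"
    if "\\dllcache\\" in loc:
        return "dllcache copy (Windows File Protection backup)"
    if "\\temporary internet files\\" in loc or "\\temp\\" in loc:
        return "dropped/downloaded payload (temp or browser cache)"
    return "file (other)"


def triage(log_text):
    """Group findings by mechanism and separate those MBAM could not finish.
    'Delete on reboot' = object was locked or in use while Windows ran;
    'Not selected for removal' = object was reported but left untouched."""
    report = {"by_mechanism": defaultdict(list), "pending": [], "unrepaired": []}
    for location, family, action in parse_findings(log_text):
        report["by_mechanism"][mechanism(location)].append((location, family))
        if action == "Delete on reboot":
            report["pending"].append(location)
        elif action == "Not selected for removal":
            report["unrepaired"].append(location)
    # A driver classified as a rootkit that is still pending removal means the
    # kernel the scanners ran under was itself under the malware's control.
    report["kernel_rootkit_pending"] = any(
        fam.startswith("Rootkit") and loc in report["pending"]
        for loc, fam in report["by_mechanism"]["kernel-mode driver"]
    )
    return report


def verdict(report):
    """Turn the triage into the conclusions a responder draws from it."""
    notes = []
    if report["kernel_rootkit_pending"]:
        notes.append("kernel-mode rootkit driver still present: results from "
                     "scanners run inside this Windows cannot be trusted; "
                     "scan offline or rebuild")
    if report["pending"]:
        notes.append("%d object(s) deferred to reboot: confirm after restart "
                     "that they are gone" % len(report["pending"]))
    if report["unrepaired"]:
        notes.append("%d policy value(s) left as found: restore them by hand"
                     % len(report["unrepaired"]))
    return notes


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for mech, items in sorted(result["by_mechanism"].items()):
        print("%-50s %d" % (mech, len(items)))
    for note in verdict(result):
        print("-", note)
```

On the posted log the same logic puts `str.sys` (Rootkit.Agent, delete on reboot) in the kernel-mode driver bucket alongside the replaced `beep.sys`, which is why a wipe-and-reinstall is the conservative answer to the question in the post rather than another in-OS scan pass.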