Infected with worm_downad.ad, Cryp_mangle, ---, Troj_Generic.dit



Liquuid
2009-10-15, 07:27
Hi,

I was recently assisted by Blade81 with the removal of Cryp_Mangle. It was believed to be a false positive, so my virus scanner (Trend Micro) was removed and reinstalled to fix it. Please see thread http://forums.spybot.info/showthread.php?t=52431. Two days have passed and it has come back with a new friend (Worm_Downad.ad). The only downloading that has occurred was some add-ons for Firefox. Everything else on the web has been the usual FB and email downloads. With the exception of a disc that came with the Aug edition of Australian PC magazine, which also registered a virus (Troj_Generic.dit).

My scan logs:
Virus Scan Logs 15/10/2009 JASON-PC
Time Detected by Source Type Threat Name Infected File First Action Second Action Pattern Version
12:22 Manual Scan File TROJ_Generic.DIT $INSTDIR\help.chm (E:\apcgui\files\feat\aug\rightclickconfigurator_acp_au.exe) Ignored Successfully 6.543.50
12:22 Manual Scan File --- E:\apcgui\files\feat\aug\rightclickconfigurator_acp_au.exe Ignored Successfully 6.543.50
12:10 Manual Scan File Cryp_Mangled RemoveTSRegistryKey.exe (C:\Users\Public\Desktop\TrendMicro_TIS_17.50_en-US_64-bit\Tools\64bit\TSRemove.exe) Ignored Successfully 6.543.50
12:10 Manual Scan File --- C:\Users\Public\Desktop\TrendMicro_TIS_17.50_en-US_64-bit\Tools\64bit\TSRemove.exe Ignored Successfully 6.543.50

and Trojans:

Virus Scan Logs 15/10/2009 JASON-PC
Time Threat Name Status Pattern Version
14:22 WORM_DOWNAD.AD Clean 6.543.50
14:22 WORM_DOWNAD.AD Clean 6.543.50
12:50 WORM_DOWNAD.AD Clean 1062
12:50 WORM_DOWNAD.AD Clean 6.543.50
12:50 WORM_DOWNAD.AD Clean 1062

Files currently quarantined are:
TSRemove.exe (Location C:\users\public\desktop\TrendMicro_TIS_17.50_en-US-64-bit\tools\64bit\)
jwgkvsq.vmx(Location H:\RECYLERS\S-5-42-2819952290-8240758988-879315005-3665\)
66a7.tmp (Location C:\Program Files\Trend Micro\Internet Security\Quarantine\Temp\)
342.tmp (Location C:\Program Files\Trend Micro\Internet Security\Quarantine\Temp\)

The modus operandi of this sucker has changed, as it is infecting .exe files now; however, when I delete it, it still reinfects a different file. HJT and OTL logs to follow in this thread.

Thanks in anticipation.

Liquuid

Liquuid
2009-10-16, 11:16
I believe I have removed everything. Thank you anyway.

Regards,

Liquuid