[Trojan generation] Trying to find who creates an autorun.inf in USB-Drives...
Rbid
Hello,

I'm new, therefore forgive my mistakes if any :)

My laptop at work was taken by a colleague of mine and returned with a virus/trojan that does:
- Fixes or generates a new autorun.inf in any USB-stick that is inserted to the PC.
- The autorun.inf has the following text:
CODE
[AutoRun]
shellexecute=/RECYCLER/rrqzrmne.exe navg

- The filename inside the RECYCLER directory changes every time the file is generated.

For my good luck, the McAfee antivirus detects and destroys the executable. (Its size is always 114688 bytes)
For my bad luck, I can't find the one that is generating this trojan file. (McAfee does not catch it, nor do the other tools I have run)


Attached is the HJT log file I have captured.

Any hint?

Thanks in advance, and have a nice day

--- Ricky
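The autorun.inf pattern Ricky describes (a launch key pointing at a freshly named executable under RECYCLER, payload always 114688 bytes) can be checked for mechanically on any removable drive. The script below is an added example written for this thread, not code from the original post or from any tool mentioned in it. The only facts it takes from the post are the [AutoRun] section, the shellexecute key, the /RECYCLER/<name>.exe target and the reported size; the function names, the RECYCLER heuristic and the sample drive it builds in a temporary directory are constructed for illustration.

```python
"""Added example, not from the original thread: detection logic for the
autorun.inf pattern described in the post (a launch key pointing at a
freshly named executable under RECYCLER). Facts taken from the post: the
[AutoRun] section, the shellexecute key, the /RECYCLER/<name>.exe target and
the 114688-byte size. Function names and the sample drive are constructed.
"""
import configparser
import os
import tempfile
from dataclasses import dataclass, field

# autorun.inf keys that make Windows run something when the drive is opened
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}

REPORTED_PAYLOAD_SIZE = 114688  # size of the dropped .exe reported in the thread

# Constructed copy of the autorun.inf quoted in the post
SAMPLE_AUTORUN = "[AutoRun]\nshellexecute=/RECYCLER/rrqzrmne.exe navg\n"


@dataclass
class Finding:
    key: str            # which launch key was set
    command: str        # raw command line from autorun.inf
    target: str         # executable path, relative to the drive root
    reasons: list = field(default_factory=list)


def parse_launch_entries(text: str) -> dict:
    """Return {key: command} for every launch key in any [autorun...] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str.lower          # Windows treats keys case-insensitively
    parser.read_string(text)
    entries = {}
    for section in parser.sections():
        if section.lower().startswith("autorun"):   # [AutoRun], [autorun.amd64], ...
            for key, value in parser.items(section):
                if key in LAUNCH_KEYS and value and value.strip():
                    entries[key] = value.strip()
    return entries


def inspect_entry(drive_root: str, key: str, command: str) -> Finding:
    """Judge one launch entry; reasons stay empty for a benign-looking entry."""
    tokens = command.split()
    target = tokens[0] if tokens else ""            # executable is the first token
    rel = target.replace("\\", "/").lstrip("/")
    finding = Finding(key, command, rel)
    parts = rel.lower().split("/")
    if "recycler" in parts[:-1]:                    # heuristic built from the post
        finding.reasons.append("executable hidden under RECYCLER")
    path = os.path.join(drive_root, *rel.split("/"))
    if os.path.isfile(path):
        if os.path.getsize(path) == REPORTED_PAYLOAD_SIZE:
            finding.reasons.append("size matches the 114688-byte payload from the thread")
    else:
        finding.reasons.append("target not present (consistent with AV having deleted it)")
    return finding


def scan_drive(drive_root: str) -> list:
    """Read <root>/autorun.inf, if present, and return one Finding per launch key."""
    inf = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", encoding="utf-8", errors="replace") as fh:
        entries = parse_launch_entries(fh.read())
    return [inspect_entry(drive_root, k, v) for k, v in entries.items()]


def build_demo_drive(root: str) -> None:
    """Constructed stand-in for an infected stick: the quoted autorun.inf plus a
    dummy file of the reported size (all zero bytes, not a real payload)."""
    os.makedirs(os.path.join(root, "RECYCLER"), exist_ok=True)
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "RECYCLER", "rrqzrmne.exe"), "wb") as fh:
        fh.write(b"\0" * REPORTED_PAYLOAD_SIZE)


def demo() -> list:
    """Build the constructed drive in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_drive(root)
        return scan_drive(root)


if __name__ == "__main__":
    for f in demo():
        print(f.key, "->", f.target, "|", "; ".join(f.reasons) or "nothing suspicious")
```

To use it on a real stick, call scan_drive with the drive's root (for example "E:\\"). A missing target is reported rather than ignored, because in this thread the AV deletes the executable but leaves the autorun.inf behind, and that leftover file is itself the evidence that something on the host is still writing to removable drives.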
OldTimer
Hello Rbid and welcome to BC. Let's see what we can find.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Do not change any settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.

Cheers.

OT
