
I have the Recycler Virus / External drive folders turned into shortcuts


  • This topic is locked
9 replies to this topic

#1 Vaneyk


Posted 05 January 2012 - 10:47 AM

Hi, I am teaching English in Thailand and have to transfer files often between my computers and the ones at the school and printing shops, etc. Most of these computers are running cracked versions of Windows, so they are laden with malware. Two weeks ago I had the Security Sphere 2012 rogue security malware and I am pretty sure I fully got rid of it and doubt it's related, but I'm mentioning it in case there's some connection I don't know about.

So, I think I have the Recycler virus similar to or the same as the one from this old post http://www.bleepingcomputer.com/forums/topic199413.html

First of all, I am running one laptop with Windows 7 Home Premium and another with Windows 7 Starter. The Recycler virus seems to be on both. The symptoms are: a hidden "RECYCLER" folder on every USB stick, external hard drive, and SD card I have; all the folders are now turned into shortcuts (I can still access most of the folders except for the ones on my WD Passport, which say they cannot be found); I can no longer eject any of these devices as they are always 'in use'; and until I ran MalwareBytes and SuperAntiSpyware, every time I restarted the computers a file called Zaberg.exe had its properties window open at start-up. But after running the scans and deleting the files the drives are still acting the same.

When I ran MalwareBytes it detected a handful of malicious files, not sure which ones are related so I will post the log (the iexplor.exe file was a renamed RKill application from when I got rid of Security Sphere but I let it delete it anyway).

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.04.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
B :: B-PC [administrator]

1/4/2012 2:37:37 AM
mbam-log-2012-01-04 (02-37-37).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 360335
Time elapsed: 39 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Worm.AutoRun) -> Data: explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Freaef (Trojan.Menti) -> Data: C:\Users\B\AppData\Roaming\Freaef.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zaber0 (Worm.Autorun.B) -> Data: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe) Good: (Explorer.exe) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830 (Worm.AutoRun) -> Quarantined and deleted successfully.

Files Detected: 5
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\Desktop.ini (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe (Worm.Autorun.B) -> Quarantined and deleted successfully.
C:\Users\B\AppData\Roaming\Freaef.exe (Trojan.Menti) -> Quarantined and deleted successfully.
C:\Users\B\Desktop\iExplor.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\RECYCLER\e5188982.exe (Trojan.Menti) -> Quarantined and deleted successfully.

(end)


And this is the log from SuperAntiSpyware minus the tracking cookies.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2012 at 06:45 AM

Application Version : 5.0.1142

Core Rules Database Version : 8096
Trace Rules Database Version: 5908

Scan type : Complete Scan
Total Scan Time : 00:30:57

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned : 652
Memory threats detected : 0
Registry items scanned : 70550
Registry threats detected : 0
File items scanned : 70307
File threats detected : 198

[197 tracking cookies]

Trojan.Dropper/Malevo-NV
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\ZABERG.EXE



Please let me know what I should do next. It is bedtime over here so I will check this again after school tomorrow, so in about 15-20 hours.

Thanks

Edited by Vaneyk, 05 January 2012 - 11:52 PM.



 


#2 boopme


Posted 08 January 2012 - 03:15 PM

Hello.
If you transfer files with a Flash drive, that tool is infected and carrying malware into any units it connects to.

Clean the Flash Drive. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present. Then perform your scans.

If your Malwarebytes is the Paid version, perform a Full scan. The option for a Flash Scan is only on the paid version.
OR

Norman Malware Cleaner. For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.

Now please run these......Keeping the drive connected.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.


Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
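
Added example (not part of the original posts, and not code from BleepingComputer or any of the tools named above): a read-only Python triage of a drive root for the symptoms this thread describes, namely an autorun.inf, executables under a RECYCLER folder, and shortcuts that carry the same name as a folder. The function names, the finding labels and the sample tree are assumptions made for this illustration; the results are leads to confirm with the scanners recommended above, not verdicts.

```python
import os
import sys
import tempfile

# Extensions Windows will execute directly (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit reported by os.stat()


def is_hidden(entry):
    """True if the Windows hidden attribute is set; always False elsewhere."""
    try:
        info = entry.stat(follow_symlinks=False)
    except OSError:
        return False
    return bool(getattr(info, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


def triage_drive(root):
    """Return (kind, path, detail) tuples for one drive root. Nothing is modified."""
    findings, folders, shortcuts = [], {}, []
    with os.scandir(root) as it:
        for entry in it:
            lower = entry.name.lower()
            if entry.is_dir(follow_symlinks=False):
                folders[lower] = entry
            elif lower.endswith(".lnk"):
                shortcuts.append(entry)
            elif lower == "autorun.inf":
                findings.append(("autorun.inf", entry.path,
                                 "autorun file in the drive root"))

    # "Folders turned into shortcuts": a .lnk in the root named after a folder
    # that still exists next to it (usually with the hidden attribute set).
    for sc in shortcuts:
        folder = folders.get(sc.name[:-4].lower())
        if folder is not None:
            detail = "shortcut has the same name as a folder"
            if is_hidden(folder):
                detail += " and the folder is hidden"
            findings.append(("shadow-shortcut", sc.path, detail))

    # Executables under RECYCLER. On an XP-era NTFS volume RECYCLER is the real
    # Recycle Bin and can hold deleted programs, so treat hits as leads only.
    recycler = folders.get("recycler")
    if recycler is not None:
        for dirpath, _dirnames, filenames in os.walk(recycler.path):
            for name in filenames:
                if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                    findings.append(("recycler-executable",
                                     os.path.join(dirpath, name),
                                     "executable inside RECYCLER"))
    return findings


def build_sample_drive(root):
    """Constructed sample tree with empty placeholder files (no real malware)."""
    os.makedirs(os.path.join(root, "Programs"))
    os.makedirs(os.path.join(root, "RECYCLER"))
    for rel in ("Programs.lnk", "notes.lnk", "autorun.inf",
                os.path.join("RECYCLER", "e5188982.exe"),
                os.path.join("RECYCLER", "Desktop.ini")):
        open(os.path.join(root, rel), "w").close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = triage_drive(sys.argv[1])      # e.g. python triage.py F:\
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_drive(tmp)
            results = triage_drive(tmp)
    for kind, path, detail in results:
        print(f"{kind:20} {path}  ({detail})")
```
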

#3 Vaneyk


Posted 10 January 2012 - 10:31 AM

Thanks for the response, should I do this with all the infected flash drives connected at once, or one at a time? Also, I've been busy here lately and our internet is spotty to boot, but hopefully I'll find time to do this and post the logs by tomorrow night.

#4 boopme


Posted 10 January 2012 - 12:16 PM

You can connect them all. Just be sure to use any FULL scan options.

#5 Vaneyk


Posted 11 January 2012 - 10:29 AM

Oh wow, I don't know if this was because of the virus or not, but the Eset Online Scanner shed some light on an unexpected problem. A while back I had to reformat my laptop and ended up transferring my entire Users folder onto this external hard-drive. Somehow my "users/appdata/local/application data" folder that transferred along with everything else has become recursive and if I hadn't figured out something was wrong and stopped it the scan might have gone on forever. Strangely this did not happen when I scanned the drive with MBAM or with the Norton scanner. http://answers.microsoft.com/en-us/windows/forum/windows_7-files/infinite-application-data-folders-and-subfolders/e5c13e20-2271-4329-bde8-c93cb1988139 There's some info on the issue, the difference is that I did not change any permissions and it is not the real Application Data folder for my computer, it's an accidental copy of an old one.

I am going to post the log of how far the scan got (I think it was almost done) but I'm sure you won't want to read all of it as it gets a little repetitive.

And I am currently working on trying to fix this problem. I tried to delete the folder but it would not delete all of it, saying that some (11,000) of the source file names are too long for the operation and only giving me the option of skipping them.


Log:

D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined



#6 Vaneyk

Vaneyk
  • Topic Starter

  • Members
  • 38 posts
  • Local time:05:10 AM

Posted 11 January 2012 - 10:32 AM

Looking at that log it seems like it started at 40 some-odd Application Data folders deep and was actually moving up the chain. So maybe it was finite?
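The pattern in the ESET lines above, as an added example that is not part of the thread: on Windows 7, `AppData\Local\Application Data` is a junction that points back to `AppData\Local`, so a scanner that follows it reports the same file once per level. The sketch collapses the looped components and counts the real files; the regexes, helper names and shortened sample depths are assumptions made for illustration.

```python
import re

SEG = "Application Data\\"
# The junction AppData\Local\Application Data points back at AppData\Local,
# so a scanner that follows it sees the same files again at every depth.
JUNCTION_LOOP = re.compile(r"(?<=\\AppData\\Local\\)(?:Application Data\\)+", re.I)
# "<path> <threat> <action>": the threat is the first Family/Name token.
ESET_LINE = re.compile(
    r"^(?P<path>.*?)\s+(?P<threat>(?:probably )?(?:a variant of )?\w+/\S+)\s+(?P<action>.*)$")

def junction_depth(path):
    """Number of times the path re-enters the junction."""
    m = JUNCTION_LOOP.search(path)
    return len(m.group(0)) // len(SEG) if m else 0

def canonical_path(path):
    """Drop the looped components so every alias maps to the real file."""
    return JUNCTION_LOOP.sub("", path)

def unique_detections(lines):
    """Map canonical path -> threat, alias count and deepest alias seen."""
    found = {}
    for line in lines:
        m = ESET_LINE.match(line.strip())
        if not m:
            continue  # blank lines and entries without a Family/Name token
        entry = found.setdefault(canonical_path(m["path"]),
                                 {"threat": m["threat"], "aliases": 0, "max_depth": 0})
        entry["aliases"] += 1
        entry["max_depth"] = max(entry["max_depth"], junction_depth(m["path"]))
    return found

# Constructed sample in the shape of the ESET lines above (depths shortened to 3..0).
ROOT = "D:\\Recovered From G73\\UsersB\\AppData\\Local\\"
FILES = [
    ("Google\\Chrome\\User Data\\Default\\Default\\maepnbjlgkonhfbijibneadkabdanllf\\contentscript.js",
     "Win32/TrojanDownloader.Tracur.F trojan"),
    ("Temp\\jar_cache4675073767324699539.tmp", "a variant of Win32/Kryptik.TVS trojan"),
    ("Temp\\jar_cache7951698761343611126.tmp", "a variant of Win32/Kryptik.TVS trojan"),
]
SAMPLE = [f"{ROOT}{SEG * d}{rel} {verdict} cleaned by deleting - quarantined"
          for d in (3, 2, 1, 0) for rel, verdict in FILES]

if __name__ == "__main__":
    for path, info in unique_detections(SAMPLE).items():
        print(f'{info["aliases"]} aliases (max depth {info["max_depth"]}): {path} [{info["threat"]}]')
```

Twelve sample lines reduce to three files, which is how a long run of near-identical detections should be read when triaging such a log.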

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:05:10 PM

Posted 11 January 2012 - 10:15 PM

Does the Folders issue still exist?
It is possible that you have a file injector virus.
Probably best to just get a deeper look and be certain.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Include a link back to this topic.

Let me know if that went well
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#8 Vaneyk

Vaneyk
  • Topic Starter

  • Members
  • 38 posts
  • Local time:05:10 AM

Posted 12 January 2012 - 04:35 AM

I let ESET run all night and it finished after 6 hours. Then ran MBAM and TFC.

Folders issue still exists but a little different now. Now on my external HD instead of the folders being shortcuts, they are all hidden to where I have to uncheck 'hide protected operating system files' in Folder Options in order to see them. And the Recycler folder still exists on all my drives.

Here are the new ESET and MBAM logs.

ESET:

D:\Recovered From G73\UsersB\AppData\Local\Google\Chrome\User Data\Default\Default\maepnbjlgkonhfbijibneadkabdanllf\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Temp\jar_cache4675073767324699539.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Local\Temp\jar_cache7951698761343611126.tmp a variant of Win32/Kryptik.TVS trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\257e0a14-2eef937a probably a variant of Java/Agent.BR trojan deleted - quarantined
D:\Recovered From G73\UsersB\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\c3423b7-749b58a1 a variant of Java/Agent.DT trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\35a654fd-38d5d469 multiple threats deleted - quarantined
D:\Recovered From G73\UsersB\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\62de1d08-27631e1f a variant of Java/Agent.DT trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\62de1d08-3346ee02 a variant of Java/Agent.DT trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\62de1d08-359fdf12 a variant of Java/Agent.DT trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\62de1d08-517a87fa a variant of Java/Agent.DT trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\62de1d08-6b70a641 a variant of Java/Agent.DT trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\62de1d08-74805477 a variant of Java/Agent.DT trojan cleaned by deleting - quarantined
D:\Recovered From G73\UsersB\AppData\Roaming\Mozilla\Firefox\Profiles\9dlq2o0b.default\extensions\{baaf5dc6-6573-4bdd-a37f-c7d5533b535c}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
D:\RECYCLER\e5188982.exe Win32/Dorkbot.A worm cleaned by deleting - quarantined
Operating memory multiple threats


MBAM:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.11.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
B :: B-PC [administrator]

Protection: Enabled

1/11/2012 3:30:32 PM
MbamLog1

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 714685
Time elapsed: 2 hour(s), 7 minute(s), 25 second(s)

Memory Processes Detected: 1
C:\Users\B\AppData\Roaming\8F.tmp (Backdoor.IRCBot) -> 5772 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zaber0 (Worm.Autorun.B) -> Data: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Worm.AutoRun) -> Data: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe,explorer.exe -> No action taken.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe,explorer.exe) Good: (Explorer.exe) -> No action taken.

Folders Detected: 1
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830 (Worm.AutoRun) -> No action taken.

Files Detected: 6
C:\Users\B\AppData\Roaming\8F.tmp (Backdoor.IRCBot) -> No action taken.
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe (Worm.Autorun.B) -> No action taken.
C:\Users\B\AppData\Roaming\FBBD.tmp (Backdoor.IRCBot) -> No action taken.
F:\RECYCLER\e5188982.exe (Trojan.Menti) -> No action taken.
F:\RECYCLER\18cb2562.exe (Trojan.Agent.SZ) -> No action taken.
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\Desktop.ini (Worm.AutoRun) -> No action taken.

(end)


Now I will work on the DDS log.
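An added example, not part of the post and not Malwarebytes code: a small triage parser for the MBAM text log above that pulls out the registry values that relaunch a program at logon and lists every detection still recorded as "No action taken." The function names and the line-splitting rules are assumptions based only on the log lines shown in this thread.

```python
import re

SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: \d+$")
HEAD = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\)$")

def parse_mbam(text):
    """Return one dict per detection line of an MBAM text log."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION.match(line)
        if sec:
            section = sec["name"]
            continue
        parts = line.split(" -> ")  # item (detection) -> [detail] -> action
        head = HEAD.match(parts[0])
        if section and head and len(parts) >= 2:
            entries.append({"section": section, "item": head["item"],
                            "detection": head["detection"],
                            "detail": " -> ".join(parts[1:-1]), "action": parts[-1]})
    return entries

def autostart_findings(entries):
    """(value name, data, reason) for registry values that launch code at logon."""
    out = []
    for e in entries:
        if e["section"] != "Registry Values" or "|" not in e["item"]:
            continue
        key, value = e["item"].rsplit("|", 1)
        data = e["detail"][6:] if e["detail"].startswith("Data: ") else e["detail"]
        if key.lower().endswith("\\winlogon") and value.lower() == "shell":
            if data.lower() != "explorer.exe":
                out.append((value, data, "Winlogon Shell is not plain explorer.exe"))
        elif key.lower().endswith("\\currentversion\\run") and "\\recycler\\" in data.lower():
            out.append((value, data, "Run value starts a file under RECYCLER"))
    return out

def pending(entries):
    """Detections the log records as not yet acted on."""
    return [e for e in entries if e["action"] == "No action taken."]

# Lines copied from the MBAM log in the post above.
SAMPLE = r"""
Memory Processes Detected: 1
C:\Users\B\AppData\Roaming\8F.tmp (Backdoor.IRCBot) -> 5772 -> No action taken.
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zaber0 (Worm.Autorun.B) -> Data: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Worm.AutoRun) -> Data: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830\zaberg.exe,explorer.exe -> No action taken.
"""
```

Both findings point at the same `zaberg.exe` under `C:\RECYCLER`, one through the per-user Run key and one through a per-user Winlogon `Shell` value that lists it ahead of `explorer.exe`.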

#9 Vaneyk

Vaneyk
  • Topic Starter

  • Members
  • 38 posts
  • Local time:05:10 AM

Posted 12 January 2012 - 10:48 AM

DDS Log Posted, will post again here once I have a reply.

http://www.bleepingcomputer.com/forums/topic437682.html

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:05:10 PM

Posted 12 January 2012 - 12:34 PM

Thank you, no need to post here again. Ask in the new topic about the folders when they reply.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 5 days and ALL logs are answered.

To avoid confusion, I am closing this topic.



