
passwords.exe, porn.exe, sexy.exe, msn.exe



Anti-Rootkit keeps picking up instances of these Trojan.Agent files in every user profile. After clean and reboot, they show up again. Regular Malwarebytes, Trend Micro, Stinger, SUPERAntiSpyware, RogueKiller, McAfee RootkitRemover, and McAfee GetSusp do not find these either before or after running Anti-Rootkit.

The files cannot be found when searching, but then show up on a scan. I'm at a loss... is this a glitch in Anti-Rootkit or is this an actual Trojan that keeps repopulating?

Folders Detected: 2

c:\updata (Worm.AutoRun) -> Delete on reboot.

c:\google.com (Trojan.Agent) -> Delete on reboot.

Files Detected: 156



Hello and Welcome to Malwarebytes

Being that you are probably infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you


  • Root Admin

This is a document for older versions of Trend OfficeScan.

It does not include some of the new files from MBAM but should give you the basic idea of setting exclusions.

Scan Exclusions

Officescan Online Help

Setting Scan Exceptions in Trend Micro OfficeScan - oit.ncsu.edu

Trend Micro OfficeScan Exclusions.pdf


I know this worm a little too well (had dealt with a minor outbreak). This WILL spread via shares, so make sure to lock down other computers on your network. Do not allow the infected machine on the network in a native Windows environment until you have confirmed the worm has been purged. It is also highly recommended that you investigate any other Windows computers on your network as they might be infected already. Also another note, it will spread to your USB drives, so get those cleaned out with offline scans as well.

For the most part, a Malwarebytes Anti-Malware scan and a ComboFix will take care of it. However, if you have a system image to recover from, I'd highly suggest saving time using that.
