
'Trojan-Downloader.WMA.GetCodec.u' detected

  1. #1
    Junior Member
    Joined: 28.04.2007
    Posts: 12
    Reputation weight: 62

    'Trojan-Downloader.WMA.GetCodec.u' detected

    I got an Acer laptop (German Vista) from a friend with several infections in WMA and MP3 files. The reason for the infection was obviously P2P downloads using Limewire.
    The virus removal tool worked fine, but I have problems with the scan of AVZ (analysis and malware removal). The scan seems to remain in a loop in the folder c:\ Documents and Settings \ All Users \
    Anwendungsdaten \ Anwendungsdaten....
    (Anwendungsdaten = application data). I stopped this scan, as after 6 hours a remaining time
    of 122 hours was shown.
    AVZ with "analysis scan" did work and the syscheck.zip was created.
    After that I ran HJT.
    Did I do something wrong? Can you help me even if there are only the two files available?
    Looking with a Linux Live CD I see a folder, but in Vista I see a link and cannot access it.

    Many thanks
    copperray
    Attachments
    _______
    copperray

  2. #2
    Senior Member (Numb)
    Joined: 04.10.2005
    Posts: 2,118
    Reputation weight: 870
    Hello.
    Are you sure you've launched the AVZ utility using the "runas" option of the context menu? Even though you're working under an administrator's account, you should use the "runas" option to get correct results in your logs. Anyway, I don't see anything harmful in your logs. There are some suspicious files there. If you want them to be checked, please execute the script:
    Code:
    begin
    QuarantineFile('C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe','');
    QuarantineFile('c:\windows\plfseti.exe','');
    BC_ImportquarantineList;
    BC_Activate;
    RebootWindows(true);
    end.
    After restart, upload quarantine using the link http://virusinfo.info/upload_virus_eng.php?tid=54763 , as it's described in the app.3 of the rules.
    As for this suspicious folder, I think it's normal - it's the way that Vista's protection works, but you can try to gain access to it using takeown command and look what is inside.

  3. #3
    Junior Member
    Joined: 28.04.2007
    Posts: 12
    Reputation weight: 62
    Hi,
    I followed your instructions. I ran AVZ using "runas" a second time, but with the same result. Can it be possible that Trojans create such links to disturb antivirus scanning? For comparison, I do not have such directory links in another Vista system.
    I uploaded the file list created with your script. AFAIK the "plfseti.exe" is a link to the webcam of the laptop.

    Additional question: How can I set a password on the virus.zip? I found nothing in Windows nor in 7zip.

    Thanks

    copperray
    _______
    copperray

  4. #4
    Senior Member (Numb)
    Joined: 04.10.2005
    Posts: 2,118
    Reputation weight: 870
    Hello.
    Everything is possible of course, but I still think it's one of Vista's tricks. There are many examples of "protection by obfuscation" in Vista. Did you try to gain access to this folder using the "takeown" command?
    You don't need to set a password if you create virus.zip using the AVZ tool; it will be set automatically.

    Added 26 minutes later

    But maybe you'd better check this laptop with a live CD, such as the DrWeb live CD for example, just to be sure that there is nothing harmful there that was missed by the first check.
    Last edited by Numb; 17.09.2009 at 01:18. Reason: Added

  5. #5
    Junior Member
    Joined: 28.04.2007
    Posts: 12
    Reputation weight: 62
    Hello Numb,

    the "takeown" command did not help to gain access. Using the Windows console I can go into these directories and see some subdirectories.
    The scan with the DrWeb Live CD is still running. Using "default mode" the program stops at the boot screen, so I'm using "safe mode".

    Added 59 minutes later

    Hello,

    The scan finished. Nothing found.
    Seems this story can be closed now.

    Thanks for the help.
    Last edited by copperray; 18.09.2009 at 01:16. Reason: Added
    _______
    copperray
