Ok, so I downloaded a trial version of O&O defrag on utorrent (legally) and then I un RAR'd the file with the two versions of the installer program in it. Then I opened the x64 version of the program installer and then my computer started to wig out on me.

1. Mcafee told me it removed a trojan
2. Utorrent Re-opened and spammed my pc with popups reading "error (or something along those lines i dont remember)"
3. Mcafee opened again and asked me if a certain amount of programs could access the net. (i hit no)
4. I dont remember what the other programs were, except one: (21157.exe)
5. I wrote it down then i got the BSOD
6. I restarted my PC and went to another profile and mt problems seemed to be fixed until i went back to the other profile i was originally on. I immediatly knew at this point that it was a startup program for my profile, and i tried to open its containing folder (mcafee tells it to you when it asks permission)

7.but i couldnt. Task Manager wouldnt even open!!! All my resources were presumably at 100% so thats where I am now. (once i got the task manager to open immedaitly before the 21157.exe opened itself and saw that alreay 5 of this program was running. then it multiplied and multiplied to about 9000 procesess followed by the BSOD)

8. Mcafee virus scan sees absolutetly nothing wrong with my pc (or even the original installer), so i think the virus patched a system file.

9. So now im gonna disable UAC and do a search for 21157.exe on my other profile through the profile that isnt messed up and delete it.

WILL THIS SOLVE MY PROBLEM???

(I would give you a screenshot of the taskmanager with the over 9000 processes of 21157.exe on it but i cant save it in time b/c of the BSOD)

8R4ND0N

READ ALL OF THE FOLLOWING before doing anything:

If anyone here has balls enough to tackle this go right ahead. I uploaded the 21157.exe in a zip file, and dont worry, you can go ahead and unzip it, just dont run the program itself until you decide youre ready to take on this beast. If you can fix it, please tell me because its causing me hell.

YOU WERE WARNED AND I DONT EXPECT ANYONE TO DOWNLOAD THIS, I JUST WANNA KNOW IF ANYONE KNOWS WHERE IT COMES FROM!!!

This is your decision.

21157.zip<br />

8R4ND0N

This looks like it could be a challenge.

Just gonna create my back-up first. I'm using Vista Ultimate 32 bit so the removal technique will be alike.

I'm keen.

I first restored my pc to factory state so there were no antispyware or antivirus program on it. Then I disabled windows defender and firewall.

I downloaded, extracted the zip file and then run it as administrator.

At first it loaded and started running a program named 12145.exe but I was able to kill the process. Then I extracted and ran 21157.exe as administrator again and it started a program called 9683.exe. This also was able to be killed through task manager.

I noted the file path and it was

C:\users\username\AppData\Roaming\microsoft\dtsc\9683.exe

I had a couple more goes installing 21157.exe and rebooting.

Eventually it took hold and locked my pc up totally!!! I tried to reboot into safe mode and that locked up too!

I tried a couple of more reboots and eventually I was able to boot into safe mode with networking. As soon as I could I went into task manager and killed the process (this time named 30118.exe)

I then downloaded HiJackthis and run a scan. I fixed the line that showed the random exe:

O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Users\username\AppData\Roaming\Microsoft\dtsc\30118.exe

Still in safe mode I navigated to and deleted this folder:

C:\users\username\AppData\Roaming\microsoft\ dtsc <------

I then downloaded Combofix and ran it... It detected and fixed couple of problems. Now I'm reviewing the log to see if there is anything left behind. So far I've noticed these 2 lines which don't belong because Utorrent has never been installed on this machine and it was backed up to factory state.

"{452EF2AA-CE3D-4171-80E7-C6374C6AB31C}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{DB640CAE-CD5E-4AD3-BD8C-39D575026400}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

I know that the malware hasn't acted in the same way on this machine as it has on yours. I could only ever see one instance of the malware running at any given time. But I hope it can help with the removal of it on your machine.

well at about 2am this morning i fixed it myself as well, but it looks as though Mcafee did do something after all...
When I started under safe mode the exe did not start on my pc, nor did it change names when not under safe mode. In fact, i think vista sp1 had a little to do with it as well b/c it <u>only</u> installed itself to C:\users\username\AppData\Roaming\microsoft\dtsc\21157.exe for each username, so i guess i got off easy hehe =).

All i did was uninstall utorrent from my pc from a protected user account, then I rebooted and noted that it did not come back, so i ran a search for the exe (good thing mine did not change names for whatever reason) and deleted it.

I googled the exe name and found 0 results (oh really?!) and then i knew it was not windows-vital.

anyway thanks for the help!

8R4ND0N

Uploaded to Jotti's malware scan
http://virusscan.jotti.org/

What others call it.

File: 21157.zip
Status:
INFECTED/MALWARE
MD5: 83f86878bbaec72514a50523e4e91104
Packers detected:
PE_PATCH.UPX, UPX
Scanner results
Scan taken on 06 Jun 2008 19:42:02 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dldr.Agent.plz.2
ArcaVir
Found Trojan.Psw.Agent.Hj
Avast
Found nothing
AVG Antivirus
Found Downloader.Generic7.RAM
BitDefender
Found BehavesLike:Trojan.Downloader (probable variant)
ClamAV
Found nothing
CPsecure
Found Troj.Downloader.W32.Agent.rvy
Dr.Web
Found Trojan.MulDrop.15934
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan-Downloader.Win32.Agent.rvy
Fortinet
Found nothing
Ikarus
Found BehavesLike.Trojan-Downloader
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Agent.rvy
NOD32
Found Win32/TrojanDownloader.Agent.PLZ
Norman Virus Control
Found W32/Downloader.NHJ
Panda Antivirus
Found Trj/Downloader.TWA
Sophos Antivirus
Found Mal/Generic-A
VirusBuster
Found nothing
VBA32
Found Embedded.Trojan-Downloader.Win32.Agent.plz (probable variant)