
What is 21157.exe and how do i remo


Name: ryker_sf
Date: June 5, 2008 at 22:41:22 Pacific
OS: Win Vista Ultimate x64
CPU/Ram: CPU: AMD 2.8GHZ x2 -- RAM
Manufacturer/Model: Asus M2N SLI Deluxe nforc
Comment:

OK, so I downloaded a trial version of O&O Defrag on uTorrent (legally) and then I un-RAR'd the file with the two versions of the installer program in it. Then I opened the x64 version of the program installer and then my computer started to wig out on me.

1. McAfee told me it removed a trojan
2. uTorrent re-opened and spammed my PC with popups reading "error (or something along those lines, I don't remember)"
3. McAfee opened again and asked me if a certain number of programs could access the net. (I hit no)
4. I don't remember what the other programs were, except one: (21157.exe)
5. I wrote it down, then I got the BSOD
6. I restarted my PC and went to another profile and my problems seemed to be fixed until I went back to the other profile I was originally on. I immediately knew at this point that it was a startup program for my profile, and I tried to open its containing folder (McAfee tells it to you when it asks permission)

7. but I couldn't. Task Manager wouldn't even open!!! All my resources were presumably at 100%, so that's where I am now. (Once I got the Task Manager to open immediately before the 21157.exe opened itself and saw that already 5 of this program were running. Then it multiplied and multiplied to about 9000 processes, followed by the BSOD.)

8. McAfee virus scan sees absolutely nothing wrong with my PC (or even the original installer), so I think the virus patched a system file.

9. So now I'm gonna disable UAC and do a search for 21157.exe on my other profile through the profile that isn't messed up and delete it.


WILL THIS SOLVE MY PROBLEM???

(I would give you a screenshot of the Task Manager with the over 9000 processes of 21157.exe on it but I can't save it in time b/c of the BSOD)

8R4ND0N



Response Number 1
Name: ryker_sf
Date: June 5, 2008 at 23:05:44 Pacific
Reply:

READ ALL OF THE FOLLOWING before doing anything:

If anyone here has balls enough to tackle this, go right ahead. I uploaded the 21157.exe in a zip file, and don't worry, you can go ahead and unzip it, just don't run the program itself until you decide you're ready to take on this beast. If you can fix it, please tell me because it's causing me hell.

YOU WERE WARNED AND I DON'T EXPECT ANYONE TO DOWNLOAD THIS, I JUST WANNA KNOW IF ANYONE KNOWS WHERE IT COMES FROM!!!

This is your decision.

21157.zip

8R4ND0N



Response Number 2
Name: btk1w1
Date: June 5, 2008 at 23:50:40 Pacific
Reply:

This looks like it could be a challenge.

Just gonna create my back-up first. I'm using Vista Ultimate 32-bit, so the removal technique will be alike.

I'm keen.



Response Number 3
Name: btk1w1
Date: June 6, 2008 at 01:20:22 Pacific
Reply:

I first restored my PC to factory state so there were no antispyware or antivirus programs on it. Then I disabled Windows Defender and the firewall.

I downloaded and extracted the zip file and then ran it as administrator.

At first it loaded and started running a program named 12145.exe, but I was able to kill the process. Then I extracted and ran 21157.exe as administrator again and it started a program called 9683.exe. This also was able to be killed through Task Manager.

I noted the file path and it was

C:\users\username\AppData\Roaming\microsoft\dtsc\9683.exe

I had a couple more goes installing 21157.exe and rebooting.

Eventually it took hold and locked my PC up totally!!! I tried to reboot into safe mode and that locked up too!

I tried a couple more reboots and eventually I was able to boot into safe mode with networking. As soon as I could I went into Task Manager and killed the process (this time named 30118.exe).

I then downloaded HijackThis and ran a scan. I fixed the line that showed the random exe:

O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Users\username\AppData\Roaming\Microsoft\dtsc\30118.exe

Still in safe mode I navigated to and deleted this folder:

C:\users\username\AppData\Roaming\microsoft\dtsc

I then downloaded ComboFix and ran it... It detected and fixed a couple of problems. Now I'm reviewing the log to see if there is anything left behind. So far I've noticed these 2 lines which don't belong, because uTorrent has never been installed on this machine and it was backed up to factory state.

"{452EF2AA-CE3D-4171-80E7-C6374C6AB31C}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{DB640CAE-CD5E-4AD3-BD8C-39D575026400}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

I know that the malware hasn't acted in the same way on this machine as it has on yours. I could only ever see one instance of the malware running at any given time. But I hope it can help with the removal of it on your machine.


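The HijackThis O4 line and the ComboFix firewall-exception lines quoted in the reply above are the kind of log entries a responder ends up triaging by hand. As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python checker that parses lines in those two formats and flags the indicators the reply describes: a Run-key entry that launches a digits-only executable from a user-writable AppData folder under a vendor-sounding value name, and a firewall exception for a program that is not on the list of what is actually installed. The sample lines are constructed after the ones in the post, and the expected-programs baseline is an assumed list the responder supplies for the machine being examined.

```python
import re
from typing import NamedTuple, Tuple


class Finding(NamedTuple):
    kind: str                 # "run-key" or "firewall-rule"
    label: str                # Run value name, or "<proto> <rule label>" for firewall rules
    path: str                 # executable the entry launches or allows
    reasons: Tuple[str, ...]  # why it was flagged; empty means nothing stood out


# HijackThis "O4 - HKxx\..\Run: [name] command" lines
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# ComboFix firewall-exception export: "{GUID}"= PROTO:path:label
FW_RE = re.compile(r'^"\{[0-9A-Fa-f-]+\}"= (?P<proto>TCP|UDP):(?P<path>.+?\.exe):(?P<label>.*)$')
# First .exe token of a command line (drops any arguments that follow it)
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)

TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
VENDOR_WORDS = ("microsoft", "windows")


def _run_entry_reasons(name: str, path: str) -> Tuple[str, ...]:
    """Heuristics for one Run-key entry, mirroring what the responder spotted by eye."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]          # e.g. 30118.exe
    reasons = []
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append("launches from a user-writable profile folder")
    if base.endswith(".exe") and base[:-4].isdigit():
        reasons.append("executable name is digits only (looks randomly generated)")
    if any(w in name.lower() for w in VENDOR_WORDS) and not low.startswith(TRUSTED_ROOTS):
        reasons.append("vendor-sounding value name but binary is outside Program Files/Windows")
    return tuple(reasons)


def audit(lines, expected_programs=()):
    """Parse O4 and firewall-export lines; return one Finding per recognised line."""
    expected = {p.lower() for p in expected_programs}
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            path = exe["path"] if exe else m["cmd"]
            findings.append(Finding("run-key", m["name"], path, _run_entry_reasons(m["name"], path)))
            continue
        m = FW_RE.match(line)
        if m:
            reasons = ()
            if m["path"].lower() not in expected:
                reasons = ("firewall exception for a program not in the expected-installed baseline",)
            findings.append(Finding("firewall-rule", f'{m["proto"]} {m["label"]}', m["path"], reasons))
    return findings


def suspicious(findings):
    """Only the findings that carry at least one reason."""
    return [f for f in findings if f.reasons]


# Constructed sample lines modelled on the ones quoted in the post (not a real log capture).
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Users\username\AppData\Roaming\Microsoft\dtsc\30118.exe",
    r"O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r'"{452EF2AA-CE3D-4171-80E7-C6374C6AB31C}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent',
]
# Assumed baseline: what the responder knows is legitimately installed on this machine.
EXPECTED_PROGRAMS = [
    r"C:\Program Files\Windows Defender\MSASCui.exe",
    r"C:\Program Files\Windows Sidebar\sidebar.exe",
]

if __name__ == "__main__":
    for f in suspicious(audit(SAMPLE_LINES, EXPECTED_PROGRAMS)):
        print(f"[{f.kind}] {f.label} -> {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed sample, the two legitimate Run entries come back with no reasons, the dtsc entry trips all three heuristics, and the uTorrent firewall rule is flagged only because it is absent from the baseline; the baseline is what turns "uTorrent was never installed here" into something a script can check.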

Response Number 4
Name: ryker_sf
Date: June 6, 2008 at 07:05:33 Pacific
Reply:

Well, at about 2am this morning I fixed it myself as well, but it looks as though McAfee did do something after all...
When I started under safe mode the exe did not start on my PC, nor did it change names when not under safe mode. In fact, I think Vista SP1 had a little to do with it as well b/c it only installed itself to C:\users\username\AppData\Roaming\microsoft\dtsc\21157.exe for each username, so I guess I got off easy hehe =).

All I did was uninstall uTorrent from my PC from a protected user account, then I rebooted and noted that it did not come back, so I ran a search for the exe (good thing mine did not change names for whatever reason) and deleted it.

I googled the exe name and found 0 results (oh really?!) and then I knew it was not Windows-vital.

Anyway, thanks for the help!

8R4ND0N



Response Number 5
Name: Abnormal
Date: June 6, 2008 at 13:20:27 Pacific
Reply:

Uploaded to Jotti's malware scan
http://virusscan.jotti.org/

What others call it.

File: 21157.zip
Status:
INFECTED/MALWARE
MD5: 83f86878bbaec72514a50523e4e91104
Packers detected:
PE_PATCH.UPX, UPX
Scanner results
Scan taken on 06 Jun 2008 19:42:02 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dldr.Agent.plz.2
ArcaVir
Found Trojan.Psw.Agent.Hj
Avast
Found nothing
AVG Antivirus
Found Downloader.Generic7.RAM
BitDefender
Found BehavesLike:Trojan.Downloader (probable variant)
ClamAV
Found nothing
CPsecure
Found Troj.Downloader.W32.Agent.rvy
Dr.Web
Found Trojan.MulDrop.15934
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan-Downloader.Win32.Agent.rvy
Fortinet
Found nothing
Ikarus
Found BehavesLike.Trojan-Downloader
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Agent.rvy
NOD32
Found Win32/TrojanDownloader.Agent.PLZ
Norman Virus Control
Found W32/Downloader.NHJ
Panda Antivirus
Found Trj/Downloader.TWA
Sophos Antivirus
Found Mal/Generic-A
VirusBuster
Found nothing
VBA32
Found Embedded.Trojan-Downloader.Win32.Agent.plz (probable variant)


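Multi-engine results like the ones above are easiest to read once the per-vendor naming is separated from the behaviour class the engines actually agree on. The following Python script is an added example (not part of the post and not Jotti's code): it parses the report text as pasted above into per-scanner verdicts, pulls out the MD5 and packer lines, and counts how many engines place the sample in each broad class using an assumed keyword table. The report text embedded below is the page's own data; the class keywords are an assumption made here.

```python
import re
from collections import Counter

# Scan report text as pasted in the post above (the page's own data);
# the parser and the keyword table below are added here, not Jotti's code.
JOTTI_REPORT = """\
File: 21157.zip
Status:
INFECTED/MALWARE
MD5: 83f86878bbaec72514a50523e4e91104
Packers detected:
PE_PATCH.UPX, UPX
Scanner results
Scan taken on 06 Jun 2008 19:42:02 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dldr.Agent.plz.2
ArcaVir
Found Trojan.Psw.Agent.Hj
Avast
Found nothing
AVG Antivirus
Found Downloader.Generic7.RAM
BitDefender
Found BehavesLike:Trojan.Downloader (probable variant)
ClamAV
Found nothing
CPsecure
Found Troj.Downloader.W32.Agent.rvy
Dr.Web
Found Trojan.MulDrop.15934
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan-Downloader.Win32.Agent.rvy
Fortinet
Found nothing
Ikarus
Found BehavesLike.Trojan-Downloader
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Agent.rvy
NOD32
Found Win32/TrojanDownloader.Agent.PLZ
Norman Virus Control
Found W32/Downloader.NHJ
Panda Antivirus
Found Trj/Downloader.TWA
Sophos Antivirus
Found Mal/Generic-A
VirusBuster
Found nothing
VBA32
Found Embedded.Trojan-Downloader.Win32.Agent.plz (probable variant)
"""

# Assumed keyword table: substrings different vendors use for the same broad
# behaviour class. Classes are not exclusive; one verdict may count toward several.
CATEGORY_HINTS = {
    "downloader": ("downloader", "dldr"),
    "dropper": ("drop",),
    "password-stealer": ("psw", "pws"),
    "generic": ("generic",),
}


def parse_report(text):
    """Return (metadata, {scanner: verdict or None}) from a Jotti-style text dump."""
    meta = {}
    m = re.search(r"MD5:\s*([0-9a-fA-F]{32})", text)
    if m:
        meta["md5"] = m.group(1).lower()
    m = re.search(r"Packers detected:\s*([^\n]+)", text)
    if m:
        meta["packers"] = tuple(p.strip() for p in m.group(1).split(","))
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    results, i = {}, 0
    while i + 1 < len(lines):           # scanner name on one line, "Found ..." on the next
        name, verdict = lines[i], lines[i + 1]
        if verdict.startswith("Found "):
            detail = verdict[6:].strip()
            results[name] = None if detail.lower() == "nothing" else detail
            i += 2
        else:
            i += 1                      # header line, not a scanner/verdict pair
    return meta, results


def summarize(results):
    """Detection ratio plus how many engines put the sample in each behaviour class."""
    detected = {s: v for s, v in results.items() if v}
    classes = Counter()
    for verdict in detected.values():
        low = verdict.lower()
        for cls, hints in CATEGORY_HINTS.items():
            if any(h in low for h in hints):
                classes[cls] += 1
    return {"scanners": len(results), "detections": len(detected), "classes": dict(classes)}


if __name__ == "__main__":
    meta, results = parse_report(JOTTI_REPORT)
    print(meta)
    print(summarize(results))
```

On the report above this gives 14 of 20 engines detecting, with 11 of them naming a downloader, which is the useful signal here: the vendor family names (Agent.rvy, Agent.plz, NHJ, TWA) disagree, but the behaviour class does not, and that is what explains the uTorrent pop-ups and the extra processes the original poster saw.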
