
Infected with Win32:Alureon-EO [Rtk] detected by avast every two min


  • This topic is locked
20 replies to this topic

#1 salmantq

Posted 09 December 2009 - 11:28 AM

My avast detects the Win32:Alureon-EO [Rtk] virus every two minutes.
Avira antivirus detects the TR/TDss.zb Trojan every two minutes (I have uninstalled it).
I have scanned the system with Ad-Aware but with no luck.
Every time, this virus is detected at the location C:\Windows\temp\ncsw.tmp\svchost.exe by Avira or avast.
I have run DDS, which was successful; I disabled all antivirus while running this file.
However, when I tried to run RootRepeal it gave me an error; the log is as follows:

21:19:51: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000e8)
21:19:52: DeviceIoControl Error! Error Code = 0x1e7
21:19:52: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000e8


====================================================================

DDS (Ver_09-12-01.01) - NTFSx86
Run by salman at 21:09:27.69 on Wed 12/09/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.630 [GMT 5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\salman\Documents\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.pk/
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {72B36EB9-98EA-4933-A7D3-C775C16C8ACE} = 208.67.222.222,208.67.220.220
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-9 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-8 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-8 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-12-8 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-8 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 sensorsview32;sensorsview32;c:\windows\system32\drivers\sensorsview32.sys [2009-12-6 14416]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-10-7 185640]
R4 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-28 56816]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-8 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-8 352920]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

=============== Created Last 30 ================

2009-12-09 15:16:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-08 22:31:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-08 22:28:12 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-08 22:27:56 0 d-----w- c:\programdata\Lavasoft
2009-12-08 22:27:56 0 d-----w- c:\program files\Lavasoft
2009-12-08 22:16:57 0 d-----w- c:\users\salman\appdata\roaming\Malwarebytes
2009-12-08 22:16:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-08 22:16:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-08 22:16:47 0 d-----w- c:\programdata\Malwarebytes
2009-12-08 22:16:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-08 15:26:21 0 d-sh--w- C:\$RECYCLE.BIN
2009-12-08 15:06:35 98816 ----a-w- c:\windows\sed.exe
2009-12-08 15:06:35 77312 ----a-w- c:\windows\MBR.exe
2009-12-08 15:06:35 260608 ----a-w- c:\windows\PEV.exe
2009-12-08 15:06:35 161792 ----a-w- c:\windows\SWREG.exe
2009-12-08 02:23:01 216788239 ----a-w- c:\windows\MEMORY.DMP
2009-12-07 20:09:35 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-07 20:09:35 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-12-07 20:09:35 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-12-07 20:09:35 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-07 18:25:55 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-06 18:37:15 0 d-----w- c:\windows\system32\appmgmt
2009-12-06 18:33:57 535 ----a-w- c:\windows\system32\MAPISVC.BAK
2009-12-06 18:33:51 0 d-----w- c:\program files\Ontrack
2009-12-06 17:46:11 0 d-----w- c:\windows\system32\custom matrices
2009-12-06 17:46:08 0 d-----w- c:\windows\system32\QuickTime
2009-12-06 17:46:08 0 d-----w- c:\windows\system32\C2MP
2009-12-06 06:55:21 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-06 06:53:33 0 d-----r- c:\program files\Skype
2009-12-06 06:53:29 0 d-----w- c:\programdata\Skype
2009-12-05 22:29:13 14416 ----a-w- c:\windows\system32\drivers\sensorsview32.sys
2009-12-05 22:27:43 0 d-----w- c:\program files\SensorsViewPro32
2009-12-05 21:36:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_cputemperature_01007.Wdf
2009-12-05 21:36:25 24488 ----a-w- c:\windows\system32\drivers\cputemperature.sys
2009-12-05 21:36:24 0 d-----w- c:\program files\eFMer
2009-12-05 21:27:41 999425 ----a-w- c:\windows\system32\HWMBlackBoxX86.dll
2009-12-05 21:27:39 0 d-----w- c:\users\salman\appdata\roaming\HWM BlackBox
2009-12-05 21:02:20 45 ----a-w- c:\windows\system32\initdebug.nfo
2009-12-05 20:53:38 0 d-----w- c:\program files\Driver Checker
2009-12-05 20:43:10 0 d-----w- c:\program files\Motherboard Monitor 5
2009-12-05 18:21:48 0 d-----w- c:\program files\FreeZ Online TV
2009-12-05 15:42:45 0 d-----w- C:\Diskeeper
2009-12-05 07:27:38 0 d-----w- c:\programdata\Adobe
2009-12-02 15:07:21 0 d-----w- c:\users\salman\appdata\roaming\GrabPro
2009-12-02 15:07:21 0 d-----w- C:\downloads
2009-12-02 15:07:16 0 d-----w- c:\program files\Orbitdownloader
2009-12-01 20:19:12 65536 --sha-w- c:\users\salman\NTUSER.DAT{6cced2f0-6e01-11de-8bed-001e0bcd1824}.TxR.blf
2009-12-01 20:19:12 1048576 --sha-w- c:\users\salman\NTUSER.DAT{6cced2f0-6e01-11de-8bed-001e0bcd1824}.TxR.2.regtrans-ms
2009-12-01 20:19:12 1048576 --sha-w- c:\users\salman\NTUSER.DAT{6cced2f0-6e01-11de-8bed-001e0bcd1824}.TxR.1.regtrans-ms
2009-12-01 20:19:12 1048576 --sha-w- c:\users\salman\NTUSER.DAT{6cced2f0-6e01-11de-8bed-001e0bcd1824}.TxR.0.regtrans-ms
2009-12-01 15:53:04 30568 ----a-w- c:\windows\system32\mdimon.dll
2009-12-01 15:48:41 0 d-----w- c:\programdata\Microsoft Help
2009-11-28 19:29:59 0 d-----w- c:\users\salman\Tracing
2009-11-28 19:16:22 0 d-----w- c:\program files\Microsoft
2009-11-28 19:16:02 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-28 19:15:01 0 d-----w- c:\windows\PCHEALTH
2009-11-28 19:10:28 0 d-----w- c:\program files\common files\Windows Live
2009-11-28 10:34:57 0 d-----w- c:\users\salman\appdata\roaming\TeamViewer
2009-11-28 10:34:44 0 d-----w- c:\program files\TeamViewer
2009-11-28 10:33:28 0 d-----w- c:\users\salman\temp
2009-11-28 06:57:37 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-28 06:55:36 1002008 ----a-w- c:\windows\system32\igxpun.exe
2009-11-28 06:55:36 0 d-----w- c:\windows\system32\x64
2009-11-28 06:54:20 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-28 06:49:08 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-11-28 06:49:08 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-11-28 06:49:07 71168 ----a-w- c:\windows\system32\fontsub.dll
2009-11-28 06:49:07 507568 ----a-w- c:\windows\system32\winload.exe
2009-11-28 06:49:07 442920 ----a-w- c:\windows\system32\winresume.exe
2009-11-28 06:49:07 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-11-28 06:49:07 2613248 ----a-w- c:\windows\explorer.exe
2009-11-28 06:49:07 108544 ----a-w- c:\windows\system32\t2embed.dll
2009-11-28 06:49:06 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-28 06:48:28 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-11-28 06:37:39 0 d-----w- c:\users\salman\appdata\roaming\DMCache
2009-11-28 06:33:49 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-28 06:33:45 0 d-----w- c:\program files\Avira
2009-11-28 06:29:52 0 d-----w- c:\program files\GRETECH
2009-11-28 06:19:13 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-28 06:10:36 0 d-----w- c:\program files\uTorrent
2009-11-28 06:09:45 0 d-----w- c:\users\salman\appdata\roaming\uTorrent
2009-11-28 05:31:18 0 d-----w- c:\program files\MSXML 4.0
2009-11-28 05:31:15 0 d-sh--w- c:\windows\Installer
2009-11-28 05:31:03 0 d-----w- C:\TempEI4
2009-11-28 05:04:40 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-11-28 05:04:26 0 d-----w- c:\windows\system32\wbem\Performance
2009-11-28 04:50:47 0 d-----w- c:\windows\Panther

==================== Find3M ====================

2009-10-22 19:15:56 143872 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2009-10-22 19:01:22 4835652 ----a-w- c:\windows\system32\libavcodec.dll
2009-10-16 23:58:06 183296 ----a-w- c:\windows\system32\ff_samplerate.dll
2009-10-16 23:57:06 146944 ----a-w- c:\windows\system32\ff_tremor.dll
2009-10-16 23:04:24 178688 ----a-w- c:\windows\system32\ff_libmad.dll
2009-10-16 23:04:08 113152 ----a-w- c:\windows\system32\ff_unrar.dll
2009-10-16 23:03:48 257024 ----a-w- c:\windows\system32\ff_libdts.dll
2009-10-16 23:03:44 142848 ----a-w- c:\windows\system32\ff_liba52.dll
2009-10-16 23:03:40 484864 ----a-w- c:\windows\system32\ff_libfaad2.dll
2009-10-16 22:10:10 281748 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-10-16 20:53:32 100864 ----a-w- c:\windows\system32\ff_wmv9.dll
2009-10-16 20:53:20 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-16 19:40:42 957047 ----a-w- c:\windows\system32\ff_x264.dll
2009-10-16 19:38:20 914464 ----a-w- c:\windows\system32\xvidcore.dll
2009-10-16 19:35:50 311204 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2009-10-16 19:08:54 611638 ----a-w- c:\windows\system32\libmplayer.dll
2009-10-16 19:04:28 1632375 ----a-w- c:\windows\system32\ffmpegmt.dll
2009-09-11 12:15:38 8198680 ----a-w- c:\windows\system32\TVWSetup.exe
2009-09-11 12:15:38 672792 ----a-w- c:\windows\system32\igfxcfg.exe
2009-09-11 12:15:38 173080 ----a-w- c:\windows\system32\igfxext.exe
2009-09-11 12:15:36 252952 ----a-w- c:\windows\system32\igfxsrvc.exe
2009-09-11 12:15:36 173592 ----a-w- c:\windows\system32\hkcmd.exe
2009-09-11 12:15:36 150552 ----a-w- c:\windows\system32\igfxpers.exe
2009-09-11 12:15:36 141848 ----a-w- c:\windows\system32\igfxtray.exe
2009-09-11 12:11:52 155648 ----a-w- c:\windows\system32\igfxCoIn_v1912.dll
2009-09-11 12:00:22 3829760 ----a-w- c:\windows\system32\igdumd32.dll
2009-09-11 11:46:56 2686976 ----a-w- c:\windows\system32\ig4dev32.dll
2009-09-11 11:46:30 4104192 ----a-w- c:\windows\system32\ig4icd32.dll
2009-09-11 11:36:26 257536 ----a-w- c:\windows\system32\igfxTMM.dll
2009-09-11 11:36:10 59392 ----a-w- c:\windows\system32\oemdspif.dll
2009-09-11 11:36:00 23552 ----a-w- c:\windows\system32\igfxexps.dll
2009-09-11 11:35:56 199680 ----a-w- c:\windows\system32\igfxpph.dll
2009-09-11 11:35:32 51712 ----a-w- c:\windows\system32\igfxsrvc.dll
2009-09-11 11:35:12 130048 ----a-w- c:\windows\system32\igfxdo.dll
2009-09-11 11:35:04 94208 ----a-w- c:\windows\system32\hccutils.dll
2009-09-11 11:34:58 5702656 ----a-w- c:\windows\system32\igfxress.dll
2009-09-11 11:34:58 218112 ----a-w- c:\windows\system32\igfxdev.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:10:18.03 ===============

Attached Files



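Three things in the DDS log above are what a responder would pull out first: svchost.exe executing from C:\Windows\temp\ncsw.tmp\ instead of %SystemRoot%\System32 (the path both scanners kept flagging), EnableLUA = 0 under mPolicies-system (UAC is switched off, so anything running with an administrator token is already elevated, no prompt), and a BHO whose CLSID resolves to "No File". The Python below is an added example, not a tool from this thread or from the DDS authors. It parses a DDS-style log into its "=== section ===" blocks and applies those three checks. The log excerpt embedded in it is constructed from lines of the posted log plus one invented process line standing in for the dropper; the SYSTEM_ONLY list, the section-key names and the function names are choices made for this example.

```python
"""Triage a DDS log for the indicators raised in this thread (added example)."""
import re
from typing import Dict, List

# Constructed excerpt in DDS format: real lines from the posted log plus one
# invented process line for the dropper the AV kept catching in Temp.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\temp\ncsw.tmp\svchost.exe
C:\Windows\explorer.exe

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: EnableLUA = 0 (0x0)
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-9 64288]
"""

# Binaries that only ever run from the Windows system directories
# (assumption: a minimal list chosen for this example; extend for your environment).
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
HEADER = re.compile(r"^=+\s*(.*?)\s*=+$")


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group the non-blank lines of a DDS log under their '=== name ===' headers."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def masquerading_processes(lines: List[str]) -> List[str]:
    """System-only binary names executing from outside the system directories."""
    hits = []
    for line in lines:
        path = line.split(" -k ")[0].strip().lower()   # drop the svchost group argument
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_ONLY and not path.startswith(SYSTEM_DIRS):
            hits.append(path)
    return hits


def uac_disabled(lines: List[str]) -> bool:
    """EnableLUA = 0: UAC is off, so an admin-token process runs elevated without a prompt."""
    for line in lines:
        m = re.match(r"mPolicies-system:\s*EnableLUA\s*=\s*(\d+)", line)
        if m and int(m.group(1)) == 0:
            return True
    return False


def orphaned_bhos(lines: List[str]) -> List[str]:
    """BHO CLSIDs whose DLL is 'No File': the handler is gone, hidden, or cleaned but not unregistered."""
    return [l for l in lines if l.startswith("BHO:") and l.endswith("No File")]


def triage(log: str) -> dict:
    """Run the three checks and return their findings keyed by indicator."""
    s = split_sections(log)
    hjt = s.get("pseudo hjt report", [])
    return {
        "masquerading": masquerading_processes(s.get("running processes", [])),
        "uac_disabled": uac_disabled(hjt),
        "orphaned_bhos": orphaned_bhos(hjt),
    }


if __name__ == "__main__":
    for indicator, finding in triage(SAMPLE_LOG).items():
        print(f"{indicator}: {finding}")
```

Run it against a real DDS.txt by passing the file contents to triage(). The masquerading check deliberately keys on the binary name rather than on a hash, because the copy in Temp is re-created with new bytes each time the AV quarantines it; the location is the stable indicator.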

#2 salmantq
  • Topic Starter

Posted 09 December 2009 - 04:45 PM

ESET Online scan results
=============================

C:\Users\salman\Documents\Downloads\SDFix.zip Win32/PrcView application deleted - quarantined
C:\Windows\temp\mwvq.tmp\svchost.exe a variant of Win32/Wigon.MK trojan cleaned by deleting - quarantined


=============================

#3 salmantq
  • Topic Starter

Posted 11 December 2009 - 10:46 AM

Please check the attached Kaspersky scan report.
I have uninstalled avast; it was useless.

Attached Files



#4 Blade81
  • Malware Response Team

Posted 18 December 2009 - 09:49 AM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, do the following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
Download GMER here by clicking the "Download EXE" button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan is ready, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 salmantq
  • Topic Starter

Posted 20 December 2009 - 02:56 PM

Thanks for replying, but you guys took too long to respond and I had to do something to make the computer work.

I have restored my system to an earlier point; I have scanned with Avira and no virus was found during the scan.

Although these viruses are gone, we have to double-check it, so that we are sure.

Also, is restoring the system to a previous point a good solution? Does it make the virus come back?

Sorry for the trouble, and thanks :(

Edited by salmantq, 20 December 2009 - 03:08 PM.


#6 salmantq
  • Topic Starter

Posted 20 December 2009 - 03:04 PM

I have attached the DDS logs as requested.

Attached Files



#7 salmantq
  • Topic Starter

Posted 20 December 2009 - 03:11 PM

GMER log as requested.

Attached Files

  • Attached File: gmer.txt (91.76KB)


#8 Blade81
  • Malware Response Team

Posted 20 December 2009 - 05:08 PM

Hi,

uTorrent

The ones listed above are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring an infection into the system. My recommendation is to uninstall these (and any others, if present) P2P file sharing programs.


Also, is restoring the system to a previous point a good solution? Does it make the virus come back?

In some cases system restore helps. If it has been gone for days now, we may be able to assume it's really gone.


Upload the file c:\windows\system32\mssrv32.exe to http://www.virustotal.com and post back the results.

Start MBAM, update the definitions through the Update tab and run a quick scan, letting found items be removed. Post back the report.

* Go here to run an online scanner from ESET.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan.
  • Wait for the scan to finish and post back the results.



#9 salmantq
  • Topic Starter

Posted 24 December 2009 - 10:18 AM

Hey, thanks for your reply.

The computer has started behaving abnormally. When I logged in this time, explorer.exe failed to load and I logged in with no taskbar and no icons; just a window was open at the location My Documents > Downloads, so I had to manually start explorer.exe.


I was unable to upload mssrv.exe to VirusTotal, as when I try to browse to this location it says the file is already in use. I tried to copy it to the desktop and then upload it, but that was not a success.


Let me do the ESET online scan and upload the results as soon as it finishes.

Edited by salmantq, 24 December 2009 - 10:28 AM.


#10 salmantq
  • Topic Starter

Posted 24 December 2009 - 01:14 PM

Again, when I started my PC, explorer.exe crashes. Should I restore my PC back? Help me :(

Edited by salmantq, 24 December 2009 - 01:21 PM.


#11 salmantq
  • Topic Starter

Posted 24 December 2009 - 01:19 PM

ESET scan result: it just found the TR/Buzus.cubz Trojan and the Win32/Agent.NGC trojan at the location

C:\Windows\temp\eqgw.tmp\svchost.exe

avast quarantined it.

Blade, it's the same thing again: viruses popping up every 5 min from the same temp folder. The location is c:\windows\temp and svchost.exe is the process which is infected every time.

This is bad :( Please help.

Edited by salmantq, 25 December 2009 - 12:07 AM.
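Across the posts so far the drop path has been C:\Windows\temp\ncsw.tmp\svchost.exe, then mwvq.tmp, now eqgw.tmp: a randomly named .tmp directory under Temp holding a file that borrows a system binary's name, re-created minutes after each quarantine. That is a pattern a responder hunts for directly on disk rather than waiting for the next scanner pop-up, and hashing the hit gives something to look up on VirusTotal even when the file itself cannot be uploaded (post #9). The Python below is an added example, not a tool from this thread. It builds a throwaway directory tree imitating that Temp folder (constructed data: two dummy files stand in for the dropper, no real malware), walks it for camouflaged binaries under random *.tmp directories, and reports each hit with its SHA-256. The directory-name pattern, the CAMOUFLAGE_NAMES list and the assumption that the file can be opened read-only are choices made for this example.

```python
"""Hunt for the random-.tmp-directory / svchost.exe drop pattern on disk (added example)."""
import hashlib
import os
import re
import tempfile
from typing import List, Tuple

# Names the dropper borrows for camouflage (assumption: minimal list, extend as needed).
CAMOUFLAGE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}
# Parent directories like ncsw.tmp, mwvq.tmp, eqgw.tmp (the three seen in this thread).
RANDOM_TMP_DIR = re.compile(r"^[a-z0-9]{3,8}\.tmp$", re.IGNORECASE)


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks. Assumes a read-only open is permitted; the poster
    reports that even copying the file failed on the infected machine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(temp_root: str) -> List[Tuple[str, str]]:
    """Return sorted (path, sha256) pairs for camouflaged binaries under random .tmp dirs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(temp_root):
        if not RANDOM_TMP_DIR.match(os.path.basename(dirpath)):
            continue
        for name in filenames:
            if name.lower() in CAMOUFLAGE_NAMES:
                full = os.path.join(dirpath, name)
                findings.append((full, sha256_of(full)))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed fixture imitating C:\\Windows\\Temp: two dropper copies with the
    same bytes (what a loader re-laying one payload produces) plus benign files."""
    root = tempfile.mkdtemp(prefix="wintemp_")
    for d in ("ncsw.tmp", "eqgw.tmp"):
        os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, d, "svchost.exe"), "wb") as f:
            f.write(b"MZ fake dropper bytes")          # stand-in, not real malware
    os.makedirs(os.path.join(root, "Low"))
    with open(os.path.join(root, "Low", "readme.txt"), "wb") as f:
        f.write(b"harmless")
    with open(os.path.join(root, "setup.log"), "wb") as f:   # not inside a .tmp dir
        f.write(b"harmless")
    return root


if __name__ == "__main__":
    for path, digest in hunt(build_sample_tree()):
        print(digest, path)
```

Point hunt() at the real Temp directory (C:\Windows\Temp on the machine in this thread) to use it for real. If successive hits carry the same digest, the same payload is being re-laid by something still resident, which is why deleting the copy in Temp never ends the cycle; if the digests differ each time, the hash is not a useful indicator and the path pattern is what to watch.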


#12 Blade81
  • Malware Response Team

Posted 25 December 2009 - 04:35 AM

Hi,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.



#13 salmantq
  • Topic Starter

Posted 25 December 2009 - 03:48 PM

Hi,

Hmm, thanks for the useful info, Blade. I always wanted to format the PC, but could not make the decision, as I didn't know that the virus was this severe.

I have formatted the system as you read this post.

I have been using uTorrent for quite a while now and I don't want to stop using this application, but since you have advised me to stop using it, I am thinking of a safe way to run this application and concluded to install Linux on my PC and run this application from that OS. What do you say? And do you suggest using VMware for Linux? And which Linux do you advise me to install?

Thank you again for taking the time out.

Edited by salmantq, 25 December 2009 - 03:54 PM.


#14 Blade81
  • Malware Response Team

Posted 25 December 2009 - 04:21 PM

Hi,

I'm the wrong person to ask about Linux stuff :(



#15 salmantq
  • Topic Starter

Posted 26 December 2009 - 04:34 AM

Hi,

Lol, oh okay. Thanks for all the help, Blade. Lastly, I have one question: do you know anything about creating an OS image, i.e. ready-to-use images of the OS?

You can close the topic, and thanks again :(

Edited by salmantq, 26 December 2009 - 04:34 AM.




