Disk Read Errors. Backdoor.amitis & Worms?


3 replies to this topic

#1 beyond_me

beyond_me

  • Members
  • 8 posts

Posted 22 September 2007 - 04:51 AM

I've got a bunch of viruses in the vault & I'm still getting disk read errors, sound glitches & high CPU usage....

Hello,
I'm clearly infected and, after a day of reading posts, running tests and listing my errors, I'm a bit brain dead. I'd appreciate it if anyone with a clearer insight could advise my next steps.
Sorry it's a bit long; there are cut-and-paste anti-virus reports lower down.

Among my worries are: I'm not sure if deleting the files found by AVG will create irreversible problems.
I can't create a clean BACKUP file; system restore points are probably infected too. They seem to be 'breeding': I'm getting different ones in more locations (or each AV software uses different names).

Oh, and the crappy performance/CPU load of course.

Anyway, these files are in the vault. Am I right in thinking that they ought to be isolated and thus unable to run & affect my laptop? If so why do I still have errors?

While I'd been away for a couple of months my laptop (in China) had been used by my g/f who tried downloading some stuff.

There was also someone else who 'tried to fix it'. I will never find out what the initial problems were or what solutions were attempted - other than "someone had the back off".....!!

Symptoms I noticed on my return:
- F: drive not being found, which prevented startup
- Sound glitches on startup and during offline games
- Severe lag/freezing during online play, leading to the discovery of 100% CPU usage (previously I was never aware that it ever exceeded 60%! - it was quite a smooth-running machine; now and again I had a niggle, but no reason to believe I was infected)
- odbcasvc.exe 'becomes' a high-usage process
- Defender does an 'application registration and makes registry changes' on startup - but not every time...?

I tried a system restore, deleted folders, defragged, & freed up space on the O/S partition,
but DREs increased and BSODs/shutdowns started, followed by a restart loop (scary! so I just pulled the power to escape).

I later discovered this site and have run through a few things, updating the antivirus being the main one, but even after installing AVG, I'm not sure that all is well....

but today I did a scan with SUPERAntiSpyware Pro which only found 1 tracker cookie (not bad?)

Last week Bitdefender found 15 & claimed to have auto-deleted 14 files:

C:\Documents and Settings\hp01\Local Settings\Temp\123897.exe
Infected with: Trojan.Spy.Vb.QU
Disinfection fail
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6F67589C.exe=>(Quarantine-2)
Infected with: Win32.Worm.Delf.AJ
Disinfection failed
Deleted

C:\Recycled\INFO.EXE
Infected with: Trojan.Spy.Vb.QU
Disinfection failed
Deleted

C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP343\A0057303.exe
Infected with: Trojan.Dropper.Agent.BCT
Disinfection failed
Deleted

C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP352\A0063713.dll
Infected with: Trojan.Small.MS
Disinfection failed
Deleted

C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP352\A0063863.exe
Infected with: Win32.Worm.Ice.A
Disinfection failed
Deleted

C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP365\A0067124.exe=>(Quarantine-2)
Infected with: Win32.Worm.Delf.AJ
Deleted

C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP365\A0067125.EXE
Infected with: Trojan.Spy.Vb.QU
Deleted

C:\WINDOWS\system32\odbcasvc.exe
Infected with: Trojan.Spy.Vb.QU

C:\WINDOWS\system32\odbcasvc.exe
Disinfection failed
C:\WINDOWS\system32\odbcasvc.exe
Delete failed

C:\WINDOWS\Temp\123897.exe
Infected with: Trojan.Spy.Vb.QU
Deleted

D:\Recycled\INFO.EXE
Infected with: Trojan.Spy.Vb.QU
Deleted

D:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP365\A0067126.EXE
Infected with: Trojan.Spy.Vb.QU
Deleted

E:\Recycled\INFO.EXE
Infected with: Trojan.Spy.Vb.QU
Deleted

E:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP365\A0067127.EXE
Infected with: Trojan.Spy.Vb.QU
Deleted

Next, I tried Symantec online which found 5 files infected with Backdoor.Amitis
3 instances of INFO.EXE in 'Recycled' for drives C,D&E
2 in C:\WINDOWS - 123897.exe & odbcasvc.exe (same locations as before)

There was some info about Amitis removal, but the regedit entries posted there didn't correspond with what I could see & my head started hurting.

Next I got AVG, which found the Trojan horse BackDoor.Generic5.OWU C:\WINDOWS\system32\odbcasvc.exe C:\Recycled\INFO.EXE
C:\WINDOWS\Temp\123897.exe D:\Recycled\INFO.EXE E:\Recycled\INFO.EXE ... Must be the same 5 files???

Following day I've got 7 more
Trojan horse PSW.Generic4.UVP C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP343\A0057829.dll
C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP352\A0063339.dll
C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP352\A0063720.dll
Trojan horse BackDoor.Generic5.OWU C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP367\A0067174.exeKB
C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP367\A0067176.EXE
D:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP367\A0067177.EXE
E:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP367\A0067178.EXE

But these seem to be the same as picked up by Bitdefender - so why detected a day late?!!

And just for good measure, My USB drive has a couple!!
Trojan horse BackDoor.Generic5.OWU J:\Recycled\INFO.EXE G:\Recycled\info.exe (I can't even see a 'recycled' folder!!)

Thanks for reading, I think I've hit the top of my learning curve for today & would be very grateful for what to do next.
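As an added example (not part of this thread and not any of the tools mentioned in it), here is a small Python triage script for the kind of scan report quoted above. The block format it parses (a path line, an "Infected with:" line, then one or more outcome lines, blank-line separated, with a path sometimes repeated per action) is assumed from how the Bitdefender output appears in the post, and SAMPLE_REPORT is a constructed excerpt of those entries. The script separates copies sitting in System Restore snapshots and in another product's quarantine from files in live locations, and lists which entries the scanner never reports as Deleted. On the quoted data that isolates odbcasvc.exe in system32 ("Delete failed"), which is consistent with the high-CPU process the poster describes, while the System Volume Information entries are restore-point copies that a later scan or a different product will keep re-reporting under its own names.

```python
# Added triage example for Bitdefender-style scan reports; report format assumed
# from the post, sample data constructed from the entries quoted there.
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""
C:\Documents and Settings\hp01\Local Settings\Temp\123897.exe
Infected with: Trojan.Spy.Vb.QU
Disinfection failed
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6F67589C.exe=>(Quarantine-2)
Infected with: Win32.Worm.Delf.AJ
Disinfection failed
Deleted

C:\Recycled\INFO.EXE
Infected with: Trojan.Spy.Vb.QU
Disinfection failed
Deleted

C:\System Volume Information\_restore{E3C9ECA3-BEEF-476E-B37B-FBA1168735B7}\RP343\A0057303.exe
Infected with: Trojan.Dropper.Agent.BCT
Disinfection failed
Deleted

C:\WINDOWS\system32\odbcasvc.exe
Infected with: Trojan.Spy.Vb.QU

C:\WINDOWS\system32\odbcasvc.exe
Disinfection failed
C:\WINDOWS\system32\odbcasvc.exe
Delete failed
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")   # a report line that names a file
DETECT_PREFIX = "Infected with:"


def location_kind(path: str) -> str:
    """Bucket a reported path by what its location implies about the file."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"      # System Restore snapshot, not a running file
    if "\\quarantine\\" in p:
        return "av-quarantine copy"      # another product's quarantine, not a running file
    if "\\recycled\\" in p:
        return "recycle-bin root"        # per-drive drop location (seen on C, D, E, USB)
    if "\\temp\\" in p:
        return "temp directory"
    if "\\windows\\system32\\" in p:
        return "system directory"
    return "other"


def parse_report(text: str) -> list:
    """One record per distinct path; repeated path lines merge into the same record."""
    records, order, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            if current not in records:
                records[current] = {"path": current, "detection": None,
                                    "outcomes": [], "location": location_kind(current)}
                order.append(current)
        elif current is None:
            continue                      # outcome text before any path: ignore
        elif line.startswith(DETECT_PREFIX):
            records[current]["detection"] = line[len(DETECT_PREFIX):].strip()
        else:
            records[current]["outcomes"].append(line)   # "Deleted", "Delete failed", ...
    return [records[p] for p in order]


def not_removed(entries: list) -> list:
    """Entries the scanner never reports as Deleted: what is still on disk."""
    return [e for e in entries if "Deleted" not in e["outcomes"]]


def basenames_by_detection(entries: list) -> dict:
    """Detection name -> set of distinct (lower-cased) file names it was seen under."""
    out = defaultdict(set)
    for e in entries:
        if e["detection"]:
            name = e["path"].split("=>")[0].rsplit("\\", 1)[-1].lower()
            out[e["detection"]].add(name)
    return dict(out)


def location_counts(entries: list) -> Counter:
    return Counter(e["location"] for e in entries)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for kind, n in location_counts(found).items():
        print(f"{n:2d} x {kind}")
    for e in not_removed(found):
        print("still present:", e["path"], "->", e["outcomes"])
    for det, names in basenames_by_detection(found).items():
        print(det, "seen as", sorted(names))
```

Feeding a full report in (for example by reading the saved log file instead of SAMPLE_REPORT) gives the same three views: how many hits are inert snapshot or quarantine copies, which files are still present, and how many distinct file names each detection label really covers.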

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,571 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:01 PM

Posted 22 September 2007 - 08:59 AM

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download Sysclean Package & save it to your desktop.
  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number)
  • Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com. (Click here for information on how to extract a file if you're not sure how to do this.) DO NOT scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them before going to the next step.

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file (sysclean.log) generated in the same folder where the scan is completed - C:\Sysclean.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.
  • Exit when done, reboot normally and re-enable your anti-virus program.
Instructions with screenshots are here if you need them.

When using Sysclean it's best to use the Administrator's account or an account with Administrative rights, otherwise you will not have access rights to scan some locations. You can also use the "Run As" command to start a program as an Administrator. Even when doing that, the scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

Download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 beyond_me

beyond_me
  • Topic Starter

  • Members
  • 8 posts

Posted 23 September 2007 - 06:53 AM

thanks qm,
What will it do?
:thumbsup:
I'm going to run this tonight....

(I'm guessing this may save me the bother of reformatting and re-installing XP etc.)

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,571 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:01 PM

Posted 23 September 2007 - 07:25 AM

Just post back if you continue to have problems.