
System Shutdown after Malware/Trojan Removal


15 replies to this topic

#1 lukewinter1986
  • Members
  • 7 posts

Posted 03 January 2009 - 01:40 PM

Well, first off, thanks in advance to anyone attempting to help here... I'm having a few PC problems after trying to remove a virus/trojan/malware. The problem first started when I tried to remove continuous pop-ups from a fake anti-spyware program. I can't remember the exact name, but it included "2008" at the end of the name. That's probably not too helpful, but it can't hurt, right? Okay, so the real problem now is that I get a system shutdown message about 20 min after rebooting. Here's the idea of the message:

System shutdown
Initiated by NT AUTHORITY/SYSTEM
DCOM Server Process Launcher service terminated unexpectedly

Then it'll count down for 1 min. and turn off the PC. I removed the pop-up ads, trojans, etc. using Malwarebytes and it seemed to do a great job except for this little hiccup. The computer is running SP2 of XP and has been disconnected from the internet for security purposes. I'm somewhat computer literate but obviously not advanced enough to diagnose this problem.

Any help you guys might be able to provide would be greatly appreciated!


#2 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,565 posts
  • Location: NJ USA

Posted 03 January 2009 - 02:43 PM

Hi and welcome. There's a very good possibility that a rootkit has caused this shutdown.

Please run these so we can find out.
Download and scan with the MSFT Malicious Software Removal Tool:
click on the link "Skip the details" and download the tool.


Next, run a rootkit scan. Prior to the scan, do the following:
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop.
  • Extract the file to your Desktop (you may then delete the zip file).
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe.
  • Click Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive).
You successfully installed Avira AntiRootkit!
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • Click View report and copy the entire contents into your next reply.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 lukewinter1986
  • Topic Starter
  • Members
  • 7 posts

Posted 03 January 2009 - 03:33 PM

Thanks for the quick response! I installed and ran the Windows Malicious Software Removal Tool, but no luck with that. Here is the report the AntiRootKit tool spit out. Looks like it got a couple hits... I haven't quarantined any of these yet, just in case it's a false positive.


Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started Saturday, January 03, 2009 - 15:14:03 PM
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 149.05 GB
- Working disk free size : 60.10 GB (40 %)
--------------------------------------------------------------------------------------------------------

Results:
Hidden file : c:\avenger\senekajcuuvgun.dll
Hidden file : c:\windows\system32\senekajneoyppp.dll
Hidden file : c:\windows\system32\senekalog.dat
Hidden file : c:\windows\system32\senekapugpawsy.dll
Hidden file : c:\windows\system32\drivers\seneka.sys
Hidden file : c:\windows\system32\drivers\senekaedalclkx.sys
Hidden service/driver : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka => \systemroot\system32\drivers\senekaedalclkx.sys
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seneka

--------------------------------------------------------------------------------------------------------
Files: 6/177116
Registry items: 3/316464
Processes: 0/47
Scan time: 00:13:49
--------------------------------------------------------------------------------------------------------
Active processes:
- fvdhbmsy.exe (PID 4008) (Avira AntiRootkit Tool - Beta)
- System (PID 4)
- smss.exe (PID 488)
- csrss.exe (PID 552)
- winlogon.exe (PID 576)
- services.exe (PID 620)
- lsass.exe (PID 632)
- svchost.exe (PID 784)
- svchost.exe (PID 844)
- svchost.exe (PID 900)
- svchost.exe (PID 972)
- svchost.exe (PID 1024)
- aawservice.exe (PID 1100)
- spoolsv.exe (PID 1212)
- AppleMobileDeviceService.exe (PID 1364)
- avgamsvr.exe (PID 1440)
- explorer.exe (PID 1456)
- avgupsvc.exe (PID 1528)
- avgemc.exe (PID 1556)
- CDAC11BA.EXE (PID 1624)
- MDM.EXE (PID 1680)
- MSCamS32.exe (PID 1696)
- nvsvc32.exe (PID 1732)
- r_server.exe (PID 1780)
- svchost.exe (PID 1880)
- mHotkey.exe (PID 1928)
- SpySweeper.exe (PID 1976)
- CNYHKey.exe (PID 2000)
- WinPatrol.exe (PID 216)
- mixer.exe (PID 240)
- hpwuSchd.exe (PID 252)
- hpztsb08.exe (PID 260)
- hpotdd01.exe (PID 244)
- QTTask.exe (PID 288)
- iTunesHelper.exe (PID 312)
- hpcmpmgr.exe (PID 360)
- LXCCmon.exe (PID 396)
- vVX3000.exe (PID 440)
- WCESCOMM.EXE (PID 344)
- ctfmon.exe (PID 484)
- hpqtra08.exe (PID 680)
- WLService.exe (PID 1512)
- WUSB54Gv4.exe (PID 2232)
- lxcccoms.exe (PID 2676)
- alg.exe (PID 3032)
- iPodService.exe (PID 3184)
- avirarkd.exe (PID 4000)
========================================================================================================
- Scan finished Saturday, January 03, 2009 - 15:27:53 PM
========================================================================================================

#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 03 January 2009 - 03:44 PM

Great call boopme :thumbsup:
--------
Hello lukewinter1986.

Those are part of a rootkit infection. Please install ERUNT (below), then remove the items found by Avira AntiRootkit Tool.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer, you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Afterwards, please take a new scan with AAA and post the new log.

With Regards,
The Panda

Edited by PropagandaPanda, 03 January 2009 - 05:59 PM.


#5 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,565 posts
  • Location: NJ USA

Posted 03 January 2009 - 05:25 PM

Hello again (it was me btw, PP), but thanks.
After following Panda's instructions, run Avira AntiRootkit like this. They or I will be back to look.

Please run Avira AntiRootkit again by following the below steps:
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • When the scan has finished, select Quarantine all
  • When done, please click OK (you may be asked to restart, if so please do so by clicking OK once more)
  • The log can be found here: C:\Program Files\Avira GmbH\Avira RootKit Detection\avirarkd.log. Please copy the entire contents into your next reply.


#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 03 January 2009 - 05:59 PM

Sorry boopme! I don't read purple very well :thumbsup:

The Panda

#7 lukewinter1986
  • Topic Starter
  • Members
  • 7 posts

Posted 03 January 2009 - 10:08 PM

That seems to have done the trick! So far there hasn't been another shutdown cycle. Thanks so much for the help. Here's a copy of the log from the AntiRootKit Tool.

Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started Saturday, January 03, 2009 - 19:02:21 PM
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 149.05 GB
- Working disk free size : 59.97 GB (40 %)
--------------------------------------------------------------------------------------------------------

Scan task finished. No hidden objects detected!

--------------------------------------------------------------------------------------------------------
Files: 0/177203
Registry items: 0/316522
Processes: 0/45
Scan time: 00:13:31
--------------------------------------------------------------------------------------------------------
Active processes:
- wtjfxkwo.exe (PID 1216) (Avira AntiRootkit Tool - Beta)
- System (PID 4)
- smss.exe (PID 480)
- csrss.exe (PID 552)
- winlogon.exe (PID 576)
- services.exe (PID 620)
- lsass.exe (PID 632)
- svchost.exe (PID 788)
- svchost.exe (PID 836)
- svchost.exe (PID 892)
- svchost.exe (PID 976)
- svchost.exe (PID 1024)
- aawservice.exe (PID 1112)
- spoolsv.exe (PID 1180)
- AppleMobileDeviceService.exe (PID 1284)
- avgamsvr.exe (PID 1304)
- avgupsvc.exe (PID 1336)
- avgemc.exe (PID 1360)
- CDAC11BA.EXE (PID 1380)
- MDM.EXE (PID 1428)
- MSCamS32.exe (PID 1448)
- nvsvc32.exe (PID 1492)
- r_server.exe (PID 1540)
- svchost.exe (PID 1652)
- SpySweeper.exe (PID 1728)
- explorer.exe (PID 1996)
- WLService.exe (PID 284)
- WUSB54Gv4.exe (PID 504)
- alg.exe (PID 1600)
- mHotkey.exe (PID 1836)
- CNYHKey.exe (PID 2096)
- mixer.exe (PID 2320)
- hpwuSchd.exe (PID 2340)
- hpztsb08.exe (PID 2348)
- hpotdd01.exe (PID 2356)
- iTunesHelper.exe (PID 2392)
- hpcmpmgr.exe (PID 2412)
- LXCCmon.exe (PID 2436)
- vVX3000.exe (PID 2472)
- WCESCOMM.EXE (PID 2496)
- ctfmon.exe (PID 2536)
- lxcccoms.exe (PID 2560)
- hpqtra08.exe (PID 2688)
- iPodService.exe (PID 3168)
- avirarkd.exe (PID 1092)
========================================================================================================
- Scan finished Saturday, January 03, 2009 - 19:15:52 PM
========================================================================================================
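As an added example (not from this thread and not Avira's own code), here is a small Python parser for the Avira AntiRootkit report format quoted in posts #3 and #7: it pulls out the hidden files, hidden service/driver entries and hidden keys, links each hidden service to the hidden files that share its name and to its driver image, and reads the summary counts so a rescan can be confirmed clean. The two sample reports are constructed excerpts of the logs above; the function names are my own.

```python
import re

# Constructed excerpt of the first Avira AntiRootkit report quoted above
# (results and counts only; the active-process list is left out).
INFECTED_REPORT = r"""
Results:
Hidden file : c:\avenger\senekajcuuvgun.dll
Hidden file : c:\windows\system32\senekajneoyppp.dll
Hidden file : c:\windows\system32\senekalog.dat
Hidden file : c:\windows\system32\senekapugpawsy.dll
Hidden file : c:\windows\system32\drivers\seneka.sys
Hidden file : c:\windows\system32\drivers\senekaedalclkx.sys
Hidden service/driver : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka => \systemroot\system32\drivers\senekaedalclkx.sys
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seneka

Files: 6/177116
Registry items: 3/316464
Processes: 0/47
"""

# Constructed excerpt of the rescan report posted after "Quarantine all".
CLEAN_REPORT = r"""
Scan task finished. No hidden objects detected!
Files: 0/177203
Registry items: 0/316522
Processes: 0/45
"""

HIDDEN_RE = re.compile(r"^Hidden (file|service/driver|key) : (.+)$")
COUNT_RE = re.compile(r"^(Files|Registry items|Processes): (\d+)/(\d+)$")


def basename(path):
    """Last path component; works for file paths and registry key paths."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def parse_report(text):
    """Collect hidden files, hidden service/driver entries and hidden keys."""
    findings = {"files": [], "services": [], "keys": []}
    for raw in text.splitlines():
        m = HIDDEN_RE.match(raw.strip())
        if not m:
            continue
        kind, value = m.group(1), m.group(2).strip()
        if kind == "file":
            findings["files"].append(value.lower())
        elif kind == "key":
            findings["keys"].append(value)
        else:  # "service/driver": "<service key> => <image path>"
            key, _, image = value.partition(" => ")
            findings["services"].append((key.strip(), image.strip().lower()))
    return findings


def correlate(findings):
    """Per hidden service: hidden files sharing its name prefix, hidden keys
    registering it, and whether its driver image is itself a hidden file."""
    file_names = [basename(f) for f in findings["files"]]
    out = []
    for key, image in findings["services"]:
        name = basename(key).lower()
        out.append({
            "service": name,
            "image": image,
            "image_hidden": basename(image) in file_names,
            "related_files": sorted(f for f in findings["files"]
                                    if basename(f).startswith(name)),
            "hidden_keys": sorted(k for k in findings["keys"]
                                  if basename(k).lower() == name),
        })
    return out


def hidden_counts(text):
    """Map each summary line ('Files: 6/177116') to (hidden, scanned)."""
    counts = {}
    for raw in text.splitlines():
        m = COUNT_RE.match(raw.strip())
        if m:
            counts[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counts


def is_clean(text):
    """True only when every summary line reports zero hidden objects."""
    counts = hidden_counts(text)
    return bool(counts) and all(hidden == 0 for hidden, _ in counts.values())
```

Running `correlate(parse_report(INFECTED_REPORT))` ties the six seneka files, the hidden driver image and both ControlSet keys to one service, which is the picture the responders acted on; `is_clean(CLEAN_REPORT)` confirms the rescan.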

#8 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,565 posts
  • Location: NJ USA

Posted 03 January 2009 - 10:21 PM

Hello, that looks OK, but please run this MBAM scan before we move on.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#9 lukewinter1986
  • Topic Starter
  • Members
  • 7 posts

Posted 04 January 2009 - 11:33 AM

Well then, I guess there is still a problem. Here's the MBAM log. These files are similar to the ones initially caught by my first sweep. Once connected to the internet, the infected computer received some random pop-ups related to some Google searches I performed as a test drive last night. Other than that, there don't seem to be any apparent issues.



Malwarebytes' Anti-Malware 1.31
Database version: 1610
Windows 5.1.2600 Service Pack 2

1/4/2009 11:06:42 AM
mbam-log-2009-01-04 (11-06-42).txt

Scan type: Quick Scan
Objects scanned: 55971
Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\avhigy.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c0e09252-8765-4635-b2d2-ee503790a3b0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\avhigy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\opnnlKEX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vnlynbfg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJAppqn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\s_4610_fHx8fHx8fDEyNDM0MDI3NzB8_.dbx (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luke Winter\Local Settings\Temp\awexsncmro.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luke Winter\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luke Winter\Local Settings\Temp\winsinstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luke Winter\Local Settings\Temporary Internet Files\Content.IE5\QF8161C3\winsinstall[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luke Winter\Local Settings\Temporary Internet Files\Content.IE5\QF8161C3\winsinstall[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luke Winter\Local Settings\Temporary Internet Files\Content.IE5\QF8161C3\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaedalclkx.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 04 January 2009 - 01:01 PM

Hello Luke.

Please run the MalwareBytes scan again. This is so we can identify items that it cannot remove, and deal with them appropriately.

With Regards,
The Panda

#11 lukewinter1986
  • Topic Starter
  • Members
  • 7 posts

Posted 04 January 2009 - 02:51 PM

Here's the MBAM log... seems like it didn't find anything. Even after a restart and running a quick scan again, still nothing to be found.

Malwarebytes' Anti-Malware 1.31
Database version: 1610
Windows 5.1.2600 Service Pack 2

1/4/2009 2:23:16 PM
mbam-log-2009-01-04 (14-23-16).txt

Scan type: Quick Scan
Objects scanned: 55869
Time elapsed: 6 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 04 January 2009 - 04:54 PM

That's great.

Let's do a scan with F-Secure.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
With Regards,
The Panda

#13 lukewinter1986
  • Topic Starter
  • Members
  • 7 posts

Posted 04 January 2009 - 07:20 PM

Scanning Report
Sunday, January 04, 2009 18:05:02 - 19:17:52

Computer name: LUKE
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\
Result: 15 malware found
AdWare.Win32.Agent (spyware)

* System

RemoteAdmin.Win32.RAdmin (spyware)

* System

TrackingCookie.2o7 (spyware)

* System

TrackingCookie.Adinterax (spyware)

* System

TrackingCookie.Atwola (spyware)

* System

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Imrworldwide (spyware)

* System

TrackingCookie.Mediaplex (spyware)

* System

TrackingCookie.Specificclick (spyware)

* System

TrackingCookie.Webtrends (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Trojan-Downloader.Win32.Agent (virus)

* System

Trojan-Downloader.Win32.Agent.azcz (virus)

* C:\WINDOWS\CCAVIHITA.DLL

Trojan-Dropper.Win32.Agent (virus)

* System

Trojan-Dropper.Win32.Agent.adhp (virus)

* C:\WINDOWS\SYSTEM32\K9261108.EXE

Statistics
Scanned:

* Files: 35777
* System: 4328
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 15
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2009-01-04
* F-Secure AVP: 7.0.171, 2009-01-04
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 04 January 2009 - 07:29 PM

Hello Luke.

Let's take care of those leftover files.

Create and Run Batch Script
We will use this batch script to delete some files.
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    @ECHO OFF
    REM Walk each quoted path; %%~a yields the path without its quotes.
    REM (A stray trailing space inside the second quoted path has been removed.)
    for %%a in (
    "C:\WINDOWS\CCAVIHITA.DLL"
    "C:\WINDOWS\SYSTEM32\K9261108.EXE"
    ) do (
    IF exist "%%~a" (
    REM Clear the system, read-only and hidden attributes so del can act on the file.
    attrib -s -r -h "%%~a"
    del /q /f "%%~a"
    if not exist "%%~a" (
    ECHO %%~a -Deleted.>>Report.txt
    ) ELSE (
    ECHO %%~a -Failed to delete.>>Report.txt
    )
    ) ELSE (
    ECHO %%~a -Not found.>>Report.txt
    )
    )
    REM Open the report in Notepad, then delete this batch file itself.
    start notepad Report.txt
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.bat
  • Hit OK.
When done properly, the icon should look like the one shown (image not preserved).

Double click Fix.bat. If you are using Windows Vista, right click the icon and select "Run as Administrator".

You will see a black command prompt window open, followed by a log. Please post back the log.
Any problems at this point?

With Regards,
The Panda

#15 lukewinter1986
  • Topic Starter
  • Members
  • 7 posts

Posted 04 January 2009 - 08:06 PM

No problems so far... haven't cruised around the net too much though. Here's the log from the fix file:

C:\WINDOWS\CCAVIHITA.DLL -Not found.
C:\WINDOWS\SYSTEM32\K9261108.EXE -Not found.