Trojan horse Generic 15.ARFB


  • This topic is locked
3 replies to this topic

#1 shimonk

  • Members
  • 5 posts

Posted 10 November 2009 - 05:11 PM

Hello,

Since Sunday, when the modem is turned on I get the following message every 5 minutes:
File: lovun.ru/images/judex.exe infection: Trojan horse Generic 15.ARFB

I'm running Win Vista SP2
AVG 8.5.425 with latest update.
Since it started I have also run:
Malwarebytes
Trojan remover
SuperAntiSpyware
Spywarefighter
Spybot-S&D
All came clean.

Please note that when the modem is turned off the message doesn't appear.
I searched the web for 15.ARFB and came with 0 results.

I'm attaching attach.txt and dds.txt
I ran RootRepeal.exe 3 times and got an (empty) error message box; the scan stopped and I could not get the data.
It stops at file:
c:\windows\winsxs\msil_cscompmgd_b03f5f7f11d50a3a_6.0.6001.18000_none_18976aa08b000


Any idea?

Thanks in advance,
Shimonk

I managed to see the RootRepeal Error message: "Attempting to write to address 0x00000004"
When I press OK the process disappears.

Merged posts. ~ OB

Edited by Orange Blossom, 10 November 2009 - 05:56 PM.


#2 shimonk

  • Topic Starter
  • Members
  • 5 posts

Posted 13 November 2009 - 12:26 PM

Hello All,

During the last few days I tried various trojan removers. None of them even locates the problem.
I upgraded AVG to version 9. Same results.

As far as I can see, the trojan horse is leeching onto one of the processes, Plug and Play and DCOM (both using the same PID), via svchost.

I blocked the lovun.ru site at my router; see the attached 30-minute log:

2009/11/13 18:20:09 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:25:08 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:30:07 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:35:07 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:40:06 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:45:05 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:50:04 : 192.168.1.106 has tried to access the blocked web site lovun.ru

Waiting for someone's help.

Note: when I googled for 15.ARFB I got only my post.

Merged posts and removed unnecessary quote. ~ OB

Edited by Orange Blossom, 21 October 2010 - 08:46 PM.
Removed no longer relevant content. ~ OB
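The router log quoted above shows one host being contacted at an almost fixed interval, which is exactly what a beaconing check looks for. As an added example that is not part of the original thread, the following Python script parses lines in that router's log format (the sample lines are constructed: the seven from the post plus a second, non-periodic host `example.invalid` as a control) and flags source/destination pairs whose spacing is nearly constant; the 4-hit minimum and 5% jitter tolerance are assumed thresholds.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in the router's log format: the seven lines from the post plus
# a second, non-periodic host (example.invalid) as a control.
SAMPLE_LOG = """\
2009/11/13 18:20:09 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:25:08 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:30:07 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:35:07 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:40:06 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:45:05 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:50:04 : 192.168.1.106 has tried to access the blocked web site lovun.ru
2009/11/13 18:31:40 : 192.168.1.102 has tried to access the blocked web site example.invalid
2009/11/13 18:47:12 : 192.168.1.102 has tried to access the blocked web site example.invalid
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) : (?P<src>\S+) has tried to access "
    r"the blocked web site (?P<host>\S+)$"
)

def parse_log(text):
    """Group block events by (source IP, blocked host) -> list of datetimes."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line format: skip rather than guess
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        events.setdefault((m.group("src"), m.group("host")), []).append(ts)
    return events

def find_beacons(events, min_hits=4, max_jitter=0.05):
    """Return {(src, host): mean gap in seconds} for pairs hit at a near-constant
    interval: at least min_hits events and gap std-dev within max_jitter of the mean.
    Thresholds are assumed defaults, not values from the thread."""
    beacons = {}
    for key, stamps in events.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons
```

Running `find_beacons(parse_log(SAMPLE_LOG))` on the sample returns only the 192.168.1.106 to lovun.ru pair, with a mean gap of about 299 seconds, while the two-hit control host is ignored.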


#3 shimonk

  • Topic Starter
  • Members
  • 5 posts

Posted 17 November 2009 - 03:37 AM

I cannot wait any longer. I format the drive and re-install Vista.

Thanks.

#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,314 posts
  • Gender:Female
  • Location:Romania

Posted 17 November 2009 - 09:06 AM

Since this issue seems resolved, I am closing the topic.

If you are the original topic starter and you need this topic re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft




