Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Some Type of Infection/Attack

  • This topic is locked This topic is locked
2 replies to this topic

#1 blkdmd


  • Members
  • 2 posts
  • Local time:06:37 AM

Posted 13 January 2010 - 07:33 AM

Hello I have had this problem with my computer for a few days now. Including:
All searches being redirected (many times at once)
Every 5 minutes exactly, ESET NOD32 detects an attack coming from hxxp:// which keeps trying to download the file 2491.exe. Also this IP has been attacking my system32/svchost.exe. Which after trying to block the IP with NOD32, svhost.exe actually runs on my desktop when I've been idle for some time (freaking me out.)
EDIT: The name of the threat(s) are-
Win32/TrojanProxy.Agent.NFV Trojan
Win32/Agent.QOH trojan
Win32/Induc Virus

Nothing else is detected after running Malwarebytes Anti-Malware, NOD32, Spybot, Ad-Aware, or SUPERAntiSpyware

I have all the log files suggested to have attached here, will post in text if needed.
Thanks for any help

Attached Files

Edited by Orange Blossom, 13 January 2010 - 09:52 PM.
Deactivate link. ~ OB

BC AdBot (Login to Remove)


#2 blkdmd

  • Topic Starter

  • Members
  • 2 posts
  • Local time:06:37 AM

Posted 13 January 2010 - 08:42 AM

Problem Solved, read a few other posts similar to mine, RootRepeal and GMER revealed rootkits.
After running ComboFix (at my own risk, I understand):
c:\windows\system32\WORK.DAT deleted
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Voila! No more search redirections!
Thumbs up to the creator of Combofix!

Edited by blkdmd, 13 January 2010 - 08:42 AM.

#3 myrti



  • Malware Study Hall Admin
  • 33,785 posts
  • Gender:Female
  • Location:At home
  • Local time:01:37 PM

Posted 15 January 2010 - 07:40 PM

Since this topic appears to be resolved, I will now close it. Thanks for lettings us know.

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please do not run Combofix on your own (as you know. wink.gif)

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users