Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Google User Content CDN Used for Malware Hosting

Featured Deal: Get 98% off the Ultimate Cisco Certification Bundle: Lifetime Access Deal

Photo

Persistent w.exe, BtwSvc.dll, PereSvc.exe, winlogo.exe files

Started by Ocasio , May 09 2010 01:57 PM

  • Please log in to reply
1 reply to this topic

#1 Ocasio

Ocasio

  • Members
  • 2 posts
  • OFFLINE
    •  
  • Local time:04:04 AM

Posted 09 May 2010 - 01:57 PM

A used Compaq computer was given, but it was infected with dozen trojans. I've tried System Recovery that resides on the D drive, but upon restoration, the the following files came back:

c:\windows\system32\d.bin
c:\windows\system32\w.exe
c:\windows\system32\ms.bin
c:\windows\system32\so.bin
c:\windows\system32\BtwSvc.dll
c:\windows\fonts\services.exe
C:\WINDOWS\TEMP\3qiwqjt0o.exe
C:\WINDOWS\TEMP\671vw0.exe
C:\WINDOWS\TEMP\8twyqsz.log
C:\WINDOWS\TEMP\cn0erng2.exe
C:\WINDOWS\TEMP\v7hmnua7.exe
C:\WINDOWS\TEMP\~DF65FD.tmp
C:\WINDOWS\TEMP\~DFD55.tmp
C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\autorun.bat
C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\winlogo.exe


Every time I remove these files from Windows TEMP folder, system32 folder and FONTS folder and restart the computer, these files came back.

I've tried Spybot Search and Destroy, and MalwareBytes to scan and removed them, but upon reboot, the malicious files returned.

I'm looking for removal methods. Thanks.

BC AdBot (Login to Remove)

 

#2 Ocasio

Ocasio
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
    •  
  • Local time:04:04 AM

Posted 10 May 2010 - 10:40 AM

No help needed. I am convinced that the used PC is infected with a variant of Virut (Trojan.Agent/Gen-Virut[WinLogo] at C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe) which compromises .exe files in the system, including ComboFix.exe.

So I did a "destructive recovery" through Compaq's system restore partition to wipe the whole C: drive and the infections are completely gone.
Back to Am I infected? What do I do?


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Am I infected? What do I do?
  4. Privacy Policy
  5. Rules ·