Annoying virus keeps reappearing


5 replies to this topic

#1 kreG15

kreG15

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 16 July 2010 - 09:45 AM

Hi, I've recently found out that I'm infected with some kind of a virus. After realising that, I ran a scan with ESET Online Scanner (log below), and it found a few infected files and removed them, but every time I reboot my PC a new infected file appears to be running. All of the virus's files seem to be recreated in the folder C:\Documents and Settings\עדן\Local Settings\temp\ but I'm not completely sure that there are no other ones in other folders as well. The files were named 2.exe and 3.exe and they had an envelope icon. ESET removed the file when I ran the scan, and after I rebooted I deleted the file myself.

Here's the ESET Online Scanner Log:

# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=39bab8fa442c19429180bc8f8a36ea6d
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-16 09:53:07
# local_time=2010-07-16 12:53:07 )
# country="Israel"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 34955561 34955561 0 0
# compatibility_mode=8192 67108863 100 0 33152118 33152118 0 0
# scanned=71617
# found=8
# cleaned=7
# scan_time=3131
C:\Documents and Settings\עדן\Application Data\MaxKO.exe Win32/PSW.Fignotok.B trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\עדן\Local Settings\temp\service.exe a variant of Win32/Kryptik.FJP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\עדן\Local Settings\temp\svcnost.exe Win32/TrojanDownloader.Delf.POH trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\עדן\Local Settings\temp\tmp77373732727.tmp Win32/TrojanDownloader.Delf.POH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\עדן\My Documents\Matroska\Wizard-1.2\dll\libcharset.dll probably a variant of Win32/Spy.Banker trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\VentriloMIX\Ventrilo 2.2.0.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\userinit.exe Win32/TrojanDownloader.Delf.POH trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\Com\svchost.exe a variant of Win32/Kryptik.FJP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=39bab8fa442c19429180bc8f8a36ea6d
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-16 10:59:11
# local_time=2010-07-16 01:59:11 )
# country="Israel"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 34961357 34961357 0 0
# compatibility_mode=8192 67108863 100 0 33157914 33157914 0 0
# scanned=34584
# found=1
# cleaned=1
# scan_time=1302
C:\Documents and Settings\עדן\Local Settings\temp\NODBE.tmp Win32/TrojanDownloader.Delf.POH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251


I also ran a scan with HijackThis, but nothing seemed suspicious so I won't bother with that.

Any help is greatly appreciated! Thanks in advance.

Edited by kreG15, 16 July 2010 - 10:25 AM.
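Added example, not part of the original post: a small triage script for result lines in the shape of the ESET Online Scanner log above, listing only the entries the scanner did not fully remove (the posted log's first run reports found=8 but cleaned=7). The field layout is an assumption inferred from the posted lines, the sample input is constructed with a placeholder profile name, and `triage`, `RESULT` and `SAMPLE` are hypothetical names.

```python
import re

# Constructed sample in the shape of the result lines posted above; the
# profile name is replaced by the placeholder "user".
SAMPLE = r"""# found=3
# cleaned=2
C:\Documents and Settings\user\Local Settings\temp\svcnost.exe Win32/TrojanDownloader.Delf.POH trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\userinit.exe Win32/TrojanDownloader.Delf.POH trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\Com\svchost.exe a variant of Win32/Kryptik.FJP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Assumed field layout, inferred only from the posted lines:
# path, detection name + type, (action), 32 hex chars, one status letter.
RESULT = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?\S+/\S+(?: \w+)?)\s+"
    r"\((?P<action>.*)\)\s+[0-9A-Fa-f]{32}\s+(?P<flag>[A-Z])$"
)

def triage(log_text):
    """Return header counters and every result line that is not fully removed."""
    counters, open_items = {}, []
    for line in log_text.splitlines():
        header = re.match(r"^# (found|cleaned)=(\d+)$", line)
        if header:
            counters[header.group(1)] = int(header.group(2))
            continue
        m = RESULT.match(line)
        if not m:
            continue  # other header lines, scanner status lines
        action = m.group("action")
        if "unable to clean" in action:
            state = "still present"
        elif "after the next restart" in action:
            state = "removal pending reboot"
        else:
            continue  # deleted and quarantined during the scan
        open_items.append({
            "path": m.group("path"),
            "detection": m.group("detection"),
            "state": state,
            "system_file": m.group("path").lower().startswith("c:\\windows\\"),
        })
    return counters, open_items

if __name__ == "__main__":
    for item in triage(SAMPLE)[1]:
        print(item)
```

An entry reported as still present under the Windows directory is the first thing to follow up after a scan, since deleting the temp-folder copies does not touch it.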



#2 kreG15

Posted 16 July 2010 - 03:19 PM

Just a little update on this:

I rebooted the PC to take a screenshot and show you what the files look like: http://i26.tinypic.com/25f1uoi.jpg

I scanned them both with Kaspersky Online FileScanner and it detected them as PSWTool.Win32.PassView.gd and PSWTool.Win32.MailPassView.gd

I believe there is more than just these trojans. I'm currently running a scan with SAS and so far it has detected the above virus(es) as well as two other ones called Trojan.Agent/Gen-QTplugin and Rootkit.QTplugin.

Please help me asap, I'm too scared to use my PC as it's infected.

#3 kreG15

Posted 17 July 2010 - 02:07 AM

Scanning with SAS didn't really help much. It only detected and removed one of the files that keep reappearing (3.exe and 4.exe), and it recreated itself after reboot... I am not sure if the other trojan(s) (Rootkit.QTPlugin, Gen-QTPlugin) have been successfully removed.

BTW, My OS is XP Home Edition SP3.

Sorry for bumping again. Please help.

Edited by kreG15, 17 July 2010 - 02:09 AM.


#4 kreG15

Posted 17 July 2010 - 09:42 AM

Why is this the only topic that's not getting any attention? Sorry if I'm being a bleep here, but many newer topics were given at least a tiny look and a reply...

#5 kreG15

Posted 18 July 2010 - 05:03 PM

I've been waiting over 3 days for only first instructions on how to scan and bring logs for you to analyse, whilst others got a response within an hour or two...

Thank you for your help.

#6 kreG15

Posted 19 July 2010 - 03:06 PM

I went to another forum where I got my problem completely solved in less than 24 hours, so I don't need your help anymore.

Thanks again for ignoring this topic.

Edited by kreG15, 19 July 2010 - 03:07 PM.
