Generic.malware.g!wx!g.69467997

<?xml version="1.0" encoding="utf-8"?>

<?xml-stylesheet type="text/xsl" href="C:\Program Files\BitDefender\BitDefender 2008\Lang\log_format.xsl"?>

<ScanOptions

showWarnings="1" >

</ScanPaths>

<ScanObjects

scanViruses="1"

scanAddware="1"

scanSpyware="1"

scanApplications="1"

scanDialers="1"

scanRootkits="1"

<TargetSelection

heuristicScan="1"

scanArchives="1"

scanRegistryKeys="1"

scanRegistry="1"

scanCookies="1"

memoryProcesses="1"

scanBootSectors="1"

scanEmail="1"

scanAllFiles="1"

scanPackedFiles="1"

scanSubfolders="0"

includeExtensions=""

<TargetProcessing

infectedAction="3"

suspiciousAction="1"

hiddenAction="1"

</ScanOptions>

<EngineSummary

archivePlugins="41"

mailPlugins="6"

scanPlugins="12"

totalSignatures="960825"

systemPlugins="4"

unpackPlugins="7"

<ScanSummary

scannedItems="566"

infectedItems="1"

suspiciousItems="0"

resolvedItems="0"

scannedArchives="9"

bootSectorCount="5"

scannedDirectories="13"

inputOutputErrors="0"

virusesNumber="1"

scanTime="00:00:00:03"

filesPerSecond="55"

<FileSummary

scanned="167"

archives="9"

packed="2"

infected="1"

suspicious="0"

resolved="0"

deleted="0"

moved="0"

copied="0"

<RegistryKeySummary

scanned="359"

infected="0"

suspicious="0"

<CookieSummary

scanned="0"

infected="0"

suspicious="0"

<ProcessSummary

scanned="40"

infected="0"

suspicious="0"

<MailSummary

scanned="0"

infected="0"

suspicious="0"

</ScanSummary>

</ScanDetails>

</ScanSession>

Please help me. This malware Generic.Malware.G!WX!!g.69467997 infected my svchost.exe (please note it's NOT svehost.exe).

What should I do?

Find more posts tagged with

Comments

stloco

I had check in Regedit (current user and local machine as stated in a previous topic) but the is nothing except for my Bitdefender registry, MSN and other harmless registries.

In System 32, there's no svehost.exe file. No hidden files or folders as I had my show hidden files and folders turned on.

I had followed the guidelines as to the topic posted by Eugene but I still don't know and can't find the solution out of this.

stloco

Please someone help me.

I do need your helping hands.

Thank you

adamian

Hi,

Please download http://www.tehnica.org/BDAspySetup.exe , install it and run it of course. Go to Syslog info, select the place where you want to save the log file and than click Start Enum to do that.

Zip the log file and post it in this thread as an attachment to have a look at it.

Probably you have a malware that injects itself (or some code) in a svchost process.

If you have any problems please ask.

stloco

This is the syslog zip file..

Please advise...

Thank you

/applications/core/interface/file/attachment.php?id=1394" data-fileid="1394" rel="">bd_sys_log.rar

bd_sys_log.rar

stloco

<?xml version="1.0" encoding="utf-8"?>

<?xml-stylesheet type="text/xsl" href="C:\Program Files\BitDefender\BitDefender 2008\Lang\log_format.xsl"?>

<ScanOptions

showWarnings="1" >

</ScanPaths>

<ScanObjects

scanViruses="1"

scanAddware="1"

scanSpyware="1"

scanApplications="1"

scanDialers="1"

scanRootkits="1"

<TargetSelection

heuristicScan="1"

scanArchives="1"

scanRegistryKeys="1"

scanRegistry="1"

scanCookies="1"

memoryProcesses="1"

scanBootSectors="1"

scanEmail="1"

scanAllFiles="1"

scanPackedFiles="1"

scanSubfolders="0"

includeExtensions=""

<TargetProcessing

infectedAction="3"

suspiciousAction="1"

hiddenAction="1"

</ScanOptions>

<EngineSummary

archivePlugins="41"

mailPlugins="6"

scanPlugins="12"

totalSignatures="960825"

systemPlugins="4"

unpackPlugins="7"

<ScanSummary

scannedItems="566"

infectedItems="1"

suspiciousItems="0"

resolvedItems="0"

scannedArchives="9"

bootSectorCount="5"

scannedDirectories="13"

inputOutputErrors="0"

virusesNumber="1"

scanTime="00:00:00:03"

filesPerSecond="55"

<FileSummary

scanned="167"

archives="9"

packed="2"

infected="1"

suspicious="0"

resolved="0"

deleted="0"

moved="0"

copied="0"

<RegistryKeySummary

scanned="359"

infected="0"

suspicious="0"

<CookieSummary

scanned="0"

infected="0"

suspicious="0"

<ProcessSummary

scanned="40"

infected="0"

suspicious="0"

<MailSummary

scanned="0"

infected="0"

suspicious="0"

</ScanSummary>

</ScanDetails>

</ScanSession>

adamian

We need more information... You may have a rootkit.

Please download Process Explorer from http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Take a screenshot with the Process Explorer window maximized. Save it.

In Process Explorer goto Find->Find Handle or DLL. Search for "icmp" (without quotes). Note the PIDs (the number from the second column from a svchost.exe process).

Go to that process with that PID, right click it and choose Properties (A window with multiple tabs should appear; you should select "Image" tab (it's selected by default)). Take a screenshot and save it. If there are more than one PIDs found at the step above repeat the process.

Send us the above screenshots.

Download Rootkit Revealer: http://technet.microsoft.com/en-us/sysinte...s/bb897445.aspx and do a scan. If anything is found save the list and send it to us.

stloco

This is info from Process Explorer

Process PID CPU Description Company Name

System Idle Process 0 91.26

Interrupts n/a 0.97 Hardware Interrupts

DPCs n/a Deferred Procedure Calls

System 4

smss.exe 404 Windows NT Session Manager Microsoft Corporation

csrss.exe 452 1.94 Client Server Runtime Process Microsoft Corporation

winlogon.exe 476 Windows NT Logon Application Microsoft Corporation

services.exe 520 1.94 Services and Controller app Microsoft Corporation

ati2evxx.exe 672

svchost.exe 684 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 776 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 812 0.97 Generic Host Process for Win32 Services Microsoft Corporation

wscntfy.exe 1972 Windows Security Center Notification App Microsoft Corporation

svchost.exe 868 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 968 Generic Host Process for Win32 Services Microsoft Corporation

spoolsv.exe 1104 Spooler SubSystem App Microsoft Corporation

btwdins.exe 1216 Bluetooth Support Server WIDCOMM, Inc.

MDM.EXE 1256 Machine Debug Manager Microsoft Corporation

HPZipm12.exe 1300 PML Driver HP

SMAgent.exe 1376 SoundMAX service agent component Analog Devices, Inc.

svchost.exe 1396 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1424 Generic Host Process for Win32 Services Microsoft Corporation

xcommsvr.exe 1460 BitDefender Communicator Server BitDefender

livesrv.exe 1488 BitDefender Security Service BitDefender S.R.L.

vsserv.exe 1584 BitDefender Security Service BitDefender S.R.L.

svchost.exe 1680 Generic Host Process for Win32 Services Microsoft Corporation

alg.exe 1708 Application Layer Gateway Service Microsoft Corporation

svchost.exe 980 Generic Host Process for Win32 Services Microsoft Corporation

lsass.exe 532 LSA Shell (Export Version) Microsoft Corporation

BTTray.exe 1960 Bluetooth Tray Application WIDCOMM, Inc.

svchost.exe 2168 Generic Host Process for Win32 Services Microsoft Corporation

explorer.exe 2000 Windows Explorer Microsoft Corporation

SynTPLpr.exe 1776 TouchPad Driver Helper Application Synaptics, Inc.

SynTPEnh.exe 564 Synaptics TouchPad Enhancements Synaptics, Inc.

bdagent.exe 1860 BitDefender Agent Application BitDefender S.R.L.

ctfmon.exe 1896 CTF Loader Microsoft Corporation

RootkitRevealer.exe 2456 Rootkit detection utility Sysinternals - www.sysinternals.com

procexp.exe 3476 2.91 Sysinternals Process Explorer Sysinternals

iexplore.exe 3364 Internet Explorer Microsoft Corporation

Next is Process PID CPU Description Company Name

System Idle Process 0 93.33

Interrupts n/a Hardware Interrupts

DPCs n/a Deferred Procedure Calls

System 4 0.95

smss.exe 404 Windows NT Session Manager Microsoft Corporation

csrss.exe 452 Client Server Runtime Process Microsoft Corporation

winlogon.exe 476 Windows NT Logon Application Microsoft Corporation

services.exe 520 2.86 Services and Controller app Microsoft Corporation

ati2evxx.exe 672

svchost.exe 684 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 776 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 812 0.95 Generic Host Process for Win32 Services Microsoft Corporation