help with infected computer

We have just started using BitDefender and our first virus report is below. We are not sure how to remove the multiple viruses on the report. Can someone please give us some advice.


Thanks for any help!


//-----------------------------------------------------------------
//
// Product BitDefender Antivirus Plus v10
// Product 10.2
//
// Created on: 14/06/2007 10:20:01
//
//-----------------------------------------------------------------

Virus Statistics
Scan path : C:\
F:\
G:\
Folders : 0
Files : 51
Memory processes scanned : 18
Archives : 3
Runtime packers : 1
Identified viruses : 2
Infected files : 2
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 1
Moved files : 0
I/O errors : 0
Scan time : 00:01:19
Scan speed (files/sec) : 0

Spyware Statistics
Registry keys scanned : 1787
Registry keys infected : 20
Cookies scanned : 4
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 3
Virus definitions : 561726
Scan plugins : 16
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5

Virus scan options
Detection
[X] Scan boot sectors
[X] Memory Processes
[ ] Scan archives
[X] Scan runtime packers
[X] Scan email
File mask
[X] Programs
[ ] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user
Virus scan options
[X] Enable warnings
[ ] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1181780401.log

Spyware scan options
[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies

Summary:
<System>=>C:\WINDOWS\scvhost.exe (disk) Infected: MemScan:Backdoor.VB.EV
<System>=>C:\WINDOWS\scvhost.exe (disk) Disinfection failed
<System>=>C:\WINDOWS\scvhost.exe (disk) Move failed
<System>=>C:\WINDOWS\scvhost.exe (full dump) Infected: Backdoor.VB.EV
<System>=>C:\WINDOWS\scvhost.exe (full dump) Disinfection failed
<System>=>C:\WINDOWS\scvhost.exe (full dump) Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Windows Update=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Windows Update=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Windows Update=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\msconfig=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\msconfig=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\msconfig=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\icq lite=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\icq lite=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\icq lite=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Update Checker=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Update Checker=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Update Checker=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\AntiVir=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\AntiVir=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\AntiVir=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\rpsys32=>C:\WINDOWS\RPSYS32.EXE Detected: Backdoor.Cakl.H
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\rpsys32=>C:\WINDOWS\RPSYS32.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\rpsys32=>C:\WINDOWS\RPSYS32.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\Windows Update=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\Windows Update=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\Windows Update=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\msconfig=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\msconfig=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\msconfig=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\icq lite=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\icq lite=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\icq lite=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\Update Checker=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\Update Checker=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\Update Checker=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\AntiVir=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\AntiVir=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\AntiVir=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\Windows Update=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\Windows Update=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\Windows Update=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\msconfig=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\msconfig=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\msconfig=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\icq lite=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\icq lite=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\icq lite=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\Update Checker=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\Update Checker=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\Update Checker=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\AntiVir=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\AntiVir=>C:\WINDOWS\SCVHOST.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\AntiVir=>C:\WINDOWS\SCVHOST.EXE Move failed
<System>=>HKEY_CLASSES_ROOT\MAGNET Detected: magne2t
<System>=>HKEY_CLASSES_ROOT\MAGNET Deleted
<System> Archive repacking successfully completed (actions successfully applied)
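The report above is easier to act on once its Summary lines are grouped per object: which detections were actually contained, which ones failed both the disinfect and the quarantine action (and are therefore still on disk), and which file names and autorun locations deserve a second look. The following script is an added example, not BitDefender's own tooling or anything posted in the thread. Its line format is taken from the report quoted above; the list of Windows binary names it compares against, the similarity threshold, and the sample lines (a subset of the summary, constructed here) are assumptions.

```python
# Added example (not BitDefender's tooling): triage the Summary section of a
# BitDefender scan report. Format taken from the thread; the system-binary
# list, threshold and sample data are assumptions.
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed sample: a subset of the summary lines quoted above, same format.
SAMPLE_SUMMARY = r"""
<System>=>C:\WINDOWS\scvhost.exe (disk) Infected: MemScan:Backdoor.VB.EV
<System>=>C:\WINDOWS\scvhost.exe (disk) Disinfection failed
<System>=>C:\WINDOWS\scvhost.exe (disk) Move failed
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Windows Update=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\msconfig=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\AntiVir=>C:\WINDOWS\SCVHOST.EXE Detected: MemScan:Backdoor.VB.EV
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\rpsys32=>C:\WINDOWS\RPSYS32.EXE Detected: Backdoor.Cakl.H
<System>=>HKEY_CLASSES_ROOT\MAGNET Detected: magne2t
<System>=>HKEY_CLASSES_ROOT\MAGNET Deleted
C:\WINDOWS\system32\drivers\etc\hosts Infected: Trojan.Hostblock.8CA
C:\WINDOWS\system32\drivers\etc\hosts Moved
<System> Archive repacking successfully completed (actions successfully applied)
"""

# An object, then either a verdict with a threat name or an action outcome.
LINE_RE = re.compile(
    r"^(?:<System>=>)?(?P<obj>.+?) "
    r"(?:(?P<verdict>Infected|Detected): (?P<threat>\S+)"
    r"|(?P<outcome>Disinfection failed|Move failed|Moved|Deleted))$")

# Assumed list of Windows binaries whose names malware commonly imitates.
KNOWN_SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "ctfmon.exe",
                         "explorer.exe", "winlogon.exe", "services.exe", "smss.exe")


def parse_summary(text):
    """Group summary lines by object: {object: {"threat": ..., "outcomes": [...]}}."""
    entries = {}
    for line in (ln.strip() for ln in text.splitlines()):
        m = LINE_RE.match(line)
        if not m:  # blank lines and status chatter such as 'Archive repacking'
            continue
        e = entries.setdefault(m["obj"], {"threat": None, "outcomes": []})
        if m["verdict"]:
            e["threat"] = m["threat"]
        else:
            e["outcomes"].append(m["outcome"])
    return entries


def split_object(obj):
    """Return (kind, registry_key_or_None, file_path_or_None) for a summary object."""
    if obj.startswith("HKEY_"):
        key, _, target = obj.partition("=>")
        return "registry", key, target or None
    return "file", None, re.sub(r" \((?:disk|full dump)\)$", "", obj)


def status(outcomes):
    """Contained (moved/deleted), still present (every action failed), or detected only."""
    if "Moved" in outcomes or "Deleted" in outcomes:
        return "contained"
    if "Move failed" in outcomes or "Disinfection failed" in outcomes:
        return "still present"
    return "detected only"


def lookalike_of(filename, threshold=0.8):
    """Name of the system binary this file name imitates, or None."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    ratio, known = max((SequenceMatcher(None, name, k).ratio(), k)
                       for k in KNOWN_SYSTEM_BINARIES)
    return known if ratio >= threshold else None


def persistence_index(entries):
    """Map each launched file (lower-cased) to the autorun values that reference it."""
    index = {}
    for obj in entries:
        kind, key, target = split_object(obj)
        if kind == "registry" and target:
            parent, _, value_name = key.rpartition("\\")
            index.setdefault(target.lower(), []).append(
                (parent.rpartition("\\")[2], value_name))
    return index


def triage(text):
    """One record per object with threat, containment status and analyst notes."""
    entries = parse_summary(text)
    index = persistence_index(entries)
    report = []
    for obj, e in entries.items():
        _, _, path = split_object(obj)
        notes = []
        if path:
            twin = lookalike_of(PureWindowsPath(path).name)
            if twin:
                notes.append(f"filename resembles system binary {twin}")
            refs = index.get(path.lower(), [])
            if len(refs) > 1:
                notes.append(f"registered in {len(refs)} autorun values")
        report.append({"object": obj, "threat": e["threat"],
                       "status": status(e["outcomes"]), "notes": notes})
    return report


if __name__ == "__main__":
    for r in triage(SAMPLE_SUMMARY):
        print(f"{r['status']:14} {r['threat'] or '-':24} {r['object']}")
        for n in r["notes"]:
            print(f"{'':14} note: {n}")
```

Run against the full report, the two signals that stand out are the ones a responder would want first: `scvhost.exe` (one letter transposed from `svchost.exe`) failed both the disinfect and the move action, so it is still on disk, and the same file is registered under many autorun value names (`Windows Update`, `msconfig`, `AntiVir`, ...) across the RUN, RUNONCE and RUNSERVICES keys, which is why a reboot brings it straight back.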

Comments

  • Hi Petejo


    I suggest that you try this:


    Download drwebcureit!: ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe Let it scan and remove infected files. But do not remove vsserv.exe or anything that is mentioned in the BitDefender installation folder, because then you have to repair BitDefender.


    Superantispyware: http://downloads2.superantispyware.com/dow...AntiSpyware.exe Install it and perform an update. Reboot your PC afterwards and press the F8 button several times before the Windows screen and choose Safe Mode. Start Superantispyware and perform a complete scan. Reboot your PC again, perform a new scan with BitDefender and post the result.


    Regards


    Niels

  • Thank you Niels


    I have followed the instructions you gave me. The only thing that did show up was vsserv.exe with drwebcureit so I left that as you said.


    Here is the report from the latest BitDefender scan.


    ----------------------------------------------------------------
    //
    // Product BitDefender Antivirus Plus v10
    // Product 10.2
    //
    // Created on: 14/06/2007 19:42:22
    //
    //-----------------------------------------------------------------

    Virus Statistics
    Scan path : C:\
    F:\
    G:\
    Folders : 0
    Files : 51
    Memory processes scanned : 18
    Archives : 3
    Runtime packers : 1
    Identified viruses : 0
    Infected files : 0
    Memory processes infected : 0
    Suspect files : 0
    Warnings : 0
    Disinfected files : 0
    Deleted files : 0
    Moved files : 0
    I/O errors : 0
    Scan time : 00:00:37
    Scan speed (files/sec) : 1

    Spyware Statistics
    Registry keys scanned : 1771
    Registry keys infected : 0
    Cookies scanned : 4
    Cookies infected : 0
    Spyware files infected : 0
    Spyware threats detected : 0
    Virus definitions : 556511
    Scan plugins : 16
    Archive plugins : 41
    Unpack plugins : 6
    Mail plugins : 6
    System plugins : 5

    Virus scan options
    Detection
    [X] Scan boot sectors
    [X] Memory Processes
    [ ] Scan archives
    [X] Scan runtime packers
    [X] Scan email
    File mask
    [X] Programs
    [ ] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;
    Action
    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Move to quarantine
    [ ] Prompt user
    Second action
    [ ] Ignore
    [ ] Delete
    [X] Move to quarantine
    [ ] Prompt user
    Virus scan options
    [X] Enable warnings
    [ ] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1181814142.log

    Spyware scan options
    [X] Scan for riskware
    [ ] Skip dial and applications from scan
    [X] Registry keys
    [X] Cookies


    This is all that showed on this last report. Is this OK?


    Thanks

  • Hi Petejo


    I suggest that you also perform a deep scan to be sure. Be careful because it can take a few hours.


    But when I look now at your log it's clean.


    Regards


    Niels

  • Thanks Niels


    I did a deep scan and it has shown there are two infections - the report is below. Also, every time we reboot the computer we have an error message that appears.


    the message is:


    C:\windows\system32\dig\ctfmon.exe


    The NTVDM CPU has encountered an illegal instruction.


    C5:0562 IP:0105 OP:63 31 2e 32 20 Choose 'Close' to terminate the application.


    It also has at the top of the message window: 16 bit MS-DOS Subsystem.


    Does this have anything to do with the infection problems?


    Thanks for your help


    //-----------------------------------------------------------------
    //
    // ProductBitDefender Internet Security v10
    // Product10.2
    //
    // Created on: 15/05/2007 01:04:36
    //
    //-----------------------------------------------------------------

    Virus Statistics
    Scan path : C:\
    F:\
    G:\
    Folders : 11721
    Files : 517492
    Memory processes scanned : 16
    Archives : 12105
    Runtime packers : 47252
    Identified viruses : 2
    Infected files : 2
    Memory processes infected : 0
    Suspect files : 0
    Warnings : 0
    Disinfected files : 0
    Deleted files : 0
    Moved files : 2
    I/O errors : 48
    Scan time : 01:00:32
    Scan speed (files/sec) : 142

    Spyware Statistics
    Registry keys scanned : 1776
    Registry keys infected : 0
    Cookies scanned : 9
    Cookies infected : 0
    Spyware files infected : 0
    Spyware threats detected : 0
    Virus definitions : 561670
    Scan plugins : 16
    Archive plugins : 41
    Unpack plugins : 6
    Mail plugins : 6
    System plugins : 5

    Virus scan options
    Detection
    [X] Scan boot sectors
    [X] Memory Processes
    [X] Scan archives
    [X] Scan runtime packers
    [X] Scan email
    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;
    Action
    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Move to quarantine
    [ ] Prompt user
    Second action
    [ ] Ignore
    [ ] Delete
    [X] Move to quarantine
    [ ] Prompt user
    Virus scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1179155076.log

    Spyware scan options
    [X] Scan for riskware
    [ ] Skip dial and applications from scan
    [X] Registry keys
    [X] Cookies

    Summary:
    C:\WINDOWS\system32\drivers\etc\hosts Infected: Trojan.Hostblock.8CA
    C:\WINDOWS\system32\drivers\etc\hosts Disinfection failed
    C:\WINDOWS\system32\drivers\etc\hosts Moved
    C:\WINDOWS\system32\fpx.ini Infected: Trojan.Mirc.Flood.AW
    C:\WINDOWS\system32\fpx.ini Disinfection failed
    C:\WINDOWS\system32\fpx.ini Moved

  • Hi Petejo


    The process ctfmon.exe is legit, but its normal place is the System32 folder and not a subfolder called dig. The legit one must have the description CTF Loader, Microsoft Corporation; right-click on it, choose Properties, Version, and there you must normally see Microsoft Corporation also with details. If that isn't the case it's likely malware. Delete the subfolder dig. Which Windows version are you using?


    Go to Start, Run, at the Run dialog box type msconfig, press Enter, go to start up/boot (it could have a different name because I don't have an English Windows version). If you see a reference to ctfmon, uncheck it and press on Apply and OK. Verify these items by entering them on this website: http://castlecops.com/StartupList.html If you see an X or N then you can delete it. After that go to Start, All Programs, start up/boot and look for any references to ctfmon. If you find one, delete it by selecting it and pressing Delete. Finally go to Start, Run, type regedit, press Enter. Open the key HKEY_LOCAL_MACHINE by pressing on the +-icon. After that open the following folders and subfolders: Software, Microsoft, Windows, CurrentVersion, Run. Now you will see at the right side ab-icons which are all items that start together with Windows. Verify these items by entering them on this website: http://castlecops.com/StartupList.html If you see an X or N then you can delete it.


    BitDefender has quarantined the other infected files. So these items will not harm your computer.


    Regards


    Niels
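The manual checks in the post above (is a well-known binary name being launched from somewhere other than its normal folder, and is the file what it claims to be) can be applied mechanically to a list of autorun entries. The script below is an added example, not the forum's or BitDefender's code. It assumes an XP-era layout with the system root at C:\WINDOWS, a small hand-made table of where well-known binaries live, and constructed sample entries and file images in place of a live registry and disk. The second check rests on a fact the thread's error message already hints at: a genuine ctfmon.exe is a 32-bit PE image, whereas the "16 bit MS-DOS Subsystem" / NTVDM error is what Windows shows when it runs a 16-bit image, so a file with that name whose headers carry no PE signature is not the real loader.

```python
# Added example (not BitDefender's or the forum's tooling): audit autorun entries
# the way the post above does by hand. Assumed: system root C:\WINDOWS, a small
# table of expected locations, and constructed entries/images instead of a live
# registry and disk.
import re
from pathlib import PureWindowsPath

# Assumed expected parent directory for binaries that malware likes to imitate.
EXPECTED_DIR = {
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample entries: (source key, value name, command line).
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\dig\ctfmon.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "icq lite",
     r'"C:\Program Files\ICQLite\ICQLite.exe" -minimize'),
]


def exe_from_command(command):
    """Extract the executable path from an autorun command line."""
    cmd = command.strip()
    if cmd.startswith('"'):  # "C:\path with spaces\x.exe" args
        return cmd[1:].partition('"')[0]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)  # unquoted, may contain spaces
    return m.group(1) if m else cmd.split()[0]


def executable_kind(data):
    """Classify an image by its headers: PE32/PE32+, or an MZ image with no PE part."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an MZ executable"
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "16-bit DOS/NE image (runs under NTVDM)"
    magic = int.from_bytes(data[e_lfanew + 24:e_lfanew + 26], "little")
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown optional header)")


def audit_autoruns(entries, read_bytes):
    """Location and image-format checks; read_bytes(path) -> bytes or None."""
    findings = []
    for source, name, command in entries:
        exe = exe_from_command(command)
        p = PureWindowsPath(exe)
        base, parent = p.name.lower(), str(p.parent).lower()
        issues = []
        expected = EXPECTED_DIR.get(base)
        if expected and parent != expected:
            issues.append(f"{base} expected in {expected}, found in {parent}")
        data = read_bytes(exe)
        if data is not None:
            kind = executable_kind(data)
            if not kind.startswith("PE32"):
                issues.append(f"image format: {kind}")
        findings.append({"source": source, "name": name, "exe": exe, "issues": issues})
    return findings


# --- constructed stand-ins for the disk, so the example runs anywhere ---
def minimal_pe32_image():
    """Smallest byte string executable_kind() accepts as PE32 (headers only)."""
    img = bytearray(0x40 + 26)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature
    img[0x40:0x44] = b"PE\0\0"
    img[0x58:0x5A] = (0x10B).to_bytes(2, "little")  # optional header magic
    return bytes(img)


def dos_only_image():
    """MZ header with no PE signature: what a 16-bit program looks like."""
    return b"MZ" + bytes(0x3E)


FAKE_DISK = {
    r"c:\windows\system32\dig\ctfmon.exe": dos_only_image(),
    r"c:\windows\system32\ctfmon.exe": minimal_pe32_image(),
}


def sample_reader(path):
    return FAKE_DISK.get(path.lower())


def read_from_disk(path):
    """Real reader: first 1 KiB of the file, or None if it cannot be opened."""
    try:
        with open(path, "rb") as f:
            return f.read(1024)
    except OSError:
        return None


if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_ENTRIES, sample_reader):
        print(f"{f['name']:12} {f['exe']}")
        for issue in f["issues"]:
            print(f"{'':12} -> {issue}")
```

On a real machine the entries come from the keys the post names (Run, RunOnce and RunServices under HKLM and HKCU; `reg query` or Python's winreg module will list them) plus the Startup folder, and `read_from_disk` replaces `sample_reader`. The two checks are deliberately narrow and cheap: they do not prove a file is malicious, but a known Microsoft name running from an unexpected folder, or a supposed 32-bit loader that is really a 16-bit image, is exactly the kind of entry worth submitting for analysis rather than trusting.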

  • Hi Petejo,


    Take a look here: http://www.neuber.com/taskmanager/process/ctfmon.exe.html


    ctfmon.exe is always in C:\Windows\System32 and it must not have any other copies anywhere else. I'm almost sure that what you have is a virus. You have to delete it.


    Also, before deleting it, please put it in a zip archive (protected by the password infected) and attach it to your next post. If you do this, BD Virus Analysts will inspect the file and add it to the BD Virus Database. After this, BD will be able to clean your system of any traces of the virus.


    Cris.