Multiple Malware In System32

Need help in removing multiple malware in windows system32. BD could not take any possible action & I'm unable to delete them manually. Below is the log file.

BitDefender Log File !!!!!

Product : BitDefender Internet Security 2008

Version : BitDefender UIScanner v.11

Log date : 00:36:17 14/10/2008

Log path : C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1223915777_1_02.xml

Scan Paths:Path0000: C:\

Scan Options:Scan for viruses : Yes

Scan for adware : Yes

Scan for spyware : Yes

Scan for applications : Yes

Scan for dialers : Yes

Scan for rootkits : Yes

Target selection options:Scan registry keys : Yes

Scan cookies : Yes

Scan boot sectors : Yes

Scan memory processes : Yes

Scan archives : Yes

Scan runtime packers : Yes

Scan emails : Yes

Scan all files : Yes

Heuristic Scan : Yes

Scanned extensions :

Excluded extensions :

Target ProcessingDefault action for infected objects : Disinfect

Default action for suspicious objects : None

Default action for hidden objects : None

Scan engines summaryNumber of virus signatures : 1869679

Archive plugins : 43

Email plugins : 6

Scan plugins : 12

Archive plugins : 43

System plugins : 5

Unpack plugins : 7

Overall scan summaryScanned items : 250663

Infected items : 20

Suspicious items : 0

Resolved items : 15

Individual viruses found : 14

Scanned directories : 6615

Scanned boot sectors : 3

Scanned archives : 9382

Input-output errors : 25

Scan time : 00:00:53:24

Files per second : 77

Scanned processes summaryScanned : 80

Infected : 0

Scanned registry keys summaryScanned : 1483

Infected : 0

Scanned cookies summaryScanned : 0

Infected : 0

Remaining issues:Object Name Threat Name Final Status

[system]=]HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\ICF\ImagePath=]C:\WINDOWS\SYSTEM32\SVCHOST.EXE:EXT.EXE BehavesLike:Win32.ExplorerHijack No action was possible

[system]=]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\WINCTRL32\DLLName=]C:\WINDOWS\SYSTEM32\WINCTRL32.DLL Trojan.Dropper.Kobcka.Gen.1 No action was possible

[system]=]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\lphc3c7j0ecd9=]C:\WINDOWS\SYSTEM32\LPHC3C7J0ECD9.EXE Trojan.FakeAV.1.Gen No action was possible

[system]=]HKEY_USERS\S-1-5-21-150597262-1105282853-3413232892-1006\CONTROL PANEL\DESKTOP\SCRNSAVE.EXE=]C:\WINDOWS\SYSTEM32\BLPHC3C7J0ECD9.SCR Trojan.FakeAlert.AFW No action was possible

[system]=]HKEY_USERS\S-1-5-21-150597262-1105282853-3413232892-1006\CONTROL PANEL\DESKTOP\Wallpaper=]C:\WINDOWS\SYSTEM32\PHC3C7J0ECD9.BMP Trojan.FakeAlert.AGJ No action was possible

Resolved issues:Object Name Threat Name Final Status

C:\temp\.tt12.tmp.vbs Application.CleanSystemRestore.A Moved to Quarantine

C:\temp\.tt13.tmp.vbs Application.CleanSystemRestore.A Moved to Quarantine

C:\temp\.tt14.tmp.vbs Application.CleanSystemRestore.A Moved to Quarantine

C:\temp\.tt15.tmp.vbs Application.CleanSystemRestore.A Moved to Quarantine

C:\temp\.tt84.tmp.vbs Application.CleanSystemRestore.A Moved to Quarantine

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01234567\w32tms[1].exe BehavesLike:Win32.ExplorerHijack Moved to Quarantine

[system]=]C:\WINDOWS\msauc.exe (memory dump) Trojan.Agent.AJCH Deleted

[system]=]C:\WINDOWS\System32\rs32net.exe (memory dump) Trojan.Agent.AKIA Deleted

C:\WINDOWS\system32\WinCtrl32.dll Trojan.Dropper.Kobcka.Gen.1 Moved to Quarantine

C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP132\A0045994.exe Trojan.FakeAV.1.Gen Moved to Quarantine

[system]=]C:\WINDOWS\system32\lphc3c7j0ecd9.exe (memory dump) Trojan.FakeAlert.AFW Deleted

C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP132\A0045995.scr Trojan.FakeAlert.AFW Deleted

C:\WINDOWS\system32\phc3c7j0ecd9.bmp Trojan.FakeAlert.AGJ Deleted

C:\Documents and Settings\Isaac David Ampil II\Shared\wanna ask somebody .mp3 Trojan.Wimad.Gen.1 Disinfected

C:\Documents and Settings\Isaac David Ampil II\Shared\wanna get somebody .mp3 Trojan.Wimad.Gen.1 Disinfected

Objects that were not scanned:Object Name Reason Final Status

Find more posts tagged with

Comments

Niels

Hello docampil,

Please reboot your pc into safe mode. Just reboot your pc but keep pressing several times on the F8 button before you see the windows splash screen. Select safe mode and press enter. Log in with your account. Once you are in windows (safe mode) click on start,programs,bitdefender 2009,bitdefender manual scan, check what you want to scan. I advice that you scan your entire drive or you can just set to only scan the windows folder and its subfolders press on ok.

Kind regards,

Niels

budicsmg

Hello docampil,

Please reboot your pc into safe mode. Just reboot your pc but keep pressing several times on the F8 button before you see the windows splash screen. Select safe mode and press enter. Log in with your account. Once you are in windows (safe mode) click on start,programs,bitdefender 2009,bitdefender manual scan, check what you want to scan. I advice that you scan your entire drive or you can just set to only scan the windows folder and its subfolders press on ok.

Kind regards,

Niels

Hi, I have the same problem, & I've already tried your solution (save mode & manual scan), but the virus still exist, any suggestion? please help. I attached the log file, thank you.

/applications/core/interface/file/attachment.php?id=4272" data-fileid="4272" rel="">1228894730_1_02.xml

1228894730_1_02.xml

eduardo0

Hi, I have the same problem, & I've already tried your solution (save mode & manual scan), but the virus still exist, any suggestion? please help. I attached the log file, thank you.

i think the virus now infect legimate .exe files. or the file is write protected.

aayman_farzand

I once had the same problem, it was a proces named msupdate.exe (http://www.processlibrary.com/directory/files/msupdate/)

It was in the System32 folder, it was not being removed, giving me the same errors you got. What I did was vew all hidden files including system files, and manually deleted it from the system32 folder. In case I got an error, I always have Unlocker running which helps me deal with situations like these. If it isnt deleted at first, unlocker deletes it at system startup. Give it a shot.

I've been using BD for 2 years, and always face the common problems which the BD team someway does not manage to fix. Like right now, my bdagent icon in the system tray is gray, and says that services are not responding even though seccenter.exe, bdagent.exe and vsserv.exe are all shown in the Task Manager.

rootkit

Please do this:

Can you please download combofix you will find it here. Print the following instructions and read them carefully. Please post the output of the scan into your next post.

JGray152

For stuborn virus files, I have been using a program called "Unlocker 1,7" A program that helps to "unlock" the file from windows process' to eliminate the "Error Deleting, File in use" error you get all the time.

Link: http://ccollomb.free.fr/unlocker/

I find this helps a lot. Safe mode doesn't always work but when playing around with Unlocker, after 1 attempt I can usually delete the file. Sometimes it takes several attempts.

Be careful though, you computer can crash or hang up doing this. Its not a perm issue though, a reboot will bring your computer back to good standing. I have noticed that instead of trying to delete the file with this program, renaming it seems to be a bit safer.

Take care.

AutoRuns. Another program listed on the microsoft site (not designed by MS). Lists ALL startup process' and reg keys. This program helps to disable startup entrys and can help reduce and eliminate current virus threats.

I run this program along side the Unlocker program to "cleanup" the startup entrie for the virus. Make sure you are disconnected from the internet while performing all this. Just in case it will try to download something while you remove it.

CCleaner is another proram I use to do a final cleanup after removing the main virus files.