Multiple Malware In System32

Need help in removing multiple malware in windows system32. BD could not take any possible action & I'm unable to delete them manually. Below is the log file.


BitDefender Log File

Product : BitDefender Internet Security 2008
Version : BitDefender UIScanner v.11
Log date : 00:36:17 14/10/2008
Log path : C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1223915777_1_02.xml

Scan Paths:
Path0000: C:\

Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes

Target selection options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing:
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None

Scan engines summary:
Number of virus signatures : 1869679
Archive plugins : 43
Email plugins : 6
Scan plugins : 12
Archive plugins : 43
System plugins : 5
Unpack plugins : 7

Overall scan summary:
Scanned items : 250663
Infected items : 20
Suspicious items : 0
Resolved items : 15
Individual viruses found : 14
Scanned directories : 6615
Scanned boot sectors : 3
Scanned archives : 9382
Input-output errors : 25
Scan time : 00:00:53:24
Files per second : 77

Scanned processes summary:
Scanned : 80
Infected : 0

Scanned registry keys summary:
Scanned : 1483
Infected : 0

Scanned cookies summary:
Scanned : 0
Infected : 0

Remaining issues:
Object Name | Threat Name | Final Status
[system]=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\ICF\ImagePath=>C:\WINDOWS\SYSTEM32\SVCHOST.EXE:EXT.EXE | BehavesLike:Win32.ExplorerHijack | No action was possible
[system]=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\WINCTRL32\DLLName=>C:\WINDOWS\SYSTEM32\WINCTRL32.DLL | Trojan.Dropper.Kobcka.Gen.1 | No action was possible
[system]=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\lphc3c7j0ecd9=>C:\WINDOWS\SYSTEM32\LPHC3C7J0ECD9.EXE | Trojan.FakeAV.1.Gen | No action was possible
[system]=>HKEY_USERS\S-1-5-21-150597262-1105282853-3413232892-1006\CONTROL PANEL\DESKTOP\SCRNSAVE.EXE=>C:\WINDOWS\SYSTEM32\BLPHC3C7J0ECD9.SCR | Trojan.FakeAlert.AFW | No action was possible
[system]=>HKEY_USERS\S-1-5-21-150597262-1105282853-3413232892-1006\CONTROL PANEL\DESKTOP\Wallpaper=>C:\WINDOWS\SYSTEM32\PHC3C7J0ECD9.BMP | Trojan.FakeAlert.AGJ | No action was possible

Resolved issues:
Object Name | Threat Name | Final Status
C:\temp\.tt12.tmp.vbs | Application.CleanSystemRestore.A | Moved to Quarantine
C:\temp\.tt13.tmp.vbs | Application.CleanSystemRestore.A | Moved to Quarantine
C:\temp\.tt14.tmp.vbs | Application.CleanSystemRestore.A | Moved to Quarantine
C:\temp\.tt15.tmp.vbs | Application.CleanSystemRestore.A | Moved to Quarantine
C:\temp\.tt84.tmp.vbs | Application.CleanSystemRestore.A | Moved to Quarantine
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01234567\w32tms[1].exe | BehavesLike:Win32.ExplorerHijack | Moved to Quarantine
[system]=>C:\WINDOWS\msauc.exe (memory dump) | Trojan.Agent.AJCH | Deleted
[system]=>C:\WINDOWS\System32\rs32net.exe (memory dump) | Trojan.Agent.AKIA | Deleted
C:\WINDOWS\system32\WinCtrl32.dll | Trojan.Dropper.Kobcka.Gen.1 | Moved to Quarantine
C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP132\A0045994.exe | Trojan.FakeAV.1.Gen | Moved to Quarantine
[system]=>C:\WINDOWS\system32\lphc3c7j0ecd9.exe (memory dump) | Trojan.FakeAlert.AFW | Deleted
C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP132\A0045995.scr | Trojan.FakeAlert.AFW | Deleted
C:\WINDOWS\system32\phc3c7j0ecd9.bmp | Trojan.FakeAlert.AGJ | Deleted
C:\Documents and Settings\Isaac David Ampil II\Shared\wanna ask somebody .mp3 | Trojan.Wimad.Gen.1 | Disinfected
C:\Documents and Settings\Isaac David Ampil II\Shared\wanna get somebody .mp3 | Trojan.Wimad.Gen.1 | Disinfected

Objects that were not scanned:
Object Name | Reason | Final Status
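As an added illustration, not part of the original post or of BitDefender's tooling, the PowerShell script below inspects the five "No action was possible" entries from the log above. None of them is a loose file; each is a persistence point: a service whose ImagePath is an NTFS alternate data stream riding on the real svchost.exe (`SVCHOST.EXE:EXT.EXE`), a Winlogon Notify DLL that winlogon.exe loads at every logon (Safe Mode included, which is why a Safe Mode scan leaves it locked), a per-machine Run value, and the user's screensaver and wallpaper. The script reads each registry value, checks whether the referenced file is on disk and currently held open, and lists alternate data streams on the host file. Key paths, value names, file names and the SID are copied from the log; the assumptions are an elevated PowerShell 3.0+ prompt, CurrentControlSet in place of the log's CONTROLSET001, and that the user's hive under HKEY_USERS is loaded (the user is logged on).

```powershell
# Added example (not from the original post): read-only triage of the entries
# BitDefender left as "No action was possible". Run elevated in PowerShell 3.0+
# (Get-Item -Stream needs 3.0). CurrentControlSet is assumed to be the log's
# CONTROLSET001; the HKEY_USERS\<SID> hive must be loaded, i.e. that user logged on.

$Sid = 'S-1-5-21-150597262-1105282853-3413232892-1006'   # user SID from the log

# Where each autostart lives, which value holds the path, and why it resists deletion.
$Persistence = @(
    @{ Entry = 'Service ICF'
       Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\ICF'
       Value = 'ImagePath'
       Why   = 'service binary is an NTFS alternate data stream hidden on the real svchost.exe' }
    @{ Entry = 'Winlogon Notify WinCtrl32'
       Key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32'
       Value = 'DLLName'
       Why   = 'DLL is loaded into winlogon.exe at every logon, Safe Mode included, so it stays locked' }
    @{ Entry = 'Run value lphc3c7j0ecd9'
       Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Value = 'lphc3c7j0ecd9'
       Why   = 'per-machine Run autostart for the fake AV executable' }
    @{ Entry = 'Screensaver'
       Key   = "Registry::HKEY_USERS\$Sid\Control Panel\Desktop"
       Value = 'SCRNSAVE.EXE'
       Why   = 'rogue .scr is started as this user''s screensaver' }
    @{ Entry = 'Wallpaper'
       Key   = "Registry::HKEY_USERS\$Sid\Control Panel\Desktop"
       Value = 'Wallpaper'
       Why   = 'fake-alert bitmap shown as the desktop background' }
)

function Get-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)
    # Every file carries the unnamed ':$DATA' stream; anything else is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

function Test-FileLocked {
    param([Parameter(Mandatory)][string]$Path)
    # An exclusive ReadWrite open fails with a sharing violation when a process
    # (or a mapped image section, e.g. a loaded DLL) holds the file.
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
        $fs.Close()
        return $false
    } catch [System.UnauthorizedAccessException] {
        return 'AccessDenied (run elevated)'
    } catch [System.IO.IOException] {
        return $true
    }
}

function Get-PersistenceReport {
    foreach ($p in $Persistence) {
        $target = $null
        if (Test-Path -LiteralPath $p.Key) {
            $target = (Get-ItemProperty -LiteralPath $p.Key -ErrorAction SilentlyContinue).($p.Value)
        }
        # Reduce "C:\...\SVCHOST.EXE:EXT.EXE" (host file + stream) or a quoted
        # command line to the host file path; REG_EXPAND_SZ is already expanded.
        $file = $null; $ads = $null
        if ($target -and $target -match '^"?(?<file>[^"]+?\.(exe|dll|scr|bmp))(?::(?<stream>[^\s"]+))?') {
            $file = $Matches.file
            if ($Matches.stream) {
                $ads = Get-AlternateDataStreams -Path $file | Where-Object Stream -eq $Matches.stream
            }
        }
        $exists = [bool]$file -and (Test-Path -LiteralPath $file)
        [pscustomobject]@{
            Entry  = $p.Entry
            Target = $target
            OnDisk = $exists
            Locked = if ($exists) { Test-FileLocked -Path $file } else { $null }
            ADS    = if ($ads) { '{0} ({1} bytes)' -f $ads.Stream, $ads.Length } else { '' }
            Why    = $p.Why
        }
    }
}

Get-PersistenceReport | Format-List
```

An entry that reports OnDisk true and Locked true is the one a file-level delete will keep failing on; the fix is to remove the registry value that loads it and delete the file after the next boot, not to fight the lock. The ADS column is the check for the first entry: the stream on svchost.exe is the malware, and svchost.exe itself must stay.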

Comments

  • Hello docampil,


    Please reboot your PC into safe mode. Just reboot your PC but keep pressing the F8 button several times before you see the Windows splash screen. Select safe mode and press Enter. Log in with your account. Once you are in Windows (safe mode), click on Start, Programs, BitDefender 2009, BitDefender Manual Scan, and check what you want to scan. I advise that you scan your entire drive, or you can set it to only scan the Windows folder and its subfolders; then press OK.


    Kind regards,


    Niels

  • Hi, I have the same problem, & I've already tried your solution (safe mode & manual scan), but the virus still exists. Any suggestion? Please help. I attached the log file, thank you.

    Attachment: 1228894730_1_02.xml

  • I think the virus now infects legitimate .exe files, or the file is write-protected.

  • I once had the same problem; it was a process named msupdate.exe (http://www.processlibrary.com/directory/files/msupdate/)


    It was in the System32 folder and was not being removed, giving me the same errors you got. What I did was view all hidden files, including system files, and manually delete it from the System32 folder. In case I get an error, I always have Unlocker running, which helps me deal with situations like these. If it isn't deleted at first, Unlocker deletes it at system startup. Give it a shot.


    I've been using BD for 2 years and always face the common problems which the BD team somehow does not manage to fix. Like right now, my bdagent icon in the system tray is gray and says that services are not responding, even though seccenter.exe, bdagent.exe and vsserv.exe are all shown in the Task Manager.

  • Please do this:


    Can you please download ComboFix; you will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post.

  • JGray152
    edited January 2009

    For stubborn virus files, I have been using a program called "Unlocker 1.7", a program that helps to "unlock" the file from Windows processes to eliminate the "Error Deleting, File in use" error you get all the time.


    Link: http://ccollomb.free.fr/unlocker/


    I find this helps a lot. Safe mode doesn't always work, but when playing around with Unlocker, after one attempt I can usually delete the file. Sometimes it takes several attempts.


    Be careful though: your computer can crash or hang while doing this. It's not a permanent issue, though; a reboot will bring your computer back to good standing. I have noticed that instead of trying to delete the file with this program, renaming it seems to be a bit safer.


    Take care.


    Autoruns. Another program listed on the Microsoft site (not designed by MS). Lists ALL startup processes and reg keys. This program helps to disable startup entries and can help reduce and eliminate current virus threats.


    I run this program alongside the Unlocker program to "clean up" the startup entries for the virus. Make sure you are disconnected from the internet while performing all this, just in case it tries to download something while you remove it.


    CCleaner is another program I use to do a final cleanup after removing the main virus files.
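Added example, not written by any poster in this thread: the manual procedure the comments describe (disconnect from the network, disable the startup entries, then delete or rename the locked files, then clean up) carried out as a PowerShell script against the specific entries in the log at the top of the thread. It backs up each registry key, removes the autostarts, deletes what it can, and schedules the rest for deletion at reboot through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, the standard Windows delay-until-reboot mechanism that tools such as Unlocker also rely on for "delete at next reboot". Key and value names, file paths and the SID come from the log; the backup folder name and the use of CurrentControlSet in place of the log's CONTROLSET001 are assumptions, and the HKEY_USERS hive for that SID must be loaded (the user logged on).

```powershell
# Added example (not from the original thread). Run elevated in PowerShell 3.0+
# with the network cable unplugged. Assumptions: backup folder name below,
# CurrentControlSet == the log's CONTROLSET001, HKEY_USERS\<SID> hive loaded.

$ErrorActionPreference = 'Stop'
$Sid    = 'S-1-5-21-150597262-1105282853-3413232892-1006'   # user SID from the log
$Backup = Join-Path $env:SystemDrive ('malware-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Backup | Out-Null

# 1. Export every key before touching it so the change can be reverted with "reg import".
$Keys = @(
    'HKLM\SYSTEM\CurrentControlSet\Services\ICF'
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32'
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    "HKU\$Sid\Control Panel\Desktop"
)
for ($i = 0; $i -lt $Keys.Count; $i++) {
    & reg.exe export $Keys[$i] (Join-Path $Backup "key$i.reg") | Out-Null
}

# 2. Remove the autostarts. This, not deleting files, is what stops winlogon.exe and
#    the service from re-opening (and re-locking) the malware at the next boot.
$desktop = "Registry::HKEY_USERS\$Sid\Control Panel\Desktop"
Remove-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'lphc3c7j0ecd9' -ErrorAction SilentlyContinue
Remove-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32' `
    -Recurse -ErrorAction SilentlyContinue
& sc.exe stop ICF   | Out-Null
& sc.exe delete ICF | Out-Null
Remove-ItemProperty -LiteralPath $desktop -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue
Set-ItemProperty    -LiteralPath $desktop -Name 'Wallpaper' -Value ''

# 3. Delete the malware files; anything still locked is queued for deletion at reboot.
#    MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) records the path under
#    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations,
#    which the Session Manager processes before services or logon DLLs are loaded.
$Native = Add-Type -Namespace Cleanup -Name Native -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string existing, string replacement, int flags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

$Files = @(
    'C:\WINDOWS\system32\WinCtrl32.dll'
    'C:\WINDOWS\system32\lphc3c7j0ecd9.exe'
    'C:\WINDOWS\system32\blphc3c7j0ecd9.scr'
    'C:\WINDOWS\system32\phc3c7j0ecd9.bmp'
)
foreach ($f in $Files) {
    if (-not (Test-Path -LiteralPath $f)) { "not present: $f"; continue }
    try {
        Remove-Item -LiteralPath $f -Force
        "deleted: $f"
    } catch {
        # A null replacement name means "delete" at reboot.
        if ($Native::MoveFileEx($f, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            "locked, scheduled for deletion at reboot: $f"
        } else {
            "FAILED (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())): $f"
        }
    }
}

# 4. The service binary is an alternate data stream on the real svchost.exe. Remove only
#    the stream, never svchost.exe itself. If the stream is still locked, reboot first
#    (the ICF service is gone by then) and run this step again.
try {
    Remove-Item -LiteralPath 'C:\WINDOWS\system32\svchost.exe' -Stream 'ext.exe'
    'deleted stream: svchost.exe:ext.exe'
} catch {
    "stream still locked or absent: svchost.exe:ext.exe ($($_.Exception.Message))"
}

# 5. Show what is queued for the next boot, then reboot and re-run the scanner.
Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
    -Name PendingFileRenameOperations -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PendingFileRenameOperations
```

Two caveats a practitioner would add to the thread's advice. First, renaming a locked file (as suggested above) does not stop it from being loaded if the registry value is updated by the malware on its next run, so step 2 must come before any file operation. Second, a queued deletion only takes effect if nothing recreates the autostart before the reboot, which is why the network stays unplugged until the post-reboot scan comes back clean.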