Multiple Malware In System32
Need help in removing multiple malware in windows system32. BD could not take any possible action & I'm unable to delete them manually. Below is the log file.
BitDefender Log File !!!!!
Product : BitDefender Internet Security 2008
Version : BitDefender UIScanner v.11
Log date : 00:36:17 14/10/2008
Log path : C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1223915777_1_02.xml
Scan Paths:
Path0000: C:\
Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes
Target selection options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :
Target Processing
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Scan engines summary
Number of virus signatures : 1869679
Archive plugins : 43
Email plugins : 6
Scan plugins : 12
Archive plugins : 43
System plugins : 5
Unpack plugins : 7
Overall scan summary
Scanned items : 250663
Infected items : 20
Suspicious items : 0
Resolved items : 15
Individual viruses found : 14
Scanned directories : 6615
Scanned boot sectors : 3
Scanned archives : 9382
Input-output errors : 25
Scan time : 00:00:53:24
Files per second : 77
Scanned processes summary
Scanned : 80
Infected : 0
Scanned registry keys summary
Scanned : 1483
Infected : 0
Scanned cookies summary
Scanned : 0
Infected : 0
Remaining issues:
Object Name Threat Name Final Status
[system]=]HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\ICF\ImagePath=]C:\WINDOWS\SYSTEM32\SVCHOST.EXE:EXT.EXE BehavesLike:Win32.ExplorerHijack No action was possible
[system]=]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\WINCTRL32\DLLName=]C:\WINDOWS\SYSTEM32\WINCTRL32.DLL Trojan.Dropper.Kobcka.Gen.1 No action was possible
[system]=]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\lphc3c7j0ecd9=]C:\WINDOWS\SYSTEM32\LPHC3C7J0ECD9.EXE Trojan.FakeAV.1.Gen No action was possible
[system]=]HKEY_USERS\S-1-5-21-150597262-1105282853-3413232892-1006\CONTROL PANEL\DESKTOP\SCRNSAVE.EXE=]C:\WINDOWS\SYSTEM32\BLPHC3C7J0ECD9.SCR Trojan.FakeAlert.AFW No action was possible
[system]=]HKEY_USERS\S-1-5-21-150597262-1105282853-3413232892-1006\CONTROL PANEL\DESKTOP\Wallpaper=]C:\WINDOWS\SYSTEM32\PHC3C7J0ECD9.BMP Trojan.FakeAlert.AGJ No action was possible
Resolved issues:
Object Name Threat Name Final Status
C:\temp\.tt12.tmp.vbs Application.CleanSystemRestore.A Moved to Quarantine
C:\temp\.tt13.tmp.vbs Application.CleanSystemRestore.A Moved to Quarantine
C:\temp\.tt14.tmp.vbs Application.CleanSystemRestore.A Moved to Quarantine
C:\temp\.tt15.tmp.vbs Application.CleanSystemRestore.A Moved to Quarantine
C:\temp\.tt84.tmp.vbs Application.CleanSystemRestore.A Moved to Quarantine
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01234567\w32tms[1].exe BehavesLike:Win32.ExplorerHijack Moved to Quarantine
[system]=]C:\WINDOWS\msauc.exe (memory dump) Trojan.Agent.AJCH Deleted
[system]=]C:\WINDOWS\System32\rs32net.exe (memory dump) Trojan.Agent.AKIA Deleted
C:\WINDOWS\system32\WinCtrl32.dll Trojan.Dropper.Kobcka.Gen.1 Moved to Quarantine
C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP132\A0045994.exe Trojan.FakeAV.1.Gen Moved to Quarantine
[system]=]C:\WINDOWS\system32\lphc3c7j0ecd9.exe (memory dump) Trojan.FakeAlert.AFW Deleted
C:\System Volume Information\_restore{74596469-0A02-4C9E-9303-6035F91A9AB2}\RP132\A0045995.scr Trojan.FakeAlert.AFW Deleted
C:\WINDOWS\system32\phc3c7j0ecd9.bmp Trojan.FakeAlert.AGJ Deleted
C:\Documents and Settings\Isaac David Ampil II\Shared\wanna ask somebody .mp3 Trojan.Wimad.Gen.1 Disinfected
C:\Documents and Settings\Isaac David Ampil II\Shared\wanna get somebody .mp3 Trojan.Wimad.Gen.1 Disinfected
Objects that were not scanned:
Object Name Reason Final Status
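The unresolved entries in the log are the part worth reading closely: each names a registry value that loads a file the scanner could not touch, and one of them points at an NTFS alternate data stream attached to the real svchost.exe. As an added example (not from the original post or from BitDefender), this Python snippet parses those five lines, labels the persistence mechanism behind each registry value, and flags the alternate-data-stream path; the sample input is copied from the posted log.

```python
import re

# Sample input: the five "Remaining issues" lines copied from the posted log.
SAMPLE_LOG = r"""
[system]=]HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\ICF\ImagePath=]C:\WINDOWS\SYSTEM32\SVCHOST.EXE:EXT.EXE BehavesLike:Win32.ExplorerHijack No action was possible
[system]=]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\WINCTRL32\DLLName=]C:\WINDOWS\SYSTEM32\WINCTRL32.DLL Trojan.Dropper.Kobcka.Gen.1 No action was possible
[system]=]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\lphc3c7j0ecd9=]C:\WINDOWS\SYSTEM32\LPHC3C7J0ECD9.EXE Trojan.FakeAV.1.Gen No action was possible
[system]=]HKEY_USERS\S-1-5-21-150597262-1105282853-3413232892-1006\CONTROL PANEL\DESKTOP\SCRNSAVE.EXE=]C:\WINDOWS\SYSTEM32\BLPHC3C7J0ECD9.SCR Trojan.FakeAlert.AFW No action was possible
[system]=]HKEY_USERS\S-1-5-21-150597262-1105282853-3413232892-1006\CONTROL PANEL\DESKTOP\Wallpaper=]C:\WINDOWS\SYSTEM32\PHC3C7J0ECD9.BMP Trojan.FakeAlert.AGJ No action was possible
"""

# Final-status strings BitDefender appends to each entry; none is a suffix of another.
STATUSES = ("No action was possible", "Moved to Quarantine", "Deleted", "Disinfected")

# Registry locations that make the referenced file start or load, checked in order.
MECHANISMS = [
    (r"\\SERVICES\\[^\\]+\\IMAGEPATH$", "service binary (ImagePath)"),
    (r"\\WINLOGON\\NOTIFY\\", "Winlogon notification package DLL"),
    (r"\\CURRENTVERSION\\RUN\\", "Run key autostart"),
    (r"\\SCRNSAVE\.EXE$", "screensaver executable"),
    (r"\\WALLPAPER$", "desktop wallpaper (data file, not executable)"),
]

def parse_issue(line):
    """Split one '[system]=]<registry value>=]<path> <threat> <status>' entry."""
    _, regvalue, rest = line.split("=]", 2)
    status = next((s for s in STATUSES if rest.endswith(s)), "")
    path, threat = rest[: len(rest) - len(status)].rstrip().rsplit(" ", 1)
    mechanism = next((label for pat, label in MECHANISMS
                      if re.search(pat, regvalue, re.IGNORECASE)), "unknown")
    # An NTFS alternate data stream shows as a second ':' after the drive letter,
    # so "SVCHOST.EXE:EXT.EXE" is a hidden stream attached to the real svchost.exe.
    ads = re.search(r"^[A-Za-z]:\\.*:[^\\]+$", path) is not None
    return {"regvalue": regvalue, "path": path, "threat": threat,
            "status": status, "mechanism": mechanism, "ads": ads}

def triage(log):
    """Return the entries the scanner could not act on, ready for manual repair."""
    return [parse_issue(l) for l in log.splitlines()
            if l.startswith("[system]=]") and l.endswith("No action was possible")]

if __name__ == "__main__":
    for issue in triage(SAMPLE_LOG):
        flag = " [alternate data stream]" if issue["ads"] else ""
        print(f"{issue['mechanism']:45} {issue['path']}{flag}")
```

The mechanism label tells you which registry value has to be repaired as well as which file has to go; deleting the file alone leaves a dangling autostart entry.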
Hello docampil,
Please reboot your PC into safe mode. Just reboot your PC but keep pressing the F8 button several times before you see the Windows splash screen. Select Safe Mode and press Enter. Log in with your account. Once you are in Windows (safe mode), click on Start, Programs, BitDefender 2009, BitDefender Manual Scan, and check what you want to scan. I advise that you scan your entire drive, or you can set it to only scan the Windows folder and its subfolders; then press OK.
Kind regards,
Niels
Hi, I have the same problem, & I've already tried your solution (safe mode & manual scan), but the virus still exists. Any suggestions? Please help. I attached the log file, thank you.
I think the virus now infects legitimate .exe files, or the file is write protected.
I once had the same problem. It was a process named msupdate.exe (http://www.processlibrary.com/directory/files/msupdate/).
It was in the System32 folder and it was not being removed, giving me the same errors you got. What I did was view all hidden files, including system files, and manually delete it from the System32 folder. In case I get an error, I always have Unlocker running, which helps me deal with situations like these. If it isn't deleted at first, Unlocker deletes it at system startup. Give it a shot.
I've been using BD for 2 years and always face the common problems which the BD team somehow does not manage to fix. Like right now, my bdagent icon in the system tray is gray and says that services are not responding, even though seccenter.exe, bdagent.exe and vsserv.exe are all shown in the Task Manager.
Please do this:
Can you please download ComboFix; you will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post.
For stubborn virus files, I have been using a program called "Unlocker 1.7", a program that helps to "unlock" the file from Windows processes to eliminate the "Error Deleting, File in use" error you get all the time.
Link: http://ccollomb.free.fr/unlocker/
I find this helps a lot. Safe mode doesn't always work but when playing around with Unlocker, after 1 attempt I can usually delete the file. Sometimes it takes several attempts.
Be careful though: your computer can crash or hang up doing this. It's not a permanent issue though; a reboot will bring your computer back to good standing. I have noticed that instead of trying to delete the file with this program, renaming it seems to be a bit safer.
Take care.
AutoRuns. Another program listed on the Microsoft site (not designed by MS). Lists ALL startup processes and registry keys. This program helps to disable startup entries and can help reduce and eliminate current virus threats.
I run this program alongside the Unlocker program to "clean up" the startup entry for the virus. Make sure you are disconnected from the internet while performing all this, just in case it tries to download something while you remove it.
CCleaner is another program I use to do a final cleanup after removing the main virus files.