Guild Wars Forums - GW Guru
Old Oct 20, 2008, 05:42 PM // 17:42   #21
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/

You don't need to turn off System Restore. I advise against it because if you need to use a restore point, disabling it will remove them all.

Did the avast boot scan find anything?

Malwarebytes recently updated to 1.29, so you may want to rescan with the new version and also with SUPERAntiSpyware. Do complete scans with both programs.
Old Oct 20, 2008, 06:07 PM // 18:07   #22
God of Spammers
 
I pwnd U's Avatar
 
Join Date: Oct 2005
Location: in the middle of a burning cornfield...
Guild: Scars Meadows [SMS] (Officer)

Ya it found the virus in the Windows folder but could not delete, repair, or move it to the chest.

Updated Malwarebytes and scanning now. Will scan with SUPERAntiSpyware after that.
Old Oct 20, 2008, 07:11 PM // 19:11   #23

Malwarebytes log

Quote:
Malwarebytes' Anti-Malware 1.29
Database version: 1298
Windows 5.1.2600 Service Pack 3

10/20/2008 2:09:05 PM
mbam-log-2008-10-20 (14-09-05).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 138363
Time elapsed: 58 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Scanning with SUPER now to see if it really got rid of it or not.
Old Oct 20, 2008, 07:26 PM // 19:26   #24

Since that one is in Windows and not system32, I can recommend that you use Unlocker on it to try and delete it too.
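As an added example (not code from the thread, from Malwarebytes or from the posters), a short Python script that pulls the "Files Infected" entries out of an MBAM log in the format quoted above and flags core Windows binaries that sit outside their normal System32 location, which is the detail the post above picks up on for C:\WINDOWS\svchost.exe. The log text is the one quoted in the thread; the binary names beyond svchost.exe and the `parse_files_infected` / `masquerading_system_binary` function names are my own generalization and assumptions.

```python
import re
from pathlib import PureWindowsPath

# Sample input: the relevant part of the MBAM 1.29 log quoted in the thread.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.29
Database version: 1298
Windows 5.1.2600 Service Pack 3

Files Infected: 1

Files Infected:
C:\\WINDOWS\\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Core Windows binaries that legitimately live under System32 (or SysWOW64 / WinSxS).
# A copy under the bare Windows directory, as in this thread, is a classic red flag.
# (svchost.exe is the one from the thread; the others are an assumed generalization.)
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
LEGIT_DIRS = {"system32", "syswow64", "winsxs"}

# One MBAM entry: <path> (<detection name>) -> <action taken>
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^()]+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")

def parse_files_infected(log_text):
    """Return (path, detection name, action) tuples from the 'Files Infected:' section."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Files Infected:":        # exact header, not the 'Files Infected: N' summary
            in_section = True
            continue
        if not in_section:
            continue
        if not line or line.startswith("(No malicious"):
            break                             # end of the section
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("path"), m.group("name"), m.group("action")))
    return entries

def masquerading_system_binary(path):
    """True if the file name is a core Windows binary sitting outside its normal directory."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM32_ONLY:
        return False
    parent_dirs = {part.lower() for part in p.parts[1:-1]}
    return not (parent_dirs & LEGIT_DIRS)

if __name__ == "__main__":
    for path, name, action in parse_files_infected(SAMPLE_LOG):
        flag = "LOCATION ANOMALY" if masquerading_system_binary(path) else "ok"
        print(f"{path} [{name}] {action} -> {flag}")
```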
Old Oct 20, 2008, 07:28 PM // 19:28   #25

Unlocker? Sorry, not sure what that is.

EDIT: NVM, searched it on google. Downloaded it and am waiting for SUPER to finish scanning before I try to delete it.

Last edited by I pwnd U; Oct 20, 2008 at 08:41 PM // 20:41..
Old Oct 21, 2008, 01:43 AM // 01:43   #26

Super found it and it is still there. Trying to delete it now with the Unlocker. Also found the same virus in C:\RECYCLER\S-1-5-21-115661142-etc.

Unlocker says it deleted it but it is still there.

Last edited by I pwnd U; Oct 21, 2008 at 01:46 AM // 01:46..
Old Oct 21, 2008, 02:09 AM // 02:09   #27

Use Safe Mode and Unlocker or FileAssassin (built into MBAM) to try and get rid of the file.
Old Oct 21, 2008, 03:16 AM // 03:16   #28

Okay so apparently my recycle bin is now also infected. One of the files in it that stores the deleted files is infected with it. Can I safely delete it without causing any harm to my computer?

Checked in Safe Mode for the svchost.exe in the Windows folder and it is not there. Even searched for it. So I guess that one is gone.

In regular Windows it still says it is there but I can't find it in the Windows folder. Found it in search, and when scanned with avast! it says there is a virus; when scanned with Malwarebytes it says it is not infected.

Last edited by I pwnd U; Oct 21, 2008 at 03:23 AM // 03:23..
Old Oct 21, 2008, 04:18 AM // 04:18   #29

You can safely empty it from your Recycle Bin or you can use CCleaner to get rid of it.

I'd like to recommend that you go through your installed programs and look for anything suspicious.

You can also make a new System Restore point and then purge the older points safely using the Disk Cleanup.
Old Oct 21, 2008, 04:25 AM // 04:25   #30

Well it is still there. I tried to delete the svchost.exe from Windows but it won't delete. The recycle bin is infected as well, though I think I actually got rid of that one. Haven't had that warning pop up again.

My brother and I are going to reformat my computer tomorrow after we back up my Program Files, Documents and Settings, and school work.
Old Oct 21, 2008, 04:48 AM // 04:48   #31

I honestly wish I could work on this computer and see this virus first hand.

If you can, please put it into a zip file and upload it to VirusTotal. I wouldn't mind getting a copy to test on a box here at home. If you could host it on a file sharing service and send me the link I would appreciate it.
Old Oct 21, 2008, 04:56 AM // 04:56   #32

If you explain to me exactly how to do that I would gladly do this for you Tarun. Thanks again for all the help you have given me.
Old Oct 21, 2008, 04:10 PM // 16:10   #33

Since this virus is residing in C:\Windows it should be easy to do.

For VirusTotal:
Click Browse and then navigate to your Windows directory and find the svchost.exe file. Select it and click Open. Next, in your browser click Submit.
Navigate to your Windows directory and find the svchost.exe file. Pack it into a zip archive. After that, move the zip to your desktop and go to a file sharing host like Rapidshare. Upload the file and copy the link provided. You can then PM me the link and I'll let you know if it worked.
Old Oct 21, 2008, 09:27 PM // 21:27   #34

PM sent to you Tarun.
Old Oct 21, 2008, 10:10 PM // 22:10   #35

Here are the VirusTotal results.

http://www.virustotal.com/analisis/0...d0bd3df16531ef
Old Oct 21, 2008, 10:55 PM // 22:55   #36

So from the looks of it, the ones that detected it detected it as a Trojan. So I assume that is what it is infected with?
Old Oct 22, 2008, 12:24 AM // 00:24   #37

Indeed. Seems it's more a keylogger/password stealer. An offline cleaning (Internet unplugged) may help to stop it and remove it properly.
Old Oct 22, 2008, 12:44 AM // 00:44   #38

Ah, good thing I never logged into Guild Wars then.