W32/Injector Win32/Peerfrag

My system running NOD32 was infected by
1. MBR Virus - NOD32 detected as operating memory virus
2. Trojan W32 / Injector
3. Worm Win32 / Peerfrag

NOD32 could not remove these infections. Though it quarantines these, they re-appear back on re-booting

The MBR virus was removed through XP Boot CD http://pcsupport.about.com/od/fixtheproblem/ht/repairmbr.htm

I ran a free version of anti-spyware http://www.superantispyware.com/. It detected & deleted a bunch of trojans & registry entries. However, when XP was restarted NOD32 caught the infections again

Have submitted the files for analysis to ESET via Quarantine box.

Scanning again with Superantispyware narrowed me down to an .exe file in folder.
C:\Documents and Settings\Hardware\Application Data\ltzqai.exe

Hardware is local user folder

http://img.photobucket.com/albums/v663/eapen/software/trojan.jpg

 

Solution:

1. Deleted ltzqai.exe file using FileAssasin http://www.malwarebytes.org/fileassassin.php

2. Removed the registry entries containing ltzqai.exe using RegistryCrawler http://www.dcsoft.com/products/regeditx/regcrawler.htm

Still observing for detection of remaining infections. I believe ' ltzqai .exe' was the root file causing the infection

 

Options to consider if you are currently infected

 

siljaline thanks for the link. Had tried with a whole lot of tricks - Hijack This, AdAware - but didn't find the solution. The method listed above is the easiest way I could remove the infection.

I think its a Success! The infection appears to be removed.

Both NOD32 & Superantispyware shows clean.

 

Help: I Got Hacked. Now What Do I Do?
http://technet.microsoft.com/de-de/library/cc512587(en-us).aspx

 

You are welcome for the Link and the assistance.

Post back to this thread if anything else should arise.

Regards,

 

Brummelchen - Whatever written I believe if you can pin-point your root infection the problem can be solved. The infection was resident in my computer for almost a month because I thought NOD32 was doing the work - capturing & quarantining.

Finally it hit me that everyday on re-start these programs re-appear as different .exe s

Its the thrid day now after cleaning - no problems & clean scan

The exe s created by ltzqai.exe were detected & deleted by both programs - NOD32 & Superantispyware - but they failed to cure the root problem. I have to give credit to Superantispyware for giving me the hint to the root infection.

Note:
I found an anti-virus link on how ltzqai.exe infects - though I didn't use the program.

http://info.prevx.com/aboutprogramtext.asp?PX5=2121F1CB00F0A06482BC014316FB3C00216F5486

File Behavior :

LTZQAI.EXE has been seen to perform the following behavior:

* Writes to another Process's Virtual Memory (Process Hijacking)
* Executes a Process
* Injects code into other processes
* The Process is packed and/or encrypted using a software packing process

LTZQAI.EXE has been the subject of the following behavior:

* Created as a process on disk
* Executed as a Process
* Has code inserted into its Virtual Memory space by other programs
* Deleted as a process from disk
* Copied to multiple locations on the system

 

pls read the entire cite of me again!
maybe it is obviously clean... the (back)door aint shut.
it can hit you any time again - to point that out.
and as you wrote yourself - it was active over a month,
time to do something right.

Malware - what now?
* save data (copy documents, music aso., create image/backup...)

* insert Windows-CD/DVD, reboot
* format windows partition with that cd/dvd
* reinstall windows from scratch
* install all windows updates
(or use a clean backup/image instead)

* use a secure browser
* install only programs from trustable sources
* revise your security concept
* change all passwords at trojan infections
* dont work as admin

sounds hard but from my experience to normal users there aint not really a choice.

maybe this thread can help you for the future
https://www.wilderssecurity.com/showthread.php?t=111264

 

Yes you are right. I think the backdoor is not solved yet

I see today other exe's caught by NOD32

1. syscr - syscr.exe executes at winlogon

Registry location : HKEY_USERS\S-1-5-21-515967899-1220945662-299502267-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Registry Action :
(Shell=C:\Documents and Settings\Hardware\Application Data\ltzqai.exe,explorer.exe,C:\RECYCLER\S-1-5-21-9667281957-3319854020-242786114-8915\syscr.exe)

Deleting this registry entry re-writes it automatically !


2. msvmiode - msvmiode.exe

I guess format of the system is only solution now.
I also see this as a reason to upgrade to the new Windows 7 ! :-l