Virus/Trojan Help. Please Help Me Out.

Discussion in 'malware problems & news' started by Jinn, Dec 17, 2004.

Thread Status:
Not open for further replies.
  1. Jinn

    Jinn Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    10
    These trojans are making me insane. 100% CPU usage even if no program is open. They use my computer to host whatever it is they do(probably porn). They have 4 processes (misspelled) running and if I end them they make my computer shut down. A counter pops up saying 1 min to shutdown. SCVhost.exe is what it is. If there is anyway you could help me I would be undyingly greatful.

    The viruses are below.

    JAVA_BYTEVER A-1 -Troj/Femad-B uses the byte verifier vulnerability in unpatched versions of Internet Explorer to drop and execute the file C:\web.exe.

    BKDR_LT -Troj/Litmus-AS is a backdoor Trojan that runs in the background as a system process and allows unauthorised remote access to the computer via an IRC network connection.

    The Trojan copies itself to C:\Windows\Server as svchost.EXE and adds an entry to the registry at:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LTM2
    run itself on system restart.
    The Trojan may also attempt to steal passwords.

    Heres is a pic on the processes. Check it. Might help.

    http://www.fatalinfliction.com/upload_files/virusproblempic.jpg

    I have the following programs...
    Spotbot
    Ad-Aware SE
    Nortan Antivirus
    Nortan Internet Security
    HJT

    None of which have helped the problem. Went to Tran and tried to do a scan but it won't let me.

    Thanks for any help you can give me.
    ~Jinn
     
    Last edited: Dec 17, 2004
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi Jinn

    Try this: Click start > run > type "shutdown -a" > click ok, and see if this takes care of the shutdown's when you try end the processes you describe.

    If it works, you can then try a couple of online scanners like:

    http://www.pandasoftware.com/activescan/

    http://housecall.trendmicro.com/

    http://support.f-secure.com/enu/home/ols.shtml

    You might have to shutdown your anti-virus when using the online scanners, but you should of course turn them on again right after using these.

    After this you might want to take a look at a post about General cleaning

    Hope this helps. :)
     
    Last edited: Dec 17, 2004
  3. Jinn

    Jinn Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    10
    Thanks a bunch Don. The shutdown -a works well but the exe just pops back up after I end them.
    I used all 3 sites and ran a full scan and found these. They say they are small but still havn't been removed.
    The other 2 main viruses have not been removed and continue to piss me off. Makes my sexy computer run slow.... :oops:

    All help is greatly appreciated!
    Thanks again Don.
    ~Jinn
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Jinn, welcome to Wilders.

    Can you please follow the comprehensive steps found in General Cleaning.

    If these steps do not resolve your situation, you will need to download and run “Hijack This” found here and post your log at one of the forums found here. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    The steps mentioned in General Cleaning use software that ought to be part of your security, as an absolute minimum. Once your system is clean, please don’t hesitate to ask further about using these and other security software to protect your computer.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  5. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Your welcome Jinn. Use the steps in the post about General Cleaning , this very week i helped a friend who lives a couple of hours from me over the telefone doing these very comprehensive steps.

    The result was over 1000 (we stopped counting after 1000) viruses, trojans, worms adware/spyware found, and a friend who was shocked (who is now protected by a dedicated anti-virus, anti-trojan and a spyware-monitor :D) the computer is back to it's "sexy normal state", which is almost a miracle.

    The steps might seem overwhelming, but are usually well worth the time spent on it.

    BTW. Many of viruses could only be deleted in safemode (described in the General Cleaning thread). I wish you luck.:)
     
  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
  7. Jinn

    Jinn Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    10
    I'll do the General Cleaning, and your right, it is a bit overwhelming, but I'd like to get rid of this virus so I'll take the time. :)
    I'll also try the TDS-3.
    Thanks for the help ya'll.
    Hope this works! :D
    ~Jinn
     
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Jinn,

    I'm curious. On the screenshot you indicate a few processes as culprits, but none of them are responsible for the 100% CPU utilization shown (at least at the time of the screenshot).

    Have you taken a peek with ProcessExplorer in which the image path and command line (selectable under View>Select columns) are shown? I've found that a useful exercise, particularly in identifying whether multiple instances or processes are protecting each other.

    Blue
     
  9. Jinn

    Jinn Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    10
    Zanetti- Thanks but the virus, which was listed on Sophos.com hides its self as a java, but is actually hosting stuff throguht my computer. So it takes the biggest program open and says that it is the one causing 100% CPU usage.

    Kerbos- Why the helk did you post this on my thread? o_O o_O (this post has been split-off to it's own thread here- BlueZannetti)
     
    Last edited by a moderator: Dec 18, 2004
  10. kerberos

    kerberos Registered Member

    Joined:
    Dec 18, 2004
    Posts:
    7
    sorry, :( blimey, already gotten up someones nose within half an hour of joining the forum . great.
     
  11. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Kerberos,

    No worries. Problem fixed. Welcome to Wilders!

    Jinn,

    Not quite sure what you're saying here - does this exploit replace TaskManager with it's own app? Suggest you run ProcessExplorer. It's a standalone app. See what it says.

    Blue
     
  12. Jinn

    Jinn Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    10
    Blue, I don't exactly know how to run the Proccess thing that you posted. Could you explain to me how its done?

    Also I just did the General Cleaning 2 times! Waste of 2 and a half hours of my life. Lol. Anyways....3rd times the charm I guess...I hope anyways. :rolleyes:

    ~Jinn
     
  13. Jinn

    Jinn Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    10
    Sorry to double post, but 3 times and it hasn't stopped this virus. I can't beleive how irritating this virus is. :oops: I think this is when I spot a HJT log?
    ~Jinn
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    General Cleaning fixes 95% of what’s out there through simple steps that anyone can follow, unfortunately you have struck the 5% which requires a HijackThis Log. Often if you first ran HJT you would have to wait a few days for someone to look at your log at one of the A-SAP forums for a simple Trojan/Virus removal, thus running through General Clean even a single time begins to resolve 95% of what’s out there.

    In addition to this General Cleaning has the person heading in the right direction as to the use of security software and at the end has links to further discussions on securing their computer so that they will not find themselves in the same situation again.


    Correct.

    Would appreciate you keeping us in the loop as to your progress as we all learn this way…

    Cheers :D
     
    Last edited: Dec 21, 2004
  15. Jinn

    Jinn Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    10
    Thanks for clearing that up Blackspear. Heres the log. I'll post it in the HJT thread soon.

    ~Jinn

    Mod Note - HijackThis log (attachment) removed. Jinn, I believe you may have misunderstood Blackspear's reply above (Post #14) regarding the posting of a HJT log. He did not request you post/attach a hijackthis log. Please see his following reply (Post #17) for links to the forums that do offer HijackThis log review services. - snap
     
    Last edited by a moderator: Dec 19, 2004
  16. Jinn

    Jinn Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    10
    I post the HJT but the HJT thread is gone.
    https://www.wilderssecurity.com/showthread.php?t=42148

    Before doing the General Cleaning I posted a HJT thread and was deleted.
    I recieved his PM.
    "Sorry Jinn but we no longer process HJT logs except when requested by a moderator or Admin, This usually only occurrs because we feel their are special circumstances that we can all learn from."

    So Blackspear are you an admin or moderator? Because I'd rather not have my thread deleted. Lol.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As I said here, unfortunately you are 1 of the 5% and as such you will need to continue with what General Cleaning advises and post your log at one of the forums found here. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    Cheers.

    Blackspear.
     
  18. Jinn

    Jinn Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    10
    Will do Blackspear.
    Thanks again!
    ~Jinn
     
Loading...
Thread Status:
Not open for further replies.