TechSpot

Help Needed with I-Worm/Luder Removal

By f1maniac
Aug 19, 2008
  1. Hi Guys,

    I have been trying to remove the Luder virus by some of the techniques listed on here, but I am not able to interpret the results of HJT accurately enough and I need to get some help from you experts out there. I've noticed the suspect svchost.exe in System32/drivers/; however, it keeps coming back after I boot into safe mode, fix it in HJT, and then remove the file, so I'm guessing there is something else I'm missing.

    I am attaching my HJT logs. I tried to attach my AVG log, however it was 300k and exceeded the allowed attachment size.

    Thanks a ton in advance!
     
  2. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    I did not see anything bad in your log. Follow the steps below:

    Make sure to use Internet Explorer for this
    Please go to VirSCAN.org FREE on-line scan service
    Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    C:\WINDOWS\SYSTEM32\TPSvc.dll

    Click on the Upload button
    Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    Paste the contents of the Clipboard in your next reply.
     
  3. f1maniac

    f1maniac TS Rookie Topic Starter

    I know something is definitely up because AVG goes absolutely nuts and tells me every single EXE on the machine is infected with Luder. It found 1700+ instances of infection during the scan I just did a little while ago. Also I had read online here that the svchost.exe that runs from the /windows/system32/drivers folder is actually the Luder virus.

    Yesterday it got to the point where I couldn't do anything. Control Panel, Firefox, etc. wouldn't open. I did a system restore to the earliest point I could. I was still infected, but I was able to run programs again. That was yesterday, and today I already can no longer open Notepad, WordPad, etc. When I do, the Windows Office XP install thing comes up asking me to insert the CD. Also the AVG shield pops up every 10 or so seconds.

    Also, in the /windows/system32/drivers folder, files keep multiplying with garbage names, and they all have the exact same date, time, and size as the suspect svchost.exe in the same folder. I will paste in the report from the other computer.
     
  4. f1maniac

    f1maniac TS Rookie Topic Starter

    Here is my report. Also, Windows Defender finds the virus too, but can't do anything about it. When I tell AVG to repair the files, it can't do that either.

    Just out of curiosity I ran the scan also on the svchost.exe file from the /system32/drivers folder. I have pasted that below the TPSvc.dll results.

    Here is the report on the TPSvc.dll file:

    VirSCAN.org Scanned Report :
    Scanner results: 3% Scanner(1/36) found malware!
    File Name : TPSvc.dll
    File Size : 364544 byte
    File Type : MS-DOS executable (EXE), OS/2 or MS Windows
    MD5 : 0951967953130a6e2edb3745fb2b9b99
    SHA1 : 1960597f07a6d5a15f1b9d5a6a8e0f726dc9be5b


    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 3.5.0.18 2008.06.15 2008-06-15 4.98 -
    AhnLab V3 2008.06.15.00 2008.06.15 2008-06-15 1.92 -
    AntiVir 7.8.0.55 7.0.4.197 2008-06-15 7.68 -
    Arcavir 1.0.4 200806151533 2008-06-15 3.66 -
    AVAST! 1.0.8 080615-0 2008-06-15 6.32 -
    AVG 7.5.51.442 270.3.0/1500 2008-06-12 4.70 -
    BitDefender 7.60825.1260910 7.19534 2008-06-15 10.27 -
    CA (VET) 9.0.0.143 31.6.5873 2008-06-14 9.60 -
    ClamAV 0.93 7483 2008-06-16 0.13 -
    Comodo 2.11 2.0.0.556 2008-06-15 1.45 -
    CP Secure 1.1.0.715 2008.06.15 2008-06-15 14.77 -
    Dr.Web 4.44.0.9170 2008.06.15 2008-06-15 12.95 -
    ewido 4.0.0.2 2008.06.15 2008-06-15 3.70 -
    F-Prot 4.4.1.52 20080614 2008-06-14 4.17 -
    F-Secure 5.51.6100 2008.06.14.01 2008-06-14 9.42 -
    Fortinet 2.81-3.11 9.203 2008-06-15 5.45 -
    ViRobot 20080613 2008.06.13 2008-06-13 0.69 -
    Ikarus T3.1.01.26 2008.06.15.70921 2008-06-15 5.69 -
    JiangMin 11.0.706 2008.06.14 2008-06-14 2.19 -
    Kaspersky 5.5.10 2008.06.15 2008-06-15 15.80 -
    KingSoft 2008.1.14.15 2008.6.15.15 2008-06-15 1.43 -
    McAfee 5.2.00 5317 2008-06-13 5.05 -
    Microsoft 1.3604 2008.06.15 2008-06-15 7.46 -
    mks_vir 2.01 2008.06.15 2008-06-15 7.20 -
    Norman 5.92.08 5.92.00 2008-06-13 13.39 -
    Panda 9.04.03.0001 2008.06.15 2008-06-15 3.06 -
    Trend Micro 8.700-1004 5.344.31 2008-06-15 0.06 -
    Prevx V2 20080616 2008-06-16 3.19 TROJAN.PWDSTEALER.GEN
    Quick Heal 9.00 2008.06.14 2008-06-14 0.48 -
    Rising 20.0 20.48.62.00 2008-06-15 1.68 -
    Sophos 2.74.1 4.30 2008-06-16 7.14 -
    Symantec 1.3.0.24 20080609.003 2008-06-09 0.01 -
    nProtect 2008-06-13.00 1543807 2008-06-13 5.33 -
    The Hacker 6.2.92 v00350 2008-06-14 1.26 -
    VBA32 3.12.6.7 20080613.1826 2008-06-13 3.22 -
    VirusBuster 4.3.19:9 9.132.4/11.0 2008-06-15 2.96 -

    Here is the report on svchost.exe

    VirSCAN.org Scanned Report :
    Scanned time : 2008/08/20 09:54:09 (CST)
    Scanner results: 83% Scanner(30/36) found malware!
    File Name : svchost.exe
    File Size : 45803 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : d93ec64a30dd46d6959f973f68123016
    SHA1 : b99230f64a105bb8ff5ae51896c670e9db4e868e


    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 3.5.0.22 2008.08.19 2008-08-19 2.62 Backdoor.Win32.Agent.amb
    AhnLab V3 2008.08.20.00 2008.08.20 2008-08-20 0.89 Win-Trojan/Mnless.45799
    AntiVir 7.8.1.23 7.0.6.38 2008-08-19 2.21 BDS/Agent.amb.24
    Arcavir 1.0.5 200808191217 2008-08-19 1.24 Trojan.Agent.Amb
    AVAST! 3.0.1 080819-0 2008-08-19 0.01 Win32:Small-EVF [Wrm]
    AVG 7.5.51.442 270.6.6/1621 2008-08-19 1.52 Generic_c.BV
    BitDefender 7.60825.1571275 7.20589 2008-08-20 2.83 Backdoor.Generic.38857
    CA (VET) 9.0.0.143 31.6.6036 2008-08-18 5.48 Win32/Fuceb!generic worm.
    ClamAV 0.93.3 8058 2008-08-19 0.01 -
    Comodo 2.11 2.0.0.621 2008-08-19 0.51 -
    CP Secure 1.1.0.715 2008.08.20 2008-08-20 6.21 -
    Dr.Web 4.44.0.9170 2008.08.19 2008-08-19 3.09 BackDoor.Wua
    ewido 4.0.0.2 2008.08.19 2008-08-19 2.60 Backdoor.Agent.amb
    F-Prot 4.4.4.56 20080819 2008-08-19 1.17 Possible W32/new-malware!Maximus
    F-Secure 5.51.6100 2008.08.19.08 2008-08-19 3.06 Backdoor.Win32.Agent.amb [AVP]
    Fortinet 2.81-3.11 9.447 2008-08-20 1.71 W32/Agent.AMB!tr.bdr
    ViRobot 20080819 2008.08.19 2008-08-19 0.39 -
    Ikarus T3.1.01.34 2008.08.19.71305 2008-08-19 3.41 Backdoor.Win32.Agent.amb
    JiangMin 11.0.706 2008.08.19 2008-08-19 1.18 Adware/Malware.at
    Kaspersky 5.5.10 2008.08.19 2008-08-19 0.05 Backdoor.Win32.Agent.amb
    KingSoft 2008.1.14.15 2008.8.19.20 2008-08-19 0.57 -
    McAfee 5.2.00 5364 2008-08-19 2.56 W32/WBoy
    Microsoft 1.3807 2008.08.19 2008-08-19 4.07 Backdoor:Win32/Agent
    mks_vir 2.01 2008.08.19 2008-08-19 2.57 Trojan.Mnless.jsd
    Norman 5.93.01 5.93.00 2008-08-19 5.19 -
    Panda 9.05.01 2008.08.19 2008-08-19 2.00 Adware/BaiduBar
    Trend Micro 8.700-1004 5.486.13 2008-08-19 0.02 BKDR_AGENT.RKL
    Quick Heal 9.50 2008.08.19 2008-08-19 1.67 Backdoor.Agent.amb
    Rising 20.0 20.58.12.00 2008-08-19 0.84 Trojan.Mnless.jsd
    Sophos 2.77.0 4.32 2008-08-20 2.12 Mal/Emogen-Y
    Sunbelt 3.1.1546.1 2193 2008-08-14 0.45 Backdoor.Win32.Agent.amb
    Symantec 1.3.0.24 20080819.003 2008-08-19 0.10 W32.Whybo.Z
    nProtect 2008-08-19.00 1899769 2008-08-19 3.38 Backdoor.Generic.38857
    The Hacker 6.2.96 v00396 2008-08-11 0.40 Backdoor/Agent.amb
    VBA32 3.12.8.3 20080819.0941 2008-08-19 1.09 Backdoor.Win32.Agent.amb
    VirusBuster 4.5.11.10 10.84.5/598255 2008-08-19 0.87 Worm.SdBot.Gen.26
     
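The two observations above (post 3: dropped copies in System32\drivers sharing the exact size, date and time of the suspect svchost.exe; post 4: the VirSCAN report giving that file's size of 45803 bytes and MD5 d93ec64a30dd46d6959f973f68123016) are enough to write a small triage script. The following is an added example, not code from the original thread or from any of the tools it mentions. It builds a constructed stand-in for the drivers folder (placeholder bytes, not the real sample, so the report's MD5 cannot match it and the demo hashes its own fake svchost.exe instead), then flags every file that matches a known-bad hash or size and every cluster of files that share (size, mtime). The directory path, file names and timestamp are all assumptions for the demo; on a real machine you would point `triage_directory` at `C:\Windows\System32\drivers` and pass the hash from the report.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Size and MD5 of the dropped svchost.exe as reported by VirSCAN in the thread.
REPORTED_MD5 = "d93ec64a30dd46d6959f973f68123016"
REPORTED_SIZE = 45803


def md5_of(path, chunk=65536):
    """MD5 of a file, read in chunks so large drivers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_directory(root, known_md5=REPORTED_MD5, known_size=REPORTED_SIZE):
    """Scan one directory (non-recursive) and return:
    hash_matches  - files whose MD5 equals the known-bad hash
    size_matches  - files whose size equals the known-bad size
    clusters      - groups of 2+ files sharing identical (size, mtime),
                    the 'same date, time and size' pattern from the thread."""
    hash_matches, size_matches = [], []
    by_size_and_mtime = defaultdict(list)
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        by_size_and_mtime[(st.st_size, int(st.st_mtime))].append(name)
        if st.st_size == known_size:
            size_matches.append(name)
        if md5_of(path) == known_md5:
            hash_matches.append(name)
    clusters = [sorted(v) for v in by_size_and_mtime.values() if len(v) > 1]
    return {"hash_matches": hash_matches,
            "size_matches": size_matches,
            "clusters": clusters}


def build_constructed_sample():
    """Constructed stand-in for System32\\drivers (assumption, not real data):
    a fake dropper named svchost.exe, three same-sized copies with garbage
    names and the same timestamp, and one benign file of a different size."""
    root = tempfile.mkdtemp(prefix="drivers_")
    fake_dropper = b"MZ" + b"\x00" * (REPORTED_SIZE - 2)  # placeholder bytes, not malware
    stamp = 1219190400  # fixed epoch seconds so all copies share date and time
    for name in ("svchost.exe", "qzxw.exe", "plmk.exe", "tyhg.exe"):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(fake_dropper)
        os.utime(path, (stamp, stamp))
    with open(os.path.join(root, "ntfs.sys"), "wb") as f:
        f.write(b"MZ" + b"\x01" * 1000)  # benign-looking file, different size
    return root


def run_demo():
    """Triage the constructed directory. The fake dropper cannot carry the
    report's real MD5, so the demo uses the hash of its own svchost.exe as
    the known-bad value; with a real sample you would pass REPORTED_MD5."""
    root = build_constructed_sample()
    known = md5_of(os.path.join(root, "svchost.exe"))
    return triage_directory(root, known_md5=known)


if __name__ == "__main__":
    result = run_demo()
    print("hash matches :", result["hash_matches"])
    print("size matches :", result["size_matches"])
    print("clusters     :", result["clusters"])
```

Two caveats a practitioner would add: the hash check only catches byte-identical drops (the dropper may re-pack itself, which is why the size/mtime cluster check is worth keeping alongside it), and on a live infected XP box the worm re-creates these files at boot, so this is triage to confirm the pattern and collect hashes, not a removal step. Run it from a clean boot environment or against a mounted image rather than on the infected OS.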
  5. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Uninstall AVG and install Avira Free Anti-virus (click on the link in my sig), then update and run a full scan in safe mode.
     