Help Needed with I-Worm/Luder Removal

Status
Not open for further replies.
Hi Guys,

I have been trying to remove the Luder virus by some of the techniques listed on here, but I am not able to interpret the results of HJT accurately enough and I need to get some help from you experts out there. I've noticed the suspect svchost.exe in System32/drivers/; however, it keeps coming back after I boot into safe mode, fix it in HJT, and then remove the file, so I'm guessing there is something else I'm missing.

I am attaching my HJT logs. I tried to attach my AVG log, however it was 300k and exceeded the allowed attachment size.

Thanks a ton in advance!
 
I did not see anything bad in your log. Follow the steps below:

Make sure to use Internet Explorer for this.
Please go to VirSCAN.org FREE on-line scan service.
Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

C:\WINDOWS\SYSTEM32\TPSvc.dll

Click on the Upload button.
Once the scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.
 
I know something is definitely up because AVG goes absolutely nuts and tells me every single EXE on the machine is infected with Luder. It found 1700+ instances of infection during the scan I just did a little while ago. Also I had read online here that the svchost.exe that runs from the /windows/system32/drivers folder is actually the Luder virus.

Yesterday it got to the point where I couldn't do anything. Control Panel, Firefox, etc. wouldn't open. I did a system restore to the earliest point I could, but I was still infected, though I was able to run programs again. That was yesterday, and today I already can no longer open Notepad, WordPad, etc. When I do, the Windows Office XP install thing comes up asking me to insert the CD. Also the AVG shield pops up every 10 or so seconds.

Also, in the /windows/system32/drivers folder, files keep multiplying with garbage names, and they all have the exact same date, time, and size as the suspect svchost.exe in the same folder. I will paste in the report from the other computer.
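The symptom described in this post (files with garbage names that share the suspect svchost.exe's date, time and size) can be checked on a copy of the folder rather than by eye. The following script is an added example, not part of the thread: it lists every file whose size and modification time exactly match a named suspect, hashes each one, and compares the MD5 against the value VirSCAN reports for drivers\svchost.exe later in this thread. The directory it scans is a constructed throw-away sample (fake bodies, made-up names such as qzxkp.exe) so that it runs offline on any OS; point `triage()` at a real folder to use it for what the post describes.

```python
"""Find files that share size and mtime with a known suspect file, then hash
them so the metadata match can be confirmed (or refuted) by content.

Added example, not from the thread. The sample directory below is constructed
and contains no real malware; only KNOWN_BAD_MD5 comes from the thread's report.
"""
import hashlib
import os
import tempfile

# MD5 that VirSCAN reported for the drivers\svchost.exe sample in this thread.
KNOWN_BAD_MD5 = "d93ec64a30dd46d6959f973f68123016"


def file_digests(path):
    """Return (md5, sha1) hex digests of a file, read in 64 KiB chunks."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def find_siblings(directory, suspect_name):
    """Names of other files in `directory` whose size and mtime exactly match
    the suspect's: the 'same date, time and size' pattern from the post."""
    suspect = os.stat(os.path.join(directory, suspect_name))
    key = (suspect.st_size, int(suspect.st_mtime))
    matches = []
    for name in sorted(os.listdir(directory)):
        if name == suspect_name:
            continue
        st = os.stat(os.path.join(directory, name))
        if (st.st_size, int(st.st_mtime)) == key:
            matches.append(name)
    return matches


def triage(directory, suspect_name, known_bad_md5=KNOWN_BAD_MD5):
    """Hash the suspect and its metadata siblings. Files that match on
    metadata but differ in content are flagged by their differing digests."""
    report = {}
    for name in [suspect_name] + find_siblings(directory, suspect_name):
        md5, sha1 = file_digests(os.path.join(directory, name))
        report[name] = {"md5": md5, "sha1": sha1, "known_bad": md5 == known_bad_md5}
    return report


def build_sample_dir():
    """Constructed sample: a fake 'svchost.exe' body copied under a garbage
    name, one same-size file that differs by a byte, and one unrelated file."""
    d = tempfile.mkdtemp(prefix="drivers_")
    body = b"NOT A REAL BINARY - constructed sample body\n" * 100
    stamp = 1219200000  # fixed mtime so every copy matches exactly

    def write(name, data):
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(data)
        os.utime(p, (stamp, stamp))

    write("svchost.exe", body)
    write("qzxkp.exe", body)                 # exact clone, garbage name
    write("wmrtb.sys", body[:-2] + b"X\n")   # same size/mtime, different content
    write("legit.sys", b"different content") # same mtime, different size
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, info in triage(sample, "svchost.exe").items():
        print(f"{name}: md5={info['md5']} known_bad={info['known_bad']}")
```

The metadata match is only a lead: the hashes decide whether two files are really the same object, and a digest that matches a scan report ties the local file to what the engines actually analysed.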
 
Here is my report. Also Windows Defender finds the virus too, but can't do anything about it. When I tell AVG to repair the files, it can't do that either.

Just out of curiosity I ran the scan also on the svchost.exe file from the /system32/drivers folder. I have pasted that below the TPSvc.dll results.

Here is the report on the TPSvc.dll file:

VirSCAN.org Scanned Report :
Scanner results: 3% Scanner(1/36) found malware!
File Name : TPSvc.dll
File Size : 364544 byte
File Type : MS-DOS executable (EXE), OS/2 or MS Windows
MD5 : 0951967953130a6e2edb3745fb2b9b99
SHA1 : 1960597f07a6d5a15f1b9d5a6a8e0f726dc9be5b


Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.18 2008.06.15 2008-06-15 4.98 -
AhnLab V3 2008.06.15.00 2008.06.15 2008-06-15 1.92 -
AntiVir 7.8.0.55 7.0.4.197 2008-06-15 7.68 -
Arcavir 1.0.4 200806151533 2008-06-15 3.66 -
AVAST! 1.0.8 080615-0 2008-06-15 6.32 -
AVG 7.5.51.442 270.3.0/1500 2008-06-12 4.70 -
BitDefender 7.60825.1260910 7.19534 2008-06-15 10.27 -
CA (VET) 9.0.0.143 31.6.5873 2008-06-14 9.60 -
ClamAV 0.93 7483 2008-06-16 0.13 -
Comodo 2.11 2.0.0.556 2008-06-15 1.45 -
CP Secure 1.1.0.715 2008.06.15 2008-06-15 14.77 -
Dr.Web 4.44.0.9170 2008.06.15 2008-06-15 12.95 -
ewido 4.0.0.2 2008.06.15 2008-06-15 3.70 -
F-Prot 4.4.1.52 20080614 2008-06-14 4.17 -
F-Secure 5.51.6100 2008.06.14.01 2008-06-14 9.42 -
Fortinet 2.81-3.11 9.203 2008-06-15 5.45 -
ViRobot 20080613 2008.06.13 2008-06-13 0.69 -
Ikarus T3.1.01.26 2008.06.15.70921 2008-06-15 5.69 -
JiangMin 11.0.706 2008.06.14 2008-06-14 2.19 -
Kaspersky 5.5.10 2008.06.15 2008-06-15 15.80 -
KingSoft 2008.1.14.15 2008.6.15.15 2008-06-15 1.43 -
McAfee 5.2.00 5317 2008-06-13 5.05 -
Microsoft 1.3604 2008.06.15 2008-06-15 7.46 -
mks_vir 2.01 2008.06.15 2008-06-15 7.20 -
Norman 5.92.08 5.92.00 2008-06-13 13.39 -
Panda 9.04.03.0001 2008.06.15 2008-06-15 3.06 -
Trend Micro 8.700-1004 5.344.31 2008-06-15 0.06 -
Prevx V2 20080616 2008-06-16 3.19 TROJAN.PWDSTEALER.GEN
Quick Heal 9.00 2008.06.14 2008-06-14 0.48 -
Rising 20.0 20.48.62.00 2008-06-15 1.68 -
Sophos 2.74.1 4.30 2008-06-16 7.14 -
Symantec 1.3.0.24 20080609.003 2008-06-09 0.01 -
nProtect 2008-06-13.00 1543807 2008-06-13 5.33 -
The Hacker 6.2.92 v00350 2008-06-14 1.26 -
VBA32 3.12.6.7 20080613.1826 2008-06-13 3.22 -
VirusBuster 4.3.19:9 9.132.4/11.0 2008-06-15 2.96 -

Here is the report on svchost.exe

VirSCAN.org Scanned Report :
Scanned time : 2008/08/20 09:54:09 (CST)
Scanner results: 83% Scanner(30/36) found malware!
File Name : svchost.exe
File Size : 45803 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : d93ec64a30dd46d6959f973f68123016
SHA1 : b99230f64a105bb8ff5ae51896c670e9db4e868e


Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.08.19 2008-08-19 2.62 Backdoor.Win32.Agent.amb
AhnLab V3 2008.08.20.00 2008.08.20 2008-08-20 0.89 Win-Trojan/Mnless.45799
AntiVir 7.8.1.23 7.0.6.38 2008-08-19 2.21 BDS/Agent.amb.24
Arcavir 1.0.5 200808191217 2008-08-19 1.24 Trojan.Agent.Amb
AVAST! 3.0.1 080819-0 2008-08-19 0.01 Win32:Small-EVF [Wrm]
AVG 7.5.51.442 270.6.6/1621 2008-08-19 1.52 Generic_c.BV
BitDefender 7.60825.1571275 7.20589 2008-08-20 2.83 Backdoor.Generic.38857
CA (VET) 9.0.0.143 31.6.6036 2008-08-18 5.48 Win32/Fuceb!generic worm.
ClamAV 0.93.3 8058 2008-08-19 0.01 -
Comodo 2.11 2.0.0.621 2008-08-19 0.51 -
CP Secure 1.1.0.715 2008.08.20 2008-08-20 6.21 -
Dr.Web 4.44.0.9170 2008.08.19 2008-08-19 3.09 BackDoor.Wua
ewido 4.0.0.2 2008.08.19 2008-08-19 2.60 Backdoor.Agent.amb
F-Prot 4.4.4.56 20080819 2008-08-19 1.17 Possible W32/new-malware!Maximus
F-Secure 5.51.6100 2008.08.19.08 2008-08-19 3.06 Backdoor.Win32.Agent.amb [AVP]
Fortinet 2.81-3.11 9.447 2008-08-20 1.71 W32/Agent.AMB!tr.bdr
ViRobot 20080819 2008.08.19 2008-08-19 0.39 -
Ikarus T3.1.01.34 2008.08.19.71305 2008-08-19 3.41 Backdoor.Win32.Agent.amb
JiangMin 11.0.706 2008.08.19 2008-08-19 1.18 Adware/Malware.at
Kaspersky 5.5.10 2008.08.19 2008-08-19 0.05 Backdoor.Win32.Agent.amb
KingSoft 2008.1.14.15 2008.8.19.20 2008-08-19 0.57 -
McAfee 5.2.00 5364 2008-08-19 2.56 W32/WBoy
Microsoft 1.3807 2008.08.19 2008-08-19 4.07 Backdoor:Win32/Agent
mks_vir 2.01 2008.08.19 2008-08-19 2.57 Trojan.Mnless.jsd
Norman 5.93.01 5.93.00 2008-08-19 5.19 -
Panda 9.05.01 2008.08.19 2008-08-19 2.00 Adware/BaiduBar
Trend Micro 8.700-1004 5.486.13 2008-08-19 0.02 BKDR_AGENT.RKL
Quick Heal 9.50 2008.08.19 2008-08-19 1.67 Backdoor.Agent.amb
Rising 20.0 20.58.12.00 2008-08-19 0.84 Trojan.Mnless.jsd
Sophos 2.77.0 4.32 2008-08-20 2.12 Mal/Emogen-Y
Sunbelt 3.1.1546.1 2193 2008-08-14 0.45 Backdoor.Win32.Agent.amb
Symantec 1.3.0.24 20080819.003 2008-08-19 0.10 W32.Whybo.Z
nProtect 2008-08-19.00 1899769 2008-08-19 3.38 Backdoor.Generic.38857
The Hacker 6.2.96 v00396 2008-08-11 0.40 Backdoor/Agent.amb
VBA32 3.12.8.3 20080819.0941 2008-08-19 1.09 Backdoor.Win32.Agent.amb
VirusBuster 4.5.11.10 10.84.5/598255 2008-08-19 0.87 Worm.SdBot.Gen.26
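The two reports above are a good illustration of how to weigh multi-engine results: TPSvc.dll gets a single generic hit (1/36, "TROJAN.PWDSTEALER.GEN" from one engine), while drivers\svchost.exe is flagged by 30/36 engines, many of them agreeing on the same family name. The script below is an added example, not part of the thread and not a VirSCAN tool: it parses lines in the format pasted above (scanner, engine version, signature version, signature date, seconds, result, with "-" meaning clean), counts hits, finds the most common detection name, and applies a rule of thumb that is this example's own. The embedded lines are excerpts copied from the two reports; the rest of each table is omitted, so the counts below are for the excerpts, not the full 36-engine tables.

```python
"""Summarise a VirSCAN-style multi-engine report: how many engines fired and
which detection name they agree on most.

Added example, not from the thread or from VirSCAN. The excerpts are copied
from the reports above; the assessment thresholds are this example's own.
"""
import re
from collections import Counter

# One report line: everything up to the signature date is scanner / engine
# version / signature version, then the date, scan time in seconds, result.
# Results may contain spaces ("Win32:Small-EVF [Wrm]"), so anchor on the date.
LINE_RE = re.compile(
    r"^(?P<head>.+?)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+?)\s*$"
)

# Excerpt of the TPSvc.dll report (1 of 36 engines fired in the full table).
TPSVC_EXCERPT = """\
a-squared 3.5.0.18 2008.06.15 2008-06-15 4.98 -
AhnLab V3 2008.06.15.00 2008.06.15 2008-06-15 1.92 -
Kaspersky 5.5.10 2008.06.15 2008-06-15 15.80 -
Prevx V2 20080616 2008-06-16 3.19 TROJAN.PWDSTEALER.GEN
Sophos 2.74.1 4.30 2008-06-16 7.14 -
Symantec 1.3.0.24 20080609.003 2008-06-09 0.01 -
"""

# Excerpt of the drivers\svchost.exe report (30 of 36 engines fired).
SVCHOST_EXCERPT = """\
a-squared 3.5.0.22 2008.08.19 2008-08-19 2.62 Backdoor.Win32.Agent.amb
AVAST! 3.0.1 080819-0 2008-08-19 0.01 Win32:Small-EVF [Wrm]
CA (VET) 9.0.0.143 31.6.6036 2008-08-18 5.48 Win32/Fuceb!generic worm.
ClamAV 0.93.3 8058 2008-08-19 0.01 -
F-Secure 5.51.6100 2008.08.19.08 2008-08-19 3.06 Backdoor.Win32.Agent.amb [AVP]
Kaspersky 5.5.10 2008.08.19 2008-08-19 0.05 Backdoor.Win32.Agent.amb
nProtect 2008-08-19.00 1899769 2008-08-19 3.38 Backdoor.Generic.38857
Norman 5.93.01 5.93.00 2008-08-19 5.19 -
Trend Micro 8.700-1004 5.486.13 2008-08-19 0.02 BKDR_AGENT.RKL
"""


def parse_report(text):
    """Return (scanner, result) pairs; result is None for a clean ("-") verdict."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or unparseable line
        parts = m.group("head").split()
        # The last two tokens are engine and signature version; whatever is
        # left is the scanner name (names like "Trend Micro" contain a space).
        # A line missing one version column (Prevx) still yields the name.
        scanner = " ".join(parts[:-2]) if len(parts) > 2 else parts[0]
        result = m.group("result")
        rows.append((scanner, None if result == "-" else result))
    return rows


def summarise(text):
    """Count engines and hits and pick the most frequent detection name."""
    rows = parse_report(text)
    hits = [(s, r) for s, r in rows if r is not None]
    names = Counter(r for _, r in hits)
    top_name, top_count = names.most_common(1)[0] if names else (None, 0)
    return {"engines": len(rows), "hits": len(hits),
            "top_name": top_name, "top_count": top_count}


def assess(summary):
    """Rule of thumb used by this example: broad agreement is strong evidence;
    a lone generic/heuristic name is weak and needs other confirmation."""
    if summary["engines"] == 0:
        return "no data"
    ratio = summary["hits"] / summary["engines"]
    if ratio >= 0.5:
        return "likely malicious"
    top = (summary["top_name"] or "").upper()
    if summary["hits"] <= 1 and "GEN" in top:
        return "weak: single generic detection, treat as unconfirmed"
    return "inconclusive"


if __name__ == "__main__":
    for label, text in (("TPSvc.dll", TPSVC_EXCERPT), ("svchost.exe", SVCHOST_EXCERPT)):
        s = summarise(text)
        print(f"{label}: {s['hits']}/{s['engines']} engines, "
              f"top name {s['top_name']!r} x{s['top_count']} -> {assess(s)}")
```

Paste a full report into one of the strings to get the real ratio; the parser ignores the header and blank lines, and the names of scanners that contain spaces survive because the split is anchored on the date column rather than on the first token.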
 
Uninstall AVG and install Avira Free Anti-virus (click on the link in my sig), then update and run a full scan in safe mode.
 