Please help with koos.exe

Status
Not open for further replies.
Hi there,

I have found that my computer comes up with disturbing dialog boxes which lead me to the point that there was something that I dont want on my machine ;-)

I was able to fix this about a week ago but since then I found that there is a lot of network traffic.
tcpview showed me that there is a "<non-existent process>:xxx" which connects to a server "atfactor.com" and tries to connect to several smtp servers.
Looking at the process properties of this process shows "C:\WINNT\system32\koos.exe" which is not located on my system. I have checked the harddisk several times and there is no file with this name.

I changed the configuration of my router so no one is harmed any more by me but I am not able to get rid of this thing.

I have also checked with Process Explorer which shows me that this process ID belongs to CSRSS and Services.exe

Right at the moment I made a HJT log and attached it to this post. koos.exe is active and in memory with process ID 372, avast antivirus 4.7 home edition and prevx1 v2.3.0 build 10 are up and running and both systems tell me that there is no problem.

I know this description is a bit long but I hope to give all needed information

tia

Sebastian
 
koos.exe is a trojan that exhibits rootkit like properties.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

This thread is for the use of cadguru only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.
Back