AVG detected a serious hit as I was downloading a file using the ABC torrent client. It quickly unloaded a multitude of infected files into my system (Sony VAIO laptop, Windows 7 Premium).
Symptoms:
Slow running, error messages on startup (duch.dll and another DLL; I should have screenshotted it), slow boot-up, System Restore inaccessible, Windows Explorer randomly malfunctions and has to restart.
First I uninstalled AVG Free, as the virus would cause the program to endlessly pop up warnings, making any usage of the computer slow and futile. I downloaded Microsoft Security Essentials and updated it. It detected ertfor.b and removed it. Still the symptoms remained, so I did a Google search for ertfor.b, found your forum and started the 8 steps.
Ran TFC and restarted; 17,000 MB cleared.
Downloaded, updated and ran a full system scan with Malwarebytes.
----------------------------------------------------------------------------------------
first full scan:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4586
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
10/09/2010 10:03:07 AM
mbam-log-2010-09-10 (10-03-07).txt
Scan type: Quick scan
Objects scanned: 136073
Time elapsed: 5 minute(s), 39 second(s)
Memory Processes Infected: 10
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 27
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 12
Memory Processes Infected:
C:\Windows\nvsvc32.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\cmd.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\user.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\spoolsv.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\csrss.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\setup.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\win16.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\drweb.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\taskmgr.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\win.exe (Trojan.Downloader) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF196$ (Adware.StreetAds) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqz (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqz (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mque (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mque (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquuf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquuf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqyc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqyc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqvpc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqvpc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqsc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqsc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqurb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqurb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqva (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqva (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uledeweciqusol (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvtdhfngre (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvtdhfngre (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Windows\$ntUninstallmtf196$ (Adware.StreetAds) -> Quarantined and deleted successfully.
Files Infected:
C:\Windows\nvsvc32.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\cmd.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\user.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\spoolsv.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\csrss.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\setup.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\win16.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\drweb.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\taskmgr.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\win.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\$ntUninstallmtf196$\apUninstall.exe (Adware.StreetAds) -> Quarantined and deleted successfully.
C:\Users\tyler\AppData\Local\Temp\skaioejiesfjoee.tmp (Malware.Trace) -> Quarantined and deleted successfully.
---------------------------------------------------------------------------------------------
Second Full Scan:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4586
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
10/09/2010 12:22:55 PM
mbam-log-2010-09-10 (12-22-55).txt
Scan type: Full scan (C:\|E:\|G:\|)
Objects scanned: 262892
Time elapsed: 41 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\tyler\AppData\Local\Mozilla\Firefox\Profiles\il97otd1.default\Cache\64321B95d01 (Rogue.Installer) -> No action taken.
C:\Users\tyler\Downloads\setupxv.exe (Rogue.Installer) -> No action taken.
C:\Windows\Tasks\RegClean Scheduled Scan.job (Rogue.RegClean) -> No action taken.
----------------------------------------------------------------------------------
These infected registry entries and files can't seem to be removed, even after a restart.
There are two startup processes that I do not recognize and have disabled to hopefully prevent further downloading or hijacking:
Lvtdhfngmtd and Lvtdhfngotd
After doing another quick scan to confirm the infection is still here, I tried another deletion and ran DDS. I can include the logs if you need them.
Since MBAM removed the majority of the infection, I no longer get messages on startup. System recovery still says it requires 'administrator privileges' to run (which I am), there is a general slowness, and Windows Explorer still crashes spontaneously (once it happened just as the infected registry entry was detected by MBAM).
I have deleted all internet temp files and am not accessing any accounts for fear they may be hijacked.
I hope you can help. I'm sorry I don't have the log from the first Microsoft scan, but hopefully this info is enough to get to the bottom of things.
Thank you!
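The two MBAM logs above contain the information a helper actually triages: which detections were left unresolved ("No action taken", "Delete on reboot"), which ones are autostart entries (Run keys, scheduled tasks), which ones are policy tampering (nofolderoptions, DisableRegistryTools), and the tell-tale pattern of system-binary names (csrss.exe, spoolsv.exe, cmd.exe, taskmgr.exe) sitting directly under C:\Windows\ instead of C:\Windows\System32\. The script below is an added example written for this page; it is not the poster's code nor anything from Malwarebytes. It assumes only the line shape visible in the quoted logs (`path (Detection) -> Action.`) and uses a hand-picked subset of System32 binary names; the sample log embedded in it is a constructed excerpt of lines copied from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the MBAM 1.46 log lines quoted in the post above.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\Windows\csrss.exe (Trojan.Downloader) -> Unloaded process successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\csrss.exe (Trojan.Downloader) -> Delete on reboot.
C:\Users\tyler\Downloads\setupxv.exe (Rogue.Installer) -> No action taken.
C:\Windows\Tasks\RegClean Scheduled Scan.job (Rogue.RegClean) -> No action taken.
"""

# Assumed line shape (as seen in the logs): "<item> (<Detection>) -> <Action>."
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

# Hand-picked subset of binaries that legitimately live in C:\Windows\System32.
# A same-named file directly under C:\Windows\ deserves a second look.
SYSTEM32_NAMES = {"csrss.exe", "spoolsv.exe", "cmd.exe", "taskmgr.exe"}
UNRESOLVED_ACTIONS = {"No action taken", "Delete on reboot"}


@dataclass
class Finding:
    section: str
    item: str
    detection: str
    action: str  # final action only, e.g. "Quarantined and deleted successfully"

    @property
    def is_persistence(self) -> bool:
        low = self.item.lower()
        return "\\currentversion\\run\\" in low or "\\windows\\tasks\\" in low

    @property
    def is_policy_tamper(self) -> bool:
        return "\\policies\\" in self.item.lower()

    @property
    def is_unresolved(self) -> bool:
        return self.action in UNRESOLVED_ACTIONS

    @property
    def is_system_name_outside_system32(self) -> bool:
        low = self.item.lower()
        # exactly two backslashes means the file sits directly under C:\Windows\
        return (low.startswith("c:\\windows\\") and low.count("\\") == 2
                and low.rsplit("\\", 1)[-1] in SYSTEM32_NAMES)


def parse_mbam_log(text: str) -> list:
    """Turn the detection lines of an MBAM log into Finding records."""
    findings, section = [], "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):      # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if not m:                           # summary line, separator, or "(No malicious items detected)"
            continue
        # "Bad: (1) Good: (0) -> Quarantined..." carries two arrows; keep the last segment.
        action = m.group("action").rstrip(".").split(" -> ")[-1]
        findings.append(Finding(section, m.group("item"), m.group("detection"), action))
    return findings


def triage(findings: list) -> dict:
    """Summarise what still needs follow-up and which entries matter most."""
    return {
        "total": len(findings),
        "by_action": dict(Counter(f.action for f in findings)),
        "unresolved": [f.item for f in findings if f.is_unresolved],
        "persistence": [f.item for f in findings if f.is_persistence],
        "policy_tamper": [f.item for f in findings if f.is_policy_tamper],
        "suspicious_system_names": sorted({f.item for f in findings
                                           if f.is_system_name_outside_system32}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against the full log text instead of the excerpt and the "unresolved" list is exactly the set a helper would ask about next; the "policy_tamper" entries explain the inaccessible Folder Options and Registry Editor, and "suspicious_system_names" highlights that the flagged csrss.exe is not the real one in System32.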