
about a P2P worm a Rootkit and a Bunch of Trojan Downloaders

I delete them, but they keep on coming back!

Avl.exe(Trojan.downloader)

Avk.exe(Trojan.downloader)

sbpad.exe(Rootkit.dropper)

xuilih.exe(P2P.Worm)

My svchost.exe eats up 100% of my CPU usage, and I do not know what to do! Please help me! I don't know anything about malware busting, and I really really need professional help!

PS. I used the GetSusp thingy that I came across with from this community, and below is the .zip file of my recent scan.

Thank you!

exbrit
Level 21

Re: about a P2P worm a Rootkit and a Bunch of Trojan Downloaders

Moved to the correct area for expert help.

vinoo
Level 13

Re: about a P2P worm a Rootkit and a Bunch of Trojan Downloaders

Thanks for submitting the GetSusp logs. The culprit is:

md5: c26e0c99a16397ac5252a8d23b9f398a
Location: C:\Users\Owner\tomov.exe
Attributes: HRS

You could follow these instructions to submit this sample to McAfee Labs: http://vil.nai.com/vil/submit-sample.aspx

Best,
Vinoo

PS: I've whitelisted most of your files; a rerun of GetSusp will bring up fewer unknown files.

on 12/9/10 8:20:50 PM IST

Re: about a P2P worm a Rootkit and a Bunch of Trojan Downloaders

Hi!

First of all I would like to thank Ex_Brit for leading my post onto a community where it could be solved! Much appreciated!

And to Mr. Vinoo Thomas, thank you for identifying the culprit! Any luck on how to delete it? I ran another GetSusp scan, and successfully sent the file to you guys.

Question: Now the filepath says C:/Users/Owner/tomov.exe, but I cannot find it anywhere (I activated the "View Hidden Files" btw). Is this an insanely hidden file which cannot be seen unless provoked by an apt program?

I am asking this because I was wondering if I could delete it manually. Much thanks if you could tell me how to permanently delete this bugger!

Thank You!

PS: I am really sorry because I haven't got the faintest idea on what "md5: c26e0c99a16397ac5252a8d23b9f398a" and "Attributes: HRS" mean. Please help me out here!

Again Much thanks to you and to McAfee experts for helping this ignoramus out!

vinoo
Level 13

Re: about a P2P worm a Rootkit and a Bunch of Trojan Downloaders

In Windows Explorer, go to Tools --> Folder Options --> View and uncheck "Hide protected operating system files".

The file tomov.exe uses the attributes HRS (Hidden, Read-Only, System), making it hidden even if the "show hidden files" option is checked in Explorer.

Once you can view the file, you could try to delete it manually in Safe Mode. Although I would recommend that you wait for detection to be added in the McAfee VirusScan DAT files for better system cleaning.

Happy to help!

Best,
Vinoo

PS: md5 is a unique hash that is associated with a file.

on 13/9/10 11:41:03 AM IST
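The same check from the command line, as an added example that is not part of the thread or of McAfee's tooling: list the file despite its Hidden/System attributes, decode them into the H/R/S letters GetSusp reports, and confirm its MD5 against the value Vinoo quoted before deciding it is the same sample. The path and hash are the ones given in the thread; everything else is assumed.

```powershell
# Added example (not from the original thread). Path and MD5 are the values Vinoo quoted.
$Path        = 'C:\Users\Owner\tomov.exe'
$ExpectedMd5 = 'c26e0c99a16397ac5252a8d23b9f398a'

# Explorer and Get-ChildItem both skip Hidden/System entries by default;
# -Force is the command-line equivalent of unticking "Hide protected operating system files".
$file = Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue
if (-not $file) {
    Write-Output "Not found: $Path (it may already have been removed or renamed)"
    return
}

# Decode the attribute bits into the same H/R/S letters shown in the GetSusp log.
$letters = @()
if ($file.Attributes -band [IO.FileAttributes]::Hidden)   { $letters += 'H' }
if ($file.Attributes -band [IO.FileAttributes]::ReadOnly) { $letters += 'R' }
if ($file.Attributes -band [IO.FileAttributes]::System)   { $letters += 'S' }
Write-Output ("Attributes: " + ($letters -join ''))

# Hash the file and compare with the MD5 from the log; a mismatch means a different
# file (the downloaders in the first post may have dropped a newer copy), so do not
# assume the earlier identification still applies to it.
$actualMd5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
if ($actualMd5 -eq $ExpectedMd5) {
    Write-Output "MD5 matches the sample identified in the thread."
} else {
    Write-Output "MD5 is $actualMd5, which differs from the identified sample."
}
```

Run it from an elevated PowerShell prompt; deleting the file afterwards still follows Vinoo's advice above (Safe Mode, or wait for the DAT detection).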