4 Replies Latest reply on Sep 13, 2010 1:11 AM by vinoo

    about a P2P worm a Rootkit and a Bunch of Trojan Downloaders

      I delete them, but they keep on coming back!


      Avl.exe(Trojan.downloader)

      Avk.exe(Trojan.downloader)

      sbpad.exe(Rootkit.dropper)

      xuilih.exe(P2P.Worm)


      My svchost.exe eats up 100% of my CPU usage, and I do not know what to do! Please help me! I don't know anything about malware busting, and I really, really need professional help!


      PS. I used the GetSusp thingy that I came across in this community, and below is the .zip file of my recent scan.


      Thank you!

        • 1. Re: about a P2P worm a Rootkit and a Bunch of Trojan Downloaders
          Peter M

          Moved to the correct area for expert help.

          • 2. Re: about a P2P worm a Rootkit and a Bunch of Trojan Downloaders
            vinoo

            Thanks for submitting the GetSusp logs. The culprit is:


            md5: c26e0c99a16397ac5252a8d23b9f398a
            Location: C:\Users\Owner\tomov.exe
            Attributes: HRS


            You could follow these instructions to submit this sample to McAfee Labs: http://vil.nai.com/vil/submit-sample.aspx


            Best,
            Vinoo


            Ps: I’ve whitelisted most of your files – a rerun of GetSusp will bring up fewer unknown files.

            on 12/9/10 8:20:50 PM IST
            • 3. Re: about a P2P worm a Rootkit and a Bunch of Trojan Downloaders

              Hi!

              First of all I would like to thank Ex_Brit for leading my post onto a community where it could be solved! Much appreciated!


              And to Mr. Vinoo Thomas, thank you for identifying the culprit! Any luck on how to delete it? I ran another GetSusp scan, and successfully sent the file to you guys.


              Question: Now the filepath says C:/Users/Owner/tomov.exe, but I cannot find it anywhere (I activated the "View Hidden Files" btw). Is this an insanely hidden file which cannot be seen unless provoked by an apt program?


              I am asking this because I was wondering if I could delete it manually. Much thanks if you could tell me how to permanently delete this bugger!


              Thank You!


              PS: I am really sorry because I haven't got the faintest idea on what "md5: c26e0c99a16397ac5252a8d23b9f398a" and "Attributes: HRS" mean. Please help me out here!


              Again Much thanks to you and to McAfee experts for helping this ignoramus out!

              • 4. Re: about a P2P worm a Rootkit and a Bunch of Trojan Downloaders
                vinoo

                In Windows Explorer, go to Tools --> Folder Options --> View and uncheck "Hide protected operating system files".


                The file tomov.exe uses the attributes HRS (Hidden, Read-Only, System), making it hidden even if the "show hidden files" option was checked in Explorer.


                Once you can view the file, you could try to delete it manually in safe mode. Although I would recommend that you wait for detection to be added in the McAfee VirusScan DAT files for better system cleaning.


                Happy to help!


                Best,
                Vinoo


                Ps: md5 is a unique hash that is associated with a file.

                on 13/9/10 11:41:03 AM IST
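The two points vinoo makes in reply 4 (HRS attributes keep a file out of Explorer's default view, and an MD5 identifies the sample) can be checked from PowerShell without touching Explorer settings. This is an added example, not code from the thread or from McAfee; it uses the md5 vinoo reported and assumes C:\Users as the scan root.

```powershell
# Added example (not from the thread): list hidden+system .exe files under the
# user profiles and flag any whose MD5 matches the hash reported in reply 2.
$KnownBad = 'c26e0c99a16397ac5252a8d23b9f398a'   # md5 from vinoo's post
$Root     = 'C:\Users'                           # assumption: scan root

# -Force is required: without it Get-ChildItem skips Hidden and System entries,
# which is exactly why tomov.exe did not show up in Explorer.
Get-ChildItem -Path $Root -Recurse -Force -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object {
        # Keep only files carrying BOTH the Hidden and the System attribute (the "H" and "S" of HRS)
        $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $_.Attributes.HasFlag([IO.FileAttributes]::System)
    } |
    ForEach-Object {
        # Hash the file and compare against the known sample; Get-FileHash returns upper-case hex
        $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
        [pscustomobject]@{
            Path       = $_.FullName
            Attributes = $_.Attributes          # e.g. ReadOnly, Hidden, System
            MD5        = $hash
            KnownBad   = ($hash -eq $KnownBad)  # $true only for the sample vinoo identified
        }
    } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so other users' profiles are readable; a row with KnownBad = True is the same file vinoo identified, while other HRS executables in a profile folder are merely worth a second look, since legitimate software rarely stores binaries that way.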