
lots of issues

  • 19-01-2010 05:05PM
    #1
    Closed Accounts Posts: 17


    I'm trying to get some malware off some office computers. All the computers seem to be infected. I've installed Avira on all of them. All of them have somewhere between 5-15 detections (but often seem to be the same thing). Most of the same key names keep popping up.

    I'm going to just describe the one computer I'm concentrating on so far.

    When I got in: blue screen, bad pool call. Restarted, no issues since.

    Avira guard: unknown

    Hosts file: the hosts file is replaced with a huge obfuscation with various redirects. It's 5 megs big

    The malware that keeps popping up is named rundll32_s.exe
    C:\WINDOWS\TEMP\rundll32_s.exe one (command line)
    C:\windows\system32\qtplugin.exe (detected on various other computers)

    process monitor log of it : http://www.2shared.com/file/10773337/97cfb994/Logfile2.html


    Hijack this: http://boards.ie/vbulletin/attachment.php?attachmentid=103144&stc=1&d=1263916906

    Process monitor and explorer and cmd all close when opened; I had to rename them just to open them. Will update information in a bit.
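
A hosts file like the one described in this post (replaced wholesale, about 5 MB, full of redirects) can be triaged offline before it is restored to a known-good copy. The sketch below is an added example, not part of the thread; the sample data, the 64 KB size threshold and the names `triage_hosts`, `SAMPLE_HOSTS` and `LOCAL_NAMES` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample, not taken from the machines in the thread.
SAMPLE_HOSTS = (
    "# sample hosts file\n"
    "127.0.0.1       localhost\n"
    + "\n" * 2000  # blank-line padding that pushes later entries out of view
    + "203.0.113.10    www.example-bank.test   # constructed redirect\n"
    "203.0.113.10\tupdate.example-av.test\n"
    "0.0.0.0         ads.example.test\n"
    "not-an-ip       broken.example.test\n"
)

MAX_EXPECTED_BYTES = 64 * 1024  # assumption: a normal hosts file is a few KB at most
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def triage_hosts(text, size_bytes=None):
    """Classify every entry of a hosts file and flag an abnormal size."""
    size = len(text.encode("utf-8")) if size_bytes is None else size_bytes
    report = {"size_bytes": size, "oversized": size > MAX_EXPECTED_BYTES,
              "blank_lines": 0, "redirected": [], "blocked": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            report["blank_lines"] += 1
            continue
        fields = raw.split("#", 1)[0].split()   # drop trailing comment
        if not fields:                          # comment-only line
            continue
        names = [n.lower() for n in fields[1:]]
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or not names:
            report["malformed"].append((lineno, raw.strip()))
            continue
        if addr.is_loopback and set(names) <= LOCAL_NAMES:
            continue                            # ordinary localhost mapping
        # Loopback or 0.0.0.0 makes a name unreachable; any other address
        # sends traffic for that name to a different machine.
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        report[kind].append((lineno, str(addr), names))
    return report


if __name__ == "__main__":
    result = triage_hosts(SAMPLE_HOSTS, size_bytes=5 * 1024 * 1024)
    for key in ("oversized", "blank_lines", "redirected", "blocked", "malformed"):
        print(key, "=", result[key])
```

On a live machine the text would come from `C:\Windows\System32\drivers\etc\hosts`, read from a copy of the file so the original stays available as evidence.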


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    got an avira log ?


  • Closed Accounts Posts: 17 Candlemaker


    Not at this time. The virus kept recreating itself when I delete it. So I've left the office for the moment. Is there anything apparent on any of the other logs so far?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    not really, HJT logs are not that useful

    You would be best off installing MBAM on all the machines and running a scan with that.


  • Closed Accounts Posts: 7 highlander87


    Got the same problem, couldn't believe there's nothing about it on Google, it's obviously very new, just can't figure out where I picked it up. I tried everything, deleted qtplugin.exe and rundll32_s.exe, searched the registry for any sign of these two (but didn't find any), and the rundll32_s.exe still keeps running, and not only as one process, but it seems to periodically run one of these processes after another; I've counted up to 10 active in Task Manager on one occasion. I really don't have time to reinstall Windows, and download all the software and install it again, so it's pretty frustrating. Got Avast antivirus, and some other anti-malware software, had a boot-time scan performed with Avast today, and it still didn't remove it... I figure the key for removing it is finding out what starts the rundll32_s.exe process, so any clues on how to do that?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    highlander make a new topic and I can help you remove it

    Candlemaker if MBAM doesn't do it then your IT Support are going to have to handle it


  • Closed Accounts Posts: 7 highlander87


    Why a new topic? It's the same malware?! Whatever, making a new thread...


  • Closed Accounts Posts: 17 Candlemaker


    I am the IT support. Never used HijackThis before so I thought I'd post the log. Second, never seen this before, can't find anything on Google. In fact, when I try searching I only get the other guy's thread.

    highlander87: you're more than welcome to use this thread as well

