Win32.Buzus.amit / svchost fake - local and external drives

Discussion in 'Malware Help (A Specialist Will Reply)' started by kingpinski, Jun 15, 2009.

  1. kingpinski

    kingpinski Private E-2

I identified the problem about a week ago, but I could have been infected long before that. There was a hidden RECYCLER folder in my root directory and the system seemed to be slowing down. A Norton AntiVirus scan registered a Trojan.Horse-svchost.exe in that folder but couldn't do anything about it.

    Spybot didn't find anything during the regular scan, but when I used it on that folder specifically, the heuristic analysis detected Win32.buzus.amit in desktop.ini - but again, no action could be taken.

    Going through your Read & Run Me, ComboFix seems to have removed the folder, but there's no perceivable change in system performance and my task manager still shows seven svchost processes running.

    Additionally and unfortunately, the infection spread to an external drive and a flash drive via autorun before I even discovered the threat. Now I have no problem with setting up my notebook anew if necessary, but no idea how to disinfect the large external drive without massive data loss.

    Help would be much appreciated.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    First just an up front warning, any removable devices you use (like thumb/USB drives etc) may be infected. And any PCs they have been plugged into are most likely infected now too. You need to clean all of the removable devices and any PCs they have been plugged into.

    Now download and install this: Autorun Eater


    Now delete the below file:
    c:\windows\rar.vbs

    Other than the above, your logs are clean. Are you still having any malware problems?
     
  3. kingpinski

    kingpinski Private E-2

    I followed the instructions, but there are still strange RECYCLER folders on both external drives and I still can't delete them.

    There are also still several svchost exes running and the system is still going slow, although I'm not sure anymore if I can blame that solely on malware.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What folders exactly are you referring to? Emptying the recycle bin is the proper way to empty these folders for normal files. The RECYCLER folder itself is part of Windows and will appear on all drives.

    Normal. There are always between 3 and 8 of these depending on what you are doing. I have 7 running right now on my PC.
     
  5. kingpinski

    kingpinski Private E-2

    I guess you're right. The RECYCLER folders are in the root directories of the external drives, and they contain recycle bins named S-1-5-21-1966764565-2189706233-4176665243-1006 or something similar.

    The only thing I find odd is that after I ran ComboFix, the RECYCLER folder on my C drive disappeared, and didn't reappear until I plugged in the external.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Normal.

    This folder is always there unless you jump through special hoops to remove it. It is part of Windows just like the ones on your external drives.
     
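The thread turns on two points: the external drives were infected through autorun, and a RECYCLER folder with SID-named subfolders is normal on every NTFS volume, so the folder itself is not the indicator. The script below is an added example, not part of the thread and not one of the tools chaslang recommends. It triages a drive root offline for the pattern the original poster describes: an autorun.inf carrying launch directives, and executables (in particular a file called svchost.exe) sitting inside a recycle-bin folder where the operating system only ever stores renamed deleted files. It models a drive root as an ordinary directory, so on a real machine you would pass something like `Path(r"E:\")`; `build_sample_drive()` writes a constructed layout mirroring the thread so the script runs anywhere. All function and constant names are the example's own.

```python
"""Offline triage of a drive root for the autorun.inf / RECYCLER pattern.

Added example for the thread above; not a MajorGeeks tool. A drive root is
modelled as a directory; build_sample_drive() creates constructed test data.
"""
import configparser
import re
import tempfile
from pathlib import Path

# Per-user recycle-bin folders on NTFS are named S-1-5-21-<a>-<b>-<c>-<rid>.
SID_RE = re.compile(r"^S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}-\d{1,10}$")
# The recycle bin renames what it stores: XP uses D<letter><n>.<ext>,
# Vista and later use $R<6 chars>.<ext> / $I<6 chars>.<ext>.
RENAMED_RE = re.compile(r"^(D[a-zA-Z]\d+|\$[RI]\w{6})(\.|$)")
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
# Names that belong only in %SystemRoot%\System32; a copy elsewhere is a lure.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
# autorun.inf directives that launched something when an XP-era volume was opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")


def parse_autorun(path: Path) -> dict:
    """Return the launch directives found in an autorun.inf.

    Autorun worms pad the file with junk lines and use mixed-case section
    names to upset naive parsers, so this one is deliberately tolerant.
    """
    cfg = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                       delimiters=("=",))
    try:
        cfg.read_string(path.read_text(encoding="latin-1", errors="replace"))
    except configparser.Error:
        return {"_unparseable": "true"}
    return {key: value.strip()
            for section in cfg.sections() if section.lower() == "autorun"
            for key, value in cfg.items(section)
            if key in LAUNCH_KEYS and value}


def triage_drive_root(root: Path) -> list:
    """Return (reason, path) tuples for things a clean drive should not carry."""
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for key, target in parse_autorun(autorun).items():
            findings.append(("autorun.inf %s -> %s" % (key, target), str(autorun)))
    for bin_name in ("RECYCLER", "RECYCLED", "$Recycle.Bin"):
        bin_dir = root / bin_name
        if not bin_dir.is_dir():
            continue
        for entry in bin_dir.iterdir():
            if entry.is_dir() and not SID_RE.match(entry.name):
                findings.append(("recycle-bin subfolder not named after a SID", str(entry)))
            for f in ([entry] if entry.is_file() else entry.rglob("*")):
                if not f.is_file():
                    continue
                if f.name.lower() in SYSTEM_PROCESS_NAMES:
                    findings.append(("system process name outside System32", str(f)))
                elif f.suffix.lower() in EXECUTABLE_SUFFIXES and not RENAMED_RE.match(f.name):
                    findings.append(("executable not renamed as the recycle bin does", str(f)))
    return findings


def build_sample_drive(base: Path, infected: bool) -> Path:
    """Write a constructed drive layout (not a real sample) and return its root."""
    root = base / ("E_infected" if infected else "E_clean")
    sid = "S-1-5-21-1966764565-2189706233-4176665243-1006"  # SID quoted in the thread
    bin_dir = root / "RECYCLER" / sid
    bin_dir.mkdir(parents=True)
    # A legitimate XP bin folder holds desktop.ini, INFO2 and renamed deleted files.
    (bin_dir / "desktop.ini").write_text(
        "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n")
    (bin_dir / "INFO2").write_bytes(b"\x05\x00\x00\x00")
    (bin_dir / "Dc1.exe").write_bytes(b"MZ" + b"\0" * 62)
    if infected:
        (bin_dir / "svchost.exe").write_bytes(b"MZ" + b"\0" * 62)
        launcher = "RECYCLER\\%s\\svchost.exe -h" % sid
        (root / "autorun.inf").write_text(
            "[AutoRun]\n\x80\x81\x82 junk line without a delimiter\n"
            "open=%s\nshell\\open\\command=%s\nshell\\explore\\command=%s\n"
            % (launcher, launcher, launcher), encoding="latin-1")
    return root


def demo():
    """Triage both constructed layouts; returns (infected_findings, clean_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        return (triage_drive_root(build_sample_drive(base, infected=True)),
                triage_drive_root(build_sample_drive(base, infected=False)))


if __name__ == "__main__":
    infected, clean = demo()
    for reason, path in infected:
        print("%-50s %s" % (reason, path))
    print("clean layout findings:", clean)
```

The clean layout produces no findings even though it has a RECYCLER folder with a SID-named subfolder, which is chaslang's point; the infected one is flagged for the three launch directives and for the svchost.exe copy, not for the folder itself. The checks are heuristics: an autorun.inf with no launch keys can still be junk worth removing, and the script does not disable autorun, which is what a tool such as the recommended Autorun Eater is for.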
