Worms.... Please help [SOLVED]

[sojanponnoly]

Thanks for replying to earlier posts...i would like to tell you that duplication of all the folders have occured in most of the drives(G,E,F) ....I have been scanning all the drives for the past 2 days & removing all the threats using IObit Security 360.......i also uploaded one of the duplicated folders in Virus total & following result was found:

 

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.10.03 Worm.Win32.AutoRun!IK

AhnLab-V3 5.0.0.2 2009.10.03 -

AntiVir 7.9.1.27 2009.10.02 Worm/Sohanad.41755

Antiy-AVL 2.0.3.7 2009.10.03 -

Authentium 5.1.2.4 2009.10.03 W32/SuspPack.AC.gen!Eldorado

Avast 4.8.1351.0 2009.10.03 Win32:AutoRun-AUV

AVG 8.5.0.420 2009.10.03 -

BitDefender 7.2 2009.10.04 Win32.Worm.YahLover.C

CAT-QuickHeal 10.00 2009.10.03 Trojan.Agent.ATV

ClamAV 0.94.1 2009.10.03 Worm.Autorun-1782

Comodo2505 2009.10.03 -

DrWeb5.0.0.12182 2009.10.03 Win32.HLLW.Autoruner.6522

eSafe 7.0.17.0 2009.10.01 Suspicious File

eTrust-Vet 31.6.6774 2009.10.02 Win32/Yahlover.GC

F-Prot 4.5.1.85 2009.10.03 W32/SuspPack.AC.gen!Eldorado

F-Secure8.0.14470.0 2009.10.03 IM-Worm.Win32.Sohanad.gen

Fortinet 3.120.0.0 2009.10.03 -

GData 19 2009.10.04 Win32.Worm.YahLover.C

IkarusT3.1.1.72.0 2009.10.03 Worm.Win32.AutoRun

Jiangmin 11.0.800 2009.09.27 -

K7AntiVirus 7.10.861 2009.10.03 Trojan.Win32.Malware

Kaspersky 7.0.0.125 2009.10.04 IM-Worm.Win32.Sohanad.gen

McAfee5760 2009.10.03 W32/Yahlover.worm.gen.c

McAfee+Artemis 5760 2009.10.03 W32/Yahlover.worm.gen.c

McAfee-GW-Edition6.8.52009.10.03 Worm.Sohanad.41755

Microsoft 1.5101 2009.10.03 Worm:Win32/Tupym.A

NOD32 4478 2009.10.03 Win32/Autoit.EB

Norman 6.01.09 2009.10.03 -

nProtect 2009.1.8.0 2009.10.03 Worm/W32.Sohanad_Packed.417559

Panda 10.0.2.2 2009.10.03 W32/Sality.AF

PCTools 4.4.2.0 2009.10.03 Worm.AutoRun.esf

Prevx 3.0 2009.10.04 -

Rising 21.49.22.00 2009.09.30 -

Sophos 4.45.0 2009.10.03 W32/AutoRun-AOA

Sunbelt 3.2.1858.2 2009.10.03 IM-Worm.Win32.Sohanad.gen

Symantec 1.4.4.12 2009.10.03 W32.Imaut.E

TheHacker 6.5.0.2.028 2009.10.03 W32/Sohanad.gen

TrendMicro 8.950.0.1094 2009.10.03 -

VBA323.12.10.11 2009.10.03 Trojan-Downloader.Autoit.gen

ViRobot 2009.10.2.1968 2009.10.02 -

VirusBuster 4.6.5.0 2009.10.03 Worm.Autoit.SY

Additional information

File size: 417559 bytes

MD5...: 6ec2f1f9507027544b86c59ee428ecb6

SHA1..: 906950a2df0cce400c638bd7c9e79d6136d5fafb

SHA256: 72673bddd2619e4d6535c076efc68290fcdaa9deefd6a9571c7cf47961ddb160

ssdeep: 6144:NYZTNk3D6LyUXwLLk+cR3qh0GQ43VJRD0ewyMdr:NSNC80I+cR3R03Vseer

PEiD..: -

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x9acb0

timedatestamp.....: 0x482d38ba (Fri May 16 07:33:14 2008)

machinetype.......: 0x14c (I386)

 

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

UPX0 0x1000 0x62000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 0x63000 0x38000 0x38000 7.93 fd778de86ffa0943ad88ad69aa6f086d

.rsrc 0x9b000 0x9000 0x8800 4.76 807970d2d54ca7f456ada8e9c27c72b4

.TUPX1 0xa4000 0xf000 0xf000 0.00 84c48b8da7e9b9d3c5667ad9819debd9

 

( 13 imports )

> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

> ADVAPI32.dll: RegCloseKey

> COMCTL32.dll: ImageList_Create

> comdlg32.dll: GetSaveFileNameW

> GDI32.dll: LineTo

> MPR.dll: WNetUseConnectionW

> ole32.dll: CoInitialize

> OLEAUT32.dll: -

> SHELL32.dll: DragFinish

> USER32.dll: GetDC

> VERSION.dll: VerQueryValueW

> WINMM.dll: timeGetTime

> WSOCK32.dll: -

 

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..:

original name: n/a

internal name: n/a

file version.: 3, 2, 12, 0

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

packers (Authentium): UPX

trid..: UPX compressed Win32 Executable (39.5%)

Win32 EXE Yoda's Crypter (34.3%)

Win32 Executable Generic (11.0%)

Win32 Dynamic Link Library (generic) (9.8%)

Generic Win/DOS Executable (2.5%)

packers (F-Prot): UPX

[333halfevil]

Hi there. Can you please do the following. And remember do NOT delete anything.

 

Run Hijack Scan and save a log. Once a log file is saved to your desktop, please attach it to or paste it in this thread.

http://img30.imageshack.us/img30/7895/74140502.png

[sojanponnoly]

Hijack scan log

 

Attached herewith is the hijack scan report...thanks

Hijack scan Report.txt

[333halfevil]

Hello. Do you use a program called LAN Voice Chat?

[sojanponnoly]

I dont use it ....... :)

 

 

thanks

[333halfevil]

Please use Unlock and Delete to remove:

• C:\Program Files\LAN Voice Chat\Speechs.exe
  

 

Then check the box in Hijack Scan to remove:

• O23 - Service: Glasovne poruke (Speechsrv) - Unknown - C:\Program Files\LAN Voice Chat\Speechs.exe
  

 

Please then run another scan with Security 360.

[sojanponnoly]

Guess problem is solved......

 

Thanks for all the help....

 

i have removed & deleted the following as per your instructions:

 

 

 

C:\Program Files\LAN Voice Chat\Speechs.exe

O23 - Service: Glasovne poruke (Speechsrv) - Unknown - C:\Program Files\LAN Voice Chat\Speechs.exe

 

The iorbit scan did not detect any threats after this .thanks .