Trojan keeps reappearing

[georgemcd]

Hi,

A few days ago I got a virus called antimalware doctor on my laptop which was pretty hard to get rid of, and have been having problems every since. Every few hours or so I get a message saying "services and controller app stopped working and was closed", follwed by a messages saying windows has encountered a critical error and will restart in 1 minute. There doesn't seem to be a way to stop this and its extremely annoying when it happens and i'm in the middle of doing something.

There's a trojan that superantispyware detects when I scan the computer with the following location :- c:\windows\system32\drivers\MLURK.sys which the programme says gets removed but after the required restart it finds it again. I dont think this is related to the above issue but it may be, google doesn't seem to come up with anything when i search for Mlurk.sys.

Can anyone help?

Cheers

George

[Seth]

Welcome to the SAS forum George.

Be sure you're using the latest version and definition files in SAS. You can do so by right clicking on the SAS icon near the time, then choose "Check For Updates". Now run a complete scans and see if the Trojan re-appears. If so, please submit a Customer Support Request. The SAS team will then analyze the possible infection and make changes to the definition files if necessary.

https://www.superantispyware.com/csrcreateticket.html

[SUPERAntiSpy]

Hi,

A few days ago I got a virus called antimalware doctor on my laptop which was pretty hard to get rid of, and have been having problems every since. Every few hours or so I get a message saying "services and controller app stopped working and was closed", follwed by a messages saying windows has encountered a critical error and will restart in 1 minute. There doesn't seem to be a way to stop this and its extremely annoying when it happens and i'm in the middle of doing something.

There's a trojan that superantispyware detects when I scan the computer with the following location :- c:\windows\system32\drivers\MLURK.sys which the programme says gets removed but after the required restart it finds it again. I dont think this is related to the above issue but it may be, google doesn't seem to come up with anything when i search for Mlurk.sys.

Can anyone help?

Cheers

George

George - we'll be happy to help you out. Can you post your latest SUPERAntiSpyware Scan Log here so we can see exactly what version of the product and definitions you are using? If you are using the latest defintions we will run a custom diagnostic which will allow us to pinpoint the problem, update our definitions and help you and other users that are infected with the same issue.

[georgemcd]

George - we'll be happy to help you out. Can you post your latest SUPERAntiSpyware Scan Log here so we can see exactly what version of the product and definitions you are using? If you are using the latest defintions we will run a custom diagnostic which will allow us to pinpoint the problem, update our definitions and help you and other users that are infected with the same issue.

Thanks. I seem to be having a problem updating to the latest version, it comes up with the error "There was an error trying to retrieve definitions. Make sure your firewall is not blocking SUPERANTISPYWARE from accessing the internet". I have tried turning off the windows firewall but got the same error. I'm also running Avira anti-virus, would that stop it at all? I'm also having problems updating Avira as it says the same thing that it can't get a connection so i suspect it is related to my virus.

Latest log is:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 05/04/2010 at 12:58 PM

Application Version : 4.34.1000

Core Rules Database Version : 4865

Trace Rules Database Version: 2649

Scan type : Quick Scan

Total Scan Time : 00:31:41

Memory items scanned : 659

Memory threats detected : 0

Registry items scanned : 514

Registry threats detected : 0

File items scanned : 19924

File threats detected : 13

Adware.Casino Games (Golden Palace Casino)

C:\POKER\PADDY POWER POKER\CASINO.EXE

C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PADDY POWER POKER\PADDY POWER POKER.LNK

C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PADDY POWER POKER.LNK

C:\USERS\PUBLIC\DESKTOP\PADDY POWER POKER.LNK

Adware.Tracking Cookie

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@doubleclick[1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ads.bcserving[1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@videoegg.adbureau[1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@invitemedia[2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ad.yieldmanager[2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[3].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@advertise[1].txt

Trojan.RootKit/Gen

C:\WINDOWS\SYSTEM32\DRIVERS\MLURK.SYS

[Seth]

In regards to the programs not updating, go into Control Panel>Internet Options>Connections>Lan Settings. Nothing should be checked in the Lan Settings Window. If so, uncheck it, then try to update. If that doesn't help, did the computer ever run Norton?

[georgemcd]

In regards to the programs not updating, go into Control Panel>Internet Options>Connections>Lan Settings. Nothing should be checked in the Lan Settings Window. If so, uncheck it, then try to update. If that doesn't help, did the computer ever run Norton?

Also, you're using an old version of SAS. Right click on the SAS icon near the time and choose "Check For Updates".

Thanks Seth I did that and it let me update both SuperAntiSpyware and avira, was that box checked as a result of the trojan? Anyways seems like a pretty nasty attack because when I ran the spyware scan again after updating it found a few trojans that weren't picked up before:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 05/04/2010 at 05:04 PM

Application Version : 4.34.1000

Core Rules Database Version : 4888

Trace Rules Database Version: 2700

Scan type : Complete Scan

Total Scan Time : 00:40:26

Memory items scanned : 734

Memory threats detected : 1

Registry items scanned : 7433

Registry threats detected : 1

File items scanned : 23505

File threats detected : 19

Trojan.Agent/Gen-FakeAlert

C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\UDK.EXE

C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\UDK.EXE

[M5T8QL3YW3] C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\UDK.EXE

C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\UDJ.EXE

C:\WINDOWS\UVOZIA.EXE

C:\Windows\Prefetch\UDK.EXE-C69763CA.pf

Adware.Tracking Cookie

C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@atdmt[2].txt

C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@uk.findstuff[2].txt

C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@stat.dealtime[1].txt

C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@trafficengine[1].txt

C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@dealtime[1].txt

C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@mediatraffic[1].txt

C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@overture[1].txt

C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@doubleclick[1].txt

C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@adviva[1].txt

Adware.Casino Games (Golden Palace Casino)

C:\POKER\PADDY POWER POKER\CASINO.EXE

C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PADDY POWER POKER\PADDY POWER POKER.LNK

C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PADDY POWER POKER.LNK

C:\USERS\PUBLIC\DESKTOP\PADDY POWER POKER.LNK

Trojan.Agent/Gen-Banker

C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\WGVYD.EXE

Trojan.RootKit/Gen

C:\WINDOWS\SYSTEM32\DRIVERS\MLURK.SYS

I followed the process to remove them and ran it again on startup and they were all removed successfully apart from the one I originally mentioned (MLURK.SYS).

[Seth]

You're welcome George.

Yes, the "Proxy" was checked due to the infection. It's designed to prevent the removal of the infection.

I noticed that you updated SAS as per my direction...good job. If you run a complete scan and the same infection appears, then please submit a CSR.