svchost.exe infects system volume info files

Eset Nod32 antivirus
January 24, 2010 at 16:06:24
Specs: Windows XP Pro SP3, Intel Core2Duo E6750@2,66GHz, 2GB RAM
NOD32 alerted me today (2 files, about 4 hours apart, sequential filenames) that svchost.exe has modified a System Volume Information _restore{} exe file and infected it with "probably a variant of Win32/Genetik trojan". The files were quarantined.
If this information helps, the infected file is on drive E:, which is an older hard disk; C: & D: are partitions of a newer one. I use E: for backup, no programmes are installed there, and I have never had any problems with it.
Can someone please help me?

Thanks a lot,



January 25, 2010 at 04:43:57
Also, this morning I did a quick scan with Malwarebytes' Anti-Malware, which turned up the log below.

And then I did a full system scan which said that there are no infections.
Haven't had NOD's notifications since the first (and only) two.

No mention of svchost.exe, though.

Malwarebytes' Anti-Malware 1.44
Database version: 3631
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25.1.2010 2:38:43
mbam-log-2010-01-25 (02-38-38).txt

Scan type: Quick Scan
Objects scanned: 114886
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{d18bbd1f-82bb-4385-bed3-e9d31a3e361e} (Hacktool.KewlButtonz) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{9dc243a5-ee33-4674-8563-89b48e779eb1} (Hacktool.KewlButtonz) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{b3d14cb9-183b-4bc8-8ce4-cba37a6fe8c6} (Hacktool.KewlButtonz) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d4bbe4c0-bd72-4a33-817c-2e7e16de20bc} (Hacktool.KewlButtonz) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\KewlButtonz.ocx (Hacktool.KewlButtonz) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\KewlButtonz.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\WINDOWS\ufdata2000.log (Malware.Trace) -> No action taken.
C:\tel.xls.exe (Backdoor.Tenga) -> No action taken.
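The Malwarebytes log above ends every line with "No action taken", so nothing listed there has been removed yet. The script below is an added example, not something from the original poster or from Malwarebytes: it re-checks each registry key, value and file named in that log so you can confirm whether they are still present after a clean-up pass, and it reads the three Security Center DisableNotify values (1 suppresses the "no antivirus / firewall / updates" warning, which is why the log marks 1 as Bad and 0 as Good). The -Fix switch, the Add-Finding helper and the script name are assumptions of this example; the paths and GUIDs are copied from the log as posted. It is written for PowerShell 2.0, the last version that installs on Windows XP SP3, and should be run from an Administrator prompt.

```powershell
# Added example, not from the original post or from Malwarebytes.
# Re-checks the artifacts the MBAM log reported with "No action taken".
# Paths and GUIDs are copied from the posted log; -Fix is this script's own switch.
param([switch]$Fix)   # -Fix resets the three Security Center values to 0

$findings = @()
function Add-Finding($item, $present, $note) {
    # hypothetical helper: collects one row for the summary table
    $script:findings += New-Object PSObject -Property @{
        Item = $item; Present = $present; Note = $note
    }
}

# COM registration for KewlButtonz.ocx (TypeLib / Interface / CLSID keys)
$comKeys = @(
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{d18bbd1f-82bb-4385-bed3-e9d31a3e361e}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{9dc243a5-ee33-4674-8563-89b48e779eb1}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{b3d14cb9-183b-4bc8-8ce4-cba37a6fe8c6}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{d4bbe4c0-bd72-4a33-817c-2e7e16de20bc}'
)
foreach ($k in $comKeys) {
    Add-Finding $k (Test-Path -LiteralPath $k) 'COM key (Hacktool.KewlButtonz)'
}

# SharedDLLs reference count entry whose value *name* is the .ocx path
$sharedDlls = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
$ocx = 'C:\WINDOWS\system32\KewlButtonz.ocx'
$ref = Get-ItemProperty -Path $sharedDlls -Name $ocx -ErrorAction SilentlyContinue
Add-Finding "$sharedDlls\$ocx" ($ref -ne $null) 'SharedDLLs value'

# Files listed in the log
foreach ($f in @($ocx, 'C:\WINDOWS\ufdata2000.log', 'C:\tel.xls.exe')) {
    Add-Finding $f (Test-Path -LiteralPath $f) 'File from MBAM log'
}

# Security Center notification switches: 1 = warnings suppressed (Bad), 0 = Good
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($v in 'AntiVirusDisableNotify','FirewallDisableNotify','UpdatesDisableNotify') {
    $cur = (Get-ItemProperty -Path $sc -Name $v -ErrorAction SilentlyContinue).$v
    $bad = ($cur -eq 1)
    if ($bad -and $Fix) {
        Set-ItemProperty -Path $sc -Name $v -Value 0 -Type DWord
        $note = 'was 1, reset to 0'
    } else {
        $note = "current value: $cur (0 expected)"
    }
    Add-Finding "$sc\$v" $bad $note
}

# Present = True means the item is still on the machine (or still set to 1)
$findings | Format-Table -AutoSize Item, Present, Note
```

Save it as, for example, check-mbam-items.ps1 and run `.\check-mbam-items.ps1` once to see what is still present, then `.\check-mbam-items.ps1 -Fix` if you want the three Security Center values set back to 0 (you may need `Set-ExecutionPolicy RemoteSigned` first). Two points worth knowing for the original question: the files NOD32 quarantined live under E:\System Volume Information\_restore{...}, which is where Windows XP stores System Restore snapshots, so the infected copies are restore-point copies of executables rather than anything svchost.exe created on its own; and because that folder is only readable by SYSTEM, the usual way to get rid of old copies there is to turn System Restore off for that drive (System Properties, System Restore tab) and back on, which discards the existing restore points. A script like this only verifies the registry and file items from the log; it does not replace a full scan after cleaning.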
