Author Topic: Luder-F nightmare!!! HELP!  (Read 10896 times)


itoff

  • Guest
Luder-F nightmare!!! HELP!
« on: October 31, 2006, 08:02:13 PM »
I need some help on this one!!!  Avast has detected a virus infection on one of our computers.  The virus is Win32:Luder-F, and it has infected MANY files on the computer!  The scan is running as I type!  When I click repair, avast gives a repair error and says that it can't repair.  I don't know what to do but click ignore all, since it has infected many critical program files and system files!  Is there any help here?  Please advise ASAP!!!

(sorry about placing this post in the wrong forum first...  ???)

The error I get is Error 42060.  Also, I notice now that when I try to run programs, the program executables DISAPPEAR!!!  Even aswAvast.exe disappeared!!!!  I am running a boot time virus scan, and telling it to move all the stuff to the chest.  I just don't know what to do!!!  This thing is wreaking HAVOC on that system!  God forbid it to spread to any other computer, OR the server!
« Last Edit: October 31, 2006, 09:23:34 PM by itoff »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Luder-F nightmare!!! HELP!
« Reply #1 on: October 31, 2006, 09:29:42 PM »
> God forbid it to spread to any other computer, OR the server!
Please, remove the cables of the network and avoid further spreading of the virus.
I'll think while you do this...
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Luder-F nightmare!!! HELP!
« Reply #2 on: October 31, 2006, 09:48:36 PM »
> The error I get is Error 42060.
This means that the file was not repaired. The repair failed.
How long has avast been installed on this computer? Do you remember whether the VRDB (virus recovery database) was finished before?
Maybe you should try The Cleaner: http://www.avast.com/eng/down_cleaner.html

NickGolovko

  • Guest
Re: Luder-F nightmare!!! HELP!
« Reply #3 on: November 01, 2006, 12:27:18 PM »
The Virus type... Let me see whether I have info.

Aha. See this:

http://vil.nai.com/vil/content/v_138841.htm

Hope this helps a little. If avast can't cure the infected files, you may download the free Dr.Web CureIt utility. Dr.Web is a known leader in curing files.

itoff

  • Guest
Re: Luder-F nightmare!!! HELP!
« Reply #4 on: November 02, 2006, 02:00:13 PM »
> This means that the file was not repaired. The repair failed.
> How long has avast been installed on this computer? Do you remember whether the VRDB (virus recovery database) was finished before?
> Maybe you should try The Cleaner: http://www.avast.com/eng/down_cleaner.html
Avast has been installed on this computer for months now.  I have an ADNM, and that computer is one of the 30 or so workstations that have the netclient on them.  The office was closed yesterday, but I will go now and check to see what happened.  I assume that the VRDB was finished, but I really don't know.  As I said, it is not a stand alone system, because it is a managed client.  I will try the cleaner, but how do I clean all the files that have been placed in the chest?

Please advise!!!

Thanks!

PS. The virus cleaner can clean files that avast cannot?  Isn't avast better?
« Last Edit: November 02, 2006, 02:06:42 PM by itoff »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Luder-F nightmare!!! HELP!
« Reply #5 on: November 02, 2006, 07:50:17 PM »
> But how do I clean all the files that have been placed in the chest?
I need Alwil assistance here... as you're trying to manage local Chests by the ADNM and I'm not an expert on this...

> PS. The virus cleaner can clean files that avast cannot?  isn't avast better?
Well, I did not try to say so. avast can do the same as The Cleaner... but it was just a suggestion as, due to avast errors, any function of repairing could give you repair errors, while the standalone Cleaner could, in my guess, do it without further problems.

missingstang

  • Guest
Re: Luder-F nightmare!!! HELP!
« Reply #6 on: November 03, 2006, 01:02:18 AM »
My brother just called me with this same thing. Unfortunately he connects through AOL and cannot open it to get online scans. Is this a new virus? I've found relatively nothing about it. He has had avast installed for over a year. A VRDB was created. I just don't know how to revert using the VRDB. Any help appreciated. ???

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Luder-F nightmare!!! HELP!
« Reply #7 on: November 03, 2006, 01:24:04 AM »
VRDB is a generic method, storing file parts that are often target of virus infections. So, it is capable of fixing even some brand new virus infections. However, it also means that it fails on some others :-\ (that use special infection methods, for example). So, it's possible that VRDB doesn't work for this particular virus... (and I'm afraid Cleaner won't help either - it's a handy tool, but with a very limited set of supported malware, and Luder is not one of them).

What is rather strange is how the computer on the network could have been infected - when avast! detects the virus (for a few months now), it couldn't have been just executed on the computer. So, maybe there's an unprotected computer on the network which uses some open shares to open other machines' files?

jleonard2

  • Guest
Re: Luder-F nightmare!!! HELP!
« Reply #8 on: November 05, 2006, 06:59:32 PM »
I also have win32:banwarum-m and win32:luder-f infections.
I have run Avast in "thorough" mode 4 times and opted to permanently delete all infected files which Avast identified.  The virus comes back each time.
It starts by stating that "wservice.exe has generated errors and will be closed by windows" and then identifies c:\Documents & settings\all users\dr watson\user.dmp as infected with luder-f, and c:\winnt\system32\adir.dll as infected with banwarum-m.
I keep reloading programs to get functionality, but can't get rid of this pair of devils, even though I use explore to manually delete them - "Dr Watson" comes back even though it is deleted through avast.
Any solution would be greatly appreciated.
I have had Avast for two years and it is current

ONEBADMK8

  • Guest
Re: Luder-F nightmare!!! HELP!
« Reply #9 on: November 05, 2006, 10:06:05 PM »
This MUST be BRAND NEW!! The scary thing is there is NO info on google for this at all.

I have it too and it is screwing me up royally.  PLEASE HELP!!  I had to delete Avast altogether because this god damn thing went into the Alwil folder and got everything. Now I have the Microsoft Live OneCare and I can't even open it up now.  It says I am at risk but I cannot open up this program now.

This thing is BAD NEWS and I want it gone. 

I disabled system restore many times, this thing also takes down the windows firewall on every restart.

PLEASE tell me whatever I can do and I'll do it.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Luder-F nightmare!!! HELP!
« Reply #10 on: November 05, 2006, 10:24:14 PM »
Which is the name of the file (and its path) infected?
Did you run a boot-time scanning?

ONEBADMK8

  • Guest
Re: Luder-F nightmare!!! HELP!
« Reply #11 on: November 06, 2006, 02:10:59 AM »
OK, I'll say this again, IT DOES NOT ALLOW YOU TO REBOOT IN SAFE MODE.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Luder-F nightmare!!! HELP!
« Reply #12 on: November 06, 2006, 02:34:54 AM »
That doesn't stop you answering Tech's question on the infected file name and location.

In order to run a boot-time scan (WinNT, Win2k, WinXP only) you don't have to be in safe mode, so no F8 required. If you can run the Start avast anti-virus, the Simple User Interface, click Menu, Schedule boot-time scan. If not, run this file C:\Program Files\Alwil Software\Avast4\ashSimpl.exe (or ashSimp2.exe, no skins interface) and schedule a boot-time scan from there.

Windows Start, Run, type msconfig, select the Startup Tab and see if there is any entry for the malware.

Also check (I know it says Duel, but that is also an alias):
Quote
Upon execution, it creates a copy of itself into the Windows system directory:

%Windir%\%SYSDIR%\Duel.exe

Adds the following values to the registry to auto start itself when Windows starts.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 "Win32_Duel" = "%Windir%\%SYSDIR%\Duel.exe"

Also see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FLUDER%2EA%2DO&VSect=P
« Last Edit: November 06, 2006, 02:39:22 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
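
The Run-key check described in the post above, as an added example that is not part of the original thread: it parses saved `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` output and flags any value that matches the quoted value name or file name. The sample output and the function names are constructed for illustration; only `Win32_Duel` and `Duel.exe` come from the post.

```python
import ntpath
import re

# Indicators taken from the description quoted in the post.
IOC_VALUE_NAME = "win32_duel"
IOC_FILE_NAME = "duel.exe"

# One value line of `reg query` output: indented name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# End of the program path in an unquoted command line.
EXE_END = re.compile(r"^(.*?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)", re.I)

def parse_run_values(reg_output):
    """Return [(value_name, data)] for each value listed under the key."""
    values = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append((m.group("name"), m.group("data").strip()))
    return values

def executable_of(data):
    """Program path of a Run value, without quotes or arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = EXE_END.match(data)
    return m.group(1) if m else data

def find_luder_autostart(reg_output):
    """Flag values whose name or target file matches the quoted indicators."""
    hits = []
    for name, data in parse_run_values(reg_output):
        exe = ntpath.basename(executable_of(data)).lower()
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name")
        if exe == IOC_FILE_NAME:
            reasons.append("file name")
        if reasons:
            hits.append((name, data, reasons))
    return hits

# Constructed sample of saved `reg query` output (not from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\PROGRA~1\Example\tray.exe
    Sample Updater    REG_SZ    "C:\Program Files\Sample\update.exe" /background
    Win32_Duel    REG_SZ    C:\WINDOWS\system32\Duel.exe
    SysHelper    REG_SZ    C:\WINDOWS\system32\DUEL.EXE -s
"""

if __name__ == "__main__":
    for name, data, reasons in find_luder_autostart(SAMPLE):
        print(f"{name}: {data} (matched on {', '.join(reasons)})")
```

A hit only says the autostart entry is present; the file it points to still has to be dealt with by the scanner, as the rest of the thread discusses.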

Spiritsongs

  • Guest
Re: Luder-F nightmare!!! HELP!
« Reply #13 on: November 06, 2006, 04:50:50 AM »
 :)  Hi all :

     WHY are you NOT trying to use a Good antiSPYWARE/antiTROJAN program to
     deal with this, like the FREE version of "SUPERantispyware" from
     www.superantispyware.com  !?

ONEBADMK8

  • Guest
Re: Luder-F nightmare!!! HELP!
« Reply #14 on: November 06, 2006, 06:20:56 AM »
> That doesn't stop you answering Tech's question on the infected file name and location.
>
> In order to run a boot-time scan (WinNT, Win2k, WinXP only) you don't have to be in safe mode, so no F8 required. If you can run the Start avast anti-virus, the Simple User Interface, click Menu, Schedule boot-time scan. If not, run this file C:\Program Files\Alwil Software\Avast4\ashSimpl.exe (or ashSimp2.exe, no skins interface) and schedule a boot-time scan from there.
>
> Windows Start, Run, type msconfig, select the Startup Tab and see if there is any entry for the malware.
>
> Also check (I know it says Duel, but that is also an alias):
> Quote
> Upon execution, it creates a copy of itself into the Windows system directory:
>
> %Windir%\%SYSDIR%\Duel.exe
>
> Adds the following values to the registry to auto start itself when Windows starts.
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>  "Win32_Duel" = "%Windir%\%SYSDIR%\Duel.exe"
>
> Also see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FLUDER%2EA%2DO&VSect=P

Well, here's what I did.  I reinstalled Avast since I couldn't open up Microsoft OneCare anymore. Well, I do a boot scan with Avast right after a fresh install and lo and behold, there was the Luder-F all up in the OneCare Files ASS!!  Unreal.  It disabled me from opening it but it was actively scanning and running. It also seems to be containing it in some way because I am not having ANY of the previous problems I had before I installed the OneCare.  It seemed to have gotten rid of the two other problems that Adaware wouldn't remove before, now it removed them?  Weird.  Anyway, all I have left is this Luder-F deal.  Should I try the removal instructions for the Duel variant?  Will this work?