Hello, I was using my PC without any problems until about 4 PM today; the PC was unused until I returned to it
at about 7. On the screen there were all these IE windows for gambling sites and other things that I didn’t set in motion.
My box is triple boot: two versions of XP and one Vista. The infected system, partition F:, has Avast Home installed,
while none of the others has any anti-virus. (These two systems are working OK.)
When I sat down at the PC close to 7PM, Avast said it had found something and asked me to put it in the chest.
I did it, but the message kept reappearing. At that point, I rebooted the system to my other XP, version C:.
The first thing I did was to look in the Avast warning log, and I see this:
12/1/2008 5:05:25 PM 1228179925 SYSTEM 1256 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
12/3/2008 6:38:45 PM 1228358325 SYSTEM 1476 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\DOCUME~1\DAVEXN~1\LOCALS~1\Temp\sxnaomwerc.tmp” file.
12/3/2008 6:52:10 PM 1228359130 SYSTEM 1476 Sign of “Win32:Agent-HYD [trj]” has been found in “F:\DOCUME~1\DAVEXN~1\LOCALS~1\Temp\wrncsoexam.tmp” file.
12/3/2008 6:52:13 PM 1228359133 SYSTEM 1476 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\DOCUME~1\DAVEXN~1\LOCALS~1\Temp\winvsnet.tmp” file.
12/3/2008 6:52:18 PM 1228359138 SYSTEM 1476 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “F:\WINDOWS\system32\ssqOEUoL.dll” file.
12/3/2008 6:52:23 PM 1228359143 SYSTEM 1476 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Temp\uVN23L.exe” file.
12/3/2008 6:52:29 PM 1228359149 SYSTEM 1476 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\DOCUME~1\DAVEXN~1\LOCALS~1\Temp\winvsnet.tmp” file.
While Nshield.log says this:
03.12.2008 18:47:21 Network Shield: blocked access to malicious site dns://powerfulvirusremover2008.com [ F:\WINDOWS\system32\svchost.exe ]
Curiously enough, uvn23l.exe was found in c:\temp, but the c:\ XP is booting and showing no sign of infection (yet). I also found this file in
the F:\Internet Explorer temporary internet files (cache).
Virustotal reveals the following about uVN23L.exe (330,034 bytes)
If you look in F:\windows\prefetch you can see some other odd file names between 6.38 and 6.54 PM
I tried booting up the F: partition in safe mode - it opens, but the desktop (explorer.exe?) will not stay up for more than about 5 seconds.
I can open the task manager and restart it, but it closes again. I was able to open System Restore, but all restore points are gone except one that
is called “Last known configuration” - at about the time of this activity. First time I’ve seen a restore point with that name.
What should I do next? Install Avast (or other tool) in the good c:\ partition and scan F:?
Thanks for any info.
http://img222.imageshack.us/img222/7017/prefetchrz0.jpg
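Added example (not part of the original post, and not Avast's own tooling): a small Python triage helper that parses the two Avast logs quoted above, which use different timestamp formats (US 12-hour in the Warning log, European 24-hour in Nshield.log), merges them into one local-time timeline, and buckets the flagged paths the way a responder would read them: files dropped into a Temp directory, a DLL planted in system32, and the system process that made the blocked DNS request. The log lines are re-typed here with straight quotes as constructed sample input; the bucket names, the `Event` type and all function names are this example's own.

```python
"""Merge Avast Warning-log detections and Network Shield blocks into one timeline."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the lines quoted in the post, with straight quotes.
AVAST_WARNING_LOG = r"""
12/1/2008 5:05:25 PM 1228179925 SYSTEM 1256 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
12/3/2008 6:38:45 PM 1228358325 SYSTEM 1476 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\DOCUME~1\DAVEXN~1\LOCALS~1\Temp\sxnaomwerc.tmp" file.
12/3/2008 6:52:10 PM 1228359130 SYSTEM 1476 Sign of "Win32:Agent-HYD [trj]" has been found in "F:\DOCUME~1\DAVEXN~1\LOCALS~1\Temp\wrncsoexam.tmp" file.
12/3/2008 6:52:13 PM 1228359133 SYSTEM 1476 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\DOCUME~1\DAVEXN~1\LOCALS~1\Temp\winvsnet.tmp" file.
12/3/2008 6:52:18 PM 1228359138 SYSTEM 1476 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "F:\WINDOWS\system32\ssqOEUoL.dll" file.
12/3/2008 6:52:23 PM 1228359143 SYSTEM 1476 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Temp\uVN23L.exe" file.
12/3/2008 6:52:29 PM 1228359149 SYSTEM 1476 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\DOCUME~1\DAVEXN~1\LOCALS~1\Temp\winvsnet.tmp" file.
"""

NSHIELD_LOG = r"""
03.12.2008 18:47:21 Network Shield: blocked access to malicious site dns://powerfulvirusremover2008.com [ F:\WINDOWS\system32\svchost.exe ]
"""

# Only "Sign of ... has been found" lines carry a detection; update-failure lines are skipped.
DETECTION_RE = re.compile(
    r'^(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<epoch>\d+) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of "(?P<signature>[^"]+)" has been found in '
    r'"(?P<path>[^"]+)" file\.$'
)
NSHIELD_RE = re.compile(
    r'^(?P<stamp>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) Network Shield: blocked access to '
    r'malicious site (?P<target>\S+) \[ (?P<process>.+?) \]$'
)


@dataclass(frozen=True)
class Event:
    when: datetime   # local time exactly as written in the log
    source: str      # "warning" (file detection) or "nshield" (blocked network request)
    detail: str      # signature name, or the blocked target
    path: str        # flagged file, or the process that made the request
    category: str    # triage bucket from classify_path()


def classify_path(path: str) -> str:
    """Bucket a path by where it sits on disk (bucket names are this example's own)."""
    p = path.lower()
    if "\\temp\\" in p or p.endswith(".tmp"):
        return "temp-drop"       # payloads staged in a Temp directory
    if "\\system32\\" in p and p.endswith(".dll"):
        return "system-dll"      # DLL planted in system32: check load points for it
    if "\\system32\\" in p:
        return "system-binary"   # a legitimate OS binary, e.g. svchost.exe, acting on behalf of something
    return "other"


def parse_warning_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M:%S %p")
        events.append(Event(when, "warning", m["signature"], m["path"], classify_path(m["path"])))
    return events


def parse_nshield_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = NSHIELD_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m["stamp"], "%d.%m.%Y %H:%M:%S")
        events.append(Event(when, "nshield", m["target"], m["process"], classify_path(m["process"])))
    return events


def build_timeline(warning_text: str, nshield_text: str) -> list[Event]:
    """Both logs are written in the same local time, so they sort together once parsed."""
    return sorted(parse_warning_log(warning_text) + parse_nshield_log(nshield_text), key=lambda e: e.when)


def triage_summary(events: list[Event]) -> dict:
    """Unique paths per bucket plus the length of the activity window in seconds."""
    buckets: dict[str, set] = {}
    for e in events:
        buckets.setdefault(e.category, set()).add(e.path)
    window = (events[-1].when - events[0].when).total_seconds() if events else 0
    return {"count": len(events), "window_seconds": window,
            "buckets": {k: sorted(v) for k, v in buckets.items()}}


if __name__ == "__main__":
    timeline = build_timeline(AVAST_WARNING_LOG, NSHIELD_LOG)
    for e in timeline:
        print(f"{e.when:%Y-%m-%d %H:%M:%S}  {e.source:8} {e.category:14} {e.detail}  <- {e.path}")
    print(triage_summary(timeline))
```

Run stand-alone it prints the merged timeline; the Network Shield block at 18:47:21 lands between the first Temp detection at 18:38:45 and the burst at 18:52, and the whole window is under 14 minutes. The bucketed paths are what to carry into the offline scan from the clean partition: the Temp drops and the system32 DLL are the files to hash and look up, and any load point that references that DLL is the persistence to remove.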