IGFXDPR32.EXE, very stubborn rootkit

I found this malware yesterday. It kills the Avira service, effectively disabling it. Later I formatted my C partition, reinstalled my operating system (Windows XP), and installed Avast with the latest update.

http://img525.imageshack.us/img525/9523/avastq.png

Avast sometimes detects it as a rootkit, but in most cases Avast doesn't recognize it at all, even if I manually scan it and increase the heuristic level to maximum.

It can place itself under the system32 directory and create a startup entry in HKEY_LOCAL_MACHINE, although I am just using a limited user. It marks itself as "Intel Display Manager" in the startup entry (I currently have NO Intel device at all).

I've tried to boot into my Ubuntu Linux OS and delete it from there. It appears again right after Windows startup, which means there's another one lurking inside my system.

I've checked my services and driver entries using ServiWin, and found nothing suspicious. Please help, I don't know how to remove it. I'll send the EXE if needed.
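A check for the persistence pattern described in this post, added here as an example and not part of the thread: it walks the Run keys, resolves each command to a file, and flags entries whose binary sits in system32 without a valid Authenticode signature, or whose display name claims a vendor (the "Intel" naming seen above) that the signer does not match. The key list and the vendor-name heuristic are my assumptions; run it in PowerShell on the machine being checked.

```powershell
# Added example, not from the thread. Autostart keys to inspect (assumed list).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$system32 = Join-Path $env:SystemRoot 'system32'

function Get-AutostartPath {
    param([string]$Command)
    # Strip quotes and arguments: "C:\path\file.exe" /arg  ->  C:\path\file.exe
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-SuspiciousAutostarts {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* provider properties; the rest are the value names shown in the Run key.
        $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                 Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $path = Get-AutostartPath $props.$name
            $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            $valid  = ($sig -ne $null -and $sig.Status -eq 'Valid')
            $signer = if ($valid) { $sig.SignerCertificate.Subject } else { '<unsigned or missing>' }
            $flags = @()
            # Pattern from the post: an unsigned binary dropped into system32 and started from Run.
            if ($path -like "$system32\*" -and -not $valid) { $flags += 'unsigned-in-system32' }
            # Display name claims Intel, but no valid Intel signature on the file (assumed heuristic).
            if ($name -match 'Intel' -and $signer -notmatch 'Intel') { $flags += 'vendor-name-mismatch' }
            [pscustomobject]@{ Key = $key; Name = $name; Path = $path; Signer = $signer; Flags = ($flags -join ',') }
        }
    }
}

Get-SuspiciousAutostarts | Format-Table -AutoSize
```

Entries with an empty Flags column are not proven clean; the output is a starting point for the OTL and MBAM logs the helpers ask for below.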

I'll send the EXE if needed.
Upload the exe to www.virustotal.com and test it with 43 malware scanners. When you have the result, copy the URL in the address bar and post it here.

Follow this guide from our expert malware remover Essexboy, and post the logs here:
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the Malwarebytes scan log)

Essexboy will be notified when you have posted the logs.

Prevx file info - “IGFXDPR32.EXE” - Cloaked Malware
http://www.prevx.com/filenames/X2798402690131367639-X1/IGFXDPR32.EXE.html

This is just a Google search on the file name, so it does not have to be the exact same file.

Here's the link from virustotal.com:
http://www.virustotal.com/file-scan/report.html?id=440fcb1c1eb7211fd4368230ee40b536cf046d166028c445435e3a2a960af3d6-1292817569

Maybe I'll just wait for an Avast update to recognize it. Thank you.

Thank you for providing the VT link and results.

Question: When you first got the pop-up alert from Avast, was the "action" you took "delete" instead of "send to Virus Chest"?

Check the information in the first post of this thread under Virus/Worms to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining an MBAM log (make sure you update MBAM first) and the OTL logs (save them as ANSI and not Unicode). When the OTL scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. Post the MBAM log here and the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

Essexboy will review your logs and give you further instructions; however, he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Let us know if you have any questions. Thank you.

My copy of Avast automatically updated its virus definitions about an hour ago. It's now able to detect and clean that malware. Thank you, that was so fast :)

But I’ll try MBAM in case of future infection. Once again, thanks.

But I'll try MBAM in case of future infection. Once again, thanks.
Remember to update it before you run it, and if anything is detected you may post the scan log here.

It seems that the malware is polymorphic. Avast clearly detected and cleaned the last infection. Minutes later, it appeared again at the same location with a new name, igfxdxr32.exe. Yet Avast is now unable to detect it. I can copy and access the file without any warning at all from Avast.

I uploaded the new sample to VT:
http://www.virustotal.com/file-scan/report.html?id=8be901f06ceb3e41cec054da3fc52de93811d4876e77d5ed18f840ba73d80b22-1292845294

@Pondus, I’ll send this new sample to your email soon.

I'm currently downloading MBAM; I currently have only a 64K connection, so it'll take a while. I'll try it and post the result soon.

Thank you

Well, it looks as if you have something more in there that makes it come back.
Let's see if Malwarebytes is able to fix it.

These rootkits are often difficult to remove, and that is where Essexboy and his magic tools do wonderful work. If you post the logs, he can see if everything is removed, and if not he will fix it.

Sample sent to Avast ;)

The file is detected by Malwarebytes as Malware.PGen.