Malware identified and then hidden again

Hi,

Over the last three days, I’ve received two blue screens of death (BSOD). After the second one, I began to investigate what was wrong.

I used ‘BlueScreenView’ to give me a log of what was causing the BSOD.

Then I tried to scan the drivers causing the BSODs using the ‘Virus Total’ website. The only problem was I couldn’t locate the driver when I was using the site.

Then I went through Windows Explorer and found the driver exactly where it should be. I used Avast free software to scan it and sure enough it came back and told me it was malware.

I stopped at this point because I was unfamiliar with the options and was afraid to damage the computer because of the driver the malware has attached itself to.

The driver is win32k.sys within Windows 7. When I’ve googled the driver, various people have warned against tampering with the file; as one user put it, it is ‘the heart of Windows’.

In the meantime, I called a friend more knowledgeable than myself to help. But we reached the conclusion I was as well off to proceed slowly.

Finally, I googled the ‘move to chest’ option and was happy that it seemed like if I screwed up, it wasn’t permanent.

So I selected the ‘move to chest’ option and Avast gave me an error message, saying that it was the wrong directory, path or file (I didn’t copy the message down).

I closed the window and went to scan the driver again with Avast, and now it tells me the driver is clean and can’t find any problems. However, I went back to find the driver again with ‘Virus Total’ and I can’t, as it’s still hidden.

Between when Avast found the malware and when I finally pressed ‘apply’ for ‘move to chest’ was roughly 1 hour.

It would seem to me that in that time, the malware has hidden itself from Avast.

Can anyone recommend what the next step I should take should be?

Thanks

If you know where the file is… you can add it to the virus chest manually (it will only be a copy).
Then you right click the file in the chest and upload it to the avast lab as a possible false positive.
Add a link to this topic in case they want to reply here.

Moving files to chest
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1406#idt_03

Submitting files from chest to avast lab
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1406#idt_07

If you want a check for infection, follow this guide and attach the logs… not copy and paste:
http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

Thanks for that Pondus,

I tried what you suggested in your first reply to upload it into the ‘Chest’. But the same problem I was running into earlier reoccurred, which was that I couldn’t find the file, like it was hidden. I attached the two jpeg screen prints of what I am seeing to illustrate this.

Is the fact the file is hidden from me, what the problem is or is just a symptom of the problem that I am fixating on?

I am going to follow the steps you suggested in your second reply, which I hope will solve the problem.

Thanks again

hi ESLR,

A workaround that one might do without affecting the operation of your system is to copy/paste a copy of the win32k.sys file onto your desktop temporarily, and also change your file attributes to ‘show hidden and system files’ using ‘Folder Options’ (under Control Panel in XP; likely the same for Win7, but ‘show protected system files’ may need to be enabled as well).

Then the upload to Virus Total dot com should become possible.

Really, though, the scanning and attaching of the logs would seem more important at the moment.
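The workaround above, worked through as an added PowerShell example that is not part of the thread: it locates the hidden/system copy of win32k.sys, prints a SHA-256 that can be searched on VirusTotal instead of uploading the file, asks Windows Resource Protection whether the file matches the component store, and copies it to the desktop for manual submission. It assumes the stock Windows 7 path and an elevated prompt for the sfc step.

```powershell
# Added example, not from the thread. Assumes the default Windows 7 location of win32k.sys.
$path = Join-Path $env:SystemRoot 'System32\win32k.sys'

# -Force returns files carrying the Hidden/System attributes, which Explorer and the
# browser's upload dialog skip unless 'show protected operating system files' is enabled.
$file = Get-Item -LiteralPath $path -Force
"Path:       $($file.FullName)"
"Size:       $($file.Length) bytes"
"Modified:   $($file.LastWriteTime)"
"Attributes: $($file.Attributes)"

# SHA-256 through .NET so it also runs on the PowerShell 2.0 that ships with Windows 7
# (Get-FileHash only appeared in PowerShell 4.0).
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($file.FullName)
try     { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $stream.Close() }
"SHA-256:    $hash"   # searching VirusTotal for this hash avoids uploading the file at all

# Windows system files are catalog-signed, so Get-AuthenticodeSignature can report
# 'NotSigned' on Windows 7 even for a genuine file. Windows Resource Protection compares
# the file against the protected component store instead (needs an elevated prompt).
& sfc.exe "/verifyfile=$($file.FullName)"

# Copy to the desktop for manual submission to the chest or to VirusTotal, as suggested above.
$dest = Join-Path $env:USERPROFILE 'Desktop\win32k.sys.copy'
Copy-Item -LiteralPath $file.FullName -Destination $dest -Force
"Copied to:  $dest"
```

If sfc reports an integrity violation for this file, that is the finding worth attaching to the thread alongside the scan logs.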

Thanks for that Mchain

Here are the logs. I stopped once I got to the Specific Infection Logs (was I supposed to continue?)

Nothing showed up to be cleaned except in the Malwarebytes scan, and even then there was very little.

What are the next steps?

Thank you all for your help.

I would like to take a different look at the MBR first before I proceed.

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.

[*] Quit all programs.
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan.

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.

Thanks for that essex boy.

Sorry but now what do I do?

I am quickly realizing I am very much a newbie in trying to solve this problem.

Thank all of you for all your help.

Essexboy will have to get back and check your log as I presume that he is talking about checking the ¤¤¤ MBR Check: ¤¤¤ section in your log.

Unfortunately he is off-line right now and it is 11:33pm in the UK, so I think he may be off-line for the night.

OK, the MBR is good, so let’s now check out win32k for infection.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*] Double click on ComboFix.exe & follow the prompts.
[*] Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*] When finished, it shall produce a log for you.
[*] Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Thanks Essexboy

I did as you said, but I mistakenly didn’t turn off Windows Defender (do I need to start the process over and re-do it?)

FWIW, here’s the log.

Thanks again for your help

Thought I should attach these logs as well.

Thanks

That reports win32k as good as well… Are you experiencing any problems?