Possible new malware/trojan

When I looked with TuneUp Process Manager, a dubious process was running, xxyvsQJB.dll, launched with rundll32.exe. It was started by Task Scheduler and ran every 10 minutes. I included in the zip file the Scheduler file, the memory dump made with CE and the memory disassembly. No registry entries or anything of the sort.

hxxp://www.wraymogg.ro/Suspect_vir.zip

Regards

P.S. Edit: I DID scan with the latest updated AVAST.

Please edit the link to hxxp: so other users cannot download the virus ("the suspect").

OK, I edited it to hxxp. I will keep the link up for 1 month; I presume that is enough.

Regards

Hi wraymogg,

This is a rootkit driver that is added by Troj/Bckdr-QJB, a Trojan.

Troj/Bckdr-QJB is a Trojan for the Windows platform.

A characteristic of the Trojan is that it installs itself in the registry.

When run Troj/Bckdr-QJB creates the files:

\drivers\zvaeypeb.sys - detected as Troj/Bckdr-QJB
\zvaeypeb.dll - detected as Troj/Bckdr-QJB

The file zvaeypeb.sys is a kernel rootkit driver which is registered as a new system driver service named “yvaeypeb”, with a display name of “yvaeypeb” and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\yvaeypeb

The file zvaeypeb.dll is registered as a new service named “zvaeypeb”. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\zvaeypeb
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YVAEYPEB\

Troj/Bckdr-QJB also runs as a separate service process by hooking onto the Windows system process svchost.exe.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
zvaeypeb

Look here: http://www.bleepingcomputer.com/startups/yvaeypeb-19503.html

polonus
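An added example, not code from the thread or from any vendor write-up: a small Python triage script that parses an offline `reg export` of the Services and SvcHost keys and flags the persistence pattern polonus describes: an auto-start kernel driver that is not in a baseline, a svchost-hosted service whose ServiceDll lives outside System32, and a SvcHost group entry naming a service the baseline does not know. The embedded registry text is constructed for the example; the exact ImagePath/ServiceDll paths, the svchost group name and the BASELINE set are assumptions, not taken from the sample in the zip.

```python
import re

# Constructed sample of a `reg export` of the two keys named in the thread: one
# legitimate driver (Disk) plus entries shaped like the ones Troj/Bckdr-QJB is
# described as creating. The exact paths, the svchost group name and the
# baseline set below are assumptions made for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,64,00,69,00,73,00,6b,00,2e,00,73,00,\
  79,00,73,00,00,00
"DisplayName"="Disk Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yvaeypeb]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\zvaeypeb.sys"
"DisplayName"="yvaeypeb"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zvaeypeb]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k zvaeypeb"
"DisplayName"="zvaeypeb"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zvaeypeb\Parameters]
"ServiceDll"="%SystemRoot%\\zvaeypeb.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):44,00,68,00,63,00,70,00,00,00,00,00
"zvaeypeb"=hex(7):7a,00,76,00,61,00,65,00,79,00,70,00,65,00,62,00,00,00,00,00
"""

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SVCHOST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START = 0x1, 2   # Type bit / Start value
BASELINE = {"Disk", "Dhcp"}   # constructed allow-list; diff against a clean box in practice

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"'):                        # REG_SZ, with \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)    # hex(2)=EXPAND_SZ, hex(7)=MULTI_SZ
    if m:
        data = bytes.fromhex(m.group(2).replace(",", "").replace(" ", ""))
        kind = int(m.group(1) or 3)                 # bare "hex:" is REG_BINARY
        if kind == 2:
            return data.decode("utf-16-le").rstrip("\x00")
        if kind == 7:
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    return raw


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}."""
    keys, current, buf = {}, None, ""
    for line in text.splitlines():
        line = buf + line.strip()
        if line.endswith("\\"):                     # hex value continued on next line
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][re.sub(r"\\(.)", r"\1", m.group(1))] = _decode(m.group(2))
    return keys


def triage(text, baseline=BASELINE):
    """Return (service, reason) findings for the persistence pattern in the thread."""
    keys = parse_reg(text)
    findings = []
    for path, vals in keys.items():
        head, _, name = path.partition(SERVICES + "\\")
        if head or "\\" in name or name in baseline:    # only top-level, unknown services
            continue
        image = str(vals.get("ImagePath", "")).lower()
        if vals.get("Type", 0) & SERVICE_KERNEL_DRIVER and vals.get("Start") == SERVICE_AUTO_START:
            findings.append((name, "auto-start kernel driver outside baseline: " + image))
        if "svchost.exe" in image:                      # hosted DLL lives in Parameters\ServiceDll
            dll = str(keys.get(path + "\\Parameters", {}).get("ServiceDll", "")).lower()
            if "\\system32\\" not in dll:
                findings.append((name, "svchost-hosted service with ServiceDll outside System32: " + dll))
    for group, members in keys.get(SVCHOST, {}).items():
        for member in (members if isinstance(members, list) else []):
            if member not in baseline:
                findings.append((member, f"named in SvcHost group '{group}' but not in baseline"))
    return findings


if __name__ == "__main__":
    for service, reason in triage(SAMPLE_REG):
        print(f"{service}: {reason}")
```

On a real machine, export the two keys with `reg export` and read the files with `open(path, encoding="utf-16")`, since reg.exe writes UTF-16LE with a BOM; build BASELINE from the same export taken on a known-clean box of the same Windows build rather than from the short list above.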

Analysis of the zip file found no trace of rootkit or malware… :wink: