Request help cleaning malware-gen

System is Windows XP Pro, 32-bit, SP3 is up to date.

Avast caught an infected file that I believe originated in a zipped archive. It was several days ago so I’m not positive, but as I recall I first told Avast to clean the file, and when it could not I told it to delete the file. I followed this with a quick scan and found nothing, so I assumed the problem was contained. Yesterday I thought it might be good to do a complete system scan as a follow-up, and when I did Avast found more infected files. It couldn’t clean or delete the first one found, and suggested I do a boot-up scan instead. That’s what I did, but Avast found dozens of infected files. At first I again tried to clean, and when that didn’t work I told it to delete. This went on at a slow pace, but after a while I became concerned about deleting all of them since they appeared to be system related. I decided to cancel the scan by powering down the computer and came here to see if I could find more information.

Now I’m unsure whether I should have let Avast continue deleting or whether it would be better to stop and follow the standard directions that have been posted in this forum. I decided to follow directions for a computer that won’t boot, even though I wasn’t sure that was the case. I was afraid if I did try to boot it that the infection would spread. So I downloaded LTLPE and FRST. (Attached is FRST.txt.)

My question is what I should do next. Thanks in advance for any assistance.

JG

Hi,

FRST doesn’t show malware. We need to investigate from the active system.

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

* When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop and attach DDS.txt and Attach.txt to your next reply.

Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool.

* Select Yes if prompted to download the Avast database.
* Click Scan.
* Upon completion of the scan (Scan finished successfully), click Save log, save it to your desktop, and post that log in your next reply for review.

Fourth attempt: After posting my reply for the third time, the system told me that I had already submitted it. It had previously told me that I had a bad captcha code and made me write it again from the beginning. I looked at the list of posts, refreshed, but didn’t see mine, so here it is again.

The quick response to my initial question was unexpected but much appreciated! Here are the files you requested.

Thanks again for your trouble.

JG

Hi,

Is your computer a member of some domain, and do you have a DHCP server on the router or via Windows Server through a role > scope?

Please download zoek.exe and save it to your desktop.

* Close any open browsers.

* Temporarily disable your antivirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

* Double click on zoek.exe to run the tool.
Please wait until the tool starts…

* Copy the text present inside the code box below and paste it into the large window in the zoek tool:

d:\winxp\system32\drivers\nlem32nt.sys;i
startupall;
filesrcm;
FFdefaults;
autoclean;

* Click on the Run script button.
Please wait until a log report opens (this can be after reboot).

* Save the Notepad file to your desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named “zoek-results.log”.

I should have mentioned that the DHCP situation had nothing to do with the virus. The DHCP server was misconfigured, and gave my computer’s ip address to someone else. My computer runs a static IP address, and that was the source of the conflict/errors you saw.

I’ll proceed now with your most recent instructions.

Thanks,
JG

That little script did a lot of work. Someone did a nice job of it.

Here is the log. It looks like the patient is better. If so, can you point me to something that might explain how I picked up this thing? I really don’t know what I did that activated it.

Thanks again for your help, and I’ll be standing by in case this isn’t everything.

JG

I became concerned about deleting all of them since they appeared to be system related.
Clean, Quarantine, or Delete? http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

I can’t see zoek logs. :) Without logs, I’m blind. :)

Sorry about that–I can’t believe I forgot to attach it, but here it is.

JG

Re-run zoek.exe as you did before but use this script:

nlem32nt.sys;z
filesrcm;
startupall;
emptyalltemp;

Click on RunScript. Attach here fresh zoek log.

Here is the log file from the second script.

Thanks,
JG

That pretty well encapsulates the question, and it’s one that’s made me scratch my head for several years, every time I found myself with an infected computer. And like the article says, it’s not something that can be answered ahead of knowing the particular situation.

However, I think I didn’t state my question very well because I was looking for a description of the function of this particular virus/trojan. I was thinking that if I knew how it worked I might understand what I may have done to unleash the thing. I’ve heavily used the Internet for several years without attracting an infection until this one. I did that primarily by knowing what was safe to do and what wasn’t. But that seems to be changing. If I’m not mistaken this virus was activated on my computer when I extracted a compressed file from a zip file.

Thanks,
JG

Magna86, I believe that I have posted what you requested, and am hoping that you will have a chance to take a look at it. As things stand I’m not sure whether I’ve completed the work that needs to be done to be rid of the malware-gen infection.

I very much appreciate the help you’ve already provided, but on my own I don’t know what my next step should be.

Thanks,
JG

Hi,
I don’t see any malware here. Your PC is clean.

Do you have those logs?
C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt

Attach the avast logs here so we can see what is detected.
I do not know what avast has detected (with no logs), but probably nothing dangerous.
My guess is that avast just detects some system restore images and then makes some random heuristic detection, and that is what you saw.

magna86, I’m so glad to see you again! I thought you might have had other business today.

When you ask if I have the logs, C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt , do I need to do anything to generate them, or should I use whatever I find in that location?

You may recall that you had asked for logs from a second run of zoek.exe yesterday that I managed to supply on a second attempt. I was looking through it and wondered if this was a concern.

==== Suspicious Entries Found ======================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9322:TCP"="9322:TCP:*:Enabled:EKDiscovery"
"5353:UDP"="5353:UDP:*:Enabled:Bonjour Port 5353"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"5985:TCP"="5985:TCP:*:Disabled:Windows Remote Management "
"80:TCP"="80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In) "

It also contained a long list of “other files” that I believe are where the infection may have originated.

Thanks for your help. I hope I don’t sound overly anxious, it’s just that I have a lot of important information stored on the computer in question. I admit that I’ll feel much relieved when I know it’s safe again.

JG

zoek only warns me (helpers) about possible exploit ports. Those entries are legit and not malware-related.

Run Malwarebytes scan for additional check and just to calm you. ;D

http://forum.avast.com/index.php?topic=53253.0

Once again I owe many thanks to you, magna86. I ran Malwarebytes and although it took over three hours to complete, it flagged over forty items. Most of these were so-called “PUPs” which I legitimately use in my work, but it also found several instances of Trojan.VBKrypt and deleted them all.

As a point of interest I was going to see if Avast had flagged these same files, but after searching for about a half hour I could find no reference telling me where Avast puts scan logs. There are plenty of references to their existence and how long they are kept, but even the help file only explains what they are, nothing on how you might see them.

At any rate my computer is probably cleaner now than it was when it was new. You’ve been a great help throughout–I hate to think how long it might have taken me to get through all of this on my own.

Best regards,
JG