Virus/trojan keeps re-appearing

Dear All

This wino.sys appeared on my computer inside China; the place I got it is www.eefoo.com/quotes/quote.asp, a Chinese website that shows real-time Chinese stock prices.

As I turned off the automatic reboot function, my computer does not reboot again and again. But this wino.sys does reduce the speed of the computer, such as opening files and calculation using SigmaPlot. When the computer starts, the virus creates ett4xym4.dll in WINDOWS\Temp, sometimes in local settings\ . . .\temp.

Now wino.sys certainly and effectively affects the X509 function, which I found in the folder sun/security/, but I could not find this folder.

Now I have zipped this ett4xym4.dll as ett4xym4.zip, could anyone please analyze this file to determine how to delete this virus.

Many thanks for your great help, and meanwhile I will try to send this zip file to Avast.

WG

Dear All

This terrible wino.sys is still active in the computer and no anti-virus software can delete it. Today it creates fs7.dll in WINDOWS\Temp, and mstscex.dll and mstscs.exe in WINDOWS\system32.

This virus is eating the computer resources, which leaves me unable to open files and even Task Manager. The avast scan is effectively blocked to some degree because there is no memory to scan.

I made a fake ett4xym4.dll in WINDOWS\Temp, which only blocked one occurrence of wino.sys.

Has anyone else made some progress?

All the best

WG

Did you try?

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Use a-squared, ewido or Spyware Terminator (trojan removers).

Dear Mr Tech

System Restore was completely disabled 1.5 years ago when I read Stephen Hawking’s book The Theory of Everything, where he mentioned the website www.murphy-laws.com, from which my computer was heavily contaminated by a virus, and the then-avast detected the virus in System Restore.

The other two measures have been taken, but the same as for hhichijo, there is no positive result.

The last measure does make the system very unstable, as stated by avast: the use of two anti-virus software packages makes the operating system unstable, with unpredictable consequences. Also, hhichijo had shown no results, so I did not take this measure.

However, I used Anuraag anti-virus to check the boot sector in hard disk.

Have a good weekend

WG

All three of those applications are NOT antivirus.
They’re fully compatible with avast and are on my system right now. You don’t have to use their ‘resident’ part if you don’t want to. Even if you do, no problem.
For ewido, note that ewido anti-spyware can be used as a supplement for existing protection systems under Windows 2000 and XP to protect you also against the latest threats. That’s why ewido anti-spyware also works with all current anti-virus programs and firewalls. http://www.ewido.net/en/compatibility/

If you run Ewido from safe mode there won’t be two AVs running as in safe mode avast won’t be running (along with lots of other stuff) until you start it. So if you didn’t try it from safe mode try that.

Even though Ewido and avast are compatible, I always pause the Standard Shield when I run another security-based scan such as ewido, adaware, etc. Whilst this isn’t required, it stops duplicate scanning: as the other scanner opens files to scan them, this triggers avast to do the same. This also avoids the occasion where both scanners could detect the same malware and possibly clash, and it also stops one scanner (avast) detecting the signatures in the other scanner. The overall effect is that the scan duration is shorter, as only one scanner is at work and duplicate scanning is reduced.

Dear Mr Tech & David

Many thanks for your suggestions, I downloaded these three software packages, and tried them one by one.

Although they made my computer much cleaner, sadly the wino.sys is still alive. What can I do? I really do not want to format all the disks and reinstall everything again.

In fact, until now it is only avast that finds this wino.sys.

Regards

WG

I did a google search for wino.sys and it returns a few hits, this topic being one of them. The others look like the language is Simplified Chinese. I don’t know what language or where you live, but this seems only to affect that region. There are Translation links in the google returns if you need them.

A couple of the returns also mention VAnti.sys in relation to this, so it might be worth trying to find this file on your system and doing a google search for it also and see what that brings.
If the translation is limited you can also try the http://babelfish.altavista.com/ translation service.

Google seems to think it’s Japanese. I wonder if Trend Micro might be worth a try?

As this seems to be something new, maybe they might have the edge, being in the area?

They have an online scanner which removes malware:

http://housecall.trendmicro.com/

and the excellent Sysclean stand-alone scanner:

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

As this appears to be something quite recent, it might be worth trying the CPR virus definitions file:

A Controlled Pattern File Release (CPR) is a pre-release version of a Trend Micro virus protection database. It is a fully tested, manually downloadable pattern file, designed to provide customers with advanced protection against the latest computer viruses and to serve as an emergency patch during a virus threat or outbreak.

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

I just saw the ?s and assumed Chinese and one that I checked did translate using simplified Chinese.

I’ve done some more googling on VAnti.sys; it seems to be related to wino.sys, and one result suggests that VAnti.sys might be part of a rootkit. So this might account for it not being found.

Dear David

My google search indicates three Chinese, one Japanese and one English, which are similar to the search I did one week ago.

The Chinese version only asks for help.

I am particularly interested in whether or not the engineers in avast are working to kill this wino.sys

Best wishes

WG

Hi WD ( & possibly hhichijo ) :

Since what you have MAY be hidden by a rootkit, it would seem wise to have some antiROOTKIT Experts check your computer !? The best forum for that is located :

http://www.castlecops.com/f233-Rootkit_Revelations.html

This is an example of their Instructions :

"To get started, I would like you to download the following five programs to your computer:

RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
Hook Analyzer: http://www.resplendence.com/hookanalyzer
gmer: http://www.gmer.net/
Blacklight: http://www.f-secure.com/blacklight/
Sophos Anti-Rootkit: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Initially, we will only use the first three programs that you have downloaded. I would like you to run the first three programs in the following sequence:

  1. RootkitRevealer: RootkitRevealer will scan your system and provide a report. Please take a screen shot of that report and post it in this thread.

  2. Hook Analyzer: Hook Analyzer will also do a scan. Please check the button at the bottom that says “Show hooked services only”. Again, please take a screenshot of the results of this scan and post it in this thread.

  3. gmer: Next, run gmer. The 5th tab is labeled “Rootkit”. Please post a screen shot of that tab as well.

Now stop. Post the screen shots from these three programs before going on.

We will want to see those results before doing anything else. If you have any questions about these instructions, please post before doing anything further.

In addition, can you please post how you connect to the Internet, and if you use a hardware router/firewall. "

Dear Spiritsongs

Many thanks for your great help!

Following your instruction, I did what you suggested. Please kindly find the pasted results, hopefully the problem can be solved soon.

http://

http://

http://

I use an ADSL to connect with internet, use Windows XP with firewall and without hardware router.

Again, thanks for your help.

All the best

WG

Dear Spiritsongs

How can I send the results?

WG

Dear Spiritsongs

The following is the result of RootkitRevealer in txt format

HKLM\SYSTEM\ControlSet001\Services\Remote Procedure Call 2006-8-28 13:15 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\Remote Procedure Call 2006-8-28 13:15 0 bytes Hidden from Windows API.
C:\WINDOWS\nt_Server2006.DLL 2006-8-28 13:15 678.50 KB Hidden from Windows API.
C:\WINDOWS\nt_Server2006.exe 2006-8-22 6:20 380.00 KB Hidden from Windows API.
C:\WINDOWS\nt_Server2006Key.DLL 2006-8-28 13:15 60.00 KB Hidden from Windows API.

The following is the result of RootKit Hook Analyzer in txt format

Index Service name Address Module Hooked
122 NtOpenProcess/ZwOpenProcess 0xF9C208AC guard.sys YES

The following is the result of Gmer in txt format

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-28 14:48:09
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.10 ----

Type Name Value
SSDT ??\d:\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT ??\d:\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
INT 0x63 ? FEAF4C3C
INT 0x71 ? FEADFDD4
INT 0x73 ? FEB05C8C
INT 0x92 ? FEADFB64
INT 0x93 ? FEAE10B4
INT 0xA4 ? FEAECDD4
INT 0xB2 ? FEADF64C
INT 0xB4 ? FEAF0DD4

---- Processes - GMER 1.0.10 ----

Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 200 ← ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\WINDOWS\nt_Server2006.DLL
File C:\WINDOWS\nt_Server2006.exe ← ROOTKIT !!!
File C:\WINDOWS\nt_Server2006Key.DLL
File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log
File E:\System Volume Information\MountPointManagerRemoteDatabase
File E:\System Volume Information\tracking.log
File F:\System Volume Information\MountPointManagerRemoteDatabase
File F:\System Volume Information\tracking.log
File G:\System Volume Information\MountPointManagerRemoteDatabase
File G:\System Volume Information\tracking.log
File H:\System Volume Information\MountPointManagerRemoteDatabase
File H:\System Volume Information\tracking.log

---- Services - GMER 1.0.10 ----

Service C:\WINDOWS\nt_Server2006.exe [AUTO] Remote Procedure Call ← ROOTKIT !!!

---- EOF - GMER 1.0.10 ----

Hopefully, you can tell me what to do next.

Thanks

WG
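As an added illustration (not part of this thread or of any of the tools named in it), the following Python script reads the two kinds of output pasted above and reports only the entries on which both tools agree: a service that GMER flags as ROOTKIT and whose registry key and image file RootkitRevealer both reports as "Hidden from Windows API". The embedded sample lines are constructed from the thread's own pasted output, abbreviated to the rows that matter.

```python
import re

# Constructed sample lines modelled on the RootkitRevealer and GMER output pasted
# above (abbreviated: the hidden service key, hidden files and the flagged service).
ROOTKITREVEALER_LOG = r"""
HKLM\SYSTEM\ControlSet001\Services\Remote Procedure Call 2006-8-28 13:15 0 bytes Hidden from Windows API.
C:\WINDOWS\nt_Server2006.DLL 2006-8-28 13:15 678.50 KB Hidden from Windows API.
C:\WINDOWS\nt_Server2006.exe 2006-8-22 6:20 380.00 KB Hidden from Windows API.
"""
GMER_LOG = r"""
SSDT ??\d:\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
File C:\WINDOWS\nt_Server2006.exe ← ROOTKIT !!!
Service C:\WINDOWS\nt_Server2006.exe [AUTO] Remote Procedure Call ← ROOTKIT !!!
"""

# RootkitRevealer row: "<path> <date> <time> <size> <description>"; the path may
# contain spaces, so it is matched non-greedily up to the date field.
RR_ROW = re.compile(r"^(?P<path>.+?) (?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<time>\d{1,2}:\d{2}) "
                    r"(?P<size>[\d.]+ (?:bytes|KB|MB)) (?P<desc>.+)$")
# GMER service row: "Service <image path> [<start type>] <service name> ← ROOTKIT !!!"
GMER_SERVICE = re.compile(r"^Service (?P<image>.+?) \[(?P<start>\w+)\] (?P<name>.+?)(?: ←.*)?$")

def parse_rootkitrevealer(text):
    """Return {'files': [...], 'services': [...]} for rows hidden from the Windows API."""
    found = {"files": [], "services": []}
    for line in text.splitlines():
        m = RR_ROW.match(line.strip())
        if not m or "Hidden from Windows API" not in m["desc"]:
            continue
        parts = m["path"].split("\\")
        if parts[0].upper() in ("HKLM", "HKCU"):
            if "Services" in parts:  # HKLM\SYSTEM\...\Services\<service name>
                found["services"].append(parts[parts.index("Services") + 1])
        else:
            found["files"].append(m["path"].lower())
    return found

def correlate(rr_text, gmer_text):
    """List services that GMER flags AND whose registry key and image file RootkitRevealer
    both reports hidden, i.e. two independent tools agree on the same persistence point."""
    hidden = parse_rootkitrevealer(rr_text)
    confirmed = []
    for line in gmer_text.splitlines():
        m = GMER_SERVICE.match(line.strip())
        if m and "ROOTKIT" in line:
            image = m["image"].lower()
            if m["name"] in hidden["services"] and image in hidden["files"]:
                confirmed.append(f"{m['name']} -> {image} [{m['start']}]")
    return confirmed
```

The result is a short list of service-name/image-path pairs that a removal helper would want to see first; entries reported by only one tool (such as the ewido SSDT hooks) are left out rather than treated as findings.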

Hi WD :

I am NOT an antiROOTKIT Expert; my "Instructions" were to go to the Castlecops forum that I provided a link to and ask THEM. You will need to "register" there to get them to help you.
One note about "running" RootkitRevealer : just before running it, delete all your temporary internet files AND while it is "running", do NOT do anything on your computer. This helps to get more accurate results.

Dear all,

Sorry for not giving updates to my problem. I have been really busy with my work and I did not have time to work with my troubled PC lately.

As I mentioned in earlier posts, Avast is no longer detecting the virus although the computer still does the rebooting. I have read some of the minidump files generated when the computer reboots and it seems to point to a driver problem, although I have no idea which driver/device was causing this.

Is there a way to clean all the drivers (i.e. restore to a “clean” windows like it was just installed)??

In Start Menu > Control Panel > Administrative Tools > Events
On ‘System’ tab, look for ‘Errors’ and see if there is a description of the dump or the drive error and post here.

Well, sometimes, sometimes, overinstallation helps.
Overinstallation can solve the problem and you won’t lose your programs, settings, data, files, etc.
Just choose ‘Repair’ installation of Windows and install ‘over’ the old installation.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;315341
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314058
http://www.webtree.ca/windowsxp/repair_xp.htm

If you have a backup for your data, it is advised to format and do a clean installation.

I have actually tried the repair install but the problem remains. The following is a minidump file created at the time of the reboot.


*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: 80000004, The exception code that was not handled
Arg2: 804ddb15, The address that the exception occurred at
Arg3: f65a57c0, Trap Frame
Arg4: 00000000

Debugging Details:

ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload /f ntoskrnl.exe=FFFFFFFF804D5000,1F2700,3D6DE35C
ANALYSIS: kernel symbols have been forced reloaded due to unknown size.

EXCEPTION_CODE: (HRESULT) 0x80000004 (2147483652) - No such interface supported

FAULTING_IP:
nt!Dr_kite_a+16
804ddb15 0f21c3 mov ebx,dr0

TRAP_FRAME: f65a57c0 -- (.trap fffffffff65a57c0)
ErrCode = 00000000
eax=00000023 ebx=f65a5b3c ecx=0006fbd0 edx=7ffe0304 esi=7ffde000 edi=00030000
eip=804ddb15 esp=f65a5834 ebp=f65a5834 iopl=0 nv up di pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000002
nt!Dr_kite_a+0x16:
804ddb15 0f21c3 mov ebx,dr0
Resetting default scope

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: ctfmon.exe

LAST_CONTROL_TRANSFER: from bf879588 to 804ddb15

STACK_TEXT:
f65a5834 bf879588 bf839997 0006f8e0 804db140 nt!Dr_kite_a+0x16
WARNING: Stack unwind information not available. Following frames may be wrong.
f65a5854 e12ea1f0 00360036 e1353630 00000000 win32k+0x79588
f65a5858 00360036 e1353630 00000000 00000023 0xe12ea1f0
f65a585c e1353630 00000000 00000023 00000023 0x360036
f65a5860 00000000 00000023 00000023 7ffe0304 0xe1353630

STACK_COMMAND: kb

FOLLOWUP_IP:
win32k+79588
bf879588 ?? ???

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3d6de5e5

SYMBOL_NAME: win32k+79588

FAILURE_BUCKET_ID: 0x8E_win32k+79588

BUCKET_ID: 0x8E_win32k+79588

Followup: MachineOwner