Viruses detected

OS: Win XP Home SP3 32 bit
Avast 5.0.545 (Auto update)

A couple of days ago Avast prevented an “attack” on my computer with the real-time shield by JS:Jaderun-A [Expl], then VBS:Malware-Gen, then Win32:Malware-gen (within a 2-minute space). I have multiple files in my chest, including drivers which I need, especially the USB storage driver. Currently my computer is freezing once it gets to the desktop; I can open Avast and that still works, but explorer/taskbar/start menu etc. do not work for a while due to the disrupted startup processes, but eventually everything works fine.

Here is the extract from the Avast real-time scanner log:

  • Started on: Tuesday, June 15, 2010 5:59:25 PM

15/06/2010 8:07:57 PM C:\Documents and Settings\Dariusz\Local Settings\Temporary Internet Files\Content.IE5\IVUVU1YF\Applet1[1].htm [L] JS:Jaderun-A [Expl] (0)
File was successfully moved to chest…
15/06/2010 8:08:41 PM C:\Program Files\Mozilla Firefox\fjhdyfhsn.bat [L] VBS:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:35 PM C:\WINDOWS\system32\drivers\aec.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:36 PM C:\WINDOWS\system32\drivers\arp1394.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:36 PM C:\WINDOWS\system32\drivers\asyncmac.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:42 PM C:\WINDOWS\system32\drivers\atmarpc.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:43 PM C:\WINDOWS\system32\drivers\Cdaudio.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:43 PM C:\WINDOWS\system32\drivers\Changer.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:43 PM C:\WINDOWS\system32\drivers\dmusic.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:43 PM C:\WINDOWS\system32\drivers\drmkaud.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:43 PM C:\WINDOWS\system32\drivers\i2omgmt.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:43 PM C:\WINDOWS\system32\drivers\ip6fw.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:47 PM C:\WINDOWS\system32\drivers\ipfltdrv.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:47 PM C:\WINDOWS\system32\drivers\ipinip.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:49 PM C:\WINDOWS\system32\drivers\irenum.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:49 PM C:\WINDOWS\system32\drivers\lbrtfdc.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:49 PM C:\WINDOWS\system32\drivers\lusbfilt.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:49 PM C:\WINDOWS\system32\drivers\ma_cmidi.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:49 PM C:\WINDOWS\system32\drivers\Modem.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:50 PM C:\WINDOWS\system32\drivers\mskssrv.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:50 PM C:\WINDOWS\system32\drivers\mspclock.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:53 PM C:\WINDOWS\system32\drivers\mspqm.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:54 PM C:\WINDOWS\system32\drivers\nic1394.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:55 PM C:\WINDOWS\system32\drivers\nwlnkflt.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:56 PM C:\WINDOWS\system32\drivers\nwlnkfwd.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:56 PM C:\WINDOWS\system32\drivers\palmusbd.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:56 PM C:\WINDOWS\system32\drivers\PCIDump.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:56 PM C:\WINDOWS\system32\drivers\PDCOMP.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:56 PM C:\WINDOWS\system32\drivers\PDFRAME.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:56 PM C:\WINDOWS\system32\drivers\PDRELI.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:56 PM C:\WINDOWS\system32\drivers\PDRFRAME.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:56 PM C:\WINDOWS\system32\drivers\RDPWD.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:57 PM C:\WINDOWS\system32\drivers\rtenicxp.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:57 PM C:\program files\superantispyware\sasenum.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:57 PM C:\WINDOWS\system32\drivers\secdrv.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:09:59 PM C:\WINDOWS\system32\drivers\Sfloppy.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:00 PM C:\WINDOWS\system32\drivers\splitter.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:00 PM C:\WINDOWS\system32\drivers\swmidi.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:02 PM C:\WINDOWS\system32\drivers\TDPIPE.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:02 PM C:\WINDOWS\system32\drivers\TDTCP.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:02 PM C:\WINDOWS\system32\drivers\usbaapl.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:03 PM C:\WINDOWS\system32\drivers\usbaudio.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:03 PM C:\WINDOWS\system32\drivers\usbscan.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:03 PM C:\WINDOWS\system32\drivers\usbstor.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:03 PM C:\WINDOWS\system32\drivers\WDICA.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:06 PM C:\WINDOWS\system32\drivers\wpdusb.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:06 PM C:\WINDOWS\system32\drivers\wudfrd.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…
15/06/2010 8:10:06 PM C:\WINDOWS\system32\drivers\2590449099.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest…

A subsequent thorough full system scan with Avast found:
in Local Settings\Temp\svchost.exe Win32:Malware-Gen (in chest)
in Local Settings\Temporary internet files\content.ie5\JVUVU1YF\Notes1[1].pdf JS:Pdfka-AHK [Expl] (in Chest)

Other scans done: Malwarebytes Anti-Malware (nothing) and SuperAntiSpyware (just tracking cookies).
I have CCleaner but have yet to use it.
I am not sure what the next step is to restore my system functionality.

Looks like a false positive on the drivers except one. What is your Virus definition version (VDV)?

Extract 2590449099.sys from the virus chest and upload it to VirScan.Org or NoVirusThanks Multi-Engine Antivirus Scanner and post the results.

Thanks for the reply.

Definition version: 100617-1
I also re-scanned all of the items in the chest, but they all kept the original definitions.

Results from NoVirusThanks:

File Info

Report date: 2010-06-18 06:04:48 (GMT 1)
File name: 2590449099.sys
File size: 772096 bytes
MD5 Hash: 19c8fb7ae0c7f10453aafda8debae559
SHA1 Hash: 72901a68e368a0db697d3cae7e7ac77041b886c6
Detection rate: 13 on 16 (81%)
Status: INFECTED

Detections

a-squared - Backdoor.Win32.IEbooot!IK
Avast - Win32:Malware-gen
AVG - BackDoor.Generic12.BPKA
Avira AntiVir - TR/Crypt.ZPACK.Gen
BitDefender - Trojan.IEBooot.E
ClamAV -
Comodo -
Dr.Web -
F-PROT6 - W32/Backdoor2.GXML
G-Data - Backdoor.Win32.IEbooot.fbs A
Ikarus T3 - Backdoor.Win32.IEbooot
Kaspersky - Backdoor.Win32.IEbooot.fbs
NOD32 - Win32/Agent.OFB
Panda - Rootkit/IEBooot.C
TrendMicro - BKDR_IEBOOOT.AZ
VBA32 - Backdoor.Win32.IEbooot.fbs

Scan report generated by
NoVirusThanks.org

Hello,
I suspect that all the files are the same inside but with different filenames. Send us (virus@avast.com) those files with a link to this forum to analyze them.

Milos
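Milos's hypothesis (identical content under different driver names) is something that can be tested locally before mailing anything: hash the files extracted from the chest and group them by digest. The same digests can also be checked against the MD5/SHA1 that NoVirusThanks printed for 2590449099.sys, and it is worth noting that two of the VirusTotal names quoted later in this thread for usbscan.sys carry the same 772096 size as that file. The script below is an added example written for this page, not Avast's code or any tool used in the thread; it builds its own temporary directory of placeholder files (constructed, not real samples) in place of the extracted chest, and borrows file names from the log only so the output reads naturally.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Digests quoted in the NoVirusThanks report for 2590449099.sys (from the thread).
REPORTED_MD5 = "19c8fb7ae0c7f10453aafda8debae559"
REPORTED_SHA1 = "72901a68e368a0db697d3cae7e7ac77041b886c6"


def file_digests(path, chunk_size=1 << 16):
    """Return (md5, sha1, size) for a file, streaming it so large samples are fine."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha1.hexdigest(), size


def group_by_content(paths):
    """Map sha1 -> sorted file names that share exactly that content.

    Identical digests mean identical bytes: if every quarantined 'driver' lands
    in one group, they are one payload copied under many names, not real drivers.
    """
    groups = defaultdict(list)
    for p in paths:
        _, sha1, _ = file_digests(p)
        groups[sha1].append(os.path.basename(p))
    return {k: sorted(v) for k, v in groups.items()}


def matches_report(path, md5=REPORTED_MD5, sha1=REPORTED_SHA1):
    """True if a file's digests equal the ones published in a scan report."""
    got_md5, got_sha1, _ = file_digests(path)
    return got_md5 == md5 and got_sha1 == sha1


def write_sample(data, name="sample.bin"):
    """Write constructed bytes into a fresh temp directory and return the path."""
    d = tempfile.mkdtemp(prefix="chest_demo_")
    p = os.path.join(d, name)
    with open(p, "wb") as fh:
        fh.write(data)
    return p


def build_demo_dir():
    """Constructed stand-in for the extracted chest: four files, three identical.

    The bytes are placeholders, not malware; only the names come from the log.
    """
    d = tempfile.mkdtemp(prefix="chest_demo_")
    payload = b"PLACEHOLDER-DRIVER-BYTES" * 64
    other = b"DIFFERENT-LEGIT-DRIVER" * 64
    for name, data in [("usbscan.sys", payload), ("usbstor.sys", payload),
                       ("2590449099.sys", payload), ("aec.sys", other)]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


def demo():
    """Group the demo directory and print one line per distinct content."""
    d = build_demo_dir()
    paths = [os.path.join(d, n) for n in os.listdir(d)]
    groups = group_by_content(paths)
    for sha1, names in groups.items():
        print(f"{sha1}  {', '.join(names)}")
    return groups


if __name__ == "__main__":
    demo()
```

Run it against the real extracted chest by replacing `build_demo_dir()` with the folder you extracted into; any group with more than one name is a set of files Milos need only receive once, and a group whose digest matches `REPORTED_MD5`/`REPORTED_SHA1` is already in the NoVirusThanks report.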

I can’t seem to get them to email because they are supposedly .exe files and it won’t send them. I have tried a .zip file and a .rar file; does anybody know how I could send them?

I thought it would be interesting to note that the virus had moved from various drivers to temp files in C:windows… it keeps creating .tmp files in the same folder. Every time it finds a file in the avast5 folder and removes it, a new one is generated straight away.

Today's Avast log:

  • Started on: Saturday, June 19, 2010 10:33:00 AM

19/06/2010 1:29:38 PM C:\WINDOWS\ckbcdp.dll [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 1:30:06 PM C:\WINDOWS\trz4F.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 1:35:07 PM C:\WINDOWS\trz50.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 1:40:11 PM C:\WINDOWS\trz55.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 1:45:12 PM C:\WINDOWS\trz5B.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 1:53:40 PM C:\WINDOWS\trz5D.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 1:58:40 PM C:\WINDOWS\trz5F.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:03:42 PM C:\WINDOWS\trz60.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:08:41 PM C:\WINDOWS\trz61.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:13:41 PM C:\WINDOWS\trz62.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:18:44 PM C:\WINDOWS\trz63.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:23:55 PM C:\WINDOWS\Temp\_avast5_\unp258465847.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:29:02 PM C:\WINDOWS\Temp\_avast5_\unp133538749.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:34:05 PM C:\WINDOWS\Temp\_avast5_\unp213109777.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:39:19 PM C:\WINDOWS\Temp\_avast5_\unp102098617.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:45:03 PM C:\WINDOWS\Temp\_avast5_\unp226431120.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:50:04 PM C:\WINDOWS\Temp\_avast5_\trz71.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 2:55:04 PM C:\WINDOWS\Temp\_avast5_\unp234372650.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 3:00:06 PM C:\WINDOWS\Temp\_avast5_\trz73.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 3:05:12 PM C:\WINDOWS\Temp\_avast5_\trz74.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 3:10:13 PM C:\WINDOWS\Temp\_avast5_\trz7F.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 3:15:26 PM C:\WINDOWS\Temp\_avast5_\trz80.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 3:20:38 PM C:\WINDOWS\Temp\_avast5_\trz81.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…
19/06/2010 3:25:38 PM C:\WINDOWS\Temp\_avast5_\trz82.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…

A scan at VirusTotal of usbscan.sys, which is one of the original infected driver files that I need, resulted in:

Antivirus Version Last Update Result
a-squared 5.0.0.26 2010.06.19 Backdoor.Win32.IEbooot!IK
AhnLab-V3 2010.06.19.00 2010.06.19 Win-Trojan/Iebooot.772096
AntiVir 8.2.2.6 2010.06.18 TR/Crypt.ZPACK.Gen
Antiy-AVL 2.0.3.7 2010.06.18 Backdoor/Win32.IEbooot.gen
Authentium 5.2.0.5 2010.06.19 W32/Backdoor2.GXML
Avast 4.8.1351.0 2010.06.18 Win32:Malware-gen
Avast5 5.0.332.0 2010.06.18 Win32:Malware-gen
AVG 9.0.0.787 2010.06.18 BackDoor.Generic12.BPKA
BitDefender 7.2 2010.06.19 Trojan.IEBooot.E
CAT-QuickHeal 10.00 2010.06.18 Trojan.Agent.gen
ClamAV 0.96.0.3-git 2010.06.19 -
Comodo 5149 2010.06.19 -
DrWeb 5.0.2.03300 2010.06.19 -
eSafe 7.0.17.0 2010.06.17 Win32.TRCrypt.ZPACK
eTrust-Vet 36.1.7650 2010.06.19 -
F-Prot 4.6.1.107 2010.06.18 W32/Backdoor2.GXML
F-Secure 9.0.15370.0 2010.06.19 Trojan.IEBooot.E
Fortinet 4.1.133.0 2010.06.18 W32/IEbooot.FBS!tr.rkit
GData 21 2010.06.19 Trojan.IEBooot.E
Ikarus T3.1.1.84.0 2010.06.19 Backdoor.Win32.IEbooot
Jiangmin 13.0.900 2010.06.15 Backdoor/IEbooot.pv
Kaspersky 7.0.0.125 2010.06.19 Backdoor.Win32.IEbooot.fbs
McAfee 5.400.0.1158 2010.06.19 Generic BackDoor!cqz
McAfee-GW-Edition 2010.1 2010.06.18 Heuristic.LooksLike.Trojan.Dropper.E
Microsoft 1.5902 2010.06.19 Trojan:WinNT/Bubnix.gen!A
NOD32 5208 2010.06.18 Win32/Agent.OFB
Norman 6.05.06 2010.06.18 W32/Suspicious_Gen2.BBZQB
nProtect 2010-06-19.01 2010.06.19 Trojan.IEBooot.E
Panda 10.0.2.7 2010.06.18 Rootkit/IEBooot.C
PCTools 7.0.3.5 2010.06.19 Backdoor.Trojan
Prevx 3.0 2010.06.19 -
Rising 22.52.05.02 2010.06.19 Trojan.Win32.Generic.52069B85
Sophos 4.54.0 2010.06.19 Troj/Rustock-M
Sunbelt 6470 2010.06.19 Trojan.Win32.Generic!BT
Symantec 20101.1.0.89 2010.06.19 Backdoor.Trojan
TheHacker 6.5.2.0.300 2010.06.18 -
TrendMicro 9.120.0.1004 2010.06.19 BKDR_IEBOOOT.AZ
TrendMicro-HouseCall 9.120.0.1004 2010.06.19 BKDR_IEBOOOT.AZ
VBA32 3.12.12.5 2010.06.18 Backdoor.Win32.IEbooot.fbs
ViRobot 2010.6.19.3894 2010.06.19 Backdoor.Win32.IEbooot.772096
VirusBuster 5.0.27.0 2010.06.18 Backdoor.IEbooot.XH

Latest MB log:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4214

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

19/06/2010 5:16:52 PM
mbam-log-2010-06-19 (17-16-52).txt

Scan type: Full scan (C:|F:|G:|)
Objects scanned: 328409
Time elapsed: 2 hour(s), 41 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Files Infected:
C:\System Volume Information\_restore{0F412C91-802F-4C5A-8FBA-8035FA4FC242}\RP275\A0037346.exe (Trojan.Agent.CK) → Quarantined and deleted
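The poster's remark that the shield keeps catching a fresh .tmp in the same folder about every five minutes is the kind of pattern worth pulling out of the log mechanically rather than by eye: a detection that recurs at a fixed interval in one directory means something still resident is re-dropping the file, so each chest entry is a symptom and not the cause. The script below is an added example written for this page (not Avast's own log tooling and not anything from the thread); it parses a constructed subset of the real-time shield lines quoted above, groups hits by directory, and flags directories where consecutive hits land at a near-constant interval. The 300-second period and 60-second tolerance are assumptions chosen to match the timestamps in this thread.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed subset of the Avast real-time shield lines quoted in this thread.
# The "moved to chest" lines are kept so the parser must skip them, as on a real export.
SAMPLE_LOG = r"""
15/06/2010 8:07:57 PM C:\Documents and Settings\Dariusz\Local Settings\Temporary Internet Files\Content.IE5\IVUVU1YF\Applet1[1].htm [L] JS:Jaderun-A [Expl] (0)
File was successfully moved to chest...
15/06/2010 8:09:35 PM C:\WINDOWS\system32\drivers\aec.sys [L] Win32:Malware-gen (0)
File was successfully moved to chest...
19/06/2010 1:29:38 PM C:\WINDOWS\ckbcdp.dll [L] Win32:Malware-gen (0)
File was successfully moved to chest...
19/06/2010 1:30:06 PM C:\WINDOWS\trz4F.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest...
19/06/2010 1:35:07 PM C:\WINDOWS\trz50.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest...
19/06/2010 1:40:11 PM C:\WINDOWS\trz55.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest...
19/06/2010 1:45:12 PM C:\WINDOWS\trz5B.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest...
19/06/2010 2:23:55 PM C:\WINDOWS\Temp\_avast5_\unp258465847.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest...
19/06/2010 2:29:02 PM C:\WINDOWS\Temp\_avast5_\unp133538749.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest...
19/06/2010 2:34:05 PM C:\WINDOWS\Temp\_avast5_\unp213109777.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest...
19/06/2010 2:39:19 PM C:\WINDOWS\Temp\_avast5_\unp102098617.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest...
"""

# One detection line: "<dd/mm/yyyy h:mm:ss AM|PM> <path> [L] <detection> (<n>)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<path>.+?) \[L\] (?P<detection>.+?) \(\d+\)$"
)


def parse_line(line):
    """Return a dict for a detection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    directory, _, name = m["path"].rpartition("\\")
    return {
        "ts": datetime.strptime(m["ts"], "%d/%m/%Y %I:%M:%S %p"),
        "dir": directory,
        "name": name,
        "detection": m["detection"],
    }


def parse_log(text):
    """Parse a whole export, dropping the status lines between detections."""
    return [e for e in map(parse_line, text.strip().splitlines()) if e]


def find_periodic_drops(events, period_s=300, tolerance_s=60, min_periodic_gaps=2):
    """Flag directories whose consecutive detections are spaced about period_s apart.

    A folder that yields a fresh hit at a steady interval is being refilled by
    something still running, so quarantining each file is not fixing the cause.
    The first hit in a folder may be off-cadence (e.g. the dropper itself), so
    the rule counts on-cadence gaps rather than requiring every gap to match.
    """
    by_dir = defaultdict(list)
    for e in events:
        by_dir[e["dir"]].append(e["ts"])
    findings = {}
    for directory, stamps in by_dir.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = [g for g in gaps if abs(g - period_s) <= tolerance_s]
        if len(periodic) >= min_periodic_gaps:
            findings[directory] = {
                "hits": len(stamps),
                "periodic_gaps": len(periodic),
                "median_gap_s": statistics.median(periodic),
            }
    return findings


if __name__ == "__main__":
    for d, info in find_periodic_drops(parse_log(SAMPLE_LOG)).items():
        print(f"{d}: {info['hits']} hits, {info['periodic_gaps']} gaps near "
              f"{info['median_gap_s']:.0f}s -> something is re-dropping files here")
```

On the constructed subset this flags C:\WINDOWS and the Avast unpack folder, and leaves the one-off hits (the drivers directory, the IE cache) alone; the driver entries from the first extract all fall within about a minute and do not recur, which fits a single sweep rather than a live dropper.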

Update Internet Explorer to 8.0 as 6.0 is quite old and vulnerable to infections.

See:
Clear System Restore Points
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Hello,
you can rename the extension “.exe” to e.g. “.ex_”, or pack the files with a password (e.g. “virus”, without quotes) and filename encryption.

Milos