Win-32 Malware

Hello,

Yesterday my computer was affected by some sort of Win-32 malware (in svchost.exe from Windows/Temp). Avast also provides a warning about a rootkit (in Windows/System32/Drivers).
I’ve read several posts on this forum about this same type of malware. So far, I’ve tried to clean my PC with Malwarebytes’ Anti-Malware, OTL, SUPERAntiSpyware and Spybot - Search & Destroy, all with the latest updates, but Avast still gives me the same warnings.
As described elsewhere, I’ve attached the log files of OTL (2x) and MBAM (1x).
Help would be very much appreciated!

Jan

An additional question: are files like Office files also infected, i.e. when I open a file from the infected PC on another PC (through e-mail or a pen drive), will it also be infected with the malware?
Again, thanks a lot for a reply!

Jan

I have sent a PM to Essexboy so he will have a look when he enters the forum… :wink:

OBS: your MBAM log says "NO ACTION TAKEN". Have you clicked "REMOVE SELECTED" after the scan?

Did you take any action with MBAM? C:\Windows\system32\Drivers\synvp.sys (Rootkit.Agent) → No action taken

You could try HMP; it could be the TDL3 rootkit: http://www.surfright.nl/en/hitmanpro

Hi there, let's clear what I can see first and then determine what problems remain.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
[2010-04-03 11:59:39 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\synvp.sys
[2010-04-03 12:10:11 | 000,823,808 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\synvp.sys

:Files
C:\Windows\tasks\At*.job

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi,

See attachment for OTL file.
After reboot Avast found a Trojan horse in several files; so far no more messages about the malware have come up.

Jan

Sorry, wrong file in my last reply. This one is the OTL Quick Scan log. The malware is still present, by the way.

Jan

Yep, sure is. Let's use a bigger hammer.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:


:Files
C:\Windows\tasks\At*.job
C:\Windows\System32\drivers\synvp.sys

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

  1. Please download The Avenger by Swandog46 to your Desktop.
     - Right click on the Avenger.zip folder and select “Extract All…”
     - Follow the prompts and extract the avenger folder to your desktop.
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Drivers to delete:
synvp.sys
synvp

Files to delete:
C:\Windows\System32\drivers\synvp.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
     - Right click on the window under “Input script here:” and select Paste.
     - You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
     - Click on Execute.
     - Answer “Yes” twice when prompted.
  4. The Avenger will automatically do the following:
     - It will restart your computer. (In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
     - On reboot, it will briefly open a black command window on your desktop; this is normal.
     - After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt.
     - The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply.

Hi,

I’m back again… See attachments.

Jan

My apologies for the delay, as I lost my notifications.

I need to run ComboFix now, as there is something I am not seeing.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Combofix.txt attached

Jan

Well, that revealed an infection I have not seen for a while.

  1. Please open Notepad:
     - Click Start, then Run.
     - Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


Renv::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\CyberLink\YouCam\MUITransfer\muistartmenu .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\itsecmng .exe
c:\windows\RaidTool\xinside .exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt.

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     - Combofix.txt
     - A new OTL log.
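Added example (not from the thread, from ComboFix or from its author): a small Python check for the renamed-executable pattern the Renv:: list above targets, a legitimate program renamed with a space before .exe and a look-alike placed beside it under the original name. The directory listing is constructed sample data; the check only reports and deletes nothing.

```python
"""Added example (not from the forum thread): flag executables whose name has a
space before the extension, the pattern ComboFix's Renv:: list above shows
(e.g. 'reader_sl .exe'), and report whether a file with the un-spaced name
sits beside it. Paths below are constructed sample data."""
import re
from pathlib import PureWindowsPath

# A file name ending in one or more spaces followed by an executable extension.
SPACED_EXT = re.compile(r"^(?P<stem>.+?)\s+\.(?P<ext>exe|dll|sys|scr)$", re.IGNORECASE)

SAMPLE_LISTING = [  # constructed sample, modelled on the Renv:: list in the thread
    r"c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe",
    r"c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe",
    r"c:\program files\QuickTime\qttask .exe",
    r"c:\program files\QuickTime\QTTask.exe",
    r"c:\windows\RaidTool\xinside .exe",
    r"c:\windows\notepad.exe",
]

def find_spaced_executables(listing):
    """listing: iterable of Windows path strings (from a directory walk or a log).
    Returns a list of dicts: the suspicious path, the name it was likely renamed
    from, and whether that un-spaced sibling is present in the same listing."""
    present = {p.lower() for p in listing}  # Windows paths compare case-insensitively
    hits = []
    for path in listing:
        p = PureWindowsPath(path)
        m = SPACED_EXT.match(p.name)
        if not m:
            continue
        original = str(p.with_name(f"{m['stem']}.{m['ext']}"))
        hits.append({
            "renamed": str(p),
            "original_name": original,
            "replacement_present": original.lower() in present,
        })
    return hits

def main():
    for hit in find_spaced_executables(SAMPLE_LISTING):
        flag = "REPLACEMENT PRESENT" if hit["replacement_present"] else "no sibling"
        print(f"{hit['renamed']}  <-  likely original of {hit['original_name']}  [{flag}]")

if __name__ == "__main__":
    main()
```

A hit with the replacement present is the stronger signal: the un-spaced file is the one that runs at logon and is the one to submit for analysis, while the spaced copy is usually the clean original.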

On the first run, something went wrong and my computer gave me an error message in a blue screen. The second time, it seemed to run fine. There was no reboot and ComboFix automatically gave me the log.txt file (instead of ComboFix.txt), but I assume this is the same.
Interesting to have such a special infection over here! :wink:

Jan

OK, I can no longer find the bad boy, or anything else. How is your computer running now?

So far, so good! I still need to run a boot scan, but I think it’s unlikely that something will be found.
I’m impressed by the amount of (short-term) help I’ve gotten over here! Thanks!

Jan

After feeling happy, it seems that there is a little bit remaining. Avast displayed a message about blocking some malware twice today. I ran a boot scan and it found a couple of infected files that I moved to the chest.
I ran a quick scan with OTL (log attached). I’ve also added some kind of log file of the boot scan that Avast did (but I don’t know if it’s the correct one or helpful).
Hope you can help me finish the last bit of this!

Jan

Nothing apparent in that log. Could you run MBAM to see what that reveals? Was it a WebShield warning?

Here is the MBAM file. I don’t know for sure, but I think it was a WebShield warning, not a warning about an infection. Still, I got worried because the Avast boot scan found so many infections (and moved them to the chest).

Jan

There is definitely still something going on. Google is not working; both Firefox and IE are giving me warnings about this…

GMER Rootkit Scanner - Download - Homepage
- Download GMER.
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

- If it gives you a warning about rootkit activity and asks if you want to run a full scan… click on NO, then use the following settings for a more complete scan…
- In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically C:)
  - Show All (don’t miss this one)

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg

- Then click the Scan button & wait for it to finish.
- Once done click on the [Save…] button, and in the File name area, type in “ark.txt”.
- Save the log where you can easily find it, such as your desktop.

Caution: Rootkit scans often produce false positives. Do NOT take any action on any “<--- ROOTKIT” entries.

Please copy and paste the report into your Post.