Win-32 Malware

A fatal error occurs when I try to do the scan. Windows then shows a blue screen. This has happened twice. Do I have to keep trying, or use another program?

Jan

Unfortunately there is a new rootkit going around at the moment, I have only had one case so far but GMER shows it quite nicely

Let's see if I can find the traces it leaves, this time OTL is looking at a few different areas

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles /all
%systemroot%\System32\config\*.sav

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
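The /md5start ... /md5stop block in the custom scan above lists storage-controller drivers and logon-related DLLs that rootkits of this era patched in place (atapi.sys being the classic case); the point of hashing them is to compare each file against a known-good value rather than trust the file name. The script below is an added example, not part of this post and not OTL's own code: it computes MD5 digests of the same list of names with Python's hashlib and reports only the files whose digest differs from a baseline. The baseline values and the sample file contents are constructed for the demo and are not real known-good hashes.

```python
"""Hash a list of driver/DLL names under a directory and report baseline mismatches.
Added example; the baseline digests and demo file contents are constructed."""
import hashlib
import os
import tempfile

# File names taken from the /md5start ... /md5stop block of the OTL custom scan.
WATCHED_FILES = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
    "eNetHook.dll", "ahcix86.sys", "KR10N.sys", "nvstor32.sys", "ahcix86s.sys",
    "nvrd32.sys", "symmpi.sys", "adp3132.sys", "mv61xx.sys", "nvraid.sys",
]


def md5_of_file(path, chunk_size=65536):
    """Return the hex MD5 of a file, read in chunks so large drivers are handled."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_listed_files(base_dir, names=WATCHED_FILES):
    """Hash every listed name found under base_dir (on Windows this would be
    %SystemRoot%\\system32\\drivers or \\system32). A missing file maps to None
    instead of raising: most machines only have a few of these controllers.
    A file that exists but cannot be opened is reported as 'UNREADABLE', which
    is itself a finding worth looking at."""
    observed = {}
    for name in names:
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            observed[name] = None
            continue
        try:
            observed[name] = md5_of_file(path)
        except OSError:
            observed[name] = "UNREADABLE"
    return observed


def compare_to_baseline(observed, baseline):
    """Return the sorted names whose observed digest differs from the baseline.
    Names absent from either side are skipped, so only real mismatches show up."""
    return sorted(
        name for name, digest in observed.items()
        if digest is not None and name in baseline and digest != baseline[name]
    )


def run_demo():
    """Constructed scenario: two sample files in a temp dir, one of them altered.
    Returns (mismatches, observed) so the result can be inspected or asserted."""
    # MD5 of the constructed content b"abc"; used as the made-up baseline value.
    clean_digest = "900150983cd24fb0d6963f7d28e17f72"
    baseline = {"atapi.sys": clean_digest, "nvraid.sys": clean_digest}
    with tempfile.TemporaryDirectory() as base_dir:
        with open(os.path.join(base_dir, "nvraid.sys"), "wb") as handle:
            handle.write(b"abc")          # matches the baseline
        with open(os.path.join(base_dir, "atapi.sys"), "wb") as handle:
            handle.write(b"tampered")     # stands in for a patched driver
        observed = hash_listed_files(base_dir)
        return compare_to_baseline(observed, baseline), observed


if __name__ == "__main__":
    mismatches, report = run_demo()
    for name, digest in report.items():
        if digest is not None:
            print(f"{name}: {digest}")
    print("mismatched against baseline:", mismatches)
```

On a real system the baseline would be the vendor's published hashes for the exact OS build, and the comparison would be run from clean media, since a kernel-mode rootkit that hooks file I/O can feed this script the original bytes while the on-disk file is modified; that is exactly why the thread escalates to GMER and IceSword when the user-mode tools keep crashing.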

I don’t know why I’m not allowed to create a message.

Never mind.

Has somebody already seen a problem with X5?

I think avast sees a fake trojan with it

http://rencontres.tarot.free.fr/cheval de troie.jpg

If you can post you can create a topic - Please start a New Topic of your own as this is unrelated to the original subject and will just confuse the topic and we will try to help.

  • Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

No Extras.txt was created after this scan, just OTL.txt (attached). Do I need to do the OTL-scan again with other settings?

Jan

Aye the extras is only produced on the first run

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O20 - Winlogon\Notify\gport_: DllName - gport_.dll - C:\Windows\System32\gport_.dll ()
[2010-04-07 17:03:03 | 000,005,136 | ---- | M] () -- C:\Windows\System32\gport_.dll

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

See attachment for OTL log after Fix. Tried gmer again after that, but still stops running after 2 minutes.

Jan

Could you retry GMER but remove the tick from Files

Same problem. I’ve removed ticks from Files alone and Files+IAT/EAT, but in both cases the program stops running after a few minutes.

Jan

OK, let's try IceSword on this - it is a nifty Chinese anti-rootkit programme, not as automated but good

Please download and unzip Icesword to its own folder on your desktop

If you get a lot of “red entries” in an IceSword log, don’t panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it’s hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

Frustrating… IceSword doesn’t work either. After clicking the Icesword application, it tells me “Initialize Failed[1]!”. I’ve extracted it to my Desktop, tried a reboot and shutting down all other programs. Should I try it without Avast or Windows Defender enabled?
Jan

Hi, someone has just created a programme to look for the data I need

1. Go HERE and download FileLister.

  • Save it to your Desktop
  • Rt Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.

http://bamajim.com/Images/unzip4.JPG

  • Rt Click FileLister.vbe ->> Select Open, then Open to confirm.
  • When the program is finished it will produce a log for you, Files.txt
  • Which will be located in the default location from which FileLister was run (the FileLister folder)

Copy and paste the contents of that log in your reply.

I got a blue windows error screen again, but it seems that it produced a log.
Since then, Avast started to report the old Win-32 Malware again…

Could you delete your current copy of Combofix and download the latest version from here
Link 1
Link 2

Run and then post the log please

I cannot post the log, since then my browser tells me that the server has been reinitialized… I tried all day yesterday and this morning and then I found out that that was the problem.

Where do you want me to post the Combofix log alternatively?

Jan

You could mail it to me - I will PM you with the address

That does seem rather large

I will use an analysis tool instead - although Avenger had killed the rootkit. Upload the two zip files to Mediafire and post the sharing link.

Download avz4.zip from HERE

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window:
http://perplexus.geekstogo.com/avz-update-button.png

  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  • Start AVZ.
  • Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis with malware removal mode enabled” check box.

http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png

  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis” check box.

http://perplexus.geekstogo.com/avz-standardscripts-asa.png

  • Click on the “Execute selected scripts”.
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

Mmm, I’m starting to worry. Avz also shuts down after 3/4 of the analysis. I’ve tried it several times, yesterday and today. Do I need to try Combofix again? Or do I need to start thinking about a complete format of my PC?

Jan

I would commence backing up your data at this stage just to be safe

Delete your current combofix and download a new copy

Download ComboFix from one of these locations:

Link 1
Link 2

Combofix worked hard and well; see log.
In between, I’m still very much appreciating the help I’m getting!