Win32.Malware-gen & Rootkit issues

A few days ago, Avast! alerted me about a Win32.Malware-gen infection. However, every time I tried to quarantine (not always possible) or delete the file, another alert would occur shortly afterwards.

I tried using Spybot (and managed to remove a few infected files) but, after rebooting my PC (and allowing Spybot to run a system check), a Windows error message popped up consistently (“error loading: C:\windows\dsxewm6.dll Access denied”), almost covering the screen. Although Spybot didn’t detect anything further, I was still getting alerts from Avast! about the same infection. At one point, Avast! instructed me to reboot my PC because it couldn’t deal with the infected file(s) any other way. So, I rebooted and Avast! scanned my system in DOS. However, as soon as it detected something, my keyboard was unable to select an option to deal with the infection.

I then decided to reboot my PC to safe mode and ran all the anti-virus programs I have on my PC: Avast!, Malwarebytes’ Anti-Malware and Spybot. All of them, except Spybot, found further infected files and they were promptly quarantined. However, after restarting my computer normally, Avast! once again notified me of the same Win32.Malware-gen problem! This has happened three times so far and, on each occasion, they were quarantined.

To be safe, I decided to run a quick Malwarebytes’ Anti-Malware scan and found yet another infected file and quarantined that as well (and I hadn’t even started using the internet yet). Since then, Avast! hasn’t notified me of any further infections but I’m not completely confident that the problem’s been solved. I’d really appreciate it if someone could help (especially Essexboy). I’ve enclosed logs from most of the programs I’ve used (including an OTL log).

Cheers.

Latest database for MBAM is 3960; you have scanned with 3930.

Hey, thanks for the heads-up! I’ve updated it twice within the last few days but only now has it upgraded itself to the 3960 version.

I’ve just run a full scan on Malwarebytes’ Anti-Malware (v 3960) and it found one infected file. I’ve attached the log below.

Hi, a few bits to clean and then I will want to use a stronger tool.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-371757489-1780262812-3310583448-1006\..\Toolbar\ShellBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-371757489-1780262812-3310583448-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-371757489-1780262812-3310583448-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
[2010/04/01 07:50:03 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Sjuxurupoh.dat
[2010/04/01 02:47:09 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Lcofagacut.bin

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

NEXT

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
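The OTL fix script above lists two kinds of entries: orphaned BHO/toolbar CLSIDs (`O2`/`O3` lines ending in "No CLSID value found") and file entries dropped straight into C:\WINDOWS shortly before the scan. As an added example (not part of this thread or of OTL itself), the Python below parses lines of that shape and applies a simple triage heuristic to flag the same candidates a helper would look at first. The field names (`attrs`, `kind`, `publisher`) and the meaning of the parentheses as a publisher field are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the OTL fix script above (last line is a
# constructed benign entry; publisher-in-parentheses is an assumption).
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.",
    r"O3 - HKU\S-1-5-21-371757489-1780262812-3310583448-1006\..\Toolbar\ShellBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.",
    r"[2010/04/01 07:50:03 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Sjuxurupoh.dat",
    r"[2010/04/01 02:47:09 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Lcofagacut.bin",
    r"[2008/04/14 12:00:00 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe",
]

FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>\w)\] \((?P<publisher>[^)]*)\) -- (?P<path>.+)$"
)
ORPHAN_RE = re.compile(
    r"^(?P<section>O\d+) - .*\{(?P<clsid>[0-9A-Fa-f-]{36})\} - No CLSID value found\.$"
)

def parse_line(line):
    """Return ('file', fields), ('orphan', fields) or (None, None)."""
    m = FILE_RE.match(line)
    if m:
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
        d["size"] = int(d["size"].replace(",", ""))  # "000,000,120" -> 120
        return "file", d
    m = ORPHAN_RE.match(line)
    return ("orphan", m.groupdict()) if m else (None, None)

def triage(lines, scan_time, window_days=7):
    """Heuristic triage: orphaned CLSIDs, plus files with no publisher written
    directly into C:\\WINDOWS within window_days before the scan."""
    flagged = []
    for line in lines:
        kind, d = parse_line(line)
        if kind == "orphan":
            flagged.append(("orphan-clsid", d["clsid"]))
        elif kind == "file":
            parent, _, _name = d["path"].rpartition("\\")
            recent = scan_time - d["ts"] <= timedelta(days=window_days)
            if parent.lower() == r"c:\windows" and recent and not d["publisher"]:
                flagged.append(("recent-windir-file", d["path"]))
    return flagged

def run_sample():
    """Triage the constructed sample as if scanned on 2010/04/02."""
    return triage(SAMPLE_LOG, datetime(2010, 4, 2))
```

Flagged entries are only candidates for review; the benign explorer.exe entry is skipped because it is old and carries a publisher.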

Hi Essexboy.

Thanks for your help but, on OTL, the run fix option never finished due to an error (I’ve enclosed the error log). I waited for ten minutes but nothing happened. After rebooting, I ran a quick scan, just in case.

I’m not sure if I should conduct the second stage regardless, so please let me know.

“Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.” I can see a method for Spybot and Avast! but not for MBAM…

Right click the Avast icon and under shield control select disable for 1 hour. Once you have rebooted from the CF run, then re-enable.

Ooops, numpty can’t read; you can leave MBAM alone and it will not conflict.

Okay, all done! ComboFix log attached.

Cheers.

Looks good - do you have any further problems showing?

Since my opening post, Avast! hasn’t alerted me of anything else (although, as already mentioned, MBAM picked up one more infected file).

I haven’t noticed any strange behaviour from my PC either.

OK, if you could run OTL and hit the Clean Up button, it will remove itself and ComboFix.

I would then recommend that you reset your restore points - keep an eye on it for 24 hours or so and if you have any problems come back here.

Okay, OTL and ComboFix have now been removed, previous system restore points have also been deleted and the latest version of MBAM (3961) has come up with no infected files after a quick scan.

Thank you ever so much! :slight_smile:

Just a quick question about the ‘Immunize’ function on Spybot: Windows Global (Hosts) remain unprotected even after immunising. I don’t recall it doing this before (but all the other sections are fully immunised). Since I use Firefox exclusively, should it be considered a concern?

It is always best to protect IE even if you rarely use it ;D

All sorted! After doing some research, I realised that it was due to one of the advanced settings in ZoneAlarm. I just deselected it (temporarily) and the immunisation of the global hosts worked this time.

My PC has been running fine today but I’ll probably continue to monitor it for another 24 hours. Once again, many thanks for all your help! :smiley: