Win32:Malware-gen

A Virus Was Found!

File name: C:\WINDOWS\TEMP\maec.tmp\svchost.exe

I’ve sent it to chest and deleted it, but it keeps reappearing.
I have scheduled two boot-scans which didn’t help and also did a quick scan with MBAM.

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\tm (Trojan.Downloader) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java quick start (Trojan.Downloader) → Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\J\Local Settings\Temp\5.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Temp\8.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\Documents and Settings\J\jusched.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\WINDOWS\system32\d3d8thk.dll (Trojan.FakeAlert) → Quarantined and deleted successfully.


What should I do?

Grateful for any help!

So are you saying that it is still coming back?

The TDSS rootkit can be a bit of a pig.

Now that you have run MBAM and it reports removing some TDSS rootkit elements, I would run an avast boot-time scan again.

Also try SUPERantispyware, On-Demand only in the free version.
Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie.
Also available is a portable version of SAS, http://www.superantispyware.com/portablescanner.html, no installation required.

You can also try Tdsskiller and HMPro, followed by MalwareBytes

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

http://www.surfright.nl/en/hitmanpro

I thought I would run MBAM once more (since this log was like 2 days old), before I ran the avast boot-time scan.
Now I have a problem, I realised that MBAM was never able to remove anything during reboot because every time it was about to reboot it encountered a problem and had to be shut down.

I ran MBAM twice just to be certain and here are the logs:

Scan type: Quick scan
Objects scanned: 109107
Time elapsed: 8 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) → Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) → Delete on reboot.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) → Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) → Quarantined and deleted successfully.


Didn’t reboot so I tried again:

Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702

2010-04-03 22:56:20
mbam-log-2010-04-03 (22-56-20).txt

Scan type: Quick scan
Objects scanned: 109111
Time elapsed: 2 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) → Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) → Delete on reboot.

Once again, MBAM encountered a problem, had to shut down and didn’t reboot.
Suddenly, a “DrWatson Postmortem Debugger” encountered a problem and had to close, don’t really know if this is related, but I’ve never seen it before…
I also forgot to say that the file name slightly shifts every time:
For ex.
C:\WINDOWS\TEMP\yorg.tmp\svchost.exe
C:\WINDOWS\TEMP\whug.tmp\svchost.exe

Sorry for writing such a long post without having tried what you wrote, but I thought this could be good to tell you before I do something else.

Edit:
Ran Avast boot-time scan, still get virus warning, now also located in c:\windows\temp\egr.exe.
And now Avast wants to run another boot-time scan… the last one took like two hours :confused:

Edit 2:
Ran SAS, which found 360 threats, it removed them all and rebooted, but the problem still remains in:
c:\windows\system32\ymamvrxb.dll

Edit3:
I ran SAS a second time, and my problem still remains.
@ DavidR: do you have any other suggestions or should I try Tdsskiller and HMPro next?
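The MBAM logs quoted above keep reporting sshnas21.dll as “Delete on reboot”, and the reboot step never completes, so the detection simply recurs. As an added example (not code from this thread or from Malwarebytes), this Python parser reads an MBAM 1.x log and flags items still pending a reboot, a missing header (so the signature database version is unknown), and summary counts that do not match the itemised sections; the sample log is constructed from the lines posted here, and the `->` / `→` arrow variants are both accepted.

```python
import re

# One detection line: "<path> (<threat>) -> <action>." (the forum rendering shows the arrow as →).
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")

# Constructed sample modelled on the second log in this thread; not a real log file.
SAMPLE_LOG = r"""Memory Modules Infected: 1
Files Infected: 2

Memory Modules Infected:
c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

def parse_mbam_log(text):
    """Split an MBAM 1.x log into header, summary counts and itemised detections."""
    parsed = {"database": None, "summary": {}, "items": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if (m := re.match(r"Database version: (\d+)$", line)):
            parsed["database"] = int(m.group(1))
        elif (m := SUMMARY_RE.match(line)):
            parsed["summary"][m.group("section")] = int(m.group("count"))
        elif line.endswith(" Infected:"):
            section = line[:-1]          # start of an itemised section
        elif section and (m := ITEM_RE.match(line)):
            parsed["items"].append({"section": section, **m.groupdict()})
    return parsed

def audit(parsed):
    """Flag what the helpers in this thread look for before trusting a 'clean' result."""
    findings = []
    if parsed["database"] is None:
        findings.append("header missing: signature database version unknown")
    for item in parsed["items"]:
        if item["action"].lower().startswith("delete on reboot"):
            findings.append(f"still pending reboot: {item['path']}")
    for section, count in parsed["summary"].items():
        listed = sum(i["section"] == section for i in parsed["items"])
        if listed != count:
            findings.append(f"{section}: summary says {count}, {listed} listed")
    return findings
```

Running `audit(parse_mbam_log(SAMPLE_LOG))` on the constructed log reports the missing header and both pending entries for sshnas21.dll, which is exactly the situation the thread describes.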

Anybody? :-[

OTL

[*] Download OTL here
[*] Double click the OTL icon to run it
[*] The text below in bold:

netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
c:\windows\system32\*.dll /lockedfiles
c:\windows\system32\drivers\*.sys /lockedfiles
%systemroot%\*. /mp /s
CREATERESTOREPOINT

[*] Paste it in the Custom Scans box of OTL
[*] Click Quick Scan Do not change the other settings unless you are told to do so
[*] Wait until OTL is done scanning. Notepad file(s) will pop-up (OTL.txt and Extras.txt). Those are saved in the same location as OTL
[*] Please copy all the contents of the notepad files and attach them on your reply respectively

Did you not try the TDSS Killer link and info given by micky77, as that is most relevant in this case?

If you did try it then post the results.

Probably won’t have anything to say in your case, but the top of your MBAM logs does not show…
so did you scan with the latest MBAM 1.45 and latest malware database 3952?

Sorry it took me forever to answer, had just written my reply and was about to press post when the electricity went out >:(

Ran Tdsskiller and have attached the log.

@ Pondus: Yes, you are right, it seems as though I failed to update MBAM after I installed it, will do so and run it again, followed by avast boot-time scan, hopefully that will help :slight_smile:

Edit:
Attached OTL logs
Also seems as though there’s something wrong with Explorer since it keeps having to shut down :S

Thanks everybody for taking your time to help

Well firstly I’m not familiar with the TDSSKiller logs:

16:20:32:296 1892 RegNode HKLM\SYSTEM\ControlSet003\services\Tdsshbecr infected by TDSS rootkit …
16:20:32:296 1892 will be deleted on reboot

16:20:32:296 1892 Driver “mv61xx” infected by TDSS rootkit!
16:20:32:312 1892 File “C:\WINDOWS\system32\DRIVERS\mv61xx.sys” infected by TDSS rootkit …
16:20:32:312 1892 Processing driver file: C:\WINDOWS\system32\DRIVERS\mv61xx.sys

16:20:34:234 1892	Memory objects infected / cured / cured on reboot:	1 / 0 / 0

16:20:34:234 1892	File objects infected / cured / cured on reboot:	2 / 0 / 2

*******
So from the above TDSSKiller found these and should hopefully be cured on boot (removal of the infected registry key and file) as is mentioned above.
- Did TDSSKiller reboot or have you rebooted?

If you run it again, are any of these found again?
If not, run the updated MBAM scan again.

I ran the TDSSKiller twice, once last night and once just now. I’ve attached those logs

Edit:
Forgot to say that MBAM is acting strange, I keep getting the error code “MBAM_ERROR_LOAD_DATABASE (0, 0)”

Re-installed MBAM, seems to be working now. Here’s the log:

Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org

Database version: 3956

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-04-05 16:07:06
mbam-log-2010-04-05 (16-07-06).txt

Scan type: Quick scan
Objects scanned: 102767
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\fusjajwt.dat (Rootkit.Agent) → Quarantined and deleted successfully.

Well it looks like it has only got rid of the infected registry key not the rootkit file C:\WINDOWS\system32\drivers\mv61xx.sys.

However, the only reference to mv61xx.sys in the OTL logs is in the modified in the last 14 days, see below. Now that says it was modified on 04/04/2010 at 16:23 and is part of (Marvell Semiconductor, Inc.), so do you have any Marvell products, is this possibly a graphics card or does this ring any bells?

========== Files - Modified Within 14 Days ==========

[2010-04-04 20:44:24 | 000,512,960 | ---- | M] () – C:\WINDOWS\System32\PerfStringBackup.INI
[2010-04-04 20:44:24 | 000,435,260 | ---- | M] () – C:\WINDOWS\System32\perfh009.dat
[2010-04-04 20:44:24 | 000,068,156 | ---- | M] () – C:\WINDOWS\System32\perfc009.dat
[2010-04-04 20:40:04 | 000,000,236 | ---- | M] () – C:\WINDOWS\tasks\OGALogon.job
[2010-04-04 20:40:03 | 000,000,006 | -H-- | M] () – C:\WINDOWS\tasks\SA.DAT
[2010-04-04 20:39:53 | 000,002,048 | --S- | M] () – C:\WINDOWS\bootstat.dat
[2010-04-04 16:23:58 | 000,150,568 | ---- | M] (Marvell Semiconductor, Inc.) – C:\WINDOWS\System32\drivers\mv61xx.sys

So I did a check on the file name, http://www.google.com/search?q=mv61xx.sys and many appear to be legit, but that is no guarantee.

Are you actually able to find this file on your system, C:\WINDOWS\System32\drivers\mv61xx.sys?
If it truly were a rootkit perhaps not. But under normal circumstances you may need to show hidden files and folders, etc.

  • Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.

Yeah found it. Should I run all the programs again and see if they find anything?

Also found this, if it is of any interest.

No, what I would like you to do is a check that the TDSSKiller detection was good.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page.

The reason I suggest this is that the TDSSKiller that was suggested is looking for a specific type of rootkit and I don’t know much about it or its effectiveness or its accuracy. As I implied, if this were truly a rootkit, in theory the Windows Explorer interface shouldn’t find it. Since it did, we have the opportunity to confirm the detection or otherwise.

Yes, that is of interest, I’m no hardware specialist either ;D
However, I would imagine that any RAID driver would have to be operating at a very low level indeed; so I don’t know if that might well have confused TDSSKiller or not, which is why the confirmation scan at VirusTotal would be worthwhile.

Eh, I hope this is what you were asking for: :-[

http://www.virustotal.com/reanalisis.html?ca40f7d5669d86f03152c84591e9d7b50f4de0dd77ed3818aa340e439d8d7bdb-1270479335

Hi, I have just had a look at the TDSSKiller logs and it appears you had multiple files infected.

Also looking at the OTL there are a lot of miscreants there as well

Unfortunately you saved the TDSS logs as Unicode instead of ANSI so they were difficult to read

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Is there a chance the log is named something other than ComboFix? My computer searched but with zero result.