Win32:Malware-gen

Almost, this is the one, http://www.virustotal.com/analisis/ca40f7d5669d86f03152c84591e9d7b50f4de0dd77ed3818aa340e439d8d7bdb-1270479335. This shows that no ‘conventional’ anti-virus scanner detects anything, which is what I suspected.

Now that essexboy is on the case hopefully he has the tools to analyse the problem and bring it to a successful conclusion.

The file should be as named in the C:\ root directory.

Sorry about that, have attached the log.

Edit:

Unfortunately you saved the TDSS logs as Unicode instead of ANSI so they were difficult to read

How do I change that? Thought it was done automatically.

No problem on that, David gave me a link to a nifty little programme - I can read it now ;D

OK TDSS was successful and replaced one file with a good copy, then deleted the rootkit. Combofix took out all the other malware.

What problems are you experiencing at the moment?

Just got a warning from Avast!

Malware was found in:
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP233\A0129976.SYS

Name: Win32:Agent-PSI (Rtk)
Rootkit

Thank you guys so much for all your help! It’s really appreciated!

That is in system restore - so let's kill it

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

1. Select Start > All Programs > Accessories > System Tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point.
3. Click NEXT.
4. Enter a name e.g. Clean.
5. Click CREATE.

You now have a clean restore point. To get rid of the bad ones:

1. Select Start > All Programs > Accessories > System Tools > Disk Cleanup.
2. In the drop-down box that appears select your main drive e.g. C.
3. Click OK.
4. The system will do some calculation and then display a dialogue box with tabs.
5. Select the More Options tab.
6. At the bottom will be a System Restore box with a CLEANUP button; click this.
7. Accept the warning and select OK again. The program will close and you are done.

Any further problems?

Well I never did anything with the last warning, should I send the malware to the chest?
Sorry to be such a dumb newbie, but I don’t feel like messing up the work so far

No need just clear the restore point as above

I guess I don’t have any other problems (yet) :-
Although, I find it strange that I had a problem with old restore points, when I didn’t have any.

Thank you so much! :slight_smile:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Great!
Thank you :slight_smile:

Nooo!
It seems like the virus is back (never left?)… Although now it is in File Name:
C:\WINDOWS\Fonts\anN0oNf.com

Seems like I'm gonna have to reformat my computer?

When did it return?

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

2. Double click on ComboFix.exe & follow the prompts.

3. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

4. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Just now basically… although I have been getting complaints that the computer acts as though it has a virus (screens turn white and it's slow, etc.)… and just now the keyboard stopped working, so I changed to another tab and back, and then it worked :S

Got this message too from Avast also (attached pic). Pressed cancel, then got the usual virus warning and moved it to chest.

What is your version of Adobe? It should be 9.3.

Yeah, it’s 9.3…
Attached the log also.

Thank you so much essexboy :slight_smile:

Looks like Avast stopped most of it

1. Please open Notepad:
   - Click Start, then Run.
   - Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\documents and settings\All Users\Application Data\E5LTD0b5.exe

Renv::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ASUS\Six Engine\SixEngine .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe

NetSvc::
oybidfpv

Driver::
oybidfpv

3. Then in the text file go to FILE > SAVE AS and in the drop-down box set SAVE AS TYPE to ALL FILES.

4. Save the above as CFScript.txt.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
   - ComboFix.txt

that was really weird :S had to reboot like 3-4 times…

have attached log

CF had to remove a driver and a service plus it needed to locate backup files for the ones it needed to replace

Run it now for a day or so and let me know of any further problems

Will do! Thanks! :slight_smile:

So the virus is back… it returned earlier today.
Now found in C:\WINDOWS\system32\drivers\rasacd.sys
Malware name: Win32:Alureon-FZ

I keep moving it to chest, but it keeps appearing, like every second, literally. Makes typing seriously annoying… :frowning:

help me, please! :cry: