Anyone?
OK, this is a new variant that has only recently been detected.
GMER Rootkit Scanner - Download - Homepage
- Download GMER.
- Extract the contents of the zipped file to the desktop.
- Double click GMER.exe.
- If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO, then use the following settings for a more complete scan.
- In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically C:)
  - Show All (don't miss this one)
- Then click the Scan button and wait for it to finish.
- Once done, click on the Save... button, and in the File name area type in "ark.txt".
- Save the log where you can easily find it, such as your desktop.
Caution
Rootkit scans often produce false positives. Do NOT take any action on any "<— ROOTKIT" entries.
Please copy and paste the report into your Post.
THEN
Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Under the Custom Scan box, paste this in:

netsvcs
%SYSTEMDRIVE%\*.*
/md5start
rasacd.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
I attached all the logs, couldn’t paste the result of the GMER since it was too long.
Thank you!
OK, let's try the easy way first; if it fails I will have to use Avenger.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Files
C:\WINDOWS\system32\drivers\rasacd.sys|C:\WINDOWS\system32\dllcache\rasacd.sys /replace
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
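The fix above copies the dllcache copy of rasacd.sys over the live driver. What follows is an added example, not from the thread and not OTL's own code, of the comparison that motivates such a fix: hash the driver under system32\drivers and the Windows File Protection copy under system32\dllcache, and flag any difference. It runs against a constructed fake WINDOWS tree (the sample bytes, and the driver names other than rasacd.sys, are illustrative); pointing `windows_root` at a real C:\WINDOWS runs it for real.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks. MD5 is adequate here because the
    question is "is this byte-identical to the cache copy", which is what
    the OTL /md5start directive in the scan above also reports."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def check_driver(windows_root, name):
    """Compare system32/drivers/<name> with system32/dllcache/<name>.

    Returns a dict whose 'status' is one of:
      'match'     identical bytes, leave it alone
      'mismatch'  live copy differs from the cache copy; this is the case the
                  ':Files ... /replace' line above repairs by copying the
                  dllcache file over the live one
      'no_cache'  nothing pristine to compare with or restore from
      'missing'   the live driver is absent
    """
    root = Path(windows_root)
    live = root / "system32" / "drivers" / name
    cache = root / "system32" / "dllcache" / name
    result = {"driver": name, "live": str(live), "cache": str(cache)}
    if not live.is_file():
        result["status"] = "missing"
        return result
    result["live_md5"] = md5_of(live)
    result["live_size"] = live.stat().st_size
    if not cache.is_file():
        result["status"] = "no_cache"
        return result
    result["cache_md5"] = md5_of(cache)
    result["cache_size"] = cache.stat().st_size
    result["status"] = "match" if result["live_md5"] == result["cache_md5"] else "mismatch"
    return result


def build_demo_tree(base):
    """Constructed sample data, not real driver images: a fake WINDOWS tree in
    which rasacd.sys has been tampered with (bytes appended), ndis.sys is
    intact, and tcpip.sys has no dllcache copy. Names are illustrative."""
    base = Path(base)
    drivers = base / "system32" / "drivers"
    cache = base / "system32" / "dllcache"
    drivers.mkdir(parents=True)
    cache.mkdir(parents=True)
    clean_rasacd = b"MZ" + b"\x00" * 64 + b"rasacd clean body"
    (cache / "rasacd.sys").write_bytes(clean_rasacd)
    (drivers / "rasacd.sys").write_bytes(clean_rasacd + b"\xcc" * 16)  # tampered copy
    clean_ndis = b"MZ" + b"\x00" * 64 + b"ndis clean body"
    (cache / "ndis.sys").write_bytes(clean_ndis)
    (drivers / "ndis.sys").write_bytes(clean_ndis)
    (drivers / "tcpip.sys").write_bytes(b"MZ" + b"\x00" * 64 + b"tcpip body")
    return base


def demo():
    """Run the check over the constructed tree; returns {driver: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(Path(tmp) / "WINDOWS")
        statuses = {}
        for name in ("rasacd.sys", "ndis.sys", "tcpip.sys", "atapi.sys"):
            r = check_driver(root, name)
            statuses[name] = r["status"]
            print(f"{name:12} {r['status']:9} live_md5={r.get('live_md5', '-')} "
                  f"cache_md5={r.get('cache_md5', '-')}")
        return statuses


if __name__ == "__main__":
    demo()
```

A mismatch is a reason to look, not proof by itself: a hotfix can leave the two copies out of step, and the thread's own warning about false positives applies. A driver with no dllcache copy is the awkward case, since the /replace trick has nothing to restore from.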
Attached log
Could you now re-run ComboFix and allow it to update if it asks to?
Is Avast still alerting?
Done.
No, Avast isn’t alerting anymore, you think that’s it?
Well, normally OTL is not strong enough to move that sort of file, but hey, I won't argue.
Did you re-run ComboFix?
Yeah, I did, but I forgot to save the log :-[ and now I can’t find it
Should be at C:\Combofix
Got an alert!
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\E5LTD0b5.exe.vir
Win32:Malware-gen
moved it to chest
Edit:
attached log
Avast found more viruses:
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135210.sys
&
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP239\A0134807.sys
Win32:Alureon-FZ
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135218.exe
&
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135165.exe
Win32:Malware-gen
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135672.exe
&
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135673.exe
&
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135293.exe
&
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135270.com
Win32:Trojan-gen
Well, basically they won't stop; the warnings just keep popping up and I keep moving them to the chest.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\E5LTD0b5.exe.vir
C:\System Volume Information\_restore
They are either in your restore points or in quarantine.
The following will implement some cleanup procedures as well as reset the System Restore points:
Click Start > Run, copy/paste the following text into the Run box and click OK:
ComboFix /Uninstall
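An added example, not part of the thread, of the sorting the reply above does by eye: given the paths Avast reported, separate hits inside ComboFix's quarantine folder and inside System Restore points, which are inert copies that "ComboFix /Uninstall" clears, from hits on the live file system, which would mean the cleanup missed something. The sample alerts are the paths posted in the thread plus one constructed live path so that branch is exercised; the classification rules are this example's own, not Avast's or ComboFix's.

```python
import re
from collections import defaultdict

# ComboFix parks what it removes under C:\Qoobox\Quarantine\ with a .vir
# suffix, and System Restore keeps copies of changed files under
# \System Volume Information\_restore{GUID}\RPnnn\. Nothing loads or runs
# from either place, so a scanner hit there is a dead copy, not an infection.
QUARANTINE_RE = re.compile(r"\\Qoobox\\Quarantine\\", re.IGNORECASE)
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP(\d+)\\",
    re.IGNORECASE,
)


def classify(path):
    """Return (category, note) for one alert path.

    category is 'quarantine', 'restore_point' or 'live'."""
    if QUARANTINE_RE.search(path):
        return "quarantine", "ComboFix quarantine; removed by ComboFix /Uninstall"
    m = RESTORE_POINT_RE.search(path)
    if m:
        return "restore_point", f"restore point RP{m.group(1)}; cleared when restore points are reset"
    return "live", "on the running system; needs real attention"


def triage(alerts):
    """alerts: iterable of (path, detection_name).
    Returns {category: [(path, detection), ...]}."""
    buckets = defaultdict(list)
    for path, detection in alerts:
        category, _ = classify(path)
        buckets[category].append((path, detection))
    return dict(buckets)


def summarize(alerts):
    """Counts per category, with 'live' always present so a clean result
    reads as live=0 rather than as a missing key."""
    counts = {category: len(items) for category, items in triage(alerts).items()}
    counts.setdefault("live", 0)
    return counts


# Paths as posted in the thread; the last entry is a constructed live hit.
SAMPLE_ALERTS = [
    (r"C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\E5LTD0b5.exe.vir",
     "Win32:Malware-gen"),
    (r"C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135210.sys",
     "Win32:Alureon-FZ"),
    (r"C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP239\A0134807.sys",
     "Win32:Alureon-FZ"),
    (r"C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135270.com",
     "Win32:Trojan-gen"),
    (r"C:\Documents and Settings\All Users\Application Data\constructed_example.exe",  # constructed
     "Win32:Malware-gen"),
]


if __name__ == "__main__":
    for category, items in triage(SAMPLE_ALERTS).items():
        print(f"== {category} ({len(items)})")
        for path, detection in items:
            print(f"  {detection:18} {path}")
    print(summarize(SAMPLE_ALERTS))
```

Only the "live" bucket justifies further removal work; the other two are the reason the helper asks whether Avast is still alerting after the restore points have been reset, rather than treating each pop-up as a new infection.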
done.
I wonder why Avast started finding them all of a sudden?
I ran an Avast virus scan… and then it found loads of them,
but we made a clean restore point last time just like a week ago, and I don’t have any other ones…
Well, the restore points have been reset. Is Avast still alerting?
No, I'm running another scan now just to see what happens…
Edit:
Should I do something else after?
Run MBAM to see if that says anything.
Seems like it can’t find anything, but I have a feeling there is something on the computer which causes the problem.
What is it that makes you feel that ?