Avast WEBforum

Other => Viruses and worms => Topic started by: janvanderscheer on April 03, 2010, 12:21:25 PM

Title: Win-32 Malware
Post by: janvanderscheer on April 03, 2010, 12:21:25 PM

Hello,

Yesterday my computer has been affected with some sort of Win-32 Malware (in svchost.exe from Windows/Temp). Avast also provides a warning about a Rootkit (in Windows/System32/Drivers).
I've read several posts on this forum about this same type of Malware. So far, I've tried to clean my PC with Malwarebytes' Anti-Malware, OTL, SUPERAntiSpyware, Spybot - Search & Destroy; all with latest updates, but Avast still gives me the same warnings.
As described elsewhere, I've attached the logfiles of OTL (2x) and MBAM (1x).
Help would be very much appreciated!

Jan

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 03, 2010, 12:41:17 PM

An additional question; are files like Office-files also infected, i.e. when I open a file from the infected PC on another PC (through e-mail or a pen drive), will it also be infected with the Malware?
Again, thanks a lot for a reply!

Jan

Title: Re: Win-32 Malware
Post by: Pondus on April 03, 2010, 12:46:17 PM

I have sendt a PM to Essexboy so he will have  look when he enters the forum..... ;)


OBS: your MBAM log says " NO ACTION TAKEN " have you clicked " REMOVE SELECTED " after scan ?

Title: Re: Win-32 Malware
Post by: micky77 on April 03, 2010, 12:49:52 PM

Did you take any action with mbam ? C:\Windows\system32\Drivers\synvp.sys (Rootkit.Agent) -> No action taken

You could try HMP, it could be the tdl3 rootkit http://www.surfright.nl/en/hitmanpro (http://www.surfright.nl/en/hitmanpro)

Title: Re: Win-32 Malware
Post by: essexboy on April 03, 2010, 01:31:26 PM

Hi there lets clear what I can see first - and then determine what problems remain

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

Code: [Select]

:OTL
[2010-04-03 11:59:39 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\synvp.sys
[2010-04-03 12:10:11 | 000,823,808 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\synvp.sys

:Files
C:\Windows\tasks\At*.job

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 03, 2010, 03:05:13 PM

Hi,

See attachment for OTL file.
After reboot Avast found a Trojan Horse in several files; so far no more messages about the Malware have com up.

Jan

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 03, 2010, 03:17:39 PM

Sorry, wrong file in last reply. This one is the OTL Quick scan log. Malware is still present, btw.

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 05, 2010, 12:09:48 AM

Yep sure is - lets use a bigger hammer

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

Code: [Select]

:Files
C:\Windows\tasks\At*.job
C:\Windows\System32\drivers\synvp.sys

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

THEN

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code: [Select]

Begin copying here:
Drivers to delete:
synvp.sys
synvp

Files to delete:
C:\Windows\System32\drivers\synvp.sys

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
  
• You can also click on this window and  press (Ctrl+V) to paste the contents of the clipboard.
  
• Click on Execute
  
• Answer "Yes" twice when prompted.
  

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

5. Please copy/paste the content of c:\avenger.txt into your reply

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 05, 2010, 08:04:12 AM

Hi,

I'm back again... See attachments.

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 05, 2010, 12:13:00 PM

My apologies for the delay as I lost my notifications

I need to run combofix now as there is something I am not seeing

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 05, 2010, 01:16:39 PM

Combofix.txt attached

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 05, 2010, 03:54:49 PM

Well that revealed an infection I have not seen for a while

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: [Select]

Renv::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\CyberLink\YouCam\MUITransfer\muistartmenu .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\itsecmng .exe
c:\windows\RaidTool\xinside .exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new OTL log.

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 05, 2010, 04:50:21 PM

On the first run, something went wrong and my computer gave me an error message in a blue screen. Second time, it seemed to run fine. There was no reboot and Combofix automatically gave me the log.txt file (instead of Comfix.txt), but I assume this is the same.
Interesting to have such a special infection over here! ;)

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 05, 2010, 04:54:24 PM

OK I can longer find the bad boy - or anything else - How is your computer running now ?

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 07, 2010, 08:33:50 AM

So far, so good! Still need to run a bootscan, but I think it's unlikely that something will be find.
I'm impressed by the amount of (short-term) help I've gotton over here! Thanks!

Jan

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 07, 2010, 03:07:42 PM

After feeling happy, it seems that there is little bit remaining. Avast displayed a message about blocking some Malware twice today. I ran a boot scan and it found a couple of infected files that I moved to chest.
I ran a quick scan with OTL (log attached). I've also added some kind of log file of the bootscan that Avast did (but I don't know if it's the correct one or helpful).
Hope you can me finish the last bit of this!

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 07, 2010, 09:39:44 PM

Nothing apparent in that log - could you run MBAM to see what that reveals.  Was it a webshield warning ?

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 08, 2010, 08:27:01 AM

Here is the MBAM file. I don't know for sure, but I think it was a Webshield warning, not a warning about an infection. Still, I got worried because the Avast bootscan found so many infections (and moved them to chest).

Jan

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 08, 2010, 10:09:48 AM

There is definitively still something going on. Google is not working; both Firefox and IE are giving me warnings about this...

Title: Re: Win-32 Malware
Post by: essexboy on April 08, 2010, 09:07:31 PM

(http://www.geekstogo.com/misc/guide_icons/gmer.png) GMER Rootkit Scanner - Download (http://www.gmer.net/gmer.zip) - Homepage (http://www.gmer.net/)

• Download GMER
• Extract the contents of the zipped file to desktop.
• Double click GMER.exe.

(http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif)

• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
  (http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg) (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
  Click the image to enlarge it
  

• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  
• Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 10, 2010, 12:48:48 PM

A fatal error occurs when I try to do the scan. Windows then shows a blue screen. This has happened twice. Do I have to kep trying, or use another program?

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 10, 2010, 03:51:38 PM

Unfortunately there is a new rootkit going around at the moment, I have only had one case so far but GMER shows it quite nicely

Lets see if I can find the traces it leaves, this time OTL is looking at a few different areas 

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles /all
%systemroot%\System32\config\*.sav

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    

Title: Re: Win-32 Malware
Post by: ulysse on April 10, 2010, 04:35:18 PM

I don't know why I'm not allowed to create a message.

Never mind.

Somebody has already sawn a problèm with X5 ?

I  think avast sees a fake trojan with it

(http://rencontres.tarot.free.fr/cheval de troie.jpg)

Title: Re: Win-32 Malware
Post by: DavidR on April 10, 2010, 04:49:28 PM

If you can post you can create a topic - Please start a New Topic of your own as this is unrelated to the original subject and will just confuse the topic and we will try to help. 
- Go to this link, http://forum.avast.com/index.php (http://forum.avast.com/index.php), scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 10, 2010, 08:11:32 PM

No Extras.txt was created after this scan, just OTL.txt (attached). Do I need to do the OTL-scan again with other settings?

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 10, 2010, 08:29:49 PM

Aye the extras is only produced on the first run

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

Code: [Select]

:OTL
O20 - Winlogon\Notify\gport_: DllName - gport_.dll - C:\Windows\System32\gport_.dll ()
[2010-04-07 17:03:03 | 000,005,136 | ---- | M] () -- C:\Windows\System32\gport_.dll

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 11, 2010, 01:42:46 PM

See attachment for OTL log after Fix. Tried gmer again after that, but still stops running after 2 minutes.

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 11, 2010, 04:27:08 PM

Could you retry GMER but remove the tick from Files

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 12, 2010, 07:18:58 AM

Same problem. I've removed ticks from Files alone and Files+IAT/EAT, but in both cases the program stops running after a few minutes.

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 12, 2010, 08:18:07 PM

OK lets try Icesword on this - it is a nifty Chinese anti rootkit programme, not as automated but good

Please download and unzip Icesword  (http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip)to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 13, 2010, 08:23:23 AM

Frustrating... IceSword doesn't work either. After clicking the Icesword application, it tells me "Initialize Failed[1]!". I've extracted it to my Desktop, tried a reboot and shutting down all other programs. Should I try it without Avast or Windows Defender enabled?
Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 13, 2010, 08:15:59 PM

Hi someone has just created a programme to look for the data I need

1. Go HERE (http://bamajim.com/Tools/FileLister.zip) and download FileLister.

• Save it to your Desktop
• Rt Click ->> Extract all ->> And extract it to your Desktop
  
• Additional help on extracting zip files can be found HERE (http://www.bleepingcomputer.com/tutorials/tutorial105.html)
  
• Open the File Lister Folder.
• Note: Leave the FileLister.vbe file in the folder and run it from there.
  

(http://bamajim.com/Images/unzip4.JPG)

• Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
  
• When the program is fnished it will produce a log for you Files.txt
  
• Which will be located in the default location from which FileLister was run(the FileLister folder)

Copy and paste the contents of that log in your reply.

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 16, 2010, 05:07:12 PM

I got a blue windows error screen again, but it seems that it produced a log.
Since then, Avast started to report the old Win-32 Malware again...

Title: Re: Win-32 Malware
Post by: essexboy on April 16, 2010, 09:12:16 PM

Could you delete your current copy of Combofix and download the latest version from here 
Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Run and then post the log please

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 20, 2010, 08:51:18 AM

I cannot post the log, since then my browser tells me that the sever has been reinitialized... I tried all day yesterday and this morning and then I found out that that was the problem.

Where do you want me to post the Combofix log alternatively?

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 20, 2010, 08:45:35 PM

You could mail it to me - I will PM you with the address

Title: Re: Win-32 Malware
Post by: essexboy on April 21, 2010, 09:01:15 PM

That does seem rather large

I will use an analysis tool instead - although Avenger had killed the rootkit.   Uploadthe two zip files to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download avz4.zip from HERE (http://z-oleg.com/avz4.zip)

• Unzip it to your desktop to a folder named avz4
  
• Double click on AVZ.exe to run it.
  
• Run an update by clicking the Auto Update button on the Right of the Log window: (http://perplexus.geekstogo.com/avz-update-button.png)
  
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with malware removal mode enabled" check box.

(http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png)

• Click on the “Execute selected scripts”.
• Automatic scanning, healing and system check will be executed.
• A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  
• It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
• All applications will work properly after the system restart.

When restarted

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.

(http://perplexus.geekstogo.com/avz-standardscripts-asa.png)

• Click on the "Execute selected scripts".
• A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 23, 2010, 11:37:13 AM

Mmm, I'm starting to worry. Avz also shuts down after 3/4 of the analysis. I've tried it several times, yesterday and today. Do I need to try Combofix again? Or do I need to start thinking about a complete format of my PC?

Jan

Title: Re: Win-32 Malware
Post by: essexboy on April 23, 2010, 08:45:18 PM

I would commence backing up your data at this stage just to be safe

Delete your current combofix and download a new copy

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Title: Re: Win-32 Malware
Post by: janvanderscheer on April 24, 2010, 01:51:27 PM

Combofix worked hard and well; see log.
In between, I'm still very much appreciating the help I'm getting!

Title: Re: Win-32 Malware
Post by: essexboy on April 24, 2010, 02:40:11 PM

Looks like CF got it that time

Quote

Besmet exemplaar van c:\windows\system32\drivers\kbdclass.sys werd aangetroffen en gedesinfecteerd 
Hersteld exemplaar van - Kitty had a snack :p

This variant is proving elusive and hard to kill - but the authors of the tools I use are working hard to get round it

Redirects should have gone now