Virus/trojan keeps re-appearing

[Eddy]

I would say get Sunbelt Kerio Personal Firewall.
It is a trial, but after 30 days it will run as the free version.
Disable the Window Firewall.

[hhichijo]

Thanks Eddy.  I will try Sunbelt after I solve my rebooting problem.

I tried disabling the automatic reboot function in windows and all I got was a blackscreen (no signal from display card and the monitor switched to standby mode) when the problem kicks in.  There was not even a BSOD. 

Now that it seems the trojan/virus is contained and the rebooting function is due to some damaged files, do you have any idea where could I get further help for my automatic rebooting problem?

[Eddy]

Please check the windows\minidump folder.
Windows may have created a minidump there.
If there is one, look at the date/time of creation.
If it is about the same date/time the black screen was, I would like to have a look at it.

[hhichijo]

This is the minidump created at the time of the reboot.  I hope I have extracted the information correctly.

----- 32 bit Kernel Mini Dump Analysis

DUMP_HEADER32:
MajorVersion        0000000f
MinorVersion        00000a28
DirectoryTableBase  183a5000
PfnDataBase         81053000
PsLoadedModuleList  8054ce30
PsActiveProcessHead 8054ee78
MachineImageType    0000014c
NumberProcessors    00000001
BugCheckCode        1000008e
BugCheckParameter1  80000004
BugCheckParameter2  804dd47c
BugCheckParameter3  b93b37c0
BugCheckParameter4  00000000
PaeEnabled          00000000
KdDebuggerDataBlock 8053ede0
MiniDumpFields      00000dff

TRIAGE_DUMP32:
ServicePackBuild      00000100
SizeOfDump            00010000
ValidOffset           0000fffc
ContextOffset         00000320
ExceptionOffset       000007d0
MmOffset              00001068
UnloadedDriversOffset 000010a0
PrcbOffset            00001878
ProcessOffset         000024c8
ThreadOffset          00002720
CallStackOffset       00002978
SizeOfCallStack       000007cc
DriverListOffset      000033d8
DriverCount           00000076
StringPoolOffset      000056e0
StringPoolSize        00001018
BrokenDriverOffset    00000000
TriageOptions         00000041
TopOfStack            b93b3834
DebuggerDataOffset    00003148
DebuggerDataSize      00000290
DataBlocksOffset      000066f8
DataBlocksCount       00000006


Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Kernel base = 0x804d5000 PsLoadedModuleList = 0x8054ce30
Debug session time: Tue Aug 15 22:46:00 2006
System Uptime: 0 days 0:01:03
start    end        module name
804d5000 806c7900   nt             Checksum: 001F3D75  Timestamp: Thu Aug 29 17:03:24 2002 (3D6DE35C)

Unloaded modules:
f7e7a000 f7e7b000   drmkaud.sys    Timestamp: unavailable (00000000)
b9689000 b9696000   DMusic.sys    Timestamp: unavailable (00000000)
b9636000 b9659000   aec.sys     Timestamp: unavailable (00000000)
b96c9000 b96d7000   swmidi.sys    Timestamp: unavailable (00000000)
f7def000 f7df1000   splitter.sys    Timestamp: unavailable (00000000)
f7bcf000 f7bd7000   processr.sys    Timestamp: unavailable (00000000)
f7acf000 f7ad4000   Cdaudio.SYS    Timestamp: unavailable (00000000)
f7ccb000 f7cce000   Sfloppy.SYS    Timestamp: unavailable (00000000)

Finished dump check

[Eddy]

I will send you a email address in a private message.
Please send the minidump file as attachment to me so I can analyse it.
I will tell the findings after analyzing here.

[WG]

Dear All

This wino.sys appeared in my computer inside China, the place I got it is www.eefoo.com/quotes/quote.asp, a Chinese website shows real-time Chinese stock prices.

As I turned off the automatic reboot function, my computer does not reboot again and again. But this wino.sys does reduce the speed of computer, such open file and calculation using SigmaPlot. When opening computer, the virus creates ett4xym4.dll in WINDOWS\Temp, sometimes in local settings\ . . .\temp\.

Now wino.sys certainly and effectively affects X509 function, which I found in fold sun/security/ but I could not find this fold.

Now I have zipped this ett4xym4.dll as ett4xym4.zip, could anyone please analyze this file to determine how to delete this virus.

Many thanks for your great help, and meanwhile I will try to send this zip file to Avast.

WG

[WG]

Dear All

This terrible wino.sys is still active in the computer and no anti-virus software can delete it. Today it creates fs7.dll in WINDOWS\Temp, and mstscex.dll and mstscs.exe in WINDOWS\system32.

This virus is eating the computer resource, which leads me unable to open files and even task manager. The avast scan is effectively blacked to some degree because no memory to scan.

I made a fake ett4xym4.dll in WINDOWS\Temp, which only blocked once occurrence of wino.sys.

Has anyone else made some progress?

All the best

WG

[Lisandro]

This terrible wino.sys is still active in the computer and no anti-virus software can delete it. Today it creates fs7.dll in WINDOWS\Temp, and mstscex.dll and mstscs.exe in WINDOWS\system32.

Did you try?

1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4) Use a-squared, ewido or Spyware Terminator (trojan removers).

[WG]

Dear Mr Tech

The System Restore was completely disabled 1.5 years ago when I read Stephen Hawking’s book The Theory of Everything, where he told the website www.murphy-laws.com, from which my computer was heavily contaminated by virus, and the then-avast detected the virus in System Restore.

The other two measures have been taken, but as the same as hhichijo, there is no positive result.

The last measure does induce the system very unstable as stated in avast that the use of two anti-virus software packages leads the operation system unstable and unpredictable consequence. Also hhichijo had shown no results, I therefore did not take this measure.

However, I used Anuraag anti-virus to check the boot sector in hard disk.

Have a good weekend


WG

[Lisandro]

The last measure does induce the system very unstable as stated in avast that the use of two anti-virus software packages leads the operation system unstable and unpredictable consequence. Also hhichijo had shown no results, I therefore did not take this measure.

All that three applications are NOT antivirus.
They're fully compatible with avast and are on my system right now. You don't have to use their 'resident' part if you want. Even if you use, no problem.
For ewido, see that ewido anti-spyware can be used as a supplement for existing protection systems under Windows 2000 and XP to protect you also against the latest threats. That's why ewido anti-spyware also works with all current anti-virus programs and firewalls. http://www.ewido.net/en/compatibility/

[DavidR]

The last measure does induce the system very unstable as stated in avast that the use of two anti-virus software packages leads the operation system unstable and unpredictable consequence. Also hhichijo had shown no results, I therefore did not take this measure.

However, I used Anuraag anti-virus to check the boot sector in hard disk.

If you run Ewido from safe mode there won't be two AVs running as in safe mode avast won't be running (along with lots of other stuff) until you start it. So if you didn't try it from safe mode try that.

Even though Ewido and avast are compatible, I always pause standard shield when I run another security based scan such as ewido, adaware, etc. Whilst this isn't required it stops duplicate scanning as the other scanner opens files to scan them, this triggers avast to do the same. This also avoids the occasion where both scanners could detect the same malware and possibly clash, it also stop one scanner (avast) detecting the signatures in the other scanner. The overall effect is the scan duration is shorter as only one scanner is at work and duplicate scanning is reduced.

[WG]

Dear Mr Tech & David

Many thanks for your suggestions, I downloaded these three software packages, and tried them one by one.

Although they made my computer much cleaner, sadly the wino.sys is still alive. What can I do? I really do not want to format all the disks and reinstall everything again.

In fact, until now it is only avast that finds this wino.sys.

Regards

WG

[DavidR]

I did a google search for wino.sys and it returs a few hits, this topic being one of them. The others look like the language is Chineese Simplified. I don't know what language of where you live but this seems only to effect only that reigon. There are Translation links in the google returns if you need them.

A couple of the returns also mention VAnti.sys in relation to this, so it might be worth trying to find this file on your system and doing a google search for it also and see what that brings.
If the translation is linited you can also try the http://babelfish.altavista.com/ translation service.

[FreewheelinFrank]

Google seems to think it's Japanese. I wonder if Trend Micro might be worth a try?

As this seems to be something new, maybe they might have the edge, being in the area?

They have an online scanner which removes malware:

http://housecall.trendmicro.com/

and the excellent Sysclean stand-alone scanner:

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

As this appears to be something quite recent, it might be worth trying the CPR virus definitions file:

A Controlled Pattern File Release (CPR) is a pre-release version of a Trend Micro virus protection database. It is a fully tested, manually downloadable pattern file, designed to provide customers with advanced protection against the latest computer viruses and to serve as an emergency patch during a virus threat or outbreak.

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

[DavidR]

I just saw the ?s and assumed Chinese and one that I checked did translate using simplified Chinese.

I've done some more googling on VAnti.sys seems to be related to wino.sys and one suggests that VAnti.sys might be part of a rootkit. So this might account for it not being found