Author Topic: Vanti virus: please need support.  (Read 5713 times)


stain

  • Guest
Vanti virus: please need support.
« on: May 30, 2008, 04:37:24 PM »
Hi, I need some support on how to get rid of the VANTI virus.

I have been in a forum on this topic and could not follow all the steps because ComboFix downloads but I don't know how to run it well. I'm going to post the log that I have done with HijackThis:

Oh, I have to mention that now when I try to get into one of my hard drives I get the window that one gets when trying to open an unrecognised file:

THIS IS THE LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:53, on 30/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Internet\Avast4\aswUpdSv.exe
C:\Internet\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Motorola\SMSERIAL\sm56hlpr.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Internet\Avast4\ashDisp.exe
C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\Windows Media Player\wmplayer.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Grafic\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\PSIService.exe
C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Internet\HijackThis\HijackThis.exe


stain

  • Guest
Re: Vanti virus: please need support.
« Reply #1 on: May 30, 2008, 04:38:23 PM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

stain

  • Guest
Re: Vanti virus: please need support.
« Reply #2 on: May 30, 2008, 04:39:39 PM »
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Archivos de programa\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Archivos de programa\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\Internet\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Internet\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: eMule (2).lnk = C:\Internet\eMule\emule.exe
O4 - Startup: Windows Media Player (2).lnk = C:\Archivos de programa\Windows Media Player\wmplayer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Archivos de programa\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Internet\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Internet\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Internet\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Internet\Avast4\ashWebSv.exe
O23 - Service: Servicio Bonjour (Bonjour Service) - Apple Inc. - C:\Archivos de programa\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Internet\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Internet\ewido anti-malware\ewidoguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Grafic\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe

--
End of file - 10492 bytes


HOPE SOMEONE COULD HELP ME: THX...


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Vanti virus: please need support.
« Reply #3 on: May 30, 2008, 05:29:19 PM »
C:\Archivos de programa\Windows Media Player\wmplayer.exe

Please upload the above file to VirusTotal for analysis and post the result here.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

stain

  • Guest
Re: Vanti virus: please need support.
« Reply #4 on: May 30, 2008, 06:40:42 PM »
I hope this is it.



Antivirus engine    Version    Last update    Result
AhnLab-V3    2008.5.22.1    2008.05.23    -
AntiVir    7.8.0.19    2008.05.23    -
Authentium    5.1.0.4    2008.05.23    -
Avast    4.8.1195.0    2008.05.23    -
AVG    7.5.0.516    2008.05.23    -
BitDefender    7.2    2008.05.23    -
CAT-QuickHeal    9.50    2008.05.23    -
ClamAV    0.92.1    2008.05.23    -
DrWeb    4.44.0.09170    2008.05.23    -
eSafe    7.0.15.0    2008.05.22    -
eTrust-Vet    31.4.5815    2008.05.23    -
Ewido    4.0    2008.05.23    -
F-Prot    4.4.4.56    2008.05.23    -
F-Secure    6.70.13260.0    2008.05.23    -
Fortinet    3.14.0.0    2008.05.23    -
GData    2.0.7306.1023    2008.05.23    -
Ikarus    T3.1.1.26.0    2008.05.23    -
Kaspersky    7.0.0.125    2008.05.23    -
McAfee    5302    2008.05.23    -
Microsoft    1.3520    2008.05.23    -
NOD32v2    3126    2008.05.23    -
Norman    5.80.02    2008.05.23    -
Panda    9.0.0.4    2008.05.23    -
Prevx1    V2    2008.05.23    -
Rising    20.45.42.00    2008.05.23    -
Sophos    4.29.0    2008.05.23    -
Sunbelt    3.0.1123.1    2008.05.17    -
Symantec    10    2008.05.23    -
TheHacker    6.2.92.318    2008.05.23    -
VBA32    3.12.6.6    2008.05.23    -
VirusBuster    4.3.26:9    2008.05.23    -
Webwasher-Gateway    6.6.2    2008.05.23    -
Additional information
File size: 64000 bytes
MD5...: b5657b7c95750b4fe77299006689a47e
SHA1..: 2c3d884165869e67b2672a2f489384621eced3e5
SHA256: 22584d09bfc891e35ce0f5751501034e8309fe833e460fd6c9a5b95e92078ce7
SHA512: 5674955a6ab71eeeaf15f2c8c0d7e407915bbc35c0b059451ad0172545730deb
42bd9d3d233070a7dd1cc377a3a4c1abd5438fcd8aec8e3871c28bd5a689afb2
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100191d
timedatestamp.....: 0x4537112a (Thu Oct 19 05:46:18 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1c00 0x1c00 6.07 9bc44a47c38a8efb597f372056290af7
.data 0x3000 0x378 0x200 0.39 4c3d1d418b0eec9d2f4c206ebd43ac60
.rsrc 0x4000 0xe000 0xd600 6.08 788014f0c0e594afe60b316763078d4b
.reloc 0x12000 0x184 0x200 5.28 8e0d78a7f7cb0dce673af322b6fbc543

( 3 imports )
> ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, RegCloseKey
> KERNEL32.dll: GetLastError, lstrlenW, CompareStringA, ExitProcess, FreeLibrary, SetErrorMode, GetProcAddress, HeapFree, SetCurrentDirectoryW, ExpandEnvironmentStringsW, HeapAlloc, CreateMutexW, GetStartupInfoW, GetProcessHeap, SetThreadPriority, GetCurrentThread, LocalFree, LoadLibraryW, FormatMessageW, GetCommandLineW, GetModuleHandleW, CloseHandle, SetEvent, OpenEventW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, LoadLibraryA, InterlockedExchange, LocalAlloc, RaiseException
> USER32.dll: SetForegroundWindow, GetClassNameA, GetParent, GetDesktopWindow, GetWindowThreadProcessId, IsWindowVisible, GetWindow, MessageBoxW, GetSystemMetrics, ShowWindow, FindWindowW, SendMessageTimeoutW, IsIconic


stain

  • Guest
Re: Vanti virus: please need support.
« Reply #5 on: May 30, 2008, 06:41:21 PM »
Why Windows Media Player?

Offline FreewheelinFrank

Re: Vanti virus: please need support.
« Reply #6 on: May 30, 2008, 06:58:10 PM »
Quote
Why Windows Media Player?

I uploaded the log for analysis and the location of the file was highlighted as suspicious.

http://www.hijackthis.de/

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpsymeat.html

Malware sometimes pretends to be a legitimate file, so it was worth checking out.

Nothing else looks suspicious, but Vanti is a rootkit so it may be hiding.

What alerted you to Vanti?

Do you have version 4.8 of avast! (the latest version)? If you do, have you tried a boot time scan? This will also run an anti-rootkit scan.

Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.

Try a scan with DrWeb CureIT!

Try one or more of these anti-rootkit scanners if you're still having problems.

Panda Antirootkit
Blacklight
Trend Micro Rootkit Buster
McAfee Rootkit Detective
Sophos Anti-Rootkit
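The check FreewheelinFrank describes above (a process path flagged because a legitimate-looking binary name can be borrowed by malware) can be automated over a HijackThis log. This is an added example, not code from the thread or from HijackThis; the log excerpt is constructed from the posted one, the two svchost.exe lines outside System32 are made up to show a hit, and the directory table is a small assumed sample.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log modelled on the HijackThis output posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Windows Media Player\wmplayer.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Application Data\svchost.exe -silent
"""

# Assumed table: well-known Windows binary names and the directory (relative to the
# Windows folder) they ship in; an empty string means the Windows folder itself.
SYSTEM_BINARIES = {
    "svchost.exe": "system32", "lsass.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "ctfmon.exe": "system32", "explorer.exe": "",
}

# Matches "O4 - <hive>\..\Run: [name] <path.exe>" with or without quotes/arguments.
O4_RUN_RE = re.compile(r'^O4 - .*?\\Run: \[[^\]]*\]\s+"?(?P<path>[A-Za-z]:\\.*?\.[Ee][Xx][Ee])')


def is_masquerade(path: str) -> bool:
    """True when a well-known Windows binary name runs from outside its normal directory."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in SYSTEM_BINARIES:
        return False                                   # not a name worth checking
    parent = [part.lower() for part in p.parent.parts]  # e.g. ['c:\\', 'windows', 'system32']
    in_windows = len(parent) >= 2 and parent[1] == "windows"
    return not (in_windows and "\\".join(parent[2:]) == SYSTEM_BINARIES[name])


def triage(log_text: str) -> list:
    """Return (line, reason) findings for the lines of a HijackThis-style log."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if re.match(r"^[A-Za-z]:\\", line):           # "Running processes" entry
            if is_masquerade(line):
                findings.append((line, "system binary name running outside its normal directory"))
            continue
        m = O4_RUN_RE.match(line)
        if m and is_masquerade(m.group("path")):
            findings.append((line, "Run key launches a system binary name from an odd location"))
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append((line, "BHO registered but its DLL is missing (orphaned entry)"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

A clean path such as the wmplayer.exe one from the thread produces no finding, which is why the VirusTotal check, not the path alone, settles the question.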

stain

  • Guest
Re: Vanti virus: please need support.
« Reply #7 on: May 30, 2008, 07:05:21 PM »
Yes, the Vanti, I learned of it from avast! and I got the latest version. I have done the boot scan but that does not help. I will continue with the help you give me until I find a solution.

Offline FreewheelinFrank

Re: Vanti virus: please need support.
« Reply #8 on: May 30, 2008, 07:11:27 PM »
These posts may have some bearing:

http://forum.avast.com/index.php?topic=35895.0

http://forum.avast.com/index.php?topic=35692.0

I'm not sure if it's a false positive or a rootkit modifying legitimate files.

 ???

Sonichko

  • Guest
Re: Vanti virus: please need support.
« Reply #9 on: May 30, 2008, 07:42:15 PM »
Hi,

I don't know much about this and I'm not done yet, but when the Vanti virus showed up on my computer after I borrowed a pen drive I got good advice from Polonus here to run Dr. Web Cure It. Vanti did not show up; "Besso", a trojan, showed up, in 19 files including system restore.

However, after Dr. Web Cure it moved these files, I stopped getting that Avast Alarm every time I turned my computer on. So I tend to think they are related...

Hope you can get to the bottom of it!


Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Vanti virus: please need support.
« Reply #10 on: May 30, 2008, 07:49:33 PM »
Has anyone sent a commented sample to virus[at]avast[dot]com? I don't know if it really is a false positive (it would be reported by many users) and can't tell you more without having seen the file... I will be offline this weekend, so I can't do any direct action immediately... Anyway, it's strange that the file is detected on the machine and not at VirusTotal... It's a detection independent of the anti-rootkit engine.

stain

  • Guest
Re: Vanti virus: please need support.
« Reply #11 on: June 03, 2008, 08:54:28 PM »
Thanks a lot. I believe I got rid of it, and it was done with DoctorWeb.

The thing is that I get this message when I double click on one of my hard drives, so I can only access my information with one of my shortcuts.

The message is the one that one gets when trying to open an unrecognisable file.

Can this be caused by a virus ???

http://img158.imageshack.us/my.php?image=72619878ts5.jpg

stain

  • Guest
Re: Vanti virus: please need support.
« Reply #12 on: June 03, 2008, 11:33:29 PM »
Never mind, I fixed the problem. Apparently avast! deleted some system thing and gave some problems, but it's fixed now. Thanks for all the help here. 8)