Author Topic: Stealth virus, need help  (Read 20075 times)


Syx0

  • Guest
Stealth virus, need help
« on: August 02, 2009, 06:17:29 AM »
So, I use Avast normally, but I felt there still might be something wrong with my computer. I scanned with Avast and found nothing. I went to F-secure's on-line scanner. It scanned until it was about 66% and then it blue screen of deathed me. It did detect 3 malware though (the report is below). I am running Vista Home Premium and my Avast is up to date. If anyone could tell me what the report means and what I need to do about it, that would be amazingly helpful. The computer is only slightly slower and I thought I saw some sort of pop up flash for a minute (in several instances) as the computer was shutting down (I'm not sure if that isn't just a program resisting being shut down), past this the comp is asymptomatic. Anyway, I say all this just to ask for help, and I appreciate anyone who is willing to help.

Thanks in advance,
Syx0

Scanning Report
Saturday, August 1, 2009 00:27:38 - 00:36:26
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\ F:\ G:\


--------------------------------------------------------------------------------

3 malware found
Stealth_file (virus)
C:\ADSM_PDATA_0150\DB\_AVT (Not cleaned & Submitted)
Stealth_file (virus)
C:\ADSM_PDATA_0150\DRAGWAIT.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\ADSM_PDATA_0150\_AVT (Not cleaned & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 18870
System: 5022
Not scanned: 0
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
Not cleaned: 3
Submitted: 3

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • Posts: 3054
Re: Stealth virus, need help
« Reply #1 on: August 02, 2009, 06:24:01 AM »
Hello Syx0,

You can download Malwarebytes Anti-Malware (MBAM) from malwarebytes.org (free version). Install it, update it, perform a full scan and post the log here.

You can also try SUPERAntiSpyware (SAS). Don't worry about the tracking cookies it reports; let SAS deal with them.

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • Posts: 1777
  • Thinking with Portals
Re: Stealth virus, need help
« Reply #2 on: August 02, 2009, 02:44:59 PM »
Don't forget to update MBAM & SAS before running a scan.
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34065
  • malware fighter
Re: Stealth virus, need help
« Reply #3 on: August 02, 2009, 02:57:22 PM »
Hi Syx0,

It could well be that you still have Norton, or parts of Norton, on there, because this is known to be a Norton false positive. This time it was an F-Secure FP.
Question.
Do you have an ASUS machine? Because the faux virus can be found as:

Hidden file : c:\adsm_pdata_0150\dragwait.exe
Hidden file : c:\adsm_pdata_0150\_avt
Hidden file : c:\adsm_pdata_0150\db\si.db
Hidden file : c:\adsm_pdata_0150\db\ul.db
Hidden file : c:\adsm_pdata_0150\db\vl.db
Hidden file : c:\adsm_pdata_0150\db\_avt
Hidden file : c:\program files\asus\asus data security manager\driver\x86\asdsm.sys
Hidden file : c:\program files\asus\asus data security manager\driver\x86\_avt
Hidden directory : c:\adsm_pdata_0150
Hidden directory : c:\adsm_pdata_0150\db
Hidden directory : c:\program files\asus\asus data security manager\driver\x86

So check on C:\ADSM_PData_0150\DragWait.exe and upload it to virustotal.com for results,
as well as this one: C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys

So I would go for the false positive. Like to have that confirmed? Yes, it is an FP more than likely...

polonus



« Last Edit: August 02, 2009, 05:01:54 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Syx0

  • Guest
Re: Stealth virus, need help
« Reply #4 on: August 03, 2009, 04:18:47 AM »
OK, so forgive my ignorance, but how do I go about getting said hidden files to appear normally? I can get them to appear in safe mode, but not in normal mode. This in effect means that I cannot scan DragWait.exe or the other file without making them visible normally.
« Last Edit: August 03, 2009, 07:10:06 AM by Syx0 »

Syx0

  • Guest
Re: Stealth virus, need help
« Reply #5 on: August 03, 2009, 04:39:33 AM »
Oh, and I do have an ASUS machine, and it came with Norton, which I never used, as I started this machine with Avast. In fact, I uninstalled Norton almost immediately.

Syx0

  • Guest
Re: Stealth virus, need help
« Reply #6 on: August 03, 2009, 05:33:18 AM »
Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.39
Database version: 2548
Windows 6.0.6001 Service Pack 1

8/2/2009 10:30:52 PM
mbam-log-2009-08-02 (22-30-47).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 293731
Time elapsed: 46 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Jtaylor83

  • Guest
Re: Stealth virus, need help
« Reply #7 on: August 03, 2009, 06:36:08 AM »
Run MBAM again and remove this item:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Also try running SAS.
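The checks the thread asks for (look at the hidden files polonus listed, hash DragWait.exe against the MD5 Syx0 got from VirusTotal, and inspect the Explorer policy value MBAM flagged) can be done from an elevated PowerShell prompt instead of by hand. The script below is an added example written for this page; it is not from any poster, Avast, ASUS or F-Secure. It assumes PowerShell 4 or later (for Get-FileHash, which Vista's PowerShell does not have), the exact paths from polonus's list, and that the reference MD5 is the one in the VirusTotal result posted later in the thread; the function names are the example's own.

```powershell
# Added example, not from the thread: triage the F-Secure "Stealth_file" hits.
# Assumptions: PowerShell 4+, run as Administrator, paths as listed by polonus,
# reference MD5 taken from the VirusTotal result Syx0 posted (0/41 detections).

$paths = @(
    'C:\ADSM_PData_0150\DragWait.exe',
    'C:\ADSM_PData_0150\_avt',
    'C:\ADSM_PData_0150\db\_avt',
    'C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys'
)

# Known hash -> the file has already been scanned, so no need to re-upload it.
$knownGood = @{ 'dragwait.exe' = '49bd0a002320d9f3266a04b15ba1f933' }

function Get-HiddenFileReport {
    param([string[]]$Paths, [hashtable]$Known)
    foreach ($p in $Paths) {
        # -Force makes Get-Item return Hidden/System items a plain listing omits.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            # Even -Force cannot see it: either absent, or hidden below the file
            # system API. A safe-mode listing (as Syx0 did) tells the two apart.
            [pscustomobject]@{ Path = $p; Present = $false; Attributes = $null
                               MD5 = $null; Verdict = 'not visible in normal mode' }
            continue
        }
        $md5  = (Get-FileHash -LiteralPath $p -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        $name = $item.Name.ToLower()
        $verdict = if ($Known.ContainsKey($name)) {
            if ($md5 -and $md5.ToLower() -eq $Known[$name]) { 'matches the sample already on VirusTotal' }
            else { 'hash differs from the known sample; upload to VirusTotal' }
        } else { 'no reference hash; upload to VirusTotal' }
        [pscustomobject]@{
            Path       = $p
            Present    = $true
            Attributes = $item.Attributes.ToString()   # e.g. "Hidden, System, Archive"
            MD5        = $md5
            Verdict    = $verdict
        }
    }
}

# A valid Authenticode signature from ASUS on the driver supports the FP reading.
function Get-DriverSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($sig) {
        [pscustomobject]@{ Path = $Path; Status = $sig.Status
                           Signer = $sig.SignerCertificate.Subject }
    }
}

# The Explorer policy value MBAM reported. This only reads it; removal is below.
function Get-ExplorerPolicyValue {
    param([string]$Name = 'NoActiveDesktopChanges')
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($val) { [pscustomobject]@{ Value = $Name; Data = $val.$Name } }
    else      { [pscustomobject]@{ Value = $Name; Data = '(absent)' } }
}

Get-HiddenFileReport -Paths $paths -Known $knownGood | Format-Table -AutoSize
Get-DriverSignature -Path $paths[3] | Format-List
Get-ExplorerPolicyValue | Format-List

# To remove the policy value, as MBAM offered to do:
# Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoActiveDesktopChanges
```

Reading the report: attributes of "Hidden, System" explain why the files do not show in a normal Explorer view; a file that is present in safe mode but invisible here even with -Force points to something hiding it at driver level, which is consistent with the listed AsDsm.sys filter driver being loaded only in normal mode (an inference, not something the thread states). A matching MD5 means the VirusTotal permalink already answers the question and nothing needs re-uploading.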

Syx0

  • Guest
Re: Stealth virus, need help
« Reply #8 on: August 03, 2009, 06:40:46 AM »
It gave me the option to remove it, so I did already, and I am currently running SAS.

Syx0

  • Guest
Re: Stealth virus, need help
« Reply #9 on: August 03, 2009, 08:00:21 AM »
OK, I ran SAS. It gave me some stuff about a few cookies. I couldn't find a way to copy the report. It didn't appear pertinent. As soon as I restart my system, it will remove them. I want to do what polonus said (above) and check out those two files, but since they are hidden I can't access them except when in safe mode. Is there anything I can do to change that?

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • Posts: 3054
Re: Stealth virus, need help
« Reply #10 on: August 03, 2009, 08:09:52 AM »
Syx0

You can do this:

Go to Virus Chest > User files > Add files > browse to the folder > type DragWait.exe or AsDsm.sys in the file name field (even if you don't see it there) and click OK.

Then extract the file(s) to another folder (the desktop will do), try to upload them to VirusTotal, and post the link to the result here.

Syx0

  • Guest
Re: Stealth virus, need help
« Reply #11 on: August 03, 2009, 08:30:17 AM »
Here is the DragWait.exe file analysis:

File has already been analysed:
MD5: 49bd0a002320d9f3266a04b15ba1f933
First received: 2009.05.27 12:21:01 UTC
Date: 2009.06.21 19:40:21 UTC [>42D]
Results: 0/41
Permalink: analisis/d69c0f12a76360297e0fefc0aaa14010ca5b452cc45ee587279a7eb7e549cacf-1245613221


Offline nmb

  • Avast Evangelist
  • Massive Poster
  • Posts: 3054
Re: Stealth virus, need help
« Reply #12 on: August 03, 2009, 08:34:27 AM »
Quote
<snip>
3 malware found
Stealth_file (virus)
C:\ADSM_PDATA_0150\DB\_AVT (Not cleaned & Submitted)
Stealth_file (virus)
C:\ADSM_PDATA_0150\DRAGWAIT.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\ADSM_PDATA_0150\_AVT (Not cleaned & Submitted)

Did Avast detect it and say "not cleaned and submitted"?

According to VirusTotal (VT), not one engine is detecting it.

Edit: or was it MBAM?

Syx0

  • Guest
Re: Stealth virus, need help
« Reply #13 on: August 03, 2009, 08:37:55 AM »
It was neither. I posted at the top that it was F-secure. I normally use Avast and so I figured I would see if my Avast just wasn't detecting something that was there or if I needed to be worried.

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • Posts: 3054
Re: Stealth virus, need help
« Reply #14 on: August 03, 2009, 08:41:29 AM »
Quote
<snip>
It was neither. I posted at the top that it was F-secure.

Yes! It is there. I missed it.

Quote
<snip>
I normally use Avast and so I figured I would see if my Avast just wasn't detecting something that was there or if I needed to be worried.

If you want to make sure that Avast is OK, you can use MBAM instead of online scanners. No need to worry!