Topic: Avast! missing an infected file, even tho jotti says avast recognises it... ???


AussieChippie

  • Guest
I don't suppose it would make any difference, but if you just click on files, then scan with Rootrepeal, does the file C:\WINDOWS\system32\drivers\ytasfwvbcxvvti.sys show at all?

You were right :) No difference... Just get the "MBR Rootkit Detected" line, and all the sector mismatch lines, but that's it.

I've decided not to just FIXMBR and delete or corrupt the files, for now... Don't want to risk bricking the OS.

Does anyone know how exactly it's hiding the files? Is it intercepting FS calls and just not reporting it in directory enumerations?

Trying MSRT now.
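The "MBR Rootkit Detected" and "sector mismatch" lines above come from a tool comparing what the disk actually holds against what it should hold. The block below is an added example (not RootRepeal's or GMER's code) of the offline side of that idea: parse a 512-byte MBR, sanity-check its partition table and boot signature, and compare the bootstrap code against a baseline hash taken from a known-good copy. The sample sectors, the disk signature and the baseline hash are all constructed here; on a real system the baseline would come from a sector read out-of-band (live CD or the drive attached to a clean machine), never from the running OS alone.

```python
"""Offline MBR integrity check: structure sanity plus bootstrap-code baseline comparison."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap code area precedes the disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_partition_entry(raw: bytes) -> dict:
    """Decode one 16-byte classic MBR partition entry (CHS fields ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", raw)
    return {"status": status, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into the fields an integrity check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = [parse_partition_entry(
        sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
        for i in range(4)]
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from baseline")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"partition {i}: empty type with nonzero extents")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {i}: zero length")
    # Overlapping extents are a classic sign of a tampered table.
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"], i)
                  for i, p in enumerate(mbr["partitions"]) if p["type"] != 0)
    for (_s1, e1, i1), (s2, _e2, i2) in zip(used, used[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def build_sample_mbr(bootcode: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR sector for demonstration (not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    sector[440:444] = struct.pack("<I", 0xDEADBEEF)   # constructed disk signature
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * i
        sector[off:off + 16] = struct.pack("<B3sB3sII", status, b"\0\0\0",
                                           ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed "known-good" sector: a short x86 prologue padded with NOPs.
CLEAN_BOOTCODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOTCODE_LEN - 7)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE, [(0x80, 0x07, 63, 2048000)])
BASELINE = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()

# Constructed "tampered" sector: first instruction replaced by a short jump.
TAMPERED_BOOTCODE = b"\xEB\x58" + CLEAN_BOOTCODE[2:]
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOTCODE, [(0x80, 0x07, 63, 2048000)])

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The bootstrap hash is the decisive check; the partition-table rules only catch crude damage. Keep the baseline from a moment you trust, because a check against a sector read through an already-hooked disk stack can be lied to in both directions.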

AussieChippie

  • Guest
MSRT gave a big fat zero :(

It does mention Win32/Alureon in the list of infections it can detect, but given that this seems to be a new version it's no surprise I suppose.

Sooo...  Do I try to repair this thing, or pull out and nuke it from orbit?

That said, since MSRT didn't succeed, and it's a rootkit it supposedly fixes, I've set up a support call with them. Good or bad idea? :)


AussieChippie

  • Guest
OK, Microsoft support could only add having a look with Process Explorer (useless), and having a look to see if it was loading in safe mode (it is).

Useless.

Any other suggestions?

nmb

  • Avast Evangelist
Could you please upload it to virustotal.com and give the link?

I need to know what other antiviruses are detecting it as.

micky77

  • Guest
Could you please upload it to virustotal.com

How can he send an invisible file?
I found someone else on Google with the same problem, who appears to have had some success. I have not read the thread thoroughly; I have posted the link

http://www.bleepingcomputer.com/forums/topic248156.html


nmb

  • Avast Evangelist
How can he send an invisible file?

His topic "jotti says avast recognizes it".. jotti is an online scanner: http://virusscan.jotti.org/en

edit: also see this :

I've been able to send it to online scanners.
« Last Edit: September 08, 2009, 07:38:03 AM by nmb »

AussieChippie

  • Guest
The file is invisible in explorer, even with 'hide system files' turned off, and 'show hidden files' turned on.

Its full path name was found by the McAfee Rootkit Detective tool (which is currently in beta).

By copying the path name from that tool's report file, I was able to paste the path into the 'browse' window used to submit the file to jotti, and to virustotal.

Now, having done that, VirusTotal says the file has already been submitted, the first time was 2009.08.06 16:50:36 UTC. It's been around a while!

The link to the analysis done at that time is:

http://www.virustotal.com/analisis/351effd84755de1d21c8c1d90117fd293c8dc22ef6ebe0b1b36a72839eb0b31b-1249577436

However this is out of date.

My Jotti scan's result is:

http://virusscan.jotti.org/en/scanresult/98dc41f88863324873cbd2b28ebf18dabda132bb/73bf9925d5406ee030e9668277f0ac7e9b2b17e3

These are scans of the .sys file. I can scan the .dll file as well if you would like, but I assume the code is extremely similar. I expect the .sys file is a backup in case the .dll gets deleted/corrupted, as only the .dll file is showing up in any of the rootkit reports about running processes.

Does anybody yet have any idea how it's hiding this file?
« Last Edit: September 08, 2009, 04:22:56 PM by AussieChippie »
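The post above describes the symptom exactly: the file is absent from Explorer's listing yet opens fine when its full path is pasted into a file dialog. That is the signature of a hooked directory enumeration, and it is also how cross-view rootkit detectors find hidden files: take paths from an out-of-band source (a raw NTFS parse, an offline mount, a detector's report) and test whether the normal enumeration admits them. The block below is an added example of that check, not code from any of the tools named in the thread. The enumeration and existence functions are injectable so the demonstration can run against a constructed, fake file system whose enumerator filters one name, simulating the hook; the driver filename is the one from the thread, everything else is constructed.

```python
"""Cross-view check: a path that opens by name but is missing from its
directory listing is being hidden from enumeration."""
import ntpath
import os
from typing import Callable, Iterable, List


def cross_view_hidden(candidates: Iterable[str],
                      list_dir: Callable[[str], List[str]] = os.listdir,
                      path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return candidate paths that exist when addressed directly but are
    absent from the parent directory's enumeration. Names are compared
    case-insensitively, matching NTFS default behaviour. Paths are split with
    ntpath so Windows-style paths work on any host."""
    hidden = []
    for path in candidates:
        parent, name = ntpath.split(path)
        if not path_exists(path):
            continue                       # nothing there at all; not a hiding case
        listed = {entry.lower() for entry in list_dir(parent)}
        if name.lower() not in listed:
            hidden.append(path)
    return hidden


# Constructed fake file system: the "hook" drops one driver from listings
# while direct-by-name access still succeeds.
FAKE_FS = {
    r"C:\WINDOWS\system32\drivers": ["ntfs.sys", "disk.sys", "ytasfwvbcxvvti.sys"],
}
HIDDEN_BY_HOOK = {"ytasfwvbcxvvti.sys"}


def fake_listdir(directory: str) -> List[str]:
    """Enumeration as the simulated hook would report it."""
    return [n for n in FAKE_FS.get(directory, []) if n not in HIDDEN_BY_HOOK]


def fake_exists(path: str) -> bool:
    """Direct open-by-name, which the simulated hook does not filter."""
    parent, name = ntpath.split(path)
    return name in FAKE_FS.get(parent, [])


# Candidate paths as an out-of-band source (e.g. a detector report) might list them.
CANDIDATES = [
    r"C:\WINDOWS\system32\drivers\ytasfwvbcxvvti.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\nothere.sys",
]


def demo() -> List[str]:
    """Run the check against the constructed file system."""
    return cross_view_hidden(CANDIDATES, fake_listdir, fake_exists)


if __name__ == "__main__":
    for path in demo():
        print("hidden from enumeration:", path)
```

On a clean host, calling `cross_view_hidden` with the real `os.listdir` and `os.path.exists` returns nothing for any path; the useful run is on the suspect machine, fed with names obtained without going through its normal directory queries. A kernel hook that also filters open-by-name defeats this particular view, which is why detectors combine several views rather than trusting one.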

nmb

  • Avast Evangelist
Click reanalyse now and then post.


micky77

  • Guest
His topic "jotti says avast recognizes it".. jotti is a online scanner

My apologies nmb, I assumed he was talking about the, quote, "a similarly named dll in the system32 directory". My mistake.

AussieChippie, it may be worth trying several rescue CDs: Avira, Kaspersky and DrWeb. It may be they will recognise the virus; I don't know if they will remove it. At least the virus will be dormant.

http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

http://www.freedrweb.com/livecd/?lng=en

http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

The Avira disc can be burnt straight to disc; the others are ISOs.

nmb

  • Avast Evangelist
I think Sophos Anti-Rootkit can remove it. Download it from here: http://downloads.sophos.com/support/cleaners/sar_15_sfx.exe

Run it and post back the results.

If it does not work in normal mode, try safe mode..

@micky 77

It's okay micky.

edit: if Sophos doesn't detect it then get the Dr.Web live CD and scan. That should do.
« Last Edit: September 08, 2009, 05:57:49 PM by nmb »

essexboy

  • Malware removal instructor
Hi there I have a few tools for you to run

First Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

THEN

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window:
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Analysis" check box.

  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.
When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.

  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to Mediafire and post the sharing link.


AussieChippie

  • Guest
Wow, heaps of advice! Lots to get through too.

Obviously my intention is to get the machine clean, without having to reinstall the OS. My fear is busting the OS in the middle of trying one of the repairs.

I'm going to try the advised steps in the following sequence:

Essexboy's advice:

1. gmer's mbr.exe
2. avz, but I'll just create a report file first.
3. sophos rootkit tool - see what it detects first.

Based on the outcome of 2 and 3, I'll choose which to use - and I'll do some research on them both first too.

4. Then I'll run avz or sophos in repair mode, depending on which looks most likely to work. If it doesn't work I'll try the other one :)

5. If neither of them work, I'll go to the rescue CDs.

Anything about that plan seem stupid to anyone?

essexboy

  • Malware removal instructor
AVZ is quite safe in the healing mode; I have not yet broken a system with it  ;D

ytasfwvbcxvvti.sys is a new variant of the TDSS rootkit so we should be able to kill it without using a rescue disc

AussieChippie

  • Guest
Well, having done all of the above with the exception of the sophos tool - including my favourite variation:

msconfig, set minimal safe mode.

Reboot with CD, Fixboot and fixmbr

Manually remove everything that seemed the right size to be backup copies of the YTAS files.

Reboot, into minimal safe mode from previous settings.

Run new copy of avz from CD

Everything I tried failed :( SOB came back every time.

Eventually bricked the machine by attaching the HDD as a slave on another machine and running avast! over it, then trying to reboot.

Oh well. Was an interesting experiment.