Author Topic: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe  (Read 12995 times)


Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #15 on: December 11, 2009, 01:20:34 AM »
Start the computer, and leave it on for at least ten minutes, then please go to the folder "C:\Program Files\Alwil Software\Avast4\DATA\log" , locate the file "aswAr.log", check the date time is very recent, (same day, within the last few minutes) and attach it (see additional options, lower left of the forum reply pane).
Won't hurt to make sure.
Don't be too afraid. Heuristics aren't a perfect science. Subsequent clean scans are a pretty good indication.
Windows 10,Windows Firewall,Firefox w/Adblock.

wikkid1

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #16 on: December 11, 2009, 05:54:46 AM »
Well, let's hope heuristics aren't a perfect science in my case LOL.  I've been sketched out about even touching my system for the last week.  BTW, I haven't cleared my restore points yet.  Was just getting ready to do so when the Avast scan popped up advising of the possible rootkit.  Shall I hold off on that or do ASAP?  Thanks again for all the advice Tarq57.
« Last Edit: December 11, 2009, 05:56:39 AM by wikkid1 »

Offline Tarq57

Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #17 on: December 11, 2009, 06:08:08 AM »
That's weird. It's full of nulls, or in a language my Windows does not speak. (Sample below.) What language do you use (Windows/Avast)?
No warnings after that restart?
The restore points can be disabled any time. It won't matter when. Just don't use system restore before then. It's not making any difference to this alleged possible rootkit.

wikkid1

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #18 on: December 11, 2009, 03:41:42 PM »
Hmm, it's in English.  I saved it in notepad on my desktop and opened it and it looks fine.  This is what the first part of it looks like:

avast! Antirootkit, version 1.0
Scan started: Thursday, December 10, 2009 10:28:41 AM


wikkid1

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #19 on: December 11, 2009, 03:47:57 PM »
This is what it shows at the end of the log:

Scan finished: Thursday, December 10, 2009 10:28:55 AM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

I'll resend and see if you can read this one.
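As an added example (not code from this thread or from Avast), a small Python checker for the aswAr.log layout quoted above: it decodes the attachment (a file that shows as "full of nulls" in an 8-bit editor is usually UTF-16, an assumption here), confirms the scan finished within the last few minutes as Tarq57 asked, and flags any non-zero "Hidden ... found" counter. The sample log, the ten-minute window and the cp1252 fallback are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the aswAr.log layout quoted in the thread (not the poster's real file).
SAMPLE_LOG = """avast! Antirootkit, version 1.0
Scan started: Thursday, December 10, 2009 10:28:41 AM

Process C:\\WINDOWS\\system32\\smss.exe [804]
File C:\\WINDOWS\\system32\\Drivers\\atapi.sys
Scan finished: Thursday, December 10, 2009 10:28:55 AM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
"""
TIME_FMT = "%A, %B %d, %Y %I:%M:%S %p"   # matches "Thursday, December 10, 2009 10:28:41 AM"

def decode_log(raw: bytes) -> str:
    """A log that shows as 'full of nulls' in an 8-bit editor is usually UTF-16
    (assumption): honour a BOM, treat NUL-padded text as UTF-16 LE, else cp1252."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    if b"\x00" in raw[:64]:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("cp1252", errors="replace")

def parse_log(text: str) -> dict:
    """Extract the start/finish timestamps and every 'Hidden ... found: N' counter."""
    info = {"started": None, "finished": None, "hidden": {}}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Scan (started|finished): (.+)$", line)
        if m:
            info[m.group(1)] = datetime.strptime(m.group(2), TIME_FMT)
            continue
        m = re.match(r"Hidden (.+?) found: (\d+)$", line)
        if m:
            info["hidden"][m.group(1)] = int(m.group(2))
    return info

def assess(raw: bytes, now: datetime, max_age_minutes: int = 10) -> dict:
    """Apply the thread's two checks: the scan finished within the last few
    minutes, and all five hidden-item counters are present and zero."""
    info = parse_log(decode_log(raw))
    recent = (info["finished"] is not None
              and timedelta(0) <= now - info["finished"] <= timedelta(minutes=max_age_minutes))
    hidden_total = sum(info["hidden"].values())
    return {"recent": recent, "hidden_total": hidden_total,
            "clean": recent and len(info["hidden"]) == 5 and hidden_total == 0}
```

A non-zero counter or a stale timestamp only means the log needs a closer look, not that the machine is infected; as the thread notes, these tools have a noticeable false-positive rate.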

Offline Tarq57

Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #20 on: December 13, 2009, 01:59:10 AM »
Hi, sorry for not responding for a time, I went away for a couple of days to a rock concert.

The log looks fine. I still cannot display the attachment correctly, and don't know why. But if there was no message in the second boot scan you ran with Avast, I'd be inclined not to worry.

It would probably have been better to post the report of that first boot scan rather than the antirootkit scan, but it doesn't matter now.

If you want a second opinion on this, there are a number of free antirootkit tools linked from this site (which I've found handy). I'd try TM Rootkit Buster (Trend Micro) or Rootalyser (by the makers of Spybot).
The one used in Avast is based on the GMER application.

If you do try any of these, post for advice if anything suspicious is found. This type of application reports on mismatches in the ADS... never mind, can have a high percentage of false positives.

bran34

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #21 on: December 13, 2009, 07:41:31 AM »
wikkid1,
they might well relate to the same files, but with a different threat-naming protocol.
The file name produces few Google hits; the Prevx entry for MDSETE.DLL indicates the file was first observed Sep 14 this year. So it's fairly new.
Did you have SAS quarantine all found?
If not, rescan and please do so.

System volume information can be dealt with later. Just don't use system restore, for now.

Were the other 166 items all tracking cookies?

Do you have two operating systems, or one shared on two partitions? I see the malicious file is in both the C Windows directory, and an identical directory in D.

If he has an HP (as I do), HP has its own little recovery system it can use to recover Windows in the event that you screw something up horribly. It is stored on a separate hard drive (in my case, D:).

My Main drive is HP_PAVILION C: then there is HP_RECOVERY D:
« Last Edit: December 13, 2009, 07:46:45 AM by bran34 »

wikkid1

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #22 on: December 13, 2009, 01:57:55 PM »
Hey no worries, I haven't been able to get on here much anyway.  I just appreciate the help.  Hope you had fun at the concert.  I work as a DJ at a classic rock station in Seattle so I catch as many shows as possible.

I'll DL the Rootkit Buster and give 'er a try.  Quick question, though--what would you recommend I do with the items in my Avast quarantine chest and in SuperAntiSpyware's quarantine?  I know deleting them could possibly be disastrous. 

YoKenny

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #23 on: December 13, 2009, 02:05:01 PM »
@ wikkid1

Leave the items in the Chest for a while and make sure your system performs as expected then you can remove them or restore them and re-scan them to see if they are still detected at a later date.