The same happened to me today.
It all started with AVAST throwing these warnings. I was browsing with Firefox 3.5+:
11/12/2009 23:08:51 xxx 412 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\~TM1F1A.tmp” file.
I told AVAST to delete ~TM1F1A.tmp, but avast apparently didn’t delete the file. Shortly after AVAST complained about a system file:
11/12/2009 23:10:08 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\drivers\atapi.sys” file.
11/12/2009 23:10:37 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\dllcache\atapi.sys” file.
Then I looked at the running processes.
A process called CsimPlayer.exe was running and had two child processes svchost.exe attached to it.
Running a SHA Hash comparison between CsimPlayer.exe and the tmp-file confirmed that CsimPlayer.exe was indeed ~TM1F1A.tmp, the file AVAST identified as malware. It was still there, in the windows temp directory.
The same CsimPlayer was added to the startup registry tree: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ("C:\WINDOWS\system32\CsimPlayer.exe")
In the meantime a CMD (command prompt) process was VERY active running a batch called fjhdyfhsn.bat. The batch command file contained the following statements (a loop trying to delete firefox...):
@echo off
:try
@del /F /Q "C:\Program Files\Mozilla Firefox\firefox.exe"
if exist "C:\Program Files\Mozilla Firefox\firefox.exe" goto try
The BAT file was dropped on my system on 11 December at 23:08, right before the ~temp file.
Another file called siszyd32.exe was dropped in the StartUp folder.
I still don’t know what it was and why Avast isn’t detecting it.
What I did:
* I ran Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
* I killed all CMDs, siszyd32.exe and CsimPlayer.exe (including the child processes)
* I removed all instances of siszyd32.exe and CsimPlayer.exe on my C: drive and I deleted both the infected atapi.sys files.
* I removed it from the registry
* And I ran Malwarebytes Anti-Malware
I checked the site where I thought it originated from, but it's not there... :-/ It could be a rootkit that has resided on my system for who knows how long. There's no way to check for rootkits when the OS is running. It's only noticeable when the rootkit installs or downloads files that inadvertently trigger Avast.
So if someone knows a good OFFLINE (boot-CD) rootkit scanner, please let me know.
Thanks.
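The two checks the poster describes, pulling the flagged path out of the Avast warning line and then hashing files to find the same sample under another name (the ~TM1F1A.tmp / CsimPlayer.exe match), as an added example that is not part of the original post. The log field layout is inferred from the quoted lines, and the sample files and directory tree are constructed in a temp directory, not real malware.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Avast warning line as quoted in the post; field layout is inferred from those lines.
AVAST_LINE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<host>\S+) (?P<pid>\d+) '
    r'Sign of “(?P<signature>[^”]+)” has been found in “(?P<path>[^”]+)” file\.$'
)

def parse_avast_line(line):
    """Split one Avast warning into its fields; None if the line does not match."""
    m = AVAST_LINE.match(line.strip())
    return m.groupdict() if m else None

def sha256_of(path):
    with open(path, 'rb') as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_copies(flagged_paths, search_dirs):
    """Hash the flagged files, then walk search_dirs for every file sharing a digest."""
    wanted = {sha256_of(p) for p in flagged_paths if os.path.isfile(p)}
    hits = defaultdict(set)
    for d in search_dirs:
        for root, _, files in os.walk(d):
            for name in files:
                full = os.path.join(root, name)
                try:
                    digest = sha256_of(full)
                except OSError:  # locked or vanished file: skip it, keep walking
                    continue
                if digest in wanted:
                    hits[digest].add(os.path.abspath(full))
    return {k: sorted(v) for k, v in hits.items()}

def demo():
    """Constructed scenario: the quarantined temp file plus a renamed copy in 'system32'."""
    base = tempfile.mkdtemp()
    tmp_dir, sys_dir = os.path.join(base, 'TEMP'), os.path.join(base, 'system32')
    os.makedirs(tmp_dir); os.makedirs(sys_dir)
    dropped = os.path.join(tmp_dir, '~TM1F1A.tmp')
    for p in (dropped, os.path.join(sys_dir, 'CsimPlayer.exe')):
        with open(p, 'wb') as f:
            f.write(b'constructed sample bytes')  # identical content, two names
    with open(os.path.join(sys_dir, 'benign.dll'), 'wb') as f:
        f.write(b'unrelated content')  # should not be reported
    event = parse_avast_line(f'11/12/2009 23:08:51 xxx 412 Sign of “Win32:Malware-gen” has been found in “{dropped}” file.')
    return find_copies([event['path']], [base])
```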