Author Topic: Win32.Malware-gen & Rootkit issues  (Read 6813 times)


Nicrobliz

  • Guest
Win32.Malware-gen & Rootkit issues
« on: April 06, 2010, 07:32:31 PM »
A few days ago, Avast! alerted me about a Win32.Malware-gen infection. However, every time I tried to quarantine (not always possible) or delete the file, another alert would occur shortly afterwards.

I tried using Spybot (and managed to remove a few infected files) but, after rebooting my PC (and allowing Spybot to run a system check) a windows error message popped up consistently ("error loading: C:\windows\dsxewm6.dll  Access denied") almost covering the screen. Although Spybot didn't detect anything further, I was still getting alerts from Avast! about the same infection. At one point, Avast! instructed me to reboot my PC because it couldn't deal with the infected file(s) any other way. So, I rebooted and Avast! scanned my system in DOS. However, as soon as it detected something, my keyboard was unable to select an option to deal with the infection.

I then decided to reboot my PC to safe mode and ran all the anti-virus programs I have on my PC: Avast!, Malwarebytes' Anti-Malware and Spybot. All of them, except Spybot, found further infected files and they were promptly quarantined. However, after restarting my computer normally, Avast! once again notified me of the same Win32.Malware-gen problem! This has happened three times so far and, on each occasion, they were quarantined.

To be safe, I decided to run a quick Malwarebytes' Anti-Malware scan and found yet another infected file and quarantined that as well (and I hadn't even started using the internet yet). Since then, Avast! hasn't notified me of any further infections but I'm not completely confident that the problem's been solved. I'd really appreciate it if someone could help (especially Essexboy). I've enclosed logs from most of the programs I've used (including an OTL log).

Cheers.
« Last Edit: April 06, 2010, 08:27:19 PM by Nicrobliz »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37644
  • F-Secure user
Re: Win32.Malware-gen & Rootkit issues
« Reply #1 on: April 06, 2010, 07:43:36 PM »
Latest database for MBAM is 3960; you have scanned with 3930.
« Last Edit: April 06, 2010, 07:46:10 PM by Pondus »

Nicrobliz

  • Guest
Re: Win32.Malware-gen & Rootkit issues
« Reply #2 on: April 06, 2010, 07:51:51 PM »
Hey, thanks for the heads-up! I've updated it twice within the last few days but only now has it upgraded itself to the 3960 version.

Nicrobliz

  • Guest
Re: Win32.Malware-gen & Rootkit issues
« Reply #3 on: April 06, 2010, 08:46:21 PM »
I've just run a full scan on Malwarebytes' Anti-Malware (v 3960) and it found one infected file. I've attached the log below.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32.Malware-gen & Rootkit issues
« Reply #4 on: April 06, 2010, 09:20:14 PM »
Hi, a few bits to clean and then I will want to use a stronger tool

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-371757489-1780262812-3310583448-1006\..\Toolbar\ShellBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-371757489-1780262812-3310583448-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-371757489-1780262812-3310583448-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
[2010/04/01 07:50:03 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Sjuxurupoh.dat
[2010/04/01 02:47:09 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Lcofagacut.bin

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
NEXT

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
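A defender reading an OTL fix script like the one above usually wants its entries in structured form: which shell-extension registrations are dangling (OTL's "No CLSID value found"), which files are being deleted and how large they are, and which post-fix commands run. The following Python parser is an added example, not code from this thread, from OTL's author or from Avast. The line formats it recognises are inferred from the lines quoted in this thread, so any OTL line shape not seen here is an assumption, and the `files_in_windows_root` triage heuristic is my own rather than an OTL rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed sample input: the :OTL and :Commands sections of the fix
# script posted in this thread, copied here as parser input.
SAMPLE_FIX = r""":OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-371757489-1780262812-3310583448-1006\..\Toolbar\ShellBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
[2010/04/01 07:50:03 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Sjuxurupoh.dat
[2010/04/01 02:47:09 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Lcofagacut.bin

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
"""

# Registry-style entries: "O2 - BHO: (no name) - {CLSID} - No CLSID value found."
# (format inferred from the thread; assumption for other OTL line types)
_REG_RE = re.compile(
    r"^(?P<kind>O\d+) - (?P<location>.+?): \((?P<name>.*?)\) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<status>.*)$"
)
# File entries: "[date time | size | attrs | flag] (company) -- path"
_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S+) \| (?P<flag>\w)\] \((?P<company>.*?)\) -- (?P<path>.+)$"
)
# :Commands lines such as "[resethosts]"
_CMD_RE = re.compile(r"^\[(?P<cmd>\w+)\]$")


@dataclass
class RegEntry:
    kind: str        # OTL line class, e.g. O2 (BHO) or O3 (toolbar)
    location: str    # "BHO" or the registry path OTL printed
    name: str        # display name, "no name" for these entries
    clsid: str
    status: str      # "No CLSID value found." marks a dangling registration


@dataclass
class FileEntry:
    timestamp: str
    size: int        # bytes; OTL prints it zero-padded with thousands separators
    attrs: str
    flag: str
    company: str
    path: str


@dataclass
class Command:
    name: str


Entry = Union[RegEntry, FileEntry]


def parse_fix_script(text: str) -> Dict[str, list]:
    """Split an OTL fix script into sections and parse each known line shape.

    Lines that match nothing are kept under "unparsed" so nothing is
    silently dropped from a script you are about to run on a machine.
    """
    sections: Dict[str, list] = {"OTL": [], "Commands": [], "unparsed": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # section header, e.g. ":OTL"
            current = line[1:]
            sections.setdefault(current, [])
            continue
        m = _REG_RE.match(line)
        if m and current == "OTL":
            sections["OTL"].append(RegEntry(**m.groupdict()))
            continue
        m = _FILE_RE.match(line)
        if m and current == "OTL":
            d = m.groupdict()
            sections["OTL"].append(FileEntry(
                timestamp=d["ts"], size=int(d["size"].replace(",", "")),
                attrs=d["attrs"], flag=d["flag"], company=d["company"],
                path=d["path"]))
            continue
        m = _CMD_RE.match(line)
        if m and current == "Commands":
            sections["Commands"].append(Command(m.group("cmd")))
            continue
        sections["unparsed"].append(line)
    return sections


def orphaned_clsids(entries: List[Entry]) -> List[str]:
    """CLSIDs of BHO/toolbar hooks whose class object no longer exists.

    OTL reports these as "No CLSID value found"; the fix in this thread
    removes exactly those dangling registrations.
    """
    return [e.clsid for e in entries
            if isinstance(e, RegEntry) and "No CLSID value found" in e.status]


def files_in_windows_root(entries: List[Entry], windir: str = r"C:\WINDOWS") -> List[str]:
    """Triage heuristic (my assumption, not an OTL rule): loose files dropped
    directly into the Windows directory root deserve a look, since legitimate
    software rarely writes there."""
    out = []
    for e in entries:
        if isinstance(e, FileEntry):
            head, _, _ = e.path.rpartition("\\")
            if head.upper() == windir.upper():
                out.append(e.path)
    return out


if __name__ == "__main__":
    parsed = parse_fix_script(SAMPLE_FIX)
    print("dangling CLSIDs:", orphaned_clsids(parsed["OTL"]))
    print("files in Windows root:", files_in_windows_root(parsed["OTL"]))
    print("commands:", [c.name for c in parsed["Commands"]])
```

Run it on a saved fix script (or an OTL log section) to see which registry hooks are dangling and which file deletions the script will perform before you run the script itself; anything under `unparsed` is a line shape the parser does not know and should be read by hand.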

Nicrobliz

  • Guest
Re: Win32.Malware-gen & Rootkit issues
« Reply #5 on: April 06, 2010, 09:54:28 PM »
Hi Essexboy.

Thanks for your help but, on OTL, the run fix option never finished due to an error (I've enclosed the error log). I waited for ten minutes but nothing happened. After rebooting, I ran a quick scan, just in case.

I'm not sure if I should conduct the second stage regardless, so please let me know.

"Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon." I can see a method for Spybot and Avast! but not for MBAM...
« Last Edit: April 06, 2010, 10:03:28 PM by Nicrobliz »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32.Malware-gen & Rootkit issues
« Reply #6 on: April 06, 2010, 10:06:49 PM »
Right click the Avast icon and under shield control select disable for 1 hour. Once you have rebooted from the CF run then re-enable.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32.Malware-gen & Rootkit issues
« Reply #7 on: April 06, 2010, 10:08:41 PM »
Ooops, numpty can't read; you can leave MBAM alone and it will not conflict.

Nicrobliz

  • Guest
Re: Win32.Malware-gen & Rootkit issues
« Reply #8 on: April 06, 2010, 10:34:24 PM »
Okay, all done! ComboFix log attached.

Cheers.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32.Malware-gen & Rootkit issues
« Reply #9 on: April 06, 2010, 10:50:12 PM »
Looks good - do you have any further problems showing?

Nicrobliz

  • Guest
Re: Win32.Malware-gen & Rootkit issues
« Reply #10 on: April 06, 2010, 10:52:55 PM »
Since my opening post, Avast! hasn't alerted me of anything else (although, as already mentioned, MBAM picked up one more infected file).

I haven't noticed any strange behaviour from my PC either.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32.Malware-gen & Rootkit issues
« Reply #11 on: April 06, 2010, 10:58:55 PM »
OK, if you could run OTL and hit the clean up button, it will remove itself and Combofix.

I would then recommend that you reset your restore points - keep an eye on it for 24 hours or so and if you have any problems come back here.

Nicrobliz

  • Guest
Re: Win32.Malware-gen & Rootkit issues
« Reply #12 on: April 06, 2010, 11:35:25 PM »
Okay, OTL and Combofix have now been removed, previous system restore points have also been deleted and the latest version of MBAM (3961) has come up with no infected files after a quick scan.

Thank you ever so much! :)

Just a quick question about the 'Immunize' function on Spybot: Windows Global (Hosts) remain unprotected even after immunising. I don't recall it doing this before (but all the other sections are fully immunised). Since I use Firefox exclusively, should it be considered a concern?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32.Malware-gen & Rootkit issues
« Reply #13 on: April 07, 2010, 09:36:19 PM »
It is always best to protect IE even if you rarely use it  ;D
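Spybot's Windows Global (Hosts) immunisation writes blocking entries into the hosts file, and the `[resethosts]` command in the OTL fix earlier in this thread restores that file to its default. The hosts file is consulted by the operating system's resolver, so it applies to every application on the machine, Firefox included, which is why its state matters whichever browser is in daily use. The Python script below is an added example, not code from this thread or from Spybot: it separates blocking entries (a name mapped to loopback or 0.0.0.0, the immunisation shape) from redirect entries (a name mapped to any other address, the hijack shape that a hosts reset undoes). The sample hosts content, its comment markers and the hostnames in it are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file: the default localhost lines, two
# immunisation-style blocking entries, and one entry that redirects a name
# to an outside address. Hostnames and markers are made up for this example.
SAMPLE_HOSTS = """# Constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
# Start of constructed immunisation block
127.0.0.1 www.example-bad.test
127.0.0.1 ads.example-bad.test
# End of constructed immunisation block
203.0.113.5 www.example-bank.test
"""

# Names that legitimately map to loopback and carry no signal either way.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per name, skipping comments and blanks.

    A hosts line is "<address> <name> [<name> ...]" with '#' starting a comment.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            pairs.append((addr, name))
    return pairs


def classify_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Sort hosts entries into blocking, redirect and invalid buckets.

    blocking: name points at loopback or 0.0.0.0, so the name is sinkholed
              for every application (what immunisation adds).
    redirect: name points somewhere else, so traffic for that name is
              silently sent to another host (what a hijack adds and a reset removes).
    invalid:  first field is not an IP address at all; worth reading by hand.
    """
    result: Dict[str, List[Tuple[str, str]]] = {"blocking": [], "redirect": [], "invalid": []}
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            result["invalid"].append((addr, name))
            continue
        if name.lower() in BENIGN_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            result["blocking"].append((addr, name))
        else:
            result["redirect"].append((addr, name))
    return result


if __name__ == "__main__":
    report = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocking'])} blocking entries (immunisation-style)")
    for addr, name in report["redirect"]:
        print(f"REDIRECT: {name} -> {addr}  (review: not a sinkhole address)")
    for addr, name in report["invalid"]:
        print(f"INVALID: {addr} {name}")
```

To check a real machine, read the file at `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) and pass its contents to `classify_hosts`; a large blocking list with no redirects is what an immunised but clean file looks like, while any redirect entry for a name you did not add yourself is the thing to investigate.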

Nicrobliz

  • Guest
Re: Win32.Malware-gen & Rootkit issues
« Reply #14 on: April 07, 2010, 09:55:24 PM »
All sorted! After doing some research, I realised that it was due to one of the advanced settings in ZoneAlarm. I just deselected it (temporarily) and the immunisation of the global hosts worked this time.

My PC has been running fine today but I'll probably continue to monitor it for another 24 hours. Once again, many thanks for all your help! :D
« Last Edit: April 07, 2010, 10:26:22 PM by Nicrobliz »