Author Topic: Win-32 Malware  (Read 10761 times)


Offline janvanderscheer

  • Jr. Member
  • **
  • Posts: 20
Win-32 Malware
« on: April 03, 2010, 12:21:25 PM »
Hello,

Yesterday my computer was affected with some sort of Win-32 Malware (in svchost.exe from Windows/Temp). Avast also provides a warning about a Rootkit (in Windows/System32/Drivers).
I've read several posts on this forum about this same type of Malware. So far, I've tried to clean my PC with Malwarebytes' Anti-Malware, OTL, SUPERAntiSpyware, Spybot - Search & Destroy; all with latest updates, but Avast still gives me the same warnings.
As described elsewhere, I've attached the logfiles of OTL (2x) and MBAM (1x).
Help would be very much appreciated!

Jan

Offline janvanderscheer

  • Jr. Member
  • **
  • Posts: 20
Re: Win-32 Malware
« Reply #1 on: April 03, 2010, 12:41:17 PM »
An additional question: are files like Office files also infected, i.e. when I open a file from the infected PC on another PC (through e-mail or a pen drive), will it also be infected with the Malware?
Again, thanks a lot for a reply!

Jan

Offline Pondus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 27127
Re: Win-32 Malware
« Reply #2 on: April 03, 2010, 12:46:17 PM »
I have sent a PM to Essexboy so he will have a look when he enters the forum..... ;)


OBS: your MBAM log says "NO ACTION TAKEN"; have you clicked "REMOVE SELECTED" after the scan?
« Last Edit: April 03, 2010, 12:49:26 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline micky77

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1049
  • Trust no program
Re: Win-32 Malware
« Reply #3 on: April 03, 2010, 12:49:52 PM »
Did you take any action with MBAM? C:\Windows\system32\Drivers\synvp.sys (Rootkit.Agent) -> No action taken

You could try HMP; it could be the TDL3 rootkit: http://www.surfright.nl/en/hitmanpro
I Sandboxie

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37333
  • Dragons by Sasha
    • Malware fixes
Re: Win-32 Malware
« Reply #4 on: April 03, 2010, 01:31:26 PM »
Hi there, let's clear what I can see first - and then determine what problems remain

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
[2010-04-03 11:59:39 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\synvp.sys
[2010-04-03 12:10:11 | 000,823,808 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\synvp.sys

:Files
C:\Windows\tasks\At*.job

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
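
The two file entries quoted in the fix above follow a fixed layout: a bracketed timestamp, size and flag fields, a parenthesised company name, an optional note such as "Unable to obtain MD5", and the path after "--". The following parser is an added example written for this thread, not code from OTL, its author or the forum; it parses such lines and flags driver entries that could not be hashed or carry no vendor name, the two properties both visible for synvp.sys above. Only timestamp, size and path are certain from the page: reading the dash field as attribute flags and the single letter as the timestamp kind is an assumption, the third sample line is a constructed benign entry, and the directory filter is a plain prefix match.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One OTL file entry, as in the two lines of the fix above:
#   [date time | size | flags | M] (company) [optional note] -- path
# Only timestamp, size and path are certain from the page; reading the dash
# field as attribute flags and the single letter as the timestamp kind is an
# assumption of this example.
_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<flags>[-A-Z]+) \| (?P<kind>[A-Z])\] "
    r"\((?P<company>[^)]*)\)\s*(?P<note>.*?)\s*-- (?P<path>.+)$"
)


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    flags: str
    kind: str
    company: str
    note: str
    path: str

    @property
    def md5_unavailable(self) -> bool:
        # OTL could not open the file to hash it. In the thread this is the
        # driver Avast flagged as a rootkit, so it is treated as an indicator.
        return "unable to obtain md5" in self.note.lower()


def parse_entry(line: str) -> Optional[OtlEntry]:
    """Parse one log line; return None for lines that are not file entries."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        flags=m["flags"],
        kind=m["kind"],
        company=m["company"].strip(),
        note=m["note"].strip(),
        path=m["path"].strip(),
    )


def parse_log(text: str) -> List[OtlEntry]:
    """Parse every file entry in a log; non-entry lines are skipped."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def suspicious_drivers(entries: List[OtlEntry],
                       driver_dir: str = r"c:\windows\system32\drivers") -> List[OtlEntry]:
    """Entries under the driver directory that could not be hashed or that
    carry no company name; both hold for synvp.sys in the fix above."""
    flagged = []
    for e in entries:
        if not e.path.lower().startswith(driver_dir):
            continue
        if e.md5_unavailable or not e.company:
            flagged.append(e)
    return flagged


# The first two lines are the entries quoted in the fix; the third is a
# constructed benign entry with a vendor name, added for contrast.
SAMPLE_LOG = r"""
[2010-04-03 11:59:39 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\synvp.sys
[2010-04-03 12:10:11 | 000,823,808 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\synvp.sys
[2009-07-14 01:15:42 | 000,053,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\acpi.sys
Header line that is not a file entry and is skipped
"""


if __name__ == "__main__":
    for e in suspicious_drivers(parse_log(SAMPLE_LOG)):
        print(f"{e.path}  size={e.size}  md5_unavailable={e.md5_unavailable}")
```

Run as a script it prints the two synvp.sys entries and nothing else. A missing vendor name alone is weak evidence (plenty of legitimate drivers ship without one), so the hash failure is the signal worth acting on; the company check is there to rank, not to condemn.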

Offline janvanderscheer

  • Jr. Member
  • **
  • Posts: 20
Re: Win-32 Malware
« Reply #5 on: April 03, 2010, 03:05:13 PM »
Hi,

See attachment for OTL file.
After reboot Avast found a Trojan Horse in several files; so far no more messages about the Malware have come up.

Jan

Offline janvanderscheer

  • Jr. Member
  • **
  • Posts: 20
Re: Win-32 Malware
« Reply #6 on: April 03, 2010, 03:17:39 PM »
Sorry, wrong file in last reply. This one is the OTL Quick scan log. Malware is still present, btw.

Jan

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37333
  • Dragons by Sasha
    • Malware fixes
Re: Win-32 Malware
« Reply #7 on: April 05, 2010, 12:09:48 AM »
Yep, sure is - let's use a bigger hammer

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:Files
C:\Windows\tasks\At*.job
C:\Windows\System32\drivers\synvp.sys

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Begin copying here:
Drivers to delete:
synvp.sys
synvp

Files to delete:
C:\Windows\System32\drivers\synvp.sys

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

Offline janvanderscheer

  • Jr. Member
  • **
  • Posts: 20
Re: Win-32 Malware
« Reply #8 on: April 05, 2010, 08:04:12 AM »
Hi,

I'm back again... See attachments.

Jan

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37333
  • Dragons by Sasha
    • Malware fixes
Re: Win-32 Malware
« Reply #9 on: April 05, 2010, 12:13:00 PM »
My apologies for the delay as I lost my notifications

I need to run combofix now as there is something I am not seeing

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Offline janvanderscheer

  • Jr. Member
  • **
  • Posts: 20
Re: Win-32 Malware
« Reply #10 on: April 05, 2010, 01:16:39 PM »
Combofix.txt attached

Jan

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37333
  • Dragons by Sasha
    • Malware fixes
Re: Win-32 Malware
« Reply #11 on: April 05, 2010, 03:54:49 PM »
Well that revealed an infection I have not seen for a while

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Renv::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\CyberLink\YouCam\MUITransfer\muistartmenu .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\itsecmng .exe
c:\windows\RaidTool\xinside .exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTL log.
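
Every path under Renv:: in the script above shares one oddity: a blank space before the .exe extension ("qttask .exe", "mbam .exe"). The script below is an added example for this thread, not ComboFix's code or anything the poster wrote; it walks a directory tree, reports every executable whose name has whitespace before .exe, computes the corrected name, and renames only where that name is still free, so a file already sitting at the corrected name is left for a human to compare rather than overwritten. Treating the spaced name itself as the indicator is this example's assumption (the reply does not explain the renames), and the demo tree it builds consists of constructed placeholder files, not the files on the page.

```python
import os
import re
import tempfile
from typing import Dict, List

# An executable whose name has blank space before its extension, as in every
# path under Renv:: above ("qttask .exe"). Treating that pattern itself as the
# indicator is an assumption of this example; the reply does not explain it.
SPACED_EXE = re.compile(r"^(?P<stem>.+?)\s+(?P<ext>\.exe)$", re.IGNORECASE)


def find_spaced_executables(root: str) -> List[str]:
    """Walk root and return every file whose name matches SPACED_EXE."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if SPACED_EXE.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def rename_plan(paths: List[str]) -> Dict[str, str]:
    """Map each odd path to the name with the blank removed, i.e. what the
    Renv:: section asks ComboFix to restore. Nothing on disk is touched here."""
    plan = {}
    for p in paths:
        d, name = os.path.split(p)
        m = SPACED_EXE.match(name)
        if m:
            plan[p] = os.path.join(d, m["stem"] + m["ext"])
    return plan


def apply_plan(plan: Dict[str, str]) -> List[str]:
    """Rename only where the corrected name is free: if a file already sits
    at that name it is left alone for a human to compare, never overwritten."""
    renamed = []
    for src, dst in plan.items():
        if os.path.exists(dst):
            continue
        os.rename(src, dst)
        renamed.append(dst)
    return renamed


def demo() -> Dict[str, List[str]]:
    """Build a throwaway tree of placeholder files (constructed fixtures, not
    files from the thread) and run the scan, plan and rename over it."""
    root = tempfile.mkdtemp(prefix="spaced-exe-")
    fixtures = [
        "QuickTime/qttask .exe",            # renamed back to qttask.exe
        "Synaptics/SynTP/syntpenh .exe",    # collides with the file below: skipped
        "Synaptics/SynTP/syntpenh.exe",
        "Adobe/notes .txt",                 # not an .exe: ignored
        "Adobe/reader_sl.exe",              # clean name: ignored
    ]
    for rel in fixtures:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"MZ")  # two placeholder bytes, not a real executable
    found = find_spaced_executables(root)
    plan = rename_plan(found)
    renamed = apply_plan(plan)
    return {
        "found": [os.path.basename(p) for p in found],
        "renamed": [os.path.basename(p) for p in renamed],
        "skipped": [os.path.basename(s) for s, d in plan.items() if d not in renamed],
    }


if __name__ == "__main__":
    print(demo())
```

The collision case is the one to look at closely: when both "syntpenh .exe" and "syntpenh.exe" exist in the same folder, one of them is not the vendor's file, and a blind rename would destroy the evidence needed to tell which. Comparing hashes and signatures of the pair before touching either is the safer sequence.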

Offline janvanderscheer

  • Jr. Member
  • **
  • Posts: 20
Re: Win-32 Malware
« Reply #12 on: April 05, 2010, 04:50:21 PM »
On the first run, something went wrong and my computer gave me an error message in a blue screen. Second time, it seemed to run fine. There was no reboot and ComboFix automatically gave me the log.txt file (instead of ComboFix.txt), but I assume this is the same.
Interesting to have such a special infection over here! ;)

Jan

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 37333
  • Dragons by Sasha
    • Malware fixes
Re: Win-32 Malware
« Reply #13 on: April 05, 2010, 04:54:24 PM »
OK, I can no longer find the bad boy - or anything else - how is your computer running now?

Offline janvanderscheer

  • Jr. Member
  • **
  • Posts: 20
Re: Win-32 Malware
« Reply #14 on: April 07, 2010, 08:33:50 AM »
So far, so good! Still need to run a bootscan, but I think it's unlikely that something will be found.
I'm impressed by the amount of (short-term) help I've gotten over here! Thanks!

Jan