Author Topic: Win-32 Malware  (Read 20254 times)


janvanderscheer

  • Guest
Re: Win-32 Malware
« Reply #15 on: April 07, 2010, 03:07:42 PM »
After feeling happy, it seems that there is a little bit remaining. Avast displayed a message about blocking some malware twice today. I ran a boot scan and it found a couple of infected files that I moved to the chest.
I ran a quick scan with OTL (log attached). I've also added some kind of log file of the boot scan that Avast did (but I don't know if it's the correct one or helpful).
Hope you can help me finish the last bit of this!

Jan

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win-32 Malware
« Reply #16 on: April 07, 2010, 09:39:44 PM »
Nothing apparent in that log - could you run MBAM to see what that reveals. Was it a Webshield warning?

janvanderscheer
Re: Win-32 Malware
« Reply #17 on: April 08, 2010, 08:27:01 AM »
Here is the MBAM file. I don't know for sure, but I think it was a Webshield warning, not a warning about an infection. Still, I got worried because the Avast bootscan found so many infections (and moved them to chest).

Jan

janvanderscheer
Re: Win-32 Malware
« Reply #18 on: April 08, 2010, 10:09:48 AM »
There is definitely still something going on. Google is not working; both Firefox and IE are giving me warnings about this...

Offline essexboy
Re: Win-32 Malware
« Reply #19 on: April 08, 2010, 09:07:31 PM »
    GMER Rootkit Scanner - Download - Homepage
    • Download GMER
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe.

    • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)

    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    Please copy and paste the report into your Post.


janvanderscheer
Re: Win-32 Malware
« Reply #20 on: April 10, 2010, 12:48:48 PM »
A fatal error occurs when I try to do the scan. Windows then shows a blue screen. This has happened twice. Do I have to keep trying, or use another program?

Jan

Offline essexboy
Re: Win-32 Malware
« Reply #21 on: April 10, 2010, 03:51:38 PM »
Unfortunately there is a new rootkit going around at the moment; I have only had one case so far, but GMER shows it quite nicely.

Let's see if I can find the traces it leaves. This time OTL is looking at a few different areas.

Download OTL to your Desktop
• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
• Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles /all
%systemroot%\System32\config\*.sav

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
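The /md5start ... /md5stop list in the custom scan above hashes boot-critical disk drivers and logon DLLs so that a copy patched in place shows up as a hash mismatch against a known-good baseline. The script below is an added example of that check written for this page, not OTL's own code: it hashes a list of driver files against a baseline and reports each as ok, MODIFIED, missing or unknown. The driver bodies, the baseline and the in-place "patch" are all constructed in a temporary directory; a real baseline would come from a clean machine of the same Windows build or from installation media. It uses SHA-256 rather than the MD5 OTL reports, since MD5 is collision-prone even though it is adequate for spotting an accidental mismatch.

```python
# Added example (not OTL's code): baseline-hash check over a list of
# boot-critical drivers, the idea behind OTL's /md5start ... /md5stop scan.
import hashlib
import os
import tempfile

# Subset of the file names from the custom scan above.
DRIVER_NAMES = ["atapi.sys", "iaStor.sys", "nvstor.sys", "nvraid.sys"]


def file_digest(path, algo="sha256"):
    """Hash a file in chunks; SHA-256 by default (OTL reports MD5)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(driver_dir, names, baseline):
    """Compare each named file under driver_dir with the baseline.

    Returns name -> 'ok' | 'MODIFIED' | 'missing' | 'unknown'.
    'unknown' means the file exists but the baseline has no hash for it,
    which on a real box is itself worth a look (a driver you never installed).
    """
    report = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif name not in baseline:
            report[name] = "unknown"
        elif file_digest(path) == baseline[name]:
            report[name] = "ok"
        else:
            report[name] = "MODIFIED"
    return report


def demo():
    """Build constructed driver files, baseline them, then patch one in place."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for the real PE files (not actual driver bytes).
        clean = {
            "atapi.sys": b"MZ" + b"\x00" * 62 + b"constructed clean atapi body",
            "iaStor.sys": b"MZ" + b"\x00" * 62 + b"constructed clean iastor body",
        }
        for name, body in clean.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        # Baseline taken while the files are known-good (hypothetical clean box).
        baseline = {name: file_digest(os.path.join(d, name)) for name in clean}

        # A driver that appeared after the baseline was taken: no hash to compare.
        with open(os.path.join(d, "nvraid.sys"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed unbaselined body")

        # Simulate a rootkit overwriting a few bytes of atapi.sys in place:
        # same size, same name, same timestamp-agnostic check, different content.
        with open(os.path.join(d, "atapi.sys"), "r+b") as f:
            f.seek(64)
            f.write(b"PATCHED!")

        return check_drivers(d, DRIVER_NAMES, baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Run from inside a running, infected Windows this check can be fooled: a rootkit that sits in the disk driver stack can hand the original bytes to anything reading the file while the patched copy is what actually loaded, which is why tools such as GMER read the disk directly and why hashing from bootable media is more trustworthy. A mismatch therefore confirms a modification; a match does not prove the file is clean.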

ulysse

• Guest
Re: Win-32 Malware
« Reply #22 on: April 10, 2010, 04:35:18 PM »
I don't know why I'm not allowed to create a message.

Never mind.

Has somebody already seen a problem with X5?

I think avast sees a fake trojan with it

Offline DavidR

• Avast Überevangelist
• Certainly Bot
• *****
• Posts: 89025
• No support PMs thanks
Re: Win-32 Malware
« Reply #23 on: April 10, 2010, 04:49:28 PM »
If you can post you can create a topic - Please start a New Topic of your own as this is unrelated to the original subject and will just confuse the topic, and we will try to help.
- Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

janvanderscheer
Re: Win-32 Malware
« Reply #24 on: April 10, 2010, 08:11:32 PM »
No Extras.txt was created after this scan, just OTL.txt (attached). Do I need to do the OTL scan again with other settings?

Jan

Offline essexboy
Re: Win-32 Malware
« Reply #25 on: April 10, 2010, 08:29:49 PM »
Aye, the Extras.txt is only produced on the first run.

Run OTL
• Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
O20 - Winlogon\Notify\gport_: DllName - gport_.dll - C:\Windows\System32\gport_.dll ()
[2010-04-07 17:03:03 | 000,005,136 | ---- | M] () -- C:\Windows\System32\gport_.dll

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
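The [resethosts] command in the fix above restores the Windows hosts file to its default contents, which undoes one common way malware makes "Google not working" happen: mapping search engines, update servers or security-vendor sites to an attacker's address or to loopback. The thread does not show Jan's hosts file, so whether that was the cause here is not established. The script below is an added example written for this page, not OTL's code: it parses a hosts file and reports watched hostnames that are redirected to a real address or sinkholed. The watch list, the default-file text and the sample hosts content are constructed for the example (203.0.113.0/24 is the TEST-NET-3 documentation range).

```python
# Added example (not OTL's code): audit a Windows hosts file for the kind of
# hijack that OTL's [resethosts] command undoes by restoring the default file.
import ipaddress

# Default hosts content (assumption: the page does not print what OTL writes).
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n::1\tlocalhost\n"

# Addresses that make a name resolve to nothing useful.
SINKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}

# Illustrative watch list: search engines, Windows Update and security vendors
# are the names malware most often redirects or blocks. Extend to taste.
WATCHED = {
    "google.com", "www.google.com", "bing.com", "www.bing.com",
    "update.microsoft.com", "windowsupdate.microsoft.com",
    "www.avast.com", "www.malwarebytes.org",
}


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for each valid mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address: skip the line
        yield lineno, ip, [h.lower() for h in fields[1:]]


def audit_hosts(text, watched=WATCHED):
    """Return findings as (lineno, hostname, ip, verdict).

    'redirected': a watched name maps to a routable address (interception).
    'blocked':    a watched name is sinkholed (typical for AV update sites).
    Names outside the watch list are ignored on purpose: ad-blocking hosts
    files legitimately sinkhole thousands of entries, so "many lines" alone
    is not evidence of compromise.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if name not in watched:
                continue
            verdict = "blocked" if ip in SINKHOLE else "redirected"
            findings.append((lineno, name, str(ip), verdict))
    return findings


# Constructed sample: the two genuine default lines plus hijack lines
# written for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed hijack lines for this example (203.0.113.0/24 is TEST-NET-3)
203.0.113.10    www.google.com google.com
127.0.0.1       www.avast.com
0.0.0.0         ads.example.net
"""

if __name__ == "__main__":
    for lineno, name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({verdict})")
```

On a live machine read %SystemRoot%\System32\drivers\etc\hosts, but also check the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: Windows resolves the hosts file through that path, so malware that points it elsewhere leaves the file in the usual location looking clean. A hosts file with no findings does not rule out redirection done at the DNS or browser-proxy level.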

janvanderscheer
Re: Win-32 Malware
« Reply #26 on: April 11, 2010, 01:42:46 PM »
See attachment for the OTL log after the fix. Tried GMER again after that, but it still stops running after 2 minutes.

Jan

Offline essexboy
Re: Win-32 Malware
« Reply #27 on: April 11, 2010, 04:27:08 PM »
Could you retry GMER but remove the tick from Files

janvanderscheer
Re: Win-32 Malware
« Reply #28 on: April 12, 2010, 07:18:58 AM »
Same problem. I've removed the ticks from Files alone and from Files+IAT/EAT, but in both cases the program stops running after a few minutes.

Jan

Offline essexboy
Re: Win-32 Malware
« Reply #29 on: April 12, 2010, 08:18:07 PM »
OK, let's try IceSword on this; it is a nifty Chinese anti-rootkit programme, not as automated but good.

Please download and unzip IceSword to its own folder on your desktop.

If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log; call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color; you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log; call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log; call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

Now post all of the data collected under the headings for:

Processes
Win32 Services
Startup
SSDT
Message Hooks
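The red entries IceSword asks for in Steps 1, 4 and 5 come from three distinct checks: a process that a low-level walk of kernel objects reports but the normal user-mode enumeration does not (cross-view detection), a System Service Descriptor Table entry whose handler lies outside the kernel image, and a WH_KEYBOARD message hook installed by some process. The script below is an added example written for this page, not IceSword's code: it carries out the logic of each check over constructed snapshots rather than a live kernel, so it runs anywhere. Every PID, module range, address and path in it is hypothetical.

```python
# Added example (not IceSword's code): the logic behind three of the checks in
# the steps above, applied to constructed snapshots instead of a live kernel.

# --- Step 1: hidden processes (cross-view detection) ----------------------
# Constructed snapshots: what a user-mode enumeration (a Task Manager-style
# Toolhelp snapshot) reports, versus what a lower-level walk of kernel
# process objects reports. A PID only the second view shows is "red".
API_VIEW = {4: "System", 612: "csrss.exe", 1240: "explorer.exe", 1804: "firefox.exe"}
LOW_LEVEL_VIEW = {**API_VIEW, 2216: "svchost.exe"}   # hypothetical extra PID


def hidden_processes(api_view, low_level_view):
    """PIDs present in the low-level view that the API view does not show."""
    return {pid: name for pid, name in low_level_view.items() if pid not in api_view}


# --- Step 4: SSDT entries pointing outside the kernel image ---------------
# Hypothetical 32-bit kernel image range and service table. A handler that
# does not fall inside ntoskrnl.exe belongs to some other module (the
# "KModule" IceSword names) and needs to be identified.
KERNEL_IMAGE = ("ntoskrnl.exe", 0x804D7000, 0x806E5000)   # (name, base, end)
SSDT = {
    0x25: ("NtCreateFile", 0x8057A9E0),
    0x91: ("NtQueryDirectoryFile", 0xF8A3C120),   # lands outside the kernel image
    0xAD: ("NtQuerySystemInformation", 0x805B2E40),
}


def ssdt_out_of_image(ssdt, image):
    """Service table entries whose handler address is not inside `image`."""
    _, base, end = image
    return {idx: (fn, addr) for idx, (fn, addr) in ssdt.items()
            if not (base <= addr < end)}


# --- Step 5: keyboard message hooks ----------------------------------------
# Constructed (hook_type, process_path) pairs; the DLL path is hypothetical.
MESSAGE_HOOKS = [
    ("WH_MOUSE", r"C:\Windows\explorer.exe"),
    ("WH_KEYBOARD", r"C:\Users\jan\AppData\Local\Temp\kbd.dll"),
    ("WH_CBT", r"C:\Windows\System32\msctf.dll"),
]


def keyboard_hooks(hooks):
    """Process paths that own a keyboard hook (WH_KEYBOARD or its _LL variant)."""
    return [path for kind, path in hooks if kind in ("WH_KEYBOARD", "WH_KEYBOARD_LL")]


def report():
    """Collect the three checks under the headings the post asks for."""
    return {
        "Processes": hidden_processes(API_VIEW, LOW_LEVEL_VIEW),
        "SSDT": {idx: (fn, hex(addr))
                 for idx, (fn, addr) in ssdt_out_of_image(SSDT, KERNEL_IMAGE).items()},
        "Message Hooks": keyboard_hooks(MESSAGE_HOOKS),
    }


if __name__ == "__main__":
    for heading, data in report().items():
        print(f"{heading}: {data}")
```

Treat each hit as a lead rather than a verdict, as the post's own warning about red entries says: on 32-bit Windows of that era security products also hooked the SSDT, and input-method editors and macro tools install keyboard hooks, so the owning module has to be identified before anything is removed. Cross-view detection also only catches what the lower view can still see; a rootkit that hooks the routine the low-level walk itself relies on hides from both.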