Author Topic: Win32:Malware-gen  (Read 30468 times)


elle_97

  • Guest
Win32:Malware-gen
« on: April 03, 2010, 10:21:36 PM »
A Virus Was Found!

File name: C:\WINDOWS\TEMP\maec.tmp\svchost.exe

I've sent it to chest and deleted it, but it keeps reappearing.
I have scheduled two boot-scans which didn't help and also did a quick scan with MBAM.
Quote
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\tm (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java quick start (Trojan.Downloader) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\J\Local Settings\Temp\5.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Temp\8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\jusched.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d3d8thk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
What should I do?

Grateful for any help!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Malware-gen
« Reply #1 on: April 03, 2010, 10:30:10 PM »
So are you saying that it is still coming back?

The TDSS rootkit can be a bit of a pig.

Now you have run MBAM and it reports removing some TDSS rootkit elements, I would run an avast boot-time scan again.

Also try SUPERantispyware (On-Demand only in the free version).
Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie.
A portable version of SAS is also available, http://www.superantispyware.com/portablescanner.html, no installation required.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

micky77

  • Guest
Re: Win32:Malware-gen
« Reply #2 on: April 03, 2010, 10:40:27 PM »

elle_97

  • Guest
Re: Win32:Malware-gen
« Reply #3 on: April 03, 2010, 11:21:18 PM »
I thought I would run MBAM once more (since this log was like 2 days old), before I ran the avast boot-time scan.
Now I have a problem: I realised that MBAM was never able to remove anything during reboot, because every time it was about to reboot it encountered a problem and had to be shut down.

I ran MBAM twice just to be certain and here are the logs:

Quote
Scan type: Quick scan
Objects scanned: 109107
Time elapsed: 8 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Didn’t reboot so I tried again:
Quote
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-04-03 22:56:20
mbam-log-2010-04-03 (22-56-20).txt

Scan type: Quick scan
Objects scanned: 109111
Time elapsed: 2 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Once again, MBAM encountered a problem, had to shut down and didn't reboot.
Suddenly, a "DrWatson Postmortem Debugger" encountered a problem and had to close; I don't really know if this is related, but I've never seen it before.
I also forgot to say that the file name shifts slightly every time, for example:
C:\WINDOWS\TEMP\yorg.tmp\svchost.exe
C:\WINDOWS\TEMP\whug.tmp\svchost.exe

Sorry for writing such a long post without having tried what you wrote, but I thought this could be good to tell you before I do something else.

Edit:
Ran Avast boot-time scan, still get virus warning, now also located in c:\windows\temp\egr.exe.
And now Avast wants to run another boot-time scan.. the last one took like two hours :/

Edit 2:
Ran SAS, which found 360 threats; it removed them all and rebooted, but the problem still remains in:
c:\windows\system32\ymamvrxb.dll

Edit 3:
I ran SAS a second time, and my problem still remains.
@ DavidR: do you have any other suggestions or should I try Tdsskiller and HMPro next?
« Last Edit: April 04, 2010, 02:56:01 PM by elle_97 »
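The two quick-scan logs above both list the same sshnas21.dll as "Delete on reboot", which is what a reboot-stage removal that never completes looks like. As an added example (not part of this thread, and not Malwarebytes' own tooling), here is a small Python parser for the MBAM log layout quoted above; it reads the detail sections of two runs and reports the findings that were deferred to reboot in the first run and are still deferred in the second. The sample logs are constructed from the two quoted logs, trimmed to their detail sections.

```python
import re
from dataclasses import dataclass

# A detail-section header such as "Files Infected:". The summary lines near the
# top of the log ("Files Infected: 3") carry a count after the colon, so they
# deliberately do not match this pattern.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
# One finding line: "<path or registry key> (<detection name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?\s*$")


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    name: str
    action: str

    def key(self):
        # MBAM writes the same path with differing case across runs (c:\ vs C:\),
        # so compare case-insensitively.
        return (self.section, self.path.lower())


def parse_mbam_log(text):
    """Return the Finding entries from the detail sections of one MBAM log."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            findings.append(Finding(section, entry["path"], entry["name"], entry["action"]))
    return findings


def deferred_findings(findings):
    """Findings MBAM could not remove immediately and scheduled for the next reboot."""
    return [f for f in findings if f.action.lower().startswith("delete on reboot")]


def persistent_findings(earlier, later):
    """Findings deferred to reboot in the earlier run that are still deferred in the
    later run, i.e. the reboot-stage removal did not happen or did not take."""
    pending = {f.key() for f in deferred_findings(earlier)}
    return [f for f in deferred_findings(later) if f.key() in pending]


# Constructed sample input: the detail sections of the two quick-scan logs quoted above.
RUN1 = r"""
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

RUN2 = r"""
Memory Modules Infected:
c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
"""

if __name__ == "__main__":
    for f in persistent_findings(parse_mbam_log(RUN1), parse_mbam_log(RUN2)):
        print(f"still pending after reboot: [{f.section}] {f.path} ({f.name})")
```

Run against the two quoted logs, the report names sshnas21.dll twice (once as a loaded module, once as a file), which is the signal that the module is still loaded at every scan and that the reboot-time deletion is not taking effect; a clean second run would return an empty list.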

elle_97

  • Guest
Re: Win32:Malware-gen
« Reply #4 on: April 04, 2010, 03:29:26 PM »
Anybody?  :-[

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Win32:Malware-gen
« Reply #5 on: April 04, 2010, 04:06:13 PM »
OTL
  • Download OTL here
  • Double click the OTL icon to run it
  • The text below in bold:

netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
c:\windows\system32\*.dll /lockedfiles
c:\windows\system32\drivers\*.sys /lockedfiles
%systemroot%\*. /mp /s
CREATERESTOREPOINT

  • Paste it in the Custom Scans box of OTL
  • Click Quick Scan. Do not change the other settings unless you are told to do so
  • Wait until OTL is done scanning. Notepad file(s) will pop up (OTL.txt and Extras.txt). Those are saved in the same location as OTL
  • Please copy all the contents of the notepad files and attach them to your reply respectively
« Last Edit: April 04, 2010, 04:09:00 PM by .: L' arc :. »
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Malware-gen
« Reply #6 on: April 04, 2010, 04:16:02 PM »
Quote
Anybody?  :-[

Did you not try the TDSS Killer link and info given by micky77, as that is most relevant in this case?

If you did try it then post the results.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: Win32:Malware-gen
« Reply #7 on: April 04, 2010, 04:32:18 PM »
Probably won't have anything to say in your case, but the top of your MBAM logs does not show......
so did you scan with the latest MBAM 1.45 and latest malware database 3952?

elle_97

  • Guest
Re: Win32:Malware-gen
« Reply #8 on: April 04, 2010, 08:50:04 PM »
Sorry it took me forever to answer, had just written my reply and was about to press post when the electricity went out  >:(

Ran Tdsskiller and have attached the log.

@ Pondus: Yes, you are right, it seems as though I failed to update MBAM after I installed it, will do so and run it again, followed by avast boot-time scan, hopefully that will help  :)

Edit:
Attached OTL logs
Also seems as though there's something wrong with Explorer since it keeps having to shut down :S

Thanks everybody for taking your time to help
« Last Edit: April 04, 2010, 09:03:28 PM by elle_97 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Malware-gen
« Reply #9 on: April 04, 2010, 09:09:41 PM »
Well, firstly, I'm not familiar with the TDSSKiller logs:

####
16:20:32:296 1892   RegNode HKLM\SYSTEM\ControlSet003\services\Tdsshbecr infected by TDSS rootkit ...
16:20:32:296 1892   will be deleted on reboot

####
16:20:32:296 1892   Driver "mv61xx" infected by TDSS rootkit!
16:20:32:312 1892   File "C:\WINDOWS\system32\DRIVERS\mv61xx.sys" infected by TDSS rootkit ...
16:20:32:312 1892   Processing driver file: C:\WINDOWS\system32\DRIVERS\mv61xx.sys

~~~~
16:20:34:234 1892   Memory objects infected / cured / cured on reboot:   1 / 0 / 0

16:20:34:234 1892   File objects infected / cured / cured on reboot:   2 / 0 / 2

*******
So from the above, TDSSKiller found these and they should hopefully be cured on boot (removal of the infected registry key and file), as is mentioned above.
- Did TDSSKiller reboot, or have you rebooted?

If you run it again, are any of these found again?
If not, run the updated MBAM scan again.

elle_97

  • Guest
Re: Win32:Malware-gen
« Reply #10 on: April 05, 2010, 03:16:59 PM »
I ran the TDSSKiller twice, once last night and once just now. I've attached those logs

Edit:
Forgot to say that MBAM is acting strange, I keep getting the error code "MBAM_ERROR_LOAD_DATABASE (0, 0)"
« Last Edit: April 05, 2010, 03:21:20 PM by elle_97 »

elle_97

  • Guest
Re: Win32:Malware-gen
« Reply #11 on: April 05, 2010, 04:34:36 PM »
Re-installed MBAM, seems to be working now. Here's the log:
Quote
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3956

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-04-05 16:07:06
mbam-log-2010-04-05 (16-07-06).txt

Scan type: Quick scan
Objects scanned: 102767
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\fusjajwt.dat (Rootkit.Agent) -> Quarantined and deleted successfully.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Malware-gen
« Reply #12 on: April 05, 2010, 04:34:37 PM »
Well, it looks like it has only got rid of the infected registry key, not the rootkit file C:\WINDOWS\system32\drivers\mv61xx.sys.

However, the only reference to mv61xx.sys in the OTL logs is in the "modified within the last 14 days" section, see below. Now that says it was modified on 04/04/2010 at 16:23 and is part of (Marvell Semiconductor, Inc.), so do you have any Marvell products? Is this possibly a graphics card, or does this ring any bells?

Quote from: otl-1.txt extract
========== Files - Modified Within 14 Days ==========

[2010-04-04 20:44:24 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-04-04 20:44:24 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010-04-04 20:44:24 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010-04-04 20:40:04 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010-04-04 20:40:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-04-04 20:39:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-04-04 16:23:58 | 000,150,568 | ---- | M] (Marvell Semiconductor, Inc.) -- C:\WINDOWS\System32\drivers\mv61xx.sys

So I did a check on the file name, http://www.google.com/search?q=mv61xx.sys, and many appear to be legit, but that is no guarantee.

Are you actually able to find this file on your system, C:\WINDOWS\System32\drivers\mv61xx.sys?
If it truly were a rootkit, perhaps not. But under normal circumstances you may need to show hidden files and folders, etc.
- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. See image.
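The check DavidR describes, as an added example that is not part of this thread and not OTL's own code: the Python below parses lines in the OTL "Files - Modified Within 14 Days" layout quoted above, keeps the executable files (.sys, .dll, .exe) under the Windows directory, and records for each one the publisher string OTL captured and whether the ordinary file API can see the file right now. That last column is the point of his caveat: a file that a boot-time or offline scanner reports but that is not visible to Explorer or os.path.exists deserves a closer look. The extract is constructed: the mv61xx.sys and system-file lines are copied from the quoted log, while the `example_unsigned.dll` line is a placeholder with invented size and timestamp. `check_exists` defaults to os.path.exists (which only reflects a real Windows system) and can be replaced with a stub for testing.

```python
import os
import re
from dataclasses import dataclass
from datetime import datetime

# One line of the OTL "Files - Modified Within 14 Days" listing:
# [<modified> | <size> | <attrs> | M] (<publisher>) -- <path>
OTL_LINE_RE = re.compile(
    r"^\[(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[A-Z])\] \((?P<publisher>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Extensions that load as code and therefore deserve a closer look.
EXECUTABLE_EXTENSIONS = {".sys", ".dll", ".exe"}


@dataclass
class OtlEntry:
    mtime: datetime
    size: int
    attrs: str
    publisher: str
    path: str


def parse_otl_modified(text):
    """Parse every listing line in the extract; banners and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = OTL_LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(OtlEntry(
            mtime=datetime.strptime(m["mtime"], "%Y-%m-%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            publisher=m["publisher"],
            path=m["path"],
        ))
    return entries


def triage(entries, check_exists=os.path.exists):
    """Executable files under the Windows directory, with the publisher string OTL
    recorded and whether the ordinary file API can see the file right now."""
    report = []
    for e in entries:
        ext = os.path.splitext(e.path)[1].lower()
        if ext not in EXECUTABLE_EXTENSIONS or "\\windows\\" not in e.path.lower():
            continue
        report.append({
            "path": e.path,
            "modified": e.mtime.isoformat(sep=" "),
            "size": e.size,
            "publisher": e.publisher or "<none>",
            "visible": check_exists(e.path),
        })
    return report


# Constructed extract: real lines from the quoted OTL log plus one placeholder DLL.
OTL_EXTRACT = r"""
========== Files - Modified Within 14 Days ==========

[2010-04-04 20:44:24 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-04-04 20:40:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-04-04 20:39:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-04-04 16:23:58 | 000,150,568 | ---- | M] (Marvell Semiconductor, Inc.) -- C:\WINDOWS\System32\drivers\mv61xx.sys
[2010-04-04 16:22:10 | 000,061,440 | ---- | M] () -- C:\WINDOWS\System32\example_unsigned.dll
"""

if __name__ == "__main__":
    for row in triage(parse_otl_modified(OTL_EXTRACT)):
        flag = "" if row["visible"] else "  <-- listed by the scanner but not visible to the file API"
        print(f"{row['modified']}  {row['publisher']:<30} {row['path']}{flag}")
```

The publisher column is the string OTL read from the file's version resource, not a signature check, so a named publisher is a hint to compare against the vendor's known file (size, hash, driver date), not proof the file is genuine; an empty publisher on a driver or DLL in System32 is the kind of entry that gets submitted for analysis.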

elle_97

  • Guest
Re: Win32:Malware-gen
« Reply #13 on: April 05, 2010, 04:44:11 PM »
Yeah found it. Should I run all the programs again and see if they find anything?

elle_97

  • Guest
Re: Win32:Malware-gen
« Reply #14 on: April 05, 2010, 04:52:07 PM »
Also found this, if it is of any interest.