Avast detecting Malware Win32:Malware-gen [Solved]



#1
Fredrik H
Member, 10 posts
Hi!
I'm having a very annoying malware/virus of some sort. Avast keeps finding new malware about every 10th minute. It's (almost or every time) a svchost.exe process that's infected, located in the windows\temp folder. Different file every time, moved to the Chest and then I can delete them. I have made a boot scan and didn't find anything.
Sometimes I also get redirected to different web pages, but Avast shuts down the connection.

Malwarebytes' Anti-Malware log and OTL logs are attached as files to the post.

Gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 22:39:27
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Fredrik\AppData\Local\Temp\kfroauob.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C34AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C34104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C343F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1CFB4
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C341DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C34958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C346F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C34F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C351A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8FCD050A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8FCD032E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8FCD0468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 8284F8E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8286F3D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntoskrnl.exe!ZwLoadDriver 829BB124 7 Bytes JMP 8FCD046C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 829FBDF7 5 Bytes JMP 8FCCC4AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!RtlCompareUnicodeStrings + 50C 82A231AA 5 Bytes JMP 8FCCD9E4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 82A6CED5 7 Bytes JMP 8FCD0332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 82AEB7C8 7 Bytes JMP 8FCD050E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9000B000, 0x267978, 0xE8000020]
.text peauth.sys 8FF54C9D 28 Bytes [D5, CA, ED, D3, E6, D9, 17, ...]
.text peauth.sys 8FF54CC1 28 Bytes [D5, CA, ED, D3, E6, D9, 17, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtProtectVirtualMemory 76E65360 5 Bytes JMP 0021000A
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtWriteVirtualMemory 76E65EE0 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[1024] ntdll.dll!KiUserExceptionDispatcher 76E66448 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[1588] ntdll.dll!NtProtectVirtualMemory 76E65360 5 Bytes JMP 002A000A
.text C:\Windows\Explorer.EXE[1588] ntdll.dll!NtWriteVirtualMemory 76E65EE0 5 Bytes JMP 002B000A
.text C:\Windows\Explorer.EXE[1588] ntdll.dll!KiUserExceptionDispatcher 76E66448 5 Bytes JMP 0029000A
.text C:\Program Files\Firefox\firefox.exe[3884] ntdll.dll!NtProtectVirtualMemory 76E65360 5 Bytes JMP 0039000A
.text C:\Program Files\Firefox\firefox.exe[3884] ntdll.dll!NtWriteVirtualMemory 76E65EE0 5 Bytes JMP 0048000A
.text C:\Program Files\Firefox\firefox.exe[3884] ntdll.dll!KiUserExceptionDispatcher 76E66448 5 Bytes JMP 0037000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8567BAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7B2F737E-77F0-4842-9816-C8D07ADF84B6}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B2F737E-77F0-4842-9816-C8D07ADF84B6}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B2F737E-77F0-4842-9816-C8D07ADF84B6}@Path \Microsoft\Windows Defender\MP Scheduled Scan
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B2F737E-77F0-4842-9816-C8D07ADF84B6}@Triggers 0x15 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B2F737E-77F0-4842-9816-C8D07ADF84B6}@DynamicInfo 0x03 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows Defender\MP Scheduled Scan@Id {7B2F737E-77F0-4842-9816-C8D07ADF84B6}

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----






This is a log from Avast FileSystemShield:


* avast! Realtidsskydd Skanningsrapport
* Denna fil har genererats automatiskt
*
* Startade: den 12 april 2010 23:13:30
*

*
* avast! Realtidsskydd Skanningsrapport
* Denna fil har genererats automatiskt
*
* Startade: den 13 april 2010 01:47:42
*

*
* avast! Realtidsskydd Skanningsrapport
* Denna fil har genererats automatiskt
*
* Startade: den 13 april 2010 09:36:37
*

2010-04-13 09:41:23 C:\Windows\Temp\ovxe.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 09:46:30 C:\Windows\Temp\iiqo.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 09:47:10 C:\Windows\Temp\Igp.exe [L] Win32:Crypt-GDV [Trj] (0)
Filen flyttad till karantän...
2010-04-13 09:47:21 C:\Windows\Temp\Igp.exe [L] Win32:Crypt-GDV [Trj] (0)
Filen flyttad till karantän...
2010-04-13 09:47:24 C:\Windows\Temp\Igp.exe [L] Win32:Rootkit-gen [Rtk] (0)
Filen flyttad till karantän...
2010-04-13 09:47:29 C:\Windows\Temp\Igp.exe [L] Win32:Rootkit-gen [Rtk] (0)
Filen flyttad till karantän...
2010-04-13 09:47:32 C:\Windows\Temp\Igp.exe [L] Win32:Crypt-GDV [Trj] (0)
Filen flyttad till karantän...
2010-04-13 09:47:36 C:\Windows\Temp\Igp.exe [L] Win32:Crypt-GDV [Trj] (0)
Filen flyttad till karantän...
2010-04-13 09:52:01 C:\Windows\Temp\oyqg.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 09:57:08 C:\Windows\Temp\bgdn.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:02:18 C:\Windows\Temp\dwbi.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:07:25 C:\Windows\Temp\pfox.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:12:34 C:\Windows\Temp\rbri.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:17:43 C:\Windows\Temp\mwxj.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:22:50 C:\Windows\Temp\fhfd.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:28:10 C:\Windows\Temp\ounl.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:33:41 C:\Windows\Temp\nhxw.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:38:49 C:\Windows\Temp\gcpp.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:43:59 C:\Windows\Temp\qyxr.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:49:06 C:\Windows\Temp\lmjj.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:54:13 C:\Windows\Temp\lkny.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 10:59:19 C:\Windows\Temp\uiit.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:04:28 C:\Windows\Temp\ogds.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:09:38 C:\Windows\Temp\evra.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:14:47 C:\Windows\Temp\bxxt.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:19:53 C:\Windows\Temp\xuyh.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:24:59 C:\Windows\Temp\qakm.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:30:06 C:\Windows\Temp\mlpy.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:35:13 C:\Windows\Temp\fipu.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:40:27 C:\Windows\Temp\rara.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:45:35 C:\Windows\Temp\onhb.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:50:42 C:\Windows\Temp\nuuh.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 11:55:52 C:\Windows\Temp\rycs.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 12:01:05 C:\Windows\Temp\xijs.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 12:06:12 C:\Windows\Temp\kmhf.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 12:11:19 C:\Windows\Temp\vqdf.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 12:16:28 C:\Windows\Temp\dlck.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...
2010-04-13 12:21:34 C:\Windows\Temp\cqto.tmp\svchost.exe [L] Win32:Malware-gen (0)
Filen flyttad till karantän...

If anyone wonders, it's in Swedish.
Translation: "Filen flyttad till karantän" = File moved to chest.

Hope anyone can help me out here.
Best regards
Fredrik Hultman

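The pattern Fredrik describes (a fresh svchost.exe quarantined from a random Windows\Temp subfolder every five minutes) is itself the indicator: the file shield removes copies, but whatever writes them is still running. The following is an added example, not from the thread or from avast!, that parses log lines in the FileSystemShield format shown above and flags such periodic re-drops; the sample lines are constructed from the posted entries.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in the format of the posted avast! FileSystemShield
# log (a subset of the entries shown above; the Swedish status line means
# "File moved to quarantine...").
SAMPLE_LOG_LINES = [
    r"2010-04-13 09:41:23 C:\Windows\Temp\ovxe.tmp\svchost.exe [L] Win32:Malware-gen (0)",
    "Filen flyttad till karantän...",
    r"2010-04-13 09:46:30 C:\Windows\Temp\iiqo.tmp\svchost.exe [L] Win32:Malware-gen (0)",
    "Filen flyttad till karantän...",
    r"2010-04-13 09:47:10 C:\Windows\Temp\Igp.exe [L] Win32:Crypt-GDV [Trj] (0)",
    "Filen flyttad till karantän...",
    r"2010-04-13 09:47:24 C:\Windows\Temp\Igp.exe [L] Win32:Rootkit-gen [Rtk] (0)",
    "Filen flyttad till karantän...",
    r"2010-04-13 09:52:01 C:\Windows\Temp\oyqg.tmp\svchost.exe [L] Win32:Malware-gen (0)",
    "Filen flyttad till karantän...",
    r"2010-04-13 09:57:08 C:\Windows\Temp\bgdn.tmp\svchost.exe [L] Win32:Malware-gen (0)",
    "Filen flyttad till karantän...",
]

# timestamp, path, [flag], detection name, (count)
DETECTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<path>\S+) \[(?P<flag>[A-Z])\] (?P<name>.+?) \(\d+\)$"
)
# a directory component such as \ovxe.tmp\ (random name per drop)
RANDOM_TMP_DIR_RE = re.compile(r"\\[^\\]+\.tmp\\")


def parse_detections(lines):
    """Return (timestamp, path, detection name) for each detection line.
    Quarantine status lines carry no new information and are skipped."""
    out = []
    for line in lines:
        m = DETECTION_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("path"), m.group("name")))
    return out


def normalise_path(path):
    """Collapse the per-drop random directory so every copy of the payload
    maps to one pattern, e.g. c:\\windows\\temp\\<rand>.tmp\\svchost.exe."""
    return RANDOM_TMP_DIR_RE.sub(lambda _m: "\\<rand>.tmp\\", path).lower()


def find_respawning_payloads(lines, min_hits=3, max_median_gap_s=600):
    """Group detections by normalised path and flag patterns that recur at
    short, regular intervals. Quarantine is then only treating the symptom:
    the component re-creating the file (in this thread a rootkit-hooked
    driver and a hidden service) has to be found and removed."""
    groups = defaultdict(list)
    for ts, path, name in parse_detections(lines):
        groups[normalise_path(path)].append((ts, name))
    findings = []
    for pattern, hits in groups.items():
        hits.sort()
        if len(hits) < min_hits:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        med = median(gaps)
        if med <= max_median_gap_s:
            findings.append({
                "pattern": pattern,
                "hits": len(hits),
                "median_gap_s": med,
                "names": sorted({n for _, n in hits}),
            })
    return findings


if __name__ == "__main__":
    for f in find_respawning_payloads(SAMPLE_LOG_LINES):
        print(f"{f['pattern']}: {f['hits']} hits, median gap "
              f"{f['median_gap_s']:.0f}s, {f['names']}")
```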
#2
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
Hi there

Two programmes for you to run

FIRST

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive
  • Reboot your computer
  • Please post the contents of that log

SECOND

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3
Fredrik H
Topic Starter, Member, 10 posts
Thanks for the really fast response. But it seems like I'm not able to scan with ComboFix; it starts scanning and gets to around 42, 43 and then the computer "crashes". A blue screen (of death?) appears, I'm not sure, but I think it said something about an attempt to write to read-only memory.

The log from TDSSkiller:

23:57:55:227 1216 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
23:57:55:227 1216 ================================================================================
23:57:55:227 1216 SystemInfo:

23:57:55:227 1216 OS Version: 6.1.7600 ServicePack: 0.0
23:57:55:227 1216 Product type: Workstation
23:57:55:228 1216 ComputerName: FREDRIKHULTMAN
23:57:55:234 1216 UserName: Fredrik
23:57:55:235 1216 Windows directory: C:\Windows
23:57:55:235 1216 Processor architecture: Intel x86
23:57:55:235 1216 Number of processors: 2
23:57:55:235 1216 Page size: 0x1000
23:57:55:240 1216 Boot type: Normal boot
23:57:55:240 1216 ================================================================================
23:57:55:253 1216 UnloadDriverW: NtUnloadDriver error 2
23:57:55:253 1216 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:57:55:553 1216 wfopen_ex: Trying to open file C:\Windows\system32\config\system
23:57:55:553 1216 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:57:55:553 1216 wfopen_ex: Trying to KLMD file open
23:57:55:553 1216 wfopen_ex: File opened ok (Flags 2)
23:57:55:570 1216 wfopen_ex: Trying to open file C:\Windows\system32\config\software
23:57:55:570 1216 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:57:55:570 1216 wfopen_ex: Trying to KLMD file open
23:57:55:570 1216 wfopen_ex: File opened ok (Flags 2)
23:57:55:581 1216 Initialize success
23:57:55:581 1216
23:57:55:583 1216 Scanning Services ...
23:57:56:973 1216 Raw services enum returned 444 services
23:57:57:004 1216
23:57:57:005 1216 Scanning Kernel memory ...
23:57:57:008 1216 Devices to scan: 2
23:57:57:008 1216
23:57:57:008 1216 Driver Name: atapi
23:57:57:008 1216 IRP_MJ_CREATE : 8377B8C4
23:57:57:008 1216 IRP_MJ_CREATE_NAMED_PIPE : 828C8359
23:57:57:008 1216 IRP_MJ_CLOSE : 8377B8C4
23:57:57:008 1216 IRP_MJ_READ : 828C8359
23:57:57:008 1216 IRP_MJ_WRITE : 828C8359
23:57:57:008 1216 IRP_MJ_QUERY_INFORMATION : 828C8359
23:57:57:009 1216 IRP_MJ_SET_INFORMATION : 828C8359
23:57:57:009 1216 IRP_MJ_QUERY_EA : 828C8359
23:57:57:009 1216 IRP_MJ_SET_EA : 828C8359
23:57:57:009 1216 IRP_MJ_FLUSH_BUFFERS : 828C8359
23:57:57:009 1216 IRP_MJ_QUERY_VOLUME_INFORMATION : 828C8359
23:57:57:009 1216 IRP_MJ_SET_VOLUME_INFORMATION : 828C8359
23:57:57:009 1216 IRP_MJ_DIRECTORY_CONTROL : 828C8359
23:57:57:009 1216 IRP_MJ_FILE_SYSTEM_CONTROL : 828C8359
23:57:57:009 1216 IRP_MJ_DEVICE_CONTROL : 8376747C
23:57:57:009 1216 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8376744E
23:57:57:009 1216 IRP_MJ_SHUTDOWN : 828C8359
23:57:57:009 1216 IRP_MJ_LOCK_CONTROL : 828C8359
23:57:57:010 1216 IRP_MJ_CLEANUP : 828C8359
23:57:57:010 1216 IRP_MJ_CREATE_MAILSLOT : 828C8359
23:57:57:010 1216 IRP_MJ_QUERY_SECURITY : 828C8359
23:57:57:010 1216 IRP_MJ_SET_SECURITY : 828C8359
23:57:57:010 1216 IRP_MJ_POWER : 837674AA
23:57:57:010 1216 IRP_MJ_SYSTEM_CONTROL : 83776DB2
23:57:57:010 1216 IRP_MJ_DEVICE_CHANGE : 828C8359
23:57:57:010 1216 IRP_MJ_QUERY_QUOTA : 828C8359
23:57:57:010 1216 IRP_MJ_SET_QUOTA : 828C8359
23:57:57:028 1216 C:\Windows\system32\DRIVERS\atapi.sys - Verdict: 1
23:57:57:028 1216
23:57:57:028 1216 Driver Name: atapi
23:57:57:028 1216 IRP_MJ_CREATE : 8567BAC8
23:57:57:028 1216 IRP_MJ_CREATE_NAMED_PIPE : 8567BAC8
23:57:57:028 1216 IRP_MJ_CLOSE : 8567BAC8
23:57:57:028 1216 IRP_MJ_READ : 8567BAC8
23:57:57:029 1216 IRP_MJ_WRITE : 8567BAC8
23:57:57:029 1216 IRP_MJ_QUERY_INFORMATION : 8567BAC8
23:57:57:029 1216 IRP_MJ_SET_INFORMATION : 8567BAC8
23:57:57:029 1216 IRP_MJ_QUERY_EA : 8567BAC8
23:57:57:029 1216 IRP_MJ_SET_EA : 8567BAC8
23:57:57:029 1216 IRP_MJ_FLUSH_BUFFERS : 8567BAC8
23:57:57:029 1216 IRP_MJ_QUERY_VOLUME_INFORMATION : 8567BAC8
23:57:57:029 1216 IRP_MJ_SET_VOLUME_INFORMATION : 8567BAC8
23:57:57:029 1216 IRP_MJ_DIRECTORY_CONTROL : 8567BAC8
23:57:57:029 1216 IRP_MJ_FILE_SYSTEM_CONTROL : 8567BAC8
23:57:57:029 1216 IRP_MJ_DEVICE_CONTROL : 8567BAC8
23:57:57:029 1216 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8567BAC8
23:57:57:029 1216 IRP_MJ_SHUTDOWN : 8567BAC8
23:57:57:030 1216 IRP_MJ_LOCK_CONTROL : 8567BAC8
23:57:57:030 1216 IRP_MJ_CLEANUP : 8567BAC8
23:57:57:030 1216 IRP_MJ_CREATE_MAILSLOT : 8567BAC8
23:57:57:030 1216 IRP_MJ_QUERY_SECURITY : 8567BAC8
23:57:57:030 1216 IRP_MJ_SET_SECURITY : 8567BAC8
23:57:57:030 1216 IRP_MJ_POWER : 8567BAC8
23:57:57:030 1216 IRP_MJ_SYSTEM_CONTROL : 8567BAC8
23:57:57:030 1216 IRP_MJ_DEVICE_CHANGE : 8567BAC8
23:57:57:030 1216 IRP_MJ_QUERY_QUOTA : 8567BAC8
23:57:57:030 1216 IRP_MJ_SET_QUOTA : 8567BAC8
23:57:57:030 1216 Driver "atapi" infected by TDSS rootkit!
23:57:57:038 1216 C:\Windows\system32\DRIVERS\atapi.sys - Verdict: 1
23:57:57:038 1216 File "C:\Windows\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
23:57:57:039 1216 Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
23:57:57:426 1216 vfvi6
23:57:57:630 1216 dsvbh1
23:57:57:909 1216 fdfb1
23:57:57:909 1216 Backup copy found, using it..
23:57:57:942 1216 will be cured on next reboot
23:57:57:944 1216 Reboot required for cure complete..
23:57:57:979 1216 Cure on reboot scheduled successfully
23:57:57:979 1216
23:57:57:980 1216 Completed
23:57:57:982 1216
23:57:57:983 1216 Results:
23:57:57:984 1216 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
23:57:57:985 1216 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:57:57:986 1216 File objects infected / cured / cured on reboot: 1 / 0 / 1
23:57:57:987 1216
23:57:57:988 1216 fclose_ex: Trying to close file C:\Windows\system32\config\system
23:57:57:990 1216 fclose_ex: Trying to close file C:\Windows\system32\config\software
23:57:57:990 1216 UnloadDriverW: NtUnloadDriver error 1
23:57:57:995 1216 KLMD(ARK) unloaded successfully

#4
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
OK, then let's run OTS and see what that reveals to me. Has Avast stopped alerting?

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#5
Fredrik H
Topic Starter, Member, 10 posts
I have now run OTS and the log is attached on my post.
It does look like I'm clean now; Avast has stopped warning/finding malware. So either I'm clean or the virus has got smarter, let's hope for the first option :)

Please have a look in the OTS log and see if you can hint at a virus; if not, I thank you a lot.

This is by far my best experience of support, and this isn't even your firsthand job, that's truly amazing!

Attached Files

  • Attached File  OTS.Txt   140.4KB   203 downloads


#6
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts

This is by far my best experience of support, and this isn't even your firsthand job, that's truly amazing!

We aim to please

Could you now retry combofix for me please, to ensure that nothing is hidden. Subject to the results of that all looks good

#7
Fredrik H
Topic Starter, Member, 10 posts
I managed to run ComboFix in failsafe mode. It looks like it found that c:\windows\system32\dbghlp.dll is infected.
I attach the ComboFix log to my reply.


#8
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
There is also a net service to remove. This will be in two parts: first I will remove the few that are left, then I will need to find another copy of that file.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

NetSvcs::
uvwsbdkg

Driver::
uvwsbdkg

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .

THEN

  • Run OTS. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in


    /md5start
    dbghlp.dll
    /md5stop

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window. OTS.Txt
  • Attach that log please


#9
Fredrik H
Topic Starter, Member, 10 posts
Here is the latest ComboFix log and OTS log.


#10
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
OK, that is good - it looks like the file was hooked by the net service we removed, thankfully, as there was no spare copy of that file.

How is your computer behaving now - any problems?

#11
Fredrik H
Topic Starter, Member, 10 posts
It behaves as before the infection. No warnings of malware, nothing in the chest, no signs of infection.
I had a redirect before, but nothing now for a long time.

So far it looks good.
Thank you so much for your help!

Do you have any tips for the future? I mean, I have antivirus, and always scan downloaded files. Maybe I had bad luck this time? It's a long time since I had a virus before...

Best regards
Fredrik H

#12
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
It probably came from a drive by download. Normally Avast is good at stopping those, but malware changes

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)

#13
Fredrik H
Topic Starter, Member, 10 posts
I followed your last instructions, cleaning up the tools. But I'm keeping Malwarebytes, it looks like a useful program.

For the coming days I'll be extra aware of signs of malware, and if I suspect I'm still infected, I'll let you know :)

And again, thanks for everything, and for your really fast response!

Best regards
Fredrik H.

#14
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
My pleasure - keep safe now

#15
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.