Avast "Protection".

[Seth]

As I write this, I have a lappy in my shop that is undergoing disinfection. It was running Avast which is soon to be removed. It would start in Safe Mode, but Normal Mode gave a brief BSOD and restarted. I slaved the drive and ran sas. Check this out (note the rootkits and driver infection):

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 11/27/2007 at 11:32 AM

Application Version : 3.9.1008

Core Rules Database Version : 3351

Trace Rules Database Version: 1350

Scan type : Complete Scan

Total Scan Time : 00:16:24

Memory items scanned : 437

Memory threats detected : 0

Registry items scanned : 4862

Registry threats detected : 0

File items scanned : 15204

File threats detected : 42

Trojan.IBM/Shell

D:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00001.DLL

D:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00002.DLL

D:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00003.DLL

Trojan.Downloader-Gen/WinAble-Installer

D:\PROGRAM FILES\TEMPORARY\WININSTALL.EXE

Trojan.Net-Winable

D:\PROGRAM FILES\WINABLE\WINABLE.EXE

Rootkit.Rustock/Arp1349

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0018295.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0019299.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0021295.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0023285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0025285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0027285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0029285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0031285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0033285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0035285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0037285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0039285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0041285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0043285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0045285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0047285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0049285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0051285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0053285.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0056294.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0058298.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0059298.SYS

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0061298.SYS

D:\WINDOWS\SYSTEM32\DRIVERS\ASWTDI.SYS

Trojan.Downloader-Gen/MROFINU

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0018304.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0019301.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0021298.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0054291.EXE

D:\WINDOWS\MROFINU390.EXE.TMP

Trojan.Downloader-Gen/Installer

D:\WINDOWS\B122.EXE

Trojan.Downloader-Gen/MROFIN

D:\WINDOWS\MROFINU390.EXE

Trojan.Downloader-2JZ/Slow

D:\WINDOWS\SYSTEM32\DRIVERS\RUNTIME.SYS

Rootkit.RunTime2

D:\WINDOWS\SYSTEM32\DRIVERS\RUNTIME2.SYS

Trojan.XPDX-Rootkit

D:\WINDOWS\SYSTEM32\XPDX.SYS

Trojan.Net-StartDrv/DH

D:\WINDOWS\TEMP\STARTDRV.EXE

Trojan.Downloader-Gen/WSUSUPD

D:\WSUSUPD.EXE

Trace.Known Threat Sources

D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN2DOT6B\17PHolmes[2].cmd

I just installed the drive back into the lappy and it boots up now. I'm currently running a new scan.

BTW- I disinfect anywhere from 6 to 10 computers a week using SAS. Of those, the majority are running Norton, AVG, or Mcafee.

_________________

Proud SAS reseller.

[fatdcuk]

Hey Seth ,

IBM0000(1-3).DLL is a Sinowal trojan.It is a password logger

You will need to advise your client to change all PW's across the board.Both on the computer and in general PC use if they do anything data sensitive from that machine.

[Seth]

Hey Seth ,

IBM0000(1-3).DLL is a Sinowal trojan.It is a password logger

You will need to advise your client to change all PW's across the board.Both on the computer and in general PC use if they do anything data sensitive from that machine.

Already done

Thanks for the reply fatdcuk.

[char971]

I downloaded the free version of SAS and found it to find more things than other software. However, I just recently found malware on my computer. The two files I know of are "mrofinu1001186.exe" and "17PHolmes1001186.exe". I did extensive research online and found this post that specifically states that the "mrofinu*.exe" and the "17PHolmes*.exe" were found using SAS (as stated above). So I did a full scan with SAS and it did not detect either. Mind you, this scan took over 6 hours. I figured I had to buy the full version because I did a full scan and SAS still did NOT DETECT them!!!! Was this post just a trick to get people to purchase the software?

The only other information I can find on these files is that there is no use trying to recover anything and I need to reformat my hard drive & reload WinXP.

Please, any advise would be greatly appreciated.

[fatdcuk]

No tricks here but hold the phone on the R&R as there is no need

SAS free has the identical detection and removal abilities of SAS Pro.They use the same scanning engine and same target definitions;)

Nowadays when malware files are imported from their source the md5 checksum is altered regulary(some cases each unique download and others daily/couple of days)but net result is a *new* file=new variant

This the causes the age old problem for md5 scanners when they don't know new variant,they won't detect or remove it despite the filename being a known offender or at least a rehash of known bad file name.

Next up i would suggest contacting SAS support they will have you run their diagnostic tool to lift these unknown variants and subsequently update their target definitions to detect and remove your variants

https://www.superantispyware.com/csrcreateticket.html

*Leave a link back to this topic in your support ticket so SAS hq have background information*

HTH:)

[char971]

Thanks for the information. I did sent a ticket. I just checked & did gete the response to run the online tool to send the information. I'll repost once I have more info. Thanks!

[infosponge]

Hi char971,

What I noticed is that your definitions 3351 (core) and 1351 (trace) are ancient. Current definitions are 3432 / 1424

You might also like tto upgrade the program itself to version 4.01154 as the new one is significantly superior to V3.9.

Hope this helps.

[infosponge]

Sorry char971,

I meant to respond to Seth's post.

Seth, I think you know what you're doing so I suppose you have your reasons for running 3.9 and the old definitions.

I would be interested in knowing what your strategy is.

[infosponge]

Seth,

Forget it!

I see I was referencing an old post from last November.

Sorry about that REALLY!

I wasn't paying attention, this is probably an SAS first!

[char971]

I'm running the most recent core & trace, but I'm having a problem downloading the very newest version. It keeps hanging. However, I did another scan and it found them, said it removed them, rebooted, and they are back. Now I have two instances of 17PHolmes1001186.exe running. I'm running yet another scan. I could live with it right now, but it has destroyed my printers. I cannot print anything. I have 3 printers (Brother MFC-7220, Epson CX-4600, HP Photosmart). I use the Brother EVERY DAY as this is my laser. I have deleted all my printers & drivers, and tried to reinstall my Brother from CD, but it will not print. It was working fine up until 4/4 when I noticed the malware and tried to manually delete it. Any suggestions on my printer????

I found another web site that specifically stated that since this malware attacks all files, I have to reformat & reload windows. I bought this laptop used and do not have ANY cds, so I'd have to go out & buy WinXP. I don't have a current backup of my data files, and I prepare taxes. I have not finished printing my clients tax files yet, and am running out of time. I don't want to print them to pdf & print them somewhere else as this might infect another computer. Also, after I read that post, I did a search for files that were modified/created on 4/5/08-4/5/08. I finally stopped the search after it found 15,000 + files.

I am desparately in need of advise. Can this malware be removed, or do I need to reformat my drive & loose all my data? Also, does anyone know the origin? Is it attached to an email attachment, to software? If so, what? My daughter (12) gets on my laptop every know and then so I just want to see if this may have been a culprit of something she did, or myself.

Thanks!

[SUPERAntiSpy]

Submit a support request here and we can run a custom diagnostic and find out what the problem is:

https://www.superantispyware.com/support.html

[char971]

Ok. I did the diagnostis 3 days ago (Saturday) and it says to wait 24 hours for a response. I have received NO response. I'm getting a little upset. I have tried several "removal" procedures including downloading all kinds of software (CWShredder, Spybot, Ad-Aware, RogueRemover, AVG Anti-Spyware, AVG Anti-Virus Software, plus the full version of SAS) and now I can no longer log into my computer in regular mode, only safe mode. Can I post a "HiJack This" log and get some help? As stated, its been 3 DAYS since I did the diagnostic & have received NO response from tech support yet.

[SUPERAntiSpy]

Ok. I did the diagnostis 3 days ago (Saturday) and it says to wait 24 hours for a response. I have received NO response. I'm getting a little upset. I have tried several "removal" procedures including downloading all kinds of software (CWShredder, Spybot, Ad-Aware, RogueRemover, AVG Anti-Spyware, AVG Anti-Virus Software, plus the full version of SAS) and now I can no longer log into my computer in regular mode, only safe mode. Can I post a "HiJack This" log and get some help? As stated, its been 3 DAYS since I did the diagnostic & have received NO response from tech support yet.

You submitted your diagnostic SUNDAY at 6:25 AM (Pacific Standard Time) - our technicians analyzed the diagnostic yesterday and updated our definitions to remove the few traces you had left over from the Vundo infection - your real-time protection was also turned OFF, and that's likely why you got infected in the first place.

Before you post statements like "It's been 3 DAYS", etc. - make sure you have your facts straight -it's been under 48 hours - we analyzed your diagnostic within 24 hours of you submitting it.

Check for definition updates and re-scan your system.

[char971]

Ok. I thought I got rid of 17PHolmes, etc., but it is now back. I think there were still traces that were dormant on my computer. My niece has been on it and ever since she was "playing" with her myspace, etc,. etc., I started getting all kinds of pop ups which I was not getting. Next thing you know, I do a control+alt+del to see what's running & there they are! 17pholmes1001186.exe is back. I tried running SAS but when I reloaded everything on my computer, I apparently only have the free version again and need my license number. I sent a request for it last night and am awaiting a response. However, my email is changed. It USED to be char971@comcast.net, but I am switching to verizon. In the meantime, I'm using a yahoo account which is outdoorgirl971@yahoo.com.

I need some help again to try to get this thing off my computer. I did what was said before, with no luck. Last time I couldn't get into windows except for safe mode and it appeared that after running all the anti-spyware & anti-virus programs that it was gone so I just reloaded windows. But my computer has never been right since. So I don't think it actually got rid of it the first time.

BIG PROBLEM I HAVE is that my laptop does not have any CD/DVD or floppy drives, only USB so I CANNOT BOOT FROM a CD or floppy. I would love to reformat my hard drive and just start over, but I cannot boot from an external drive apparently. Even if I select in my BIOS to run from USB storage, it does not recognize it.

HELP

[Pandato]

Please do not double post if you have already submitted a support request as it doubles our work to respond to both.

It sounds like this may be a re-infection if your niece has been on your machine. As it has been since April, the infection may have changed. Check that the version you are using is the latest and that the definitions are current. Provide that information in your support ticket, thanks