Hello
Any ideas which virus and how to repair?
A week ago my XP Pro SP3 PC caught a virus when opening an innocent-looking website with the Opera browser.
NAV2009 was installed but couldn't stop the attack.
Later NAV reported braviax.exe and several other trojans, which were all removed by NAV2009.
But I still believe that the virus is still there, although NAV doesn't find it anymore.
A folder Windows\temp01 has been created, and now all exe and dll files are copied there when an application has been run.
Most filenames in this folder are unchanged but some have a nasty extension:
ECMSVR32.DLLtЀ汇㩡௷椊
NAVENG32.DLLrࠧఱ汇㕡ᣢ℅
NAVENG32.DLLrࠧఋ敓摔ā
The extension varies, but most applications just can't display the characters correctly, and when copied into MS Word they look like Chinese or something.
I used the Avira Linux-based boot rescue CD for a scan; it found some intrusions but wasn't able to fix anything. An extract of its log:
ALERT: [RKIT/Kobcka.Patched.62633.6] /media/Devices/sda1/WINDOWS/system32/dllcache/ntfs.sys <<< Contains detection pattern of the rootkit RKIT/Kobcka.Patched.62633.6
ALERT: [BDS/Rustock.AN.22] /media/Devices/sda1/WINDOWS/system32/drivers/64a3e1c.sys <<< Contains a detection pattern of the (dangerous) backdoor program BDS/Rustock.AN.22 Backdoor server programs
ALERT: [RKIT/Agent.asn] /media/Devices/sda1/WINDOWS/system32/drivers/rawnut65d70.sys <<< Contains detection pattern of the rootkit RKIT/Agent.asn
ALERT: [RKIT/Kobcka.Patched.62633.6] /media/Devices/sda1/WINDOWS/system32/drivers/ntfs.sys <<< Contains detection pattern of the rootkit RKIT/Kobcka.Patched.62633.6
NTFS.SYS is clean according to NAV2009, and 64a3e1c.sys is hidden or not present under Windows.
Some other files in the folder (750 files in total):
Sysprot Antirootkit fails to display processes; although there is a single user account with admin rights, it still fails to start due to missing admin rights!
I also ran MalwareBytes - it found some crap and removed it, but the temp01 folder is still there and new entries are created.
Any other ideas?
Ok, I managed to start it - just removed it from drive f: to c:. Now checking results.
I'm not sure if Sysprot Antirootkit reveals much - but here it is attached:
rops:
Please attach your Malwarebytes log so we can view it.
Hi
I passed another MalwareBytes full scan, but nothing was found.
I attach here the first run results.
I renamed the windows/temp01 folder, but it was created again and is now again full of exe and dll files.
Imo it's a clear sign that the computer isn't clean.
I checked a few of them at virusscan.jotti.org, but these were stated as clean.
rops wrote:
Ok, I managed to start it - just removed it from drive f: to c:. Now checking results.
Removed what??
Hi
Sysprot.exe failed to start from local drive F:\, as stated in my previous message (with a missing admin rights error), so I moved sysprot.exe to c:, where I was able to run it.
Hi
With you using programs, Linux-based CDs and searching yourself, I have no idea where you are up to.
But the infection looks similar (in part) to the one I removed a week ago. The back-end removal of the leftovers and the logs for it are here, with the swap-over of ntfs.sys: http://homepages.slingshot.co.nz/~crutches/logs/
Quads