7 Gold

Re: Malware returned, please help

Please submit a sample of these files to Virus Total --
http://www.virustotal.com/en/indexf.html

c:\windows\system32\drivers\SndTVideo.sys
c:\windows\system32\drivers\SndTAudio.sys


At the top of the page you will see:
Select file>Browse>Send
Just follow the prompts.
The submission will then be tested against many different AV vendors’ scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.



Windows Insider MVP 2016 - Present

Microsoft MVP - Consumer Security 2006-2016

Social Media and Community Professional

0 Kudos
Evasa
1 Copper

Re: Malware returned, please help

SndTVideo.sys:

File SndTVideo.sys received on 12.14.2008 16:08:11 (CET)
Current status: finished
Result: 1/38 (2.64%)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.12.2 2008.12.14 -
AntiVir 7.9.0.45 2008.12.12 -
Authentium 5.1.0.4 2008.12.13 -
Avast 4.8.1281.0 2008.12.13 -
AVG 8.0.0.199 2008.12.14 -
BitDefender 7.2 2008.12.14 -
CAT-QuickHeal 10.00 2008.12.13 -
ClamAV 0.94.1 2008.12.14 -
Comodo 749 2008.12.13 -
DrWeb 4.44.0.09170 2008.12.14 -
eSafe 7.0.17.0 2008.12.14 -
eTrust-Vet 31.6.6258 2008.12.12 -
Ewido 4.0 2008.12.14 -
F-Prot 4.4.4.56 2008.12.13 -
F-Secure 8.0.14332.0 2008.12.14 -
Fortinet 3.117.0.0 2008.12.14 -
GData 19 2008.12.14 -
Ikarus T3.1.1.45.0 2008.12.14 -
K7AntiVirus 7.10.553 2008.12.13 -
Kaspersky 7.0.0.125 2008.12.14 -
McAfee 5463 2008.12.13 -
McAfee+Artemis 5463 2008.12.13 -
Microsoft 1.4205 2008.12.14 -
NOD32 3689 2008.12.14 -
Norman 5.80.02 2008.12.12 -
Panda 9.0.0.4 2008.12.14 -
PCTools 4.4.2.0 2008.12.14 -
Prevx1 V2 2008.12.14 -
Rising 21.07.62.00 2008.12.14 -
SecureWeb-Gateway 6.7.6 2008.12.12 -
Sophos 4.36.0 2008.12.14 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.14 -
TheHacker 6.3.1.4.187 2008.12.13 -
TrendMicro 8.700.0.1004 2008.12.12 -
VBA32 3.12.8.10 2008.12.13 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2008.12.12.1515 2008.12.12 -
VirusBuster 4.5.11.0 2008.12.14 -
Additional information
File size: 3768 bytes
MD5...: de155a93101b1a0e590ab8d6c795b872
SHA1..: e0480ce2818da0894b724170a53fa81cd962f0eb
SHA256: 23ed90bf964a3cea203b3c9c5455e3073670c82fb570f37e58bc6921b053837e
SHA512: 1c6add7beff97f272e5232f58ff2d353a4d04a3e0808b692df1fcb8751afa8e2
6bf99afdd9e6440f443e42825323cb1eda171fc9046704040108992857ed2559
ssdeep: 48:qYHokic+2JgLFCkmHKkjbhJkoEjKDfnXthPsQCdjonSay+yW:mczpjIKDfnXt
h3CdjGy+y
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10362
timedatestamp.....: 0x491d4a8b (Fri Nov 14 09:53:15 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0xdc 0x100 4.66 cbe461c87f3bfe4adb1eaf7170c1fd8a
.rdata 0x400 0x96 0x100 3.11 0e62875417f47da53dbaaa600e2d5fb0
INIT 0x500 0xb0 0x100 2.97 9418448320ab430939fcc31a4a6b9716
.rsrc 0x600 0x3a8 0x400 3.11 6459b1437c49842e0c41e10082f8d41a
.reloc 0xa00 0x24 0x80 1.19 dff249b3e33b2509e2d12bfe815f88fb

( 2 imports )
> ntoskrnl.exe: KeQueryInterruptTime
> VIDEOPRT.SYS: VideoPortZeroMemory, VideoPortInitialize

( 0 exports )

 

SndTAudio.sys:

File SndTAudio.sys received on 12.14.2008 16:13:15 (CET)
Current status: finished
Result: 1/37 (2.71%)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.12.2 2008.12.14 -
AntiVir 7.9.0.45 2008.12.12 -
Authentium 5.1.0.4 2008.12.13 -
Avast 4.8.1281.0 2008.12.13 -
AVG 8.0.0.199 2008.12.14 -
BitDefender 7.2 2008.12.14 -
CAT-QuickHeal 10.00 2008.12.13 -
ClamAV 0.94.1 2008.12.14 -
Comodo 749 2008.12.13 -
DrWeb 4.44.0.09170 2008.12.14 -
eSafe 7.0.17.0 2008.12.14 -
eTrust-Vet 31.6.6258 2008.12.12 -
Ewido 4.0 2008.12.14 -
F-Prot 4.4.4.56 2008.12.13 -
F-Secure 8.0.14332.0 2008.12.14 -
Fortinet 3.117.0.0 2008.12.14 -
GData 19 2008.12.14 -
Ikarus T3.1.1.45.0 2008.12.14 -
K7AntiVirus 7.10.553 2008.12.13 -
Kaspersky 7.0.0.125 2008.12.14 -
McAfee 5463 2008.12.13 -
McAfee+Artemis 5463 2008.12.13 -
Microsoft 1.4205 2008.12.14 -
NOD32 3689 2008.12.14 -
Norman 5.80.02 2008.12.12 -
Panda 9.0.0.4 2008.12.14 -
Prevx1 V2 2008.12.14 -
Rising 21.07.62.00 2008.12.14 -
SecureWeb-Gateway 6.7.6 2008.12.12 -
Sophos 4.36.0 2008.12.14 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.14 -
TheHacker 6.3.1.4.187 2008.12.13 -
TrendMicro 8.700.0.1004 2008.12.12 -
VBA32 3.12.8.10 2008.12.13 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2008.12.12.1515 2008.12.12 -
VirusBuster 4.5.11.0 2008.12.14 -
Additional information
File size: 23096 bytes
MD5...: 9b6771c9451d8009a70a776bd5a3758f
SHA1..: dc5bf8062d24761e385bdaaa08f0ec83a1e12804
SHA256: aef6709e539a20f96209244ac5f7790ecd9aaf98ad8ee4eebf90b8834542d324
SHA512: 742aece76cddfde2cd0d968b4e1d4fc94414f1aa1169e40cee64bcb94ef9ae76
7d201832c1135c70a600d48af5fb47d330f0ff512daf0bb3d5d67ed8790cb9f3
ssdeep: 384:PGDCWfWc921mSMY6NrWN1/+w+PZX08pdC2tulft5EaUWdYjqg42sI5IDfXT3
8:KCuWw21mSYK1mXLQlfE3rs2o3
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x17067
timedatestamp.....: 0x491d4a8f (Fri Nov 14 09:53:19 2008)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1b0e 0x1c00 5.90 86a294ecb256713e900372f34992ed69
.rdata 0x3000 0x68c 0x800 4.85 2146797d6d7c872ecfaf8e7855e2f206
.data 0x4000 0x78c 0x600 2.45 973e89da7261e69b49d552abeae56fa6
PAGE 0x5000 0x18c6 0x1a00 6.12 a9ef58d1efdf99a0aade03005361707a
INIT 0x7000 0x5ea 0x600 5.40 e7182d486cf6e1f51f13162bfc38e42b
.rsrc 0x8000 0x3d0 0x400 3.25 5bfe7329489695278db3de63c84be8fd
.reloc 0x9000 0x3be 0x400 5.49 62b33859764ee112ddba64229f5edd5c

( 3 imports )
> ntoskrnl.exe: ExAllocatePoolWithTag, ExFreePoolWithTag, KeInitializeMutex, KeCancelTimer, KeReleaseMutex, KeWaitForSingleObject, _purecall, KeQueryInterruptTime, _aullrem, _aulldiv, _allmul, _alldiv, KeSetTimerEx, memset, KeInitializeTimerEx, KeInitializeDpc, InterlockedExchange, InterlockedIncrement, RtlQueryRegistryValues, DbgPrint, ZwClose, ZwWriteFile, InterlockedExchangeAdd, IoAllocateWorkItem, KeInitializeEvent, KeInitializeSpinLock, swprintf, ZwEnumerateKey, ZwQueryKey, ZwOpenKey, RtlInitUnicodeString, IoFreeWorkItem, KeSetEvent, IoQueueWorkItem, KeResetEvent, InterlockedCompareExchange, memcpy, KeTickCount, KeBugCheckEx, _vsnwprintf, ZwCreateFile, ExFreePool, InterlockedDecrement
> HAL.dll: KfAcquireSpinLock, KfReleaseSpinLock
> portcls.sys: PcNewMiniport, PcNewPort, PcRegisterPhysicalConnection, PcRegisterAdapterPowerManagement, PcAddAdapterDevice, PcInitializeAdapterDriver, PcNewServiceGroup, PcRegisterSubdevice

( 0 exports )
0 Kudos
7 Gold

Re: Malware returned, please help

It's time for some housekeeping.Sweeping Because the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, along with the folders created by these tools.
* Click Start then Run
* Now type Combofix /u in the runbox and click OK. Notice the space between the X and the /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

If you have used Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.

The following suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:

1. Visit Microsoft Update: Make sure that you have all the Critical Updates recommended for your operating system, Office, and IE. The first defense against infection is a properly patched OS from Microsoft Update at update.microsoft.com.

2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.

3.You might consider installing Mozilla / Firefox.
http://www.mozilla.com/en-US/

4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.

5. Before using or purchasing any Spyware/Malware protection/removal program, always check the following Rogue/Suspect Spyware Lists. http://www.spywarewarrior.com/rogue_anti-spyware.htm http://www.malwarebytes.org/database.php

6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/ ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.

7.Web Of Trust , uses colored alerts to warn about risky websites warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Red for Warning = STOP
  • Yellow for Use Caution
  • Green for Safe
  • Grey for Unknown

There is a Web Of Trust version for Firefox as well.

8. You might consider installing SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
It will:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
Tutorial here:http://www.bleepingcomputer.com/forums/tutorial49.html
Periodically check for updates

9. Here are some helpful articles:
"How did I get infected?"
http://www.bleepingcomputer.com/forums/topic2520.html


"I'm not pulling your leg, honest"
by Sandi Hardmeier
http://www.microsoft.com/windows/IE/community/columns/pulling.mspx



Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!

 


Windows Insider MVP 2016 - Present

Microsoft MVP - Consumer Security 2006-2016

Social Media and Community Professional

0 Kudos