TechSpot

Hidden driver disguised as rootkit?

By inputjack
Jun 21, 2009
  1. I found the following files with AVG, and it seems to be a particularly nasty virus. Does anyone have any ideas about how to get rid of this. AVG does attempt to delete it, but it comes back every time the computer is rebooted.


    "C:\WINDOWS\system32\drivers\MSIVXkyijnrufkfrqaiqimckapjyutodgablo.sys";"Hidden driver";"Object is hidden"

    "c:\WINDOWS\system32\drivers\MSIVXkyijnrufkfrqaiqimckapjyutodgablo.sys";"Hidden file";"Object is hidden"
    "c:\WINDOWS\system32\MSIVXcount";"Hidden file";"Object is hidden"
    "c:\WINDOWS\system32\MSIVXnvypulrhmtnictaxdodeevdlvcfttiuv.dll";"Hidden file";"Object is hidden"
    "c:\WINDOWS\system32\MSIVXpsupyjnboihigbqtjtypxnxfbrkwvvmf.dll";"Hidden file";"Object is hidden"
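A defender's triage helper for AVG result lines in the `"path";"detection";"status"` layout quoted above, added here as an example (not from the thread or from AVG): it parses the lines, keeps only hidden objects, and clusters them by shared filename prefix, scoring each stem's character entropy so a group of hidden files with one common prefix and long random-looking names stands out. The sample report is constructed (two paths copied from the post, plus one benign control line), and the prefix length and cluster threshold are assumed tuning values.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample in the ";"-separated layout of the AVG report quoted above.
# The first three paths are copied from the post; the tcpip.sys line is a made-up benign control.
SAMPLE_REPORT = r'''
"C:\WINDOWS\system32\drivers\MSIVXkyijnrufkfrqaiqimckapjyutodgablo.sys";"Hidden driver";"Object is hidden"
"c:\WINDOWS\system32\MSIVXcount";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\MSIVXnvypulrhmtnictaxdodeevdlvcfttiuv.dll";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\drivers\tcpip.sys";"Clean";"OK"
'''

LINE_RE = re.compile(r'^"(?P<path>[^"]*)";"(?P<detection>[^"]*)";"(?P<status>[^"]*)"$')

def parse_report(text):
    """Parse AVG-style result lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def stem_entropy(filename):
    """Shannon entropy in bits per character of the file stem; random stems score high."""
    stem = filename.rsplit('.', 1)[0].lower()
    n = len(stem)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(stem).values())

def triage(text, prefix_len=5, min_cluster=2):
    """Cluster hidden objects by the first prefix_len characters of their filename.
    Only clusters with at least min_cluster members are returned (assumed thresholds)."""
    clusters = defaultdict(list)
    for e in parse_report(text):
        if 'hidden' not in e['status'].lower():
            continue  # only objects the scanner could not see normally are of interest
        name = e['path'].replace('\\', '/').rsplit('/', 1)[-1]
        clusters[name[:prefix_len].upper()].append({
            'path': e['path'],
            'is_driver': e['detection'].lower() == 'hidden driver' or name.lower().endswith('.sys'),
            'entropy': round(stem_entropy(name), 2),
        })
    return {k: v for k, v in clusters.items() if len(v) >= min_cluster}

if __name__ == '__main__':
    for prefix, items in triage(SAMPLE_REPORT).items():
        print(prefix, *(f"{i['path']} driver={i['is_driver']} H={i['entropy']}" for i in items), sep='\n  ')
```

A single hidden driver next to several hidden files sharing its prefix is the reboot-persistence pattern the original poster describes, so the driver entry in a cluster is the item to investigate first rather than the individual files.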
     
  2. touch

    touch TS Rookie Posts: 978

    Hello inputjack

    Combofix should be able to remove the infection(s) ->

    Please download combofix here ->
    ComboFix
    Before Saving it to Desktop, please rename it to 123.com to stop malware from disabling it.

    Now, please make sure no other programs are running, close all other windows.

    Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
    Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
    It may take a while to complete scanning and this is normal.

    You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and they will be restored after scanning has completed.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post
     
  3. inputjack

    inputjack TS Rookie Topic Starter

    Combo Fix info

    Sorry it took so long to reply, I am having some internet connection issues as well.
     
  4. touch

    touch TS Rookie Posts: 978

    Open notepad and copy/paste the text in the codebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    Code:
    Killall::
    Snapshot::
    File::
    c:\windows\msb.exe
    c:\windows\system32\xwr98477.dll
    c:\WINDOWS\system32\drivers\MSIVXkyijnrufkfrqaiqimckapjyutodgablo.sys
    c:\WINDOWS\system32\MSIVXcount
    c:\WINDOWS\system32\MSIVXnvypulrhmtnictaxdodeevdlvcfttiuv.dll
    c:\WINDOWS\system32\MSIVXpsupyjnboihigbqtjtypxnxfbrkwvvmf.dll
    Filelook::
    c:\windows\system32\drivers\TCPIP.SYS
    Folder::
    c:\program files\Shareaza
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E7E36E6-B7BF-3768-A3F3-8DA55E1EE651}]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\xa155126437.exe"=-
    "c:\\WINDOWS\\system32\\xa155165906.exe"=-
    "c:\\WINDOWS\\system32\\xa121953.exe"=-
    "c:\\WINDOWS\\system32\\xa824625.exe"=-
    "c:\\WINDOWS\\system32\\xa2089500.exe"=-
    "c:\\WINDOWS\\system32\\xa2108828.exe"=-
    "c:\\WINDOWS\\system32\\xa86766140.exe"=-
    "c:\\WINDOWS\\system32\\xa86841578.exe"=-
    "c:\\Program Files\\Shareaza\\Shareaza.exe"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6346:TCP"=-
    "6346:UDP"=-

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next reply

    Note:
    Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.
     
  5. inputjack

    inputjack TS Rookie Topic Starter

    New log

    I ran the script you posted, and here are the results. Thanks for the help.
     
  6. touch

    touch TS Rookie Posts: 978

  7. inputjack

    inputjack TS Rookie Topic Starter

    More problems

    It seems that I have a power supply problem, and have had to order a new one. It arrived today, but I am having issues with installation. I will get back to the logs when I can get the unit running again. Thanks.
     