Hidden driver disguised as rootkit?

Status
Not open for further replies.
I found the following files with AVG, and it seems to be a particularly nasty virus. Does anyone have any ideas about how to get rid of this? AVG does attempt to delete it, but it comes back every time the computer is rebooted.


"C:\WINDOWS\system32\drivers\MSIVXkyijnrufkfrqaiqimckapjyutodgablo.sys";"Hidden driver";"Object is hidden"

"c:\WINDOWS\system32\drivers\MSIVXkyijnrufkfrqaiqimckapjyutodgablo.sys";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\MSIVXcount";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\MSIVXnvypulrhmtnictaxdodeevdlvcfttiuv.dll";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\MSIVXpsupyjnboihigbqtjtypxnxfbrkwvvmf.dll";"Hidden file";"Object is hidden"
 
Hello inputjack

Combofix should be able to remove the infection(s) ->

Please download ComboFix here -> ComboFix
Before saving it to the Desktop, please rename it to 123.com to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and they will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
 
Open notepad and copy/paste the text in the codebox below into it:
Name the file as CFScript
and Save it on the desktop

Code:
Killall::
Snapshot::
File::
c:\windows\msb.exe
c:\windows\system32\xwr98477.dll
c:\WINDOWS\system32\drivers\MSIVXkyijnrufkfrqaiqimckapjyutodgablo.sys
c:\WINDOWS\system32\MSIVXcount
c:\WINDOWS\system32\MSIVXnvypulrhmtnictaxdodeevdlvcfttiuv.dll
c:\WINDOWS\system32\MSIVXpsupyjnboihigbqtjtypxnxfbrkwvvmf.dll
Filelook::
c:\windows\system32\drivers\TCPIP.SYS
Folder::
c:\program files\Shareaza
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E7E36E6-B7BF-3768-A3F3-8DA55E1EE651}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\xa155126437.exe"=-
"c:\\WINDOWS\\system32\\xa155165906.exe"=-
"c:\\WINDOWS\\system32\\xa121953.exe"=-
"c:\\WINDOWS\\system32\\xa824625.exe"=-
"c:\\WINDOWS\\system32\\xa2089500.exe"=-
"c:\\WINDOWS\\system32\\xa2108828.exe"=-
"c:\\WINDOWS\\system32\\xa86766140.exe"=-
"c:\\WINDOWS\\system32\\xa86841578.exe"=-
"c:\\Program Files\\Shareaza\\Shareaza.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"=-
"6346:UDP"=-

(image CFScriptB-4.gif: CFScript.txt being dragged onto ComboFix.exe)


Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
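The Registry:: section of the script above removes firewall allow-list entries for randomly named executables in system32, two globally open ports and one BHO CLSID, while the File:: section targets the hidden MSIVX driver and DLLs. As an added example (not from this thread and not part of ComboFix), the following PowerShell audits those same registry locations plus the kernel-driver service entries, so the findings can be confirmed before the script is run and checked again after the reboot. The registry paths are the standard Windows Firewall (XP SP2 and later) and Browser Helper Object locations; the name patterns it flags (the MSIVX prefix and xa<digits>.exe) are assumptions taken from the logs posted in this thread, not a general signature.

```powershell
# Added example, not part of the thread or of ComboFix: audit the registry
# locations the CFScript above edits (firewall allow-list, globally open ports,
# Browser Helper Objects) and the kernel-driver service entries.
# Run in an elevated PowerShell (2.0 or later) on the affected host.
# Name heuristics (MSIVX prefix, xa<digits>.exe) are assumptions taken from
# the AVG log and CFScript posted in this thread.

$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Expand-Path([string]$p) {
    # Registry paths arrive as "\??\C:\...", "\SystemRoot\...", "system32\drivers\x.sys"
    # or with %windir%. Normalise all of them to a plain Win32 path.
    $p = [Environment]::ExpandEnvironmentVariables($p.Trim('"'))
    if (-not $p) { return '' }
    if ($p.StartsWith('\??\'))       { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ValueNames([string]$key) {
    # Registry values under a key, minus the PS* note properties PowerShell adds.
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item) { $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } }
}

Write-Output '== Firewall AuthorizedApplications\List =='
foreach ($v in Get-ValueNames "$fwBase\AuthorizedApplications\List") {
    $exe   = Expand-Path $v.Name
    $flags = @()
    if (-not (Test-Path -LiteralPath $exe))     { $flags += 'file not visible on disk' }
    if ($exe -imatch '\\system32\\xa\d+\.exe$') { $flags += 'random xa<digits>.exe name' }
    # Value data has the form "path:scope:Enabled|Disabled:display name".
    $state = ($v.Value -split ':')[2]
    '{0}  state={1}  {2}' -f $exe, $state, ($flags -join '; ')
}

Write-Output '== Firewall GloballyOpenPorts\List =='
foreach ($v in Get-ValueNames "$fwBase\GloballyOpenPorts\List") {
    '{0}  ->  {1}' -f $v.Name, $v.Value
}

Write-Output '== Browser Helper Objects =='
foreach ($k in Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue) {
    $clsid = $k.PSChildName
    # A BHO is just a CLSID; the DLL that implements it is in HKCR\CLSID\{...}\InprocServer32.
    $srv   = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll   = if ($srv) { Expand-Path $srv.'(default)' } else { '<no InprocServer32>' }
    $flags = @()
    if ($srv -and -not (Test-Path -LiteralPath $dll)) { $flags += 'file not visible on disk' }
    if ($dll -imatch '\\system32\\MSIVX')              { $flags += 'MSIVX prefix' }
    '{0}  {1}  {2}' -f $clsid, $dll, ($flags -join '; ')
}

Write-Output '== Kernel/file-system driver services with findings =='
foreach ($k in Get-ChildItem -Path $svcKey -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, Type 2 = file-system driver; skip everything else.
    if (-not $p -or -not $p.ImagePath -or ($p.Type -ne 1 -and $p.Type -ne 2)) { continue }
    $sys   = Expand-Path $p.ImagePath
    $flags = @()
    if (-not (Test-Path -LiteralPath $sys))                           { $flags += 'file not visible on disk' }
    if ($k.PSChildName -imatch '^MSIVX' -or $sys -imatch '\\MSIVX')   { $flags += 'MSIVX prefix' }
    if ($flags.Count -gt 0) {
        '{0}  start={1}  {2}  {3}' -f $k.PSChildName, $p.Start, $sys, ($flags -join '; ')
    }
}
```

A "file not visible on disk" flag means either a stale entry or a file that normal directory enumeration cannot see, which is the symptom AVG reported ("Object is hidden"), so a driver service whose image is reported missing yet reappears after every reboot is worth a second look. Because a loaded rootkit can filter the registry views as well as the file system, run the same audit from an offline boot (a rescue disc or the machine's second Windows installation) and compare the two listings; entries that appear only offline are the ones being hidden.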
 
More problems

It seems that I have a power supply problem, and have had to order a new one. It arrived today, but I am having issues with installation. I will get back to the logs when I can get the unit running again. Thanks.
 