Avast showing rootkit gen not caught by MBAM


Edgor

Avast in background mode keeps finding a file it labels as a rootkit-gen in my documents and settings \ local settings \ temp folder. I move it to the chest, but eventually a new file is placed there. They are always exe files and always have what appears to be random names. I have run MBAM, SuperAntiSpyware, avast antirootkit, trend micro's antirookit, and Avast AV at bootup, and none of them have found a rootkit or any other problems. However, Avast A-V in background keeps squawking about a file that appears in the temp folder. (I've run MBAM on that file itself and it says it's clean). I've not installed anything new that I can think of lately, other than a Windows update, and Avast never complained about this before Feb 9.

I have run defogger and attached a log. DDS.scr and DDS.com would run, but they froze after a varying amount of time (usually within 30 seconds) after about 10 or so of those progression dots appeared in the DOS window... so I couldn't get a DDS log. I did run rsit and attached its log. I also tried to get a full GMER Rootkit Scanner log. It ran for about 15 hours (it would start fast then slow to a crawl), but once it was ready to save it just would not save... it said "not responding" and I had to do a hard reboot. I did run it until it started bogging down (which took about 5 minutes), and was able with difficulty to save a log. This log is attached. However, it wasn't a full log.

This has been consuming several days and is driving me up the wall. I just cannot figure out if I have a rootkit and, if so, how to get rid of it.

I can probably send you a copy of the offending exe the next time I see it if that will help. Just give me an address.

Hoping you can help! Thanks.

info.txt

ark.txt

mbam_log_2010_02_14__14_17_16_.txt


  • Staff

Hi,

It looks like you are dealing with a new Trojan.Riern variant.

Go to this page.

Enter the url of this thread in the first field.

Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\Documents and Settings\Jon\Application Data\Adobe\Update\mmcnat.dat

Select it and click ok:

Then click the Send File button below.

Let me know once you have sent/uploaded the file.

Extra note, I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change, from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Also, I see you have Cybersitter installed as well. This one may redirect some pages once in a while to advertisement pages (the LSP component is doing this). That's why I don't really recommend it either, as this is somewhat questionable behavior.


I have uploaded the file as you instructed.

Thanks for the extra tips. I uninstalled Viewpoint. I don't even remember why it was on the machine. As for Cybersitter, I uninstalled that years ago... it sounds like something may still be around from it? It doesn't show up in the list of programs to uninstall.


  • Staff

Hi,

For Cybersitter, to unhook the components from the LSP, go to Start > Run and type cmd

A DOS window will appear.

Type the following in the DOS window: netsh winsock reset catalog

Hit Enter.

Reboot.

Then, please update MalwareBytes.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Whatever was in that update found a bunch of problems. I deleted what Mbam found and rebooted. After rebooting, a dialog with an ok prompt came up saying that mmcnat.dat was missing. I rebooted again and that message did not appear. I also reran MBAM and it showed no problems. As for Hijackthis, I wasn't sure what version I ran before, so I redownloaded it from Trend Micro's site. Both logs are attached.

Thanks for the tip on Cybersitter.

mbam_log_2010_02_16__13_19_20_.txt


It wasn't letting me attach the .log. Here is the text version...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:55 PM, on 2/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CE\nmSvc.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CE\nmFlt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PopTray\PopTray.exe
C:\Program Files\TrayIt!\TrayIt!.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jon\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe
O4 - Startup: TrayIt!.lnk = C:\Program Files\TrayIt!\TrayIt!.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SERA 3.0\VPN Client\cvpnd.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Virtual PDF Printer (Service1) - Unknown owner - C:\Program Files\Virtual PDF Printer\VirtualPrinting.exe

--
End of file - 9478 bytes

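As an added example that is not part of this thread, here is a small Python triage pass over lines in the HijackThis format quoted above. It flags the kinds of entries the staff replies act on: Winsock LSP providers registered by bare filename (the cespy.dll entries that the netsh winsock reset catalog step clears), dangling "(file missing)" references, services with an unknown owner, and autorun entries without a full path. The sample lines are constructed from this log; the section tags and layout are as HijackThis prints them.

```python
import re

# Constructed sample in the HijackThis v2 log format, modelled on entries
# quoted in this thread (a subset; the real log is much longer).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
"""

# Every HijackThis finding line starts with a section tag such as R1, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%)')  # drive letter or env var


def parse_hjt(text):
    """Return (section, body) pairs for each entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return (section, reason, detail) findings that deserve a second look."""
    findings = []
    lsp_providers = {}  # dll name -> number of O10 chain entries it appears in
    for section, body in parse_hjt(text):
        if section == "O10":
            dll = body.split("Winsock LSP:", 1)[1].strip().lower()
            lsp_providers[dll] = lsp_providers.get(dll, 0) + 1
        elif "(file missing)" in body:
            findings.append((section, "dangling reference", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with unknown owner", body))
        elif section == "O4" and "] " in body:
            target = body.split("] ", 1)[1]
            if not FULL_PATH_RE.match(target):
                findings.append((section, "autorun without full path", body))
    for dll, count in lsp_providers.items():
        reason = f"Winsock LSP provider in {count} chain entries"
        if "\\" not in dll:  # no directory: loader resolves it by search path
            reason += ", registered by bare filename"
        findings.append(("O10", reason, dll))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {detail}")
```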

Couple of things:

1. Re: how things are now, the malware didn't really seem to do anything other than to cause Avast to throw up alarms when an exe it didn't like showed up in temp. Avast hasn't thrown up an alarm for 2 days, nor have I seen any exes in the temp folder since then. Not sure why it stopped 2 days ago even though the malware was still on the machine...

2. Re: ask.com, I noticed that for the first time yesterday in firefox and hid it, thinking that it was there the entire time and I'd inadvertently elected to view it. I'm not sure why it was installed or where it came from. It has been uninstalled... I hate toolbars...

3. Do you know what 24059136027.nls is? I always see it in my temp folder with the current day's date.

4. Did you guys make changes to the database so it would catch that malware based on my emails, or was it already addressed?

5. I really appreciate your persevering help in getting rid of this obnoxious malware, and in telling me about stuff I should eliminate on my machine. I plan to purchase your license as a "thank you." However, I did have a few questions first because I wasn't clear on what the web site was saying... First, is the $24.95 a lifetime/one-time license or a yearly fee? Second, is it correct that 2 machines would cost about $45? It would be nice if 2 personal machines could be covered under the cost... I have a main machine and a secondary laptop. Third, if my computer craps out and I get a new machine, can the license be transferred/used on that machine?

Thank you!


  • Staff

Hi,

Either way, there was malware active and running here. This one downloaded additional malware, but it could be that the site it connected to, to download more malware, was shut down, which explains why no extra exe files were created in your temp folder. On the other hand, if you see exe files in your temp folder, it's not always malware. But in your case, it was.

You can delete that 24059136027.nls file present in your temp folder. It's actually a "copy" of the MMCNAT.DAT we deleted previously with Malwarebytes. But since it's in your temp folder and the main loader and startup references were deleted already, it can't do anything, and a simple temp cleanup should erase it anyway. (This will also be a feature in a new Malwarebytes version, where you can clean temp files as well.)

4. Did you guys make changes to the database so it would catch that malware based on my emails, or was it already addressed?
Well, right after I posted my first message to you here that you were dealing with a new Trojan.Riern variant, I was hunting for it in the meantime as well and could find another resource where I could gather that file. So I analysed it and added detection to the Malwarebytes database for it a couple of hours ago :)

That's why it was detected after you updated. :)

First, is the $24.95 a lifetime/one-time license or a yearly fee?
Lifetime license. Each computer requires a license.

Glad I could help. :)

Please read my Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


24059136027.nls could not be deleted before. Something (the malware?) was always preventing it... I was just able to delete it now.

That is awesome that you updated it that quickly.

That's great... I'm signing up... A suggestion is to update your page to clarify the questions I asked... I'm not the brightest knife in the drawer, but it was a little confusing.
