malware not removed

Discussion in 'Prevx Releases' started by mik1969, May 27, 2010.

Thread Status:
Not open for further replies.
  1. mik1969

    mik1969 Registered Member

    Joined:
    May 27, 2010
    Posts:
    4
    Hi,
    I've found malware on my PC (rootkit type), but Prevx doesn't remove it.

    What can I do?

    Here is the log file.
     

    Attached Files:

    • mik.log (154.9 KB)
  2. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Contact Prevx through the support link in the software. They will help fix it for free.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, re ohrpo.sys

    c:\windows\system32\drivers\ohrpo.sys

    Until Prevx is able to help, try to disable ohrpo.sys with Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx), maybe in safe mode if normal mode doesn't work.

    Also, what about these?

    Previously Detected Files:
    (ACTIVE) c:\programmi\miranda im\plugins\aim.dll [PX5: E3EE95576CF98B00F0F502574E659300C68D8961] Malware Group: Medium Risk Malware
    c:\windows\system32\drivers\ecjsavu.sys [PX5: 41219E79005CA3D52E2908152D99C8007F3A3695] Malware Group: Medium Risk Malware
     
  4. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    c:\windows\system32\drivers\ecjsavu.sys [PX5: 41219E79005CA3D52E2908152D99C8007F3A3695] Malware Group: Medium Risk Malware

    This is also a rootkit.
    The best tool to use is Avenger. CF can also not delete this stuff, but a remote session can help, I think.
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Yes, that is the best thing to do to get it cleaned up for you, as they guarantee cleanup! http://info.prevx.com/service.asp

    TH
     
    Last edited: May 27, 2010
  6. mik1969

    mik1969 Registered Member

    Joined:
    May 27, 2010
    Posts:
    4
    Thanks for the fast reply.

    But actually, Prevx reports "system cleaned" to me, but the ohrpo.sys file is not deleted.

    Every time I read the directory windows\system32\drivers, the file ohrpo.sys has its file time set to the current time.
    And when I try to delete it, Windows tells me: "could not read disk".
     

    Attached Files:

    • mik.log (136.4 KB)
  7. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    You cannot delete this file manually.
    Write a message to Prevx Help; they can do it in a remote session, if you want.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    markusg

    c:\windows\system32\drivers\ecjsavu.sys [PX5: 41219E79005CA3D52E2908152D99C8007F3A3695] Malware Group: Medium Risk Malware

    Good catch :thumb:

    @mik1969

    Have you tried to disable the driver/s with Autoruns in safe mode?
     
  9. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    And this is perhaps an FP:
    (ACTIVE) c:\programmi\miranda im\plugins\aim.dll [PX5: E3EE95576CF98B00F0F502574E659300C68D8961] Malware Group: Medium Risk Malware
    But Prevx Help must check it.
    You can delete this as follows, but somebody must have a look at this.

    Please download
    -http://swandog46.geekstogo.com/avenger2/download.php-
    by Swandog46 to yo
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
    2. Copy all the text to your Clipboard by highlighting it and pressing (Ctrl+C):
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
    • Now, click on Execute. Just say Yes at every prompt.
    The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    Please copy/paste the content of c:\avenger.txt into your reply.


    Drivers to disable:
    ohrpo
    ecjsavu
    Drivers to delete:
    ecjsavu
    ohrpo
    Files to delete:
    c:\windows\system32\drivers\ohrpo.sys
    c:\windows\system32\drivers\ecjsavu.sys


    PS: Prevx is not alone; other AVs can also not remove it, and neither can ComboFix. Avenger is the best tool for this, I think.
     
    Last edited by a moderator: May 27, 2010
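    As an added example (not code from this thread, from Prevx or from Avenger), the Python below parses the Prevx "Previously Detected Files" lines quoted above into path, PX5 hash, risk group and ACTIVE flag, keeps only kernel drivers under system32\drivers, and emits the Avenger block in the format markusg posted. The sample lines and the ohrpo.sys path are the ones from this thread; the rule that the driver name is the file name without .sys is an assumption taken from his script.

    ```python
    import re
    from pathlib import PureWindowsPath

    # One Prevx "Previously Detected Files" line, as quoted in this thread:
    #   [(ACTIVE)] <path> [PX5: <40 hex chars>] Malware Group: <group>
    DETECTION_RE = re.compile(
        r"^(?P<active>\(ACTIVE\)\s+)?"
        r"(?P<path>[A-Za-z]:\\[^\[]+?)\s+"
        r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]\s+"
        r"Malware Group:\s*(?P<group>.+?)\s*$"
    )

    # Sample input: the two detection lines posted in this thread.
    SAMPLE_LOG = """\
    Previously Detected Files:
    (ACTIVE) c:\\programmi\\miranda im\\plugins\\aim.dll [PX5: E3EE95576CF98B00F0F502574E659300C68D8961] Malware Group: Medium Risk Malware
    c:\\windows\\system32\\drivers\\ecjsavu.sys [PX5: 41219E79005CA3D52E2908152D99C8007F3A3695] Malware Group: Medium Risk Malware
    """

    def parse_detections(text):
        """Return one dict (path, px5, group, active) per detection line; other lines are skipped."""
        records = []
        for line in text.splitlines():
            m = DETECTION_RE.match(line.strip())
            if m:
                records.append({
                    "path": m["path"].strip(),
                    "px5": m["px5"].upper(),
                    "group": m["group"],
                    "active": m["active"] is not None,
                })
        return records

    def is_kernel_driver(path):
        """True for a .sys file under system32\\drivers, i.e. a kernel-mode driver candidate."""
        p = PureWindowsPath(path.lower())
        return p.suffix == ".sys" and p.parent.parts[-2:] == ("system32", "drivers")

    def build_avenger_script(records, extra_driver_paths=()):
        """Emit the Avenger block (drivers to disable/delete, files to delete) in the
        format posted above, for kernel drivers only. User-mode hits such as aim.dll
        are deliberately left out: they need vendor confirmation (it turned out to be an FP).
        Assumption: the service name is the file name without .sys, as in the posted script."""
        paths = [r["path"] for r in records if is_kernel_driver(r["path"])]
        paths += [p for p in extra_driver_paths if is_kernel_driver(p)]
        names = [PureWindowsPath(p).stem for p in paths]
        lines = ["Drivers to disable:", *names, "Drivers to delete:", *names, "Files to delete:", *paths]
        return "\n".join(lines)
    ```

    Passing the ohrpo.sys path (which Prevx never listed but the thread discusses) as an extra driver reproduces the two-driver script above.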
  10. mik1969

    mik1969 Registered Member

    Joined:
    May 27, 2010
    Posts:
    4
    @cloneranger: not yet, Autoruns doesn't find any ohrpo.sys... tomorrow I'll try in safe mode (the PC is at work, now I'm at home).

    @markus: thank you for your help.


    Thanks to all for supporting! You're a "gold mine"!!!
    :-* :-*
     
  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Your log looks clean now. Can you go into the GUI > Tools > Undo Cleanup > View Cleanup log and post the results to make sure? And if you feel it's still not cleaned, contact Prevx Support: http://info.prevx.com/service.asp

    TIA,

    TH
     
    Last edited: May 27, 2010
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK


    This was a FP :) I've fixed it now - thank you all for the assistance - mik1969, if you do continue to have any other problems, please let me know and we will be able to help you further!
     
  13. mik1969

    mik1969 Registered Member

    Joined:
    May 27, 2010
    Posts:
    4
    RESOLVED! :-*

    ecjsavu.sys was removed by Prevx after I posted the log file.

    With Autoruns I don't find any ohrpo.sys, but now Avenger has successfully removed ohrpo.sys.

    Thanks a lot.
     
  14. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    This rootkit downloads more malware, perhaps not detected by Prevx.
    We need to create an OTL report.

    1. Please download OTL
    -http://oldtimer.geekstogo.com/OTL.exe-

    2. Save it to your desktop.
    3. Double click on the icon on your desktop.
    4. Click the "Scan All Users" checkbox.
    5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    6. Copy and Paste the following into the textbox.


    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    winlogon.exe
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

    7. Push "Scan".
    8. Two reports will open:
    • OTListIt.txt <-- will be opened
    • Extra.txt <-- will be minimized
    Attach the reports.
     
    Last edited by a moderator: May 28, 2010
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,735
    Location:
    Texas
    Please note:
    https://www.wilderssecurity.com/showthread.php?t=42148

    Unless Prevx requests a log, it will not be allowed here.
     