Hi, I've found malware on my PC (rootkit type), but Prevx doesn't remove it. What can I do? Here is the log file.
Hi, re ohrpo.sys

c:\windows\system32\drivers\ohrpo.sys

Until Prevx is able to help, try to disable ohrpo.sys with Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx), maybe in safe mode if normal mode doesn't work.

Also, what about these?

Previously Detected Files:
(ACTIVE) c:\programmi\miranda im\plugins\aim.dll [PX5: E3EE95576CF98B00F0F502574E659300C68D8961] Malware Group: Medium Risk Malware
c:\windows\system32\drivers\ecjsavu.sys [PX5: 41219E79005CA3D52E2908152D99C8007F3A3695] Malware Group: Medium Risk Malware
c:\windows\system32\drivers\ecjsavu.sys [PX5: 41219E79005CA3D52E2908152D99C8007F3A3695] Malware Group: Medium Risk Malware

This is also a rootkit. The best tool to use is Avenger. CF also can't delete this stuff, but a remote session can help, I think.
Yes, that is the best thing to do to get it cleaned up for you, as they guarantee cleanup! http://info.prevx.com/service.asp TH
Thanks for the fast reply, but actually Prevx reports "system cleaned" to me, yet the ohrpo.sys file is not deleted. Every time I read the directory windows\system32\drivers, the file ohrpo.sys has its file time set to the current time. And when I try to delete it, Windows tells me: "could not read disk".
You cannot delete this file manually. Write a message to Prevx help; they can do it in a remote session, if you want.
markusg: c:\windows\system32\drivers\ecjsavu.sys [PX5: 41219E79005CA3D52E2908152D99C8007F3A3695] Malware Group: Medium Risk Malware

Good catch.

@mik1969 Have you tried to disable the driver/s with Autoruns in safe mode?
And this is perhaps an FP:

(ACTIVE) c:\programmi\miranda im\plugins\aim.dll [PX5: E3EE95576CF98B00F0F502574E659300C68D8961] Malware Group: Medium Risk Malware

but Prevx help must check it. You can delete this as follows, but somebody must have a look at this.

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your desktop.
   • Right click on the Avenger.zip folder and select "Extract All..."
   • Follow the prompts and extract the avenger folder to your desktop.
2. Copy all the text below to your Clipboard by highlighting it and pressing (Ctrl+C):

   Drivers to disable:
   ohrpo
   ecjsavu

   Drivers to delete:
   ecjsavu
   ohrpo

   Files to delete:
   c:\windows\system32\drivers\ohrpo.sys
   c:\windows\system32\drivers\ecjsavu.sys

   Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions, as they could damage the workings of your system.
   • Now, click on Execute. Just say Yes at every prompt.

The Avenger will automatically do the following:
   • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
   • On reboot, it will briefly open a black command window on your desktop; this is normal.
   • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
   • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please copy/paste the content of c:\avenger.txt into your reply.

PS: Prevx is not alone; other AVs also can't remove it, and neither can ComboFix. Avenger is the best tool for this, I think.
@cloneranger: not yet, Autoruns doesn't find any ohrpo.sys. Tomorrow I'll try in safe mode (the PC is at work, now I'm at home).
@markus: thank you for your help.
Thanks to all for the support! You're a "gold mine"!!!
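As an added, present-day illustration of the check the thread is doing by hand with Autoruns (this is not code from the thread, from Prevx or from Avenger): the script below reads kernel-driver entries straight from the Services registry hive, resolves each image path, and flags exactly the symptoms mik1969 describes: a driver file that is missing or unreadable, one that is unsigned, and one whose timestamp keeps jumping to "now". It also cross-checks the registry view against what WMI reports as running, since a rootkit hiding its key from one API may not hide it from another. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on a modern Windows; the function names, the 10-minute "recently written" threshold and the flag labels are illustrative choices, not anything the thread specifies.

```powershell
# Added example, not from the thread or from Prevx/Avenger. Assumes an elevated PowerShell session.
# Function names, flag labels and the RecentMinutes threshold are assumptions for illustration.

function Resolve-DriverImagePath {
    # Turn the ImagePath forms found in the Services hive into a plain Win32 path.
    param([string]$ImagePath, [string]$ServiceName)
    if (-not $ImagePath) { $ImagePath = "System32\drivers\$ServiceName.sys" }   # default when ImagePath is absent
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                                # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')    # \SystemRoot\...   -> C:\Windows\...
    $p = $p -replace '^%SystemRoot%\\', ($env:SystemRoot + '\')    # %SystemRoot%\...  -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

function Get-SuspiciousKernelDrivers {
    param([int]$RecentMinutes = 10)   # a driver file rewritten this recently is unusual on a quiet box

    # View 1: what WMI says exists (user-mode API, may be hooked by a rootkit).
    $wmi = @{}
    Get-CimInstance Win32_SystemDriver | ForEach-Object { $wmi[$_.Name.ToLower()] = $_ }

    # View 2: the registry hive, read key by key (a different user-mode path, may also be hooked).
    $seen = @{}
    $results = foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($svc.Type -ne 1 -and $svc.Type -ne 2) { continue }   # 1 = kernel driver, 2 = file system driver
        $name = $key.PSChildName
        $seen[$name.ToLower()] = $true
        $image = Resolve-DriverImagePath -ImagePath $svc.ImagePath -ServiceName $name

        $exists = Test-Path -LiteralPath $image -PathType Leaf
        $readable = $false; $sig = 'n/a'; $lastWrite = $null
        if ($exists) {
            try {
                # Open and read one byte: the "could not read disk" style failure lands in the catch.
                $fs = [System.IO.File]::Open($image, 'Open', 'Read', 'ReadWrite')
                $null = $fs.ReadByte(); $fs.Dispose(); $readable = $true
            } catch { $readable = $false }
            $lastWrite = (Get-Item -LiteralPath $image -Force).LastWriteTime
            $sig = (Get-AuthenticodeSignature -LiteralPath $image).Status.ToString()
        }

        $flags = @()
        if (-not $exists)                      { $flags += 'image-missing' }
        elseif (-not $readable)                { $flags += 'image-unreadable' }
        if ($exists -and $sig -ne 'Valid')     { $flags += "signature-$sig" }
        if ($lastWrite -and ((Get-Date) - $lastWrite).TotalMinutes -lt $RecentMinutes) { $flags += 'written-just-now' }
        if (-not $wmi.ContainsKey($name.ToLower())) { $flags += 'in-registry-not-in-wmi' }

        [pscustomobject]@{
            Name = $name; Start = $svc.Start; Image = $image
            Signature = $sig; LastWrite = $lastWrite; Flags = ($flags -join ',')
        }
    }

    # Drivers WMI reports but whose registry key was not enumerable from this session.
    $results += foreach ($d in $wmi.Values) {
        if (-not $seen.ContainsKey($d.Name.ToLower())) {
            [pscustomobject]@{
                Name = $d.Name; Start = $null; Image = $d.PathName
                Signature = 'n/a'; LastWrite = $null; Flags = 'in-wmi-not-in-registry'
            }
        }
    }

    $results | Where-Object { $_.Flags }
}

function Disable-KernelDriverEntry {
    # Mirrors the "Drivers to disable" step: Start=4 (SERVICE_DISABLED) takes effect at the next boot.
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) { throw "No service key for '$Name' is visible from this session" }
    Set-ItemProperty -LiteralPath $key -Name Start -Value 4 -Type DWord
}

Get-SuspiciousKernelDrivers | Format-Table -AutoSize
# Disable-KernelDriverEntry -Name 'ohrpo'   # then reboot; only works if the key is visible and not protected
```

Two things to keep in mind when reading the report: a legitimate but very old driver may show `signature-NotSigned`, so the signature flag alone is weak evidence and should be read together with the path and the timestamp; and everything here runs in user mode, so a driver that is hiding its file and registry key from every user-mode API will simply not appear, which is why the thread ends up at a boot-time tool like Avenger rather than a live-session check.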
Your log looks clean now. Can you go into the GUI > Tools > Undo Cleanup > View Cleanup log and post the results to make sure? And if you feel it's still not cleaned, contact Prevx Support: http://info.prevx.com/service.asp TIA, TH
This was an FP. I've fixed it now; thank you all for the assistance. mik1969, if you do continue to have any other problems, please let me know and we will be able to help you further!
RESOLVED! ecjsavu.sys was removed by Prevx after I posted the log file. With Autoruns I didn't find any ohrpo.sys, but now Avenger has successfully removed ohrpo.sys. Thanks a lot.
This rootkit downloads more malware, perhaps not detected by Prevx. We need to create an OTL report.

1. Please download OTL (http://oldtimer.geekstogo.com/OTL.exe).
2. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Click the "Scan All Users" checkbox.
5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
6. Copy and paste the following into the textbox:

   netsvcs
   msconfig
   safebootminimal
   safebootnetwork
   activex
   drivers32
   %ALLUSERSPROFILE%\Application Data\*.
   %ALLUSERSPROFILE%\Application Data\*.exe /s
   %APPDATA%\*.
   %APPDATA%\*.exe /s
   %SYSTEMDRIVE%\*.exe
   /md5start
   userinit.exe
   eventlog.dll
   scecli.dll
   netlogon.dll
   cngaudit.dll
   sceclt.dll
   ntelogon.dll
   logevent.dll
   iaStor.sys
   nvstor.sys
   atapi.sys
   IdeChnDr.sys
   viasraid.sys
   AGP440.sys
   vaxscsi.sys
   nvatabus.sys
   viamraid.sys
   nvata.sys
   nvgts.sys
   iastorv.sys
   ViPrt.sys
   eNetHook.dll
   ahcix86.sys
   KR10N.sys
   nvstor32.sys
   winlogon.exe
   ahcix86s.sys
   /md5stop
   %systemroot%\system32\drivers\*.sys /lockedfiles
   %systemroot%\System32\config\*.sav
   %systemroot%\*. /mp /s
   %systemroot%\system32\*.dll /lockedfiles
   CREATERESTOREPOINT

7. Push "Scan".
8. Two reports will open:
   • OTListIt.txt <-- will be opened
   • Extra.txt <-- will be minimized

Attach the reports.
Please note: https://www.wilderssecurity.com/showthread.php?t=42148 Unless Prevx requests a log, it will not be allowed here.