How do I pin out the suspect virus file?

From ntbtlog.txt (XP boot log file), I found out that there is a driver
file that changes its name every time I reboot.

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\Drivers\a5mzjxub.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys

However, when I log in to XP, I can't find the suspect file.
This possible virus also appears in the registry (HKLM/System/
CurrentControlSet/Services/), and it also changes its name when I reboot.

I have used NOD32 2.7 (with updated virus code) to scan the hard drive
in safe mode, but no luck.
Can anyone give me some idea and tool to pin out this virus? Thank
you.
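The thread's starting point is that ntbtlog.txt is appended to on every boot, so two consecutive boot sections can be compared to find a driver entry whose name is never the same twice. The script below does that comparison and adds a crude random-name heuristic; it is an example added here, not code from the original thread or from any tool mentioned in it. The embedded log is constructed for the example (only a5mzjxub.SYS comes from the question; q8rtkzwe.SYS, the usbstor.sys line and the timestamps are made up), and the assumption that each boot section starts with the "Microsoft (R) Windows (R) Version" header is mine.

```python
import math
import re
from collections import Counter

# Constructed ntbtlog.txt excerpt covering two consecutive boots. The random
# name a5mzjxub.SYS is the one quoted in the question; q8rtkzwe.SYS, the
# usbstor.sys line and the date lines are made up for this example.
SAMPLE_NTBTLOG = """\
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 2 20 2009 21:40:12.500
Loaded driver \\SystemRoot\\System32\\Drivers\\Modem.SYS
Loaded driver \\SystemRoot\\System32\\Drivers\\a5mzjxub.SYS
Loaded driver \\SystemRoot\\system32\\DRIVERS\\cfosspeed.sys
Did not load driver \\SystemRoot\\System32\\Drivers\\NDProxy.SYS
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 2 21 2009 08:02:47.125
Loaded driver \\SystemRoot\\System32\\Drivers\\Modem.SYS
Loaded driver \\SystemRoot\\System32\\Drivers\\q8rtkzwe.SYS
Loaded driver \\SystemRoot\\system32\\DRIVERS\\cfosspeed.sys
Loaded driver \\SystemRoot\\System32\\Drivers\\usbstor.sys
Did not load driver \\SystemRoot\\System32\\Drivers\\NDProxy.SYS
"""

# Assumption: every boot section in the appended log begins with this header.
BOOT_HEADER = "Microsoft (R) Windows (R) Version"
DRIVER_LINE = re.compile(r"^(Loaded|Did not load) driver (\S+)\s*$", re.MULTILINE)


def split_boots(text):
    """Split an appended ntbtlog.txt into one text chunk per boot."""
    boots, current = [], []
    for line in text.splitlines():
        if line.startswith(BOOT_HEADER):
            if current:
                boots.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        boots.append("\n".join(current))
    return boots


def parse_drivers(boot_text):
    """Map lower-cased driver file name -> (loaded?, full path) for one boot."""
    drivers = {}
    for status, path in DRIVER_LINE.findall(boot_text):
        name = path.rsplit("\\", 1)[-1].lower()
        drivers[name] = (status == "Loaded", path)
    return drivers


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(name):
    """Cheap heuristic for machine-generated file names: a long stem with high
    character entropy that either mixes digits into letters or has very few
    vowels. Real vendor names such as cfosspeed.sys fall below the bar."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 8:
        return False
    has_digit = any(ch.isdigit() for ch in stem)
    vowel_ratio = sum(ch in "aeiou" for ch in stem) / len(stem)
    return shannon_entropy(stem) >= 2.5 and (has_digit or vowel_ratio <= 0.25)


def triage(ntbtlog_text):
    """Compare the last two boots in the log and return a sorted list of
    (name, transient, looks_generated) for every driver that appears in only
    one of the two boots or whose name looks generated."""
    boots = split_boots(ntbtlog_text)
    if len(boots) < 2:
        raise ValueError("need at least two boot sections in the log")
    prev, last = parse_drivers(boots[-2]), parse_drivers(boots[-1])
    findings = []
    for name in sorted(set(prev) | set(last)):
        transient = (name in prev) != (name in last)
        generated = looks_generated(name)
        if transient or generated:
            findings.append((name, transient, generated))
    return findings


if __name__ == "__main__":
    for name, transient, generated in triage(SAMPLE_NTBTLOG):
        flags = ", ".join(f for f, on in (("transient", transient), ("random-looking", generated)) if on)
        print(f"{name:16} {flags}")
```

On a real machine the file is %SystemRoot%\ntbtlog.txt, written when Windows is started with boot logging enabled (the /bootlog switch or "Enable Boot Logging" on the F8 menu); because the log is appended to, running the script on it reproduces the by-eye comparison the original poster did. The output is a list of candidates to investigate, not a verdict: usbstor.sys is transient here simply because a USB device was present on one boot, and, as the last post in this thread found, a randomly named driver can belong to an installed product rather than to malware.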

Re: How do I pin out the suspect virus file?


| From ntbtlog.txt (XP boot log file), I found out that there is a driver
| file that changes its name every time I reboot.

| Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
| Loaded driver \SystemRoot\System32\Drivers\a5mzjxub.SYS
| Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys

| However, when I log in to XP, I can't find the suspect file.
| This possible virus also appears in the registry (HKLM/System/
| CurrentControlSet/Services/), and it also changes its name when I reboot.

| I have used NOD32 2.7 (with updated virus code) to scan the hard drive
| in safe mode, but no luck.
| Can anyone give me some idea and tool to pin out this virus? Thank
| you.

Place the drive on a surrogate PC.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: How do I pin out the suspect virus file?


Try http://onecare.live.com/site/en-us/default.htm  See if it finds
anything.

Manual Removal

Can you get the name of the file, boot from the XP CD, and use the Recovery
Console to find it?  You will need the administrator password.

I got rid of the TDSS by doing this.  Sounds similar.  Files could not
be seen or deleted. Also blocked access to antivirus sites.

You might also want to check Device Manager for non-Plug and Play
devices.
You will have to change the view to show hidden devices.

Another option would be something like BartPE.  It is a boot CD that
will give you access to the hard drive without
using the files on the hard drive.  It also has antivirus and adware removal
plugins.

Hope this helps

Re: How do I pin out the suspect virus file?

I tried avira antivir in safe mode, and nod32 4RC in windows, still
can't catch the virus.


Re: How do I pin out the suspect virus file?

On 02/20/2009 10:11 PM, oversky sent:

FWIW

1) NOD32 AntiVirus 4.0.226 RC1 was released recently.  That makes a V2.7
at least a year and a half old.

2) Yes, something seems wrong, but by definition you don't know if this
is a virus or not.  Malware, maybe.  To that end, please consider running
the freeware versions of MBAM and SAS.

           MBAM: <http://www.malwarebytes.org/mbam.php>
            SAS: <http://www.superantispyware.com/>

Please post a follow-up to this thread with your progress.

Best of luck to you.

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: How do I pin out the suspect virus file?


How significant is it that the AV framework is ~18 months old when the
definition files are still being updated multiple times a day? I'm
asking because I still run V2.7 myself.


Re: How do I pin out the suspect virus file?

On 02/21/2009 10:23 PM, Char Jackson sent:

Hello

As a general rule of thumb, some of the bad folks have found the
weaknesses of the antivirus product such that the two year point is
where some products may be thought of as possibly inadequate and
probably dangerous.

It's not just the signatures/fingerprints that are being used in scan
comparisons.  It's also NOD32 Antivirus's updated heuristics and other
proprietary scanning techniques that mark the difference in revisions.

If you believe the ESET folks are following industry accepted version
number schemes, the recent update of NOD32 makes V2.7 about two whole
version numbers behind.  That likely constitutes two major updates.

       <http://en.wikipedia.org/wiki/Software_versioning>

If you believe you will continue to place your trust in ESET's antivirus
product, then about $40USD per year is not unreasonable.  If not, some
worthy and interesting alternatives can be had for free.  Some of the
knowledgeables in similar newsgroups are recommending NOD32 on a daily
basis.

Regards,

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: How do I pin out the suspect virus file?

MBAM crashed two times while scanning. It found some ad scripts, but
not the one I am looking for.
SAS is more stable. It also found some adware, but still no luck.

Finally, I moved the folders in \Program Files with a binary tree
method, and figured out that the file is installed by
Daemon Tools. When I uninstall it, the file disappears. I am not sure
whether it is done on purpose or not. Maybe it helps Daemon Tools not to be
tracked by copy protection.


