Recurring malware/rootkit/virus

This item shows up on a MbAM scan everytime and I think it's likely the culprit. However, the mbam log doesn't show it. Instead, I'm given this.



When I choose remove selected and restart, it'd show up again in the next scan I do. What's more worrying is it gives no information on its directory and name of infected file. It's a ghost and I still have to suffer a Adobe security error every 2 minutes, argh!

mbam log from this scan

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4723

Windows 5.1.2600 Service Pack 3, v.3300
Internet Explorer 6.0.2900.3300

2010-10-9 17:38:14
mbam-log-2010-10-09 (17-38-14).txt

Scan type: Quick scan
Objects scanned: 157488
Time elapsed: 36 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Yes, I tried DrWebCureIt. All it does is picking up and removing tracking cookies.

AVG identifies a Trojan.Droper.Agent.MVL on open.



The object is white listed because it's an important system file, I can't remove it. I've been given suggestions that this could be a false/positive but I'm not sure if this is the case.

------------------------

The result of this threat is very apparent and annoying. When I use my firefox browser, an Adobe security warning dialogue would appear and when I click ok it comes back a minute later. Nothing happens when I click the other option.



-----------------------

A list of things I've done:

- Cleared flash and browser cache and cookies
- Complete scan with MBAM, AVG, SUPERAnti-Spyware and DrWebCureIt

Note: I've also created another user account with admin rights and the security error dialogue doesn't appear when I use firefox browser on that account.

----------------------

Thanks for reading and please help.

Edited by Cabulb, 09 October 2010 - 01:17 PM.

Hello, I think it is a false positive. can you submit it?

JOTTI and VT scan ..This is possibly a False positive. We should double check it before we take action.

Lets' upload this file for a second opinion on what it actually is..

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.

Thank you for the reply. I've used Jotti to scan the suspected file wextract.exe and here are the results.

[ArcaVir]
2010-10-10 Trojan.Agent.Bwnc
[F-Secure Anti-Virus]
2010-10-10 Found nothing
[Avast! antivirus]
2010-10-10 Win32:Trojan-gen
[G DATA]
2010-10-10 Win32:Trojan-gen
[Grisoft AVG Anti-Virus]
2010-10-10 Dropper.Agent.MVL
[Ikarus]
2010-10-10 Packed.Win32.PePatch
[Avira AntiVir]
2010-10-08 TR/Agent.bwnc
[ESET NOD32]
2010-10-09 Found nothing
[Softwin BitDefender]
2010-10-10 Found nothing
[Panda Antivirus]
2010-10-09 Trj/Downloader.MDW
[ClamAV]
2010-10-10 Trojan.WoW-560
[Quick Heal]
2010-10-09 Found nothing
[CPsecure]
2010-10-10 Found nothing
[Sophos]
2010-10-09 Mal/Generic-A
[Dr.Web]
2010-10-10 Found nothing
[VirusBlokAda VBA32]
2010-10-08 Backdoor.Win32.Hupigon.nqr
[Frisk F-Prot Antivirus]
2010-10-09 Found nothing
[VirusBuster]
2010-10-10 Found nothing

A Virustotal scan log is as follows -

AhnLab-V3 2010.10.10.00 2010.10.09 Backdoor/Win32.Graybird
AntiVir 7.10.12.167 2010.10.08 TR/Agent.bwnc
Antiy-AVL 2.0.3.7 2010.10.10 Trojan/Win32.Agent.gen
Authentium 5.2.0.5 2010.10.10 -
Avast 4.8.1351.0 2010.10.10 Win32:Trojan-gen
Avast5 5.0.594.0 2010.10.10 -
AVG 9.0.0.851 2010.10.10 Dropper.Agent.MVL
BitDefender 7.2 2010.10.10 -
CAT-QuickHeal 11.00 2010.10.09 -
ClamAV 0.96.2.0-git 2010.10.10 Trojan.WoW-560
Comodo 6340 2010.10.10 TrojWare.Win32.Agent.bwnc
DrWeb 5.0.2.03300 2010.10.10 -
Emsisoft 5.0.0.50 2010.10.10 Packed.Win32.PePatch!IK
eSafe 7.0.17.0 2010.10.07 Win32.Banker
eTrust-Vet 36.1.7901 2010.10.08 -
F-Prot 4.6.2.117 2010.10.09 -
F-Secure 9.0.15370.0 2010.10.10 -
Fortinet 4.2.249.0 2010.10.10 -
GData 21 2010.10.10 Win32:Trojan-gen
Ikarus T3.1.1.90.0 2010.10.10 Packed.Win32.PePatch
Jiangmin 13.0.900 2010.10.10 -
K7AntiVirus 9.65.2713 2010.10.09 -
Kaspersky 7.0.0.125 2010.10.10 -
McAfee 5.400.0.1158 2010.10.10 Artemis!FFCFB7B644CC
McAfee-GW-Edition 2010.1C 2010.10.10 Artemis!FFCFB7B644CC
Microsoft 1.6201 2010.10.10 -
NOD32 5518 2010.10.09 -
Norman 6.06.07 2010.10.10 Agent.SWMC
nProtect 2010-10-10.01 2010.10.10 -
Panda 10.0.2.7 2010.10.10 Trj/Downloader.MDW
PCTools 7.0.3.5 2010.10.10 Backdoor.Graybird!rem
Prevx 3.0 2010.10.10 -
Rising 22.68.05.00 2010.10.09 -
Sophos 4.58.0 2010.10.09 Mal/Generic-A
Sunbelt 7030 2010.10.10 Backdoor.Graybird
SUPERAntiSpyware 4.40.0.1006 2010.10.10 -
Symantec 20101.2.0.161 2010.10.10 Backdoor.Graybird
TheHacker 6.7.0.1.054 2010.10.10 Trojan/Agent.bwnc
TrendMicro 9.120.0.1004 2010.10.10 TROJ_HUPIGON.NHR
TrendMicro-HouseCall 9.120.0.1004 2010.10.10 TROJ_HUPIGON.NHR
VBA32 3.12.14.1 2010.10.08 Backdoor.Win32.Hupigon.nqr
ViRobot 2010.9.25.4060 2010.10.10 -
VirusBuster 12.67.11.0 2010.10.10 -

Also, whatever's infected my system got my passwords and went onto spam my contacts in hotmail with links which most likely contain malware.

At the moment I'm considering a fresh OS install as soon as possible.

Yes it's surely infected.. About what was found... so you may want to nuke and pave.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.



Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech
Windows XP: Clean Install

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
• Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.