How do I pin down the suspect virus file?

oversky

From ntbtlog.txt (the XP boot log file), I found out there is a driver
file that changes its name every time I reboot.

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\Drivers\a5mzjxub.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys

However, when I log in to XP, I can't find the suspect file.
This possible virus also appears in the registry (HKLM\System\
CurrentControlSet\Services\), and also changes its name when I reboot.

I have used NOD32 2.7 (with updated virus signatures) to scan the hard drive
in safe mode, but no luck.
Can anyone give me some idea and a tool to pin down this virus? Thank
you.
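An added example, not from the thread, that automates what oversky did by eye: it parses the "Loaded driver" lines from two copies of ntbtlog.txt saved on successive boots, lists the driver names that appear in only one of them, and tags names that look machine-generated. The sample input is constructed from the three lines quoted above; the second random name (qk2vtsnr.SYS) and the script name are invented to stand in for what the next reboot would show. A hit tells you which file to chase (the thread later traces it to Daemon Tools); it is not a malware verdict.

```python
import re
import sys

# Constructed sample: the "Loaded driver" lines quoted in the post above, as
# they would appear in ntbtlog.txt on two successive boots.  qk2vtsnr.SYS is
# an invented stand-in for the renamed driver on the second boot.
BOOT_A = """\
Loaded driver \\SystemRoot\\System32\\Drivers\\Modem.SYS
Loaded driver \\SystemRoot\\System32\\Drivers\\a5mzjxub.SYS
Loaded driver \\SystemRoot\\system32\\DRIVERS\\cfosspeed.sys
"""
BOOT_B = """\
Loaded driver \\SystemRoot\\System32\\Drivers\\Modem.SYS
Loaded driver \\SystemRoot\\System32\\Drivers\\qk2vtsnr.SYS
Loaded driver \\SystemRoot\\system32\\DRIVERS\\cfosspeed.sys
"""

# ntbtlog.txt lines are "Loaded driver <path>" or "Did not load driver <path>".
DRIVER_LINE = re.compile(r"^(Loaded|Did not load) driver\s+(\S+)\s*$", re.IGNORECASE)


def read_log(path):
    """Read a saved boot log; some Windows versions write it as UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def loaded_drivers(log_text):
    """Map lowercased file name -> path as logged, for every driver reported as loaded."""
    drivers = {}
    for raw in log_text.splitlines():
        m = DRIVER_LINE.match(raw.strip())
        if m and m.group(1).lower() == "loaded":
            path = m.group(2)
            drivers[path.rsplit("\\", 1)[-1].lower()] = path
    return drivers


def looks_random(filename):
    """Secondary heuristic: an 8-character alphanumeric stem mixing letters and
    digits, as in a5mzjxub.sys.  Legitimate 8.3-style vendor names can match
    too, so this is a tag to prioritise by, not a verdict on its own."""
    stem = filename.lower().rsplit(".", 1)[0]
    return (re.fullmatch(r"[a-z0-9]{8}", stem) is not None
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def changed_between_boots(log_a, log_b):
    """Driver names present in exactly one of two boot logs.  A legitimate driver
    keeps its file name across reboots, so a name seen in only one log is the
    'renames itself every boot' pattern the post describes.
    Returns (sorted names only in log_a, sorted names only in log_b)."""
    a, b = loaded_drivers(log_a), loaded_drivers(log_b)
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


def report(log_a, log_b):
    """One finding per suspect driver, with the random-name tag where it applies."""
    only_a, only_b = changed_between_boots(log_a, log_b)
    tag = lambda n: "  [random-looking]" if looks_random(n) else ""
    return ([f"gone after reboot : {n}{tag(n)}" for n in only_a]
            + [f"new after reboot  : {n}{tag(n)}" for n in only_b])


if __name__ == "__main__":
    # Usage: python ntbtlog_diff.py <ntbtlog.txt saved after boot 1> <copy saved after boot 2>
    # Without arguments the constructed sample above is used.
    if len(sys.argv) == 3:
        texts = (read_log(sys.argv[1]), read_log(sys.argv[2]))
    else:
        texts = (BOOT_A, BOOT_B)
    for line in report(*texts) or ["no driver names changed between the two boots"]:
        print(line)
```

Copy ntbtlog.txt out of the Windows directory after each boot before the next boot overwrites it, then feed the two copies to the script. The cross-boot diff is the strong signal; the random-name tag only orders the candidates, because a driver that is genuinely new (a fresh install, a hot-plugged device) also shows up in one log only.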
 
jnez367

From: "oversky" <[email protected]>

| From ntbtlog.txt (the XP boot log file), I found out there is a driver
| file that changes its name every time I reboot.

| Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
| Loaded driver \SystemRoot\System32\Drivers\a5mzjxub.SYS
| Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys

| However, when I log in to XP, I can't find the suspect file.
| This possible virus also appears in the registry (HKLM\System\
| CurrentControlSet\Services\), and also changes its name when I reboot.

| I have used NOD32 2.7 (with updated virus signatures) to scan the hard drive
| in safe mode, but no luck.
| Can anyone give me some idea and a tool to pin down this virus? Thank
| you.

Place the drive on a surrogate PC.

Try http://onecare.live.com/site/en-us/default.htm and see if it finds
anything.

Manual Removal

Can you get the name of the file, boot from the XP CD, and use the Recovery
Console to find it? You will need the administrator password.

I got rid of the TDSS by doing this. Sounds similar. Files could not
be seen or deleted. Also blocked access to antivirus sites.

You might also want to check Device Manager for non-plug-and-play
devices.
You will have to change the view to show hidden devices.

Another option would be something like BartPE. It is a boot CD that
will give you access to the hard drive without
using the files on the hard drive. It also has antivirus and adware-removal
plugins.

Hope this helps
 
oversky

I tried Avira AntiVir in safe mode and NOD32 4 RC in Windows, and still
can't catch the virus.
 
1PW

| From ntbtlog.txt (the XP boot log file), I found out there is a driver
| file that changes its name every time I reboot.

| Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
| Loaded driver \SystemRoot\System32\Drivers\a5mzjxub.SYS
| Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys

| However, when I log in to XP, I can't find the suspect file.
| This possible virus also appears in the registry (HKLM\System\
| CurrentControlSet\Services\), and also changes its name when I reboot.

| I have used NOD32 2.7 (with updated virus signatures) to scan the hard drive
| in safe mode, but no luck.
| Can anyone give me some idea and a tool to pin down this virus? Thank
| you.

FWIW

1) NOD32 AntiVirus 4.0.226 RC1 was released recently. That makes V2.7
at least a year and a half old.

2) Yes, something seems wrong, but by definition you don't know if this
is a virus or not. Malware, maybe. To that end, please consider running
the freeware versions of MBAM and SAS.

MBAM: <http://www.malwarebytes.org/mbam.php>
SAS: <http://www.superantispyware.com/>

Please post a follow-up to this thread with your progress.

Best of luck to you.

Pete
 
Char Jackson

| FWIW

| 1) NOD32 AntiVirus 4.0.226 RC1 was released recently. That makes V2.7
| at least a year and a half old.

How significant is it that the AV framework is ~18 months old when the
definition files are still being updated multiple times a day? I'm
asking because I still run V2.7 myself.
 
1PW

| How significant is it that the AV framework is ~18 months old when the
| definition files are still being updated multiple times a day? I'm
| asking because I still run V2.7 myself.

Hello

As a general rule of thumb, some of the bad folks have found the
weaknesses of an antivirus product, such that the two-year point is
where some products may be thought of as possibly inadequate and
probably dangerous.

It's not just the signatures/fingerprints that are being used in scan
comparisons. It's also NOD32 Antivirus's updated heuristics and other
proprietary scanning techniques that mark the difference in revisions.

If you believe the ESET folks are following industry accepted version
number schemes, the recent update of NOD32 makes V2.7 about two whole
version numbers behind. That likely constitutes two major updates.

<http://en.wikipedia.org/wiki/Software_versioning>

If you believe you will continue to place your trust in ESET's antivirus
product, then about $40 USD per year is not unreasonable. If not, some
worthy and interesting alternatives can be had for free. Some of the
knowledgeable people in similar newsgroups are recommending NOD32 on a daily
basis.

Regards,

Pete
 
oversky

MBAM crashed two times while scanning. It found some ad scripts, but
not the one I am looking for.
SAS is more stable. It also found some adware, but still no luck.

Finally, I moved the folders in \Program Files using a binary-tree
method, and figured out the file is installed by
Daemon Tools. When I uninstall it, the file disappears. I am not sure
whether it is done on purpose or not. Maybe it helps Daemon Tools avoid being
tracked by copy protection.
 
