[pchelpers] Rootkit virus/trojan report


FYI.

I sent this to AVG and to Avast!  I was going to send to Symantec, but
they foolishly assume that everyone on the planet runs Symantec.

--Scott.

===8<==============Original message text===============
Hi,

I found the attached files on a customer's system.  The password is
"virus".

The system was running Symantec Antivirus, and kept reporting LPT5.QVW
as a generic trojan, but was unable to remove it. AVG, which was also
on the system, did not seem to recognize any of the files.
RootkitRevealer showed this:

   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs   7/18/2006 11:36 PM   66 bytes   Windows API length not consistent with raw hive data.
   C:\WINDOWS\owlot1.dll   7/18/2006 11:36 PM   63.66 KB   Hidden from Windows API.
   C:\WINDOWS\Prefetch\HL2.EXE-02F98795.pf   8/11/2006 12:23 AM   58.11 KB   Hidden from Windows API.
   C:\WINDOWS\system32\lpt5.qvw   8/24/2006 9:14 AM   120.38 KB   Hidden from Windows API.

I had difficulty fixing the AppInit_DLLs entry; it kept coming back. I
was finally able to do it with ERD Commander. I also managed to move
the PF and DLL files.

I had to use a disk editor to rename LPT5.QVW, since "LPTn" is a
device name protected by Windows. In the ZIP file, it's renamed to
LPX5.QVW.

On my own system, Avast! recognizes OWLOT1.DLL as "Win32:Agent-gen
[Trj]", but neither of the other two files.

I do not know if the three files are connected or not; I am assuming that
they are because all 3 were hidden from Windows.

-- 
Scott.



-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.
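The RootkitRevealer listing and the "LPTn is a protected device name" obstacle in the post above, worked through as an added example. This is not code from the original post and not RootkitRevealer's own code. It assumes a tab-separated export layout (path, timestamp, size, description), which is an assumption; the four sample lines are constructed by re-typing the findings quoted in the post. It separates registry findings from file-system findings, flags file names that Win32 parses as a device (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9, with or without an extension, which is why a plain "del lpt5.qvw" cannot reach the file), and builds the "\\?\" extended-length path that disables that parsing so that ordinary del/ren work against the raw NTFS name. The hypothetical helper names (parse_listing, triage, win32_extended_path) are mine.

```python
"""Triage helper for a RootkitRevealer-style discrepancy listing.

Added example, not part of the original post and not RootkitRevealer's own
code.  Input layout (one finding per line, tab-separated: path, timestamp,
size, description) is an assumption made for this example.
"""
from dataclasses import dataclass

# Names Win32 resolves to a device instead of a file, even with an extension:
# "LPT5.QVW" is the LPT5 device as far as CreateFile/DeleteFile are concerned.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

# Constructed sample input: the four findings quoted in the post, re-typed
# into the assumed tab-separated layout.
SAMPLE_LISTING = (
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"
    "\t7/18/2006 11:36 PM\t66 bytes"
    "\tWindows API length not consistent with raw hive data.\n"
    "C:\\WINDOWS\\owlot1.dll\t7/18/2006 11:36 PM\t63.66 KB"
    "\tHidden from Windows API.\n"
    "C:\\WINDOWS\\Prefetch\\HL2.EXE-02F98795.pf\t8/11/2006 12:23 AM\t58.11 KB"
    "\tHidden from Windows API.\n"
    "C:\\WINDOWS\\system32\\lpt5.qvw\t8/24/2006 9:14 AM\t120.38 KB"
    "\tHidden from Windows API.\n"
)


def is_reserved_device_name(filename: str) -> bool:
    """True if Win32 would treat this file name as a device (e.g. 'LPT5.QVW')."""
    # Only the part before the first dot matters; trailing spaces are ignored.
    stem = filename.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def win32_extended_path(path: str) -> str:
    r"""Return the \\?\ form of a path, which turns off device-name parsing."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):  # UNC: \\server\share\x -> \\?\UNC\server\share\x
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


@dataclass
class Discrepancy:
    path: str
    timestamp: str
    size: str
    description: str

    @property
    def kind(self) -> str:
        root = self.path.split("\\", 1)[0].upper()
        return "registry" if root in {"HKLM", "HKCU", "HKU", "HKCR", "HKCC"} else "file"

    @property
    def hidden_from_api(self) -> bool:
        return self.description.startswith("Hidden from Windows API")

    @property
    def needs_extended_path(self) -> bool:
        if self.kind != "file":
            return False
        return is_reserved_device_name(self.path.rsplit("\\", 1)[-1])


def parse_listing(text: str) -> list[Discrepancy]:
    """Parse one finding per non-blank line; reject malformed lines loudly."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t", 3)
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
        records.append(Discrepancy(*(f.strip() for f in fields)))
    return records


def triage(text: str) -> list[str]:
    """One action line per finding, with the \\?\ path where a plain path cannot work."""
    out = []
    for rec in parse_listing(text):
        if rec.kind == "registry":
            out.append(f"[registry] {rec.path}: {rec.description} (compare against the raw hive offline)")
        elif rec.needs_extended_path:
            out.append(f"[file, reserved name] {rec.path}: remove via {win32_extended_path(rec.path)}")
        else:
            out.append(f"[file] {rec.path}: {rec.description}")
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE_LISTING):
        print(line)
```

On a live Windows box the equivalent is `del \\?\C:\WINDOWS\system32\lpt5.qvw` from an elevated prompt (or a boot-time/offline tool, as the post did), since the same parsing rule applies to every Win32 file API; the checker itself runs anywhere.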