Virus/rootkit scare [Resolved]


Could you help me identify if I have a problem or refer me somewhere?

I ran GMER this morning and got the output attached as a log. What I wonder about is a file called IsDrv118.sys. A search on it turned up this at the F-Secure site, which linked it with the Alman-B virus:

"After the infected file is started the virus decrypts its body and drops two files:

* %WinDir%\linkinfo.dll
* %WinSysDir%\drivers\IsDrv118.sys

The DLL is the main virus component. The SYS file is a rootkit component that hides certain files and Registry keys.

The dropped DLL file is injected into Windows Explorer process and runs with system privileges."

I happened to run Windizupdate and SFC after that, and then ran GMER again. The references to IsDrv118.sys had disappeared. I could find no such file on my system (or any linkinfo.dll in the main Windows directory; the one in the System32 directory checked out clean when uploaded to), even after booting a Linux CD-ROM and searching (how could the files hide from Linux?). The AV, TrojanHunter, and a bevy of rootkit detectors turn up nothing in particular.

Do I have a problem? How best to be sure? I’m running Win2000 SP4, CFP 2.4, NOD32.

Edit: I’m also attaching a HijackThis log. Nothing there leaps out at me as suspicious.



Sophos claim to detect it; the program may be able to remove it.

I would suggest a reformat if it turns out to be real. (Backup ALL needed data first).

Also scan the backups with an up-to-date anti-virus product before running files from the backup on the new install.

Rotty, thanks for the tip.

I downloaded, installed, and ran the Sophos product. The scan came up negative. I’m sort of hoping that what I saw was a remnant of a failed attempt to install the virus.

Edit: The Sophos Threat Detection Test, which I think mirrors their AV detection, also came up negative.

This was a false positive, a driver for the IceSword anti-rootkit tool, that loads when IceSword runs and remains until I reboot. I updated the program, and the driver name changed to match. I was thrown off by Googling on the filename and turning up the fact that a virus writer had also appropriated that filename.

Ravenheart, I’m real glad to hear that was a false positive. I’ve had to redo my system no less than twice due to those freaking things. You may want to submit that FP to nod support. I too am running nod 2.7 and I rarely, if ever, see a FP. Shame, shame, shame.

Now that you have this resolved I’ll go ahead and lock it up and mark it as such. If you need it reopened please PM another mod or myself with this thread’s URL.