Malware? Botnet?



#1 CTSoprano

  • Members
  • 4 posts

Posted 14 January 2009 - 01:36 PM

Hi,

I hope someone out there can help me. I have what seems to be the nastiest malware infection ever. It started back in October and all three of the computers in my house display the same symptoms. This bug has done all sorts of nasty things from locking me out of my own computers for hours to changing settings (ex: changing it so the off button doesn't turn the computer off, it puts it to sleep), to installing "generic" peripheral devices and drivers, swapping out my CD/DVD drive with a network drive, changing the boot order so the computer boots from a network drive instead of my hard drive, shuts down spyware/malware protection programs (in fact, it eats most of them for lunch!), shuts off Windows updates, changes my duo core processor to show just one processor, runs what I suspect is Windows NT or Server 2003 but uses graphics to make it look like I'm running Vista, uses a telephony program to call who knows where.. basically, it's a huge computer nightmare and all my efforts to rid myself of it have been unsuccessful. There are days that I can use my computers and days that I can't. I've purchased two new computers hoping to "start fresh" and they were instantly infected. I think this will be an interesting case for someone who is interested in spybots/malware, etc. and I am hoping you'll know how to help.

Let me give you some specifics about the situation.

Here's what's going on:
  • Computer hooks up to some network that I don't know. There is a DNS/DHCP/Socks address that's not visible to me. I can't always tell when I'm connected to the network, but when the network is not connected, I have trouble connecting to my own ISP (Comcast). I usually have to do IPCONFIG /flushdns to get it to work and that doesn't always do the trick.
  • Though I am supposed to be the administrator of my computers, I'm constantly told I don't have permission to do all sorts of things, including relatively benign tasks like removing game files or deleting Adobe Reader 8.0 after I learned it had vulnerabilities that could allow someone to take over your system (ya think!?)
  • When I try to download updates or drivers, I'm often told "This driver only works with Windows Vista" and I'm like... uh... hello? I have Vista... what's the problem? This leads me to believe the malware runs either Windows NT or server 2003, plus, the interface is nowhere near as nice as the real Vista.
  • Automatic updates for Windows won't work. When I manually install them, it acts as if it is working but I am quite sure it does not. If I view hidden folders, I see files called "spuninstall" and the update number. I'm not sure what this is but it seems suspicious to me.
  • I now shut the computer off when I'm not using it but when I used to leave it on all the time, I remember getting up in the middle of the night and that thing was working like crazy - lights flashing away and the processor was going full speed ahead -- sort of scary. I've actually started unplugging it at night...
  • The list of devices/peripherals is a mile long and all I have hooked to the computer that's not part of the original configuration is a printer.
  • On start up, there is an icon in the tray on the lower right that says it's safe to remove a peripheral (I have no peripherals installed) When I click properties it shows a "mass storage device" and it shows as an "E" drive when I look at computer properties. I called the manufacturer and they said this is not normal.... though they could not tell me how to get rid of it. I do believe that this is how the network makes initial contact with my system and loads files, etc.
  • There is a redirect on IE and it won't let me update to IE 8 Beta and I suspect that the emergency patch Microsoft issued in December isn't being applied, though I downloaded it.
  • Latest - showing as 86-bit machine when I look under the device manager. That can't be right, can it?!?
There's probably more, but this is a list of the biggest issues. I know it sounds like multiple problems, but I am really quite sure it's all just pieces to one big puzzle.

Here's what I tried to fix the problem:
  • Wiping the computer and reloading the system - I've done this literally a dozen times. A certified Microsoft tech did it at least two of those times. I even used a program that wipes the drive to US Government top secret security standards. It took like 72 hours to complete! It didn't work. I've learned that the malware installs an "X" drive and apparently, enough data lingers here for the malware to regenerate. I think the peripheral drive I mentioned above might be related here. The drive stays in and the malware connects to it and reinfects the clean system? The last time I wiped the drive, I got an error message about a peripheral I should remove.
  • Editing the registry - I've literally wiped the registry by hand, deleting items line by line. There are several protected roots (are these part of a 'root kit' or just part of the computer?) that could not be deleted. I've tried numerous registry editor software packages but my expertise just runs out when it comes to the registry and I get over my head fast. I do think someone who is confident in that area could probably do wonders.
  • Reviewed files in the system and programs folders (these don't always make sense to people, I know, but there's some stuff in there that seems just completely wrong... ) In fact there was something in there that labeled my computer a "volatile" environment no doubt due to the efforts I've made to get this garbage off my computers! They think I'M volatile!? These are my computers!! Who's calling whom volatile?!
  • Changing out my cable modem and wireless modems (thinking maybe they had my MAC IDs) BTW - my wireless has WPA encryption and I live in an upscale building where most of the residents are older and barely know how to turn on their computers never mind hack one. I know this is no guarantee, but I'm reasonably sure this isn't one of my neighbors who hacked my wireless...
  • Tried numerous spyware/internet security programs: Norton, Kaspersky (best so far...), Trend Micro, AVG, CA, Onecare and numerous online scans. None pick up any malware on my system.
  • Tried Unhackme software and Spybot Search and Destroy but I seem to get into trouble when they start taking things off - system won't start, etc. so I need some guidance there.
Efforts to seek help...
  • Microsoft certified tech from Circuit City - came out and stripped all of the computers. They ran OK for about a day before they were totally reinfected. He stripped them again - same thing.
  • Called Comcast security - basically got dismissed. They provide McAfee security free for customers and this should keep you safe. If you have malware, get professional help. Basically -- this is not our problem, lady. I was thinking they'd be concerned someone was using their wires for bad things... trust me, they were not concerned at all.
  • Called Averatec - confirmed that it's not normal to have an icon to remove a peripheral or an E drive. Suggested I return the computer to CompUSA (the thing of it is, I already returned TWO thinking I could beat the bot that way and it didn't work.. why would this time be different??)


    Computer Specs:
    Averatec all in one dream machine
    22"
    Vista Home Premium
    Intel Duo Core processors 2.4 GHz
    3 gigs RAM
Sorry to be so long-winded. As you can see, it's not a simple, straightforward issue at all. Do you have any ideas what this could be and more importantly, how I can get rid of it? Obviously, I'll be glad to provide whatever you need to help with the diagnosis and at this point, I'll try anything to fix it too. Please note the Averatec is the only computer currently running in the house since the first of the year. I have shut the others down thinking I may have been cross contaminating them. If there's a virus/malware pro in south Florida willing to take this on, I'm open to paying for the services if someone knows what to do. Everyone I speak to wants to wipe the drive and start again and I'm like... OK.. been there. Done that. There's more to it...

Any help and advice you can offer will be very much appreciated. Thanks in advance and I look forward to speaking with you soon.

Laurie O



#2 boopme

  • Global Moderator
  • 73,231 posts

Posted 14 January 2009 - 02:01 PM

Hello Laurie, welcome. I think we'll be running some specialized tools soon, but let's get an MBAM log first.

Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#3 CTSoprano

  • Topic Starter

  • Members
  • 4 posts

Posted 14 January 2009 - 11:04 PM

Hi,

Thank you for getting back to me so quickly. I did the Malwarebytes scan as you instructed but it didn't find anything at all. The strange thing about this bug is that most of the files it uses seem to be legitimate files, they're just set up to do bad things!

Here is the log:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 6.0.6001 Service Pack 1

1/14/2009 9:52:23 PM
mbam-log-2009-01-14 (21-52-23).txt

Scan type: Quick Scan
Objects scanned: 44271
Time elapsed: 1 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I also ran a complete scan just to see if it would find anything and it did not.

I was off my computer for a few hours this afternoon and this evening, I find it loaded with all sorts of junk I didn't install and changes I didn't make (and the processor was running a mile a minute but nothing was open - nothing of mine, anyway....) It's scary to think that I have literally NO privacy on this brand new computer right now. I feel like there's an intruder in my office every day. My limited knowledge of botnets indicates that they're after my bandwidth and/or space on my computer far more than my personal information (which I've obviously removed from this computer anyway...) is that an accurate assumption?

What should I try next? One file in particular that I know means trouble is explorer.EXE (caps on the EXE, not lowercase like the real one). When that's open in my task manager, I know there's stuff going on.

Thanks again for your help. I'll look forward to your reply.
Laurie O

#4 CTSoprano

  • Topic Starter

  • Members
  • 4 posts

Posted 14 January 2009 - 11:40 PM

OMG, Boopme..

I just found something pretty amazing. Since I'm totally obsessed with getting rid of this darned bug, I couldn't just call it a night and leave well enough alone.... I ran RunAnalyzer (which I downloaded from the same site where I originally found SpyBot Search and Destroy) and it provides a beautiful road map of absolutely everything, every file, .dll, etc. on my computer and how they relate to each other and where they are on the registry. It's a huge report, but if you're willing to look at it, I have seen nothing else that gives a clearer picture of everything that's going on with my computer. What do you think?

Laurie O

K... going to bed now... no.. really. Logging OFF my infected computer... and unplugging it so everyone else has to log off of it too!

#5 boopme

  • Global Moderator
  • 73,231 posts

Posted 14 January 2009 - 11:52 PM

Hello again, I can see how unnerving that is. As I won't be back on till the morning, I want you to run a few things, in this order.

> Botnet is a term derived from the idea of bot networks. In its most basic form, a bot is simply an automated computer program, or robot. In the context of botnets, bots refer to computers that are able to be controlled by one, or many, outside sources. An attacker usually gains control by infecting the computers with a virus or other malicious code that gives the attacker access. Your computer may be part of a botnet even though it appears to be operating normally. Botnets are often used to conduct a range of activities, from distributing spam and viruses to conducting denial-of-service attacks.
(US-CERT)

EDIT: you should disable Spybot for these or else you may find yourself having to "yes" everything to death.
ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

SAS
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Now Run Options 1 and 2... of SmitFraudFix by S!Ri
Post its report. The report can be found at the root of the system drive, usually at C:\rapport.txt .

Edited by boopme, 14 January 2009 - 11:55 PM.


#6 Galadriel

  • Malware Response Team
  • 2,753 posts

Posted 15 January 2009 - 12:35 AM

CTSoprano wrote (Jan 14 2009, 10:04 PM):
> One file in particular that I know means trouble is explorer.EXE (caps on the EXE, not lowercase like the real one) When that's open in my task manager, I know there's stuff going on.

Don't mean to step on any toes, but I have to correct this assumption. Windows systems are NOT case sensitive, so it really does not matter if the file has an all caps extension or if it's lower case. To Windows, the file is the same.

I have a feeling that a lot of the problems you are experiencing are due to misconfiguration issues. But do get the scans and the reports from those programs in boopster's post.

Some of what you say up there doesn't make much sense. How do you know you're connected to some DNS/DHCP/Socks proxy if you can't see it? Vista has the UAC on by default, and even administrator accounts are limited in what they can run without the UAC prompts. So that's not strange at all. It's actually normal Vista behaviour. As for the computer running like crazy during the night, I would make sure there's not a backup system set to run when the computer is idle.

As for your mysterious drive E:, have you looked in device manager to see what was listed? Have you tried to actually browse this drive? What is it listed as when you open explorer? Local Disk? CD-ROM? There's nothing concrete in your posts, just assumptions. Not trying to blow you off by any means, but a lot of what you said could be explained. Try to give precise details as to what specifically doesn't work the way it should.

> Computer hooks up to some network that I don't know. There is a DNS/DHCP/Socks address that's not visible to me. I can't always tell when I'm connected to the network, but when the network is not connected, I have trouble connecting to my own ISP (Comcast). I usually have to do IPCONFIG /flushdns to get it to work and that doesn't always do the trick.
See above, what tells you about this network?

> Though I am supposed to be the administrator of my computers, I'm constantly told I don't have permission to do all sorts of things, including relatively benign tasks like removing game files or deleting Adobe Reader 8.0 after I learned it had vulnerabilities that could allow someone to take over your system (ya think!?)
UAC on?

> When I try to download updates or drivers, I'm often told "This driver only works with Windows Vista" and I'm like... uh... hello? I have Vista... what's the problem? This leads me to believe the malware runs either Windows NT or server 2003, plus, the interface is no where near as nice as the real Vista.

> Windows 6.0.6001 Service Pack 1
You're running Vista, as evidenced by the mbam log above.

> Automatic updates for Windows won't work. When I manually install them, it acts as if it is working but I am quite sure it does not. If I view hidden folders, I see files called "spuninstall" and the update number. I'm not sure what this is but it seems suspicious to me.
What is the problem with auto updates? spuninstall folders are normal; they are the backup folders Windows uses when you uninstall a particular update or hotfix. Perfectly normal to have those.

> I now shut the computer off when I'm not using it but when I used to leave it on all the time, I remember getting up in the middle of the night and that thing was working like crazy - lights flashing away and the processor was going full speed ahead -- sort of scary. I've actually started unplugging it at night...
Again, could be a lot of things. What makes you so sure it's an infection?

> The list of devices/peripherals is a mile long and all I have hooked to the computer that's not part of the original configuration is a printer.
You'd be surprised at the list of peripherals I have on this laptop, even with nothing plugged in the USB. Most likely normal. But there are tools that will show you exactly what's what. If you can't tell what's legit, then the techs here probably can help you make sense of it.

> On start up, there is an icon in the tray on the lower right that says it's safe to remove a peripheral (I have no peripherals installed) When I click properties it shows a "mass storage device" and it shows as an "E" drive when I look at computer properties. I called the manufacturer and they said this is not normal.... though they could not tell me how to get rid of it. I do believe that this is how the network makes initial contact with my system and loads files, etc.

Do you by any chance have a card reader on that computer? have you tried to browse that drive and see what is in there?

> There is a redirect on IE and it won't let me update to IE 8 Beta and I suspect that the emergency patch Microsoft issued in December isn't being applied, though I downloaded it.

A redirect how? To where and when? Not enough info to help there.... In add/remove programs you can see all the updates applied. Just open it and there should be an option to show updates. Look for the KB number corresponding to the one from December, and see. If it's in there, it's applied.

> Latest - showing as 86-bit machine when I look under the device manager. That can't be right, can it?!?

x86 is a code for 32-bit processors.
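The checks Galadriel asks for above (is the running explorer.exe the real one regardless of letter case, what backs the E: drive, is a given update installed) can be done from PowerShell rather than guessed from Task Manager. This is an added example, not code from the thread or from any tool it mentions; it assumes Windows PowerShell 2.0 or later, and the KB number is a placeholder to replace with the patch in question.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 2.0+ on Vista/7.
# 'KB000000' below is a placeholder, not the real KB id of the December patch.

# 1. explorer.EXE vs explorer.exe: Windows and NTFS compare names case-insensitively,
#    so the spelling proves nothing. What matters is the directory the running copy
#    was loaded from and whether it still carries a valid Microsoft Authenticode signature.
function Test-ExplorerProcess {
    $expected = Join-Path $env:windir 'explorer.exe'
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        New-Object PSObject -Property @{
            PID         = $_.Id
            Path        = $_.Path
            InSystemDir = ($_.Path -ieq $expected)   # -ieq: case-insensitive, like the file system
            Signature   = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer      = $sig.SignerCertificate.Subject
        }
    }
}

# 2. The mysterious E: drive: ask Windows what kind of device backs the letter.
#    DriveType 2 = removable (e.g. a card reader slot), 3 = fixed disk,
#    4 = network share, 5 = CD/DVD.
function Get-DriveLetterInfo([string]$Letter = 'E:') {
    Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Letter'" |
        Select-Object DeviceID, DriveType, VolumeName, FileSystem, Size
}

# 3. Was a specific update applied? Same data as Add/Remove Programs -> Show updates.
function Test-UpdateInstalled([string]$KbToCheck = 'KB000000') {   # placeholder KB id
    $hf = Get-HotFix -Id $KbToCheck -ErrorAction SilentlyContinue
    if ($hf) { "$KbToCheck installed on $($hf.InstalledOn)" } else { "$KbToCheck is NOT installed" }
}

Test-ExplorerProcess | Format-List
Get-DriveLetterInfo 'E:'
Test-UpdateInstalled 'KB000000'
```

An explorer process whose Path is outside the Windows directory or whose Signature is anything but Valid is worth reporting in the thread; a DriveType of 2 on E: points at a card reader slot rather than an intruder.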



