
Help wanted to remove unknown malware


2 replies to this topic

#1 ozeannie

ozeannie

  • Members
  • 10 posts

Posted 05 February 2009 - 11:28 PM

Hello,

I have spent a good few days (bad ones actually) trying to eradicate this thing off my son's computer.

It is very similar to what is reported here:

http://www.bleepingcomputer.com/forums/t/70447/w32perlovga/

I followed the instructions and uploaded the 2 files required.

Symptoms are as follows:

Bad behaviour is that when in My Computer and double-clicking the C or E drive (E is an external portable drive) I get a message "could not find file c:\recycler\S-#####-######-######-#####.com" where ### represents a random series of numbers separated by hyphens - I don't know for sure how many numbers there are, it's just an example. Similar for the E drive, or it just doesn't open.

If I go into the registry to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 there are a number of entries there, most of which have a value of Base = drive.

Originally both the C drive entry and E drive entry had subfolders there of autoplay and open, both of which had a subfolder command which ran along the lines of the one in the post above:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"

except my entry is then C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL C:\recycler\s-###-####-####-####.com

I deleted the subfolders from the C and E key and they didn't come back.
However there are 2 other keys in there that are long numbers in parentheses, one of which started with the number 13 and one with 4 - these had identical subfolders to the C and E drive keys, but no matter how many times I delete these they come back.

If I delete them, I can then open the icons in My Computer. I can open anything on the computer via Windows Explorer, and dialogue boxes to save or find a file etc. all work fine. It's just in My Computer, and just those 2 icons - I also have a network drive but it and the CD-ROM aren't affected.

So I get rid of these entries and when I reboot and check the registry the values of 13... and 4... are still looking normal, e.g. Base = Drive and no subfolders. But as soon as I click on one of those icons I get the message again and the values go back in the registry.

I have updated my antivirus and two lots of malware and run it - over the last few days some has been found and removed, this morning more was found by malwarebytes and removed. I then ran AV over the entire machine and malwarebytes and nothing was found. But I bet if I restart the computer now, it will happen again...as has been the case.

Initially I also had problems connecting to my AV update site as well with a Zlob DNS changer, but got rid of that and all was ok with several reboots yesterday. First boot this morning...same problem - Malwarebytes found lots more Zlobs and deleted them, update working again now...but again, I wonder for how long?

Await a better mind than mine to help me figure this out...


many thanks

PS: just did an experiment and restarted the computer - AV still works, but this time when I double-clicked My Computer on the desktop, I went to regedit BEFORE opening the C drive just to take a look - and the subfolders were back. So it's the action of double-clicking the My Computer icon that puts the values back in the registry, as if I look at the registry before doing that it's fine.


STOP PRESS!!!! I think I might have fixed this after going here:

http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/

I applied the reasoning there to my own case - I deleted all the mountpoints2 entries, then using IceSword, I was able to find autorun.ini on both the C and E drives (that was a problem before as they weren't visible in normal mode). Deleted these 2 files on the C and E drives and now it all works on restart! I didn't do anything about a svchosts file or hosts file though - I don't know whether one applied in this case but I wouldn't have known which one it was I had to find.

Wouldn't mind someone just doing some cross-checking with me to make sure we have this thing properly removed and there aren't any other things still lurking, as we had multiple viruses and trojans in the last few days - though AV is now reporting it clean. (But then again it didn't pick THIS one up, did it?)

Many thanks again

Anne

Edited by ozeannie, 06 February 2009 - 01:11 AM.
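A defender-side check for the registry symptom described in this post, added here as an example and not part of the original thread: it parses a .reg export of MountPoints2 (a constructed sample modelled on the entries quoted above; the second GUID and the S-... file name are placeholders, not real indicators) and reports every Shell\<verb>\command entry together with the reasons it looks suspicious.

```python
import re

# Constructed .reg export of MountPoints2, modelled on the entries quoted in the
# post; the second GUID and the S-... file name are placeholders, not real IoCs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL C:\\recycler\\s-1-5-21-1234-5678-9012.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{13000000-0000-0000-0000-000000000000}\Shell\open\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL C:\\recycler\\s-1-5-21-1234-5678-9012.com"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"$')
# Any Shell\<verb>\command below a MountPoints2 entry. A clean drive entry holds
# only BaseClass=Drive, so the mere presence of a command is worth reviewing.
SHELL_CMD_RE = re.compile(
    r"\\MountPoints2\\(?P<mount>[^\\]+)\\Shell\\(?P<verb>[^\\]+)\\command$", re.I)
SUSPECT = [(r"shellexec_rundll", "launched indirectly via RunDLL32 ShellExec_RunDLL"),
           (r"\\recycler\\", "target hidden under RECYCLER"),
           (r"\.com(\s|$)", "target is a .com executable")]

def parse_reg_export(text):
    """Return {key: default value} for every key in a .reg export that sets @."""
    entries, key = {}, None
    for raw in text.splitlines():
        m = KEY_RE.match(raw.strip())
        if m:
            key = m.group("key")
            continue
        m = DEFAULT_RE.match(raw.strip())
        if m and key:  # .reg escapes \ and " as \\ and \" ; undo that
            entries[key] = re.sub(r"\\(.)", r"\1", m.group("val"))
    return entries

def find_autorun_hijacks(entries):
    """Flag MountPoints2 shell commands and say why each one looks suspicious."""
    findings = []
    for key, cmd in entries.items():
        m = SHELL_CMD_RE.search(key)
        if not m:
            continue
        reasons = [why for pat, why in SUSPECT if re.search(pat, cmd, re.I)]
        findings.append({"mount": m.group("mount"), "verb": m.group("verb"),
                         "command": cmd, "reasons": reasons})
    return findings
```

Export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" mp2.reg` and feed the file's text to `parse_reg_export` to run this against a live machine.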



#2 ozeannie

ozeannie
  • Topic Starter

  • Members
  • 10 posts

Posted 07 February 2009 - 09:10 PM

Edit - For Autorun.ini read Autorun.inf ......typo, sorry

Also the second link given for the solution http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/ is incorrect, sorry - that link was used to remove other malware on the computer.

The first link http://www.bleepingcomputer.com/forums/t/70447/w32perlovga/ contains within it a post with a link to another forum (kaspersky lab) and within that thread is a post with further details.

This problem is now solved, no further action required.

Edited by ozeannie, 07 February 2009 - 11:20 PM.


#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 17 February 2009 - 12:34 PM

Thanks for telling us.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



