Spyware that remains after a format?


  • This topic is locked
4 replies to this topic

#1 CameronJPU

  • Members
  • 7 posts

Posted 19 February 2009 - 08:14 PM

I've got a really unique problem here! First off, I'm a computer tech, I've been running my own support business for 5 years now. Suffice to say, I know how to remove spyware about as well as I know how to tie my shoes. I've got a client's computer here, which I worked on for 2 hours today. I think only a hack would need to reformat a computer to clean spyware, but that's the situation I found myself in today after working for two hours and the spyware not being removed.

I used MBAM, SAS, HJT and more. Repeatedly, in safe mode etc. I also have ERD Commander 2007 which I used to go in and delete files manually. So when none of that worked, I said it's time to cut bait and just do the reformat. So I brought the computer home with me and got started reformatting. Everything looked good until the first reboot, when Explorer.exe gave me a DEP error. I went to task manager and saw a number of things I didn't like, including 5 IExplore processes and a bunch of unknown processes that clearly indicated that despite the format and reinstall, the spyware remained.

So! I've never seen spyware that remains after a format. I suppose you'll ask for a HJT log, so I'll post it below, but again, no amount of HJT removal has done any good against this in the past so I think we're looking at something totally new here. Any help is appreciated.

Cameron

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:52 PM, on 2/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\System32\CcEvtSvc.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\inf\rundll33.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\grcrt.exe
C:\Documents and Settings\Tom Gordon\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\msrstart.exe
O4 - HKLM\..\Run: [DeskTopSrv] C:\WINDOWS\system32\grcrt.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Tom Gordon\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_090131a.dll xccd16
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Tom Gordon\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjbqgxcb.exe] C:\WINDOWS\tjbqgxcb.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Tom Gordon\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 3661 bytes
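The log above is easier to reason about when the autostart (O4) and service (O23) lines are reduced to a few signals: binaries registered from a user profile root, executables living under the INF driver folder, one binary registered from several Run keys and hives at once, and services with no vendor in their version information. The triage helper below is an added illustration, not part of the thread or of HijackThis; the sample lines are constructed in the same line format, and the heuristics are assumptions, not HijackThis rules.

```python
import re
from collections import defaultdict

# Constructed sample lines in HijackThis O4/O23 format (shaped like the
# thread's log, but not the log itself).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\User\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\x.dll xccd16
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Themes (Themes) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
"""

# Line shapes: "O4 - <hive>\..\<key>: [<name>] <command>" and
# "O23 - Service: <display> - <owner> - <path>".
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)  # first .exe path in a command


def triage(log_text):
    """Return (kind, name, path, reason) tuples for entries worth a closer look.
    Heuristics only (assumed, not HijackThis logic): a hit is a lead, not a verdict."""
    findings = []
    seen_in = defaultdict(set)  # exe path -> set of "hive\key" values registering it
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.search(m["cmd"])
            path = exe.group(0).lower() if exe else m["cmd"].lower()
            seen_in[path].add(m["hive"] + "\\" + m["key"])
            if "\\documents and settings\\" in path:
                findings.append(("O4", m["name"], path, "autostart from a user profile"))
            elif "\\inf\\" in path:
                findings.append(("O4", m["name"], path, "executable under the INF (driver) folder"))
            continue
        m = O23_RE.match(line)
        if m and m["owner"].lower() == "unknown owner":
            findings.append(("O23", m["display"], m["path"].lower(), "service with no file vendor information"))
    # The same binary registered from several Run keys/hives is itself a signal.
    for path, keys in seen_in.items():
        if len(keys) >= 2:
            findings.append(("O4", path.rsplit("\\", 1)[-1], path, "registered in %d Run keys" % len(keys)))
    return findings
```

Running `triage(SAMPLE_LOG)` reports the user-profile reader_s entry, the rundll33.exe entry under inf, the afisicx service, and services.exe as registered in 3 Run keys, while the Intel graphics entry and the Microsoft-owned service are not flagged.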

#2 CameronJPU
  • Topic Starter

  • Members
  • 7 posts

Posted 19 February 2009 - 10:04 PM

By the way, keep in mind that the HJT log above is from a computer that was reformatted maybe 10 minutes earlier. I had not yet installed anything except Firefox. The install was done with an SP2 version of Windows, so the firewall was enabled (not to mention the computer is connected to a router with firewall).

#3 CameronJPU
  • Topic Starter

  • Members
  • 7 posts

Posted 20 February 2009 - 06:18 PM

Ah! So I figured it out - after each format I was reinstalling drivers onto the computer using a flash drive, and the source of those drivers was the original PC. I read another post on this site which explained that this spyware (which I guess is more of a virus) infected other files, which could then reinfect another computer. So that's how the computer was being reinfected. This time, I've done it clean, and the computer remains fine. Whew! Topic closed!

By the way, if you're dealing with this spyware/virus, don't bother trying to clean it. I've been at this for years, and in all my days I've never seen one that's so resistant to cleaning. Just reformat your computer. Not sure what to tell you about backing up your data - thankfully this computer didn't have any important data so I didn't have to deal with that.

Edited by CameronJPU, 20 February 2009 - 10:56 PM.


#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 February 2009 - 04:51 AM

Hi,

after each format I was reinstalling drivers onto the computer using a flash drive, and the source of those drivers was the original PC. I read another post on this site which explained that this spyware (which I guess is more of a virus) infected other files, which could then reinfect another computer. So that's how the computer was being reinfected. This time, I've done it clean, and the computer remains fine. Whew! Topic closed!

Yes, that makes perfect sense.
And you're absolutely right about the format and reinstall. It's really a waste of time if you try to clean this up manually. Mainly because infected files should be disinfected and since this is a buggy virus, scanners cannot properly disinfect.
I've blogged about this infection a couple of days ago:
Virut and other File infectors - Throwing in the Towel?

I really hope that people who are dealing with this one also make the right decision and format and reinstall asap instead of trying to clean it, because every minute that the infected computer is online is a minute too long since it's also responsible for infecting more computers in the meantime.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 24 February 2009 - 08:41 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.