Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Obviously a virus/worm, but what?

  • Please log in to reply
1 reply to this topic

#1 CESDewar


  • Members
  • 1 posts
  • Local time:07:20 AM

Posted 16 April 2009 - 03:47 PM

I have been working on this now for 2 days. One of my websites got hacked (1 line of JavaScript added to all html pages). How, it's not clear, but they obviously had the log-in password. A few days prior to this I had noticed that my batch files weren't working - just returned to windows, File Explorer would blink. On finding no references in google and finding suspicious google results, such as pages coming up blank and an odd message about an improperly formatted search, I stumbled onto this website on my wife's computer which COULD see all the pages. There were a few people reporting somewhat similar symptoms. Sure enough CMD.EXE would not run, but the suggestion to rename to CMD2.exe was not successful either (nor was cmd3.exe). It was only an hour later that it occurred to me to rename it to TWIDDLE.EXE and sure enough that DID run(!). Well at this point, I figure it had to be a virus/worm and one that had already been updated to conveniently fail if cmd was renamed as suggested in the post - indicative perhaps that the author was reading this or other similar forums with suggestions like that? I assumed my website got hacked from the infection on my machine although my other website was untouched and if they had been stealing passwords, there was no evidence of them using any of them elsewhere. I had another known clean laptop - installed all latest versions of ZoneAlarm and AVG8.5, SpyBot. Everything seemed ok for a day, checked at last moment that cmd.exe was still ok to run, then left Acronis True Image running overnight to save an image. In the morning, I found a blank windows screen (as if just about to put up log-in screen) frozen - power-restart and windows reported it had installed an update. System was now infected - cmd.exe did it's new thing of returning with File Explorer crashing and rebooting. Obviously my new system had now been infected somehow.

I have run at least six anti-spyware/anti-virus programs including the very latest V-1.36 of MalwareBytes - couldn't do update online, but dl'd the rules separately and moved them over. Totally clean - no indication of a problem. No windows restore points worked. Ran test for Conficker and several other contemporary issues.

No antivirus/spyware program can download updates on-line - another clear indication of infection. I don't know what else to try and it's alarming that my second laptop got infected without my knowing how it occurred. The Windows Update said "software Distribution Service 3.0" - and I've seen comments about that being a problem, but as near as I can tell, this WAS a legitimate update, although at this point, I no longer know what is real any more :thumbsup:

I'm not sure many users would even know they were infected with this thing, as about the only symptom I've seen is the inability to run batch files, get to the registry and connect to certain web pages with anti-virus/spyware updates/information.

I'm rebuilding my second laptop from scratch with TrueImage and this time will prevent any Windows Update (since it's suspicious that was the ONLY thing I did after saving the image - although the laptop was connected to the internet and maybe just got hit by virtue of that?

Anyway, I've run AVG8.5, spybot, Malawarebytes, SpyDoctor, SpyHunter - but I'm having difficulty with those programs that want to start out by updating their databases on-line as that never works (update always conveniently 'fails').

I'm just baffled by this one. And I obviously don't want to log into any significant sites (like banking, etc.) until this is purged....

Any thoughts from the gurus on this one?

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:07:20 AM

Posted 16 April 2009 - 06:35 PM

Hello will an Malwarebytes(MBAM ) scan show us anything/
Rerun MBAM

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users