
Worst infection I have ever seen./ Moved

  • Please log in to reply
1 reply to this topic

#1 Lazarus Long

  • Members
  • 35 posts
  • Location:People's Republic of Austin (Tx)
  • Local time:06:27 AM

Posted 19 April 2009 - 12:46 PM

I have to give a nod to the author of this one; none of the old tricks work.

Background: Win XPH SP2, IE7, Avast, Spybot, PC Doctor installed.

Here's what it is doing:

Hijacker & malware run in safe mode with networking!
False positive; routes to a site to buy "malware protection", obviously installing more malware. Cannot navigate to any other sites, thus no online scanning possible. I don't even know what this one is called!

Installs 3 rootkits; randomly generated names keep changing. Rootkit Revealer & Blacklight ID the same.
Regediting CurrentVersion/Run fails: once you click out of the key, the .dlls return. Other keys return on reboot.
HJT runs, but removal fails to remove the .dlls.
rundll.exe fails to shut off when shutting the system down.
System Restore points are missing.
I replaced the Hosts file manually, blocked the site the malware was redirecting to, and locked the file; the malware replaced it with its own hosts file - in safe mode!
Rewrote win.ini to delete the malware .dlls on reboot; the malware changed the names again.

I am very close to formatting the drive, but wanted to get the Forum's opinion first.

Ideas, anyone?

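The poster describes the rogue-AV hijack replacing the hosts file so that security vendor sites resolve to the attacker's server, and notes that his own block entries (a domain mapped to 127.0.0.1) were overwritten. The script below is an added example, not something from the original post or from any BleepingComputer tool: it parses a Windows-style hosts file and separates harmless block/localhost entries from redirects, flagging any non-loopback mapping and calling out the ones that hit security-related domains. The watched domain list, the hostnames, and the sample hosts content are all assumptions constructed for the illustration (the 203.0.113.x and 192.0.2.x addresses are documentation ranges standing in for a real rogue server).

```python
"""Added example: audit a hosts file for the redirect hijack described above.
Not code from the original post; all domain lists and the sample file below are
constructed assumptions for illustration."""
import ipaddress

# Targets that make a hosts entry a local or block entry rather than a redirect.
LOCAL_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# Domains a rogue-AV infection commonly poisons so the victim cannot reach vendors
# or online scanners. Assumption: chosen to match the tools named in the post
# (Avast, Spybot) plus a few generic ones; extend for your own environment.
WATCHED_SUFFIXES = (
    "avast.com",
    "safer-networking.org",   # Spybot Search & Destroy
    "bleepingcomputer.com",
    "microsoft.com",
    "google.com",
)


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for each mapping in hosts-file syntax.

    Comments (# ...) and blank lines are skipped. Lines that do not parse as
    '<ip> <name> [<name> ...]' are yielded as (lineno, None, raw_line) so the
    caller can report them instead of silently dropping them."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            yield lineno, None, raw.strip()
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            yield lineno, None, raw.strip()
            continue
        for name in names:
            yield lineno, ip, name.lower()


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return findings as dicts with keys line, ip, host, reason.

    reason is one of:
      'watched-domain-redirect' - a security-related domain points somewhere
                                  other than loopback (the hijack in the post)
      'non-local-mapping'       - any other non-loopback mapping, for review
      'malformed'               - line could not be parsed"""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if ip is None:
            findings.append({"line": lineno, "ip": None, "host": host, "reason": "malformed"})
            continue
        if ip in LOCAL_TARGETS:
            # '127.0.0.1 badsite' is a block entry (what the poster added), not a redirect.
            continue
        reason = "watched-domain-redirect" if is_watched(host) else "non-local-mapping"
        findings.append({"line": lineno, "ip": ip, "host": host, "reason": reason})
    return findings


# Constructed sample, not a real capture. A clean XP hosts file maps only localhost.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       rogue-av-store.example     # block entry the user added
203.0.113.45    www.avast.com              # TEST-NET address standing in for the rogue server
203.0.113.45    www.safer-networking.org
203.0.113.45    www.google.com
192.0.2.10      intranet.corp.example      # legitimate non-local mapping, reported for review
not-an-ip       www.microsoft.com
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2}: {f['reason']:<24} {f['host']} -> {f['ip']}")
```

On a live XP box the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts`; read it from a clean boot environment (or a mounted image), since the post notes the malware rewrites it even in safe mode, so anything the infected OS shows you may already have been swapped back.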


#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,046 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:27 AM

Posted 19 April 2009 - 01:20 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

PLEASE DO NOT POST LOGS NOW unless a log is specifically requested.

I know you've done some of this, but describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results. Also tell us the kinds of sites you are being redirected to.

If needed, we will direct you to our HJT Preparation Guide.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.

