
Reformat, Clean Instal, SP3 Immediately, IE8 Crash Randomly


2 replies to this topic

#1 Psykostx

  • Members
  • 9 posts
  • Location:NY, USA

Posted 22 July 2009 - 05:13 PM

I was infected with what appeared to be a Redlof.A variant. I was chatting on a forum discussing digital audio, when I got a PM from someone who sent me all kinds of information on the binary format of a PCM wav file. Sure enough, the second I accepted the PM (I always yell at my Mom for this) my secondary Hard Disk unmounted itself and then remounted with a little surprise on it... a desktop.ini folder and a folder.htt folder hidden in the root of the drive, unclearable and linked to a network drive. Also a myspace window popped up with the title "WORM Audio." PCTools removed hidden files inside the folders but couldn't remove the folders themselves. However, my modem light would still blink occasionally for no reason (really quite often, every minute or so) and on startup and shutdown. Being that this is not normal (I use WEP encryption on my wireless, so no freeloaders), I then used UBCD4WIN to backup and reformat. Then I reinstalled XP using a full reformat of my system disk. Now whenever I startup Windows my modem light flashes once (not normal) and then when I restart the computer hangs for a second and the modem light goes crazy (I can only assume I am botted). I did get all Windows updates, SP3 first, before touching anything else on my system. I have found a whole bunch of info about BIOS resident malware which can escape a reformat...and even realized that this thing could be living on my GPU BIOS, or my AC'97 chip...or even my now unsupported by the manufacturer SiS661FX chipset...whose driver is in the beta version, and so is the RAID controller.
Besides my modem light, the only indication of something wrong at this point is a random "Internet Explorer has encountered a problem and needs to close.." Dr.Watson error. Without crashing, IE8 reloads the tab with no error. I thought this was random and just a bug in IE8, then I realized...IT ONLY HAPPENS WHEN I VISIT A PAGE ABOUT BIOS MALWARE OR BIOS FLASHING! Obviously the guy who PM'd me this hack is a VERY experienced hacker (he has almost infinite knowledge of the VST and WAV, and streaming and performing algorithms on audio.) He claimed he couldn't program...should have been a red flag!!!!
Anyways, it appears the Redlof.A variant was just a decoy for some new horrible Chernobyl style virus from a disgruntled assembly programmer, or VST hacker.... anyways...I know exactly who loaded the thing on and when, and I suspect he is someone on the top of the music industry's most wanted list...
After you help me fix my computer, how do I turn that forum account over to authorities so they can coax another attack out of this bastard?!

Thanks,
Jon

PS: The only thing installed on my machine is windows!

Edited by Psykostx, 22 July 2009 - 05:15 PM.



#2 Psykostx

  • Topic Starter

  • Members
  • 9 posts
  • Location:NY, USA

Posted 22 July 2009 - 05:31 PM

Also, when I run malwarebytes to scan, my modem light will blink while it's scanning! In fact it blinks every time I run an .exe, whether it is internet related or not! This really is not normal! I am not paranoid, I know my computer intimately, and it is not behaving like a fresh install should, and I did this twice. I know I am infected, maybe I should repost with a better title lol...

#3 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 23 July 2009 - 09:47 PM

Hi and welcome to BC :thumbsup:

Let's update malwarebytes and retry a scan with your computer disconnected from the router. Please update first.

Then use this procedure to scan.

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

This is looking at your computer's software - We will deal with that. I would also advise changing your router's password and all online passwords you may have - the latter from a known clean computer. Thanks!

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
