Need serious help, ASAP.

1 reply to this topic

#1 jlrx

jlrx

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:56 PM

Posted 29 September 2009 - 08:48 AM

It pains me to have to ask for help, but I know it's going to be the best route.

(Windows XP Pro)

I came down with a combination of urdvxc.exe and irdvxc.exe that I first noticed as my virus software kept blocking those files from being copied to my C:\ drive directly.

I suspected something was wrong, but did not realize it for at least a week after it started. After being unable to find anything with Malware Bytes or my Bitdefender TS 2009 I decided to try the 2010 version, and also scanned the hard drive from a different install of XP. Nothing much was found off the bat, but I then discovered that my system restore was on (I originally had it turned off) even though it claimed it was off. I went into the registry and disabled it via its start value (I am an advanced user and a Sys Admin). Once I disabled the system restore, I was able to go back into the different install of XP and delete the system restore folders after I had taken ownership of them. Having done that I uninstalled SP3 and reinstalled it. I then found I had trouble with my registry permissions and ran a Microsoft tool that reset the default permissions on the registry. At that point I had broken the back of the urdvxc.exe infection and suddenly my BD TS 2010 found in total 1700 infected files, all with the common 8 characters and file size, only different names. Surprisingly no html files were found to be infected (I had a few backups from my company's website on C:\ and I looked at the code and saw no sign of them).

That being done, Network Windows Service was found (previously the Extended tab in my services.msc was not showing, it now was) and I manually unregistered it and checked that it was also gone from the registry. I then ran a test and disabled my firewall and sure enough, I did not see urdvxc.exe attempt to copy, however I did see irdvxc.exe attempt to copy to my C:\ drive. The simple solution would just be to disable NetBIOS over TCP/IP but I am unable to do this as it is a required feature at this time (Network spanning 95, 98, NT 4 WS / Serv, 2000 and XP, Server 2000 and 2003). I scanned repeatedly with other tools and could not find anything to do with irdvxc.exe.

Now I decided to try and figure out where irdvxc.exe was coming from and downloaded Wireshark, disabled my firewall overnight and waited. In the wee hours BD TS 2010 blocked irdvxc.exe and I turned my firewall on and saw I was being connected to by a remote computer with an IP ending in t-dialin.net. It was coming into port 139 I believe. The speed at which it connected and sent commands leads me to believe it is/was just another infected machine, but I can't be sure. I then blocked all connections from the outside world to ports 137-139.

Blocking the problem is not solving it, and whatever I find or don't find, I know my computer must still be open from the infection, I just can't see how or from where. I have all the tools, so if someone has some experience with this, just ask me to post what you need me to post; if you have experience interpreting packet info from Wireshark, I'll try and copy some of that suspicious connection on over. So what's first? HijackThis log? I'll wait till I get an answer to post anything else.

Thank you.

(PS: I am not looking to do a reinstall, I am more interested in figuring out what's going on than anything else)

++ADDED++

I forgot to add this: I found that I could not access my Alerter service from the services.msc window; though it was running, it simply said Alerter, no description, and Access Denied 0x5. I removed it from the registry (after exporting it) as the registry told me it was on and working (as well as sc query did).

Edited by jlrx, 29 September 2009 - 09:14 AM.
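The post above describes a detection that worked in practice: once the main dropper was broken, the remaining 1700 copies stood out because they shared a file size and differed only in name. The script below is an added example, not code from the poster or from any of the tools mentioned; it reads the post's "common 8 characters and file size" as "same byte size and same name length", which is an assumption. The file inventory it runs on is constructed for the example (only urdvxc.exe and irdvxc.exe are names from the post; all sizes and other paths are made up), and `walk_volume` is provided so the same check can be pointed at a real drive.

```python
import os
from collections import defaultdict

# Constructed inventory of (path, size in bytes) pairs standing in for a walk of
# an XP system drive. Paths and sizes are made up for this example; the only
# names taken from the post are urdvxc.exe and irdvxc.exe.
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\kernel32.dll", 989696),
    (r"C:\WINDOWS\system32\urdvxc.exe", 40960),
    (r"C:\WINDOWS\system32\irdvxc.exe", 40960),
    (r"C:\WINDOWS\Temp\qwerty.exe", 40960),
    (r"C:\Documents and Settings\All Users\abcdef.exe", 40960),
    (r"C:\Program Files\Tool\setup.exe", 40960),  # same size, different name length
    (r"C:\WINDOWS\notepad.exe", 69120),
    (r"C:\WINDOWS\system32\calc.exe", 114688),
]


def basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def cluster_key(path, size):
    """Group key: exact byte size plus length of the name without extension,
    so that 'urdvxc.exe' and 'irdvxc.exe' land together and 'setup.exe' does
    not. Returns None for anything that is not an .exe."""
    name = basename(path).lower()
    if not name.endswith(".exe"):
        return None
    return (size, len(name[:-4]))


def find_sibling_clusters(files, min_cluster=3):
    """Return {(size, stem_length): sorted paths} for every group of at least
    min_cluster .exe files sharing the same size and name length. A single
    legitimate file that happens to match the size is not reported on its own,
    so the threshold is what keeps the false-positive rate down."""
    groups = defaultdict(list)
    for path, size in files:
        key = cluster_key(path, size)
        if key is not None:
            groups[key].append(path)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_cluster}


def walk_volume(root):
    """Build the (path, size) inventory from a real directory tree. Files that
    vanish or cannot be stat'ed mid-walk are skipped rather than aborting."""
    inventory = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                inventory.append((full, os.path.getsize(full)))
            except OSError:
                continue
    return inventory


if __name__ == "__main__":
    # Replace SAMPLE_FILES with walk_volume(r"C:\") to run against a live drive.
    for (size, stem_len), paths in find_sibling_clusters(SAMPLE_FILES).items():
        print(f"{len(paths)} .exe files of {size} bytes with {stem_len}-char names:")
        for p in paths:
            print("   ", p)
```

The cluster view is a triage aid, not a verdict: hash the members of each reported cluster and compare them against known-good copies before deleting anything, since a packaged application can legitimately ship several same-sized executables.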


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:07:56 PM

Posted 29 September 2009 - 10:38 AM

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

There will also be instructions to create a RootRepeal log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take awhile to get to your post.
Please be patient and good luck.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits