(Windows XP Pro)
I came down with a combination of urdvxc.exe and irdvxc.exe that I first noticed as my virus software kept blocking those files from being copied to my C:\ drive directly.
I suspected something was wrong, but did not realize it for at least a week after it started. After being unable to find anything with Malwarebytes or my Bitdefender TS 2009 I decided to try the 2010 version, and also scanned the hard drive from a different install of XP. Nothing much was found off the bat, but I then discovered that my system restore was on (I originally had it turned off) even though it claimed it was off. I went into the registry and disabled it via its start value (I am an advanced user and a Sys Admin). Once I disabled the system restore, I was able to go back into the different install of XP and delete the system restore folders after I had taken ownership of them. Having done that, I uninstalled SP3 and reinstalled it. I then found I had trouble with my registry permissions and ran a Microsoft tool that reset the default permissions on the registry. At that point I had broken the back of the urdvxc.exe infection, and suddenly my BD TS 2010 found a total of 1700 infected files, all sharing the same 8 characters and file size, only with different names. Surprisingly, no html files were found to be infected (I had a few backups from my company's website on C:\ and I looked at the code and saw no sign of them).
That being done, Network Windows Service was found (previously the Extended tab in my services.msc was not showing; it now was) and I manually unregistered it and checked that it was also gone from the registry. I then ran a test and disabled my firewall, and sure enough, I did not see urdvxc.exe attempt to copy; however, I did see irdvxc.exe attempt to copy to my C:\ drive. The simple solution would just be to disable NetBIOS over TCP/IP, but I am unable to do this as it is a required feature at this time (network spanning 95, 98, NT 4 WS / Serv, 2000 and XP, Server 2000 and 2003). I scanned repeatedly with other tools and could not find anything to do with irdvxc.exe.
Now I decided to try and figure out where irdvxc.exe was coming from, and downloaded Wireshark, disabled my firewall overnight and waited. In the wee hours BD TS 2010 blocked irdvxc.exe, and I turned my firewall on and saw I was being connected to by a remote computer with an IP ending in t-dialin.net. It was coming into port 139, I believe. The speed at which it connected and sent commands leads me to believe it is/was just another infected machine, but I can't be sure. I then blocked all connections from the outside world to ports 137-139.
Blocking the problem is not solving it, and whatever I find or don't find, I know my computer must still be open from the infection; I just can't see how or from where. I have all the tools, so if someone has some experience with this, just ask me to post what you need me to post. If you have experience interpreting packet info from Wireshark, I'll try and copy some of that suspicious connection on over. So what's first? HijackThis log? I'll wait till I get an answer to post anything else.
(PS: I am not looking to do a reinstall; I am more interested in figuring out what's going on than anything else.)
I forgot to add this: I found that I could not access my Alerter service from the services.msc window. Though it was running, it simply said Alerter, no description, and Access Denied 0x5. I removed it from the registry (after exporting it), as the registry told me it was on and working (as did sc query).
Edited by jlrx, 29 September 2009 - 09:14 AM.
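Added example (not part of the original post, and not code from the poster): a small Python script that does by machine what the overnight Wireshark capture above was read for by hand, picking out inbound TCP connection attempts (SYN without ACK) to the NetBIOS/SMB ports 137, 138, 139 and 445 from addresses outside the LAN, and counting them per remote host. The one-line packet summary format it parses is an assumption modelled loosely on a Wireshark/tshark packet-list export, the "inside" address ranges are assumed to be RFC 1918 plus loopback, and the sample capture lines are constructed using documentation addresses (203.0.113.x, 198.51.100.x), not the real t-dialin.net host.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Ports the thread is concerned with: NetBIOS name (137), datagram (138) and
# session (139) service, plus 445 (direct-hosted SMB on the same stack).
NETBIOS_PORTS = {137, 138, 139, 445}

# Address ranges treated as "inside" the LAN. Assumption: RFC 1918 + loopback;
# adjust to the real network's ranges.
INSIDE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Assumed one-line summary shape:
#   <frame> <time> <src> -> <dst> <proto> <sport> > <dport> [<flags>] ...
# Lines that do not fit (e.g. NBSS/UDP payload summaries) are ignored.
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>\S+)\s+(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s*(?P<flags>\[[^\]]*\])?"
)

# Constructed sample capture: one outside host opening two sessions to 139,
# a second outside host probing 445, plus LAN-internal and unrelated traffic.
SAMPLE_LINES = """\
  1 0.000000 203.0.113.45 -> 192.168.1.10 TCP 3412 > 139 [SYN] Seq=0 Win=65535
  2 0.000120 192.168.1.10 -> 203.0.113.45 TCP 139 > 3412 [SYN, ACK] Seq=0 Ack=1
  3 0.000400 203.0.113.45 -> 192.168.1.10 TCP 3412 > 139 [ACK] Seq=1 Ack=1
  4 0.001000 203.0.113.45 -> 192.168.1.10 NBSS Session request, to *SMBSERVER<20>
  5 2.500000 192.168.1.20 -> 192.168.1.10 TCP 1045 > 139 [SYN] Seq=0
  6 3.100000 203.0.113.45 -> 192.168.1.10 TCP 3420 > 139 [SYN] Seq=0
  7 4.000000 198.51.100.7 -> 192.168.1.10 TCP 2200 > 445 [SYN] Seq=0
  8 4.200000 203.0.113.99 -> 192.168.1.10 TCP 5000 > 80 [SYN] Seq=0
  9 5.000000 192.168.1.20 -> 192.168.1.255 UDP 137 > 137 Name query NB WORKGROUP<1b>
""".splitlines()


def is_inside(ip):
    """True if the address falls in one of the configured LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETS)


def parse_line(line):
    """Parse one summary line into a dict, or None if it is not a TCP/UDP port line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["frame"] = int(d["frame"])
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    d["flags"] = d["flags"] or ""
    return d


def find_inbound_netbios(lines):
    """Return {src_ip: {dport: count}} for TCP SYNs (no ACK) sent from outside
    hosts to inside hosts on the NetBIOS/SMB ports. SYN-ACK replies, mid-stream
    ACKs, LAN-internal traffic and other ports are ignored."""
    hits = defaultdict(Counter)
    for line in lines:
        p = parse_line(line)
        if p is None or p["proto"] != "TCP" or p["dport"] not in NETBIOS_PORTS:
            continue
        if "SYN" not in p["flags"] or "ACK" in p["flags"]:
            continue
        if is_inside(p["src"]) or not is_inside(p["dst"]):
            continue
        hits[p["src"]][p["dport"]] += 1
    return {src: dict(c) for src, c in hits.items()}


def report(hits):
    """Render the hit table as sorted, human-readable lines."""
    out = []
    for src in sorted(hits):
        for port in sorted(hits[src]):
            out.append(f"{src} -> port {port}: {hits[src][port]} SYN(s)")
    return out


if __name__ == "__main__":
    for line in report(find_inbound_netbios(SAMPLE_LINES)):
        print(line)
```

Feed it a real export instead of SAMPLE_LINES (after adjusting LINE_RE to the actual column layout) and the per-source counts show which outside host keeps knocking on 139, which is the information needed to decide whether it is a single scanning box or many infected peers.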