Posted 05 December 2009 - 10:36 PM
I have above-average experience with malware, viruses, etc. What is now on all of my machines, however, is far beyond me...I hope there is a growing pool of knowledge here, because I frankly have no idea at this point.
Without writing a novel: I have spent the past 1.5 months attempting to fix a malware issue. I noticed my machine running rundll persistently, and more svchosts than required, for some time, but after successfully removing rundll (this was the malware with the two .cp files in the program files directory), it came back, and I let it go. It returned shortly thereafter, and so I simply installed AVG and left it at that.
This was probably not wise, although it is only a guess...shortly thereafter, I started getting the persistent "upgrade to internet explorer 8" popups that I simply couldn't find the source file for. As I began digging around this, I found that certain folders were becoming inaccessible, and groups such as administrators (with the s), trusted installer, anonymous logins, etc. were assuming control over most system files. When I would remove them, they would come back, and I would be locked out of even more files, and various odd system characteristics started manifesting. There were so many odd occurrences, I really can't remember all, but Microsoft Paint, for example, would have a very small, vertical strip in the upper left; I think it was designed to blend in to most images. Also, I found a key logger, and stumbled upon a cache of my videos (some adult, but all completely legal if you are wondering) compressed and stored pretty deep down in the directory structure. Finally, it got so that I couldn't access almost any of my folders, and I was stuck in a cycle of killing processes, retaking ownership of directories, removing groups, etc. Not to freak anyone out, but at one point, the text of a file that I was reading in notepad (may have been wordpad) began moving horizontally, in a chaotic fashion...This was when I really started becoming unnerved, enough so that I simply decided to forget about it, reformat, reload, and move on...OH...Also, a TON of programs were being prefetched, including notepad, wordpad, and like 20 others.
Then it got really strange. I found that my machine wouldn't load any windows installation disks. Rather, it would report that there was no disk in the drive. Then, I tried other loading mechanisms (i.e. external drives, network locations). Not happening. When I was finally able to load an operating system, it was a cracked version, and while I was able to replace the OS, I found that the same exact behaviors persisted after the reinstall.
At this point, I had no choice but to do what it took to wrestle this issue out of my machine, and so I got Process Explorer, and started attempting to diagnose the cause in the absence of easy fixes. Since that time, I have burned through 5 hard drives (4 of which are still inaccessible), and have logged a huge array of symptoms and suspicious files. I do know that after using ComboFix with great results initially, the file now arrives at my machine larger than when it was sent. Also, the System, Services, and other windows processes come back as "unable to verify" in Process Explorer, and the threads they create and execute are very bad, to my untrained eye. The computer barely functions, and even having purchased a brand new copy of Windows 7, the cavalcade of bad behavior persists. I suspect heavily that the W7 system disk was corrupted at this point, although I am not sure, and don't know exactly how to find out.
During all of this, btw, the machine came back as absolutely clean according to AVG, Avast, Windows Defender, and a few other anti-malware/spyware/virus programs. It still does. I am currently able to use the internet, and am hoping to be able to keep this machine alive and working and be able to use it to get data from previous hard drives, and hopefully rehabilitate them.
HijackThis spewed out a ton of bad items when I installed it last week. Today, however, it reports a mere two items that are pretty innocuous. This brings me to my major question: Is there malware out there capable of emulating software packages such as RealPlayer, HijackThis, AVG, etc.?? I thought not, but I have to wonder based on the system behavior I am noticing. Please tell me what you would like to see in terms of reports, files, etc., and I will hopefully be able to accommodate...
What I am hoping to get from this group: I would love to get a simple, "ComboFix" type of solution that squashes it once and for all. Or even a tried and true manual method would be great.
At the minimum, I would be very happy to know how to get my CD drives working in a brute-force method if necessary, and reformat the hard drive without any space being reserved by the system. That would solve all of my problems, but I would like to see if this intrusion is widespread, and if not, how I can trace its origins.
Thanks in advance.
Edit: Moved topic from XP to the more appropriate forum. ~ Animal
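The poster asks whether a tool such as ComboFix or HijackThis can arrive altered (the ComboFix file "arrives larger than when it was sent") and notes that Process Explorer reports core processes as "unable to verify". Both observations come down to the same check: does the file on disk still match what the vendor published, and does its Authenticode signature still validate? The script below is an added example written for this page, not code from the original post, from the forum, or from any of the tools named; it assumes a file path and an expected SHA-256 that you copy from the vendor's download page on a machine you trust (the placeholder hash in the usage lines is not a real published value). It deliberately avoids Get-FileHash, which did not exist before PowerShell 4.0, so it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not part of the original post.
# Verifies a downloaded tool two ways:
#   1. SHA-256 of the file on disk vs. the hash published by the vendor
#      (you supply that hash; it is an assumption of this example, not
#      a value taken from the page).
#   2. Authenticode signature status, which is the same check Process
#      Explorer performs when its "Verify" column says "Unable to verify".

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    # BitConverter yields "AB-CD-..."; strip dashes to match vendor listings.
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

function Test-DownloadedTool {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedSha256
    )
    $result = New-Object PSObject -Property @{
        Path          = $Path
        SizeBytes     = (Get-Item -LiteralPath $Path).Length
        Sha256        = Get-Sha256Hex -Path $Path
        HashMatches   = $false
        SignerStatus  = 'NotChecked'
        SignerSubject = $null
    }
    $result.HashMatches = ($result.Sha256 -eq $ExpectedSha256.ToLowerInvariant())

    # Valid        = signed by a chain ending in a trusted root, unmodified since signing.
    # NotSigned    = normal for some free tools; the hash check is all you have then.
    # HashMismatch = the file was changed after it was signed.
    # NotTrusted   = chain does not reach a trusted root; either a forged signer
    #                or a tampered certificate store on this machine.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignerStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) {
        $result.SignerSubject = $sig.SignerCertificate.Subject
    }
    return $result
}

# Usage (paths and hash are placeholders; take the real hash from the
# vendor's page, read on a machine you trust):
# $check = Test-DownloadedTool -Path 'C:\Downloads\ComboFix.exe' -ExpectedSha256 '<hash from vendor page>'
# $check | Format-List
# if (-not $check.HashMatches) { Write-Warning 'File on disk differs from what the vendor published.' }
```

A size difference, as the poster noticed, is a legitimate red flag, but only the hash settles it. Two caveats matter in exactly the situation described: the comparison hash must come from somewhere other than the suspect machine, and a kernel-mode rootkit that filters file reads can hand this script (and Process Explorer) a clean copy of the file while the one that actually runs is different. If the hashes disagree across a freshly formatted drive and a retail install disc, the remaining places to look are outside the file system: firmware, the disc itself, or the network path the download travels.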