
The most difficult spyware I've ever encountered.


  • This topic is locked
1 reply to this topic

#1 falconaaa

Posted 05 December 2009 - 10:36 PM

I have above average experience with malware, viruses, etc. What is now on all of my machines, however, is far beyond me...I hope there is a growing pool of knowledge here, because I frankly have no idea at this point.


Without writing a novel: I have spent the past 1.5 months attempting to fix a malware issue. I noticed my machine running rundll persistently, and more svchosts than required for some time, but after successfully removing rundll (this was the malware with the two .cp files in the program files directory), it came back, and I let it go. It returned, shortly thereafter, and so I simply installed AVG, and left it at that.

This was probably not wise, although it is only a guess...shortly thereafter, I started getting the persistent "upgrade to internet explorer 8" popups that I simply couldn't find the source file for. As I began digging around this, I found that certain folders were becoming inaccessible, and groups such as administrators (with the s), trusted installer, anonymous logins, etc. were assuming control over most system files. When I would remove them, they would come back, and I would be locked out of even more files, and various odd system characteristics started manifesting. There were so many odd occurrences, I really can't remember all, but Microsoft Paint, for example, would have a very small, vertical strip in the upper left, I think it was designed to blend in to most images. Also, I found a key logger, and stumbled upon a cache of my videos (some adult, but all completely legal if you are wondering) compressed and stored pretty deep down in the directory structure. Finally, it got so that I couldn't access almost any of my folders, and I was stuck in a cycle of killing processes, retaking ownership of directories, removing groups, etc. Not to freak anyone out, but at one point, the text of a file that I was reading in notepad (may have been wordpad) began moving horizontally, in a chaotic fashion...This was when I really started becoming unnerved, enough so that I simply decided to forget about it, reformat, reload, and move on...OH...Also, a TON of programs were being prefetched including notepad, wordpad, and like 20 others.

Then it got really strange. I found that my machine wouldn't load any windows installation disks. Rather, it would report that there was no disk in the drive. Then, I tried other loading mechanisms (i.e. external drives, network locations). Not happening. When I was able to load an operating system finally, it was a cracked version, and while I was able to replace the OS, I found that the same exact behaviors persisted after the reinstall.

At this point, I had no choice but to do what it took to wrestle this issue out of my machine, and so I got process explorer, and started attempting to diagnose the cause in the absence of easy fixes. Since that time, I have burned through 5 hard drives (4 of which are still inaccessible), and have logged a huge array of symptoms and suspicious files. I do know that after using combofix with great results initially, the file now arrives at my machine larger than when it was sent. Also, the System, Services, and other windows processes come back as "unable to verify" in process explorer, and the threads they create and execute are very bad, to my untrained eye. The computer barely functions, and even having purchased a brand new copy of windows 7, the cavalcade of bad behavior persists. I suspect heavily that the W7 system disk was corrupted at this point, although I am not sure, and don't know exactly how to find out.

During all of this, btw, the machine came back as absolutely clean according to AVG, AVAST, Windows Defender, and a few other anti malware/spyware/virus programs. It still does. I am currently able to use the internet, and am hoping to be able to keep this machine alive and working and be able to use it to get data from previous hard drives, and hopefully rehabilitate them.

HijackThis spewed out a ton of bad items when I installed it last week. Today, however, it reports a mere two items that are pretty innocuous. This brings me to my major question: Is there malware out there capable of emulating software packages such as Real Player, Hijack This!, AVG, etc.?? I thought not, but I have to wonder based on the system behavior I am noticing. Please tell me what you would like to see in terms of reports, files, etc., and I will hopefully be able to accommodate...

What I am hoping to get from this group: I would love to get a simple, "combofix", type of solution that squashes it once and for all. Or even a tried and true manual method would be great.

At the minimum, I would be very happy to know how to get my cd drives working in a brute force method if necessary, and reformat the hard drive without any space being reserved by the system. That would solve all of my problems, but I would like to see if this intrusion is widespread, and if not, how I can trace its origins.



Thanks in advance.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 garmanma

Posted 31 December 2009 - 07:20 PM

Member has posted in the HJT forum
Topic closed
Mark