
Multipartite malware madness!


This topic is locked
5 replies to this topic

#1 Vistuck


  • Members
  • 21 posts
  • OFFLINE

Posted 14 December 2009 - 03:23 PM

First off, just a quick "thank you" for creating and operating this very helpful Web site. I've been trying for some time (about six months) to restore my computer to normal and have tried all the "official channels" (Dell and Microsoft technical support mostly) with no real success.

I have kept fairly detailed notes, but since I'm not very computer-savvy I can't be sure which information is relevant. I'll open this thread by providing:
1) my system specs;
2) a description of the problem;
3) the files that have been found in anti-virus scans; and a few other suspicious files I've personally found;
4) the DDS logs. (I tried to run RootRepeal but received an error saying it does not work on 64-bit Windows.)

1) My PC is a Dell XPS-430 desktop, with an Intel Core2 Quad processor (2.50 GHz), an ATI Radeon HD-3650 graphics card, and 6 GB of RAM. I have both a DVD-RW drive and a Blu-Ray/DVD-RW drive. Currently the Blu-Ray is disconnected because it had been malfunctioning and seemed to be causing some problems with the PC overall. Also, my Graphics card's driver is uninstalled because it, too, was causing serious system instability. The PC came with a built-in smart card reader and Bluetooth device, which is currently disconnected from the mobo. The original HDD is 750 MB, but I currently have that one disconnected and am using an older, 120 GB HDD from my previous, Windows XP system. This is mainly because the larger HDD was taking way too long to scan, seemed to be providing much more room for the malware to hide, and was larger than I really need anyway. I have a Dell OEM Reinstallation DVD for Vista x64 Home Premium Edition SP1, 5-language edition (Eng/Fre/Spa/Ger/Jap). I have gone through the motions of performing a full factory reinstall several times using the DVD, but there is evidence these reinstalls have not worked as they should have. I also have tried to install the usual Windows updates online, but that effort has been pretty fruitless, as well. At the time of infection my anti-virus software was TrendMicro Internet Security, a special Dell OEM version. Currently I have AVG's free anti-virus and MalwareBytes' free product installed, as well. I also have a licensed version of Kaspersky Internet Security 9.0, but it's not currently installed because it appeared to be creating problems rather than fixing them. Details to follow...

2) In a nutshell, something has invaded my PC and is in complete control at all times, from the instant I press the power button until the instant I yank out the power cord in frustration. Somehow the malicious program(s) are functional during what appears to be the pre-boot sequence (which I suspect is merely being mimicked), and the Windows preinstall/recovery environment. Even when I boot from a DOS or Linux boot disc, certain Windows files remain memory-resident, and others remain encrypted and archived, impervious to removal. The encryption appears to be BitLocker, even though my version of Windows (Home Premium) supposedly does not support BitLocker functionality. At one point, Kaspersky had identified three archived files as suspicious and had tried to delete them, but it was unsuccessful. At this point I'm not trying to save any files or prevent doing a full reinstall. I've reinstalled already, several times. But still, within three or four days my PC becomes completely unstable and crashes, locks me out at the login screen or BSODs at startup. A common stop error is "STOP:C0000218 {registry file failure} The registry could not load the hive (file):\systemroot\system32\config\components or its log or altrnative. It is corrupt, absent or not writeable." I could go on forever with specific examples of problems, so I'll switch to 10 or so bulleted examples:
* Windows does not appear to shut down fully at shutdown, even though I have set the power settings to disallow sleep mode and enable full shutdown. It appears to "cut off" part-way through the shutdown process, and the HDD activity light immediately flashes on, almost solid on, as soon as I turn the power back on.
* There are dozens of "legacy drivers" installed, most of which cannot be uninstalled. Some of them are very suspicious, like the 12 "generic shadow volume" drivers that continually reactivate after I disable or uninstall them. After a reboot, they're back in business. Disabling system restore and previous file versions does not fix the problem.
* Both ReadyBoost and Prefetch are active, and I can't seem to disable them. The ReadyBoost thing is the real head-scratcher, because I don't have an external flash drive connected. Doesn't ReadyBoost require an external flash/thumb drive?
* The malware program is capable of caching and modifying programs and files as they are read directly off a DVD in such a manner that Windows cannot distinguish the genuine content from the virus-added content. When I insert a movie DVD in the drive, for instance, my computer becomes locked up for a few minutes as the malware furiously caches the entire disc content to a virtual disc image. All the while, Windows continues to insist the data is being read off the DVD. This never happened before the infection, and no cache settings changes have made a bit of difference since then.
* The malware has complete control over setting permissions and appears able to change settings for even the most critical, core OS files on the fly. I change them to permit my access, and the malware quickly finds a way to shut me back out, usually by removing my SID from the namespaces or policy groups that have access. It is patently obvious that this malware uses Group Policy Editor or something just as powerful, while again my version of Vista supposedly does not allow access to GPE.
* The malware appears to have created a mock "network" entirely within the confines of my PC tower. I am constantly being told by software that I don't have access to certain settings, and to contact my network administrator. Well, my network administrator is me. I'm not on a network at all. My PC is a standalone unit set up as a home PC. This next part might sound a bit "out there," but it would appear this bogus network exists between the 32-bit and 64-bit branches of the Vista file system, perhaps connected via Teredo tunneling. I say this because if I open up a 32-bit and 64-bit GUI simultaneously -- such as C:\Windows\System32\mmc.exe and C:\Windows\SysWOW64\mmc.exe -- and I cut and paste a file from one window to the other, the file transfer process is extremely slow, and the darn network traffic animation starts moving on my network access icon! This happens even if I am disconnected from the Web. My network setting is set to "unidentified network" from the moment I fire up Windows following a DVD reinstall, and I can't seem to change it. When I connect my ethernet port to the cable modem, it changes to "Local and Internet."
* (I'll make this my last example.) Windows recovery/preinstall (PE) is not functioning as it should. Something is running in the background. Many files are protected and cannot be deleted. The Setup.exe GUI also looks strange -- a little washed-out and fuzzy, and it's missing some functionality. For instance it no longer asks me if I would like to install updates as part of the setup process. And I don't hear the DVD spinning at all. That made sense when I was using the OEM-provided HDD, which has a hidden recovery partition on it, but my old 120 GB HDD has no such partition. Also, should the Dell OEM version of Vista even allow me to install it on an old hard drive? I was surprised when it worked.

3) Malicious and suspicious files I've found. In most cases the A/V software either says they are OK, or that it has successfully removed them. But they always come back, even during periods in which I did not connect to the Web or install any software.
Application.Nircmd -- (I found these, a suite of utilities for good or evil, while browsing files from the command prompt in Windows PE. I deleted them, but nothing ever really gets deleted off my HDD. Just relocated, probably.)
Troj_Crypter.A (found once only, by TrendMicro)
Crypt_Xed-10 (also found once, also by TrendMicro)
WMSysPR9.prx (A common "file infector," according to Prevx. This file is ever-present. I delete it all the time.)
Win32.agent.jmh (can't recall which A/V found this one, but I've only seen it once)
Virus.Win32.Sality.aa (also can't recall, also just once)
I've also found a couple of Vundo varieties, which the A/V program said it successfully deleted.
Also strange, a number of trace log files, *.etl, that always seem to be loaded into memory and I can't make go away.
When I put the Dell OEM DVD in the DVD drive, it sometimes shows up in My Computer as: LMRC_FRE_EN_DVD. That's the ID for a free, pre-launch version of Vista that Microsoft released over the Web for evaluation purposes. You can find it available now on some BitTorrent sites. I NEVER downloaded any free copies of Vista or any other OS. The Dell DVD has a completely different ID.
Along those same lines, I also have sometimes found the wrong product key listed in my system information, that being the product key for the free version, and not for my Dell version.
And finally, lots of bizarre "devices" are always showing up in log files, things like LOGONSERVER:\\WIN-Q7GC1XFXG3. Is malware trying to boot my system remotely via PXE? I have PXE boot disabled in my BIOS. Yeah, like that's going to make any difference. It's pretty clear my PC has become a hall of mirrors.

4) See attached logs.

You're probably wondering, how did this dude get so much crap on his PC? I'm not going to sit here and insist I've never used BitTorrent to snatch a copy of Star Wars or an old Nintendo game. I have committed those sins, and now I am paying dearly for them. Never again. Beyond that, I can't think of how this might have happened. I really don't know.

P.S. -- Just a couple of other interesting (but probably not very useful) tidbits. I disconnected the Bluetooth device from my PC because the activity light had been flashing like crazy at boot-up, even though I never enabled Bluetooth or put the device in discovery mode. It was mostly just creeping me out, so I unplugged it. Also, I have a suspicion the malware uses Windows audio files as a means of communication with its remote server. Every so often, my computer's speakers will start hissing and scratching, and then it will suddenly stop. I did find a legacy "analog modem" driver in one of the protected areas of my HDD. Wonder if malware could use audio files to escape A/V scrutiny and then just employ an old analog modem device to read them? The whole process could be done in memory, so there'd be no file to detect on the hard drive. Just a crazy thought...

Attached Files

  • DDS.txt (6.71 KB, 15 downloads)

Edited by Vistuck, 14 December 2009 - 03:53 PM.


#2 suebaby41


    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA

Posted 26 December 2009 - 03:06 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 Vistuck

  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE

Posted 28 December 2009 - 01:19 AM

Suebaby41 - Thank you very much for responding and offering to help me! Unfortunately I cannot get my system to boot into Windows at the moment. This has been a recurring cycle for me - I load the OS from my Dell DVD, and then I usually can start up Windows two or three times before it goes kaput (black screen after the Windows "green status bar" stage of bootup; it never gets to the round, multicolored Windows Vista logo). When I attempt booting into safe mode, it hangs on "crcdisk.sys" or, this last time, "avgrkx64.sys," which I assume is related to the AVG a/v software I had installed. Well, I won't waste your time going further. I realize there's nothing you can do without the log files. Please give me a day or two to attempt a successful boot before you close this thread. I will update within 24 hours if possible. (This reply sent from my cell phone.)

#4 suebaby41


    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA

Posted 28 December 2009 - 11:18 AM

Please post your problems in BleepingComputer's Computer Forum, Windows Vista, where the computer experts may help you. My expertise is dealing with malware and I prefer that you get the help of computer expert(s) in answering your question(s) and/or solving your problem(s). Please include a link to this thread so that the computer experts may see what we have done.

#5 Vistuck

  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE

Posted 30 December 2009 - 06:08 AM

Understood. I will get help with the boot-up issue and then post the logs here as soon as I am able to generate them.

#6 suebaby41


    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA

Posted 31 December 2009 - 04:23 PM

Please post new logs after you get your computer going.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.