My computer stats are:
Microsoft Windows XP Professional
Service Pack 3
Lately (about 1-2 weeks), Firefox 3.5 (my default browser at the time, now 3.6) began acting strange. I would be on websites such as YouTube, or other websites, and in a new tab it would head to a random website, which would redirect about 5 times to either a page asking me to download something, or it would be some kind of spam. I at the time figured it was adware, and scanned my computer with the tools I had (AVG Free and Malwarebytes). AVG found nothing but tracking cookies, and Malwarebytes found nothing.
The problem persisted.
A few times I would be going about my business when all of a sudden a shutdown prompt would come up saying that a WINDOWS/NT (think that's how you spell it) process had ended and that the computer was required to reboot. It gave me a good minute to save what I was doing, and then would shut down. The second time this happened (today), when it rebooted, I was greeted by XP Antivirus 2010. I knew from the start this was an infection of malware, and after opening Task Manager, saw it was running as av.exe. I killed the process, but it would come back when I tried to run Malwarebytes. Using Process Explorer 11.33 (a trusted program that has helped me many times) I found that the program was located at
( C:\Documents and Settings\(onlyuseronpcalsotheadmin)\Local Settings\Application Data\av.exe )
and under command line it said something along the lines of ( "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /START "C:\Documents and Settings\(onlyuseronpcalsotheadmin)\Local Settings\Application Data\av.exe" )
However, when checking the location, it was not there, which to me meant it was hidden, so I checked my settings and I am allowed to see hidden files and folders. I knew now that it must be hiding itself.
Since the onslaught by Antivirus 2010 was continuing, and I couldn't run Malwarebytes, after looking online, I found that there were no files located where all my search results told me to look, which makes me presume that it is a new form of the same program, or an edited form from the attacker. You would think it was all just hidden, but since it's running as av.exe and not AV2010.exe, and that there is no Program Files folder made, nor a link on my desktop, leads me to believe otherwise.
So, the only thing I could think to do is to become more powerful, so I used the trick to get onto the SYSTEM account to see what I could do. That is where I am currently typing this after restoring my ability to run applications and relinking the exe association. I re-enabled my firewall, and ever since this reboot has started, I have seen no sign of AVG except its running processes, which seem to be doing nothing of use. I have installed Malwarebytes on this account, and its scan found nothing. I installed my antivirus of choice (Nod32) and did a scan that came up with the result
Operating Memory - Trojan.Win32/Olmarik (level 9 risk)
It gave me no option on how to remove it, and online results are also not helping, the same as with the antivirus. After using ESET SysInspector, I found one program that I had never seen before running as sttxsp.exe in C:\Windows\temp\
There was also a module being used by explorer.exe in C:\Program Files\WinRAR\Formats called z.fmt. It also came up for running memory the Trojan.Win32/Olmarik infection. It also gave me no way to remove it.
I ran a rootkit detector, and it came up that a few things were hooked, but it just found them and didn't give an option to fix them. I haven't restarted my computer since this, since I've been investigating it since.
My Run\RunOnce\etc is clean of any out of place apps
My Startup folder is completely clean (user and all users)
I forgot to mention, Internet Explorer isn't working, so I'm using Firefox (which I would be anyways).
Also, Nod32 can't collect its two new updates; it gets halfway and then says the update failed.
Windows Live Messenger also will not connect, and when troubleshot says it is port problems, but cannot repair them.
I have both ESET and the Messenger set as exceptions in my firewall, and exceptions are turned on.
So I come to you for help, since I'm not sure where to go from here.
EDIT: Topic moved to a more appropriate forum ~ Elise
Just a few updates: Firefox no longer works on the admin account at all. Websites don't load. Also, when I open pretty much any application that needs to connect to the internet, it reopens av.exe.
Also, strangely enough, AVG crawled out of a hole, per se, and is now back running on my system account.
Edited by Dark_, 26 January 2010 - 10:31 AM.
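As an added, defender-side example (not code from the original thread or from any of the tools named in it): a Python check that flags the two signals the post describes, an executable running from Local Settings\Application Data or Windows\temp, and a process whose image path is not the program named first on its own command line (the shape of an .exe file-association hijack, where the rogue binary is started in place of whatever the user launched). It also checks an exefile open-command value against the Windows XP default `"%1" %*`. The process records and registry value below are constructed to resemble the post, not captured from the system.

```python
import re

# Default HKEY_CLASSES_ROOT\exefile\shell\open\command on Windows XP.
NORMAL_EXE_ASSOCIATION = '"%1" %*'

# User-writable directories that legitimate programs rarely run from.
SUSPICIOUS_DIRS = (
    "\\local settings\\application data\\",
    "\\windows\\temp\\",
)


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def exe_association_hijacked(command_value: str) -> bool:
    """True when the exefile open command does not hand control straight to "%1"."""
    tokens = split_cmdline(command_value)
    return not tokens or tokens[0] != "%1"


def suspicious_launches(processes: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image path, reasons) for each process that matches a signal."""
    findings = []
    for proc in processes:
        image = proc["image"].lower()
        tokens = split_cmdline(proc["cmdline"])
        reasons = []
        if any(d in image for d in SUSPICIOUS_DIRS):
            reasons.append("image runs from a user-writable temp/appdata path")
        if tokens and tokens[0].lower() != image:
            # The process on disk is not the program the command line names:
            # something interposed itself on the launch (association hijack).
            reasons.append(f"image differs from command-line program {tokens[0]!r}")
        if reasons:
            findings.append((proc["image"], reasons))
    return findings


# Constructed records modelled on the Process Explorer output in the post.
USER = r"C:\Documents and Settings\user\Local Settings\Application Data"
SAMPLE_PROCESSES = [
    {"image": rf"{USER}\av.exe",
     "cmdline": rf'"C:\Program Files\Malwarebytes\' Anti-Malware\mbam.exe" /START "{USER}\av.exe"'},
    {"image": r"C:\Windows\temp\sttxsp.exe", "cmdline": r'"C:\Windows\temp\sttxsp.exe"'},
    {"image": r"C:\WINDOWS\explorer.exe", "cmdline": r"C:\WINDOWS\Explorer.EXE"},
]
# Constructed registry value in the hijacked shape (placeholder path, not from the post).
HIJACKED_ASSOCIATION = rf'"{USER}\av.exe" /START "%1" %*'
```

Running `suspicious_launches(SAMPLE_PROCESSES)` flags av.exe on both signals and sttxsp.exe on its location, while explorer.exe is left alone.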