Posted 26 April 2010 - 05:52 PM
First off, thanks for this great site - it has been a wonderful tool and reference for me in the past. I'm now in over my head and need help.
History (what I already did):
I've been beating on this computer for a while now. It was initially unusable due to .exe file handling having been hijacked - fixed that - and the Chrome and Internet Explorer browsers failing to be able to access any sites - Internet Explorer now works.
I installed Firefox with the NoScript add-on and that worked too, though it was eventually attempting to open new tabs to various sites, so I knew something was still in there that I was not seeing. Also, several programs were persistently getting renamed with a space prior to the ".exe" and replaced with a small file with the original name (mbam.exe, CA antivirus, dwtrig20.exe, and others).
ESET online scanner removed "a variant of Kryptik.DTO" and Kryptik.DSA trojans. I rebooted and re-ran ESET, and the PC crashed a few times when I tried to re-run it.
After attempts to use system restore to a previous time failed, the system became unstable - still won't boot into normal mode. I finally got it to boot stable into safe mode, though I don't recall all I did to get it to that point.
Now in safe mode with networking, ESET detected and removed those small files mentioned earlier as "a variant of Win32/TrojanDownloader.Unruy.BN"
But, not out of the woods yet.
Investigation while still in safe mode (using netstat and Wireshark) found that svchost.exe was connecting to many URLs that looked suspicious - I saw many DNS lookups for sites I did not think the computer had any reason to visit on its own (akadns.net, bluseek.com, advertising.com, etc.) and traffic from the svchost.exe process to those addresses. Further investigation using Process Explorer showed that CryptSvc, Windows Management Instrumentation, and "Help and Support" services were running in this svchost instance.
So I killed the services in a few different orders and determined that if either WMIsvc or Crypt32 were running, there was lots of this background traffic. In order to keep them from respawning, I temporarily changed the dll names.
I also noticed that PID 0 (system idle process) was occasionally communicating (https) with 126.96.36.199. This does not happen while WMIsvc and crypt32 are down.
That is about it so far as I can recall. Computer is still sitting here in safe mode, mostly disabled. I'm afraid to reboot it since I still don't know exactly what is wrong/infected.
Please let me know what I should do next and thank you for your support.
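The triage described in the post above (joining `netstat` connections to the process that owns them, then to the services hosted inside that svchost.exe instance) can be scripted so it runs the same way every time. The following is an added example, not code from the original post or its author. It parses constructed sample output of `netstat -ano` and `tasklist /svc` (the PIDs, service names and addresses are made up; the remote addresses come from the RFC 5737 documentation ranges), and it handles two details that trip people up when reading these outputs by hand: `tasklist /svc` wraps long service lists onto indented continuation lines, and `netstat -ano` reports TIME_WAIT sockets with PID 0 because the owning process has already closed them, so such entries are flagged as ownerless rather than attributed to any process.

```python
"""Offline triage: which process and services sit behind each external connection?"""
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not captured from a real machine).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    192.168.1.20:1057      203.0.113.8:80         ESTABLISHED     1104
  TCP    192.168.1.20:1061      203.0.113.8:443        ESTABLISHED     1104
  TCP    192.168.1.20:1063      198.51.100.23:443      TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    760
"""

# Constructed sample of `tasklist /svc` output. The service list for PID 1104
# wraps onto an indented continuation line, as tasklist prints it.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1032 RpcSs
svchost.exe                   1104 CryptSvc, Dnscache, helpsvc,
                                   winmgmt
lsass.exe                      760 PolicyAgent, ProtectedStorage, SamSs
"""

# UDP rows have no State column, hence the optional group before the PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image name (may contain spaces), PID, then the start of the service list.
TASKLIST_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")

# Explicit list instead of ipaddress.is_private, which also treats the RFC 5737
# documentation ranges used in the sample as non-routable.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fe80::/10", "fc00::/7")]


def parse_netstat(text):
    """Turn `netstat -ano` output into a list of connection dicts."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:          # banner, header and blank lines
            continue
        proto, local, remote, state, pid = m.groups()
        conns.append({"proto": proto, "local": local, "remote": remote,
                      "state": state or "", "pid": int(pid)})
    return conns


def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Turn `tasklist /svc` output into {pid: (image_name, [services])}."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue
        m = TASKLIST_LINE.match(line)
        if m:
            image, pid, field = m.groups()
            current = int(pid)
            procs[current] = (image, [] if field.strip() == "N/A" else _split_services(field))
        elif line[0].isspace() and current is not None:
            procs[current][1].extend(_split_services(line))   # wrapped service list
    return procs


def is_external(remote):
    """True when the foreign address is routable, i.e. not local/RFC 1918/unspecified."""
    host = remote.rsplit(":", 1)[0].strip("[]")   # IPv6 appears as [addr]:port
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:     # '*:*' on UDP sockets, or a resolved hostname
        return False
    return not any(ip in net for net in LOCAL_NETS)


def suspicious_connections(netstat_text, tasklist_text):
    """Join external connections to their owning image and hosted services."""
    procs = parse_tasklist_svc(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if not is_external(c["remote"]):
            continue
        if c["pid"] == 0 and c["state"] == "TIME_WAIT":
            # netstat assigns PID 0 to sockets whose owner has already closed
            # them; this is not traffic from the System Idle Process.
            image, services = "(socket already closed, owner unknown)", []
        else:
            image, services = procs.get(c["pid"], ("(pid not in tasklist)", []))
        findings.append({**c, "image": image, "services": sorted(services)})
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{f['proto']} {f['local']} -> {f['remote']} {f['state']:<12} "
              f"pid={f['pid']} {f['image']} [{', '.join(f['services'])}]")
```

On the real machine you would feed the script the saved output of `netstat -ano` and `tasklist /svc` taken at the same moment; a connection attributed to an svchost.exe instance then tells you exactly which hosted services are candidates, which is the point at which Process Explorer or `sc qc` is used to inspect each one, rather than killing the whole host process.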