Malware, flakey hardware, or am I just loopy?


No replies to this topic

#1 richardsplanet

  • Members
  • 1 posts

Posted 06 May 2010 - 03:53 PM

I was infected last Friday with some malware (which I managed to clean up using Kaspersky's Live CD). I've also run Malwarebytes' Anti-Malware, Sophos Anti-Rootkit, RootkitRevealer, and Spybot S&D. Everything seems to indicate the machine is clean, but ... I get these random shutdown problems (as if the power has been pulled) - they've been going on for the past few months or so, but now I can predictably reproduce them.

My machine:

Gateway GT5056
3GB RAM
nVidia GeForce 9500 GT
Power supply: 500W (was upgraded to support the video card)
Onboard video card died about 8 months ago (hence, upgrade to 9500).

Since I was getting infrequent random shutdowns, I figured it might be a thermal problem. I cleaned out the computer and fans and applied new heatsink compound. Reduced the idling CPU temp from 43C to 39C (not bad). Even before all that, under load the CPU never rose above 50C.

Then tried running overnight memory tests. Everything came out fine.

(1) After being infected, I tried running Windows Defender to view processes in memory - the machine shuts down shortly after it starts listing the processes.
(2) I tried running sfc /scannow - runs a bit, then the machine shuts down.
(3) If I run sfc /scanonce, then it will run without shutting the machine down (it also prompts me to insert XP CDs - which I don't have because the Gateway didn't come with any - just a restore partition that doesn't work - it prompts me for a CD).

The kicker is that my machine has been disconnected from the Internet since the infection. Yet, if I enter sfc /scanonce, the Windows shutdown dialog shows "Click turnoff to install important updates ...". It shows the same when I reboot the computer after sfc runs. Yet, it does not show this message if I don't enter sfc /scanonce.

Disabled Automatic Update and this message disappeared.

(4) Thought I might have some success uninstalling XP SP3 (if something nasty was tied into it). Same problem - machine shuts down. Yet, I was able to uninstall many other software apps (including Visual Studio Express apps) without incident (in a bid to reduce the number of files the AV needs to scan - hence reducing scan time).

(5) Ran chkdsk - same problem. Ran chkdsk /R and the problem with chkdsk seems to have gone away.

(6) Ran WD Lifeguard on the HD (Quick Test and Extended Test), no problems reported.

So my questions are the following:

(1) Is this some sophisticated piece of malware trying to hide its presence by invoking ACPI critical shutdown (that's what it looks like, since there is no BSOD) when something might discover it?

(2) Is the defective onboard video responsible?

(3) Why is the problem so reproducible with sfc and Windows Defender?

(4) Is it some sort of software conflict (OK, I am reaching)?

I am really getting frustrated. I am pretty certain the computer didn't come with an XP CD because of the recovery partition. And I am not about to shell out money for a new copy of Windows if my hardware is failing. I am at the point where I am seriously considering reformatting the drive and installing Linux just to see.

[UPDATE]

Ran SDFix and GMER this morning.

SDFix locates this hidden registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{077F2F81-8322-7C94-EE60-546467C96B4D}]
"eaboffbeeb"=hex:66,61,6c,61,63,65,63,6a,6e,62,63,6c,00,fc
"damncgbo"=hex:64,62,64,63,65,6b,6e,70,6f,6e,65,66,62,63,68,65,65,67,65,6c,6e,..
"iajpgehpjaghbccgjp"=hex:6a,61,66,6d,65,6e,6b,6c,6a,6e,70,61,6c,70,62,64,69,61,6d,6b,00,..
"hadceemggaomjeal"=hex:6a,61,66,6d,65,6e,6b,6c,6a,6e,70,61,6c,70,62,64,69,61,6d,6b,00,..

Searching through the registry only reveals the CLSID in HKEY_CURRENT_USER and HKEY_USERS.

Googling on it reveals nothing.

Is it safe to remove?

Edited by richardsplanet, 07 May 2010 - 01:51 AM.
