Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Hijacker + rootkit? and/or drive issue?


  • Please log in to reply
No replies to this topic

#1 ChasingMyTail

ChasingMyTail

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:30 AM

Posted 05 July 2010 - 10:32 PM

Hi, well where do I start? Acer netbook D250 with WinXP sp3 & IE8, Hitachi internal drive. 2GB internal ram.

Several obvious problems. Browser spontaneously pops up new window to random web sites that try to download php scripts.

Problems initially noticed & started with spontaneous periodic audio playback "You have won!".
Latest version of MBAM & Spybot cleared only to have other problems pop up within hours. Opened task scheduler and noticed 250 scheduled tasks installing something every hour on the hour. Task names were: AT99, AT100, etc.

I erased all tasks and disabled task scheduler service.

Simply Super Software's Trojan Remover (trial, runs out tomorrow) says clean.
MBAM quick scan shows clean.
MBAM full scan hangs computer on file mshta.exe.mui and will not complete. Hang requires hard shut down.
Spybot shows clean.

SUPERAntiSpyware finds several real and many false positives (including touchpad driver etc.). IE8 had black tool bar that finally went away when I allowed Superantispyware to delete QTTask.exe (Quicktime)
Initially it found three QTTasks: QTTask.exe, QTTask .exe, and QTTask .exe (extra blanks before extension)

Superantispyware is now finding two files, Trojan.Agent/Gen-FraudPack:
c:\documents and settings\all users\application data\XWVY7M46.EXE
c:\documents and settings\USERNAME\Local settings\temp\HKI178.exe
These same files, once removed, will be rewritten here after some time & a boot.
Also, Superantispyware will not complete a scan, but usually hangs at file:
c:\windows\ime\imjp8_1\imjputyc.dll
Again, hang reqires hard shutdown.
I have been interrupting the scan early to clean the malware.

Have used CCleaner to cleanup all temporary files.
Chkdsk shows no problems & no bad sectors.
HDTune show no problems on quick scan (60 seconds) but hangs on long scan at about 5%.
SFC /scannow hangs at about 40%
Microsoft Malicious Software removal tool shows no problems found.
MacAfee Stinger hangs at about 20%.
Memtest86+ run from a memory stick passes fine.
I have run all the scanners in safe mode as well. The only one that is finding anything is SuperAntiSpyware.
All scanners are the latest copies and are updated (manually) daily.
I have disabled most of the Browser Add-Ons and have no shown BHOs.
I am not running any unusual software and don't think that I have any fancy features activated.

After I installed ZoneAlarm 9.2.057 today, upon exiting IE8, this error message appears:
"iexplore.exe - Application Error
The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not be "read".
Click on OK to terminate the program"
SuperAntiSpyware now sees ZA's FORCEFIELD.EXE as a false positive.

I find the following strange, is this a driver issue? I somehow feel it might be related.
The Windows drive hardware tab is empty under ACER (C:) properties, & the Disk Management panes are empty (there should be two volumes, PQSERVICE & ACER (C:) )
Windows Disk Defragmenter does see ACER (C:), & HDTune sees both partitions.
Windows Device Manager is missing the 'Drives' entry, but has the IDE controllers entry.
The BIOS sees the Hitachi 160Gb drive.

At the moment, the browser is still popping up new windows to (unwanted) web sites & SOMETHING is still infected & keeps writing those two files back that will cause the browser to have a black toolbar.

I have three nearly identical netbooks, (although the others have a Toshiba & a Western Digital drive) and I have no problems completing scans with the other two, including no false positives from SuperAntiSpyware. (if they are indeed false positives)

I can't think of anything else to write at the moment. I have been fighting this for the last several days and have tried to be as accurate as I can.
Thank you in advance for any assistance you can give me.
-David

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users