
Very smart malware downloader, it's driving me nuts.


  • This topic is locked
7 replies to this topic

#1 elvarien

elvarien

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:37 AM

Posted 07 September 2010 - 07:04 AM

I posted under
BleepingComputer.com > Security > Am I infected? What do I do?
and was referred to this area instead, so here is my story so far.

TLDR below.


To explain my current situation I'll describe my actions so far, which have led to this point.
I'm including as much detail as I can, which could mean this post gets a bit lengthy. I'm sorry about the long read. I'll try to summarize at the end to give a clear picture.

I have always considered myself to be computer savvy. I've killed my fair share of spyware, malware and viral infections on various computers. My own has remained relatively free from infection [ignoring the occasional snag I've been able to expunge quickly]. Half a year ago, give or take a few months, though, I met my match.

It started as I noticed general slowdowns: CPU at 100%, memory at about 90% after a simple boot. Did another boot, this time with all the software that normally starts automatically turned off, and saw somewhat similar results.

Task manager showed me several processes I did not recognize nor trust. I proceeded to kill these and check via msconfig to see if anything odd tried to start at boot. I found several pieces of malware, disabled these and rebooted to check for differences.

I almost thought the infection had sentience, as this had surely pissed it off. On boot I was greeted with several popups belonging to rogue anti-virus suites. I killed those but was greeted with new processes. My first "battles" with this entity resulted in me trying to kill processes faster than it could spam them at me. After a while I learnt to recognize what the processes would do by order of appearance and names.

I began to apply tactics by killing the processes that would spawn more processes first and then leaving the least annoying ones alone, as if I killed those it would restart the cycle until eventually it 'won' or we ended in a 'draw'. By winning, it would have locked Task Manager and other tools before I could stop it from doing so. With a tie we would simply have a crash, BSOD or something similar.

I finally reached a point where I could use my PC, slow but usable, leaving one or two processes in the background which were doing god knows what, though they left me alone enough to search for the source of it all.

While searching I actually found the infection adapting to me, as the AV popups returned, this time hiding under regular processes and applications instead of random number combinations. I found something hiding behind my tablet drivers, for example.

A lot of internet searching led me to others with similar war stories. I decided to just start over. My drive was split in two, with my OS on C: and everything else on D:. I made a folder with everything I wanted to keep, and in that folder did a search for .exe, .com, .js and a few other frequently infected file types. Deleted all of those and followed up with a format of both drives, keeping only the backup folder intact [music, pictures, work material, Photoshop documents, that sort of stuff].

That fresh install has remained clean for about half a year until 3 days ago.

I was hit with Anti Virus Suite. The moment its first popup came up I hit ctrl bleep del, killed the process, looked it up and removed it from my PC. Ran Malwarebytes, which cleaned the remains, and thought that was it. However, explorer.exe keeps crashing every few seconds, which is not something I read about in other posts by people with this piece of malware. The cat came out of the hat when this morning I saw unknown processes in Task Manager again, which reminded me of the episode half a year ago.

Now I HOPE that this is not the same thing but something completely different, as for one, why would it lie dormant for half a year?

[TL;DR]
I've been very reluctant to seek help. Stepping over my ego for a change, as this is way beyond my skill.
So for those still patiently reading, here's a summary of my current situation:

I run Windows 7 64-bit.

I am experiencing issues with a virus or piece of malware that I have not been able to identify as of yet. It downloads and updates itself and adds more malware the longer I let it stay around.

My explorer.exe on boot stays around for about a minute and then crashes every 3 seconds. I currently leave it 'crashed' and run my programs via Task Manager.

I thought something was simply killing explorer.exe, so I copied it, renamed it and used regedit to set the new renamed file as my shell; it did not change the crashing.

I run Malwarebytes and just finished a scan after using Rkill, which shows my system as squeaky clean.
I am pretty sure that if I reboot now and do a new scan it will find bleep, remove it, and do it again next boot.

GMER: if I try to run this program I receive an error message
GMER
C:\Windows\system32\config\system: the system cannot find the file specified
After this error message most of the checkboxes for the malware/rootkit section are grayed out, leaving only services, registry and files.

dds.scr gives me an orange Windows security popup which tells me
your internet security settings prevented one or more files from being opened


Help, please ?



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:37 AM

Posted 13 September 2010 - 12:54 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
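The two posts above touch three places a defender checks on a machine like this: the Winlogon Shell value the topic starter edited to run a renamed explorer.exe, the Run/RunOnce autostart keys behind msconfig's Startup tab, and the system files whose MD5s OTL's /md5start ... /md5stop list collects. The script below is an added example, not code from this thread, from OTL or from BleepingComputer; it reads those locations and reports what it finds without changing anything. It assumes Windows 7 or later with PowerShell 2.0 or later, an elevated prompt, and only hard-codes a subset of OTL's file list.

```powershell
# Added example (not the thread's, OTL's or BleepingComputer's code).
# Read-only survey of: Winlogon Shell, Run/RunOnce autostarts, and MD5 plus
# Authenticode status of a subset of the files OTL's /md5start list names.
# Assumes Windows 7+, PowerShell 2.0+, run from an elevated prompt.

function Get-WinlogonShell {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Shell
    # Anything other than the bare 'explorer.exe' (an extra path, a second
    # executable appended, a renamed copy) is worth a closer look.
    New-Object PSObject -Property @{
        Shell    = $shell
        Expected = ($shell -eq 'explorer.exe')
    }
}

function Get-AutostartEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata properties
            $value = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            # Extract the executable from the command line: quoted path first, else first token.
            if ($value -match '^"([^"]+)"') { $exe = $matches[1] }
            else { $exe = ($value -split '\s+')[0] }
            $status = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }
            New-Object PSObject -Property @{
                Key       = $key
                Name      = $p.Name
                Command   = $value
                Signature = $status
            }
        }
    }
}

function Get-SystemFileHashes {
    # Subset of OTL's /md5start list. OTL locates these files itself; here each
    # name is looked up in System32 and System32\drivers.
    $names = 'eventlog.dll', 'scecli.dll', 'netlogon.dll', 'cngaudit.dll',
             'atapi.sys', 'iaStor.sys', 'nvstor.sys', 'nvraid.sys'
    $dirs  = "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers"
    $md5   = [System.Security.Cryptography.MD5]::Create()
    foreach ($name in $names) {
        foreach ($dir in $dirs) {
            $path = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $bytes = [System.IO.File]::ReadAllBytes($path)
            $hash  = ([BitConverter]::ToString($md5.ComputeHash($bytes))) -replace '-', ''
            New-Object PSObject -Property @{
                Path      = $path
                MD5       = $hash
                Signature = (Get-AuthenticodeSignature -FilePath $path).Status
            }
        }
    }
}

Get-WinlogonShell     | Format-List
Get-AutostartEntries  | Format-Table Key, Name, Signature, Command -AutoSize
Get-SystemFileHashes  | Format-Table Path, MD5, Signature -AutoSize
```

Two caveats when reading the output. Many Windows 7 system files are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a perfectly genuine file; treat that as "compare the MD5 against a known-good copy" (install media or an identically patched machine), not as proof of tampering. And a Shell value that is not exactly explorer.exe is only suspicious when you did not set it yourself, which is why the topic starter's own regedit change should be reverted before interpreting the result.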



#3 elvarien

elvarien
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:37 AM

Posted 13 September 2010 - 02:00 PM

Thanks for taking the effort to respond; what I have seen is indeed quite the torrent of new threads on this forum.
As it has taken some time, I tried to simply use the system until the situation deteriorated to the point where at boot I got GRUB boot loader errors and was unable to proceed. On the forum I found my thread buried under a mountain of threads and took matters into my own hands.
I used an Ubuntu live CD to gain access to my C partition, copied what I wanted to keep to my D drive and followed that up with a Windows 7 DVD to reinstall/format the OS on C.

I am currently posting from what looks like a healthy OS. I have run a Malwarebytes scan on the remaining D partition and so far seem to be completely clean.

Thanks for the response though I see you guys have been getting swarmed.

I have learned not to turn off Data execution protection in the future.

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:37 AM

Posted 13 September 2010 - 02:31 PM

Hi,

Thanks for letting us know.

Ubuntu is indeed a life saver, isn't it?

regards myrti



#5 elvarien

elvarien
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:37 AM

Posted 13 September 2010 - 03:18 PM

Quite. I always keep a live CD handy.
If only it would actually run the software I need and use, I would have ditched Windows a long time ago. Or kept a small partition around for games or something ;p

Anyway, thanks for the service rendered here at Bleeping Computer.

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:37 AM

Posted 13 September 2010 - 03:30 PM

Hi,

Yeah, maybe some day companies will provide software for Windows and Linux; that would be awesome.


If you have no more questions I will close this topic.

regards myrti



#7 elvarien

elvarien
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:37 AM

Posted 13 September 2010 - 03:34 PM

Agreed on the win factor there.

And no, I have no further questions. This episode taught me to be less lax around security and has, as far as I can tell, now been fully fixed.
I'll make a new post if I turn out to be still infected. Cheers.

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:37 AM

Posted 13 September 2010 - 03:55 PM

Since this topic appears to be resolved, I will now close it. Thanks for letting us know.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti
