Posted 28 April 2011 - 08:53 PM
I'm a hands-on user, and noticed my system was running slow. Next, it was showing a lot of activity on the modem, and it wasn't me. It then played the music from a James Bond movie, all by itself, and started redirecting Firefox to hither and yon.
I noticed in the Network Services folder about 5 new subfolders with random names, under the temp internet folder, and a new folder named "Content.IE5". These were small .jpg and .js files, which looked like scrapes from various websites - nothing I'd ever been to. When these new folders were deleted, they were replaced by the malware.
Also, the system's SVCHOST was being used - and grew in memory from a normal size to 10X its normal size. This continued until it crashed with the message that the program was "referencing memory at <memory address>" and "that memory could not be written to". When that crashes, the entire system becomes unresponsive.
Another error is this one (just got it):
"Generic Host Process for Win32 Services"
"Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience. Please tell Microsoft about this problem."
<start of error message for svchost crash>
The Error report contains this:
szAppName: svchost.exe
szAppVer: 5.1.2600.5512
szModName: ntdll.dll
szModVer: 5.1.2600.6055
offset: 00022235
The following files will be included in this error report:
<end of Error message>
I don't take malware sitting down - so I've run everything I could get my hands on: Malwarebytes Anti-Malware, ComboFix, Microsoft Security Essentials, Avast! Free, Comodo Antivirus, and done some poking around in regedit. The above programs have found malware and deleted it, with complete system scans - unfortunately, as soon as I log back into my account, it starts up again.
I found a new folder, "cmdcons", that had copies (maybe) of all the Windows system files, e.g. atapi.sy_ (underscore instead of the final s), for each one. The cmdcons folder was a hidden or system folder whose files could not be deleted normally. I used "File Assassin" to remove each of them (there were 223), one at a time. A subfolder was called "SYSTEM32", and had just two files in it: NTDDLL.DLL and SMSS.EXE. Neither matched the Windows XP Pro (SP3) versions. They were also protected, but I managed to delete them.
When I viewed a web page (before the last deletions), links for downloads were not shown on the page. The only way you'd find them was to notice the mouse cursor change, and then highlight the page (Edit: Select All). It's better now.
Thanks in advance for your help. I have downloaded HijackThis (that's how I heard about this forum), and have that log. Although I've run <many> scans and done corrections in the past several days, I understand now that you don't want that (naturally, control is needed), so I have stopped.