
Oh Yes, Bedeviled!


  • Please log in to reply
1 reply to this topic

#1 Adak


Posted 28 April 2011 - 08:53 PM

I'm a hands-on user, and noticed my system was running slow. Next, it was showing a lot of activity on the modem, and it wasn't me. It then played the music from a James Bond movie, all by itself, and started redirecting Firefox to hither and yon.

I noticed in the Network Services folder about 5 new subfolders with random names, under the temp internet folder, and a new folder named "Content.IE5". These were small .jpg and .js files, which looked like scrapes from various websites - nothing I'd ever been to. When these new folders were deleted, they were replaced by the malware.

Also, the system's SVCHOST was being used - and grew in memory from a normal size to 10X its normal size. This continued until it crashed with the error that the program was "referencing memory at <memory address>" and that memory could not be written to. When that crashes, the entire system becomes unresponsive.
Another error is this one (just got it):
"Generic Host Process for Win32 Services
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience. Please tell Microsoft about this problem."

<start of error message for svchost crash>
The Error report contains this:
Error signature:
szAppName: svchost.exe szAppVer: 5.1.2600.5512 szModName: ntdll.dll
szModVer: 5.1.2600.6055 offset: 00022235

The following files will be included in this error report:
C:Docum~1\Adak\LOCALS~1\Temp\WERecbf.dir00\svchost.exe.mdmp
C:Docum~1\Adak\LOCALS~1\Temp\WERecbf.dir00\appcompat.txt

<end of Error message>

I don't take malware sitting down - so I've run everything I could get my hands on: Malwarebytes Anti-Malware, ComboFix, Microsoft Security Essentials, Avast! Free, Comodo Antivirus, and done some poking around in regedit. The above programs have found malware and deleted it with complete system scans - unfortunately, as soon as I log back into my account, it starts up again.

I found a new folder "cmdcons" that had copies (maybe) of all the Windows system files: atapi.sy_ (underscore instead of a final s), for each one. The cmdcons folder was a hidden or system folder, whose files could not be deleted normally. I used "file assassin" to remove each of them (there were 223), one at a time. A subfolder was called "SYSTEM32", and had just two files in it: NTDDLL.DLL and SMSS.EXE. Neither matched the Windows XP Pro (SP3) versions. They were also protected, but I managed to delete them.

When I viewed a webpage (before the last deletions), links for downloads were not shown on the page. The only way you'd find them was to notice the mouse cursor changed, and then highlight the page (Edit: Select All). It's better now.

Thanks in advance for your help. I have downloaded HijackThis (that's how I heard about this forum), and have that log. Although I've run <many> scans and done corrections in the past several days, I understand now that you don't want that - naturally (control is needed), so I have stopped.
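The post above compares two files found in a suspect SYSTEM32 subfolder against the Windows XP SP3 versions by hand. The script below is an added example (not from the thread and not a BleepingComputer tool) of doing that comparison systematically: for every file in a suspect folder it reports the file version, the SHA-256 hash, and the Authenticode status, alongside the live copy in the real System32 directory, and flags any mismatch. The suspect folder path is an assumption; point it at whatever directory is under investigation. One caveat a practitioner needs: most Windows system binaries are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature reports NotSigned for perfectly legitimate files; treat a version or hash mismatch against a known-good copy as the signal, and NotSigned on its own as inconclusive.

```powershell
# Added example: compare files in a suspect folder with the live System32 copies.
# $SuspectDir is an assumed path for illustration; $TrustedDir is the real system directory.
param(
    [string]$SuspectDir = 'C:\cmdcons\SYSTEM32',
    [string]$TrustedDir = (Join-Path $env:SystemRoot 'System32')
)

# SHA-256 via .NET so the function also works on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Describe one file: version, hash and embedded Authenticode status.
function Get-FileFacts([string]$Path) {
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    return New-Object PSObject -Property @{
        Version   = $item.VersionInfo.FileVersion
        Sha256    = Get-Sha256Hex $Path
        SigStatus = $sig.Status        # Valid, NotSigned (also for catalog-signed files), HashMismatch, ...
        Signer    = $signer
    }
}

Get-ChildItem -LiteralPath $SuspectDir | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $suspect = Get-FileFacts $_.FullName
    $livePath = Join-Path $TrustedDir $_.Name
    if (Test-Path -LiteralPath $livePath) {
        $live = Get-FileFacts $livePath
        $mismatch = ($suspect.Sha256 -ne $live.Sha256)
        $liveVer  = $live.Version
    } else {
        # No live counterpart: nothing to compare against, report it for manual follow-up.
        $mismatch = $null
        $liveVer  = '<no live copy>'
    }
    New-Object PSObject -Property @{
        File        = $_.Name
        SuspectVer  = $suspect.Version
        LiveVer     = $liveVer
        SuspectSig  = $suspect.SigStatus
        Signer      = $suspect.Signer
        HashDiffers = $mismatch
    }
} | Format-Table File, SuspectVer, LiveVer, SuspectSig, Signer, HashDiffers -AutoSize
```

Run it from an elevated PowerShell prompt (reading some system files requires administrator rights), and keep in mind that a hash mismatch only tells you the two copies differ; which one is the genuine file still has to be settled against a known-good installation or the vendor's own distribution, which is exactly why the moderator below asks for logs rather than for more deletions.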


#2 Orange Blossom (Moderator)

Posted 28 April 2011 - 09:42 PM

Hello,

Please follow the instructions in This Guide, starting at step 6.

Once the proper logs are created, make a NEW TOPIC and post it HERE. Since you have run ComboFix, please include the ComboFix log in the new topic. Please be sure to include a description of your computer issues and what you have done to try to resolve them.

If you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why and include the ComboFix log along with a description of your computer issues.

Orange Blossom