
Looking for advice on a VERY suspicious "unknown" entry in device manager


13 replies to this topic

#1 ATGUNWAT

ATGUNWAT

  • Members
  • 44 posts
  • Gender:Male
  • Location:Florida

Posted 24 June 2011 - 07:02 PM

Late in the evening on 6/17/2011, while listening to some old Rush tunes on my computer, Windows Media Player just decided to start playing what sounded like every song I have, all at once. BTW OS=7x86

I could not close Media Player, and I could not turn down or mute the volume in Media Player.

I opened the Task Manager to kill the process and noticed that there was a Media Player Classic (MPC-HC) process still running from a Penn and Teller BS video I had watched earlier. I could "end process" on Windows Media Player but could not "end process" or "end process tree" on Media Player Classic.

I tried to terminate MPC with several third-party apps like the old APT from Diamond CS, Killbox, Daphne, System Explorer, Process Explorer, SpyDllRemover, and even Radix. Nothing worked. SpyDllRemover and Radix both claimed to have killed the resilient MPC, but when I would refresh my list it was really still there, which I confirmed by cross-referencing with Task Manager. (Bill should have used MPC for the Windows shell, rather than explorer.) :lmao:

I ran several malware scans, which all came up clean. (All but SpyDllRemover, which reported 53 hidden rootkit processes that I simply dismissed as false positives because I have never heard of anyone having so many before.) After that I ran a few of the log file generators too and came up with some suspicious files running from the appdata\local\temp folder that I think were created by rkill, but I am not 100% on that. I should have run rkill in a clean sandbox to see what files and folders were created first, but I didn't, so now I am left with uncertainty.
Can anyone confirm? Are these related to rkill?

Suspicious Files in temp folder list:

C:\Users\Owner\AppData\Local\temp\RarSFX0\h\explorer.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\h\iexplore.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\nird\iexplore.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\procs\explorer.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\procs\iexplore.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\procs\proc.dat
C:\Users\Owner\AppData\Local\temp\RarSFX0\curo.reg
C:\Users\Owner\AppData\Local\temp\RarSFX0\extra.dat
C:\Users\Owner\AppData\Local\temp\RarSFX0\lmro.reg
C:\Users\Owner\AppData\Local\temp\RarSFX0\lmroe.reg
C:\Users\Owner\AppData\Local\temp\RarSFX0\nircmd.chm
C:\Users\Owner\AppData\Local\temp\RarSFX0\nircmd.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\nircmdc.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\pev.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\prep.bat
C:\Users\Owner\AppData\Local\temp\RarSFX0\rkill.bat
C:\Users\Owner\AppData\Local\temp\RarSFX0\rkill.reg
C:\Users\Owner\AppData\Local\temp\RarSFX0\s.inf
C:\Users\Owner\AppData\Local\temp\RarSFX0\sed.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\serv.dat
C:\Users\Owner\AppData\Local\temp\RarSFX0\sh.vbs
C:\Users\Owner\AppData\Local\temp\RarSFX0\swreg.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\userinit.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\winlogon.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\wl.txt

and an empty folder located at:
C:\Windows\Xsxs\Xenocode\Sandbox

I did see several processes (not related to MPC) listed on the "process viewer" tab of SpyDllRemover, in the lower pane, when I selected MPC's process and when I selected the svchost.exe process that was using the most memory. When I started to look these up on Google I found many of the same files listed on a site called Exploit-ID.com (Exploit Information Disclosure). Link: http://www.exploit-id.com/dospoc/windows-media-player-with-k-lite-codec-pack-dos-poc. (I do have the K-Lite Codec Pack installed, as an alternative to RealPlayer and QuickTime.) While comparing the list there with my list, I finally spotted this (Link: http://www.exploit-id.com/news/lulzsec-take-down-cia-website?) in an article to the right of the main story. When I read it, I saw that it said "2 hours ago", which was about the same time Windows Media Player decided it wanted to play my entire music collection all at once. (Then I Totally Freaked Out) I was really shocked to think that my machine might have participated as a zombie/bot in a DDoS attack on the CIA's website. (I am far from certain that this is what happened, but it is not out of the range of possibilities either.)

I got an update that had just been released for the K-Lite Codec Pack from filehippo.com and applied it immediately. Thinking everything was cool now, I let it go for the rest of the night. I had other things to do on the 18th and 19th, so I didn't get a chance to look into it again until the 20th. I ran SpyDllRemover again and saw that the 53 hidden rootkit processes had multiplied into 114. I knew I had to get to the bottom of this, so I started to run some full scans of everything I have. (I usually use the quick scan option or only scan my C: drive.) That is just over 3.5TB spread across 8 drives and takes 40 forevers to complete. (Actually it takes about 50 hours or so, depending on what else I am doing with the computer at the time.)

Sometime in the afternoon on the 22nd I walked into my office/shop/garage and found a BSOD.
I restarted the computer into Safe Mode, opened Windows Explorer and saw that where there were once 8 hard drives, there were now just 2.
I was about as bummed as you would imagine I would be, so after ranting around the house for several minutes, some choice words, and a few door slams, I went back to my garage, restarted my computer into Safe Mode again, and my drives were back. (whew) I then opened the MMC and went to the Device Manager.

As referenced in the topic title, there is a new and VERY suspicious "unknown" entry in the Device Manager that I have never seen on my machine or any other machine that I have ever worked on.
It makes reference to multiple hardware devices and even some (but not all) of the scan tools I ran. I have NEVER seen an instance of software (other than drivers, of course) showing up in the Device Manager as a "sibling" of a hardware device. This is the first time I have ever seen multiple (unrelated) devices showing up under a single entry together too, although they are listed only as "siblings" on the details tab.

Here is the list:



Device Instance Path

ROOT\LEGACY_UZK3NJM1\0000

_________________________________________________

Physical Device Object Name

\Device\0000004b

___________________________________________________

Capabilities

00000000

____________________________________________________

Enumerator

ROOT

____________________________________________________

Install State

00000002

_____________________________________________________

Config Flags

00000040
CONFIGFLAG_FAILEDINSTALL

_____________________________________________________

Base Container ID

{00000000-0000-0000-ffff-ffffffffffff}

___________________________________________________

DevNode Status

01802401
DN_ROOT_ENUMERATED
DN_HAS_PROBLEM
DN_DISABLEABLE
DN_NT_ENUMERATOR
DN_NT_DRIVER

___________________________________________________

Problem Code

0000001C

___________________________________________________

Parent

HTREE\ROOT\0

_________________________________________________

Siblings

Root\*ISATAP\0000
Root\*TEREDO\0000
Root\ACPI_HAL\0000
Root\blbdrive\0000
Root\CNTX_VPCNETS2_MP\0000
Root\CNTX_VPCNETS2_MP\0001
Root\CNTX_VPCNETS2_MP\0002
Root\COMPOSITEBUS\0000
Root\ISCSIPRT\0000
Root\LEGACY_AEGISP\0000
Root\LEGACY_AFD\0000
Root\LEGACY_APPID\0000
Root\LEGACY_BEEP\0000
Root\LEGACY_CATCHME\0000
Root\LEGACY_CLFS\0000
Root\LEGACY_CNG\0000
Root\LEGACY_CSC\0000
Root\LEGACY_DISCACHE\0000
Root\LEGACY_DXGKRNL\0000
Root\LEGACY_EAPPKT\0000
Root\LEGACY_FRESHIO\0000
Root\LEGACY_FVEVOL\0000
Root\LEGACY_HITMANPRO35\0000
Root\LEGACY_HTTP\0000
Root\LEGACY_HWPOLICY\0000
Root\LEGACY_KSECDD\0000
Root\LEGACY_KSECPKG\0000
Root\LEGACY_LLTDIO\0000
Root\LEGACY_MOUNTMGR\0000
Root\LEGACY_MPSDRV\0000
Root\LEGACY_MSISADRV\0000
Root\LEGACY_NATIVEWIFIP\0000
Root\LEGACY_NDIS\0000
Root\LEGACY_NDISUIO\0000
Root\LEGACY_NDPROXY\0000
Root\LEGACY_NETBT\0000
Root\LEGACY_NNSALPC\0000
Root\LEGACY_NNSHTTP\0000
Root\LEGACY_NNSIDS\0000
Root\LEGACY_NNSPICC\0000
Root\LEGACY_NNSPIHS\0000
Root\LEGACY_NNSPOP3\0000
Root\LEGACY_NNSPROT\0000
Root\LEGACY_NNSPRV\0000
Root\LEGACY_NNSSTRM\0000
Root\LEGACY_NNSTLSC\0000
Root\LEGACY_NORMANDY\0000
Root\LEGACY_NSIPROXY\0000
Root\LEGACY_NULL\0000
Root\LEGACY_PBFILTER\0000
Root\LEGACY_PCW\0000
Root\LEGACY_PEAUTH\0000
Root\LEGACY_PSCHED\0000
Root\LEGACY_PSINAFLT\0000
Root\LEGACY_PSINKNC\0000
Root\LEGACY_PSINPROT\0000
Root\LEGACY_PSKMAD\0000
Root\LEGACY_PWDRVIO\0000
Root\LEGACY_PWDSPIO\0000
Root\LEGACY_QWAVEDRV\0000
Root\LEGACY_RASACD\0000
Root\LEGACY_RDPCDD\0000
Root\LEGACY_RDPDR\0000
Root\LEGACY_RDPENCDD\0000
Root\LEGACY_RDPREFMP\0000
Root\LEGACY_RSPNDR\0000
Root\LEGACY_SBIEDRV\0000
Root\LEGACY_SDTHELPER\0000
Root\LEGACY_SECDRV\0000
Root\LEGACY_STORFLT\0000
Root\LEGACY_TCPIP\0000
Root\LEGACY_TCPIPREG\0000
Root\LEGACY_TDX\0000
Root\LEGACY_VGASAVE\0000
Root\LEGACY_VOLMGRX\0000
Root\LEGACY_VOLSNAP\0000
Root\LEGACY_VSMRAID\0000
Root\LEGACY_VWIFIFLT\0000
Root\LEGACY_WANARPV6\0000
Root\LEGACY_WDF01000\0000
Root\LEGACY_WFPLWF\0000
Root\LEGACY_WUDFPF\0000
Root\mssmbios\0000
Root\MS_L2TPMINIPORT\0000
Root\MS_NDISWANBH\0000
Root\MS_NDISWANIP\0000
Root\MS_NDISWANIPV6\0000
Root\MS_PPPOEMINIPORT\0000
Root\MS_PPTPMINIPORT\0000
Root\MS_SSTPMINIPORT\0000
Root\NNSNAHSMP\0000
Root\NNSNAHSMP\0001
Root\NNSNAHSMP\0002
Root\NNSNAHSMP\0003
Root\NNSNAHSMP\0004
Root\NNSNAHSMP\0005
Root\NNSNAHSMP\0006
Root\NNSNAHSMP\0007
Root\NNSNAHSMP\0008
Root\NNSNAHSMP\0009
Root\NNSNAHSMP\0010
Root\RDPBUS\0000
Root\RDP_KBD\0000
Root\RDP_MOU\0000
Root\SYSTEM\0000
Root\UMBUS\0000
Root\vdrvroot\0000
Root\volmgr\0000

______________________________________________________________

Container ID

{00000000-0000-0000-ffff-ffffffffffff}

________________________________________________________________________

Install Error

There is no driver selected for the device information set or element.

E0000203

___________________________________________________________________________

Class Default Security

00 0C 90 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00
00 5C 00 04 00 00 00 00 00 14 00 00 00 00 10 01 01 00 00
00 00 05 12 00 00 00 00 00 18 00 00 00 00 E0 01 02 00 00
00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 00 00 00 C0
01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 00 00 00 80
01 00 00 00 00 00 05 0C 00 00 00

____________________________________________________________________________

Class Default Security SDS

D:P(A;;GA;;;SY)(A;;GXGWGR;;;BA)(A;;GWGR;;;WD)(A;;GR;;;RC)

_____________________________________________________________________________

Class Long Name

Other devices

_____________________________________________________________________

Class Short Name

Unknown

______________________________________________________________________

Display Name

Other devices

_________________________________________________________________________


Has anyone else ever even heard of such a thing? I am completely confuzzled by this "unknown device."
I have never, EVER seen anything even remotely like it. Maybe that just reflects a lack of experience on my part, or maybe I have something new.

Google would not accept a query of that length, so I was hoping someone here could advise me on how to approach this thing. I would also like to submit a sample but I'm not sure exactly what to submit or where to go to find it. (I do have a 1.99GB memory dump, if that helps)

ANY advice at all would really be appreciated.

(sorry if I rambled on too much, I have not gotten much good restful sleep for the past several days)

I'm feeling like I am in a little over my head this time.

Thanks for your time,

ATGUNWAT

Edited by ATGUNWAT, 24 June 2011 - 07:07 PM.
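The Device Manager details quoted in the post above are ordinary Plug and Play bookkeeping values, and decoding them tells you more than a web search of the whole dump would. DevNode Status 01802401 is a bitmask defined in the Windows SDK header cfg.h; Problem Code 0000001C is CM_PROB_FAILED_INSTALL, the "Code 28" Device Manager shows when no driver is installed for a node; Config Flags 00000040 is CONFIGFLAG_FAILEDINSTALL; Install Error E0000203 is SetupAPI's ERROR_NO_DRIVER_SELECTED; and the Siblings list is simply every other child of HTREE\ROOT\0, which every root-enumerated node has as its parent, so it does not indicate any link between this entry and those devices or tools. ROOT\LEGACY_<name>\0000 instance paths, this one and its LEGACY_* siblings alike, are the nodes Windows creates for non-PnP kernel driver services, each named after a key under HKLM\SYSTEM\CurrentControlSet\Services, and that key (its ImagePath and Start values, and the file they point to) is what a defender checks next. The Python below is a decoder added for this page, not code from the thread or from any tool mentioned in it; its tables reproduce a subset of the public SDK definitions and SDDL abbreviations (large enough to cover the posted values), and its input dictionary holds the values quoted in the post.

```python
"""Decode Device Manager 'Details' properties of the kind quoted in the thread.

Added example: the tables below reproduce a subset of the public Windows SDK
definitions (cfg.h, regstr.h, setupapi.h) and of the SDDL abbreviations.
"""
import re

# DN_* devnode status bits (cfg.h). Subset; bits not listed are reported as hex.
DN_STATUS_BITS = {
    0x00000001: "DN_ROOT_ENUMERATED", 0x00000002: "DN_DRIVER_LOADED",
    0x00000004: "DN_ENUM_LOADED", 0x00000008: "DN_STARTED",
    0x00000010: "DN_MANUAL", 0x00000040: "DN_NOT_FIRST_TIME",
    0x00000080: "DN_HARDWARE_ENUM", 0x00000400: "DN_HAS_PROBLEM",
    0x00002000: "DN_DISABLEABLE", 0x00004000: "DN_REMOVABLE",
    0x00008000: "DN_PRIVATE_PROBLEM", 0x00800000: "DN_NT_ENUMERATOR",
    0x01000000: "DN_NT_DRIVER", 0x40000000: "DN_NO_SHOW_IN_DM",
}

# CONFIGFLAG_* values kept in the node's ConfigFlags registry value (regstr.h).
CONFIGFLAG_BITS = {
    0x00000001: "CONFIGFLAG_DISABLED", 0x00000002: "CONFIGFLAG_REMOVED",
    0x00000004: "CONFIGFLAG_MANUAL_INSTALL", 0x00000020: "CONFIGFLAG_REINSTALL",
    0x00000040: "CONFIGFLAG_FAILEDINSTALL",
}

# CM_PROB_* problem codes (cfg.h); Device Manager shows them as "(Code NN)" in decimal.
CM_PROBLEMS = {
    0x0A: "CM_PROB_FAILED_START", 0x16: "CM_PROB_DISABLED",
    0x1C: "CM_PROB_FAILED_INSTALL", 0x27: "CM_PROB_DRIVER_FAILED_LOAD",
}

# SetupAPI install error codes (setupapi.h).
SETUPAPI_ERRORS = {0xE0000203: "ERROR_NO_DRIVER_SELECTED"}

# SDDL two-letter abbreviations that appear in the posted security descriptor string.
SDDL_RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
               "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
SDDL_SIDS = {"SY": "Local System", "BA": "Builtin Administrators",
             "WD": "Everyone", "RC": "Restricted Code"}


def decode_bits(value, table):
    """Names of the bits set in value, lowest bit first; leftover bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    leftover = value & ~known
    if leftover:
        names.append(f"unknown(0x{leftover:08X})")
    return names


def decode_devnode_status(value):
    return decode_bits(value, DN_STATUS_BITS)


def decode_config_flags(value):
    return decode_bits(value, CONFIGFLAG_BITS)


def decode_problem_code(code):
    """Symbolic CM_PROB_* name plus the decimal 'Code NN' Device Manager displays."""
    return f"{CM_PROBLEMS.get(code, 'CM_PROB_UNKNOWN')} (Code {code})"


def legacy_service_name(instance_path):
    """Service name behind a ROOT\\LEGACY_<name>\\NNNN node, or None for other nodes."""
    m = re.fullmatch(r"ROOT\\LEGACY_([^\\]+)\\\d{4}", instance_path, re.IGNORECASE)
    return m.group(1) if m else None


def parse_sddl_dacl(sddl):
    """Parse a DACL-only SDDL string such as D:P(A;;GA;;;SY)... into ACE dicts."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError(f"not a DACL SDDL string: {sddl!r}")
    flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, _ace_flags, rights, _obj, _inherit_obj, sid = ace.split(";")
        aces.append({
            "type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
            # Rights are a run of two-letter codes, e.g. GXGWGR -> execute, write, read.
            "rights": [SDDL_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                       for i in range(0, len(rights), 2)],
            "trustee": SDDL_SIDS.get(sid, sid),
        })
    return {"protected": "P" in flags, "aces": aces}


# Values quoted in the post, as the hex strings Device Manager displays.
POSTED_DETAILS = {
    "Device Instance Path": r"ROOT\LEGACY_UZK3NJM1\0000",
    "DevNode Status": "01802401",
    "Problem Code": "0000001C",
    "Config Flags": "00000040",
    "Install Error": "E0000203",
    "Class Default Security SDS": "D:P(A;;GA;;;SY)(A;;GXGWGR;;;BA)(A;;GWGR;;;WD)(A;;GR;;;RC)",
}


def summarize(details):
    """Decode a details dictionary into human-readable findings."""
    return {
        "service": legacy_service_name(details["Device Instance Path"]),
        "status": decode_devnode_status(int(details["DevNode Status"], 16)),
        "problem": decode_problem_code(int(details["Problem Code"], 16)),
        "config_flags": decode_config_flags(int(details["Config Flags"], 16)),
        "install_error": SETUPAPI_ERRORS.get(int(details["Install Error"], 16), "unknown"),
        "dacl": parse_sddl_dacl(details["Class Default Security SDS"]),
    }


if __name__ == "__main__":
    for key, value in summarize(POSTED_DETAILS).items():
        print(f"{key}: {value}")
```

Run as a script it prints each decoded field. The useful output for triage is the service name: a ROOT\LEGACY_* node carrying CM_PROB_FAILED_INSTALL is a registered kernel service whose driver was never bound, so the registry key of that name under Services, and the binary its ImagePath names, are what to inspect rather than the Device Manager node itself. The parsed class DACL also shows that the "Other devices" class default grants Everyone generic read and write, which is worth knowing whenever a device object of that class turns up.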




#2 trojan.agent

trojan.agent

  • Members
  • 4 posts

Posted 25 June 2011 - 02:19 PM

I will start my own question thread if you want but I believe we have the same trojan.

*A word about this trojan: after detecting it by running rKill to stop it, then SuperAntiSpyware to detect it, I reboot and delete/quarantine right away, allowing for the reboot. Upon reboot, I run rKill again, then SAS again, and it finds it again every time. I backed up to my second drive, then removed it and reinstalled Windows 7 64-bit. So I reinstalled Windows and it seemed to still be there after a short time of being on the network... but I was able to remove it using a combination of ComboFix, rKill and SAS. But, when I plugged in my second drive again, BAM! It was back and irremovable again. It could be the virus is on the network here at home, or the second hard drive with my backup, or I could have gotten it from the internet while I was grabbing drivers. Regardless, once the PC is clean I will again clean reinstall; I just need it to be clean first so that I can perform the backup without backing up the trojan!

*I ran a scan on the other household computers and they all have it. So, I will disconnect the network cable from this computer and just transfer files to it from another (known clean Linux PC) computer until I know how to fix it (so it won't get reinfected by the others). Then one by one fix the rest (then connect them to the network again).

I also have many of the same files (see here):
C:\Users\admin\AppData\Local\Temp\RarSFX0>tree /f
Folder PATH listing
Volume serial number is F4A5-1E44
C:.
│ curo.reg
│ extra.dat
│ lmro.reg
│ lmroe.reg
│ nircmd.chm
│ nircmd.exe
│ nircmdc.exe
│ pev.exe
│ prep.bat
│ proxycheck.exe
│ rkill.bat
│ rkill.reg
│ s.inf
│ sed.exe
│ serv.dat
│ sh.vbs
│ swreg.exe
│ userinit.exe
│ winlogon.exe
│ wl.txt

├───h
│ explorer.exe
│ iexplore.exe

├───nird
└───procs
iexplore.exe
proc.dat


C:\Users\admin\AppData\Local\Temp\RarSFX0>


This seems to be a new Trojan.Agent/Gen-IExplorer[Fake] type of trojan. I detect the trojan(s) only after running rKill before the SuperAntiSpyware scan, the other is called Trojan.Agent/Gen-PEC.

My scan results for mbam:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6949

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

6/25/2011 11:26:51 AM
mbam-log-2011-06-25 (11-26-51).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 242377
Time elapsed: 8 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is the SAS log:


**Also I forgot to mention platform: Windows 7 64 bit Professional Edition

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/25/2011 at 01:09 AM

Application Version : 4.54.1000

Core Rules Database Version : 7313
Trace Rules Database Version: 5125

Scan type : Complete Scan
Total Scan Time : 06:21:29

Memory items scanned : 511
Memory threats detected : 0
Registry items scanned : 11409
Registry threats detected : 0
File items scanned : 90446
File threats detected : 11

Adware.Tracking Cookie
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@atdmt[2].txt
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@doubleclick[2].txt
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@kontera[1].txt
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@collective-media[2].txt
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pro-market[1].txt
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@adxpose[1].txt
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@ads.bleepingcomputer[1].txt

Trojan.Agent/Gen-IExplorer[Fake]
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\RARSFX2\NIRD\IEXPLORE.EXE
C:\Windows\Prefetch\IEXPLORE.EXE-9A0BDDDA.pf

Trojan.Agent/Gen-PEC
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\RARSFX2\PROCS\EXPLORER.EXE
C:\Windows\Prefetch\EXPLORER.EXE-45275529.pf



And the DDS.txt:

Edited by elise025, 04 July 2011 - 08:44 AM.
Logs removed so this topic can stay in this forum ~Elise


#3 ATGUNWAT

ATGUNWAT
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male
  • Location:Florida

Posted 25 June 2011 - 05:05 PM

trojan.agent

I would not take any drastic measures, yet.
We don't know that these files aren't a result of running rkill.
I have gotten no replies to that question, and as you stated, you noticed those files only AFTER running rkill.
What if those files are CREATED BY RKILL?
Just hold off on taking ANY action for now.
I have been keeping google real busy the past couple of days.
I will post back as I figure things out.
There is lots that I don't know, but NOTHING I can't find out, as long as I am willing to put in the time to do the required research.
(that, and an interest in the subject helps too)

When in doubt, Don't !!!
ATGUNWAT

Edited by ATGUNWAT, 25 June 2011 - 05:20 PM.


#4 ATGUNWAT

ATGUNWAT
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male
  • Location:Florida

Posted 26 June 2011 - 05:58 AM

OK
I got it.

It took a while, and was very tedious, but they are all gone.
I'll come back tomorrow night and let you know exactly what I did.

All traces are gone, which means I have nothing I can submit for sUBs to study.
(I do still have that 2GB memory dump, if anyone is interested)

Right now, I am very tired.
I am going to put on some of my favorite Rush tunes, (yeah, I'm a drummer) and I'm going to bed.

C-Ya,
ATGUNWAT

Edited by ATGUNWAT, 26 June 2011 - 02:42 PM.


#5 ATGUNWAT

ATGUNWAT
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male
  • Location:Florida

Posted 26 June 2011 - 01:47 PM

Well, it's back.

When I first detected the "hidden rootkit" processes I had 53 of them, which eventually multiplied into 114.

Throughout the day yesterday I picked away at them one by one until late last night (actually, I guess that was around 7am this morning), when I had eliminated all of them. (Or so I thought.)

I slept till about 10:30am and checked again when I woke up and, 2 of them had returned. :angry:

Two turned into 4, and eventually into 10. :crazy: Using the same method (which worked so well yesterday) of removing non-present hidden drivers from the Device Manager, along with taking ownership of some hard-headed registry keys and deleting the related services when necessary, I have once again removed all but one of them.
(the %$@#&@$ Ras Async Adapter)
What kills me is, I don't even have a dial up modem installed. (go figure) :huh:

I have deleted the AsyncMac service and temporarily relocated the 6 related drivers associated with that service, but I cannot (yet) uninstall the Ras Async Adapter, no matter what I try. It is also the only driver (that I have noticed) without the option to disable it.


Here is where I started on the 17th: [screenshot]



Here is where I am now: [screenshot]


I know many who read this may think I am going to mess up windows pretty bad.
Don't worry, I can fix Windows. (I am still online, and everything works, with no errors)
I have got to get this thing off my machine so I can confidently make remote connections without having to worry about infecting a client's system. Several of my clients are doctors and lawyers and, due to confidentiality policies, I MUST BE CERTAIN that my system is secure before I can get back to work.

I have ordered a new barebones kit from TigerDirect, which should be here in the next couple of days, so one way or another this will all be over soon. (and I can get back to work)

On the bright side, I get a new machine to build and play with. (woo hoo) :thumbsup:

I will keep you informed.

ATGUNWAT

Edited by ATGUNWAT, 26 June 2011 - 02:07 PM.


#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 27 June 2011 - 04:42 PM

All of those files are part of rkill and should have been deleted when it was done. They can safely be removed.

Feel free to submit unlockercom.dll to http://www.bleepingcomputer.com/submit-malware.php?channel=3

#7 ATGUNWAT

ATGUNWAT
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male
  • Location:Florida

Posted 27 June 2011 - 08:46 PM

> All of those files are part of rkill and should have been deleted when it was done. They can safely be removed.
>
> Feel free to submit unlockercom.dll to http://www.bleepingcomputer.com/submit-malware.php?channel=3



I did find out about those temp files by running rkill in sandboxie.
Thanks for that confirmation though.
I don't trust anything my computer tells me right now.

I uploaded Unlocker.com and the related driver and executable files.
I didn't realize when I did it that I wasn't signed in yet.
Let me know if I need to resubmit them.

Do you have any detailed info on the use of submitter.exe?
(for example, what value does one enter in the "BleepingComputer.com Channel" space provided?)

Thanks,
ATGUNWAT

Edited by ATGUNWAT, 27 June 2011 - 08:49 PM.


#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 27 June 2011 - 09:09 PM

Certain members of the site have their own channel. Entering their number in allows you to submit directly to them.

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 27 June 2011 - 09:26 PM

The unlocker files are from the legitimate unlocker program:

http://www.emptyloop.com/unlocker/

What version of Windows are you running?

#10 trojan.agent

trojan.agent

  • Members
  • 4 posts

Posted 28 June 2011 - 03:15 PM

Hi ATGUNWAT,

You were right, the files were created by rKill and were not a threat.

I've learned about false positives from this adventure. And, I've learned to start my own thread, after posting to your other thread on computerhope dot com. I will no longer "hijack" a thread, thank you for improving my forum etiquette.

#11 ATGUNWAT

ATGUNWAT
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male
  • Location:Florida

Posted 02 July 2011 - 09:24 PM

Sorry for not replying sooner, I hurt my back helping someone move and I have been laid up for days. (takes 2 canes to get around)
I have been too uncomfortable to spend much time upright, but I will be back soon to post an update.

ATGUNWAT


#12 ATGUNWAT

ATGUNWAT
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male
  • Location:Florida

Posted 06 July 2011 - 06:39 PM

> The unlocker files are from the legitimate unlocker program:
>
> http://www.emptyloop.com/unlocker/
>
> What version of Windows are you running?




I am running 7x86 on that box.

I received my new barebones kit last week and I just set it up two days ago. (7x64 on the new one)

I have lots of work to catch up on, but after that I am going to wipe the nasties off of the old box and use it as a server for my shop.

My new build is a 3.06GHz i3 with 4GB of DDR3, a 1.5TB SATA 3G on an MSI H55M-P33 motherboard with a 450W PSU, LG DVD burner and Thermaltake V2 case... for $299.00 (Sweet deal) :thumbsup:

That is (soon to be was) by far, the worst &@#$ infection I have ever run across.

I have removed TDL4 from 7 computers in the past 6 months, and it doesn't hold a candle to this thing.

I wish I knew what it was...
I think I will keep it and name it TDL5. (just kidding)

It really "Stux" that it got the best of me.
I have never had to just throw in the towel and give up like that before.
I take that very personally. <_<

Now I have to somehow separate whatever it is from all of my files and move them to my new machine ASAP.
(any suggestions?)

ATGUNWAT


#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 12 July 2011 - 12:05 PM

If it's TDSS you don't have to worry about your data being infected. Just copy it over.

I am not 100% this was an actual infection rather than something being corrupted on your computer.

#14 ATGUNWAT

ATGUNWAT
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male
  • Location:Florida

Posted 15 July 2011 - 08:38 PM

> If it's TDSS you don't have to worry about your data being infected. Just copy it over.
>
> I am not 100% this was an actual infection rather than something being corrupted on your computer.




Thanks for all the help Grinler, I really do appreciate it.

The more I look into the logs and memory dumps, the more I tend to agree with your assessment of OS and/or driver corruption being the problem.

I had a temp house guest that was using my router for internet access and he had repeatedly gotten his machine infected as fast as I could clean it up.

I thought that was surely going to be the source of all my problems, but in retrospect, that was probably a rush to judgement.

I did have several viruses and rootkits (TDL4 was among them), but they were all in my sandbox folder on an external HDD, where they should be. (My menagerie was intact)

I have rescued all my data and am planning to wipe out the old system drive soon.
If I do discover something interesting there, I will post it here.


Thanks again,

ATGUNWAT




