First some background on me. I am a software engineer and a computer expert and also a Guru on the Norton Community Forum. It appears that I have been hit for only the second time in over 21 years with a virus.
I have Windows 7 Ultimate 32 bit with 4GB of RAM.
My saga is as follows. On Aug 30th I woke up one morning to find NIS (Norton Internet Security) alerting on a file called "cache.txt" located in C:\Windows\Offline Web Pages. Upon investigation it appears to be the W32.Morto worm. The Symantec security response article is:
Upon checking the NIS logs I found that the alerts started at about 1:30 AM while I was sound asleep. Between that time and about 7 AM when I woke up, NIS had alerted 49 additional times on this file, showing that it was blocked. The first alert at 1:30 AM showed that it was quarantined. I started monitoring this directory, and as I watched it I could see this file appearing and disappearing over and over again, about every 10-15 seconds!
I rebooted the computer and NIS alerted one last time and this time showed TWO things infected, the file + a registry key. It removed both and since then things appeared normal on the surface.
NIS scans were clean at this point, as was MBAM. But I also wanted to scan with the NBRT (Norton Bootable Recovery Tool). Much to my dismay I found that the BIOS would no longer recognize the USB flash drive as bootable media. I tried TWO different flash drives and neither would boot if it was burned as an NBRT, but both DID boot from the very same flash drive if it was burned as a Norton Ghost recovery disk! Long story short, I ended up downloading the very same version of the BIOS from the MB manufacturer which I already had and reflashed the BIOS. I rebooted the computer and all of a sudden both flash drives started being recognized.
Though W32.Morto is not, to my knowledge, known to infect the BIOS, either it or some other malware that came after it actually did infect my BIOS.
I was still somewhat leery, so I started browsing through my Norton Ghost image backups and found that the file "cache.txt" had been present in my backup images since Aug 21st. Yet NIS never alerted until Aug 30th. Clearly I had been hit with a zero-day virus which apparently lay dormant (and hence unnoticed by NIS) for about 9 days.
So I ended up restoring my Norton Ghost image from Aug 18th which predated the first appearance of that file. I chose to also restore the MBR.
Everything was fine after this, until this morning.
This morning I woke up and hit Ctrl+Alt+Delete to log into my computer, and instead of coming up with the password entry it went to the screen to select my username instead. I know from experience this only happens when a user is logged into the computer remotely. DANGER SIGN!
So I logged in and found that the "cache.txt" file is once again back! I ran a scan with MBAM, and it now detects a TROJAN in "svchst.exe", which I recognize as a core Windows executable. I am attaching the logs from both MBAM and HijackThis.
NIS is also now alerting, saying that such-and-such IP address is trying to access my computer. It refers to the infection (not surprisingly) as W32.Morto. Please let me know if you want a screenshot of this attempted attack attached.
Some other information:
The indications from the Symantec Security Response article are that someone likely hacked into my computer via the default Administrator account. I never have this account enabled; my normal account does have Admin rights, but I never use the default Administrator account, for security reasons. And yes, I know using an account with Admin rights is not recommended, but I do have my reasons for doing so. Much to my dismay I checked, and sure enough the default Administrator account was active. Then I remembered that a couple of months ago I did use this account briefly when working on a minor problem which could have been due to a corrupted user account. Apparently I forgot to disable the default Administrator account when I was done. Argh, how stupid of me!
Of course I disabled it again after restoring the Norton Ghost image.
The fact that I was hit again today tells me that one of two things is likely:
1. Someone managed to hack into my primary user account via RDP even though I had changed the password to what I believe is a strong password.
2. This infection somehow survived a Ghost image restore even though I also restored the MBR.
Both are scary but #2 is even more scary.
For number 1, I will not be enabling RDP again until I get it secured through an encrypted VPN, and I will most likely change the default RDP port as well. I am also considering installing a program called "Radmin", recommended by a friend, which has built-in encryption.
Please help. At this point I am no longer comfortable just restoring a Ghost image, given that I was hit again, or it was never truly gone in the first place.
EDIT: Forgot to mention that I pulled up "cache.txt" in Notepad. It is clearly an executable and not a text file. Again, please let me know if you want that file uploaded as well.
SECOND EDIT: My sincere apologies that I did not notice the logs that I needed to capture and upload. I am attaching them now. NOTE please that GMER caused a BSOD, so I was not able to capture the logs for that.
Thanks very much
Edited by AllenM, 09 September 2011 - 11:14 PM.
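The post above turns on a few checks that can be run directly rather than inferred from NIS pop-ups: whether the built-in Administrator account is enabled, whether RDP is listening and on which port, who has logged on over RDP (and from where), and whether "cache.txt" really carries an executable image. The following PowerShell audit script is an added example written for this page; it is not code from AllenM's post or from Symantec. It assumes Windows 7 with PowerShell 2.0, run from an elevated prompt (the Security log needs it), and the function names, the 14-day window and the path to cache.txt are my own choices.

```powershell
# Added example (not from the original post). Assumes Windows 7 / PowerShell 2.0,
# run elevated. Function names are hypothetical.

function Test-BuiltinAdminEnabled {
    # The built-in Administrator keeps the RID 500 even if it has been renamed.
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
            Where-Object { $_.SID -like 'S-1-5-*-500' }
    if ($acct -eq $null) { return $false }
    return (-not $acct.Disabled)
}

function Get-RdpConfig {
    # fDenyTSConnections=0 means Remote Desktop is enabled; PortNumber is the
    # listener port (3389 by default); UserAuthentication=1 requires NLA.
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
    New-Object PSObject -Property @{
        RdpEnabled  = ($deny -eq 0)
        Port        = $port
        NlaRequired = ($nla -eq 1)
    }
}

function Get-RdpLogonEvents {
    # 4624 = successful logon, 4625 = failed logon (failures appear only if
    # failure auditing for Logon is enabled). LogonType 10 = RemoteInteractive, i.e. RDP.
    param([int]$Days = 14, [switch]$Failed)
    $id = 4624
    if ($Failed) { $id = 4625 }
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $id; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '10') {
            New-Object PSObject -Property @{
                Time     = $_.TimeCreated
                User     = $d['TargetUserName']
                SourceIp = $d['IpAddress']
            }
        }
      }
}

function Test-PeFile {
    # Any DOS/PE executable starts with the two bytes 'MZ', whatever its extension.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $b = New-Object byte[] 2
        $n = $fs.Read($b, 0, 2)
        return ($n -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
    } finally { $fs.Close() }
}

# --- Audit ---
"Built-in Administrator enabled: $(Test-BuiltinAdminEnabled)"
Get-RdpConfig | Format-List
"Sessions on this machine right now:"
if (Get-Command query.exe -ErrorAction SilentlyContinue) { query user 2>$null }
"Successful RDP logons, last 14 days:"
Get-RdpLogonEvents -Days 14 | Format-Table Time, User, SourceIp -AutoSize
"Failed RDP logons by source IP, last 14 days (password guessing shows up here):"
Get-RdpLogonEvents -Days 14 -Failed | Group-Object SourceIp |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
"cache.txt has an MZ header: $(Test-PeFile 'C:\Windows\Offline Web Pages\cache.txt')"

# --- Remediation (uncomment to apply) ---
# Disable the built-in Administrator (use its current name if it was renamed) and
# turn RDP off until it is reachable only over a VPN.
# net user Administrator /active:no
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
```

The two remediation lines are commented out on purpose; run the audit first and keep its output (the 4624/4625 source IPs in particular) before changing anything, since that is the evidence that distinguishes scenario 1 (a fresh RDP logon after the restore) from scenario 2 (something that survived the restore with no new remote logon at all).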