Windows XP SP3, ping.exe, possibly afd.sys
#1 Celestine (Members, 11 posts)

Posted 13 December 2011 - 01:01 PM

Not sure what I was browsing or somebody else was browsing, but I ended up with, judging from a couple of the newer forum posts, the latest bug that's been going around; that is to say, a suspiciously active ping.exe.

A little more information.

This started with one of those fake anti-virus software things popping up. I don't remember the name, but it was tied to the process 'lgc.exe.' Got rid of that quickly. In case somebody finds this through a google search, this is what I did.

I located the source ( don't remember how I did this ), wrote a batch script to kill the process and delete the source ( this is accomplished by using 'taskkill /im <task name> /f' followed by 'del "<source>"' ), searched the registry for 'lgc.exe' and once I started getting funny hits, eradicated any trace of the sucker from the registry. I immediately ran the batch script. Gotta be quick on a lot of these things as they regenerate. After that, nothing on my PC worked anymore because 'lgc.exe' was a rather cleverly written shell that forced all .exe's to run through itself so it could do its job being a pain in the ass. So I went back to the registry and relinked something like 'HKEY_MACHINE_BLAH_BLAH_BLAH/.../.exe' back to 'exefile' when it had been prior linked to 'lgc.exe.' Easy peasy so far.

Now I'm left with this infected 'ping.exe' which consumes a ton of system resources. I'm not sure what its intent is exactly. It looks like all it does is visit a billion websites in the background, because I'm noticing several secretive folders under 'C:\Documents and Settings\NetworkService\Application Data\Temporary Internet Files\Content.IE5\<random name>' getting filled with random junk super fast. Haha, I actually found this out by sheer stroke of stupid luck. I figured I would defragment to counter the slight sluggishness that I was experiencing, and noticed a high amount of fragmentation in that directory, so I checked it out, only to see the folders refill as I cleaned them out.

AVG shows a hit on 'afd.sys' ( Generic14.CBLO ) but lists it as whitelisted, so I'm afraid to touch it. However, I know what 'ping.exe' does, so I deleted it, and surprise, surprise, it regenerates. I'm fairly certain 'pathping.exe' and 'ping6.exe' are also associated, but I can't be certain because none of the ping-associated files turn up as hits in Malwarebytes' software, Kaspersky's rootkit killer thing, Spybot Search and Destroy or AVG. But they all regenerate instantly as well.

Other than that, I appear to be running a clean rig.

Anyway, I'd rather be safe than sorry, so I have two batch scripts running in the background to keep 'ping.exe' from acting up.

I've attached the script just in case anybody else also wants it ( you'll need some Windows Server 2000 resource tool kit to get access to sleep as you won't be able to use the normal method of a delayed ping since you'll always be deleting ping ):

rem Script 1 (its own .cmd file): kill any running ping.exe every 8 seconds.
rem "sleep" is sleep.exe from the Resource Kit; the usual "ping -n" delay
rem trick can't be used here because ping.exe itself is what's being removed.
@echo off
:Killswitch
cls
taskkill /IM ping.exe /f
sleep 8
goto Killswitch

rem Script 2 (a separate .cmd file): delete the ping family every second.
@echo off
:Killswitch
cls
del "C:\WINDOWS\system32\ping.exe"
del "C:\WINDOWS\system32\ping6.exe"
del "C:\WINDOWS\system32\pathping.exe"
sleep 1
goto Killswitch

That reminds me, I deactivate the batch scripts while I run various scans because otherwise, obviously, the scans wouldn't even find the files in the first place.

As you can tell, I've been extremely aggressive in my pursuit to find a cure. Anyway, nothing I do can get rid of this virus. It's ridiculously stubborn. Everything I delete regenerates instantly. I've tried to write in my own versions of 'ping.exe' marked as read-only with access privileges set to deny for everybody, but nothing doing. Something is acting as a dropper, but I have no idea what. Could be 'afd.sys.' In any case, I could really use some assistance, as I'd hate to do a reformat, but this is the only virus I haven't been able to take care of in one day, so I'm heading in that direction.

Thanks in advance, and sorry the information is all jumbled. Lots of information to put out, and not a lot of time to organize it, so it's kinda stream of consciousness. Please do help quickly.

Edited by Celestine, 13 December 2011 - 01:40 PM.
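The two manual steps in the post above (restoring the .exe file association that the fake AV had pointed at lgc.exe, and checking where the "regenerating" ping.exe is coming from) written up as one batch file. This is an added example, not code from Celestine's post or from any BleepingComputer tool. It assumes Windows XP SP3 with reg.exe and fc.exe present in %SystemRoot%\system32, and that it is run from a cmd.exe window that is already open with administrative rights: cmd starts programs with CreateProcess, which does not consult the HKCR\exefile association, so reg.exe still launches even while double-clicking any .exe is hijacked. The registry values written are XP's stock defaults; the FileExts and HKCU\Software\Classes deletions remove per-user overrides that fake-AV installers of this kind commonly set, and are harmless if those keys are absent.

```batch
@echo off
rem Added example, not from the original post. Assumes XP SP3, an already-open
rem administrative cmd.exe, and reg.exe / fc.exe in %SystemRoot%\system32.
setlocal

echo === 1. Restore the default .exe file association ===
rem Per-user overrides take precedence over HKCR; clear them first.
reg delete "HKCU\Software\Classes\.exe" /f >nul 2>&1
reg delete "HKCU\Software\Classes\exefile" /f >nul 2>&1
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe" /f >nul 2>&1
rem Stock XP values. The hijack rewrites the "command" value to run every
rem .exe through its own binary (lgc.exe in the post). %%1 / %%* are the
rem batch escapes for a literal %1 / %* in the stored value.
reg add "HKCR\.exe" /ve /d "exefile" /f
reg add "HKCR\exefile" /ve /d "Application" /f
reg add "HKCR\exefile\shell\open\command" /ve /d "\"%%1\" %%*" /f

echo.
echo === 2. Compare system32\ping.exe with the Windows File Protection copy ===
rem XP keeps a pristine copy of protected system files in
rem %SystemRoot%\system32\dllcache and silently puts a deleted or altered
rem protected file back from there. That alone makes a deleted ping.exe
rem reappear within seconds, so test for it before blaming a dropper.
set LIVE=%SystemRoot%\system32\ping.exe
set CACHE=%SystemRoot%\system32\dllcache\ping.exe
if not exist "%CACHE%" (
    echo No dllcache copy found: WFP is not what restores ping.exe here.
) else (
    fc /b "%LIVE%" "%CACHE%" >nul
    if errorlevel 1 (
        echo DIFFERENT: system32\ping.exe does not match the dllcache copy.
        echo Treat the live file as suspect and submit it for analysis.
    ) else (
        echo IDENTICAL: system32\ping.exe matches the dllcache copy, so a WFP
        echo restore explains it coming back. Check the dllcache copy's size
        echo and date against a known-good XP SP3 install before trusting either.
    )
)

echo.
echo === 3. List every copy of ping.exe on the system drive ===
rem Anything outside system32, dllcache, ServicePackFiles or i386 is the
rem copy worth looking at; compare sizes and timestamps across the list.
dir /a /s /-c "%SystemDrive%\ping.exe"

endlocal
```

Run it once with both kill loops from the post stopped, otherwise step 2 never sees a live ping.exe to compare. If step 2 reports IDENTICAL, the repeating deletion is fighting Windows File Protection rather than the infection, and the loops should be retired before running the scans the next reply asks for.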


#2 Broni (BC Advisor, 42,679 posts, Daly City, CA)

Posted 13 December 2011 - 04:40 PM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
