Malware I can't identify returns (I think?) after reformat


This topic is locked
3 replies to this topic

#1 surge1223

surge1223

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:47 AM

Posted 12 July 2012 - 12:59 PM

Hello all,

First, I'm glad to have finally joined, thanks for all the help you have posted on the site. I'm pretty knowledgeable about what I'm doing, and this is the first time I've ever had to get help. It all started about a month ago, when I was looking through Autoruns and Process Explorer to determine why my CPU and HDD activity was high while doing nothing resource intensive on the laptop. While ruling out the normal Windows updates and other items that usually account for the activity, I noticed that the command lines for winlogon, svchost and explorer.exe were not right. When I started to investigate more, I found that my firewall had been completely turned off by something and that I had weird connections in netstat; Windows would not allow me to turn my firewall back on. Then, before I could log or remember what all the symptoms were, my PC restarted on its own and took me to the Windows login screen. Usually I am the only account on the PC, but this time I was given the choice to log in as Administrator or my account. I logged in to my account and it went okay, except that now my display had its brightness changed all the way to 0 (this is a laptop display, btw) so I could barely see what I was doing, and my desktop background changed to black. Eventually I figured out my group policy settings had been changed by an Unknown user account and I was no longer able to do administrative tasks or connect to the internet. I started in safe mode and had difficulty trying to manage group policy on my PC, especially since it's Windows 7 Home Premium. Oh, by the way, I noticed my fiancee's PC started to do the same thing, and determined through router logs that the malware was using the router to infect other PCs on the network.

Anyway, to make a long story short, I eventually changed the settings, got admin back and did the following:

1. Booted into recovery (fixed MBR, etc. with bcdedit)
2. Booted into Seagate tools and erased the disk and reformatted
3. Disconnected the router, and installed a new router with a different SSID and password
4. Reinstalled Windows 7 Home Premium with Service Pack 1 from an ISO burned to disk
5. Installed Windows 7 updates, installed drivers for the laptop, changed firewall settings to block all incoming connections (downloaded Microsoft Security Essentials with Win7 updates)

--also, downloaded Win 7 from my Microsoft Store account on my MacBook instead of my infected Sony laptop; I think the MacBook was uninfected but not sure--

I have recovery disks, but I'm afraid that the malware could have been on them. I am now back on my PC, but have noticed strange items in my system32 folder, strange messages in logs, my DNS addresses are both the same as my default gateway, lsass, csrss, etc. running more than usual, explorer.exe's command line is "Explorer.EXE" (idk if the exe is supposed to be caps or not?). I have 7 svchost.exe's running, firewall rules are being changed from disabled to active on their own, the PC is using too many resources, IE has Acro search hooks already but no redirects that I could tell. Also in my start-up programs list, CCleaner reports that GrpConv -0 is set to RunOnce on restart; I don't know what that is, but I've never seen it before.

I could not scan win32k.sys on any online sites because it would disappear from system32 when trying to upload, but instantly reappear if I opened system32 from Windows Explorer while not trying to upload. Event Viewer had multiple concerning messages, although I'm unsure if it's bad to have previous registry settings being opened by another user or not. My antivirus says the system is clean but I don't know if I trust it. Any help/suggestions would be greatly appreciated. Also let me know if you need additional info.

Thanks


P.S. - I forgot to mention, I believe that I first started noticing problems when my Ricoh SD card drivers were corrupt. I remember reading strange messages in the drivers' ini files, but can't remember what they were. I don't know if this is significant or not.

Edited by surge1223, 12 July 2012 - 01:02 PM.
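The indicators listed in the post above (firewall state, DNS servers matching the gateway, the command lines and paths of core processes, the svchost count, the RunOnce entry and win32k.sys) can all be captured read-only and pasted into a log. The script below is an added example written for this thread; it is not code from the original post or from BleepingComputer. It assumes Windows 7 with PowerShell 2.0 or later, an elevated prompt and the default %SystemRoot% install path, and changes nothing on the system.

```powershell
# Added triage example for this thread (not the poster's or BleepingComputer's code).
# Read-only: it reports the indicators mentioned in the post so they can be pasted
# into a log. Assumes Windows 7 / PowerShell 2.0+, an elevated prompt, and the
# default %SystemRoot% install path.

$win = $env:SystemRoot   # normally C:\Windows

# --- 1. Firewall profile state (the poster found it switched off) -------------
"== Firewall profiles =="
netsh advfirewall show allprofiles | Select-String -Pattern 'Profile Settings|^State'

# --- 2. DNS servers versus default gateway ------------------------------------
# A DNS server equal to the gateway address simply means the home router is
# answering DNS; the router's own upstream DNS entries are what to verify.
"`n== DNS servers vs. gateway =="
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE") {
    $gw  = @($nic.DefaultIPGateway)
    $dns = @($nic.DNSServerSearchOrder)
    "{0}`n  gateway: {1}`n  dns:     {2}" -f $nic.Description, ($gw -join ', '), ($dns -join ', ')
    if ($gw.Count -gt 0 -and $dns -contains $gw[0]) {
        "  note: DNS is served by the router at $($gw[0]); check the router's DNS settings"
    }
}

# --- 3. Core Windows processes: image path and command line -------------------
# Case differences such as "Explorer.EXE" are meaningless on Windows; what
# matters is that the image lives under $win (explorer.exe) or $win\System32.
"`n== Core processes =="
$core = 'winlogon.exe', 'svchost.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe', 'services.exe'
$expected = '^' + [regex]::Escape($win) + '\\(System32\\|SysWOW64\\)?[^\\]+$'
$procs = Get-WmiObject Win32_Process | Where-Object { $core -contains $_.Name.ToLower() }
foreach ($p in ($procs | Sort-Object Name, ProcessId)) {
    $path = $p.ExecutablePath
    $flag = ''
    if (-not $path)                    { $path = '(path not readable)' }
    elseif ($path -notmatch $expected) { $flag = '   <-- UNEXPECTED LOCATION' }
    "{0,-13} pid {1,-6} {2}{3}" -f $p.Name, $p.ProcessId, $path, $flag
    "              cmd: $($p.CommandLine)"
}
$svchostCount = @($procs | Where-Object { $_.Name -ieq 'svchost.exe' }).Count
"svchost.exe instances: $svchostCount (a dozen or so is typical on Windows 7)"

# --- 4. Autostart entries in Run / RunOnce -------------------------------------
# GrpConv is a legitimate Windows component (grpconv.exe in System32); as with
# every entry here, verify the path it points to rather than judging the name.
"`n== Run / RunOnce =="
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $props = (Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
    foreach ($prop in $props) { "{0}`n  {1} = {2}" -f $k, $prop.Name, $prop.Value }
}

# --- 5. win32k.sys: version, timestamp, hash -----------------------------------
# Compare the hash against a copy from the install media or run "sfc /verifyonly";
# catalog-signed system files report NotSigned from Get-AuthenticodeSignature on
# PowerShell 2.0, so that cmdlet is deliberately not used here.
"`n== win32k.sys =="
$sys = Join-Path $win 'System32\win32k.sys'
if (Test-Path $sys) {
    $f = Get-Item $sys
    "version: {0}  size: {1}  modified: {2}" -f $f.VersionInfo.FileVersion, $f.Length, $f.LastWriteTime
    certutil -hashfile $sys SHA256 | Select-String -NotMatch 'CertUtil'
} else {
    "win32k.sys not found at $sys"
}
```

Run it from an elevated PowerShell prompt and redirect the output to a text file (for example `.\triage.ps1 > triage.txt`) so the whole report can be attached to a log. The only check that raises a flag on its own is a core process running from outside the Windows directory; everything else is printed for a helper to read, because items such as DNS pointing at the router or a `GrpConv` RunOnce entry are commonly seen on healthy installs and need the path and context, not just the name, to judge.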



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,912 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:47 AM

Posted 27 July 2012 - 09:04 PM

Sorry for the delay. Please repost the above info with the logs below.


We need a deeper look. Please go here: Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 surge1223

surge1223
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:47 AM

Posted 28 July 2012 - 11:08 PM

It went well. Thanks for replying. I did as asked in the guide.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,848 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:47 AM

Posted 29 July 2012 - 04:41 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic462929.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
