
NASTY Google Update Worm Rootkit


This topic is locked
6 replies to this topic

#1 dsm185s

Posted 29 January 2014 - 08:33 AM

Greetings.  I have nowhere else to turn so I hope someone can help me here.  

About a week ago, I noticed one of my machines (XP) locking up.  This was the first sign that there might be an issue.  Checked the logs and I saw an unusual entry from the XP machine just prior to the lockup: 

"The browser was unable to retrieve a list of servers from the browser master \\XXXXXXXX-PC on the network \Device\NetBT_Tcpip_{CBC2EEE0-ED6B-4CC6-ABDC-B26B32A56A4D}. The data is the error code."

Looked up this error and it had to do with multihomed machines (does not apply here). XXXXXXXX-PC is my wife's laptop (Windows 7) - Red flags going off at this point. I confiscated the XXXXXXX-PC for reimaging and the lockups stopped but I felt the need to investigate further and put a sniffer on using Capsa 7 free (nice tool btw).

Reviewed event logs and saw a lot of google update events on the XP machine. Sniffer was showing all sorts of traffic to other countries which left me feeling more paranoid than usual. Ran the following with no results:

Malwarebytes (full scan)
AVG (full scan)
Trendmicro housecall
RogueKiller (did find two PUPs but this might be a false alarm)
HitManPro (just found some tracking cookies)
Windows Security Essentials

Checked the event viewer and saw an awful lot of Google Update events in the app log.  

It was at this point that MY laptop started acting weird.  Running fine except it would make this random PHONE DIALER (4 BEEPS) tone out of the speakers at random times.  I could not isolate what was causing it so I put on ProcMon and reviewed the logs when it went off and I saw two things that stood out.  Lots of SVCHOST entries and lots of GOOGLE UPDATE entries at the time of the phone dialer event. 

Repeated scans above in safe mode on MY laptop and nothing came back. At this point, I was questioning if I had a ZeroAccess virus and we have three machines affected.

Also at this time my wife reports her Android Samsung Galaxy 2 is acting weird.  Apps closing on her, etc.  

I'm thinking we have some kind of trojan/worm/rootkit because multiple machines are affected and we have no scans coming back but obviously something is going on here.  

Then Ripley from Aliens pops into my head and says "Nuke it from orbit... it's the only way to be sure."  
So I wiped ALL THREE machines and started from scratch.  Took the opportunity to upgrade the XP machine to Windows 7 so all three running Windows 7 now.  Everything seemed fine until my laptop started making the dialer tone again. Put on Procmon and monitored it for another event and sure enough... google update and svchost at that time.  Really feeling frustrated now.
Then I ran ComboFix on MY laptop (from reading other threads) and it did find something on the system file (infected) which it appeared to clean and rebooted.  Re-ran all scans above and nothing came back.  Sorry, I don't have the log :(
Ran ComboFix on the other two machines and no system file was infected so I'm hoping that the re-imaging worked on those and assuming they are clean (for now).  

So this begs the following questions:

How did my laptop become reinfected?
Is the laptop clean now?
Are the other machines REALLY clean as well?

I did two things that could have reinfected MY Laptop.  First, I logged into Google Chrome and it re-synced everything.  If the virus was in a plugin or something else that synced, then it could have reinfected that way.  I did not re-sync on the other machines.  Second, I restored a backup of an application that I use for my work.  No executables in the backup.  

After I rebuilt the machines I also scanned my USB drives that had been used to backup information prior to the reinstall. Microsoft security essentials found and cleaned the following on one of the USB drives:

Generic 28.ATGK

I THINK we're clean now but I'm not positive.  This has been a hard virus to track down because nothing is catching it.   I would really appreciate a second opinion on my laptop as this is the one that appeared to be re-infected.  I would be happy to provide any logs that you need.  


Edited by hamluis, 29 January 2014 - 12:01 PM.
Moved from Win 7 to Am I Infected - Hamluis.


#2 dsm185s

Posted 29 January 2014 - 12:13 PM

All three machines that I reimaged have junk text in the strings tab when viewing System Internals Process Explorer. This leads me to believe I am still infected. Nothing I know to do seems to be working on this one. Really stumped.

#3 dsm185s


Posted 29 January 2014 - 04:04 PM

Found these files without a digital signature: Wmiprvse.exe, lsm.exe, crss.exe, conhost.exe, winlogin.exe (no digital signature on any of them).
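One way to automate the check this post describes, as an added example that is not code from the thread: a PowerShell script that lists every running process image that is not Microsoft-signed or does not live in a Windows system directory. It assumes PowerShell 4.0 or later on Windows, where Get-AuthenticodeSignature also recognizes catalog signatures (most Windows system binaries are catalog-signed rather than carrying an embedded signature), and an elevated prompt so WMI can report the image path of system processes. Note that the names in the post are close to, but not the same as, the genuine csrss.exe and winlogon.exe; a path-and-signature check like this is what separates a typo from a look-alike file sitting outside System32.

```powershell
# Added example (not from the thread): flag running process images that are
# either outside the Windows system directories or not signed by Microsoft.
# Assumption: PowerShell 4.0+ so catalog-signed OS binaries report 'Valid';
# on PowerShell 2.0 (Windows 7 default) they show as 'NotSigned'.

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-ProcessImage {
    param([Parameter(Mandatory)][string]$Path)

    # Expected location: genuine core binaries live in System32/SysWOW64.
    # -contains compares case-insensitively, so 'system32' matches 'System32'.
    $dir = Split-Path -Path $Path -Parent
    $inSystemDir = $systemDirs -contains $dir

    # Signature check; catalog signatures are honoured on PowerShell 4.0+.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $msSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')

    [pscustomobject]@{
        Path        = $Path
        InSystemDir = $inSystemDir
        Status      = $sig.Status
        Signer      = $signer
        Suspicious  = -not ($inSystemDir -and $msSigned)
    }
}

# WMI reports ExecutablePath for more processes than Get-Process can open.
Get-WmiObject -Class Win32_Process |
    Where-Object { $_.ExecutablePath } |
    Select-Object -ExpandProperty ExecutablePath -Unique |
    ForEach-Object { Test-ProcessImage -Path $_ } |
    Where-Object { $_.Suspicious } |
    Sort-Object Path |
    Format-Table -AutoSize
```

Legitimately signed third-party software (browsers, antivirus) will also appear in the output because only Microsoft is trusted here; treat the list as a starting point for review, not a verdict.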

#4 technonymous


Posted 29 January 2014 - 07:27 PM

Is there a chance that you or your wife maybe accidentally connected to another open wifi network? Or maybe used it at another location, library, internet cafe or coffee shop? Check if your wifi router is secured.


Edited by technonymous, 29 January 2014 - 07:29 PM.


#5 dsm185s


Posted 30 January 2014 - 10:48 AM

Closing this thread as I KNOW we are still infected.  Opening a new thread in appropriate area for virus assistance.



#6 dsm185s


Posted 30 January 2014 - 11:09 AM

Please refer to the following:

Nasty Virus - Affects AudioDG.exe Windows 7 - Possily Rooted

#7 Animal
  • Site Admin

Posted 30 January 2014 - 11:23 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/522625/nasty-virus-affects-audiodgexe-windows-7-possily-rooted/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.
