
system compromised? possible infection - background processes



#1 cladiel

  • Members
  • 1 posts

Posted 19 September 2014 - 03:27 PM

Hello.

I have been worried about having a compromised system for quite some time now - particularly after reading "scary" stories about botnets and what not. I am using Windows 7 Ultimate, with Malwarebytes Premium and Avira Free as anti-malware protection. As for the firewall, it's only been the native Windows Firewall operated via a tiny extension called Windows Firewall Control (4.1.0.2), with medium security settings, but I'm not confident enough to use this and will probably try out Comodo once my issue has (hopefully) been resolved.

My current problem started yesterday. I woke up and checked my email, everything was working fine, no anti-virus alerts, nothing. After grabbing a coffee, I noticed that my connection was down. My PC wouldn't recognize my router connected through a LAN cable. Windows troubleshooting didn't fix it. Also, the router and connection were working just fine, because I could connect to it with my mobile device. I strongly believe that it is some virus that now causes my system to malfunction.

I'm using a Broadcom NetXtreme network adapter to connect my PC to the Internet via cable. After checking the Device Manager, I noticed that the adapter has somehow disabled itself, and checking the settings said that no drivers could be found. I looked at the driver path and everything was normal. I checked the driver path manually; it's a native Win7 driver found under "C:\Windows\System32\drivers\b57nd60a.sys" and nothing appears to have been modified within the file itself.

I ran a MB malware search - nothing turned up. TDSSKiller - nothing. I tried to run Avira, first their Rootkit/active malware search, but it would freeze while trying to access hidden objects. A normal, full scan also wouldn't start - it would be stuck at the boot sector search, not having browsed any files at all. It wouldn't let me cancel it - it would freeze until I relogged.

Also, the computer wouldn't stop searching for the network, even after I: 1. turned off the router/modem, 2. disconnected the cable. I couldn't disconnect the LAN connection through the connection settings window - Explorer would freeze, too, then crash and restart. I tried to restart the Broadcom driver in Device Manager, but it would also freeze. I tried to disable the automatic "Network Discovery" - no changes to the Advanced network settings would apply, and it kept on looking for an adapter.

I backed up some files and decided to just restart the PC. Unfortunately, I did not boot into safe mode... However, everything seemed to be "normal". The fixes I tried earlier had been applied - the Broadcom driver was recognized/accepted again and the device was ready to use. The network device search stopped and it just said that there's no connection. The "Turn off network discovery" setting was applied, too. Furthermore, Avira would now do scans - and find absolutely nothing. Same with TDSSKiller and Malwarebytes. The system was extremely laggy during the almost 5-hour-long Avira full scan, though. Also, in Task Manager, the CPU usage displayed would differ from the apparent CPU use by the processes that were running; it was as if there was some unknown background process running (invisibly) that hogged additional CPU power during the scan. It occurred during the Avira scan and during other operations. It's as if the Task Manager doesn't display the memory used by processes correctly.

I would like to add that I have not connected my PC to the web after the driver problem occurred - and while I was using my anti-malware software. I was afraid that whatever was on my PC would wreak havoc on my computer once I reconnected...

I decided to restore my connection because I'm out of ideas as to how to find the culprit and remove whatever it is that has attached itself to my system. I do hope you can guide me through a proper recovery procedure.


Thank you very much in advance for any assistance!


Edited by cladiel, 19 September 2014 - 03:28 PM.
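The post says the driver file "appears" unmodified after a manual look. An added example (not from this thread or from any of the tools it names) that puts that claim on firmer ground: it checks the Authenticode signature of the driver path given in the post, compares its hash with the copies Windows keeps in the driver store, and reports the kernel driver service and adapter state that Device Manager summarised as "disabled / no driver found". It assumes Windows PowerShell 4.0 or later for Get-FileHash (Windows 7 ships 2.0, so an update would be needed), an elevated prompt, and that the driver's service name is b57nd60a.

```powershell
# Added example, not part of the original thread. Assumes PowerShell 4.0+
# (for Get-FileHash), run as Administrator. Driver path is the one from the post;
# the service name 'b57nd60a' is an assumption based on the file name.
$driverPath = 'C:\Windows\System32\drivers\b57nd60a.sys'

if (-not (Test-Path $driverPath)) {
    Write-Warning "Driver file not found: $driverPath"
    return
}

# 1. Authenticode signature: an in-box driver should report 'Valid'.
#    'HashMismatch' or 'NotSigned' means the file on disk is not the signed one.
$sig = Get-AuthenticodeSignature -FilePath $driverPath
$liveHash = (Get-FileHash -Path $driverPath -Algorithm SHA256).Hash
[pscustomobject]@{
    File   = $driverPath
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
    SHA256 = $liveHash
} | Format-List

# 2. Compare with the driver store copies; a System32 file that matches none of
#    them deserves a closer look (or a fresh driver install from the store).
$storeCopies = Get-ChildItem -Path 'C:\Windows\System32\DriverStore\FileRepository' `
    -Filter 'b57nd60a.sys' -Recurse -ErrorAction SilentlyContinue
if (-not $storeCopies) { Write-Warning 'No driver store copy found to compare against.' }
foreach ($copy in $storeCopies) {
    $storeHash = (Get-FileHash -Path $copy.FullName -Algorithm SHA256).Hash
    $verdict = if ($storeHash -eq $liveHash) { 'matches' } else { 'DIFFERS from' }
    Write-Output ('{0} {1} the System32 copy' -f $copy.FullName, $verdict)
}

# 3. Kernel driver service state and the physical adapters as the OS sees them.
Get-WmiObject Win32_SystemDriver -Filter "Name='b57nd60a'" |
    Select-Object Name, State, StartMode, Started, PathName
Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter=True' |
    Select-Object Name, ServiceName, NetEnabled, NetConnectionStatus
```

A 'Valid' signature with a hash matching a driver store copy rules out tampering with that file, which narrows the search to the driver's configuration and to whatever else was loaded at the time.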



#2 nasdaq

  • Malware Response Team
  • 40,510 posts
  • Location: Montreal, QC, Canada

Posted 24 September 2014 - 07:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop: for 32-bit system or for 64-bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file, select "More Reply Options" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 nasdaq

  • Malware Response Team
  • 40,510 posts
  • Location: Montreal, QC, Canada

Posted 29 September 2014 - 07:31 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
