A complex and crafty bit of malware


#1 autodonewiththis



Posted 21 December 2014 - 05:13 AM

Okay, so I usually don't ask for help with computer problems, as figuring it out for myself leads to me learning more than letting someone else do it for me. But unfortunately, I'm completely at a loss and my continued lack of access to my files is causing issues. Not to mention, I'm not the only person I know who's infected with this and would like to help others as best I can. I humbly request your help with this problem.

So a bit of quick backstory. I'm a college student currently attending a community college close to my area. The semester is basically over and I've been spending loads of nights up late finishing papers. Some didn't quite get finished, so I put them on my flash drive in a desperate attempt to finish them in the library before class. I'm sure you can see where this is going. Blame my sleep deprivation for such a foolish move, as usually I'm much more security conscious. But in this instance, I plugged my flash drive in to one of the library laptops and wound up with a serious bit of malware. It's actually infected the entire school network and a few of my friends who don't attend that school, so I assume it's relatively prevalent.

Story aside, here's what I currently know about it (based on observing it infect clean machines, using infected machines, and attempting to remove it):

-It seems to spread via autorun files. All USB devices that are subsequently plugged in are infected with an autorun.inf file and a batch file. It downloads a file called "Au_.exe" to temp files along with a network .dll file (excuse my shoddy memory, I'm not in front of my computer or my notes right now).

-When it's first beginning to infect, it will run multiple instances of svchost.exe (almost always followed by a -k) and other seemingly normal processes. It attaches threads to them that are abnormal though (lots of ntdll.dll) and will use up a lot of CPU. It will alter these and other programs, especially anti-virus and the like, so that it remains undetected. It also attaches itself to critical .sys and .dll files.


-During the infection it creates or alters "c:\system.sav" and "c:\recovery" directories. I actually zipped up their contents mid-way through this in hopes of assisting in determining what it is. It also begins connecting to massive amounts of other IP addresses and sometimes even what looks like random hex addresses. I assume it's using the host network to launch a DDOS attack or something similar.

-Once infected, it becomes incredibly difficult to remove. As mentioned earlier, it tampers with anti-virus and similar types of software to ensure it is not detected. It will interfere with the updating of database files. And it will alter newly downloaded exe files. Almost every scan I've run has turned up nothing. The only way I think this could be beaten is by downloading the files needed on a fresh computer and burning them to an unalterable media. Or alternatively just running a live boot OS to try and get to the issue before anything from the drive is loaded.

-I also attempted to disable parts of it temporarily by disabling the network adapter. Foolish move on my part. My computer now no longer believes the adapter is there and I cannot connect to the internet. It's probably a simple driver issue, but I can't fix it until this is dealt with. And the rapid connections to seemingly random IPs continue, so the infection must've found a way back online.

I've googled most of the specific symptoms in an attempt to find out what malware this is. While certain symptoms seem to suggest one answer, others point in a completely different direction. Hell, it could be multiple pieces of malware for all I know. Or a relatively new one that implements many different strategies of older ones and as of yet has evaded detection. Regardless, I really would like to regain access to my computer without a reformat if possible. Please and thank you!

EDIT: Wow, I forgot a really basic detail. I'm running Windows 7 Ultimate 64bit. I've attempted to use Malwarebytes Anti-Malware, Anti-Exploit, and Anti-Rootkit so far. I've also manually killed tasks via Process Explorer and tried to stop it from executing at boot with Autoruns, but no go. I also ran a scan with Windows Defender live boot CD, and also no dice.

Edited by autodonewiththis, 21 December 2014 - 06:27 AM.
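The autorun.inf spread described in the first post is something a defender can triage without launching anything from the suspect drive. The PowerShell below is an added example, not code from the thread or from any tool named in it: it lists what each removable drive's autorun.inf would launch, shows batch files sitting in the drive root, and reads the NoDriveTypeAutoRun policy that controls whether Windows honours AutoRun at all. The function names are the example's own, and it sticks to cmdlets available on a Windows 7 era PowerShell.

```powershell
# Added example (not from the thread): read-only triage of the autorun.inf
# spread the poster describes. Reports autorun.inf launch targets and batch
# files on removable drives, and reads NoDriveTypeAutoRun (0xFF = AutoRun off
# for every drive type). Function names are this example's own.

function Get-AutorunInfTargets {
    param([Parameter(Mandatory=$true)][string]$Path)
    # autorun.inf keys that make Explorer launch something on insert/open.
    $launchKeys = 'open', 'shellexecute', 'shell\\\w+\\command'
    $found = @()
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        if ($line.Trim() -match '^(?<key>[^=;]+?)\s*=\s*(?<value>.+)$') {
            $key = $Matches['key'].Trim(); $value = $Matches['value'].Trim()
            foreach ($pattern in $launchKeys) {
                if ($key -match ('^{0}$' -f $pattern)) {
                    $found += New-Object PSObject -Property @{ Key = $key; Command = $value }
                }
            }
        }
    }
    return $found
}

function Find-RemovableAutorun {
    # DriveType 2 = removable disk in Win32_LogicalDisk.
    foreach ($d in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = $d.DeviceID + '\'
        $inf  = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            Write-Output "[$($d.DeviceID)] autorun.inf present:"
            Get-AutorunInfTargets -Path $inf |
                ForEach-Object { Write-Output "    $($_.Key) = $($_.Command)" }
        }
        # -Force shows hidden/system files, which dropped files often are.
        Get-ChildItem -LiteralPath $root -Force -Filter '*.bat' -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Output "[$($d.DeviceID)] batch file in root: $($_.Name)" }
    }
}

function Get-AutorunPolicy {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $p) { Write-Output "$k : NoDriveTypeAutoRun not set" }
        else { Write-Output ('{0} : NoDriveTypeAutoRun = 0x{1:X2}' -f $k, $p.NoDriveTypeAutoRun) }
    }
}

Find-RemovableAutorun
Get-AutorunPolicy
```

Run it from an elevated prompt on a known-clean machine with the suspect drive inserted; it only reads files and registry values, so the launch targets it prints are what to look up or submit for analysis, not what to execute.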



#2 pyroclastic



Posted 21 December 2014 - 05:04 PM

Has Malwarebytes Anti-Malware or Anti-Rootkit reported anything? If so: could you post a log file, please? Did Anti-Exploit stop any exploit attempt?


You mentioned "Au_.exe". That usually is part of NSIS I believe, an installation utility, which is often mistaken for malware but is actually goodware. There may be threats misusing the name to hide in plain sight, but it's ages ago I saw something like that. Are you also by any chance running an HP or Compaq machine, because "c:\system.sav" could be part of one of their solutions/utility programs.


It also attaches itself to critical .sys and .dll files.


It also begins connecting to massive amounts of other IP addresses and sometimes even what looks like random hex addresses.


Almost every scan I've run has turned up nothing.


I've also manually killed tasks via Process Explorer and tried to stop it from executing at boot with Autoruns, but no go.

How do you know it attaches to sys, dll and exe files?

What program do you use to monitor the network usage, can you post a log file?

Which scan turned up something? Could you post that one?

Which tasks are you killing and which autorun entries are you blocking (name/path)?


Best regards.
