
Possible New Virus?


  • Please log in to reply
3 replies to this topic

#1 JimK907

JimK907

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:44 AM

Posted 13 April 2007 - 12:58 PM

I seem to have been infected with a very tough virus/trojan of some type which is not detected by Symantec, CA, Adaware or Spybot. About a week ago it reared its ugly head as a blue screen of death and continues to randomly crash dump about twice a day. This is an XP Professional SP2 system on a Dell Latitude 610. Normally I manually track down and kill trojans, etc. but this one is very, very crafty. What I know:
He is a .DLL with a random file name guarded by an exact duplicate with the same file name .dll.BAK. Both are loaded and both can not be conventionally deleted. The virus code is loaded three ways: as a BHO (which XP can apparently disable), as a WinLogon Notify object and the most insidious way, a dummy service is created (random name) with description Microcode Update Helper. The service is not a program but a proxy which links to the virus .dll. The service runs under Svchost and can not be stopped or disabled unless the host is killed. Now, here's the real crafty part. This virus constantly refreshes itself in the registry. If you delete any entries it recreates them immediately, if you disable the service, it re-enables it immediately, if you set up a program to delete it on reboot, it deletes the entries in the registry so the delete is never executed and it somehow prevents the system restore from working even though restore points are being created normally.
The service running in SVCHOST can be killed without crashing the machine, using the tasklist or taskmanager if you find the correct PID of the SVCHOST. But the DLL ends up attached to explorer.exe, svchost, winlogon and csrss. Killing it gives the blue screen of death.

I hate to have to reload the operating system since I have so much installed software. But this thing is very nasty and defied all of my best tricks to kill it. Has anyone heard of anything like this???

Moderator Edit: Moved topic to more appropriate forum. ~ Animal

Edited by Animal, 13 April 2007 - 01:30 PM.
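The three load points the post describes (a BHO, a Winlogon Notify package, and a svchost-hosted service whose ServiceDll points at the DLL) can be enumerated in one pass for triage. The script below is an added example, not code from the thread or from any of the tools mentioned; it assumes an elevated PowerShell session on the affected machine and only reports what it finds, flagging any DLL that has the .dll.BAK twin the post mentions.

```powershell
# Added triage example (not from the thread). Assumes an elevated session.
# The registry keys are the standard Windows persistence locations the post
# names; nothing is modified or deleted, findings are only listed.
$findings = @()

function Add-Finding($where, $name, $dll) {
    # The post's tell-tale: an identical copy of the DLL saved as <file>.dll.BAK
    $script:findings += [pscustomobject]@{
        Location   = $where
        Name       = $name
        Dll        = $dll
        HasBakTwin = (Test-Path -LiteralPath "$dll.BAK")
    }
}

# 1. Browser Helper Objects: each subkey is a CLSID; InprocServer32 gives the DLL
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { Add-Finding 'BHO' $clsid ([string]$srv.'(default)') }
    }
}

# 2. Winlogon Notify packages: DLLName under each subkey is loaded into winlogon.exe
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        if ($dll) { Add-Finding 'WinlogonNotify' $_.PSChildName ([string]$dll) }
    }
}

# 3. svchost-hosted services: ImagePath runs svchost, Parameters\ServiceDll is the real code
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.ImagePath -match 'svchost') {
        $sd = (Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($sd) {
            $path = [Environment]::ExpandEnvironmentVariables([string]$sd)
            Add-Finding "Service: $($svc.Description)" $_.PSChildName $path
        }
    }
}

# Entries with the .BAK twin sort to the top; compare the rest against a known-good list
$findings | Sort-Object HasBakTwin -Descending | Format-Table -AutoSize
```

A service whose Description reads "Microcode Update Helper" but whose ServiceDll sits outside the system directory, or any DLL with a .dll.BAK twin, is the entry to investigate first.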

#2 buddy215

Posted 13 April 2007 - 01:35 PM

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

--------------------------------------------------------------------------------

Post a Hijack This log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
--------------------------------------------------------------------------------

Getting into Windows Safe Mode
http://www.computerhope.com/issues/chsafe.htm
(pre-Vista OS's)

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 JimK907

Posted 13 April 2007 - 09:33 PM

OK, installed and ran Superantispyware as instructed in Safe Mode. This is really an amazing product. Not only did it identify my virus as SPAM-Multisite/Gen it found a few others I didn't know I had including apparently two root-kit trojans. Superantispyware cleansed everything except the original problem now identified as the trojan Multisite/Gen.

Next ran the antivirus program BitDefender which took three hours plus. It found all the viruses I had disabled plus all in the various quarantines, etc. It also found my problem child and failed to clean/delete it.

Doesn't surprise me I'm still infected since this is particularly clever about how most software attempts to kill viruses. We need something that will delete these files before the XP services start.

Anyway, I will now run the HJT log and move to the next thread as instructed.

Thanks for the help, and thanks for introducing me to Superantispyware. It is now my main spyware defender.

*sigh*

#4 buddy215

Posted 14 April 2007 - 07:31 AM

Definitely post a Hijack This log. I saw in another forum where Super Antispyware removed the " Multisite/Gen". Of course if the location of the malware is in a quarantine file or restore point, it can only be removed by manually deleting it. Let the Hijack This team decide that.
