Discussion Starter #1
First off, I'm going to explain why I'm having trouble removing this virus. It was written by some hackers who MAKE their living coding botnets, not just anybody. And the fact of the matter is this code is not released anywhere yet, nor has anyone exposed this new software yet; the reason being, I think they're keeping a lid on it because it doesn't yet work the way they want it to. (Remember these hackers are in a cut-throat world where the more infected machines they can deliver on a month-by-month basis makes them more money, and any they lose to 'competitors' costs them pay -- or even their lives.)

So keep in mind, if I have 3 machines that I can't remove the virus from (even with total formats), there are going to be 300 million machines running this software in the next 3-5 years! Yes, I may be acting dramatic, but this is a real virus and I can't pinpoint where it's coming back from, how it's spreading, or anything other than that certain firewalls can block it from the net at least in part, and that it requires an NTFS filesystem to 'live' in.

Most likely the reason it isn't popular yet is they're having trouble making it install a full botnet application after re-infection (none of my infected machines are having any problems since I installed Comodo v2 firewalls, and the one machine that has a few issues (with older games) I'm switching to a FAT32 format, since the virus can't live in a FAT32 filesystem). (Yes, it lives in the NTFS filesystem, not in a file that can be scanned, but in the 'white space' of 'reserved' blocks. Imagine if AV/anti-spyware had to have an NTFS block reader to detect a virus!!!)

Anyways, the logs will be last in this post, and sorry, but DSS crashes (perhaps because of the virus), so I just did the Panda scan and the HijackThis logs. FWIW I'm running VMware as a web browser.
Now I'll paste what I put in on the Comodo forums.

OK, first off, this mystery virus is infecting 3 different machines of mine. 1 has XP Pro and is patched up to date. 1 has XP Home full retail, again patched up to date. 1 has XP Home OEM, and I have 1 drive patched up to date, and 1 drive I installed specifically to find out more about this virus that is at SP2.

At the time my systems were first infected they were only at SP level 2 and all of them had XP Corp edition. (Yes, very bad, having hacked pirated OSes... so what, not everyone has an extra $150-300 at the time they buy a computer to allocate to an OS, and yes, computers are getting cheaper every day; all of these systems are at least 3 years old.) At the time they were infected they had file sharing enabled on all three machines and only 2 machines ran "AVG" free antivirus; the 3rd had no AV software at all.

Currently 2 (XP Home full and XP Pro) machines run McAfee suite and the other one (XP Home OEM) runs Comodo AV (well, it's not even on the net anymore as I do not have internet at my apartment, but w/e).

At the time of original infection the primary firewall was a Linksys wireless router, with Zone Alarm installed on all 3 machines. Under the current config all three machines run Comodo ver 2 firewall.

The only anti-spyware we used before was Lavasoft's free product; currently they all have BOClean.

Now for the symptoms. First off, when Windows is installed even on a fully low-level formatted drive, a chkdsk error (under NTFS) comes that does not go away. It is as follows (although sometimes they find other problems, especially if you haven't run chkdsk in a while): "Chkdsk Discovered Free Space marked as allocated in the volume bitmap"

Secondly, Autorun is disabled magically with no user input whatsoever.

Thirdly, when a low-level format and reinstall has been done, the USB driver goes offline and the system 'hangs' for about 1 minute; thereafter the associated chkdsk error pops up. (Prior to the USB going offline, chkdsk returns no error.) This all happens within a minute of installing Windows; if I wasn't a gamer I probably wouldn't have gotten chkdsk to run before the event of the virus taking control of the HD.

Fourth, when formatting to FAT32 none of the above symptoms occur; instead this lone error occurs: "The size of \Windows\system32\config\software.log entry is not valid." When running chkdsk on reboot no error is found, so nothing is fixed.

I am 100% sure that the virus is specific to the NTFS file system and depends on it to run and load the bot that allows hackers remote control of the infected PCs. (There have been logged attempts with Comodo firewall which I suspect are the virus/hackers attempting to figure out why the virus can't do its dirty internet deeds.)

I have used brand new sealed HDs and the virus still loaded when Windows was installed with NTFS formatting. I believe the virus infects firmwares of the optical drives or else the sound or printer driver, and that the virus spreads through known exploits, and the full level of infection is done by hackers AFTER the initial virus gets in there, and the firmware/NTFS version replaces the 'original' virus exploit that infected the systems.

So far the only thing that stops this virus is installing with FAT32. Nothing detects it and I suspect the original exploit was removed to make the virus 'transparent' (I saved one of the systems' HDs and scanned it with 3 AV programs for exploits and it found none, but that system by then already had the chkdsk symptoms).

Microsoft chalks the chkdsk errors up as a bug; however, I am confident that the NTFS partition is infected to allow the virus to load and run in completely invisible 'memory' on the HD. If the virus is in the NTFS, then only a non-Windows scanner even has the ability to check for it. Fortunately FAT32 supports 80 gig partitions and none of my HDs really need any larger partition sizes, but I would rather know the exact virus that I have and how to properly remove it. It doesn't infect EXEs or ZIP files; if it infects anything, they're obscure drivers or firmwares. I haven't yet backed up any of the firmwares to look for file size/checksum errors vs 'known good' firmwares... but I have at least isolated a weakness in the virus since it depends on NTFS to run. I would have backed up and looked at the .log files (that occurs on the FAT32) but Windows protects these files and they cannot be opened, or backed up, while Windows is running, and the problem disappears on reboot (perhaps the virus removes any trace of itself in the log files on system shutdown).

Well, hopefully someone here will know what to call this virus... it is very real, and very scary that it can serially reinfect systems across low-level formats and hides its files from everything except chkdsk.

FWIW I believe the hackers that implanted the virus are the ones running the Battle.net botnet, since those were the only hackers I had any form of communication with other than on slashdot.org, and there is no telling who might have done this if it was a Slashdot hacker.

Sigh. Besides, I actually said to a hacker on Battle.net "it's been 5 years since I had a computer virus."
Well, it had been. I also remember a tag name that I found in my registry looking for exploits, but I deleted it, and don't remember the full name, and have since confused it with many breakfast cereal names. Yes, my registry (on the machine with XP Home OEM) actually was TAGGED by hackers. For real, with their net handle, just to say they'd been there. I also saved an image file they put of a black helicopter when I mentioned a JPG image name on Battle.net. It had been a random image from Yahoo Images, but then they replaced it with a black helicopter pic. That image I actually archived.

I mean, it is kinda cool in a scary way that 30 seconds after you mention it they can upload a new pic to your PC... I saved 'before' and 'after' pics of that event. That, btw, was while I used Zone Alarm and was the primary reason for me dropping Zone Alarm from my list of trusted firewall programs.

Oops, I almost forgot. I had to 'decommission' my Linksys wireless router because after I was hacked it did a weird thing: all the lights would blink on at start up. Prior to the virus thing it never blinked its lights on start up, and I suspect it was 'compromised', so I stopped using it entirely and actually bought a new one. It was an old one, only did wireless B access anyways. (Note the new one currently has wireless disabled, but when my parents move we might enable it with the highest level of security possible on it.) They have both PCs in one room here but are moving and may want the other PC in a different room.

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Dena or Roy\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ryan\Cookies\[email protected][1].txt

Logfile of HijackThis v1.99.1
Scan saved at 6:34:56 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ryan\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412329203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 66.82.4.8
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
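When a helper on a forum like this works through a HijackThis log, the first pass is mechanical: group the entries by section, list what runs at logon, pull out the DNS servers the TCP/IP stack is pointed at, and flag entries whose target binary is missing or whose service has no recognizable vendor. The script below is an added example of that first pass and is not code from the original post or from the HijackThis project. Its input is a handful of lines copied from the log quoted above (a constructed subset, embedded inline so it runs offline); the checks it applies (`(file missing)`, `Unknown owner`, non-empty `NameServer`) are generic triage heuristics, not verdicts about the poster's machine.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis entries quoted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 66.82.4.8
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# Every HijackThis finding starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# O4 logon entries look like: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# O17 entries carry a comma-separated list of DNS servers.
NS_RE = re.compile(r"NameServer = ([\d.,]+)")


def parse_hjt(text):
    """Split a log into {'section', 'body'} dicts, skipping headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def section_counts(entries):
    """How many findings each section produced; a quick shape check of the log."""
    return Counter(e["section"] for e in entries)


def file_missing(entries):
    """Registry references whose target binary HijackThis could not find on disk."""
    return [e for e in entries if e["body"].endswith("(file missing)")]


def run_entries(entries):
    """Per-hive logon autostarts (O4), split into hive, value name and command line."""
    out = []
    for e in entries:
        if e["section"] != "O4":
            continue
        m = RUN_RE.match(e["body"])
        if m:
            out.append({"hive": m.group(1), "name": m.group(2), "command": m.group(3)})
    return out


def nameservers(entries):
    """Distinct DNS servers configured on any interface (O17); compare against the ISP's."""
    servers = set()
    for e in entries:
        if e["section"] == "O17":
            m = NS_RE.search(e["body"])
            if m:
                servers.update(s for s in m.group(1).split(",") if s)
    return servers


def unknown_owner_services(entries):
    """Services (O23) whose binary carries no vendor information; worth a closer look, not proof of anything."""
    return [e for e in entries if e["section"] == "O23" and " - Unknown owner - " in e["body"]]


def triage(text):
    """Run all checks and return the results in one dict."""
    entries = parse_hjt(text)
    return {
        "counts": section_counts(entries),
        "file_missing": file_missing(entries),
        "run": run_entries(entries),
        "nameservers": nameservers(entries),
        "unknown_owner": unknown_owner_services(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("sections:", dict(report["counts"]))
    for r in report["run"]:
        print(f"autostart [{r['hive']}] {r['name']}: {r['command']}")
    print("DNS servers:", sorted(report["nameservers"]))
    for e in report["file_missing"] + report["unknown_owner"]:
        print("review:", e["section"], e["body"])
```

The point of the `nameservers` check is that a DNS server you did not configure is a much stronger signal than any single autostart entry; the `66.82.4.8` address in this log is simply whatever the poster's connection handed out, and the script only surfaces it for comparison.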
 

Discussion Starter #2
Just need to correct myself after I've tested my machines harder.

I did some more testing; there is a more descriptive set of chkdsk errors before the one that repeats forever. I missed it the first time but caught it the second time around.

"\Windows\Prefetch\chkdsk.exe-2cc4c59.pf first allocation unit is not valid. the entry will be truncated." and "\Windows\Prefetch\cmd.exe-087b4001.pf first allocation unit is not valid. the entry will be truncated."
Secondly, when retesting, the 'autoplay' becoming disabled did not happen (I attached a USB HD that had been connected as well to my 3 main machines; I was using an old scrap HD from a long-dead system), but the chkdsk errors were still occurring on all machines regardless of exposure to infected data. I later realized that machine had been networked with the other 2 when I product-activated/patched that HD, and that was when autoplay became disabled. (If the chkdsk thing is not some weird SP2 bug that MS is keeping a lid on, then it's not the 'full' virus that disables autoplay and caused alerts on Comodo firewall.)

On a side note, 3 games which did not work with the patched/autoplay-disabled machine work fine on the system where autoplay is not disabled, but still has chkdsk errors.

As for formatting, to be specific about what I did: I used an old FreeBSD 2.2.2 CD set to 'erase' the HD, since it replaces the MBR with bootez (a FreeBSD bootloader), but I do not know if their format util was truly erasing the HDs. But remember, I put in a factory sealed drive and had the chkdsk problems. (One drive I bought ~2 years ago failed under warranty, so they sent out an RMA'd drive.) So I don't know that using Seagate/Maxtor tools to wipe the drive will return any better results. Besides, the 2 drives that I was using to test were from long-ago PCs I used 5-7 years ago or more, kept in a spare parts box... If the chkdsk/cmd programs are being modified on load (the error seems to indicate they had to be truncated), then it's either something wrong with Windows itself (causing the chkdsk problem) or else the virus is living in some other piece of hardware.

But I'm pretty sure the virus that is causing games to crash etc. was transmitted via the network now. I kept tabs and on the surface all the cmd.exe and chkdsk.exes looked and appeared to be the same, but if the virus is in the filesystem it doesn't need to replace cmd.exe or chkdsk.exe. And I can't figure out why chkdsk would always find that the .pf files for cmd.exe and chkdsk.exe needed to be truncated EVERY time Windows was installed.
 