Hello everyone,
So here's the story: the other day I was browsing the internet, clicked a link, and all of
a sudden my excessively maintained computer, thought to be impervious to viruses and all other
forms of malicious software, was swarmed by popups and AVG/Spybot alerts (I have now
decided to sacrifice the viewing of any webpage which "can only be viewed in Internet
Explorer"). An interesting note: during this swarm of popups I caught a glimpse of Windows
Picture Viewer opening and closing; I'm sure this was part of the loophole that this nasty
little thing used to get in. After I yanked my LAN cable and managed to calm the squall of
windows and alerts, I found that the Task Manager button in the Ctrl+Alt+Del menu was grayed
out. tasklist showed a few processes running which I instantly knew to be bad and terminated
with taskkill /F:
kernels64.exe
boot.inx
ibm00001.exe
paytime.exe
maxd64.exe
After that I ran a Spybot scan and fixed the following:
Windows Security Center.TaskManager
HKEY_USERS\S-...\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr!=dword:0
Smitfraud-C.
C:\WINDOWS\system32\vx8hjkdq5.exe
Needless to say, that fixed my grayed out Task Manager button. I then ran a search for all
files created and modified from the time of the infection onward. I ran an AVG shell scan
which verified the following files as being infected and deleted them:
C:\WINDOWS\system32\maxd64.exe - Dialer.BIB
C:\WINDOWS\system32\paytime.exe - Startpage.YJ
C:\WINDOWS\system32\kl.exe - PSW.Agent.AMS
The search also yielded a few files that were fairly obviously part of the infection, but
passed the virus and spyware scans:
C:\boot.inx
C:\secure32.html (most of my Spybot alerts were a program trying to change all of my start
and search pages to this file, which contains some BS about your computer
being infected by spyware and telling you to go download "SpySheriff")
C:\WINDOWS\secure32.html
C:\WINDOWS\uniq (no file extension and size of 0KB)
C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\system32\p2p.exe
C:\WINDOWS\system32\vx.tll
I created a folder on one of my storage hard drives and moved all of these files to it. I
then set the following security permissions on the folder in order to create my own personal
virus vault:
disabled inheriting of permissions and cleared existing permissions;
allowed my profile: read permissions, change permissions, list folder/read data;
replaced permissions on child objects.
I then ran a complete test with AVG which came up clean. It did, however, have a few warnings
I had not noticed before (note: these could have been there all along, I may just not have
noticed them):
Boot Sector of Disk : Changed : C:
Shell32.dll : Changed
I then cleared all system and internet temp files. I also ran a HijackThis scan and fixed
the following:
F2 - REG:system.ini: Shell=C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
(forgot to mention, I deleted that file as well, and I think there was a dll that went
with it too, can't remember, was in a bit of a panic)
Everything seemed fine, and I continued to use the computer problem free for the remainder
of the day. The next day, shortly after turning on my computer, my CPU usage spiked to 100%.
It seemed to stay there for 30 secs to 1 min, then drop back down, then spike again within 30 secs.
The process using my CPU was winlogon.exe. I ran a netstat -a and found multiple
connections established to a number of different SMTP servers, as well as some other
connections and listening ports that I did not recognize. From what I could see there were
no suspicious processes or services running, and I am not familiar enough with Windows
components to pick out any bad DLLs, but from what I could tell nothing was running that
shouldn't have been. I then ran an sfc /scannow; since then the CPU doesn't seem to spike
anymore, but the strange connections are still present whenever my computer has access to
the internet. I can, however, be connected to my LAN with the broadband disconnected without
any problems. I attempted a system restore, however I got an error saying that the system
was unable to restore to the selected restore point (regardless of which one I selected).
I have since cleared all system restore points, since some of the infected files had copies
in the System Volume Information folder. I can't think of anything else to try and am lost
as to what to do next. I know there is a lot of data to wade through here, but any help
would be much appreciated. The attached file contains all of my comp specs, as well as
excerpts from the log files of any relevant apps or tools around the time of the infection.
I'm counting on you experts! :) and thanks in advance.
Sorry for posting so much data, but I figure the more the better, and like I said, even
with this much detail I still can't see anything that shouldn't be there. Thanks again.
P.S. I hope to attach the file, but I don't see an option to do so, hopefully it'll be there after
I post :O
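The step in the post that still had no answer is the netstat triage: a pile of established connections to SMTP servers and unrecognized listening ports, with no obvious process to pin them on. The script below is an added example (not code from the poster) that does that correlation on the output of `netstat -ano` (the `-o` switch adds the owning PID, which `netstat -a` alone does not show; that switch is assumed to be available on the affected Windows version). It parses the table, groups outbound SMTP sessions by PID so that one process fanning out to many mail servers stands out, and lists TCP listeners outside a small expected set. The sample netstat text, the IP addresses and the expected-listener set are all constructed for the example.

```python
"""Triage helper for `netstat -ano` output: group outbound SMTP sessions by
owning PID and flag listening ports outside an expected set.
Added example; not code from the original forum post."""
from collections import defaultdict

# Constructed sample of `netstat -ano` output (documentation-range addresses).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1033           0.0.0.0:0              LISTENING       1440
  TCP    192.168.1.5:1051       203.0.113.7:25         ESTABLISHED     624
  TCP    192.168.1.5:1052       198.51.100.23:25       SYN_SENT        624
  TCP    192.168.1.5:1053       203.0.113.88:25        ESTABLISHED     624
  TCP    192.168.1.5:1060       203.0.113.40:80        ESTABLISHED     1776
  UDP    0.0.0.0:500            *:*                                    760
"""

SMTP_PORTS = {25, 465, 587}
# Listening ports a stock workstation of that era normally exposes (assumption;
# tune to the machine being examined).
EXPECTED_LISTENERS = {135, 139, 445}


def split_endpoint(addr):
    """Split 'host:port' (including bracketed IPv6 like '[::]:135') into (host, port).
    A non-numeric port such as '*' yields None."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano output into a list of dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        # UDP rows carry no State column, so the PID is the 4th field rather than the 5th.
        if proto == "TCP" and len(parts) >= 5:
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport,
                     "state": state, "pid": pid})
    return rows


def smtp_sessions_by_pid(rows):
    """Map PID -> set of remote SMTP hosts it is talking to (ESTABLISHED or SYN_SENT).
    A single local process reaching many mail servers is the classic spam-relay pattern."""
    by_pid = defaultdict(set)
    for r in rows:
        if (r["proto"] == "TCP" and r["remote_port"] in SMTP_PORTS
                and r["state"] in ("ESTABLISHED", "SYN_SENT")):
            by_pid[r["pid"]].add(r["remote_host"])
    return dict(by_pid)


def unexpected_listeners(rows, expected=EXPECTED_LISTENERS):
    """Return sorted (port, pid) pairs for TCP listeners outside the expected set."""
    return sorted((r["local_port"], r["pid"]) for r in rows
                  if r["proto"] == "TCP" and r["state"] == "LISTENING"
                  and r["local_port"] not in expected)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, hosts in smtp_sessions_by_pid(rows).items():
        print(f"PID {pid}: {len(hosts)} SMTP peer(s): {', '.join(sorted(hosts))}")
    for port, pid in unexpected_listeners(rows):
        print(f"unexpected listener on TCP/{port} (PID {pid})")
```

To use it on a live machine, redirect `netstat -ano` to a file and pass its contents to `parse_netstat` instead of the sample. The PID is the key output: it can be matched against `tasklist` (or a process explorer) to find which image, and which loaded DLLs, actually own the SMTP sessions, which is the piece of the picture the post was missing when winlogon.exe appeared to be the only busy process.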