Virus is Present - But it CANNOT be found!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jwarne1, Dec 7, 2010.

  1. jwarne1

    jwarne1 Private E-2

    Note: 64-bit Windows 7 User

    Hello,

    About two weeks ago I had some friends over and they brought one of their friends that I did not know. He asked to borrow my computer, and the gracious person that I am, allowed him to use it. He was sitting on the single-person chair away from the rest of us and was typing vigorously and doing random whatevers. I had to walk behind him toward the end of him using it in order to put away some glasses. He panicked, began shutting windows, and I saw him remove a very tiny junk drive from the USB port.

    I didn't pay it much attention initially, and instead assumed he was just an oddball.

    The next day while utilizing my computer I began noticing strange things. If I typed real fast, or just laid my hand on the keyboard to continually output characters, the characters would be slower than usual to appear. I have also noticed a slight flickering from the screen every 10 minutes or so as if the computer is taking screen shots. I also opened McAfee and checked my firewall settings. I opened trusted programs and noticed a strange program on the trusted exceptions list. I didn't write the name of the program down and now cannot find it unfortunately.

    I've noticed via netstat my computer--running Windows 7 64bit, btw--randomly opens connections to something called softlayer.com (discovered this by doing a reverse lookup of the remote address; connection status: established). One of the connections that keeps opening mentions 'cdnlayer', which a Google search showed as a product produced by softlayer.com. Random connections are constantly being made, and many of them involve the epmap, netbios-ssn, llmnr, and isakmp ports. I've also noticed it has randomly been exchanging large amounts of data with this server, mostly upstream.

    I immediately turned off all Remote Desktop Access features, deleted or disabled all ActiveX controls related to SupportSoft listener, Remote Assist, and Screenshot Class (the last of which I couldn't find information about on Google). I'm now lost.

    THANKS IN ADVANCE!
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you receiving help at another forum regarding this issue? I see OTL on your system, why is that? Who told you to run it?

    To begin with, please disable Spybot's TeaTimer. This can be done two ways.

    How to disable Spybot's TeaTimer


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix exit HJT.

    Tell me, or show me with screengrabs what is inside of these folders:

    What are these?

    C:\Users\BleuOrleans\AppData\Local\tmpSNAPSHOT_20101011_11.0
    C:\Users\BleuOrleans\AppData\Local\tmpSNAPSHOT_20101011_11.JPG

    Delete this if it lets you:

    • C:\Windows\Ôõß

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    This folder here:

    Is it something you still have installed? If not then delete it.

    Reboot the machine

    Run CCleaner. Not the registry part, just the cleaner.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  3. jwarne1

    jwarne1 Private E-2

    I performed all the steps.

    TeaTimer wasn't actually on my PC. I had run one of the scans, then found that Spybot S&D was still on my system. I uninstalled it.

    Done.

    Done.

    The folder was empty, actually. I deleted it.

    The second one is a photo that I took of myself with my webcam (though I never saved it in that directory) and the first seems to be some sort of copy of it with a .0 extension. I'm not sure what this means or how it happened, but I just deleted both.


    Done, and it was successful.

    The second one doesn't seem to exist on the system. If it does, I am unable to access it for some reason and can't find it by browsing folders.

    The first one contained a file config.txt. I opened it in notepad and it contained the following:

    >>
    algo.advancedMode=0
    algo.compMode=0
    app.automaticallyPasteImages=0
    app.checkUpdates=0
    app.menuStyle=0
    app.showPreview=1
    browser.network=1
    browser.network.cacheIntervalSeconds=300
    browser.shellFolderIcons=0
    browser.showHidden=0
    browser.useShellLargeIcons=1
    color.error=-65536
    img.autoRotate=1
    img.bg.auto=1
    img.effect=0
    img.effect.custom=
    img.showInfo=1
    img.zoom=-3
    last.path=C:\
    last.path.object=
    last.path.object.save=0
    last.path.save=1
    last.sortMode=1
    last.viewType=2
    last.win.max=0
    last.winSizes=main|1550|810|-116|549|0#
    last.winsizes.save=1
    main.sp1=-1
    main.sp2=-1
    mainWindow.Icon=
    mainWindow.Title=
    mainWindow.Title.showPath=0
    run.tempDir=
    suffix.a2=.a2
    suffix.a2r=.a2r
    suffix.zip=.zip?.jar
    timer.active=0
    timer.interval=60
    <<

    I did not delete the file, as I don't know what it belongs to.

    Done.

    The log is attached.

    Thanks again!
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, leave that one alone.

    Only thing I am still curious about is that folder:

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :dir
      {0DEDA9B6-CBF2-4777-A315-D4065A2E269E} 
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  5. jwarne1

    jwarne1 Private E-2

    It seems to have moved?

    The program could not find the directory.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
