Interesting new malware?

Discussion in 'Malware Help (A Specialist Will Reply)' started by dataway, Mar 15, 2009.

  1. dataway

    dataway Private E-2

    I spent 2.5 days last week removing an interesting piece of malware from my machine. The only obvious symptoms of its presence were a persistent svchost.exe error ("0x75606eb5 at 0x000000080") plus the fact that NO virus removal tools would run or update, including all MS products, AVG, SB, Malwarebytes... you name it, it would not run if installed and would not update. Of course Win Update would not work, nor would Defender etc.

    It appears to be a variant of Conficker B++, although the normal registry entries were not there, or not in the typical locations. Also, kind of a strange symptom was that Windows Defrag would also not run.

    It ended up that ComboFix did the trick. It found two rootkit hacks, but instead of the normal 6-8 character random name chosen by Conficker A/B it was creating file names of about 20-25 characters to hide itself. The telltale "autorun.inf" files were found in the root directory of all drives.

    Also, none of the aforementioned AV programs would run or update in safe mode either. I finally found ComboFix by reading this forum (many thanks for your expertise); it worked, and I made a donation to sUBs.

    I have no logs to post, as I was just trying to power my way through the issue. But has anyone else come across this piece of malware? I contracted it between 3/10 and 3/11, most likely through a p2p connection. Props to sUBs; he seems to be able to do things that giant software companies can't.
    JohnnyB
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Thanks for letting us know that ComboFix helped you.

    You should at least consider attaching your ComboFix log. Most forms of Conficker can leave a driver or two hanging around that require manual instructions to delete using ComboFix.
     
  3. dataway

    dataway Private E-2

    Combofix log below.
    It has been a couple of days since ComboFix got rid of the malware; so far so good. No anomalous behavior from the machine.

    Note the long strings of random characters generated as names for the files saved in the system32 and system32/drivers directories.
    And autorun.inf in the roots of all 3 hard drives.

    Thanks again for the help.
    JohnnyB
     

    Last edited by a moderator: Mar 20, 2009
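    The two posts above describe three things that can be checked for on a machine suspected of the same infection: an autorun.inf in the root of every drive, files in system32 and system32\drivers whose names are long runs of random characters created around the infection date, and the update/AV services that refused to run. The script below is an added triage example written for this thread; it is not code from the thread, not part of ComboFix, and not an official Conficker signature. The service names it checks (wuauserv, BITS, WinDefend, wscsvc), the 16-character name threshold, the letters-and-digits name pattern and the default date window are assumptions chosen for illustration from the poster's description.

```powershell
# Added triage script (illustration only; not from the thread, not ComboFix).
# Looks for the three indicators the poster describes:
#   1. autorun.inf in the root of every drive
#   2. files in system32 and system32\drivers whose base name is a long run of
#      letters/digits only, created inside the suspected infection window
#   3. Windows Update / Defender related services that are not running
# Service names, length threshold, name pattern and the default window are
# assumptions for this example. Written for Windows PowerShell 2.0 and later
# (no -File switch on Get-ChildItem, no [pscustomobject] cast).
param(
    [datetime]$WindowStart   = '2009-03-10',   # poster's estimate: infected 3/10-3/11
    [datetime]$WindowEnd     = '2009-03-12',
    [int]     $MinNameLength = 16              # poster saw 20-25 character names
)

$findings = @()

function Add-Finding($Indicator, $Path, $Detail) {
    $script:findings += New-Object PSObject -Property @{
        Indicator = $Indicator; Path = $Path; Detail = $Detail
    }
}

# 1. autorun.inf in the root of each file-system drive (a CD/DVD may have one legitimately)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $autorun = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun -ErrorAction SilentlyContinue) {
        $item = Get-Item -LiteralPath $autorun -Force
        Add-Finding 'autorun.inf in drive root' $autorun `
            ('attributes {0}, modified {1}' -f $item.Attributes, $item.LastWriteTime)
    }
}

# 2. long, random-looking file names in the system directories, created in the window.
#    Legitimate files can have long names too, so the Authenticode status is recorded
#    for each hit; an unsigned hit is what deserves a closer look.
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($dir in @($sys32, (Join-Path $sys32 'drivers'))) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.BaseName.Length -ge $MinNameLength -and
            $_.BaseName -match '^[a-z0-9]+$' -and     # no dots, dashes or underscores
            $_.CreationTime -ge $WindowStart -and
            $_.CreationTime -lt $WindowEnd
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            $status = if ($sig) { $sig.Status } else { 'unknown' }
            Add-Finding 'long random file name in system directory' $_.FullName `
                ('created {0}, signature {1}' -f $_.CreationTime, $status)
        }
}

# 3. update / security services that are installed but not running
#    (assumed set; WinDefend is absent on systems without Defender and is skipped)
foreach ($name in 'wuauserv', 'BITS', 'WinDefend', 'wscsvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        Add-Finding 'update/security service not running' $name ('status {0}' -f $svc.Status)
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found (a rootkit can still hide its files from an on-box scan).'
} else {
    $findings | Select-Object Indicator, Path, Detail | Format-Table -AutoSize -Wrap
}
```

    Run it from an elevated prompt. Two caveats matter here: every hit is something to review, not a verdict, since long names and stopped services occur legitimately; and an empty result is weak evidence, because the poster's malware blocked every security tool and hid behind a rootkit, which can filter what the running OS shows. Booting from clean media and scanning the disk offline, or a tool like the ComboFix run described above, is what actually surfaced these files.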
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like it got Conficker, but you have other malware issues to take care of. You should complete the rest of our cleaning procedure:

    READ & RUN ME FIRST. Malware Removal Guide

    And attach (do not post inline) the logs requested from SUPERAntiSpyware, Malwarebytes, and MGtools. You can skip the ComboFix part.
     
  5. dataway

    dataway Private E-2

    Yep... I found Vundo after another scan or two. Seems I've got that cleared up. I ended up restoring a backup copy of the primary drive and doing all the scanning again; everything seems clean.
    Sorry about the log post. I figured I should have attached it.
    What's your opinion of the MS online scan tool? Seems pretty deep, found a couple of minor issues that some of the others missed.
    JohnnyB
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may have more than Vundo according to just your ComboFix log.

    Average or below.
     
