
WORD macro virus - help & advice please [Solved]



#16
trampas

trampas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
Some general comments on the known issues with this PC.
- I haven't used WORD for several days
- the File System Check tends NOT to run now (but I had one yesterday, see below)
- the ZA client is still troublesome - possibly more so with the restricted user, not sure why. Also, after running ComboFix as administrator, and the system booted back up, there was no ZA client AT ALL in the system tray for admin-su (administrator). And when I restarted the PC I had an Avira process not closing down cleanly : ipmgui.exe. I clicked 'End Now' but the PC didn't shut down. I ordered another restart and this time got 'ZoneAlarm is not responding'. Odd. I clicked 'End Now' and the PC shut down this time. Back to normal after that, including ZA client.


This is the log from 9 April 2012 :
"Checking file system on C:
The type of the file system is NTFS.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 84 unused index entries from index $SII of file 0x9.
Cleaning up 84 unused index entries from index $SDH of file 0x9.
Cleaning up 84 unused security descriptors.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
"

trampas
  • 0



#17
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Check disk indicates some issues with your hard disk. That is usually not good. If your disk is bad it would explain everything that is going on on your system. After we make sure your system is clean we will check your disk for errors.

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::

FCopy::
c:\windows\ServicePackFiles\i386\ksuser.dll | c:\windows\System32\ksuser.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Download Virus Removal Tool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right


Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow Virus Removal Tool to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post


Step 3

Please don't forget to include these items in your reply:


  • Combofix log
  • VRT log
It would be helpful if you could post each log in a separate post
  • 0

#18
trampas

trampas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
Hi maliprog

Thanks for the new instructions. I'll get onto that once VRT has downloaded - I see that it's pretty big.

My desktop PC has a RAID 1 array (mirrored disks) so it probably makes it a bit harder for a faulty disk to cause the problems that I'm experiencing. I don't speak with much authority on this matter but if I had an error on one disk I would expect that to be detectable and recoverable, with the data moved to a new sector and the old sector marked as bad. As I haven't had a bad sector before I'm not sure about this though.

I continue to monitor the File System Checks and interference with the ZoneAlarm client. I booted up the PC with no problem, logged in with the restricted user and noticed that the problem with the ZoneAlarm client was present (UI initializing). The ZoneAlarm icon was present in the system tray. So, fairly normal. When I shut the PC down some time later I had ipmgui.exe not responding and then ZoneAlarm not responding. So this is a repeat of yesterday's experience. I'll continue monitoring.

I'm a bit less certain about this but I've noticed that the file corruptions have not been random, tending to occur on Avira files, ZoneAlarm files and registry files. If it's not random (and I must stress the 'if') then I'd be inclined to suspect malware. I could retrieve further logs from winlogon if that would help. Also any other serious errors reported in the Events tool from now on.

I'll get those logs to you asap. Thanks once again.

trampas
  • 0

#19
trampas

trampas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
Here is the first log :


ComboFix 12-04-09.07 - admin-su 11/04/2012 9:54.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.176 [GMT 10:00]
Running from: c:\documents and settings\admin-su\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin-su\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\WindowsUpdate.log . . . . Failed to delete
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\ksuser.dll --> c:\windows\System32\ksuser.dll
.
((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
.
.
2012-04-10 23:54 . 2008-04-13 19:41 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2012-04-10 23:54 . 2008-04-13 19:41 4096 ----a-w- c:\windows\system32\ksuser.dll
2012-04-10 07:23 . 2012-04-10 07:23 -------- d-----w- C:\_OTL
2012-04-06 04:46 . 2012-04-06 04:53 -------- d-----w- c:\documents and settings\serf.SERVER
2012-04-06 03:37 . 2012-04-06 03:37 -------- d-----w- c:\program files\SumatraPDF
2012-04-05 22:27 . 2012-04-06 03:37 -------- d-----w- c:\windows\system32\NtmsData
2012-04-05 14:28 . 2012-04-05 04:59 -------- d-----w- c:\windows\tmp
2012-04-05 04:40 . 2012-04-05 04:40 -------- d-----w- c:\documents and settings\Administrator
2012-03-28 20:45 . 2012-03-28 20:45 -------- d-----w- c:\documents and settings\serf\Local Settings\Application Data\Help
2012-03-28 20:38 . 2012-04-06 03:36 -------- d-----w- c:\program files\Support Tools
2012-03-25 07:36 . 2012-03-25 07:36 -------- d-----w- c:\documents and settings\serf\Application Data\SumatraPDF
2012-03-25 05:44 . 2012-03-25 05:44 -------- d-----w- c:\documents and settings\admin-su\Application Data\SumatraPDF
2012-03-16 07:06 . 2012-03-16 07:55 -------- d-----w- c:\documents and settings\serf\Local Settings\Application Data\Google
2012-03-16 06:59 . 2012-03-16 06:59 -------- d-sh--w- c:\documents and settings\serf\PrivacIE
2012-03-14 21:30 . 2012-03-14 21:30 -------- d-----w- c:\documents and settings\serf\Application Data\Avira
2012-03-12 21:26 . 2012-03-12 21:27 -------- d-----w- c:\windows\ie8updates
2012-03-12 21:25 . 2011-12-17 19:46 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-03-12 21:25 . 2011-12-17 19:46 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-03-12 21:25 . 2011-12-17 19:46 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-03-12 21:25 . 2011-12-17 19:46 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-03-12 21:25 . 2011-12-17 19:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-03-12 21:25 . 2011-12-17 19:46 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-10 05:11 . 2012-03-10 02:55 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-02-03 09:22 . 2003-03-31 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mobile Partner"="c:\program files\3 MobileBroadband\3 MobileBroadband.exe" [2012-03-10 110592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-05 258512]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-17 1043968]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [13/02/2003 1:10 AM 61408]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/03/2012 12:55 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/03/2012 12:55 PM 86224]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1004Core.job
- c:\documents and settings\admin-su\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 09:30]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1004UA.job
- c:\documents and settings\admin-su\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 09:30]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1005Core.job
- c:\documents and settings\serf\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-16 07:06]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1005UA.job
- c:\documents and settings\serf\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-16 07:06]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-11 10:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-04-11 10:08:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-11 00:08
ComboFix2.txt 2012-04-10 08:01
.
Pre-Run: 56,711,553,024 bytes free
Post-Run: 56,678,334,464 bytes free
.
- - End Of File - - 83CE88315D83E726D43554BB4E410468
  • 0
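Added example, not part of the original thread or of ComboFix itself: a small parser for the "Reg Loading Points" section of a ComboFix log, using an excerpt of the log posted above, that lists each Run-key autostart and whether it applies to all users or only to one profile. The function names and the regular expressions are assumptions based on the line layout visible in this log; HKEY_CURRENT_USER is the hive of the account that ran the scan (admin-su, per the log header).

```python
import re

# Excerpt of the "Reg Loading Points" section of the ComboFix log posted above.
SAMPLE_LOG = r'''
((((( Reg Loading Points )))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mobile Partner"="c:\program files\3 MobileBroadband\3 MobileBroadband.exe" [2012-03-10 110592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-05 258512]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-17 1043968]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [13/02/2003 1:10 AM 61408]
'''

# Assumed layout: a bracketed key header, then "name"="path" [date size] lines.
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')
RUN_SUFFIX = r'\currentversion\run'

# Who is affected by an autostart entry, by registry hive.
SCOPES = {
    "HKEY_LOCAL_MACHINE": "all users",
    "HKEY_CURRENT_USER": "scanning user only",
    "HKEY_USERS": "one named profile",
}


def parse_run_entries(log_text):
    """Return the autostart entries found under ...\\CurrentVersion\\Run keys."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember which key the next values belong to
            continue
        m = VALUE_RE.match(line)
        if not (m and key and key.lower().endswith(RUN_SUFFIX)):
            continue                  # not a value line, or not under a Run key
        hive = key.split("\\", 1)[0].upper()
        entries.append({
            "name": m.group(1),
            "path": m.group(2),
            "file_date": m.group(3),
            "size": int(m.group(4)),
            "key": key,
            "scope": SCOPES.get(hive, "unknown"),
        })
    return entries


def names_by_scope(entries):
    """Group entry names by the set of users they start for."""
    grouped = {}
    for e in entries:
        grouped.setdefault(e["scope"], []).append(e["name"])
    return grouped


if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_LOG):
        print(f'{e["scope"]:<20} {e["name"]:<18} {e["path"]}')
```

Run against this log, the only per-user entry is "Mobile Partner" under HKEY_CURRENT_USER, which is consistent with the program starting at logon for admin-su and not for the restricted account.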

#20
trampas

trampas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
No malware was detected by VRT and in the 'Detected Threats' screen the SAVE button was greyed out. So I don't think I can even attach a log.

One point of interest though: when I downloaded VRT from Kaspersky it didn't have a random name - it was called setup_11.0.0.1245.x01_2012_04_11_01_27.exe

When I executed this from the desktop it failed to install, giving this message :

"Error

Some installation files are corrupt.
Please download a fresh copy and retry the installation."

In the application window the last three lines were
'Extracting Drivers\Win32
Extracting Drivers\Win64
Extracting Drivers
'

I renamed the program to wo999.exe on the flash drive and copied that to the desktop. This one ran okay. It was exactly the same file, just a different filename.

Some more odd things, which may mean nothing :
- since you've been assisting me Internet Explorer has been added to the desktop for user admin-su (that's not something I expected)
- every time I boot the PC and log on as admin-su my 3 MobileBroadband software loads. This doesn't happen when I log on with the restricted user.


Just a few more thoughts about the second oddity. The behaviour that I would expect (but not absolutely sure) is for the MobileBroadband application to run only when I double-click on it, or if I plugged in the actual modem/dongle. In the latter case the software would load from the dongle itself, which is a read-only device. If this application is loading as soon as I log in as admin-su then it means it's loading from an unprotected copy on disk. So, in my mind, there are three points or questions from this :
- how did MobileBroadband come to be in the startup sequence for user admin-su ?
- has the copy on disk been infected and, if I was to access the internet as admin-su right now, would this hand control immediately back to the hacker ?
- even if I don't access the internet, could this application be doing something else bad ?

I feel that I should probably uninstall 3 MobileBroadband for now. Please let me know your thoughts.

I've mentioned the hacker before and this person is still taking an interest in my PC. It's probably been going on for about 3 years now. That's easily long enough for the hacker to know that certain parts of my PC are unlikely to change and for them/him to prepare malware that has the best chance of surviving any rebuild of my PC. And also to make that malware unrecognisable, by its signature anyway, to commercially available malware scanners.

The kind of areas that the hacker *could* target are my RAID driver and broadband software. Those software modules are tied to hardware on the PC that will unlikely ever change, so it can be predicted by the hacker that they will be there every time I wipe the hard disk. The objective might then be to re-infect them asap. I only say this because there might be no easy way to identify newly-produced, "bespoke" malware on my PC.

A third oddity : as part of my recent PC rebuild I downloaded the Chrome browser. This installed fine for user admin-su but that copy of the browser wasn't usable by the restricted user. I only found out by searching on the internet that this is normal for the Chrome browser, so I then downloaded it again for the restricted user. This time the download was very difficult but not in a way that I've seen before. I downloaded ChromeSetup.exe which, admittedly, can be a bit troublesome as I've found in the past. But after that I wouldn't expect any problems. What I did find is that something seemed to be interfering with the installation. But because that was the first time I'd seen the problem, I didn't make any notes. All I can remember is that it took about five attempts ( running the same ChromeSetup.exe each time ) to get Chrome running and the nature of the errors reported left me feeling very suspicious.

The general impression I get is that I'm being encouraged by the malware to access the internet from this PC, that I should log on as admin-su to do this and that I should use IE rather than Chrome. If I did some or all of this then it would probably give access back to the hacker. So he'd have a chance to change things around, maybe infect another one of my personal files. Or maybe delete something.

It's a long, long post and I'm not sure if any of this is helpful but I felt I ought to mention it. Take from it what you will but would you please reply regarding uninstalling the MobileBroadband software ? Cheers again,

trampas

Edited by trampas, 10 April 2012 - 08:51 PM.

  • 0

#21
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi trampas,


Just a few more thoughts about the second oddity. The behaviour that I would expect (but not absolutely sure) is for the MobileBroadband application to run only when I double-click on it, or if I plugged in the actual modem/dongle. In the latter case the software would load from the dongle itself, which is a read-only device. If this application is loading as soon as I log in as admin-su then it means it's loading from an unprotected copy on disk. So, in my mind, there are three points or questions from this :
- how did MobileBroadband come to be in the startup sequence for user admin-su ?
- has the copy on disk been infected and, if I was to access the internet as admin-su right now, would this hand control immediately back to the hacker ?
- even if I don't access the internet, could this application be doing something else bad ?


I'm not using MobileBroadband but as far as I know it must be launched on startup. It's an application like every other and I don't think hackers are using this particular one for hacking your PC. Don't worry.

The kind of areas that the hacker *could* target are my RAID driver and broadband software. Those software modules are tied to hardware on the PC that will unlikely ever change, so it can be predicted by the hacker that they will be there every time I wipe the hard disk. The objective might then be to re-infect them asap. I only say this because there might be no easy way to identify newly-produced, "bespoke" malware on my PC.


I think you are too nervous about malware and you don't judge right. There is malware that infects drivers (of course) but our tools would detect it in no time.

I've mentioned the hacker before and this person is still taking an interest in my PC. It's probably been going on for about 3 years now. That's easily long enough for the hacker to know that certain parts of my PC are unlikely to change and for them/him to prepare malware that has the best chance of surviving any rebuild of my PC. And also to make that malware unrecognisable, by its signature anyway, to commercially available malware scanners.


I also don't think this is the case. From all I see your PC is clean as a whistle. There is no trace of malware, hacker tools or anything like that.

Regarding Word macros... Macro viruses are a well-known way of infection and all anti-virus software has built-in engines for that. They are also very easy to detect and clean. They have no place to hide.

All problems you write me here can be related to disk failure on your PC.

In good spirit let's check your system now :)

Step 1

  • Go to Start -> My Computer
  • Right click on C: disk and click on Properties
  • Click on tab Tools and click on Check now... button
  • Check Automatically fix system errors and Scan for and attempt recovery of bad sectors
  • Click Start button
  • Confirm schedule disk check next time computer starts with Yes button
  • Restart your system and wait while system checks your disk for errors

Step 2

We are going to run System File Checker, to make sure all of your protected files are not corrupt. The scan will automatically replace any corrupt files that it finds.

Click Start
Select Run
At the prompt type sfc /scannow Please note that there is a single space between sfc and /scannow.

Typing this will start the program, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens please make sure that you can view protected files:
  • My Computer
  • Tools
  • Folder Options
  • View
  • "Uncheck" Hide protected operating system files.
Then rerun the scan. If this still asks you to put in your windows XP CD, and you do not have the CD (If you bought it preinstalled) post back for more tips, otherwise enter Windows CD.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files:
  • My Computer
  • Tools
  • Folder Options
  • View
  • "Check" Hide protected operating system files.

  • 0

#22
trampas

trampas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
Hi maliprog

Thanks for that. I won't say too much in reply just that there are still some unexplained issues.

Here's the result of the File system check :

trampas

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x40720c for possibly 0x1 clusters.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x40720c for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x27d2 is already in use.
Deleting corrupt attribute record (128, "")
from file record segment 10194.
Cleaning up minor inconsistencies on the drive.
Cleaning up 58 unused index entries from index $SII of file 0x9.
Cleaning up 58 unused index entries from index $SDH of file 0x9.
Cleaning up 58 unused security descriptors.
Inserting data attribute into file 10194.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

78140128 KB total disk space.
22706720 KB in 61792 files.
19644 KB in 4214 indexes.
0 KB in bad sectors.
138240 KB in use by the system.
65536 KB occupied by the log file.
55275524 KB available on disk.

4096 bytes in each allocation unit.
19535032 total allocation units on disk.
13818881 allocation units available on disk.

Internal Info:
20 0e 01 00 e2 01 01 00 18 5f 01 00 00 00 00 00 ........_......
02 03 00 00 00 00 00 00 c3 03 00 00 00 00 00 00 ................
92 b2 e3 04 00 00 00 00 42 4f fb 27 00 00 00 00 ........BO.'....
36 a0 1c 08 00 00 00 00 30 36 c6 71 02 00 00 00 6.......06.q....
f2 8c bd 04 00 00 00 00 a4 5a 0f b3 02 00 00 00 .........Z......
10 80 39 b3 00 00 00 00 90 38 07 00 60 f1 00 00 ..9......8..`...
00 00 00 00 00 80 e8 69 05 00 00 00 76 10 00 00 .......i....v...

Windows has finished checking your disk.
Please wait while your computer restarts.


For more information, see Help and Support Center at http://go.microsoft....ink/events.asp.
  • 0

#23
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
We will try to resolve all issues. Don't worry. As you can see your hard disk still has problems...

Did you manage to run sfc /scannow? Any problems detected?
  • 0

#24
trampas

trampas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
For Step 2 I unchecked Hide system folders first, then ran sfc /scannow. After a short while I was asked to put in the Windows setup CD, which I did (the original SP 1A CD). The scan resumed automatically.

Afterwards in the event viewer I had this message from Windows File Protection :
"Windows File Protection file scan completed successfully".

I haven't done anything else yet. I could reboot the PC but I thought I ought to check. I think I understand what you mean by 'Check Windows updates' but wouldn't that require connecting the PC to the internet ?

I noticed that the File System check has identified 0 KB in bad sectors so the file corruptions do not seem to be explained by disk errors. The last check also found further errors in file 0x9. That's the only file that has been flagged up as corrupted since you started assisting me. Prior to that I was getting lots of corruptions and it seemed to stop when I did a system restore back to 10 March (the day when I installed WORD and the day before I restored my personal files onto the PC).

Apart from the corrupt file 0x9 I'm inclined to think that whatever was corrupting various files is no longer active on my PC, though the dropped file that was being run may yet remain. So this is mainly good news but what has corrupted file 0x9 twice ?

I'm still monitoring the situation with the ZoneAlarm client but it has failed to initialise a few times whilst you've been helping me. So I'm wondering what's causing that ?

I agree with the post-script at the end of your messages : not all malware is visible. At this time I think I'm still seeing suspicious behaviour on the PC and I'm pretty sure that
- in the past I had a trojan virus that was also placed on the backup drive in early Feb (prior to the last rebuild)
- I had some kind of malware that was in at least one WORD file AFTER the rebuild. I may have found all of the infected files but this is based on the idea that ALL infected files display the 'save changes' problem. This may turn out to be not a good assumption. No malware has been detected in those files during testing but it seems to be there.
- I think that a file was dropped onto the PC which began causing file corruptions but it may have been partially dealt with by the system restore. I don't see how the infected WORD files could have been doing this directly.

I can send one of the infected WORD files to you which will infect normal.dot and then any other WORD files that you load. But unless you have a spare PC I suspect you won't be very keen to prove this ! :) I wouldn't.

I realise there are limits to what can be done on a forum especially when malware is not detected. And I'm really grateful for the time several helpers have devoted already to this unusual problem. But, one of my final questions : does this virus mean that I must rebuild the PC again and throw away all of my personal files, just to be safe ?

I also have a laptop (XP) that was infected by the hacker, sometime during the first year that I had the malware. Does the same apply there ? And there are two more PCs in the UK that I used whilst visiting not long ago and one of those (that I know of) now has the 'save changes' problem. I'm ready to open a case for my own laptop but unsure what should happen with other PCs. It all seems to come back to the infected WORD docs. If there's nowhere for malware to hide, why do I see the behaviour that I do ?

I could open one of those files again if you're ready to agree to it.

Cheers (genuinely) for any ideas

trampas

Edited by trampas, 11 April 2012 - 03:28 AM.

  • 0

#25
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Let's try something.

Please write me the full file path to two or three Word documents that you find infected. For example

C:\User\My Documents....Word1.doc
C:\Word2.doc
etc.
  • 0



#26
trampas

trampas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
Ok sounds like an idea :)

c:\Documents and Settings\serf\serf's Documents\__samples\original.DOC
c:\Documents and Settings\serf\serf's Documents\__samples\Bell.DOC
c:\Documents and Settings\serf\serf's Documents\__samples\1108_Transfers.DOC

Note that there are two underscore characters before 'samples'.

Cheers

t
  • 0

#27
trampas

trampas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
Could you please also advise if I should reboot the PC after the File Protection task just completed ?
  • 0

#28
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
You can restart your PC now. No problems. After restart connect PC to Internet. We need this to take samples from your PC.

This program will take a virus sample and upload it automatically for further analysis.

  • Please download GrabSample.exe
  • Start Notepad and copy and paste this into Notepad


    g2g:1:WordDOC
    c:\Documents and Settings\serf\serf's Documents\__samples\original.DOC
    c:\Documents and Settings\serf\serf's Documents\__samples\Bell.DOC
    c:\Documents and Settings\serf\serf's Documents\__samples\1108_Transfers.DOC
    
  • Save it as getfiles.txt
  • Drag and drop getfiles.txt to GrabSample.exe
  • Wait until program finishes and press OK button at the end

  • 0

#29
trampas

trampas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 99 posts
I tried twice with that, maliprog. It got as far as 'uploading files...' and timed out after 5 minutes...

The zip file was created okay.

t
  • 0

#30
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Let's try this way.

  • Start Notepad and copy and paste this into Notepad

    c:\Documents and Settings\serf\serf's Documents\__samples\original.DOC
    c:\Documents and Settings\serf\serf's Documents\__samples\Bell.DOC
    c:\Documents and Settings\serf\serf's Documents\__samples\1108_Transfers.DOC

  • Save it as getfiles.txt
  • Drag and drop getfiles.txt to GrabSample.exe
  • When it finishes it will create C:\InfFiles MM_DD_YYYY.zip
  • Attach this file in your next reply

  • 0





