Something has taken over my wife's computer


  1. Posts : 7
    Windows 7 Professional 64b
       #1


    This evening I was passing by our computer room, when the computer suddenly started playing a mish-mash of audio streams or files. It starts with a musical introduction, then a woman speaking Spanish, then a "news" stream joining that, until several streams were stepping on one another, making all unintelligible.

    I killed both her instances of IE, then her Word instance, finally everything. No help. I logged out of her account; even with no one logged in, it continued -- it seems to die out after 10 minutes or so, then restart half an hour or so later.

    After I logged into my own account, I looked at the Task Manager, which showed no applications running (audio was still running full steam). I looked at processes, but, since I don't know what all the process names mean, I couldn't tell if anything was out of order.

    I opened my corporate Symantec End Point Protection (required by my employer, since I occasionally log in to the facility via vpn), and it saw no problems. I checked for updates, and it said it was up to date.

    I restarted Windows and it installed one update. A few minutes after it completed and I logged in, the audio mish-mash continued.

    Any ideas?


  2. Posts : 16,149
    7 X64
       #2

    Poltergeists?

    Couldn't resist, the title sounds like a movie.

    What happens if you disconnect from the net?


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #3

    Sounds like it might be the "Whistler Bootkit". This infection steals passwords and all 'critical' information. Banking and credit card institutions should be notified of the possible security breach.

    My recommendation would be to wipe the OS (operating service) and do a "clean install".


  4. Posts : 2,470
    Windows 7 Home Premium
       #4

    jp1engr,


    Try the following for the "Poltergeists":

    Please go to the TDSSKiller Download, and select the .exe version
    Double-click on TDSSKiller.exe to run the program.

    When the TDSSKiller console opens, click on: Change Parameters
    Under Additional Options, place a check in the box next to: Detect TDLFS File System
    Click: OK

    Press: Start Scan

    •If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
    •If malicious objects are found, they show in the Scan results.
    •Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
    (Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

    When done, the tool creates a log on the disk with the Windows Operating System, normally C:\

    Logs have a name like:
    C:\TDSSKiller.X.X.X_08.30.2013_15.31.43_log.txt

    Please attach the TDSSKiller log in your reply.


  5. Posts : 7,055
    Windows 7 Home Premium 32 bit
       #5

    Exorcist..


  6. Posts : 5,956
    Win 7 Pro x64, Win 10 Pro x64, Linux Light x86
       #6

    jp1engr said:
    This evening I was passing by our computer room, when the computer suddenly started playing a mish-mash of audio streams or files. It starts with a musical introduction, then a woman speaking Spanish, then a "news" stream joining that, until several streams were stepping on one another, making all unintelligible.

    I killed both her instances of IE, then her Word instance, finally everything. No help. I logged out of her account; even with no one logged in, it continued -- it seems to die out after 10 minutes or so, then restart half an hour or so later.

    After I logged into my own account, I looked at the Task Manager, which showed no applications running (audio was still running full steam). I looked at processes, but, since I don't know what all the process names mean, I couldn't tell if anything was out of order.

    I opened my corporate Symantec End Point Protection (required by my employer, since I occasionally log in to the facility via vpn), and it saw no problems. I checked for updates, and it said it was up to date.

    I restarted Windows and it installed one update. A few minutes after it completed and I logged in, the audio mish-mash continued.

    Any ideas?

    Sounds bad. I would take Jacee's advice; one method I use is Darik's Boot And Nuke. It's not fast but does do the job.


  7. Posts : 7
    Windows 7 Professional 64b
    Thread Starter
       #7

    Jacee, Cottonball, Stephanie,

    Thanks; I'll start with a complete cleanup. I'd been thinking of that for a while, since her disk was messed up by a failed linux install a few months ago (I've used unix and linux for decades, but between W7 and EFI, I couldn't handle it this time...).

    Be in touch in a couple of days.


  8. Posts : 7
    Windows 7 Professional 64b
    Thread Starter
       #8

    Ok,

    As I was setting up to wipe the drive and reinstall, I decided to try TDSSKiller, so I'd at least know what happened. From Cottonball's recommendation, I installed and ran it.

    It found and cleaned out (I hope?) Rootkit.Boot.Harbinger.a. As requested, here's the log; I hope it's ok to include this 132K file, as Cottonball asked?

    Now I'll try Stephanie's recommendation, hoping it'll agree I'm clean. Thanks, all.

    jp


  9. Posts : 7
    Windows 7 Professional 64b
    Thread Starter
       #9

    So, while waiting for DBaN to download, I searched for info on Rootkit.Boot.Harbinger.a. I found here,

    Guide to Completely Remove Rootkit.boot.Harbinger.a Virus (Manual Removal) - Tee Support Blog

    a statement that it "can't be detected by any antivirus completely". This was written July 21 -- only a month ago. Has Kaspersky solved this by now, or should I undertake Ms. Young's long, involved, and risky-looking process?

    By the way, you may notice that I forgot to enable the Detect TDLFS File System item. I ran it a third time (it ran twice the first time) with that enabled, and it found nothing.

    jp


  10. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #10

    It's totally up to you, but if it was my computer, I would never be able to trust that it would be stable again, without a wipe and clean install.

    Read this too, if you want to try to work with a Bootkit/Rootkit: "How to remove a bootkit"


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
