[Solved] Something has taken over my wife's computer

jp1engr
This evening I was passing by our computer room, when the computer suddenly started playing a mish-mash of audio streams or files. It starts with a musical introduction, then a woman speaking Spanish, then a "news" stream joining that, until several streams were stepping on one another, making all unintelligible.

I killed both her instances of IE, then her Word instance, finally everything. No help. I logged out of her account; even with no one logged in, it continued -- it seems to die out after 10 minutes or so, then restart half an hour or so later.

After I logged into my own account, I looked at the Task Manager, which showed no applications running (audio was still running full steam). I looked at processes, but, since I don't know what all the process names mean, I couldn't tell if anything was out of order.

I opened my corporate Symantec Endpoint Protection (required by my employer, since I occasionally log in to the facility via VPN), and it saw no problems. I checked for updates, and it said it was up to date.

I restarted Windows and it installed one update. A few minutes after it completed and I logged in, the audio mish-mash continued.

Any ideas?
 

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: custom
OS: Windows 7 Professional 64-bit
CPU: Intel Core i7
Motherboard: Gigabyte P55A-UD3
Memory: 4 GB
Graphics Card(s): Galaxy GeForce GT 520
Hard Drives: WD 500 GB
Antivirus: Symantec Endpoint Protection v11.0.6300.803
Browser: Firefox/IE
Poltergeists?

Couldn't resist, the title sounds like a movie.

What happens if you disconnect from the net?
 

My Computers

  • Computer type: PC/Desktop
    OS: Windows 7 x64
    CPU: i5 8400
    Motherboard: Gigabyte B365M DS3H
    Memory: 2x8 GB 3200 MHz
    Hard Drives: various
    PSU: Pure Power 11 400W CM
    Case: Coolermaster
    Cooling: Cryorig M9i
  • Computer type: PC/Desktop
    OS: Windows 7 x64
    CPU: G5400
    Motherboard: GA-B365M DS3H
    Memory: 8 GB DDR4 2400
    PSU: XFX Pro 450W
Sounds like it might be the "Whistler Bootkit". This infection steals passwords and all 'critical' information. Banking and credit card institutions should be notified of the possible security breach.

My recommendation would be to wipe the OS (operating system) and do a "clean install".
 

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Bruce ... somewhere in his 40's
OS: Windows 7 Ultimate 32-bit SP1
CPU: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard: INTEL/D975XBX2
Memory: 4 GB
Graphics Card(s): ATI Radeon HD 2600 Pro
Monitor(s) Displays: Samsung SyncMaster 914v
Screen Resolution: 1280 x 1024
Hard Drives: 2/500GB each ... ST3500630AS ATA Device. One is not connected
PSU: Rocketfish 700 W
Case: G.Skill Gigabyte Chassis
Keyboard: Standard PS/2 Keyboard
Mouse: Microsoft PS/2 Mouse
Internet Speed: DSL
Antivirus: Avira Internet Security
Browser: IE 11
Other Info: ATI HDMI Audio
jp1engr,


Try the following for the "Poltergeists": :D

Please go to the TDSSKiller Download, and select the .exe version
Double-click on TDSSKiller.exe to run the program.

When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan

•If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
•If malicious objects are found, they show in the Scan results.
•Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
(Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\

Logs have a name like:
C:\TDSSKiller.X.X.X_08.30.2013_15.31.43_log.txt

Please attach the TDSSKiller log in your reply.
 

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: An ol' eMachines
OS: Windows 7 Home Premium
Internet Speed: Fine for me...I'm retired!
Exorcist..:p
 

My Computer
OS: Windows 7 Home Premium 32-bit
Sounds bad. I would take Jacee's advice; one method I use is Darik's Boot And Nuke. It's not fast, but it does do the job.
 

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Home Built
OS: Win 7 Pro x64, Win 10 Pro x64, Linux Light x86
CPU: Core i7 3770K
Motherboard: Gigabyte GA-Z77P-D3
Memory: Crucial Ballistix Sport 8GB
Graphics Card(s): ASUS GeForce GTX 650 Ti
Sound Card: On board
Monitor(s) Displays: ASUS 22 W/S
Screen Resolution: 1920 x 1080
Hard Drives: Intel 320 Series SSD, WD Caviar Black 1TB
PSU: Corsair CX 750w
Case: Black Night
Cooling: 120mm fans front/back, Coolermaster Hyper 212 Evo
Keyboard: Razer Blackwidow Expert 2013 Mechanical Keyboard
Mouse: Logitech G300 Gaming Mouse
Internet Speed: 20mb Unlimited
Antivirus: ZA Antivirus + Firewall
Browser: Cyberfox
Other Info: Powered USB Hub, External Drives 3 x 1TB, Phone Dock.
Jacee, Cottonball, Stephanie,

Thanks; I'll start with a complete cleanup. I'd been thinking of that for a while, since her disk was messed up by a failed linux install a few months ago (I've used unix and linux for decades, but between W7 and EFI, I couldn't handle it this time...).

Be in touch in a couple of days.
 

Ok,

As I was setting up to wipe the drive and reinstall, I decided to try TDSSKiller, so I'd at least know what happened. From Cottonball's recommendation, I installed and ran it.

It found and cleaned out (I hope?) Rootkit.Boot.Harbinger.a. As requested, here's the log; I hope it's ok to include this 132K file, as Cottonball asked?

Now I'll try Stephanie's recommendation, hoping it'll agree I'm clean. Thanks, all.

jp
 

Attachments

So, while waiting for DBAN to download, I searched for info on Rootkit.Boot.Harbinger.a. I found here,

Guide to Completely Remove Rootkit.boot.Harbinger.a Virus (Manual Removal) - Tee Support Blog

a statement that it "can't be detected by any antivirus completely". This was written July 21 -- only a month ago. Has Kaspersky solved this by now, or should I undertake Ms. Young's long, involved, and risky-looking process?

By the way, you may notice that I forgot to enable the Detect TDLFS File System item. I ran it a third time (it ran twice the first time) with that enabled, and it found nothing.

jp
 

It's totally up to you, but if it was my computer, I would never be able to trust that it would be stable again, without a wipe and clean install. ;)

Read this too, if you want to try to work with a bootkit/rootkit: How to remove a bootkit
 

jp1engr,

Running TDSSKiller was a smart move on your part! :)
A Boot sector virus can survive a new install.

Please proceed with the following to make sure there is not a rootkit to deal with:

Download the Farbar Recovery Scan Tool.
Select the version that applies to the system.

Save to the Desktop.
  • Double-click the downloaded file to run it.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply.
The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply. It will present a list of the programs that are installed on your computer, and any undesirables can be identified.
 

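Cottonball's point that a boot-sector infection can survive a reinstall, and Jacee's bootkit-removal link, both rest on the same fact: the code in the master boot record lives outside any filesystem, so formatting C: does not touch it. The script below is an added example written for this thread; it is not part of TDSSKiller, FRST or any poster's instructions. It parses a 512-byte MBR, checks the 0x55AA signature and partition table for inconsistencies, and compares a SHA-256 of the 446-byte boot-code area against a baseline hash captured from a trusted disk. The baseline hash, the two sample MBR images and the device paths mentioned in comments are assumptions constructed for the demonstration; on a real machine you would read the first sector of the physical drive as Administrator (Windows) or root (Linux) and record the baseline right after a clean install.

```python
"""Inspect a 512-byte master boot record for signs of boot-sector tampering.

Constructed example for this thread, not part of TDSSKiller, FRST or any
poster's instructions. The known-good hash, the sample MBRs and the device
paths mentioned below are assumptions made for the demonstration.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MBR_SIZE = 512
BOOT_CODE_SIZE = 446      # bytes 0..445 hold the executable boot code
PART_TABLE_OFFSET = 446   # four 16-byte partition entries follow
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510    # bytes 510..511 must be 0x55 0xAA


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def read_mbr(device_path: str) -> bytes:
    # Needs Administrator on Windows (e.g. \\.\PhysicalDrive0) or root on
    # Linux (e.g. /dev/sda). Not exercised by the offline demo below.
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table entries, skipping empty slots."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, type_id, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, off)
        if type_id == 0 and sectors == 0:
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code area only; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def inspect_mbr(mbr: bytes, known_good_boot_hash: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)} (want {MBR_SIZE})"]
    findings = []
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    ranges = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts)
    for (_, end_a, idx_a), (start_b, _, idx_b) in zip(ranges, ranges[1:]):
        if start_b < end_a:
            findings.append(f"partitions {idx_a} and {idx_b} overlap")
    if known_good_boot_hash is not None:
        actual = boot_code_hash(mbr)
        if actual != known_good_boot_hash:
            findings.append(f"boot code hash {actual[:16]}... differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0\0\0", type_id, b"\0\0\0", lba, sectors)
        for status, type_id, lba, sectors in partitions)
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return code + table + b"\x55\xAA"


# Constructed boot code: a few plausible opening bytes, then zero padding.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
# A constructed stub that jumps elsewhere before the original loader runs.
TAMPERED_BOOT_CODE = b"\xeb\x3c\x90\x90\xfa\x33\xc0"
LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 976564224)]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, LAYOUT)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE, LAYOUT)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)   # assumed captured once from a trusted disk

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, inspect_mbr(image, BASELINE_HASH) or "no findings")
```

The hash covers only the boot-code bytes because the partition table changes whenever a volume is resized or added, while the loader code should stay byte-for-byte identical between reinstalls of the same Windows version. A mismatch is a reason to rewrite the MBR from known-good media (the Windows 7 recovery environment's bootrec /fixmbr) before trusting a fresh install, not proof of infection on its own.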
Jacee,

As I said, I did the Kaspersky thing just to be informed. There are also the other reasons to wipe & reinstall, as I mentioned earlier. I was just wondering whether there had been progress at Kaspersky that Ms. Young didn't know about.

And thanks for the new link, too.

jp
 

All,

Got the system reinstalled. Now neither of the malware scanners finds anything (I've only tried TDSSKiller and Symantec). When I tried to burn the Darik's Boot And Nuke disc, I found I'd left only an old CD-ROM reader in my system (for some reason, neither of the modern r/w drives will boot). So I have to wait until I can get the system from her long enough to power down and install one of the writers.

I really haven't turned my back on you all :-).

Actually, rereading Cottonball's last message just now, I see I can run it within the system. To work!

jp
 

Please download Temp File Cleaner (TFC):
TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums
Save to the Desktop

Double-click on TFC.exe to run the program.
Be sure to save any work in progress before running TFC!!

Click on Start to begin the cleaning process.
TFC closes all running programs, and may ask to restart the computer.
If so, please restart.


While we are at it, let's check the system's security status with the following...
Download Security Check:
http://screen317.spywareinfoforum.org/
Save to your Desktop.
Double-click: SecurityCheck.exe
Follow the onscreen instructions inside the black box.
When done, a Notepad report opens automatically, called: checkup.txt

Please post the checkup.txt in your reply.
(Please do not take any corrective actions!)
 
