The new forums will be named Coin Return (based on the most recent vote)! You can check on the status and timeline of the transition to the new forums here.
The Guiding Principles and New Rules document is now in effect.

Stubborn computer virus...

IanatorIanator A predator cannot differentiatebetween prey and accompliceRegistered User regular
edited March 2011 in Help / Advice Forum
Somehow after replacing my computer's RAM it contracted what AVG says is a Trojan. When it scans it picks up the virus in "system32/csrss.exe(588)" and "explorer.exe(3552)", plus sometimes a Firefox file. Side effects are malicious popups, occasional loss of the taskbar and the corruption of my sound drivers.

Worse yet, it also finds the viruses in (I think) memory modules as well, all relating to the above files: "system32/csrss.exe(588):\memory_00270000" and "explorer.exe(3552):\memory_001a0000". AVG is refused access to these objects, thus rendering me unable to do anything about it. MalwareBytes doesn't even find it, so that's out.

I don't think I've been to any sites I haven't been to before. Any ideas on how I can excise this thing once and for all? (I've since replaced my old memory, but no such luck getting rid of this.)

steam_sig.png
Twitch | Blizzard: Ianator#1479 | 3DS: Ianator - 1779 2336 5317 | FFXIV: Iana Ateliere (NA Sarg)
Backlog Challenge List
Ianator on

Posts

  • Nakatomi2010Nakatomi2010 Registered User regular
    edited March 2011
    The way those errors read. Have you tried pulling the new ARM you installed out and trying again? Perhaps you got bad RAM.

    Nakatomi2010 on
    Check out me building my HTPC (NSF56K) (Updated 1-10-08)
    Movie Collection
    Foody Things
    Holy shit! Sony's new techno toy!
    Wii Friend code: 1445 3205 3057 5295
  • pacbowlpacbowl Los AngelesRegistered User regular
    edited March 2011
    I haven't seen any conventional virus/malware/spyware that actually invades memory in a long time. Usually a safemode reboot + mbam will clean regular malware in windows but you may actually have a boot sector infected. I use avast, but scanning with all known online scanners won't hurt. If it comes down to it, nuke it from orbit and reformat/reinstall.

    pacbowl on
    steammicro.php?id=pacbowl&pngimg=background&tborder=0
  • NATIKNATIK DenmarkRegistered User regular
    edited March 2011
    The way those errors read. Have you tried pulling the new ARM you installed out and trying again? Perhaps you got bad RAM.

    Bad RAM can cause sound corruption due to slowing down the computer in general, so his talk of sound driver corruption does support this idea.

    If you continue being unable to find anything, try pulling the RAM, it could very well be the culprit.

    NATIK on
    steam_sig.png
  • TetraNitroCubaneTetraNitroCubane Not Angry... Just VERY Disappointed...Registered User regular
    edited March 2011
    pacbowl wrote: »
    I haven't seen any conventional virus/malware/spyware that actually invades memory in a long time. Usually a safemode reboot + mbam will clean regular malware in windows but you may actually have a boot sector infected. I use avast, but scanning with all known online scanners won't hurt. If it comes down to it, nuke it from orbit and reformat/reinstall.

    Echoing these thoughts here, and throwing in a few other scanning options as well. The fact that the infection is being seen in csrss.exe and explorer.exe (from the trusted paths) is somewhat unsettling, and may indicate a bootkit type virus. The malicious popups seem to indicate a genuine infection, rather than a memory corruption issue.

    I'd also highly recommend burning a rescue CD or a Linux LiveCD, and using the available tools there to check your system from outside of your operating system. The fact that you're not seeing anything with scanners, but are observing suspicious behavior, further suggests a bootkit/rootkit infection of some kind - those are damned hard to pin down or identify from within the compromised OS. Here's a quick list of CDs you can try, if you wish. The 'Rescue CD' options are typically ones that will boot and run a specified program. The Live CDs will usually boot you into an operating system environment and let you do what you need to:

    If you find an infection with one of these scanners, I too would suggest using one of the LiveCDs to backup your important files, and then completely reformatting your hard drive, and reinstalling your operating system on the clean drive.

    TetraNitroCubane on
  • IanatorIanator A predator cannot differentiate between prey and accompliceRegistered User regular
    edited March 2011
    The way those errors read. Have you tried pulling the new ARM you installed out and trying again? Perhaps you got bad RAM.

    Yep. I actually didn't do anything that required the sound drivers until after I put my old memory back in.

    Anyways, I've got a lot of stuff to back up. Shoulda got that 2TB drive from Costco when it was still $30 off, I won't be able to afford a good external for another week.

    Ianator on
    steam_sig.png
    Twitch | Blizzard: Ianator#1479 | 3DS: Ianator - 1779 2336 5317 | FFXIV: Iana Ateliere (NA Sarg)
    Backlog Challenge List
  • IanatorIanator A predator cannot differentiate between prey and accompliceRegistered User regular
    edited March 2011
    It's official: my desktop has been virus'd something fierce; thus, I must work from the backup laptop.

    Things start to freeze after startup - AVG locks up if I try to scan, while avast! loses steam during a scan (think the speed of a BitTorrent winding down to zero when you finish it). I tried Safe Mode and it sorta works, but I can't internet with it and AVG will only let me do a "Command Line Scan" that ultimately didn't help much (I didn't try avast! yet). System Restore didn't do anything either, seeing as I "didn't make any changes" since the date I picked up the memory.

    Speaking of memory sticks, I picked these up second-hand. Though I'm sure RAM doesn't work like this, is there any chance I could've gotten infected by them? The symptoms started showing up about two days after I installed them.

    Ianator on
    steam_sig.png
    Twitch | Blizzard: Ianator#1479 | 3DS: Ianator - 1779 2336 5317 | FFXIV: Iana Ateliere (NA Sarg)
    Backlog Challenge List
  • NATIKNATIK DenmarkRegistered User regular
    edited March 2011
    You can't load data onto RAM and have it stay there after it losses power, so unless this was some dastardly mastermind thing where someone added flash memory to the sticks and wired up some amazing construction to try and infect you, it would be impossible to get infected that way.

    In other words it seems extremely unlikely, an infinitely more likely thing would be you installing something around that time or even just picking it up from netbrowsing.

    NATIK on
    steam_sig.png
  • IanatorIanator A predator cannot differentiate between prey and accompliceRegistered User regular
    edited March 2011
    I kinda figured. Anything else I could try in Safe Mode? Or is it time to start pricing parts on Newegg?

    ...Well, yeah, it's always time to price parts on Newegg.

    Ianator on
    steam_sig.png
    Twitch | Blizzard: Ianator#1479 | 3DS: Ianator - 1779 2336 5317 | FFXIV: Iana Ateliere (NA Sarg)
    Backlog Challenge List
  • TetraNitroCubaneTetraNitroCubane Not Angry... Just VERY Disappointed...Registered User regular
    edited March 2011
    At this point, it sounds like using a LiveCD is going to be a better option than safe mode, if you're really intent on cleaning the system. If you are really looking at a last ditch, Hail Mary type cleaning (i.e. About to reformat anyway), you can always try Combofix.

    Why price parts on NewEgg, though? This issue should be entirely software, if you're thinking it is malware related. I'd recommend you completely reformat the hard drive, and reinstall windows. Then install security software, and only after that restore critical files from backups.

    Edit: You mentioned using AVG and avast. Are you talking about the online scanners? Or did you install both full antivirus programs at the same time? Having more than one resident antivirus installed simultaneously is usually asking for trouble (like system lockups).

    TetraNitroCubane on
  • IanatorIanator A predator cannot differentiate between prey and accompliceRegistered User regular
    edited March 2011
    Pricing parts because I was already looking to build a new compy even before this happened.

    Also yeah AVG and avast! were both installed at the same time though not actively scanning. They were playing nice for a little while.

    Ianator on
    steam_sig.png
    Twitch | Blizzard: Ianator#1479 | 3DS: Ianator - 1779 2336 5317 | FFXIV: Iana Ateliere (NA Sarg)
    Backlog Challenge List
  • TetraNitroCubaneTetraNitroCubane Not Angry... Just VERY Disappointed...Registered User regular
    edited March 2011
    Ianator wrote: »
    Pricing parts because I was already looking to build a new compy even before this happened.

    Also yeah AVG and avast! were both installed at the same time though not actively scanning. They were playing nice for a little while.

    If you were pricing out parts before hand, then go for it.

    But, uh, if you had Avast! and AVG installed together, and both were running resident, you could pretty much cause every single problem that you've just described. They don't need to be "actively scanning" at the same time in the sense of 'I started a virus scan with both' - If both antivirus suites were installed resident they'd be scanning everything on-access, not on-demand. Most antivirus suites will scan every single file that you write, read, or open as you do it, regardless of whether or not you requested a scan.

    Having more than one antivirus running on-access can lead to lockups, and tons of false positives as one can AV see the other AV as a threat. I know some people have good luck with it, but I've never seen it work. Hell, most of the time, when switching from one AV to a different one, if you don't uninstall completely you'll run into problems.

    I'd uninstall one of them, then scan the entire system with MalwareBytes. If it comes up clean with MalwareBytes after that, I'd operate it carefully for a while and see if the problems persist.

    TetraNitroCubane on
  • IanatorIanator A predator cannot differentiate between prey and accompliceRegistered User regular
    edited March 2011
    Tried MalwareBytes already, didn't pick it up. AVG's the only one that seemed to find the bad things in system32.

    I've taken my box down and put it in the corner to think about what it's done, but I'll put it up again in a few days and uninstall avast.

    Ianator on
    steam_sig.png
    Twitch | Blizzard: Ianator#1479 | 3DS: Ianator - 1779 2336 5317 | FFXIV: Iana Ateliere (NA Sarg)
    Backlog Challenge List
Sign In or Register to comment.