View Full Version : Some Form of Malware Detected, but Can't Find and Remove it
DrewWilson
January 3rd, 2009, 03:08 PM
Let me first start off this post by saying that I had a "complete idiot" moment. Normally, I scan every file still in its compressed form before I even think about any form of uncompression. This sort of thinking has kept my systems clean for years.
Recently, I downloaded something and I forgot the "scan the damn file first" step. Once I knew something was up, it was already too late and I got something. I did a full system scan with Norton Anti-Virus 2008 and it only detected the files in their compressed state. Not wanting any repeat incidents, I nuked the archive as well as the entire directory that was found in the 'temp' folder to make sure it was gone.
The only reason I found out I had something was that a DOS prompt window would randomly come up and an error message would appear saying:
C:\Users\**YOUR NAME**\AppData\Temp\t2989.exe
The NTVDM CPU has encountered an illegal instruction.
CS:1204 IP:03c7 OP:63 68 65 22 20 Choose 'Close' to terminate the application.
[Close] [Ignore]
I Googled the error message and this particular issue has been linked to various forms of malware, but nothing consistent. I'm, at this point, 100% sure I have some form of malware floating around on my system. Every time the error message pops up, I hit close thinking it's a trojan/worm not agreeing with my setup.
While the general error message gets results, this specific line of code turns up with no results. So, wanting to figure out the source files of this error message, I went into ctrl+alt+delete when the error message popped up again and only found the NTVDM.exe process (which, after some research, seems to be a Windows Core file) and when I click on 'close', the process disappears.
I also browsed the directories to look for the t2989.exe file and I managed to get all the way to the Temp directory, but the executable file doesn't even exist.
While I was able to wipe the perpetrating files, it seems that the payload is still roaming somewhere in my system.
I can only think of two options at this point in time: removing the NTVDM.exe file (though I'm not sure if it contributes to system stability, so I chose not to) or a system restore (which Norton says is a bad idea).
I thought I might also just post my findings so far and see if there is any way I can launch something that will detect what is kicking up the error message (which is probably the malware).
Norton can't seem to pick up the malware even though it detected it in the compressed versions, and some people who have had similar issues report that all the other scanners can't seem to pick up whatever is infecting their machines either (one person apparently reformatted and the error messages kept popping up after that still).
I also note that I have only gotten the round of error messages once after I nuked the file too.
I'm running Windows Vista Home Premium 32-bit.
Any help will be greatly appreciated. :)
DigitalJunkie
January 3rd, 2009, 04:17 PM
You don't remember which program you were trying to install? Was it a 16-bit DOS program?
joebloe12
January 3rd, 2009, 06:12 PM
The THIRD option is to reformat. If all else fails. But that all depends on if you have all your driver disks and win vista disks.
Not a fun option I know, but if all else fails you can try that.
Hath
January 3rd, 2009, 09:51 PM
Wow way to resort to extreme tactics joebloe12.
DrewWilson
January 3rd, 2009, 10:50 PM
You don't remember which program you were trying to install? Was it a 16-bit DOS program?
I remember which program I was trying to install and since it was a program that was about a year old, I highly doubt it's 16-bit. It seems strange that I managed to narrow this thing down to, what appears to be, a simple file-path, yet I hit a roadblock. I'll see if I can see this thing in DOS.
If I can't see it in there, I think I'll presume it's a rootkit and get something like blacklight to see if I can see what I'm dealing with. I can't see this working properly without the main exe file (unless it has a way of replicating itself)
I have another thought. Remember I was about to install this thing two days ago; see if search can detect any file that was created in that time-frame, then Google each file and delete the unknown ones. If anti-malware programs can't auto-detect this thing, maybe I can manually root this thing out since I have some clues as to its whereabouts.
mountain_rage
January 3rd, 2009, 11:01 PM
Your CPU fan is lacking lubrication, just shoot some of your natural lube in that sucker. If you're out of juice, just find some random homeless guy to jerk off.
For those who caught it, this advice is better than the previous suggestions.
Sorry, it's too much fun abusing psychological effects. I'm an asshole I know, but I didn't have constructive advice. Hope you can take a joke Drew.
DrewWilson
January 3rd, 2009, 11:02 PM
OK, I went through the directories in question and see nothing, but I notice a difference between what is being noticed and what is actually there. It keeps looking in a directory before temp that doesn't exist while the actual path has the 'local' dir.
What it says:
C:\Users\**USERNAME**\AppData\Temp\t2989.exe
What is actually there:
C:\Users\**USERNAME**\AppData\Local\Temp\
I think I'll have to do a full system search for this particular executable. Maybe it's somewhere else and might lead me to the malware if it's not actually it.
Edit: OK, I'll give that a shot MR. Thanks. :)
DrewWilson
January 4th, 2009, 12:21 AM
:P
Nice edit.
Anyway, while I was in safe mode, I managed to find the event log and found the points in which it popped up the error message (which is apparently an information pop-up)
I also discovered that it popped up precisely once every 1 hour and 1 minute. Fortunately, I was in safe mode right before it was supposed to pop up and it didn't pop up right on schedule. Whether that's either because of the restart or the fact that safe mode disables internet, I'm not entirely sure.
However, I managed to write down the time stamp of the first pop-up, so I narrowed this time frame down to the second in which I started getting these pop-ups. So this stuff had to have been put on just moments before.
Another interesting thing is that the numbers keep changing. Clearly, this exe file is being created somehow and deleted when it runs into whatever problem it has.
I tried finding this through other means in safe mode, but no go. I couldn't find out anything about how these pop-ups are being generated other than their numbers and time stamps. I saved the results in safe mode so I can access it in normal mode.
If the pop-ups start again, I might want to try and boot into safe mode if I haven't figured out anything else in the meantime, wait 1 hour and 2 minutes, and see if the pop-up gets generated there.
In the meantime, I'll try *.* with a creation time of a nice narrow window. Shouldn't give me much, but hopefully it'll turn up some unwanted files. :)
Mels_Smileys45
January 4th, 2009, 12:30 AM
Hey...if it aint bothering you, don't go fuckin' with it!
DrewWilson
January 4th, 2009, 01:03 AM
OK, update.
A little extra info on the two suspect files. There were two dll files and they were named winsock.dll and wsecedit.dll. The NFO instructed users to go into system32 and replace these files with these files (which I did not do - this seemed a little too odd to carry through with the application I thought I had - guess I should've known it was a fake at that point in retrospect).
Maybe this is why the malware generated the error, I didn't create the environment it needed.
The great news is that when things started going wrong, I basically stopped everything and went into "disinfecting mode" (I didn't work on anything critical until the issue was caught)
The other great news was that I explicitly remembered decompressing the nfo first before dinking around with the apparent malware.
So, I took the information gleaned off of the safe mode (the time-stamp of the first error message that appeared) and then found the nfo through a system scan for files created after the 2nd. I then wrote down the time stamp the NFO was "created" and narrowed the time frame down to 18 minutes (2:11 AM for the error message and 1:52 AM when the NFO was created). After that, I went back through the search results (nearly 350 of them, ugh!) and narrowed it all down to a directory and 8 files.
The directory was an additional temp directory with the dll files from the original archive. NUKE!
I found an additional three files in the mozilla cache directory. Since it was clearly a non-vital system related directory (and I can always re-install FireFox if things go horribly wrong), I nuked those three files as well to make sure.
I'll keep my fingers crossed that after all that, I managed to delete the malware in the process (or any critical files the malware needs to run in the first place)
This will actually be the second time I managed to manually disinfect a machine I have if successful. :)
I'll know for sure though if the pop-up doesn't reappear.
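The two manual steps the poster describes (reading the pop-up interval off Event Viewer timestamps, and then limiting the file search to the window between the NFO's creation time and the first error) can be scripted. This is an added example, not code from the thread or from any of the posters; the event entries and file records are constructed here to mirror the thread, and every path, profile name and prefetch file name is a placeholder. Files under the Windows directory that fall in the window are set aside for manual verification instead of being treated as deletion candidates.

```python
"""Timestamp triage helpers: constructed data, not the poster's real logs or files."""
from collections import Counter, defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed event-log entries (timestamp, source, message) standing in for the
# "Information" events the poster found in Event Viewer. Not real log data.
EVENTS = [
    ("2009-01-03 02:11:07", "Application Popup", "NTVDM CPU illegal instruction t2989.exe"),
    ("2009-01-03 02:40:00", "Service Control Manager", "Service entered running state"),
    ("2009-01-03 03:12:07", "Application Popup", "NTVDM CPU illegal instruction t4481.exe"),
    ("2009-01-03 04:13:07", "Application Popup", "NTVDM CPU illegal instruction t0152.exe"),
    ("2009-01-03 05:14:07", "Application Popup", "NTVDM CPU illegal instruction t7730.exe"),
]

# Constructed file records (path, creation time) standing in for a *.* search
# sorted by creation date. Paths are illustrative placeholders.
FILES = [
    (r"C:\Users\USER\AppData\Local\Temp\abc123\winsock.dll", "2009-01-03 01:53:10"),
    (r"C:\Users\USER\AppData\Local\Temp\abc123\wsecedit.dll", "2009-01-03 01:53:11"),
    (r"C:\Users\USER\Downloads\readme.nfo", "2009-01-03 01:52:00"),
    (r"C:\Users\USER\AppData\Local\Mozilla\Firefox\Profiles\x\Cache\0A1B2C3D", "2009-01-03 02:05:30"),
    (r"C:\Windows\System32\drivers\etc\hosts", "2008-11-02 09:00:00"),
    (r"C:\Windows\Prefetch\NTVDM.EXE-PLACEHOLDER.pf", "2009-01-03 02:11:07"),
    (r"C:\Users\USER\Documents\notes.txt", "2009-01-03 09:30:00"),
]

# Directories whose contents should be verified by hand, never bulk-deleted.
PROTECTED_PREFIXES = (r"C:\Windows",)


def popup_period_minutes(events, source="Application Popup"):
    """Return the dominant interval in minutes between events from `source`.

    Returns None when fewer than two matching events exist or when no single
    interval accounts for more than half of the gaps (i.e. no regular period).
    """
    times = sorted(datetime.strptime(ts, FMT) for ts, src, _ in events if src == source)
    if len(times) < 2:
        return None
    gaps = Counter(int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:]))
    period, count = gaps.most_common(1)[0]
    return period if count * 2 > len(times) - 1 else None


def files_in_window(files, start, end, protected_prefixes=PROTECTED_PREFIXES):
    """Split files created within [start, end] (inclusive) into two groups.

    Returns (candidates, needs_review): candidates is a dict of directory ->
    list of paths outside protected locations; needs_review lists in-window
    paths under a protected prefix, which must be checked against a known-good
    reference before any action. Creation times can be altered by an
    attacker, so an empty result does not prove a directory is clean.
    """
    t0, t1 = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    protected = tuple(p.upper() for p in protected_prefixes)
    candidates, needs_review = defaultdict(list), []
    for path, created in files:
        ts = datetime.strptime(created, FMT)
        if not (t0 <= ts <= t1):
            continue
        if path.upper().startswith(protected):
            needs_review.append(path)
        else:
            directory = path.rsplit("\\", 1)[0]
            candidates[directory].append(path)
    return dict(candidates), needs_review


if __name__ == "__main__":
    print("pop-up period (minutes):", popup_period_minutes(EVENTS))
    cands, review = files_in_window(FILES, "2009-01-03 01:52:00", "2009-01-03 02:11:07")
    for directory, paths in cands.items():
        print(directory)
        for p in paths:
            print("   ", p)
    print("verify by hand:", review)
```

On the constructed data the period comes out as 61 minutes, matching the "1 hour and 1 minute" the poster observed, and the window yields three directories of candidates (the temp directory holding the two DLLs, the downloads folder with the NFO, and the browser cache) plus one Windows prefetch entry flagged for verification rather than deletion.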
DrewWilson
January 4th, 2009, 01:12 AM
Hey...if it aint bothering you, don't go fuckin' with it!
Well, possible malware included keyloggers, worms and general spyware. One example of the worm was that it spreads through USB devices (data storage). I use data storage, and I also don't want key-loggers to be going around my machine, so I had reason to go after this little bastard. If there was a possibility that it was going to spread, I had to do everything I could to kill it.
Edit: Oh yeah, every file I deleted had some indication of what they were used for. If it was some sort of file located in, say, the kernel, I would go and verify what that file really was first before I made any decision. Since the files I was looking for had to be created in the span of 18 minutes, it was actually unlikely that what I was going to find was going to be found in a critical system AFAIK.
DrewWilson
January 4th, 2009, 01:48 AM
FUCK YEAH!!!!
No pop-up after a whole hour. Looks like my harebrained solution actually worked.
Thanks MR for the safe mode suggestion. If you hadn't suggested it, I'd probably still be scratching my head over how in the world am I going to find this thing.
Looks like my not-so-bright moment turned into the best moment I've had this year so far! :D (which actually isn't saying much, but it'll be difficult to top this moment!)
I suspect it was that extra dll file sticking around causing the problems, but who knows? At least this shit is gone now. :)
Edit: I can't believe a series of time stamps, a pencil and a piece of paper ended up being a better anti-virus system than my Norton Internet Security, LMFAO!!!
napho
January 4th, 2009, 06:46 AM
I think it's time for some new programs to fight this kind of thing. Spybot and Ad-Aware seem antiquated. Maybe something like this is better. It's hard to tell what works or not.
"Malwarebytes' Anti-Malware is considered to be the next step in the detection and removal of malware. In our product we have compiled a number of new technologies that are designed to quickly detect, destroy, and prevent malware. Malwarebytes' Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect."
http://www.malwarebytes.org/mbam.php
joebloe12
January 4th, 2009, 11:15 AM
Wow way to resort to extreme tactics joebloe12.
It was a suggestion if all else fails IDIOT! I could care LESS if you like it or not.
And it is NOT "extreme" if you cannot get rid of the malware.
shawners
January 4th, 2009, 05:24 PM
Whatever happened to system restore? Go back to the night before when things were working properly.
Feather
January 4th, 2009, 08:24 PM
firefox went totally corrupted on me
lost everything but favorites
now I have to reset 30 or so passwords
DrewWilson
January 4th, 2009, 09:53 PM
Whatever happened to system restore? Go back to the night before when things were working properly.
That was probably going to be my next step if this didn't work (which it did - no pop up messages all day)
Failing that, it was probably getting a rootkit detector and seeing what I could find. Failing that, a complete reformat.
It's why I was ecstatic when I found out that the second attempt to remove the malware worked, because the steps gradually got more extreme. :)
Edit: come to think of it, I'm not too sure a system restore in this particular case would have worked because it was just a pair of dll files sitting in my temp folder. To my knowledge, system restore simply goes to a point previously when it comes to whatever was installed.
Having said that, there was really no way of knowing this. If my second attempt never worked, then the system restore probably worked because it was formally (and stealthily) installed and system restore, in that case, probably would have wiped it off the system.
I got lucky and figured out (with a little help from MR) probably the best solution first and it was rather complicated. It was just the perfect set of circumstances that allowed me to stomp out the malware manually.
One way or another, the malware that got on my machine didn't stand a chance surviving on my machine for long. ;)
DrewWilson
January 6th, 2009, 07:22 AM
firefox went totally corrupted on me
lost everything but favorites
now I have to reset 30 or so passwords
Been meaning to respond to this.
Oops. Sorry 'bout that. Maybe I shouldn't have deleted those files! ;)
mfgbypooter
January 6th, 2009, 07:42 AM
Wow way to resort to extreme tactics joebloe12.
If a reformat is extreme, then I guess using a 357 is out of the question...
ikkenom
April 15th, 2009, 09:00 AM
>>> C:\Users\**YOUR NAME**\AppData\Temp\t2989.exe
Start -> Run -> 'cmd' (without the quotes) ENTER
CD USERS
CD **YOUR NAME**
CD Appdata
CD Temp
ATTRIB -H -R -S *.exe
ERASE t2989.exe
MKDIR t2989.exe
exit
The 'MKDIR' creates a "directory", instead of a "file",
which _may_ prevent the malware from recreating the file
that you just deleted.
1cooldude
April 15th, 2009, 09:34 AM
nice work. :)
RACKnRAIL
April 15th, 2009, 10:28 AM
"Malwarebytes' Anti-Malware is considered to be the next step in the detection and removal of malware.
You are correct. Many anti-malware forums recommend Malwarebytes as a partial fix for many kinds of aggressive virus and malware infections. Superantispyware is also good, as corny as it sounds. Hijackthis, if used correctly, is another fine bit of work. Also, to finally confirm that you're clean, Kaspersky's online virus scan and/or ESET's online scan, as well as a few other online scanners. I find Kaspersky to be very thorough.
1cooldude
April 15th, 2009, 10:34 AM
I would place Kaspersky at the top of the heap for sure. Being very effective and so much less of a load on the PC resources than any Norton's product or McAfee makes it a great choice for sure.
RACKnRAIL
April 15th, 2009, 10:41 AM
I would place Kaspersky at the top of the heap for sure. Being very effective and so much less of a load on the PC resources than any Norton's product or McAfee makes it a great choice for sure.
I was only referring to online scanners, but Kaspersky AV is definitely good software from what I understand. I have never used it personally though. I've used ESET's NOD32 for several years now and am quite happy with it. I've heard 2009 Norton (Symantec) is not too bad now. Nowhere near the resource hog it once was.
drtoker
April 15th, 2009, 11:32 AM
+1 for malwarebytes. I'm a tech, and I always run across infections (spyware, malware etc) that are not removed fully by spybot and the likes. I usually resorted to manually removing infections, but not anymore! This program is great, and I highly recommend it to everyone, novice and computer pros alike. It's amazing stuff, and FREE!
Glad things seem to have worked out for you.
1cooldude
April 15th, 2009, 11:58 AM
I agree toker. Great little utility and it works very well.