Let me first start off this post by saying that I had a "complete idiot" moment. Normally, I scan every file still in its compressed form before I even think about any form of uncompression. This sort of thinking has kept my systems clean for years.
Recently, I downloaded something and I forgot the "scan the damn file first" step. Once I knew something was up, it was already too late and I got something. I did a full system scan with Norton Anti-Virus 2008 and it only detected the files in their compressed state. Not wanting any repeat incidents, I nuked the archive as well as the entire directory that was found in the 'temp' folder to make sure it was gone.
The only reason I found out I had something was that a DOS prompt window would randomly come up and an error message would appear saying:
C:\Users\**YOUR NAME**\AppData\Temp\t2989.exe
The NTVDM CPU has encountered an illegal instruction.
CS:1204 IP:03c7 OP:63 68 65 22 20 Choose 'Close' to terminate the application.
[Close] [Ignore]
I Googled the error message and this particular issue has been linked to various forms of malware, but nothing consistent. I'm, at this point, 100% sure I have some form of malware floating around on my system. Every time the error message pops up, I hit close, thinking it's a trojan/worm not agreeing with my setup.
While the general error message gets results, this specific line of code turns up with no results. So, wanting to figure out the source files of this error message, I went into ctrl+alt+delete when the error message popped up again and only found the NTVDM.exe process (which, after some research, seems to be a Windows Core file) and when I click on 'close', the process disappears.
I also browsed the directories to look for the t2989.exe file and I managed to get all the way to the Temp directory, but the executable file doesn't even exist.
While I was able to wipe the perpetrating files, it seems that the payload is still roaming somewhere in my system.
I can only think of two options at this point in time: removing the NTVDM.exe file (though I'm not sure if it contributes to system stability, so I chose not to) or a system restore (which Norton says is a bad idea).
I thought I might also just post my findings so far and see if there is any way I can launch something that will detect what is kicking up the error message (which is probably the malware)
Norton can't seem to pick up the malware even though it detected it in the compressed versions, and some people who have had similar issues report that all the other scanners can't seem to pick up whatever is infecting their machines either (one person apparently reformatted and the error messages kept popping up after that still).
I also note that I have only gotten the round of error messages once after I nuked the file too.
I'm running Windows Vista Home Premium 32-bit.
Any help will be greatly appreciated. :)
My Blog
Free Music I Produced
My Music Available on ED2K
Some of my Tunes on BitTorrent
2005 P2P writer and still alive.
You don't remember which program you were trying to install? Was it a 16-bit DOS program?
CPU: AMD Athlon 64 x2 (2x3.20Ghz)
CPU Fan: Zalman NT
Power Supply: ATX 750W Power & Cooling
MB: Asus M2N32-SLI Deluxe Wi-Fi
RAMs: 2x1GB Corsair DDR2-667
Video Card: PCX EVGA 8800GT 512MB
Sound Card: SB X-FI Fatal1ty
OS: WinXP Pro SP2
HDDs: 1-WDC Raptor 150GB, 1-WDC 120GB 1-WDC My Book Essential 500GB, 2-Maxtor 2x250GB 1 - WDC Caviar 1TB
The THIRD option is to reformat. If all else fails. But that all depends on if you have all your driver disks and win vista disks.
Not a fun option, I know, but if all else fails you can try that.
Wow way to resort to extreme tactics joebloe12.
NO ONE EXPECTS THE SPANISH INQUISITION!!!
MI-BA-BLA-BA-SPLOSIONS!!!!
ZP'S MODDIN' MANATEE!
I remember which program I was trying to install and since it was a program that was about a year old, I highly doubt it's 16-bit. It seems strange that I managed to narrow this thing down to, what appears to be, a simple file-path, yet I hit a roadblock. I'll see if I can see this thing in DOS.
If I can't see it in there, I think I'll presume it's a rootkit and get something like blacklight to see if I can see what I'm dealing with. I can't see this working properly without the main exe file (unless it has a way of replicating itself)
I have another thought: remember I was about to install this thing two days ago, so see if search can detect any file that was created in that time-frame, then Google each file and delete the unknown ones. If anti-malware programs can't auto-detect this thing, maybe I can manually root this thing out since I have some clues as to its whereabouts.
Your cpu fan is lacking lubrication, just shoot some of your natural lube in that sucker. If your out of juice, just find some random homeless guy to jerk off.
For those who caught it, this advice is better than the previous suggestions.
Sorry, its too much fun abusing psychological effects. I'm an asshole I know, but I didn't have constructive advice. Hope you can take a joke Drew.
Anyone upset or offended by my post please follow the link and let your opinions be known.
http://www.zeropaid.com/bbs/showthread.php?t=55492
OK, I went through the directories in question and see nothing, but I notice a difference between what is being noticed and what is actually there. It keeps looking in a directory before temp that doesn't exist while the actual path has the 'local' dir.
what it says:
C:\Users\**USERNAME**\AppData\Temp\t2989.exe
What is actually there
C:\Users\**USERNAME**\AppData\Local\Temp\
I think I'll have to do a full system search for this particular executable. Maybe it's somewhere else and might lead me to the malware if it's not actually it.
Edit: OK, I'll give that a shot MR. Thanks. :)
:P
Nice edit.
Anyway, while I was in safe mode, I managed to find the event log and found the points in which it popped up the error message (which is apparently an information pop-up)
I also discovered that it popped up precisely once every 1 hour and 1 minute. Fortunately, I was in safe mode right before it was supposed to pop up and it didn't pop up right on schedule. Whether that's because of the restart or because safe mode disables the internet, I'm not entirely sure.
However, I managed to write down the time stamp of the first pop-up, so I narrowed this time frame down to the second in which I started getting these pop-ups. So this stuff had to have been put on just moments before.
Another interesting thing is that the numbers keep changing. Clearly, this exe file is being created somehow and deleted when it runs into whatever problem it has.
I tried finding this through other means in safe mode, but no go. I couldn't find out anything about how these pop-ups are being generated other than their numbers and time stamps. I saved the results in safe mode so I can access it in normal mode.
If the pop-ups start again, I might want to try and boot into safe mode if I haven't figured out anything else in the meantime, wait 1 hour and 2 minutes and see if the pop-up gets generated there.
In the meantime, I'll try *.* with a creation time of a nice narrow window. Shouldn't give me much, but hopefully it'll turn up some unwanted files. :)
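The event-log work described in the post above (finding the pop-up records, noting their timestamps, spotting the fixed 1h01m cadence) can be done from PowerShell instead of by hand. The script below is an added example for this thread, not the poster's own method. It assumes the NTVDM "illegal instruction" dialog is recorded in the Application log by the 'Application Popup' provider at Information level, which matches the poster's "information pop-up" observation but is not confirmed on the page; if your log attributes it to another source, change or drop -ProviderName. The three-day StartTime, the regex for the path, and the scheduled-task cross-check are likewise the example's own choices.

```powershell
# Added example, not from the original thread. Pull the NTVDM pop-up records out
# of the Application event log and measure the gap between consecutive ones; a
# near-constant interval (the poster saw about 1h01m) points at a scheduled task,
# a service timer or a resident process rather than a one-off crash.
# ASSUMPTION: the "NTVDM CPU has encountered an illegal instruction" dialog is
# recorded by the 'Application Popup' provider at Information level. If your log
# attributes it to another source, change -ProviderName (or drop it and rely on
# the message match alone).

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Popup'
    StartTime    = (Get-Date).AddDays(-3)    # cover the two days since the install
}

$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'NTVDM' } |
          Sort-Object TimeCreated)

if ($hits.Count -eq 0) { Write-Host 'No matching pop-up events found.'; return }

# Show each hit with the path NTVDM complained about. The tNNNN.exe name changes
# every time, so the directory is the useful part.
$hits | ForEach-Object {
    $path = if ($_.Message -match '([A-Za-z]:\\[^\s"]+\.exe)') { $Matches[1] } else { '(no path in message)' }
    New-Object PSObject -Property @{ Time = $_.TimeCreated; Path = $path }
} | Format-Table Time, Path -AutoSize

# Interval between consecutive pop-ups.
for ($i = 1; $i -lt $hits.Count; $i++) {
    $gap = $hits[$i].TimeCreated - $hits[$i - 1].TimeCreated
    '{0}  gap since previous: {1}' -f $hits[$i].TimeCreated, $gap
}

# Cross-check against things that run on a timer: scheduled tasks with a repeat
# interval, and the per-user/per-machine autostart entries.
schtasks /query /fo LIST /v | Select-String -Pattern 'TaskName|Task To Run|Repeat: Every'
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
```

Run it from an elevated PowerShell prompt so the log and the HKLM Run key are readable. The interval list is the interesting output: a gap that is constant to the second is the signature of something re-launching the dropped file on a timer, and the parent of that timer (task, service, autostart entry) is what needs removing, not the transient tNNNN.exe that the dialog names.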
Hey...if it aint bothering you, don't go fuckin' with it!
Hard as ever and here to make you people believe...as long as there is one person to hold hope and dream...A GOD...will never die!
OK, update.
A little extra info on the two suspect files. There were two dll files and they were named winsock.dll and wsecedit.dll. The NFO instructed users to go into system32 and replace these files with these files (which I did not do - this seemed a little too odd to carry through with the application I thought I had - guess I should've known it was a fake at that point in retrospect).
Maybe this is why the malware generated the error, I didn't create the environment it needed.
The great news is that when things started going wrong, I basically stopped everything and went into "disinfecting mode" (I didn't work on anything critical until the issue was caught)
The other great news was that I explicitly remembered decompressing the nfo first before dinking around with the apparent malware.
So, I took the information gleaned off of the safe mode (the time-stamp of the first error message that appeared) and then found the nfo through a system scan for files created after the 2nd. I then wrote down the time stamp the NFO was "created" and narrowed the time frame down to 18 minutes (2:11 AM for the error message and 1:52 AM when the NFO was created). After that, I went back through the search results (nearly 350 of them, ugh!) and narrowed it all down to a directory and 8 files.
The directory was an additional temp directory with the dll files from the original archive. NUKE!
I found an additional three files in the Mozilla cache directory. Since it was clearly a non-vital system related directory (and I can always re-install Firefox if things go horribly wrong), I nuked those three files as well to make sure.
I'll keep my fingers crossed that after all that, I managed to delete the malware in the process (or any critical files the malware needs to run in the first place)
If successful, this will actually be the second time I've managed to manually disinfect a machine of mine. :)
I'll know for sure if the pop-up doesn't reappear, though.
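The hunt described in the post above, and first proposed a few posts earlier ("see if search can detect any file that was created in that time-frame"), is a creation-time sweep over a narrow window. The script below is an added example for this thread, written by the editor, not the poster's procedure (they used Windows search, a pencil and paper). It takes the thread's two timestamps (NFO extracted 01:52, first pop-up 02:11) as the default window on today's date because the page never gives the actual date; pass -Start and -End with the real one. The list of drop locations, the SHA-1 column and the "usual suspects" filter are the example's own additions; winsock.dll and wsecedit.dll are the names the poster quotes from the NFO.

```powershell
# Added example, not from the original thread. List every file whose creation
# time falls inside a narrow window under the places a dropper usually writes,
# with size and SHA-1 so each entry can be looked up or compared afterwards.
# The default window uses the times the thread reports (NFO extracted 01:52,
# first pop-up 02:11) on today's date; pass -Start/-End with the real date.
param(
    [datetime]$Start = (Get-Date '01:52'),                 # ASSUMED date: today
    [datetime]$End   = (Get-Date '02:11').AddMinutes(1)
)

# Likely drop locations. Add drive roots (e.g. 'C:\') if nothing turns up.
$roots = @(
    $env:USERPROFILE,
    "$env:ProgramData",
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\System32"
)

$sha1 = [System.Security.Cryptography.SHA1]::Create()

$found = foreach ($root in $roots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $_.CreationTime -ge $Start -and $_.CreationTime -le $End } |
        ForEach-Object {
            # Hash what we can; locked or unreadable files are still listed.
            $hash = 'unreadable'
            $fs = $null
            try {
                $fs = $_.OpenRead()
                $hash = [System.BitConverter]::ToString($sha1.ComputeHash($fs)) -replace '-', ''
            } catch { } finally { if ($fs) { $fs.Close() } }
            New-Object PSObject -Property @{
                Created = $_.CreationTime
                Size    = $_.Length
                SHA1    = $hash
                Path    = $_.FullName
            }
        }
}

# Creation order top to bottom reads as the drop sequence.
$found | Sort-Object Created | Format-Table Created, Size, SHA1, Path -AutoSize

# Usual suspects: executable types, plus files that borrow the names the NFO told
# the user to overwrite in System32 (winsock.dll, wsecedit.dll).
$found | Where-Object { $_.Path -match '\.(exe|dll|sys|scr|bat|cmd|vbs)$' -or
                        $_.Path -match '\\(winsock|wsecedit)\.dll$' } |
    Sort-Object Created | Select-Object Created, SHA1, Path
```

Run it elevated so System32 and other users' folders are readable. Two caveats a practitioner would add to the poster's approach: creation timestamps are attacker-controlled (a dropper can set them to anything), so an empty window does not prove the machine is clean, and a hit in System32 should be compared against a known-good copy (hash or signature) before deletion rather than removed on the strength of its timestamp alone.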
Well, possible malware included keyloggers, worms and general spyware. One example of the worm was that it spreads through USB devices (data storage) I use data storage and I also don't want key-loggers to be going around my machine, so I had reason to go after this little bastard. If there was a possibility that it was going to spread, I had to do everything I could to kill it.
Edit: Oh yeah, every file I deleted had some indication of what they were used for. If it was some sort of file located in, say, the kernel, I would go and verify what that file really was first before I made any decision. Since the files I was looking for had to be created in the span of 18 minutes, it was actually unlikely that what I was going to find was going to be found in a critical system, AFAIK.
FUCK YEAH!!!!
No pop-up after a whole hour. Looks like my harebrained solution actually worked.
Thanks MR for the safe mode suggestion. If you hadn't suggested it, I'd probably still be scratching my head over how in the world am I going to find this thing.
Looks like my not-so-bright moment turned into the best moment I've had this year so far! :D (which actually isn't saying much, but it'll be difficult to top this moment!)
I suspect it was that extra dll file sticking around causing the problems, but who knows? At least this shit is gone now. :)
Edit: I can't believe a series of time stamps, a pencil and a piece of paper ended up being a better anti-virus system than my Norton Internet Security, LMFAO!!!
I think it's time for some new programs to fight this kind of thing. Spybot and Ad-Aware seem antiquated. Maybe something like this is better. It's hard to tell what works or not.
"Malwarebytes' Anti-Malware is considered to be the next step in the detection and removal of malware. In our product we have compiled a number of new technologies that are designed to quickly detect, destroy, and prevent malware. Malwarebytes' Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect."
http://www.malwarebytes.org/mbam.php
Whatever happened to system restore? Go back to the night before, when things were working properly.