Hi there. First of all, I want to say that I consider myself a user with above average computer knowledge, and I am well aware of the rules of keeping a Windows installation clean. That’s why, during the past year, I haven’t caught any real virus infections.
However, today, a nasty malware invaded my system literally out of nowhere, and I am still unable to find out how it hit me, what the precise identity of the malware is (besides that it’s a rogue antispyware product that has taken over the desktop settings and internet connection), or how to get rid of it.
How I got infected
I just visited the ipmart forum (yes, I am 100% sure I typed it correctly), a reputable site with nothing malicious till now. I tried to click on a subforum and then disaster hit out of nowhere. Acrobat Reader opened (!), and then a program named “a” (without the quotes) was detected by Windows Firewall, and I blocked it. However, I noticed the whole Windows Firewall had already been disabled before I managed to click the “block” button, and I had to enable the firewall manually after that. Then, a window with “Antispyware XP 2008” or something like that in its title appeared, with a block of text in the middle and an “I accept and Agree” button at the bottom. I closed the window from the task manager and killed the “a” process, but the virus had already infected the system. Note that all this happened just by clicking on a single subforum of ipmart; I didn’t even have the chance to view the page with the topics (and didn’t download anything from the site).
Damages made to the system
First of all, the wallpaper had been changed (is this supposed to be some kind of sick humor by the malware maker?), and the display settings had the “desktop” and “screensaver” tabs missing. The malware prevents IE from opening. Even with Firefox, it wouldn’t allow me to access the sites of Spybot and Avast (I had to download Spybot from download.com). Also, it prevented Avast, Spybot, and Ad-Aware from connecting to their servers and getting any kind of update. So this thing took over my desktop and internet connection.
Attempts to clean
When I started Avast, it immediately detected one infected file in memory, C:\WINDOWS\System 32\blphcp3aj0etbv.scr, as Win32:Trojan-gen {other} and deleted it. I made a boot time scan. The full scan also detected C:\Documents and settings\<username>\Local Settings.ttF.tmp.vbs as VBS:Malware-gen and C:\System Volume Information_restore{FEA67111 - 3CBO - 4374 - AE5F - C4b91CA5BL0C3} RP232 \ A00066719.scr as Win32: Trojan-gen {other}.
When I deleted all of these infections (after a system lockup that happened when the boot time scan finished and a reset), all of the malicious files had been respawned back to their places. I started Avast (it detected the file in memory again) and made a boot time scan for a second time, but it kept detecting and deleting the same files over and over again.
With Spybot (it wasn’t able to retrieve any updates, by the way), the only thing it did was to block some registry changes twice during (every) boot.
Finally, with HijackThis (I will post a full report tomorrow) I managed to fix the C:\WINDOWS\System 32\lphcp3aj0etbv.exe infection, which is obviously an infection Avast! missed. The malware/rogue antispyware actually complained about its “protection” being corrupted! This allowed me to change the wallpaper back to normal (but not the display settings), files stopped respawning, and Spybot now blocks only one registry change.
What was the identity of the malware that hit me? (so I can look it up in a virus encyclopedia)
How can I completely fix this? (Spybot keeps nagging about one registry change, the display settings still have missing tabs, and Internet Explorer is still dead, so the problem is unfortunately still there).