
Chinese Virus Removal - Getting ready to install SB 2.3



DBOBA
2014-05-05, 12:23
Aloha,

New to this forum, and was once a user of SB, but it's been a while. No disrespect to SB fans, I just found the much earlier
version I had too CPU- and RAM-intensive, but now I am back...
System and running protection: Win 8 O/S, using MWB, Fiddler 2 for monitoring, and running the useless do-nothing Windows Defender.
I allow nothing to run through my advanced firewall and have numerous block rules in place, inbound and outbound, mainly for .exe's;
no AV, due to my belief most are data miners and keyloggers themselves...
I keep MWB on for DNS monitoring.

After 2 months of periodic full scans using MWB, during which it found 3 potential viruses, it cannot find the "Chinese" virus that uses a second WINLOGON.EXE every 3rd time I log on to my rig. If I kill the process it will jump ship, time out for a few minutes, and then I notice a new process that did not start up with the O/S, like WINLAN or other WIN certs, and it uses them to call home. I can kill the process tree but it doesn't help; this * is using what I am assuming is
Chinese code, and nothing I have can find it, so far that is...
Shockingly, MWB cannot find it or detect it; however, during real-time monitoring MWB will from time to time block the outgoing data and display
the Chinese IP, but he or she uses more than one IP. All of MWB's stop actions are valid, as Fiddler has proven to me, and MWB doesn't miss in this
department, so far.

So here I am, ready to buy a ticket to China and try and hunt the guy down. As a broadband customer in the middle of the Pacific in a very rural mountain setting in Hawaii, it's bad enough my IS is maxing on a good day at about 250Kbs, and now I've got a guy that chokes half of my Internet speed!
I have nothing pertinent on this rig that he could ever use for gain, but nonetheless he still tries sending data packets home to read,
and it is killing my speed and connections.
So here is my question:
If this * was able to tunnel in and modify several Win .exe's, will SB do me any good?
I have heard in some cases if the Chinese script/code is already on your system before any new AV install it can hide from it.
I also read in a couple places that not even a systems wipe can kill it as it doesn't know what to look for and after the wipe will regenerate.

Before I install SB, which I am most likely going to do anyway, I want to know if anyone who has been down this road has an install path for SB
and wishes they had, or woulda coulda shoulda, and can reveal their process here.

Mahalo in advance,

DB
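
A quick local check of the symptom described above (a second WINLOGON.EXE that calls home), as an added example that is not part of the original post and is not Spybot's or Malwarebytes' code: this PowerShell snippet lists every process named winlogon.exe with its image path, parent process and Authenticode signature, then lists any established TCP connections owned by those processes. It assumes Windows 8 or later (for Get-CimInstance and Get-NetTCPConnection), an elevated PowerShell prompt, and that the genuine binary lives at %SystemRoot%\System32\winlogon.exe; those are the only assumptions.

```powershell
# Added example, not code from the thread, from Spybot or from Malwarebytes.
# Assumptions: Windows 8 or later (Get-CimInstance, Get-NetTCPConnection),
# run from an elevated PowerShell so that ExecutablePath is readable, and
# the genuine binary at %SystemRoot%\System32\winlogon.exe.

$expectedPath = Join-Path $env:SystemRoot 'System32\winlogon.exe'

# Every process currently named winlogon.exe, wherever its image lives.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'")

$report = foreach ($p in $procs) {
    # A genuine winlogon is started by a per-session smss.exe that exits
    # right away, so its parent is normally already gone. A parent that is
    # still running (explorer.exe, cmd.exe, a user-mode binary) is itself
    # a red flag.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId)) - still running" } else { "pid $($p.ParentProcessId) (exited)" }

    # Core Windows binaries are often catalog-signed rather than embedded-
    # signed; older PowerShell hosts can report NotSigned for a genuine
    # file. Treat PathOK as the primary check and confirm a doubtful
    # signature with sigcheck or a PowerShell 5.1+ host.
    $sig = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath } else { $null }
    $sigStatus = if ($sig) { $sig.Status } else { 'unreadable' }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        PID       = $p.ProcessId
        Path      = $p.ExecutablePath
        PathOK    = ($p.ExecutablePath -ieq $expectedPath)
        Parent    = $parentText
        SigStatus = $sigStatus
        Signer    = $signer
        Started   = $p.CreationDate
    }
}
$report | Format-Table -AutoSize

# winlogon.exe has no business holding outbound connections to the Internet.
# Any established TCP session owned by one of these PIDs, especially to a
# public address, is what to hand to the analysts together with the logs.
$ids = @($procs | ForEach-Object { $_.ProcessId })
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $ids -contains $_.OwningProcess } |
    Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort |
    Format-Table -AutoSize
```

How to read it: a healthy machine shows one winlogon.exe per interactive session, with PathOK True, a parent that has already exited and no established connections. A second instance running from another directory, with a live parent or holding a remote connection, is the process (and file) to report. The check keys on the process name, so a payload that uses a different name but the same behaviour is not caught by it; that is what the DDS and aswMBR logs requested below are for.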

tashi
2014-05-05, 17:39
Hello DBOBA,

I'd suggest someone takes a look at the system before you do anything else.

If this is a personal computer please start a topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) and a volunteer analyst will advise when available.

First see that forum's FAQ, which also includes instructions in post #2 on how to provide DDS and aswMBR logs; these are used in the preliminary analysis.
http://forums.spybot.info/showthread.php?t=288

Also provide a link back to this thread.

Best regards.