This is dead serious. I have a Win XP-SP2 (NTFS) on my HP-520 laptop that has been infected for quite some time now. A couple of months ago I found this suspicious 0 byte file "khw" under the C, D and E drives, googled it, and the possible explanation was that such files are ADS files (Alternate Data Streams). I just deleted them and scanned my system, and the AV removed some viruses which I do not remember. Some days later this "khw" file appeared again in the same locations and in the Shared Documents folder (C:\Documents and Settings\All Users\Documents), along with another file with a crazy name, "eftr.exe" or so, with a devilish icon, which appeared in the same location and the Shared Documents folder. Any moderate PC user could identify the crazy-named file as a virus. Anyway, I deleted it along with the "khw" file and searched my system for files with those names, found and deleted them. I scanned with the AV and, if I remember correctly, the AV found a couple of other suspicious files and quarantined them.
Some days later these "khw" files appeared, now as "khv", so I just did not bother. Again, a couple of days later you could see those crazy-named virus files again, this time with a different name, "sfdewx.exe" or so, in the same location as the khw/khv file, this time with a penguin icon. I searched my system for those crazy-named files and found them in the same locations as the previous finds, so I deleted them manually, mostly networked shares. I scanned with the AV and followed the same procedure a couple more times.
On one occasion (last month), my system got infected with the Sality virus (I strongly feel that was courtesy of "khw") and it spread to my other desktop PC via a USB drive. The desktop got infected due to the nature of Sality (a patching virus), patching all exes on my PC as well as on my laptop, which made it nearly impossible to execute any program, as it took ages to load, and when it did load all sorts of errors made the program crash, and many times the system too. System crashes and system hangs were common during those 4-5 days. Meanwhile I had to carry on with my business, so I was not able to find the time to scan or reinstall XP on both my systems; on top of it I had to service my clients, so I had to copy software from my infected PC or laptop onto a pen drive (in safe mode). So the clients' PCs too got infected via USB, as most of the software which I copied from my infected system was patched by the Sality virus.
All the while, I had Kaspersky's VRT (Virus Removal Tool) at my disposal. K-VRT on some occasions was able to prevent its own exe from being patched, while on other occasions it succumbed to the Sality virus. If K-VRT got infected I had to download a fresh copy from their site, boot the system in safe mode, and was able to cure most of the patched exes (even AV exes were patched). However, some software (patched ones) which warrants a reboot of the system if you happen to uninstall or reinstall it on a normal (uninfected) PC prevented the Sality virus from being completely removed from the system, as rebooting in safe mode did not clear their traces, and on normal boots the virus would just not be cleaned completely.
I had to reinstall XP on my desktop and installed other essential software, so I was under the impression that all was well with at least my PC, which I use for stock trading and online banking. However, last week I checked the "My Network Places" folder and to my horror I found "networked shares" I had never created (see "scrnsht1.bmp"). I tried to check the workgroup under which those network shares were assigned by clicking on "View Workgroup Computers" (see scr1.bmp) but got an error (see scr2.jpg). Pls note I have an administrator account, do not have a network and have never created one, so I do not know where those shares came from.
I deleted all of them, but again a couple of days later you could see there were other network shares with different share names etc. This happened a couple more times. On every occasion I deleted them, as I was not finding the time to sort this problem out. However, yesterday again an unidentified network share was found, so I actually clicked on that share and to my surprise was able to browse to that share (computer), open a file and then save it on my desktop PC. As soon as I finished saving the file the network share disappeared automatically, as if it had never been there. This makes me think that the virus actually knows what is executed on my PC and acts accordingly (maybe every detail). After that I have been continuously checking the "My Network Places" folder but no shares are showing up. However, I continue to get the error (see scr2.jpg) when I try to check the workgroup under which those network shares were assigned by clicking on "View Workgroup Computers" (see scr1.bmp).
This was enough of a wake-up call, as my system was actually being hacked (which up until now I had only read about on the internet) and all my sensitive info is at grave risk (stock trading, online banking, confidential business details may have already been hacked). One thing I would like to point out is that when I browsed to the unidentified network share, I saw the "khw" and "khv" files on the network share as well, which makes me think that either the owner of that computer may have hacked into my system, or it is just a bot and is actually a peer to my PC, made possible by those khv or khw (whatever you may want to call them) files which are on both systems.
I suspected Conficker; however, Symantec's Removal Tool found nothing.
I have attached a screenshot of the netstat command (scr2.bmp). I have never used/tried netbios, epmap, or microsoft-ds (I guess they are workgroup/domains created). In the root of every drive there is a System Volume Information folder, created with the hidden attribute, though System Restore is disabled. I have Unlocker installed, and when I was not able to delete the folder with the Delete key, Unlocker showed the screenshot (scr3.bmp).
I am also attaching the K-VRT generated files (one from a normal boot and the other from safe mode) of my desktop PC.
My plan is to first change all my banking details, buy a copy of a good AV, back up all my docs on the PC, delete the partition (make it raw), format with NTFS, reinstall XP and then try to track the hacker (the file I downloaded from the other unidentified network-shared computer may have a clue to the hacker; it's a banking document). Meanwhile I sincerely need your help; I hope you guys will not disappoint, as you are experts. I am attaching all suspicious files found on my system (even those khw's; pls test them on your system to identify the culprit) and the reports of the virus removal tool generated during safe mode and in normal boot mode of my PC. I am uploading the files from my laptop, and to give you another example that the virus is tracking my actions on my PC: when I tried to copy "avptool_sysinfo.zip" and "avptool_sysinfo_safemode.zip" to my pen drive it disabled the paste command while in the pen drive folder, so you can assess the seriousness of the damage it is causing to my system. Symantec's VRT found nothing, so my last line of hope is you guys; pls pls do not disappoint. I actually like Kaspersky very much, as their pricing is very fair and the AV engine scores over others on many parameters such as scanning time, heuristics, detection rate, ability to remove hard-to-get viruses etc., and overall is a much better bet.
Activity done on Feb 07 2010 on my infected DESKTOP (PC)
I deleted all the partitions on the hard drive of my desktop, formatted a single NTFS partition and installed XP-SP2. I connected to the internet and installed the graphics, sound and USB 2.0 drivers from Intel's site, Firefox, Unlocker and WinRAR from download.com, and disabled System Restore. I checked the C: drive, found a "System Volume Information" folder (though System Restore is disabled), clicked on it and got the error "C:\System Volume Information is not accessible. Access is denied." (WTF is going on, this is an absolutely clean install). I also tried to browse My Network Places (though I did not create any, just to check if I get the same error which occurred before clean-installing XP) and I got the same error which I had before reinstalling XP (error.bmp). What does this suggest? Pls pls plz, help.
- Archive of suspicious files.
- list.txt contains a list of suspicious files and their location.