OS: Vista Business 32-bit SP2
H/W: Dell Optiplex 755
RAM: 4G

Symptoms:
=========
None now. Previously, when connected to the network, AVG Network Scanner Service would take a lot of CPU cycles (but not 50 or 100%). This would start a few seconds after being connected to the network (and thus the Internet) and stop when the NIC was disabled or unplugged.

The (dual-core) system became so sluggish that the mouse cursor would stop responding for minutes at a time; sometimes the screen would go black for a few seconds and Windows would then display a balloon notification saying 'Display driver amdkmdap stopped responding and has successfully recovered.' I would guess there to be a high-priority (possibly invisible) process using most of the CPU, as Task Manager and System Explorer would not show any process using all the CPU cycles.

Prior to these symptoms, the system would blue screen a minute or so after booting up, whether or not the machine was logged on.

History
=====
On 06-Mar-12, an up-to-date (in terms of definitions - obviously it is deprecated) AVG 9 detected Win32/Cryptor located in an EXE file in %TEMP% where the process was javaw.exe. 1 second later, same virus, same file, but the process was regsvr32.exe. 13 seconds later, the same virus in a different exe in C:\Windows\Temp (which is not an environment variable). Then the machine blue-screened. So:

Code:
"Virus found Win32/Cryptor";"c:\Users\%USERNAME%.%USERDOMAIN%\AppData\Local\Temp\0.5944445455683106g8j8.exe";"Infected";"06/03/2012, 11:42:45";"file";"C:\Program Files\Java\jre6\bin\javaw.exe"
"Virus found Win32/Cryptor";"c:\Users\%USERNAME%.%USERDOMAIN%\AppData\Local\Temp\0.5944445455683106g8j8.exe";"Infected";"06/03/2012, 11:42:46";"file";"C:\Windows\system32\regsvr32.exe"
"Virus found Win32/Cryptor";"c:\Windows\Temp\_ex-68.exe";"Infected";"06/03/2012, 11:42:59";"file";"C:\Users\JAMES~1.SYN\AppData\Local\Temp\0.2252302422435205g8j8.exe"

The previous system shutdown at 11:43:08 on 06/03/2012 was unexpected.
The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0xfffffffe, 0x00000001, 0x89d5c7ff, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP.

A few more blue screens followed and then I was told about the situation by the user. I immediately unplugged the machine from the network and determined that the machine would blue screen a few minutes after booting without logging it on. I asked my colleague what happened and he said that AVG had briefly popped up some virus alerts about a Cryptor virus and then the machine had blue screened.

So I rebooted it in Safe Mode without problems at 12:24 and started investigating. I ran a command-line AVG scan and it found the above two infected files and moved them to Virus Vault (Quarantine). While it was scanning I looked around myself and found several files in %TEMP% and C:\Windows\Temp created at 11:42, so after the scan had finished I renamed all of them, prefixing their filenames with "Suspect ". I also looked in Task Manager and searched the registry. I found a registry entry pointing at \??\%TEMP%\5689.sys in: HKLM\System\ControlSet???(various)\Services\5689. This made me sure that at least one of these files was a virus that AVG9 was not picking up. As I had renamed it, I knew it would not start, so I didn't touch the registry.

I rebooted in Normal Mode, and the machine no longer blue screened. As expected:
The 5689 service failed to start due to the following error: The system cannot find the file specified.

As I wanted Internet access to update virus definitions, etc., I put the computer on an isolated VLAN where its Internet access was going through a firewall with only output access allowed to selected DNS servers, port 80 and 443. The firewall was running Snort with all categories enabled. I also changed its DNS servers to the OpenDNS ones (via DHCP).

The next day I uploaded the 5689.sys file to VirusTotal but only 2 scanners detected it (Dr. Web and Sophos) with generic type names. It is now detected by 13 but still not AVG: https://www.virustotal.com/file/09f1512461887659ce803d17772075261bb5f6536f08a8d7afe6eef543e0829c/analysis/1331573345/

I also uploaded the other files and some were detected by a few scanners, increasing in number over the past week. Most relevant is probably E.class, detected by some as Exploit.Java.CVE-2011-3544.P (AVG did not detect it). This is obviously how the machine got the Cryptor virus and disabled UAC. But I also saw this later in the AVG Resident Shield logs:

Code:
"Trojan horse Agent3.WJV";"c:\Windows\System32\drivers\Wdf01000.sys";"Object is white-listed (critical/system file that should not be removed)";"06/03/2012, 15:58:15";"file";"System"

I ran a manual scan and it no longer found any problem with Wdf01000.sys. I uploaded the file to VirusTotal but it was not detected as suspicious. I tried SFC /SCANNOW and it did not find any problems except tcpmon.ini being corrupt (IIRC). I took the hashes of the file and googled them and people thought it was OK. I googled the tcpmon.ini issue and someone said it was OK and that SFC /SCANNOW had problems with it. Ref

I installed System Explorer and did a Security Scan and nearly all the processes came back OK, and I looked into the others and they all had a right to be there. As Sophos was one of the only scanners that seemed to be detecting some of the suspected files I submitted to VirusTotal, I installed their free manual scanning tool. It picked up 3 of the files I had already renamed, but not the Wdf01000.sys file. So I began to think I was clean.

But I noticed that I was getting alerts from Snort saying things like executable code had been downloaded, as well as other ones. I ran Wireshark on the PC and saw it was downloading lots of updates from various legitimate update software. But I also noticed that from time to time AVG would tell me that there were tracking cookies used by iexplore.exe. As I was using Firefox and Internet Explorer did not seem to be running, this was weird.

I installed ThreatFire and it almost immediately told me there was a hidden iexplore.exe process running and did I want it to continue. I had seen that some service on the computer was doing GETs on an IP address within the network that the machine had been on before I isolated it, so I assumed that that service may be using iexplore.exe to perform those GETs for the reporting that it does. Legitimate. However, I stopped that service and the AVG warnings continued. So I told ThreatFire to block hidden iexplore.exe processes and it all quietened down.

I noticed that if I connected to the machine via Remote Desktop, it was barely usable (CPU loaded so much) so I reverted to the local console. It seemed it may be connected to a scheduled task that runs when someone connects to the machine. *(The machine no longer has this unresponsiveness problem today.)

At some point, I rebooted the machine as I thought it was clean. I also updated Java, installed a Windows Update and installed the NoScript add-on for Firefox (enabling scripts globally but disabling plug-ins). At some point, it became apparent that whenever the machine was connected to the network it became unresponsive, lots of CPU cycles would be taken by AVG Network Scanner, possibly even more by something hidden, and the hidden iexplore.exe was still starting up if I removed the allow from ThreatFire. Wireshark would just show what looked to be normal stuff, but analysis today of all websites visited on Friday showed 1 suspicious one (with the current Firefox User-Agent). I visited the URL myself on my PC and Firefox+NoScript tried to download the photos.jsp file that contained obfuscated HTML. Rather, not the HTML was obfuscated, but what would be visibly displayed in a browser was unintelligible to me. I assumed it was very suspicious and so I googled the domain name. McAfee SiteAdvisor said it was risky.

I googled "solutionadnet.com photos.jsp" (without quotes) and found a page asking the OP to download and run TDSSKiller. As this was made by Kaspersky and came with instructions from them, I decided that running it myself was not too risky. I downloaded it to my PC, immunized a USB stick, copied it onto the USB stick, ran it on the infected PC and it detected and fixed after a reboot:

Wdf01000 ( Virus.Win32.Rloader.a ) - infected
\Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - infected

I will post the full log below.

After the reboot, I wanted to see if the suspicious behaviour had gone, so I removed the ThreatFire rules on iexplore.exe and reconnected to the network. It no longer went unresponsive. iexplore.exe no longer starts up. I can now connect via Remote Desktop without unresponsive behaviour. So is the machine clean?

Looking back now, I can see something suspicious that may need looking at: when I booted into Safe Mode, this was one of the System errors in the EventLog:

Source: sptd
Driver detected an internal error in its data structures for .
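The AVG Resident Shield records quoted in the post are semicolon-separated, double-quoted fields. As an added example (not part of the original post or of AVG's own tooling), here is a small Python triage script that parses those records, orders the hits by time, and flags any parent process that is itself running from a temp directory, which is what the third record shows; the field names and the temp-directory heuristic are my assumptions, and the three sample records are the ones quoted above.

```python
import csv
from datetime import datetime

# The three AVG records quoted in the post, one record per line.
AVG_LOG = r'''"Virus found Win32/Cryptor";"c:\Users\%USERNAME%.%USERDOMAIN%\AppData\Local\Temp\0.5944445455683106g8j8.exe";"Infected";"06/03/2012, 11:42:45";"file";"C:\Program Files\Java\jre6\bin\javaw.exe"
"Virus found Win32/Cryptor";"c:\Users\%USERNAME%.%USERDOMAIN%\AppData\Local\Temp\0.5944445455683106g8j8.exe";"Infected";"06/03/2012, 11:42:46";"file";"C:\Windows\system32\regsvr32.exe"
"Virus found Win32/Cryptor";"c:\Windows\Temp\_ex-68.exe";"Infected";"06/03/2012, 11:42:59";"file";"C:\Users\JAMES~1.SYN\AppData\Local\Temp\0.2252302422435205g8j8.exe"'''

# Assumed field order, inferred from the records above (not documented by AVG here).
FIELDS = ("detection", "path", "status", "timestamp", "kind", "process")
# Drop locations the infection used; a process *running* from one of these is a
# stronger signal than a file merely being written there.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_avg_log(text):
    """Parse AVG export lines into dicts; timestamps are dd/mm/yyyy as in the post."""
    rows = []
    for fields in csv.reader(text.splitlines(), delimiter=";", quotechar='"'):
        if len(fields) != len(FIELDS):
            continue  # skip blank or truncated lines instead of mis-indexing them
        row = dict(zip(FIELDS, fields))
        row["time"] = datetime.strptime(row["timestamp"], "%d/%m/%Y, %H:%M:%S")
        rows.append(row)
    return rows


def in_temp(path):
    """True if the path lies under a per-user or system temp directory."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def triage(text):
    """Return (seconds since first hit, detection, parent process, parent-in-temp) per record."""
    rows = sorted(parse_avg_log(text), key=lambda r: r["time"])
    first = rows[0]["time"]
    return [(int((r["time"] - first).total_seconds()), r["detection"],
             r["process"], in_temp(r["process"])) for r in rows]


if __name__ == "__main__":
    for delta, detection, process, flagged in triage(AVG_LOG):
        print(f"+{delta:>3}s  {detection:<26} parent={process}"
              f"{'  <-- parent runs from temp' if flagged else ''}")
```

On the post's records the parent chain reads javaw.exe, then regsvr32.exe, then an executable in %TEMP% fourteen seconds after the first hit, which is the drop-and-register pattern worth escalating rather than cleaning one file at a time.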