- May 6, 2011
Ok this is a weird one. I had this Conficker infection that I removed using Malwarebytes. Everything seemed fine, repeated scans showed no infection. But at some unknown point it became reinfected. Malwarebytes would no longer remove it; it says it did but it just kept coming back. I tried TDSSKiller and that got rid of it. For a while. But it always comes back.
It seems to spawn from one particular file. That file name is random. On my machine let's just say it is called "ghydw.sjq". This file kept being recreated somehow. After a while it would spawn another file, the same name but a DLL, ghydw.dll. After that file is created it gets flagged by my antivirus software. It quarantines it, but it keeps coming back until I run TDSSKiller again.
I thought I would be clever so I wrote a simple script to delete ghydw.sjq and ghydw.dll and set that script to run every minute via task manager. Problem solved, eh? Nope. Here is where it gets weird. One day I ran TDSSKiller just for giggles, and it turned up 18 infections. They were all services with random names. There were also 18 scheduled tasks, all of which were starting the aforementioned services.
Has anyone seen anything like that?
I tried using Procmon to capture the very first instance of ghydw, but Procmon crashes after about 10 minutes. Either this worm is crashing it, or it is just running out of memory or whatnot. So I can't really trust Procmon to catch anything if it can't stay running.
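The persistence chain described in the post (scheduled tasks whose only job is to start randomly named services, which in turn drop the file) can be mapped without waiting for Procmon to survive. The following read-only triage script is an added example and is not from the original thread or from any of the tools named in it. It assumes `schtasks.exe` and WMI are available (Windows XP and later) and that the shell is elevated; it parses the verbose CSV output of `schtasks` to find tasks whose action is `sc start` or `net start`, resolves each named service's binary path, and separately lists services whose binaries live outside the Windows or Program Files trees. Nothing is deleted, so it can be run while the AV quarantine loop is still going on.

```powershell
# Added triage script (not from the original post). Maps scheduled tasks that
# start services to those services' binaries, then lists services whose binary
# path is outside the usual system folders. Read-only; assumes an elevated shell
# on Windows XP or later with schtasks.exe and WMI available.

# schtasks /v CSV output includes the "Task To Run" column. The header row is
# repeated per task folder on newer Windows versions, so drop those rows.
$tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }

# Task actions of the form "sc start <name>" or "net start <name>" (with or
# without .exe). The captured group is the service name.
$startPattern = '(?i)\b(?:sc|net)(?:\.exe)?\s+start\s+"?([^"\s]+)'

$report = foreach ($t in $tasks) {
    $action = $t.'Task To Run'
    if ($action -match $startPattern) {
        $svcName = $Matches[1]
        # Escape single quotes for the WQL filter.
        $filter = "Name='{0}'" -f $svcName.Replace("'", "''")
        $svc = Get-WmiObject -Class Win32_Service -Filter $filter

        $path  = '<service not registered>'
        $mode  = ''
        $state = ''
        if ($svc) {
            $path  = $svc.PathName
            $mode  = $svc.StartMode
            $state = $svc.State
        }

        New-Object PSObject -Property @{
            TaskName     = $t.TaskName
            NextRun      = $t.'Next Run Time'
            Service      = $svcName
            ServiceFound = [bool]$svc
            StartMode    = $mode
            State        = $state
            BinaryPath   = $path
        }
    }
}

# Services whose binary sits outside Windows or Program Files deserve a second
# look; randomly named files in user or temp folders match the post's pattern.
$unusualSvcs = Get-WmiObject -Class Win32_Service |
    Where-Object {
        $_.PathName -and
        $_.PathName -notmatch '(?i)\\(Windows|Program Files( \(x86\))?)\\'
    }

"== Scheduled tasks that start a service =="
$report | Format-Table TaskName, NextRun, Service, ServiceFound, StartMode, State, BinaryPath -AutoSize

"== Services with binaries outside Windows/Program Files =="
$unusualSvcs | Format-Table Name, StartMode, State, PathName -AutoSize
```

Run it once before and once after a cleanup pass and diff the two outputs: a task that survives cleanup but whose service is no longer registered, or a service whose binary path points at a file the AV keeps quarantining, is the re-creation mechanism the post is chasing. Because the task names and service names are randomized, matching on the action (`sc start` / `net start`) rather than on names is what keeps the check stable across reinfections.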