- Jul 24, 2000
I spent about five hours investigating why I was getting a DEP protection error on Explorer.exe. It kept crashing with "memory could not be read" and a DEP error. This happens immediately at start-up.
Apparently my visiting brother had used my computer while I was asleep (it was 1am).
NOD32 v2.70.39 with 07/14/2007 updates immediately caught THREE files being "modified" by svchost.exe with the names BIT20DF.tmp, BIT20EF.tmp and BIT20??.tmp. It flagged them as a new unknown heuristic PE virus. This happens at the first start-up.
RogueRemover v1.20 gives the following in C:\WINDOWS\:
1. msddx.dll, msqnx.dll and a third dll file as Rogue.Misc (some sort of downloader)
2. two registry settings for the first two dll files.
SUPERAntiSpyware (latest) gives the following:
1. The same files and registry entries as RogueRemover, except without the third dll file.
2. A folder named NewMediaCodec (the folder was empty when I checked before removing it).
I used RogueRemover to remove all those files and then SUPERAntiSpyware to remove the rest. The Kaspersky online scan came up clean, but it gave me warnings about a few locked files. Most of them belonged to Windows Desktop Search, but two are in: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader
Background Intelligent Transfer Service (BITS) as co-conspirator
The two files in that folder are qmgr0.dat and qmgr1.dat, which are locked by svchost.exe according to Unlocker v1.85. I was able to use Notepad to view the two files (mostly cryptic characters with a few visible plain-text http links).
Both of them contained a link to the file hxxp://update.bestmange.org/xarv0077.exe (can't remember the exact link and filename). I used FlashGet to download it, but NOD32 wouldn't let it finish. The file was identified as a new unknown heuristic PE virus. There were also filenames of Windows Update security fixes.
The second link was something like http://195.xxx.xxx.xxx/?????/, which the Dr. Web online website scan reveals is a link to download malware.
I believe BITS was used to download whatever else after the initial infection, with the possible ability to bypass the firewall, since BITS is probably trusted (Comodo Firewall). I read recently that BITS might be exploited for malicious purposes, and this might be one such case.
*******************************
EDITED:
Needless to say, I am pretty mad at him for downloading something from a pop-up that asked him if he wanted to run the file. He wouldn't tell me how he got it, but my guess is some xxx website. The explorer.exe crashing and DEP errors have stopped. To be safe, I will restore an image I made about two months ago.
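As an added example (not part of the original post, and not code from any tool mentioned in it), here is the check the post did by hand in Notepad, done reliably: carve http URLs out of a binary blob such as qmgr0.dat/qmgr1.dat, both as plain ASCII and in the UTF-16LE encoding Windows services commonly use for strings, then flag any host that is a raw IP address (like the post's 195.x.x.x link) or is not a Windows Update domain. The sample bytes, the .invalid domain, the 198.51.100.23 test address and the allowlist are all constructed for this example; nothing here assumes the real on-disk format of the BITS queue files, it only carves readable strings the way a strings tool would.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample standing in for the qmgr0.dat/qmgr1.dat contents the post
# describes: mostly non-printable bytes with a few readable URLs. The byte layout
# is invented for this example; it is not the real BITS queue file format.
SAMPLE_BLOB = (
    b"\x01\x00\x00\x00\x8f\x20\xd3\x1a"
    + "http://update.example.invalid/payload77.exe".encode("utf-16-le")
    + b"\x00\x00\x00\x00\x7f\x13"
    + b"http://download.windowsupdate.com/msdownload/update/sample-security-fix.exe"
    + b"\x00\x00\xff\xfe"
    + "http://198.51.100.23/gate/".encode("utf-16-le")
    + b"\x00\x00\x05"
)

# Domains Windows Update itself legitimately schedules BITS jobs against.
# Illustrative allowlist for this example, not an authoritative list.
EXPECTED_DOMAINS = ("windowsupdate.com", "update.microsoft.com", "download.microsoft.com")

# Printable-ASCII (0x21-0x7E) runs that start with http:// or https://.
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
# The same thing as UTF-16LE: every printable byte is followed by a NUL byte.
WIDE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def carve_urls(blob: bytes) -> list:
    """Return (offset, url) pairs for every ASCII or UTF-16LE URL in blob, in file order."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_URL.finditer(blob)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_URL.finditer(blob)]
    return sorted(hits)


def classify(url: str) -> str:
    """Verdict for one URL: raw-IP hosts and hosts off the allowlist are suspicious."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "suspicious: raw IP host"
    except ValueError:
        pass  # not an IP literal, fall through to the domain allowlist
    if any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS):
        return "expected: Windows Update host"
    return "suspicious: host not on allowlist"


def audit(blob: bytes) -> list:
    """(offset, url, verdict) for each carved URL, so the report can be cross-checked against a hex dump."""
    return [(off, url, classify(url)) for off, url in carve_urls(blob)]


if __name__ == "__main__":
    for off, url, verdict in audit(SAMPLE_BLOB):
        print(f"0x{off:06x}  {verdict:<34}  {url}")
```

Run it against a copy of the .dat files rather than the live ones, which, as the post notes, are held open by the svchost.exe hosting BITS. Where bitsadmin is available, `bitsadmin /list /allusers /verbose` reports the same job URLs straight from the service and is the quicker first check on a running machine; the carver is for the offline-image or post-cleanup case where only the files remain.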