It's Snark hunting time again:)


I've been wondering for a while now why my Torrent application seems to be
using all my upload bandwidth and slowing browsing to a crawl even when I
have the Torrent upload limit capped to a sensible level. I shut all apps
down and fired up the DSL modem meter and bugger me there's about 70kb/s of
upload ticking away in the background all the time. Me smells a Snark that's
insinuated its nasty little self onto my pc.

Nothing unusual appearing in Task Manager but then most nasties don't show
up there anyway. Fire up MBAM and it won't update itself. Hmmm. Check
firewall settings. Still no joy. Into Firefox and try to access the MBAM
website to download the current version. No joy. Hmmm. Nasty little Snark is
stopping anything MBAM related running it seems. Clever little Snark. I like
a challenge :)

Run "NETSTAT -B" and there's an unknown component running.

Time to dig all the Snark hunting tools out and see if I can pot myself
something tasty for lunch.
Dave Baker

Re: It's Snark hunting time again:)


OK, I'm getting pissed off now. It's disabled System Restore, HijackThis is
not showing anything I can spot as an immediate problem, and I can't run any
anti-malware programs. This little sod might actually be too clever for me.
Any suggestions?

Re: It's Snark hunting time again:)

Update 3 - and hopefully finally

Damn thing kept coming back as fast as I could delete it, well within a
couple of hours usually anyway, so time to get creative. There must be
another file tucked away somewhere that downloads the main Gremyvk.dll one
when it gets deleted. How to find that one now is the task. I decided to try
setting the System32 directory and its subdirectories to read-only in case
the downloader wasn't quite smart enough to get round that.

Into My computer, C drive, System32, right click, properties and set it, its
subs and all files to read-only. Two files pop out that won't allow their
attribute to be changed. Haha mischievous little malware author. You've been
a bit too smart for your own good. In the attempt to enmesh things into the
disk structure and make them harder to delete you've given me a spoor to
follow. The hunter's hot on your trail now. In the System32/drivers
directory two little suspiciously named sys files called wqwvbfee.sys and
ywbqjlbb.sys with locked permissions.

No hits for either on Google so into Recovery Console and zap them. Several
hours later now and Gremyvk.dll still isn't back so it's looking good.

A pretty satisfying Snark hunt all things considered. Good fun tracking down
and deleting the nasties, no real damage done, just System Restore left to
fix when I can be bothered. So for the pros out there who might want to add
this one to their antimalware progs it basically seems to be just
Gremyvk.dll in the system32 directory and either or both of those sys files
in the System32/drivers directory plus a few registry entries in
HKLM/System/Controlset001 (plus 002 and currentcontrolset)/Services.

I'm not yet sure how the sys files were getting loaded but I'll maybe have
another dig around later. Couldn't find any reference to them in the
registry anyway.
Dave Baker
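The two checks the thread relies on, mapping unexplained upload traffic to a process (what "NETSTAT -B" gives you) and going through the Services keys in each ControlSet for driver entries that don't belong, can be scripted for a repeatable triage. The PowerShell below is an added example written for this page, not code from the original posts; it assumes a modern Windows host with the NetTCPIP module and Get-AuthenticodeSignature available, and the "random-looking name" rule is a weak, hypothetical heuristic modelled only on the two eight-letter driver names quoted above.

```powershell
# Added example (not from the original thread). Run from an elevated prompt.
# Two defender-side checks: which process owns each outbound connection, and
# which kernel-driver service entries point at missing, unsigned or oddly named files.

function Get-ConnectionsByProcess {
    # Equivalent of "netstat -b": every established TCP connection with its owning image.
    Get-NetTCPConnection -State Established | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            PID        = $_.OwningProcess
            Image      = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }
        }
    }
}

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # Driver ImagePath values come in several shapes:
    #   system32\drivers\x.sys, \SystemRoot\system32\drivers\x.sys, \??\C:\...\x.sys
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDriverServices {
    # Walks the Services key in each control set named in the thread and flags
    # kernel/file-system driver entries (Type 1 or 2) worth a second look.
    param([string[]]$ControlSets = @('CurrentControlSet', 'ControlSet001', 'ControlSet002'))
    $seen = @{}
    foreach ($cs in $ControlSets) {
        $base = "HKLM:\SYSTEM\$cs\Services"
        if (-not (Test-Path $base)) { continue }
        foreach ($svc in Get-ChildItem $base -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or ($props.Type -ne 1 -and $props.Type -ne 2)) { continue }
            if (-not $props.ImagePath) { continue }
            $path = Resolve-DriverImagePath $props.ImagePath
            $key = "$($svc.PSChildName)|$path"
            if ($seen.ContainsKey($key)) { continue }   # same entry mirrored across control sets
            $seen[$key] = $true

            $flags = @()
            if (-not (Test-Path $path)) {
                $flags += 'missing-file'                 # entry survives, binary already removed
            } else {
                $status = (Get-AuthenticodeSignature $path).Status
                if ($status -ne 'Valid') { $flags += "signature:$status" }
            }
            # Hypothetical heuristic: eight random lowercase letters, as in the thread's names.
            if ($svc.PSChildName -match '^[a-z]{8}$') { $flags += 'random-looking-name' }

            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    ControlSet = $cs
                    Service    = $svc.PSChildName
                    ImagePath  = $path
                    Start      = $props.Start      # 0 = boot, 1 = system, 2 = auto
                    Flags      = ($flags -join ',')
                }
            }
        }
    }
}

# Usage:
#   Get-ConnectionsByProcess | Sort-Object Image | Format-Table -AutoSize
#   Get-SuspiciousDriverServices | Format-Table -AutoSize
```

Treat the output as a worklist rather than a verdict: an unsigned driver from an old hardware vendor is common on aging machines, and the name heuristic will occasionally catch a legitimate eight-letter driver. What it surfaces cheaply is the pattern in the thread, a boot- or system-start driver entry, present in more than one control set, whose binary is unsigned or no longer on disk.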
