Re: It's Snark hunting time again:)

Update 2

Think I've nailed it. Browsing through the C drive with Ztree I spotted a
dll in the system32 directory called Gremyvk.dll. Firstly, it had the read
only, system and hidden attributes set, which made me suspicious; the name
immediately made me think of gremlin, and it wouldn't let me look inside it.
Googled it but no hits so I popped into the Recovery Console, removed the
read only and other attributes and zapped it anyway. If it was a known
useful dll you'd think there'd have been some hits on Google so I figured it
had to be brand new and potentially nasty.

Result!!! - no more background uploading going on to microsoft-ds, MBAM
updates itself quite happily again, I can get into all the antivirus
websites again with Firefox. Job's a goodun. Funnily enough I can't get into
Bleepingcomputer now to let them know I've fixed it so either they're
coincidentally down at the moment or there's a small legacy of the nasty's
presence still lurking somewhere.

Score another one for the Snark hunter :)
Dave Baker

Re: It's Snark hunting time again:)


Did you try Gmer yet? Maybe you have some other hiding things...Gmer can

Re: It's Snark hunting time again:)

FromTheRafters wrote:

...and maybe a follow-up with SAS too.  A new one came out today.

1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: It's Snark hunting time again:)

Bah humbug. Noticed a programme slowing down a bit today and just on a hunch
had a look in System32 and the effing thing's back again. Same name,
Gremyvk.dll, but I'm sure the file size has changed. It used to be about
160 KB and now it's over 1 MB. Maybe there's a little downloader still tucked
away somewhere which gets it back when I'm online. Otherwise I certainly
haven't visited any dodgy websites today, just my share dealing and news
sites and a couple of car forums.

It hadn't created any registry entries yet as far as I can see and wasn't
actually doing any uploading like it used to but I've zapped it again and
we'll see what happens. At least I know where to look now.

I've a nasty feeling this thing is morphing to block more and more antivirus
sites because it certainly changed to add last time
after I'd posted my issue in there and then later couldn't access it again.
If it's now 6 times the size already god knows what it contains.

Just for now I'm sat online but with no apps running and keeping an eye on
my ADSL meter to see if anything suddenly downloads. I think it's more
likely coming from a specific website though and quite possibly a supposedly
safe one. I might check one site at a time and see if it appears immediately
afterwards until I've pinned it down.

Still no hits for it on Google other than what I'm posting in here but it
can't be long before other people start getting infected.

I think I might create a backup directory for System32 so I have a file
count and a copy of everything currently in there. If I don't add any apps I
should be able to use it as a crosscheck that nothing new has appeared.
Dave Baker
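The manual checks described in this thread (a DLL turning up in System32 with read-only, hidden and system set at once; a file that was about 160 KB reappearing at over 1 MB; keeping a copy of the directory as a crosscheck) boil down to a baseline-and-diff. The script below is an added example, not something posted in the thread, that does the same job with hashes instead of a file count: take a snapshot of a directory, save it, take another later, and report files that were added, removed or changed in content (with old and new size), plus any file carrying the read-only + hidden + system combination. The directory names and file contents in `demo()` are constructed for the example; `snapshot(r"C:\Windows\System32")` is the real use. `os.stat` only reports Windows file attributes on Windows, so the attribute flag is inactive elsewhere.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Windows file-attribute bits as exposed by os.stat().st_file_attributes on Windows.
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
# The combination the poster spotted on the DLL: all three set at once.
SUSPICIOUS_MASK = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def sha256_of(path):
    """Hash a file in chunks so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def file_attributes(st):
    # st_file_attributes exists only on Windows; report 0 elsewhere so the
    # baseline still works (the attribute check then simply never fires).
    return getattr(st, "st_file_attributes", 0)


def snapshot(directory):
    """Return {relative_path: (size, sha256, attributes)} for every file under directory."""
    base = Path(directory)
    entries = {}
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        entries[str(path.relative_to(base))] = (st.st_size, sha256_of(path), file_attributes(st))
    return entries


def save_snapshot(entries, out_file):
    """Persist a baseline as JSON so it can be compared against on a later day."""
    Path(out_file).write_text(json.dumps(entries))


def load_snapshot(in_file):
    """Load a baseline written by save_snapshot (JSON turns the tuples into lists)."""
    return {k: tuple(v) for k, v in json.loads(Path(in_file).read_text()).items()}


def compare(baseline, current):
    """Classify differences between two snapshots and flag suspicious attribute sets."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    # Content changed: hash differs. Report old and new size, since a file that
    # reappears several times larger is exactly the kind of thing worth noticing.
    changed = sorted(
        (p, baseline[p][0], current[p][0])
        for p in set(baseline) & set(current)
        if baseline[p][1] != current[p][1]
    )
    flagged = sorted(
        p for p, (_size, _digest, attrs) in current.items()
        if attrs & SUSPICIOUS_MASK == SUSPICIOUS_MASK
    )
    return {"added": added, "removed": removed, "changed": changed, "flagged_attrs": flagged}


def demo():
    """Constructed example: baseline a directory, plant a new file, grow an existing one, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "kernel32.dll").write_bytes(b"A" * 1024)   # stand-in for a legitimate file
        (root / "user32.dll").write_bytes(b"B" * 2048)
        baseline = snapshot(root)
        save_snapshot(baseline, root / "baseline.json")   # what you would keep from day one
        # Simulate what the poster saw: a new DLL appears and another file changes size.
        (root / "newthing.dll").write_bytes(b"C" * 160 * 1024)
        (root / "user32.dll").write_bytes(b"B" * 2048 + b"X" * 1024)
        current = snapshot(root)
        current.pop("baseline.json", None)                 # the baseline file itself is not System32 content
        return compare(load_snapshot(root / "baseline.json"), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash baseline catches a changed file even when the count and the name stay the same, which a plain copy of the directory and a file count will not. The caveat the thread itself raises applies: the snapshot is taken through the running OS, so a rootkit that hides files or hooks file enumeration can lie to it, which is why the follow-up replies suggest an offline or rootkit-aware scan (GMER) rather than trusting the live view alone.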

Re: It's Snark hunting time again:)

Dave Baker wrote: