
Advance unknown malware


Hi, this is my 1st post...

I am MCSE/CCNP etc... so I consider myself close to an expert.... but this new threat has fooled me big time.

On June 2nd, 2010, I was on one of the torrent sites with FireFox 3.6.3 & Java Version 6 Update 20

One of the malware banners installed itself... I noticed it within 10 secs of it installing on my PC. Disconnected my internet & cleared cache & disabled the Java plugin. For the next few days everything went smoothly, however I never rebooted my PC. I had also checked my msconfig, did not find any odd entries. No new processes, or at least the names were familiar. 3 days later rebooted PC...

Problem started: within a few mins I started noticing a lot of internet traffic. Ran TcpView from MS. I saw a lot of SMTP connections from services.exe & ran Wireshark to see a lot of Viagra etc. emails being streamed out.

Over the years I have learned some tricks to counter attack this...

I changed the default gateway to something else, so the connection will be there but no internet traffic. I can still use the local network.

I connected to my router & set up a filter to block all in/out SMTP port 25 traffic for my home subnet.

Looked into Registry for Run/RunOnce in Current User & local machine.


I submitted sample of





came out clean.

I also went into registry for

I did not find any new dll or other files listed in the system32 folder sorted by date [DIR /OD]

The only connections I am seeing are, during startup of the PC, svchost.exe to the internet & later non-stop services.exe connecting & once in a while explorer.exe connecting. I have also installed Zone Alarm free version to block these programs from connecting outside.

I have also scanned PC with Norton AV, Trend, Malwarebytes, Superspyware, spybot, PCtool Spyware doctor.

None of them were able to detect this unknown virus so far. Since doing all this I am now only seeing port 80 connections from services.exe

Here is an attached Zone Alarm log file. Please ignore PCtools & "google update" blocking in it.

Help Please



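The poster's first useful signal was TcpView showing services.exe holding many SMTP sessions, something a workstation's service control manager never does on its own. The following is an added example (not code from the original post or from any tool the poster used) that turns that observation into a repeatable check over a TcpView/netstat-style connection listing: it flags any tcp/25 session from a system process, flags any outbound session from services.exe at all, and flags SMTP fan-out to many distinct hosts, which is the spam-bot pattern seen in the Wireshark capture. The sample lines, the NO_SMTP_EXPECTED set and the fan-out threshold are constructed assumptions for illustration.

```python
"""Flag spam-bot style SMTP activity in a TcpView/netstat-like listing.

Added example, not from the thread. The connection lines in SAMPLE are
constructed (RFC 5737 documentation addresses), not the poster's log.
"""
import re
from collections import defaultdict

# Assumed: workstation system processes that should never open outbound
# SMTP (tcp/25) sessions themselves. On the poster's machine services.exe did.
NO_SMTP_EXPECTED = {"services.exe", "svchost.exe", "explorer.exe", "lsass.exe"}

# Constructed sample in "proto local remote state process" layout,
# loosely modelled on what TcpView / netstat -b shows.
SAMPLE = """\
TCP 192.168.1.10:49201 203.0.113.5:25 ESTABLISHED services.exe
TCP 192.168.1.10:49202 198.51.100.7:25 SYN_SENT services.exe
TCP 192.168.1.10:49203 198.51.100.9:25 ESTABLISHED services.exe
TCP 192.168.1.10:49204 203.0.113.80:80 ESTABLISHED services.exe
TCP 192.168.1.10:49205 192.0.2.10:443 ESTABLISHED firefox.exe
TCP 192.168.1.10:49206 192.0.2.25:25 ESTABLISHED thunderbird.exe
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING svchost.exe
"""

LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)$")


def parse(text):
    """Yield (proto, remote_ip, remote_port, state, process) for each
    well-formed line; anything that does not match the layout is skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            proto, _lip, _lport, rip, rport, state, proc = m.groups()
            yield proto, rip, int(rport), state, proc.lower()


def find_suspicious(text, smtp_hosts_threshold=2):
    """Return a list of (finding, process, detail) tuples.

    Findings raised:
      smtp-from-system-process  a NO_SMTP_EXPECTED process talking to tcp/25
      services.exe-outbound     any non-listening socket owned by services.exe
      smtp-fanout               one process with SMTP sessions to >= threshold
                                distinct remote hosts (mail client: usually 1)
    """
    smtp_hosts = defaultdict(set)   # process -> distinct SMTP peers
    findings = []
    for _proto, rip, rport, state, proc in parse(text):
        if state == "LISTENING":    # listeners are not outbound activity
            continue
        if rport == 25:
            smtp_hosts[proc].add(rip)
            if proc in NO_SMTP_EXPECTED:
                findings.append(("smtp-from-system-process", proc, rip))
        if proc == "services.exe":
            findings.append(("services.exe-outbound", proc, f"{rip}:{rport}"))
    for proc, hosts in smtp_hosts.items():
        if len(hosts) >= smtp_hosts_threshold:
            findings.append(("smtp-fanout", proc, f"{len(hosts)} hosts"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE):
        print(*finding)
```

Run against the constructed sample, the legitimate mail client (one SMTP peer) produces nothing, while services.exe produces eight findings: three tcp/25 sessions from a system process, four outbound sockets it should not own at all (including the later port 80 traffic the poster mentions), and one fan-out finding. The router-level block on tcp/25 the poster configured stops the spam leaving the subnet, but this kind of per-process check is what shows that the infected host is still trying.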

any help guys?

well, none of the AV & other scanners are detecting anything yet... however I was able to find the file that is doing this.

The file was located at C:\Windows\System32\drivers\dleanxk.sys

I was unable to rename, copy or delete it.

Same in Safe mode & Windows recovery DOS mode.

I was finally able to rename it by booting from CD & going to Windows recovery DOS mode. No services.exe connection anymore... nothing in firewall logs so far.

However, as I was trying to upload it to VirusTotal, the file got deleted by some unknown process. Anyway, here is the registry it creates.... it's a partial list.





"Group"="Boot Bus Extender"


I hope someone can explain this.

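The one registry value the poster managed to paste, "Group"="Boot Bus Extender", is the detail that explains the rest of the symptoms: that load group is started by the kernel before almost everything else, so a driver registered there is already running when Safe Mode or the Recovery Console tries to rename its file, which is why only an offline boot from CD worked. Below is an added example (not the poster's code or the forum's) of a small parser for an exported .reg fragment of HKLM\SYSTEM\CurrentControlSet\Services that lists every driver placed in that group and flags any whose image file is not on a known-good list. The .reg text is constructed and modelled on the partial listing above; the service key name "exampledrv" is hypothetical (the poster never gave the key name), and the ALLOWLIST is an assumed, illustrative baseline rather than an authoritative inventory of that load group on any Windows version.

```python
"""List 'Boot Bus Extender' drivers from a .reg export and flag unknown ones.

Added example, not from the thread. SAMPLE_REG is a constructed fragment
modelled on the poster's partial listing; the key name 'exampledrv' is
hypothetical. The image file name dleanxk.sys is the one the poster reported.
"""
import re
from collections import OrderedDict

# Assumed baseline of image files normally found in the Boot Bus Extender
# group; illustrative only, build a real one from a known-clean machine.
ALLOWLIST = {"acpi.sys", "pci.sys", "isapnp.sys", "pciide.sys"}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')

# Constructed .reg fragment (raw string so the .reg-style "\\" survives).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCI]
"Type"=dword:00000001
"Start"=dword:00000000
"Group"="Boot Bus Extender"
"ImagePath"="system32\\DRIVERS\\pci.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv]
"Type"=dword:00000001
"Start"=dword:00000000
"Group"="Boot Bus Extender"
"ImagePath"="system32\\drivers\\dleanxk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"
"""


def decode_value(raw):
    """Decode the two .reg value encodings this example needs:
    dword:XXXXXXXX -> int, and a quoted string with \\ unescaped to \\."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Return {service_name: {value_name: value}} for each [key] block,
    keyed by the last path component of the key (the service name)."""
    services = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").split("\\")[-1]
            services[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            services[current][m.group("name")] = decode_value(m.group("val"))
    return services


def flag_boot_bus_drivers(text, allowlist=ALLOWLIST):
    """Return [(service, image_basename, start)] for every service in the
    Boot Bus Extender group whose image file is not on the allowlist."""
    flagged = []
    for name, vals in parse_reg(text).items():
        if vals.get("Group") != "Boot Bus Extender":
            continue
        image = str(vals.get("ImagePath", ""))
        basename = image.replace("/", "\\").split("\\")[-1].lower()
        if basename not in allowlist:
            flagged.append((name, basename, vals.get("Start")))
    return flagged


if __name__ == "__main__":
    for svc, image, start in flag_boot_bus_drivers(SAMPLE_REG):
        print(f"{svc}: {image} (Start={start}) not in allowlist")
```

On the constructed fragment only the hypothetical exampledrv entry is reported (Start=0, i.e. loaded at boot), PCI passes because pci.sys is on the baseline, and the Spooler is ignored since it is not in the group. Exporting the Services key from an offline boot, as the poster eventually did with the file itself, is the reliable way to get an honest listing when a boot-time driver is filtering what the running system shows.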

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
