HURST Posted December 9, 2007
Hi, I'm cleaning a computer with multiple infections. There was a rootkit named kernelw.sys. There were tons of trojans. There was this new stuff, sol852.txt. SAS kept BSODing, but not anymore. The rootkit is out, sol852 too. Still getting the pop-up "your pc is infected" and that sort of crap. Can't access regedit, Task Manager or Control Panel in normal mode. Ran HijackThis and fixed some entries, but still no luck. Right now I'm running SAS in safe mode, with the latest definitions. If any suggestions, I'd appreciate it. If more details are needed, please say so. If malware samples are needed, I'll try recovering them from quarantine.
fatdcuk Posted December 9, 2007
Hi and welcome to the SAS forums. It sounds as if there is still bad code running on your machine.
*Once we remove the active mal code we can then reset the items that you are locked out of.
Download a copy of Autoruns: http://www.microsoft.com/technet/sys.../AutoRuns.mspx
Run a scan but press ESC to stop it. Click Options. Check both "Verify code signatures" and "Hide signed Microsoft entries". This will make the list a lot shorter. Now press F5 to rerun the scan with the new settings. Click File, Save As and save the log to your desktop. Open it, copy all and paste it into your next post.
*If your firewall requests an outbound connection for Autoruns, grant it permission, as it is phoning home to the central database to verify the signatures of files.
HURST Posted December 9, 2007
In normal or safe mode?
fatdcuk Posted December 9, 2007
> In normal or safe mode?
Good question. If you can manage it, then boot into safe mode with networking enabled, as this allows Autoruns to connect to the web and do its stuff. If not, reg mode will do for now.
HURST Posted December 9, 2007
OK, will do, as soon as SAS finishes scanning. Or should I stop it and do this right away?
fatdcuk Posted December 9, 2007
> OK, will do, as soon as SAS finishes scanning. Or should I stop it and do this right away?
No, let SAS have its bite of the malware pie and we can sort the remainders (if any).
PS: Reboot if SAS needs to remove anything before generating the Autoruns report.
HURST Posted December 9, 2007
Thanks for all the help. SAS just finished scanning the registry, nothing found yet. Gotta go now, so I'll leave it running. I'll post again in a few hours with the Autoruns report.
HURST Posted December 9, 2007
3 hours of scanning and still running. Until now, it has only found Trojan.Downloader-Gen/Micky and some cookies. Still not reached \Windows\...
fatdcuk Posted December 9, 2007
Something is not happy on your machine, for sure. Just press Next, let it remove what it has found. Reboot and shoot with Autoruns.
fatdcuk Posted December 9, 2007
Ok, I'm only seeing the one suspect entry, with 2 loading points, in that log:
+ Undefined c:\windows\system32\winter.exe
I'm 99.99% sure it is malware (fake alert), but before we nuke the file can you upload it to VirusTotal for malware checking >>> http://www.virustotal.com/
LMK if it's flagged and then we will lay the smackdown.
HURST Posted December 9, 2007
Ok. Most AVs on VirusTotal flagged it. (I had to edit the Hosts file; most AV vendors and VirusTotal were blocked.) So I'm nuking that file. What next?
fatdcuk Posted December 9, 2007
Ok's
1) In safe mode, locate and delete the winter.exe file. Use Autoruns or HJT to remove its load values (x2) from the registry.
2) Next up, time to restore your access permissions (lock outs). Download this nifty 'lil tool: http://www.castlecops.com/modules/Forum ... le_206.zip
Extract the file and run it. If prompted to keep or remove, keep for now (then OK, Continue). On the left will be a list of categories. One by one go to each category and check each box, click Apply, uncheck each box, click Apply and then move on to the next category. Once all categories have been used to check and uncheck every option, reboot your system and check to see if things have improved.
3) Time to reset your Hosts file, as other legitimate sites will be blocked. Download HostsXpert >>> http://www.funkytoad.com/content/view/13/
Select "Restore MS Hosts file".
HURST Posted December 9, 2007
Hosts file disappeared. winter resisted erasing; software set up to erase it at reboot, so I'm going to safe mode now....
HURST Posted December 9, 2007
OK, performed all steps. But I chose MVP's HOSTS. OMG... still getting the fake alert! In safe mode... just performed all steps, haven't rebooted yet.
fatdcuk Posted December 9, 2007
Just a thought: if the fake alert persists when you reboot into reg mode, can you post a fresh HijackThis log in your next reply?
HURST Posted December 9, 2007
Hmmm, that proper.exe has been detected and removed on some scans... it's still there... winter.exe still there, but before running HJT I looked for it manually and didn't find it... Gotta leave now, I'll be back in about an hour.
fatdcuk Posted December 9, 2007
Ok. This infection is respawning itself from 1 file. We need to clobber them all in one sitting in order to effect a full cleanup. So best to print this if you can, as we need to hit them all in one sitting!
These are malware files >>>>
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O4 - HKLM\..\Run: [undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
Download ProcessExplorer and install (unzip) >>> http://www.microsoft.com/technet/sysint ... lorer.mspx
Next up, boot into safe mode. Open ProcessExplorer and highlight any of the files listed above if active. Right click and select *kill process*.
Next up, HijackThis to Fixcheck the load values for those files.
Next up, manually locate and delete the files listed above. Rescan with HJT to check that the load values have not returned and then reboot.
These are vacated load values that need removing (FixCheck by HJT):
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll (file missing)
I'm hoping this has got it nailed, as I'm now offline for the next 20hrs. If the entries do not return, then rerun XPreset in order to unlock those functions again.
All the best :)
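As an added example (not code from the thread, from HijackThis or from the SAS forums), here is a small Python triage pass over the HJT lines quoted in the post above, plus one constructed benign Run entry to show ordinary lines are left alone. It applies the same reasoning the reply uses: a Winlogon Shell value that chains a second program, Run values with no name, executables dropped straight into the Windows or system32 directory, bare .exe files in the Startup folders, and BHO CLSIDs whose file is gone. The severities and heuristics are this example's own, not HJT's.

```python
import re

# Constructed sample: the HJT lines from the post above plus one made-up benign entry.
HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O4 - HKLM\..\Run: [undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll (file missing)
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\ExampleTool\tool.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.*)$")

def triage_line(line):
    """Classify one HJT line: (severity, reason) if suspicious, else None."""
    if m := SHELL_RE.match(line):
        shell = m.group(1).strip()
        if shell.lower() != "explorer.exe":  # Shell should be Explorer.exe alone
            return "high", "Winlogon Shell chains an extra program: " + shell
    elif m := RUN_RE.match(line):
        hive, name, path = m.groups()
        parent = path.lower().rsplit("\\", 1)[0]
        if name.strip().lower() in ("", "undefined"):  # Run value with no name
            return "high", f"unnamed {hive} Run value loads {path}"
        if parent.endswith(("\\windows", "\\system32")):  # loose exe in Windows dir
            return "medium", f"Run value loads an executable dropped in {parent}"
    elif m := STARTUP_RE.match(line):
        folder, item = m.groups()
        if item.lower().endswith(".exe"):  # Startup folders normally hold .lnk files
            return "medium", f"bare executable in {folder} folder"
    elif m := BHO_RE.match(line):
        clsid, target = m.groups()
        if target == "(no file)" or target.endswith("(file missing)"):
            return "low", f"orphaned BHO {clsid}: remove the load value"
    return None

def triage(log_text):
    """Return [(severity, line, reason)] for every suspicious line in an HJT log."""
    lines = (l.strip() for l in log_text.splitlines())
    return [(hit[0], l, hit[1]) for l in lines if l and (hit := triage_line(l))]
```

Running `triage(HJT_LOG)` flags eight of the nine lines; the constructed Program Files entry passes.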
HURST Posted December 10, 2007
I hope this does the trick, since I won't have access to the PC for several days. I'll post results.
HURST Posted December 10, 2007
OK, all done. All HJT logs seem OK, no trace of those entries. ProcessExplorer looks clean too... No more popups. The files are not there anymore, and the HOSTS file stays there... However... regedit and Task Manager are still impossible to open, despite trying XPsec in reg and safe mode. Control Panel and Windows Update are working now... Thanks for all your help. I'll run SAS one last time, and I'll give the computer back... can't do any more right now... Once again, thanks a lot!
HURST Posted December 10, 2007
UPDATE: regedit and Task Manager working OK. THANKS!