multiple malware infection

I'm cleaning a computer with multiple infections.

There was a rootkit named kernelw.sys

There were tons of trojans.

There was this new stuff sol852.txt

SAS kept BSODing, but not anymore.

The rootkit is out, sol852 too. Still getting pop-up "your pc is infected" and that sort of crap. Can't access regedit, taskmanager or control panel on normal mode.

Ran HijackThis and fixed some entries, but still no luck. Right now I'm running SAS in safe mode, with the latest definitions.

If you have any suggestions, I'd appreciate it. If more details are needed, please say so.

If malware samples are needed, I'll try recovering from quarantine.


Hi and welcome to the SAS forums :P

It sounds as if there is still bad code running on your machine.

*Once we remove the active mal code we can then reset the items that you are locked out of :wink:

Download a copy of Autoruns : http://www.microsoft.com/technet/sys.../AutoRuns.mspx

Run a scan but press ESC to stop it.

Click options.

Check both "verify code signatures" and "hide signed microsoft entries". This will make the list a lot shorter.

Now press F5 to rerun the scan with the new settings.

Click file, save as, and save the log to your desktop.

Open it, copy all and paste it into your next post.

* If your firewall requests an outbound connection for Autoruns, grant it permission, as it is phoning home to the central database to verify the signatures of files.

in normal or safe mode?

Good question. If you can manage it, boot into safe mode with networking enabled, as this allows Autoruns to connect to the web and do its stuff :wink:

If not, reg mode will do for now :)


Will do, as soon as SAS finishes scanning. Or should I stop it and do this right away?

No let SAS have its bite of the malware pie and we can sort the remainders (if any).

Ps Reboot if SAS needs to remove anything before generating Autoruns report :wink:


Thanks for all the help. SAS just finished scanning the registry, nothing found yet. Gotta go now, so I'll leave it running. I'll post again in a few hours with the Autoruns report.


Ok I'm only seeing the one suspect entry with 2 loading points in that log.

+ Undefined c:\windows\system32\winter.exe

I'm 99.99% sure it is malware (Fake alert), but before we nuke the file can you upload it to Virustotal for malware checking>>>

LMK if it's flagged and then we will lay the smackdown 8)



Most AVs on virustotal flagged it.

(I had to edit the Hosts file; most AV vendors and virustotal were blocked.)

So I'm nuking that file.

What next?



1) In safe mode, locate and delete the winter.exe file.

Use Autoruns or HJT to remove its load values (x2) from the registry.

2) Next up, time to restore your access permissions (lock outs).

Download this nifty 'lil tool 8)

http://www.castlecops.com/modules/Forum ... le_206.zip

Extract the file and run it. If prompted to keep or remove, keep for now (then ok, continue).

On the left will be a list of categories. One by one, go to each category and check each box, click apply, uncheck each box, click apply, and then move on to the next category.

Once all categories have been used to check and uncheck every option, reboot your system and check to see if things have improved.

3) Time to reset your hosts file, as other legitimate sites will be blocked.

Download HostsXpert>>>


Select restore MS Hostfile

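The hosts-file blocking described in this thread (AV vendors and virustotal unreachable until the file was edited, then an MVP HOSTS list applied), as an added example that is not part of the original posts: a small Python audit that separates MVP-style blocking entries from entries that sinkhole security vendors or redirect a site to some other address. The sample file and the SECURITY_DOMAINS list are constructed assumptions, not data from the thread.

```python
import ipaddress

# Constructed hosts file for the example (not the poster's real file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.virustotal.com
127.0.0.1       superantispyware.com   # vendor site sinkholed
0.0.0.0         ad.doubleclick.net     # MVP-style ad blocking, harmless
192.0.2.10      www.microsoft.com      # redirected to a third-party address
"""
# Assumed list of domains a hijacked hosts file tends to sinkhole; extend as needed.
SECURITY_DOMAINS = ("virustotal.com", "superantispyware.com", "microsoft.com")
SINKHOLES = ("127.0.0.1", "0.0.0.0", "::1")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield str(ip), host.lower()


def audit_hosts(text, security_domains=SECURITY_DOMAINS):
    """Return {hostname: verdict} for every entry other than plain localhost."""
    verdicts = {}
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # expected on every Windows box
        is_vendor = any(host == d or host.endswith("." + d) for d in security_domains)
        if ip not in SINKHOLES:
            verdicts[host] = "redirect to %s (possible pharming)" % ip
        elif is_vendor:
            verdicts[host] = "security vendor sinkholed (blocks updates and scans)"
        else:
            verdicts[host] = "blocking entry (ad/tracker style), review only"
    return verdicts
```

Run it against a copy of `%SystemRoot%\system32\drivers\etc\hosts` taken before the reset; anything in the "redirect" or "sinkholed" buckets is what HostsXpert's restore removes.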


Performed all steps. But I chose MVP's HOSTS.

OMG...still getting the fake alert! In safe mode...just performed all steps, haven't rebooted yet.


hhmmm, that proper.exe has been detected and removed on some scans... it's still there...

winter.exe still there, but before running HJT I looked for it manually and didn't find it...

Gotta leave now, I'll be back in about an hour.


Ok, this infection is respawning itself from 1 file :(

We need to clobber them all in one sitting in order to effect a full cleanup.

So best to print this if you can, as we need to hit them all in one sitting!

These are malware files>>>>

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe

O4 - HKLM\..\Run: [undefined] C:\WINDOWS\system32\winter.exe

O4 - HKCU\..\Run: [undefined] C:\WINDOWS\system32\winter.exe

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - Startup: infos.exe

O4 - Global Startup: autos.exe

Download ProcessExplorer and install (Unzip)>>>

http://www.microsoft.com/technet/sysint ... lorer.mspx

Next up, boot into safe mode.

Open ProcessExplorer and highlight any of the files listed above if active. Right click and select *kill process*.

Next up, HiJackThis to Fixcheck the load values for those files.

Next up, manually locate and delete the files listed above. Rescan with HJT to check that the load values have not returned and then reboot.

These are vacated load values that need removing (FixCheck by HJT).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll (file missing)

I'm hoping this has got it nailed, as I'm now offline for the next 20hrs.

If the entries do not return, then rerun XPreset in order to unlock those functions again.

All the best:)

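The triage the helper did by eye on the HijackThis log above (a chained system.ini Shell= value, one binary with two Run load points, and "(no file)"/"(file missing)" leftovers), as an added Python example that is not part of the original posts. The sample log is constructed from the entries quoted in the thread plus one benign ctfmon.exe line as a control; the heuristics are assumptions about what deserves a second look, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the entries quoted in this thread (not the poster's log).
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\system32\\proper.exe
O4 - HKLM\\..\\Run: [undefined] C:\\WINDOWS\\system32\\winter.exe
O4 - HKCU\\..\\Run: [undefined] C:\\WINDOWS\\system32\\winter.exe
O4 - HKCU\\..\\Run: [Windows update loader] C:\\Windows\\xpupdate.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Startup: infos.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\\WINDOWS\\system32\\bronto.dll (file missing)
"""
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
MISSING_MARKERS = ("(no file)", "(file missing)")

def flag_entries(log_text):
    """Return {entry: [reasons]} for HijackThis lines that deserve a second look."""
    findings = defaultdict(list)
    run_points = defaultdict(set)  # lower-cased path -> {(load point, entry)}
    for line in log_text.splitlines():
        raw = line.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "F2" and body.startswith("REG:system.ini: Shell="):
            # Clean value is bare Explorer.exe; anything appended is a second program
            # started with the shell (how proper.exe kept respawning the rest).
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings[raw].append("shell hijack: extra program chained to Explorer.exe")
        elif code == "O4":
            m4 = O4_RE.match(body)
            if m4:
                if m4.group("name").lower() in ("", "undefined", "(no name)"):
                    findings[raw].append("Run value has no proper name")
                run_points[m4.group("path").lower()].add((m4.group("loc"), raw))
        if any(marker in body for marker in MISSING_MARKERS):
            findings[raw].append("vacated load value (target file missing)")
    # Same binary under several load points (HKLM and HKCU Run here) is the
    # "2 loading points" pattern the helper spotted for winter.exe.
    for points in run_points.values():
        if len(points) > 1:
            for _loc, raw in points:
                findings[raw].append("loaded from %d locations" % len(points))
    return dict(findings)
```

Entries with a plausible name and a present file (xpupdate.exe, the Startup folder items) pass these checks, which is why the thread still relied on a VirusTotal result before deleting anything.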


All done.

All HJT logs seem OK, no trace of those entries. ProcessExplorer looks clean too... No more popups. Files are not there anymore, and the HOSTS file stays there...

However... regedit and task manager are still impossible to open, even though I tried XPsec in reg and safe mode. Control panel and windows update are working now...

Thanks for all your help. I'll run SAS one last time, and I'll give the computer back...can't do any more right now...

Once again, thanks a lot!
