HURST

multiple malware infection


Hi

I'm cleaning a computer with multiple infections.

There was a rootkit named kernelw.sys

There were tons of trojans.

There was this new stuff sol852.txt

SAS kept BSODing, but not anymore.

The rootkit is out, sol852 too. Still getting pop-up "your pc is infected" and that sort of crap. Can't access regedit, taskmanager or control panel on normal mode.

Ran HijackThis and fixed some entries, but still no luck. Right now I'm running SAS in safe mode, with latest definitions.

If any suggestions, I'd appreciate it. If more details are needed, please say so.

If malware samples are needed, I'll try recovering from quarantine.


Hi and welcome to the SAS forums :P

It sounds as if there is still bad code running on your machine.

*Once we remove the active mal code we can then reset the items that you are locked out of :wink:

Download a copy of Autoruns : http://www.microsoft.com/technet/sys.../AutoRuns.mspx

Run a scan but press ESC to stop it.

Click Options.

Check both "verify code signatures" and "hide signed Microsoft entries". This will make the list a lot shorter.

Now press F5 to rerun the scan with the new settings.

Click File, Save As and save the log to your desktop.

Open it, copy all and paste it into your next post.

* If your firewall requests an outbound connection for Autoruns, grant it permission, as it is phoning home to the central database to verify signatures of files.

In normal or safe mode?

Good question, if you can manage it then boot into safe mode with networking enabled, as this allows Autoruns to connect to the web and do its stuff :wink:

If not reg mode will do for now :)

OK

Will do, as soon as SAS finishes scanning. Or should I stop it and do this right away?

No let SAS have its bite of the malware pie and we can sort the remainders (if any).

PS Reboot if SAS needs to remove anything before generating the Autoruns report :wink:


Thanks for all the help. SAS just finished scanning the registry, nothing found yet. Gotta go now, so I'll leave it running. I'll post again in a few hours with the Autoruns report.


3 hours of scanning and still running.

Until now, only found Trojan.Downloader-Gen/Micky and some cookies.

Still not reached \Windows\...


:shock::?

Something is not happy on your machine for sure :?

Just press Next, let it remove what it has found. Reboot and shoot with Autoruns.


Ok I'm only seeing the one suspect entry with 2 loading points in that log.

+ Undefined c:\windows\system32\winter.exe

I'm 99.99% sure it is malware (Fake alert) but before we nuke the file can you upload it to Virustotal for malware checking>>>

http://www.virustotal.com/

LMK if its flagged and then we will lay the smackdown 8)


Ok

Most AV from virustotal flagged it.

(I had to edit Hosts file, most av-vendors and virustotal were blocked)

So I'm nuking that file.

What next?


Ok's

1) In safe mode locate and delete the winter.exe file.

Use Autoruns or HJT to remove its load values (x2) from the registry.

2) Next up, time to restore your access permissions (lock outs).

Download this nifty 'lil tool 8)

http://www.castlecops.com/modules/Forum ... le_206.zip

Extract the file and run it. If prompted to keep or remove, keep for now (then OK, continue).

On the left will be a list of categories. One by one go to each category and check each box, click Apply, uncheck each box, click Apply and then move on to the next category.

Once all categories have been used to check and uncheck every option, reboot your system and check to see if things have improved.

3) Time to reset your hosts file, as other legitimate sites will be blocked.

Download HostsXpert>>>

http://www.funkytoad.com/content/view/13/

Select restore MS Hostfile

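The thread notes that the infection had edited the HOSTS file so that most AV vendors and VirusTotal were unreachable, and step 3 above restores a clean file. The following Python, added here as an example and not part of the thread or of any of the tools it names, shows the check a responder would run first: parse the hosts file, flag any mapping for a security-vendor hostname (a stock Windows hosts file only maps localhost, so such an entry is suspect whatever address it points to), and emit a cleaned copy that keeps unrelated entries such as MVPS-style ad blocks. The watchlist and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that redirect security-vendor hostnames.

Added example, not from the forum thread. WATCHLIST and SAMPLE_HOSTS are
constructed for illustration; extend the list for your own environment.
"""
import ipaddress

# Illustrative watchlist: domains a fake-alert infection typically blocks so
# the victim cannot reach scanners or updates. Subdomains are matched too.
WATCHLIST = ("virustotal.com", "superantispyware.com", "microsoft.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])  # validates the address field
        except ValueError:
            continue                              # not a mapping line
        for host in parts[1:]:
            yield str(ip), host.lower(), line_no


def is_watched(host):
    """True if host is a watchlisted domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_hijacked(text):
    """Return [(line_no, ip, host)] for every watched hostname in the file.

    The target address is irrelevant: 127.0.0.1, 0.0.0.0 or a remote IP all
    stop the real site from being reached.
    """
    return [(n, ip, h) for ip, h, n in parse_hosts(text) if is_watched(h)]


def clean_hosts(text):
    """Return the hosts text with hijacked lines dropped, others untouched."""
    bad_lines = {n for n, _, _ in find_hijacked(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad_lines]
    return "\n".join(kept) + "\n"


# Constructed sample: one stock entry, one legitimate ad block, two hijacks.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net    # MVPS-style ad block, legitimate
127.0.0.1       www.virustotal.com virustotal.com
10.1.2.3        superantispyware.com
"""

if __name__ == "__main__":
    for n, ip, h in find_hijacked(SAMPLE_HOSTS):
        print(f"line {n}: {h} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Running it on the constructed sample reports the two hijacked lines and prints a file that still contains the localhost and ad-block entries. On a live machine, read the real file from %SystemRoot%\System32\drivers\etc\hosts and write the cleaned copy back only after reviewing what was flagged.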

Hosts file disappeared.

winter resisted erasing; software is set up to erase it at reboot, so I'm going to safe mode now....


OK

Performed all steps. But I chose MVP's HOSTS.

OMG...still getting the fake alert! In safe mode...just performed all steps, haven't rebooted yet.


Just a thought if the fake alert persists when you reboot into reg mode.

Can you post a fresh HiJackThis log in your next reply :)


hhmmm that proper.exe has been detected and removed on some scans... it's still there...

winter.exe still there, but before running HJT I looked for it manually and didn't find it...

Gotta leave now, I'll be back in about an hour.


Ok, this infection is respawning itself from 1 file :(

We need to clobber them all in one sitting in order to effect a full cleanup.

So best to print this if you can, as we need to hit them all in one sitting!

These are malware files>>>>

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe

O4 - HKLM\..\Run: [undefined] C:\WINDOWS\system32\winter.exe

O4 - HKCU\..\Run: [undefined] C:\WINDOWS\system32\winter.exe

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - Startup: infos.exe

O4 - Global Startup: autos.exe

Download ProcessExplorer and install(Unzip)>>>

http://www.microsoft.com/technet/sysint ... lorer.mspx

Next up Boot into safemode.

Open ProcessExplorer and highlight any of the files listed above if active. Right click and select *kill process*.

Next up HiJackThis to Fixcheck the load values for those files.

Next up manually locate and delete the files listed above. Rescan with HJT to check that load values have not returned and then reboot.

These are vacated load values that need removing(FixCheck by HJT).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll (file missing)

I'm hoping this has got it nailed as i'm now off line for the next 20hrs.

If the entries do not return then rerun XPreset in order to unlock those functions again.

All the best:)

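The post above works from the HijackThis line shapes (F2, O2, O4) to spot one file loaded from two places and two vacated BHO values. Here is a small Python parser for exactly those line shapes, added as an example and not taken from the thread or from the HijackThis project. It groups load points by target file, which is what reveals winter.exe being launched from both HKLM and HKCU Run keys, and flags the patterns the post relies on: an extra executable appended to the system.ini Shell= value, Run entries with no real name, startup-folder items listed for review, and BHO values marked (no file) or (file missing). The sample log reuses the lines quoted in the thread plus one constructed benign entry as a control.

```python
"""Parse HijackThis-style log lines and group load points by target file.

Added example, not from the forum thread or the HijackThis project. Only the
F2 / O2 / O4 line shapes visible in the thread are handled; the jusched line
in SAMPLE_LOG is a constructed benign control.
"""
import re
from collections import defaultdict

RUN_RE = re.compile(r"^(O4) - (.+?): \[(.*?)\] (.+)$")          # registry Run keys
SHELL_RE = re.compile(r"^(F2) - REG:system\.ini: Shell=(.+)$")  # system.ini Shell=
BHO_RE = re.compile(r"^(O2) - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
STARTUP_RE = re.compile(r"^(O4) - ((?:Global )?Startup): (.+)$")


def parse_line(line):
    """Return dict(section, loadpoint, name, target, flags) or None."""
    line = line.strip()
    m = SHELL_RE.match(line)
    if m:
        tokens = m.group(2).split()
        if not tokens:
            return None
        # Anything after Explorer.exe in Shell= is started at every logon.
        flags = ["shell_hijack"] if tokens[1:] else []
        return dict(section="F2", loadpoint="system.ini Shell", name="Shell",
                    target=tokens[-1], flags=flags)
    m = BHO_RE.match(line)
    if m:
        name, clsid, target = m.group(2), m.group(3), m.group(4)
        flags = []
        if "(no file)" in target or "(file missing)" in target:
            flags.append("orphaned")      # vacated load value, safe to FixCheck
        return dict(section="O2", loadpoint=f"BHO {clsid}", name=name,
                    target=target.replace(" (file missing)", ""), flags=flags)
    m = STARTUP_RE.match(line)
    if m:
        # HJT lists only the file name here, so these always need eyes on them.
        return dict(section="O4", loadpoint=m.group(2), name="",
                    target=m.group(3), flags=["review_startup"])
    m = RUN_RE.match(line)
    if m:
        name, target = m.group(3), m.group(4)
        flags = []
        if name.lower() in ("", "undefined", "(no name)"):
            flags.append("unnamed_run")   # legitimate software names its value
        return dict(section="O4", loadpoint=m.group(2), name=name,
                    target=target, flags=flags)
    return None


def load_points_by_target(lines):
    """Map each target file (lower-cased) to the load points that launch it."""
    groups = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            groups[entry["target"].lower()].append(entry["loadpoint"])
    return dict(groups)


def suspicious(lines):
    """Entries carrying at least one flag, in log order."""
    return [e for e in map(parse_line, lines) if e and e["flags"]]


SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe",
    r"O4 - HKLM\..\Run: [undefined] C:\WINDOWS\system32\winter.exe",
    r"O4 - HKCU\..\Run: [undefined] C:\WINDOWS\system32\winter.exe",
    r"O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe",
    # constructed benign control entry, not from the thread
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe",
    r"O4 - Startup: infos.exe",
    r"O4 - Global Startup: autos.exe",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll (file missing)",
]

if __name__ == "__main__":
    for target, points in load_points_by_target(SAMPLE_LOG).items():
        print(f"{target}: {len(points)} load point(s) {points}")
    for e in suspicious(SAMPLE_LOG):
        print(f"[{','.join(e['flags'])}] {e['section']} {e['loadpoint']} -> {e['target']}")
```

Two design points. First, grouping by target rather than by section is what makes "kill the file, then remove every load value" a checklist instead of guesswork, because the same file shows up once per key that launches it. Second, these are line-shape heuristics only: xpupdate.exe is registered under the plausible name "Windows update loader" and gets no flag, which is exactly why the post above identified it from knowledge of the infection rather than from the log format, and why VirusTotal was used on winter.exe before deleting it.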

I hope this does the trick, since I won't have access to the PC for several days.

I'll post results


OK

All done.

All HJT logs seem OK, no trace of those entries. ProcessExplorer looks clean too... No more popups. Files are not there anymore, and HOSTS file stays there...

However... regedit and task manager, still impossible to open, even though I tried XPsec in reg and safe mode. Control panel and Windows update are working now...

Thanks for all your help. I'll run SAS one last time, and I'll give the computer back...can't do any more right now...

Once again, thanks a lot!

