multiple malware infection

[HURST]

Hi

I'm cleaning a computer with multiple infections.

There was a rootkit named kernelw.sys

There were tons of trojans.

Thera was this new stuff sol852.txt

SAS kept BSODing, but not anymore.

The rootkit is out, sol852 too. Still getting pop-up "your pc is infected" and that sort of crap. Can't access regedit, taskmanager or control panel on normal mode.

Runned HijackThis and fixed some entries, but still no luck. Right now I'm running SAS on safe mode, with latest definitions.

If any sugestions, I'd appreciate it. If more details are needed, please say so.

If malware samples are needed, I'll try recovering from quarantine.

[fatdcuk]

Hi and welcome to the SAS forums

It sounds as if there is still bad code running on your machine.

*Once we remove the active mal code we can then reset the items that you are loacked out off

Download a copy of Autoruns : http://www.microsoft.com/technet/sys.../AutoRuns.mspx

Run a scan but press ESC to stop it .

Click options .

Check both "verify code signatures" and "hide signed microsoft entries" . This will make the list a lot shorter .

Now press F5 to rerun the scan with the new settings .

Click file , save as and save the log to your desktop .

Open it , copy all and paste it into your next post .

* if your firewall requests outbound connection for Autoruns(grant it permission) as it is phoning home to the central databse to verify signatures of files

[HURST]

in normal or safe mode?

[fatdcuk]

in normal or safe mode?

Good question,if you can manage it then boot into safe mode with networking enabled as this allow Autoruns to connect to the web and do it's stuff

If not reg mode will do for now

[HURST]

OK

Will do, as soon as SAS finish scanning. Or should I stop it and do this right away?

[fatdcuk]

OK

Will do, as soon as SAS finish scanning. Or should I stop it and do this right away?

No let SAS have its bite of the malware pie and we can sort the remainders (if any).

Ps Reboot if SAS needs to remove anything before generating Autoruns report

[HURST]

Thanks for all the help. SAS just finished scanning the registry, nothing found yet. Gotta go now, so I'll let it running. I'll post again in a few hours with the Autoruns report.

[HURST]

3 hours of scanning and still running.

Until now, only found Trojan.Downloader-Gen/Micky and some cookies.

Still not reached \Windows\...

[fatdcuk]

Something is not happy on your machine for sure

Just press Next,let it remove what it has found.Reboot and shoot with Autoruns.

[HURST]

[fatdcuk]

Ok I'm only seeing the one suspect entry with 2 loading points in that log.

+ Undefined c:\windows\system32\winter.exe

I'm 99.99% sure it is malware(Fake alert) but before we nuke the file can you upload it to Virustotal for malware checking>>>

http://www.virustotal.com/

LMK if its flagged and then we will lay the smackdown

[HURST]

Ok

Most AV from virustotal flagged it.

(I had to edit Hosts file, most av-vendors and virustotal were blocked)

So i'm nuking that file.

What next?

[fatdcuk]

Ok's

1)In safe mode locate and delete winter.exe file

Use Autoruns or HJT to remove its load values(x2) from the registry.

2)next up time to restore your access permissions(lock outs).

Download this nifty 'lil tool

http://www.castlecops.com/modules/Forum ... le_206.zip

Extract file and run.If prompted to keep or remove , keep for now (then ok , continue) .

On the left will be a list of categories . One by one go to each category and check each box , click apply , uncheck each box , click apply and then move on to the next category .

Once all categories have been used to check and uncheck every option reboot your system and check to see if things have improved .

3)Time to reset your hosts files as other legitimate sites will be blocked.

Download HostsXpert>>>

http://www.funkytoad.com/content/view/13/

Select restore MS Hostfile

[HURST]

hosts files dissapeared.

winter resisted erase software set up to erase at reboot, so i'm going to safe mode now....

[HURST]

OK

performed all steps. But I chosed MVP's HOSTS.

OMG...still getting the fake alert! In safe mode...just performed all steps, haven't reboot yet.

[fatdcuk]

Just a thought if the fake alert persists when you reboot into reg mode.

Can you post a fresh HiJackThis log in your next reply

[HURST]

[HURST]

hhmmm that proper.exe has been detected and removed on some scans... it's still there...

winter.exe still there, but before running HJT I looked for it manually and didn't find it...

Gotta leave now, i'll be back in about an hour.

[fatdcuk]

Ok This infection is respawning itself from 1 file

We need to clobber them all in one sitting inorder to affect a full cleanup.

So best to print this if you can as we need to hit them all in one sitting!

Theses are malware files>>>>

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe

O4 - HKLM\..\Run: [undefined] C:\WINDOWS\system32\winter.exe

O4 - HKCU\..\Run: [undefined] C:\WINDOWS\system32\winter.exe

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - Startup: infos.exe

O4 - Global Startup: autos.exe

Download ProcessExplorer and install(Unzip)>>>

http://www.microsoft.com/technet/sysint ... lorer.mspx

Next up Boot into safemode.

Open ProcessExplorer and highlight any of the files listed above if active.Right click and select *kill process*

Next up HiJackThis to Fixcheck the load values for those files.

Next up manually locate and delete the files listed above.Rescan with HJT to check that load values have not returned and then reboot.

These are vacated load values that need removing(FixCheck by HJT).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll (file missing)

I'm hoping this has got it nailed as i'm now off line for the next 20hrs.

If the entries do not return then rerun XPreset inorder to unlock those functions again.

All the best:)

[HURST]

I hope this does the trick, since I wont have access to the PC in several days.

I'll post results

[HURST]

OK

All done.

All HJT logs seem OK, no trace of those entries. ProcessExplorer looks clean too... No more popups. Files are not there anymore, and HOSTS file stays there...

However... regedit and task manager, still impossible to open, despite I tried XPsec in reg and safe mode. Control panel and windows update are working now...

Thanks for all your help. I'll run SAS one last time, and i'll give the computer back...can't do anymore right now...

Once again, thanks a lot!

[HURST]

UPDATE:

regedit and taskmanager working OK

THANKS!

[fatdcuk]

Your welcome