[SpySentinel]

Hi Deadpool57,

We have made some great progress with this new variant. We now know what it is and how to deal with it.

Please delete RootRepeal. This is a new way top use RootRepeal to delete this file:


Download RootRepeal.zip "You will need to rename RootRepeal to winlogon.exe\" and unzip it to your Desktop.

Double click winlogon.exe to start the program

and then to the Processes tab. Right-click on the randomly-named process with a name that is usually all numbers, and then click \"Terminate Process and Delete File\", which should do exactly that. Then, click Scan again. If the process isn\'t gone, or re-spawns on reboot, use \"Force-Kill Process and Wipe File\" to make sure it\'s gone.

Edited by SpySentinel, 22 July 2009 - 04:56 PM.

[Advertisements]

When I did this I got the same error as before but this time it said winlogon error and then RootRepeal looked blank the same way it in the picture I posted prior.

[Deadpool57]

When I did this I got the same error as before but this time it said winlogon error and then RootRepeal looked blank the same way it in the picture I posted prior.

[SpySentinel]

Hi Deadpool57,

Please rename RootRepeal to lsass.exe and then try to run it again.

[Deadpool57]

Same issue.

[SpySentinel]

Please make sure you do not currently have ComboFix installed. If so remove it.

There has been a new version released that should work on this threat.



Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by SpySentinel, 26 July 2009 - 02:52 PM.

[Deadpool57]

I can't save directly to my desktop because I cant not access the internet on the infected computer. I am posting on another computer. That being said when I try to transfer the new combo fix to the broken computer I get the same old bubble at the bottom of the screen once I double click it. It says that ComboFix.exe has been infected.

[SpySentinel]

Download to your desktop and run this program


Navigate to the folder - C:\Documents and Settings\All users\Application Data
Look for a recently created folder whose name comprises of 8 numeric characters - eg. 32365894
Drag (not delete) the folder to desktop
Then reboot.

Now retry Combofix

[Deadpool57]

Ok I got ComboFix to actually open and work. But after it installed the Windows Recovery thing my computer rebooted itself and I don't think the scan ever took place. I looked in the C: drive to see if there was a log. There wasn't but their is a combo fix icon that it labeled as a folder. When I open it I am brought to the my computer window showing the c: drive and my documents and thats it no d: drive or anything.

[SpySentinel]

Did the steps above work? Did you find any folders whose name comprises of 8 numeric characters - eg. 32365894

[Deadpool57]

When I tried to run the other program you told me to before combo fix. Nothing really happened except a command type box popped up for a second and then went away. Not folder appeared but I was then able to run combo fix but then had the issue I explained in my previous post.

[SpySentinel]

Did you navigate to C:\Documents and Settings\All users\Application Data and look for any folders whose name comprises of 8 numeric characters - eg. 32365894

Thanks

[Deadpool57]

Yes, there wasn't even an application data folder.

[SpySentinel]

Hang in there, we will get rid of this nasty threat

It is a new variant, but once we delete the driver that is infecting you, the infection is dead.


Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

• Click on the Log tab.
• In the Write to log box select all items.
• Click on the Create Log button on the bottom right.
• After a few seconds a new Window should appear.
• Make sure Scan all drives is selected and click on the Start button.
• When it is complete a new Window will appear to indicate that the scan is finished.
• The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

Edited by SpySentinel, 01 August 2009 - 03:44 PM.

[Deadpool57]

Sysprot was blocked as well.

[SpySentinel]

Let's try this step again:


Please Set Your System to Show Hidden Files
If you are using Windows XP or earlier:

• Go to Start -> My Computer (Or click the My Computer icon on your desktop)
• Go to the Tools Menu -> Folder Options.
• Select the "View" tab.
• Where you see , click the radio button.
• Uncheck "Hide extensions for known file types"
• Uncheck "Hide protected operating system files"
• Click Ok.
• Exit/Close My Computer.

If you are using Windows Vista:

• Please go to Start -> Computer
• Click on
• Click on
• Select the "View" tab.
• Where you see , click the radio button.
• Uncheck "Hide extensions for known file types"
• Uncheck "Hide protected operating system files"
• Click Ok.
• Exit/Close My Computer.

Navigate to C:\Documents and Settings\All users\Application Data and look for any folders whose name comprises of 8 numeric characters - eg. 32365894

Drag (not delete) the folder to desktop
Then reboot.