Malware System Security

#16 SpySentinel (Retired Staff)
Hi Deadpool57,

We have made some great progress with this new variant. We now know what it is and how to deal with it.

Please delete RootRepeal. This is a new way to use RootRepeal to delete this file:


Download RootRepeal.zip (you will need to rename RootRepeal to winlogon.exe) and unzip it to your Desktop.

Double click winlogon.exe to start the program, and then go to the Processes tab. Right-click on the randomly-named process with a name that is usually all numbers, and then click "Terminate Process and Delete File", which should do exactly that. Then, click Scan again. If the process isn't gone, or re-spawns on reboot, use "Force-Kill Process and Wipe File" to make sure it's gone.


[screenshot: RootRepeal_systemsecurity.jpg]

Edited by SpySentinel, 22 July 2009 - 04:56 PM.

#17 Deadpool57 (Topic Starter)
When I did this I got the same error as before, but this time it said winlogon error, and then RootRepeal looked blank the same way it did in the picture I posted prior.

#18 SpySentinel (Retired Staff)
Hi Deadpool57,

Please rename RootRepeal to lsass.exe and then try to run it again.

#19 Deadpool57 (Topic Starter)
Same issue.

#20 SpySentinel (Retired Staff)
Please make sure you do not currently have ComboFix installed. If so remove it.

There has been a new version released that should work on this threat.



Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by SpySentinel, 26 July 2009 - 02:52 PM.


#21 Deadpool57 (Topic Starter)
I can't save directly to my desktop because I cannot access the internet on the infected computer. I am posting on another computer. That being said, when I try to transfer the new ComboFix to the broken computer I get the same old bubble at the bottom of the screen once I double click it. It says that ComboFix.exe has been infected.

#22 SpySentinel (Retired Staff)
Download to your desktop and run this program


Navigate to the folder - C:\Documents and Settings\All users\Application Data
Look for a recently created folder whose name comprises 8 numeric characters - e.g. 32365894
Drag (not delete) the folder to desktop
Then reboot.

Now retry Combofix

#23 Deadpool57 (Topic Starter)
Ok, I got ComboFix to actually open and work. But after it installed the Windows Recovery thing my computer rebooted itself and I don't think the scan ever took place. I looked in the C: drive to see if there was a log. There wasn't, but there is a ComboFix icon that it labeled as a folder. When I open it I am brought to the My Computer window showing the C: drive and My Documents, and that's it, no D: drive or anything.

#24 SpySentinel (Retired Staff)
Did the steps above work? Did you find any folders whose name comprises 8 numeric characters - e.g. 32365894?

#25 Deadpool57 (Topic Starter)
When I tried to run the other program you told me to before ComboFix, nothing really happened except a command-type box popped up for a second and then went away. No folder appeared, but I was then able to run ComboFix, but then had the issue I explained in my previous post.
#26 SpySentinel (Retired Staff)
Did you navigate to C:\Documents and Settings\All users\Application Data and look for any folders whose name comprises 8 numeric characters - e.g. 32365894?

Thanks

#27 Deadpool57 (Topic Starter)
Yes, there wasn't even an application data folder.

#28 SpySentinel (Retired Staff)
Hang in there, we will get rid of this nasty threat :)

It is a new variant, but once we delete the driver that is infecting you, the infection is dead.


Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

Edited by SpySentinel, 01 August 2009 - 03:44 PM.


#29 Deadpool57 (Topic Starter)
Sysprot was blocked as well.

#30 SpySentinel (Retired Staff)
Let's try this step again:


Please Set Your System to Show Hidden Files
If you are using Windows XP or earlier:
  • Go to Start -> My Computer (Or click the My Computer icon on your desktop)
  • Go to the Tools Menu -> Folder Options.
  • Select the "View" tab.
  • Where you see [image], click the [image] radio button.
  • Uncheck "Hide extensions for known file types"
  • Uncheck "Hide protected operating system files"
  • Click Ok.
  • Exit/Close My Computer.
If you are using Windows Vista:
  • Please go to Start -> Computer
  • Click on [image]
  • Click on [image]
  • Select the "View" tab.
  • Where you see [image], click the [image] radio button.
  • Uncheck "Hide extensions for known file types"
  • Uncheck "Hide protected operating system files"
  • Click Ok.
  • Exit/Close My Computer.



Navigate to C:\Documents and Settings\All users\Application Data and look for any folders whose name comprises 8 numeric characters - e.g. 32365894

Drag (not delete) the folder to desktop
Then reboot.
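The folder check SpySentinel asks for in posts #22, #24, #26 and #30 (an 8-digit folder under All Users\Application Data, moved to the desktop rather than deleted), written as a small read-only helper. This is an added example, not code from the thread or from any tool named in it; the base path is the XP one the thread gives, while the `max_age_days` filter and the quarantine destination are my assumptions.

```python
"""List subfolders of the XP 'All Users\\Application Data' directory whose name is
exactly 8 digits (e.g. 32365894), and move a chosen one to a quarantine folder
instead of deleting it, mirroring the 'drag to desktop, then reboot' step.
Added example; not code from the original thread or from any tool it names."""
import os
import re
import shutil
import time
from typing import List, Optional, Tuple

# Path from the thread (Windows XP). On Vista the equivalent is C:\ProgramData.
DEFAULT_BASE = r"C:\Documents and Settings\All Users\Application Data"
_EIGHT_DIGITS = re.compile(r"^[0-9]{8}$")


def is_suspect_name(name: str) -> bool:
    """True only for names made of exactly eight numeric characters."""
    return _EIGHT_DIGITS.match(name) is not None


def find_suspect_folders(base: str = DEFAULT_BASE, max_age_days: Optional[float] = None,
                         now: Optional[float] = None) -> List[Tuple[str, float]]:
    """Return (path, mtime) for direct subfolders of `base` with an 8-digit name.

    One level deep only, like the manual check. With `max_age_days`, folders whose
    modification time is older are skipped (mtime, not creation time, because it
    is portable). Read-only: nothing on disk is changed.
    """
    now = time.time() if now is None else now
    hits: List[Tuple[str, float]] = []
    if not os.path.isdir(base):          # base folder missing on this system
        return hits
    for name in sorted(os.listdir(base)):
        path = os.path.join(base, name)
        if not os.path.isdir(path) or not is_suspect_name(name):
            continue
        mtime = os.stat(path).st_mtime
        if max_age_days is not None and now - mtime > max_age_days * 86400:
            continue
        hits.append((path, mtime))
    return hits


def quarantine_folder(path: str, dest_dir: str) -> str:
    """Move (never delete) a suspect folder into `dest_dir`; return its new path."""
    os.makedirs(dest_dir, exist_ok=True)
    target = os.path.join(dest_dir, os.path.basename(path))
    if os.path.exists(target):
        raise FileExistsError(f"{target} already exists; refusing to overwrite")
    return shutil.move(path, target)
```

Run `find_suspect_folders()` first and inspect the list; only call `quarantine_folder` on a folder you have confirmed, then reboot as the thread says.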