Aug 12 2009, 09:14 PM
Post #1 | Bleep Bleep! | Group: Admin | Posts: 31,601 | Joined: 24-January 04 | From: USA | Member No.: 3
When AntiSpy Protector 2009 is installed on your computer it looks like every other rogue. It shows fake security alerts, displays fake scan alerts, and is a general nuisance. It is only when you try to remove this malware that you notice that your programs no longer work. While testing this program, I noticed that any program I ran to remove this malware was terminated, and then when I tried to run it again, I was told I did not have permission. It was then that I realized that something a little more devious was going on.

At this point I knew we had a rootkit on our hands. After investigating further, I saw that C:\Windows\System32\netlogon.dll was replaced by a malware file. This malware file has a size of 60,416 bytes, while the legitimate program is 407,040 bytes. After speaking to some security professionals, I learned that the files that were substituted are the actual loading point of the infection and if we replace them with the legitimate file, then the rootkit will be disabled. Other files that are substituted by this rootkit include scecli.dll and eventlog.dll.

Luckily for us, a process has been developed to remove this infection, but it requires a customized solution for each person who may be infected. Therefore, I am unable to write a self-help guide on how to remove AntiSpy Protector 2009 or the rootkit defending it. If you are infected with this rogue, or your computer starts exhibiting the behavior of security programs terminating and then getting permission denied when you try to run them again, then there is a good chance you have this rootkit on your computer. If that is the case, I suggest that you create a new topic in our Malware Removal section in order to receive help cleaning your computer.

On a last note, I strongly suggest that you do not delete the files listed above unless you are 100% sure that they are not the legitimate ones, as doing so could affect the proper performance of your computer.
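The post above identifies the infection by the substituted System32 DLLs (netlogon.dll, scecli.dll, eventlog.dll). The following PowerShell check is an added example and is not code from the original post or from BleepingComputer: it reports size, Authenticode status and signer for those three files, and compares each with the Windows File Protection copy in System32\dllcache where this build keeps one. It assumes PowerShell 3.0 or later. The byte counts quoted in the post (60,416 bytes rogue, 407,040 bytes legitimate) are specific to the poster's Windows build, so the script does not hardcode a size; the signature and dllcache comparison are the checks to rely on.

```powershell
# Added example, not from the original post. Reports size, Authenticode status
# and signer for the three System32 DLLs the post names, and compares each with
# the Windows File Protection copy in System32\dllcache when one is present.
# Assumes PowerShell 3.0+. Sizes are build-specific (407,040 bytes is only the
# legitimate netlogon.dll size the post quotes for that machine), so trust the
# signature status and the dllcache comparison rather than the byte count.
$targets = 'netlogon.dll', 'scecli.dll', 'eventlog.dll'
$sys32   = Join-Path $env:SystemRoot 'System32'
$cache   = Join-Path $sys32 'dllcache'

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        ([BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path)))) -replace '-', ''
    } finally {
        $sha.Dispose()
    }
}

foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$path is missing"; continue }

    $file   = Get-Item -LiteralPath $path
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # Compare against the WFP cache copy if this build keeps one.
    $cached = Join-Path $cache $name
    $cacheMatch = if (Test-Path -LiteralPath $cached) {
        (Get-Sha256Hex $path) -eq (Get-Sha256Hex $cached)
    } else {
        'n/a'
    }

    [pscustomobject]@{
        File         = $name
        Bytes        = $file.Length
        Modified     = $file.LastWriteTime
        SigStatus    = $sig.Status        # Valid / NotSigned / HashMismatch ...
        Signer       = $signer
        MatchesCache = $cacheMatch
        # Flag anything that is not a validly signed Microsoft file or that
        # differs from the cached copy.
        Suspect      = ($sig.Status -ne 'Valid') -or
                       ($signer -notmatch 'Microsoft') -or
                       ($cacheMatch -eq $false)
    }
}
```

Two caveats when reading the output. On older builds many system files are catalog-signed rather than carrying an embedded signature, so a status of NotSigned on its own is not proof of tampering; cross-check such a file with Sysinternals sigcheck or the dllcache copy before acting on it. More importantly, a rootkit that is already loaded can hand the legitimate bytes to any process that reads the file, so a clean result from inside the infected system is not conclusive; the same check run from offline boot media (as the ERD boot mentioned later in this thread does) is the one to believe.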
Aug 14 2009, 01:25 PM
Post #2 | Member | Group: Members | Posts: 48 | Joined: 23-February 07 | Member No.: 113,515
Is it possible to rename the 3 mentioned files, or move the hidden one at least, as a prophylactic measure against possible exposure to this virus?

Thanks

"Imagination is more important than knowledge" - Albert Einstein
Aug 14 2009, 11:18 PM
Post #3 | Bleep Bleep! | Group: Admin | Posts: 31,601 | Joined: 24-January 04 | From: USA | Member No.: 3
No, the files that are replaced are legitimate Microsoft files and should not be modified.
Aug 16 2009, 03:04 AM
Post #4 | Bleepin' Blond | Group: HJT Team | Posts: 3,306 | Joined: 5-October 07 | From: @Home | Member No.: 160,991
Hi Grinler, thanks for the information!

I think I might have a few victims of this infection in AII. Before sending them to HJT, is there anything I can let them check to confirm?
Aug 17 2009, 08:16 AM
Post #5 | Bleep Bleep! | Group: Admin | Posts: 31,601 | Joined: 24-January 04 | From: USA | Member No.: 3
RootRepeal logs will show it right off. Let me know if you find any.
Aug 18 2009, 04:29 AM
Post #6 | New Member | Group: Members | Posts: 11 | Joined: 14-August 09 | Member No.: 364,536
Hello Grinler, how do I check my RootRepeal logs? This thing won't even let me run Malwarebytes, although I was able to run Spyware Terminator and STOPzilla.
Aug 18 2009, 05:59 AM
Post #7 | Bleep Bleep! | Group: Admin | Posts: 31,601 | Joined: 24-January 04 | From: USA | Member No.: 3
Have you downloaded and run RootRepeal as of yet?

You should perform the steps here to receive help: http://www.bleepingcomputer.com/forums/topic34773.html
Aug 18 2009, 08:14 AM
Post #8 | New Member | Group: Members | Posts: 6 | Joined: 17-July 09 | From: Brazil | Member No.: 353,967
Hello Grinler,

First, congratulations on the news. I have some questions. Can these two files, C:\WINDOWS\win32k.sys and C:\WINDOWS\system32\netlogon.dll, be deleted with the tool KillBox? Does the rogue AntiSpy Protector 2009 always use these file names, or are they random file names? After deleting the rogue netlogon.dll file, how can I restore the original file? Thanks
Aug 18 2009, 08:34 AM
Post #9 | Bleep Bleep! | Group: Admin | Posts: 31,601 | Joined: 24-January 04 | From: USA | Member No.: 3
The win32k.sys:1 file located in the C:\Windows folder is a memory-resident driver loaded at runtime when the main loader runs. Netlogon.dll should be replaced with the legitimate file using a special method that could cause problems if done unattended and improperly.

Please do not use KillBox to remove these files, as unexpected behavior may occur. Remember this is the rootkit, and not AntiSpy Protector 2009, creating these files. This rootkit is starting to be common with other infections as well. As for the filenames, C:\Windows\win32k.sys seems to be static. The loader, netlogon.dll, is not random, but other replaced files are possible. It is for this reason we suggest you have someone examine your RR logs.
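The reply above names the driver as win32k.sys:1 under C:\Windows. The ":1" suffix is NTFS alternate data stream notation (a stream named "1" attached to the file), which is how a file can sit on disk without appearing in an ordinary directory listing; note also that the legitimate win32k.sys lives in System32, so a copy directly under C:\Windows is itself a finding. The following PowerShell is an added example, not code from the post or from BleepingComputer, that lists the streams on that path and then sweeps the Windows folder for any file carrying a stream other than the default ':$DATA'. It assumes PowerShell 3.0 or later, where Get-Item supports the -Stream parameter; that the ":1" in the post denotes a stream is an inference from the notation, not something the post states.

```powershell
# Added example, not from the original post. Enumerates NTFS alternate data
# streams. Assumes PowerShell 3.0+ (Get-Item -Stream) and that 'win32k.sys:1'
# in the post means a stream named '1' on C:\Windows\win32k.sys.
$suspect = Join-Path $env:SystemRoot 'win32k.sys'

function Get-NonDefaultStreams([string]$Path) {
    # Every file has a ':$DATA' stream; anything else is worth looking at.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

if (Test-Path -LiteralPath $suspect) {
    Write-Host "Streams on $suspect (legitimate win32k.sys lives in System32):"
    Get-Item -LiteralPath $suspect -Stream * | Select-Object FileName, Stream, Length
} else {
    Write-Host "$suspect not present"
}

# Sweep the top level of the Windows folder for any file with an extra stream.
Get-ChildItem -LiteralPath $env:SystemRoot -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-NonDefaultStreams $_.FullName }
```

To read the contents of a stream once found, `Get-Content -LiteralPath $suspect -Stream 1 -Encoding Byte` returns the raw bytes for hashing or submission; on systems without a recent PowerShell, `dir /r` (Vista and later) or the Sysinternals streams tool give the same listing. As with the DLL check, a loaded rootkit can filter what the live system reports, so an empty result from inside the infected OS does not rule the stream out; the listing from offline boot media is authoritative.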
Aug 19 2009, 07:56 PM
Post #10 | New Member | Group: Members | Posts: 11 | Joined: 14-August 09 | Member No.: 364,536
Hello Grinler, I tried RootRepeal and it did not install without a PE image error, but I could use some of the functions. What do I have to do with RootRepeal?
Aug 22 2009, 12:37 PM
Post #11 | New Member | Group: Members | Posts: 1 | Joined: 22-August 09 | Member No.: 367,584
I've had several customers recently with similar issues. Unfortunately, I couldn't identify the problem, so we reloaded the computers after a reformat. Each of the computers was running an anti-virus program (McAfee, AVG, etc.). Is there any anti-virus program out there that will prevent this type of infection?

Thanks
Aug 23 2009, 03:04 AM
Post #12 | Member | Group: Banned | Posts: 125 | Joined: 7-May 09 | From: Right smack dab in the middle of HELL. | Member No.: 329,600
Quoting post #6: "Hello Grinler, how do I check my RootRepeal logs? This thing won't even let me run Malwarebytes, although I was able to run Spyware Terminator and STOPzilla."

STOPzilla is a ROGUE antispyware. Just saying...

Personal quotes: "He who does not remember the past is condemned to repeat it"
"Just because I'm crazy, it doesn't mean I'm stupid" "I swear to god, I never stuck my flash drive into your wife's laptop, honest!" "I'm Microsoft's number one enemy. I FIX the computer errors." ComputerNutjob
Aug 23 2009, 03:20 PM
Post #13 | New Member | Group: Members | Posts: 1 | Joined: 21-August 09 | Member No.: 367,022
I caught something similar, called TotalSecurity. I succeeded in removing it by booting with ERD2008.

Using its registry editor I deleted the "bad" entries in the registry, and deleted the files.

Moshe

This post has been edited by MOSHE BERGMAN: Aug 23 2009, 03:34 PM
Aug 27 2009, 01:13 PM
Post #14 | New Member | Group: Members | Posts: 2 | Joined: 27-August 09 | Member No.: 369,779
I have run into this nasty bug several times already. I found that in some cases renaming ComboFix and the executable for Malwarebytes allows them to run. I have about a 60% success rate on cleaning the PCs of the infections as long as I can get those two utilities to run.
Aug 27 2009, 07:37 PM
Post
#15
|
|
![]() Member ![]() ![]() Group: Members Posts: 52 Joined: 19-August 09 From: West Virginia Member No.: 366,365 |
Yes, hello Grinler, you know how you said this:

"At this point I knew we had a rootkit on our hands. After investigating further, I saw that the C:\Windows\System32\netlogon.dll was replaced by a malware file. This malware file having a size of 60,416 bytes, while the legitimate program is 407,040 bytes."

I can honestly say that some unknown rogues have had this. I think I recently found this on my friend's computer, although this file name, C:\drivers\system\infcahce.1, was infected, replaced, and renamed into C:\Program Files\rootkit. (It took me 3 days to figure out which program it was hiding in.) I think the program had 40. But it was hard to tell. I think his computer is a... Microsoft 2000. Anything leading to this? Or is it a prank I should know of?

♣SoftWare Intermediate♣