: One or more of the identified infections (2FIY.BAT) is related to a rootkit component
, backdoor Trojans
, and IRCBots
are very dangerous
because they compromise system integrity
by making changes that allow it to by used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:
If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately
to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised
. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router
, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:
Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure
. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.
MBAM has a built-in FileAssassin
feature for removing stubborn malware files.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.
- Go to the "More Tools" tab and click on the "Run Tool" button
- Browse to the location of the file(s) to remove using the drop down box next to "Look in:" at the top.
- When you find the file(s), click "Open".
- You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
- Repeat the above steps to find and remove: D:\g1vn1.exe <- this file
- If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.
Caution: Be careful what you delete. FileAssassin is a powerful program, designed to move highly persistent files. Using it incorrectly could lead to serious problems with your operating system.
The infected RP***\A00*****.exe/.dll file(s) identified by your scan are in the System Volume Information Folder
(SVI) which is a part of System Restore
. This is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back
" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive
, partition or volume including most external drives, and some USB flash drives.
System Restore is enabled by default
and will back up the good as well as malicious files
, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a malicious file was found in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.
To remove these file(s), the easiest thing to do is Create a New Restore Point
to enable your computer to "roll-back
" to a clean working state and use Disk Cleanup
to remove all but the most recent restore point.