win32k.sys:1+2 infection


This topic is locked
2 replies to this topic

#1 n2fc

Posted 03 September 2009 - 10:51 AM

I am helping a friend who has this infection and am at a loss as to how to proceed...

Steps taken so far:
1) I pulled the hard drive and did an offline virus scan to remove all known viruses
2) While offline I corrected registry errors including: many restrictive policies had been added to lock out REGEDIT, file displays, etc... ALL FIXED

Only thing left to do is to find the darn rootkit & remove!

When the machine is booted (even in safe mode) the virus comes in early and does the following:
1) adds a registry entry to HKCU/SW/MS/Windows/Run/ LOYUVEJO.DLL (since I already deleted it offline, it fails to load, but it inserts the key for next time, nonetheless!)
2) If ANY program is run that does a scan of any type (ex: Windows Defender, AntiMalware, AntiVirus, RootRepeal, Spybot, etc.) the virus KILLS the process, and removes ALL security access from that program preventing it from being run again! It replaces the security with "everyone" but access is still denied!

System is running XP HOME (SP3), so I can reset security if booted into safe mode, but it effectively locks out all attempts to cure and remove quite nicely!

Since I can pull the drive and view it offline on another system, does anyone have a clue as to where the virus is hiding so I can kill it before it comes in???

I am attaching the few logs that I can get from the machine, but it is difficult to run most tools on that box after it is booted, since the virus is quite adept at killing any potential threats to itself!

The rootrepeal log is only the "drivers" section... If I attempt to run the "Files" scan it gets blown away by the rootkit.

I am almost ready to give up here, but I have seen other reports here from many other victims of this particular variant with no definitive solution (at least I haven't seen it yet!)

If someone has a good cure (even a manual one) short of packing it in and reformatting the drive,
IT WOULD BE GREATLY APPRECIATED!!!

THANKS IN ADVANCE!
===========================

Well, I did some more reading and found a recent post by Grinler describing how the rootkit loads...
http://www.bleepingcomputer.com/forums/t/249117/antispy-protector-2009-rootkit-big-trouble/

THANKS!

I took the drive offline and replaced the infected file (in this case eventlog.dll) and no more rootkit...
Then I was able to run the normal tools to clean up the rest!

Been reading at this site for over 5 years now... This was my first post...
Just wanted to thank the posters here for the invaluable info provided and to close out the issue...
===========================

Edited by n2fc, 03 September 2009 - 06:59 PM.


#2 n2fc

Posted 03 September 2009 - 03:20 PM

Well, I did some more reading and found a recent post by Grinler describing how the rootkit loads...
http://www.bleepingcomputer.com/forums/t/249117/antispy-protector-2009-rootkit-big-trouble/

THANKS!

I took the drive offline and replaced the infected file (in this case eventlog.dll) and no more rootkit...
Then I was able to run the normal tools to clean up the rest!

Been reading at this site for over 5 years now... This was my first post...
Just wanted to thank the posters here for the invaluable info provided and to close out the issue...
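The approach that resolved the thread (pull the drive, examine it on a clean host, replace the patched system DLL, in this case eventlog.dll) can be turned into a repeatable check. The Python script below is an added example, not code from the thread, from n2fc, or from BleepingComputer: it hashes the files in an offline-mounted system32 directory against a manifest built from trusted copies of the same files and reports which are modified or missing. It assumes the trusted copies come from a clean install at the same service-pack level, never from the suspect drive, and that the suspect drive is mounted read-only on the clean host. The paths, file names and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large system binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(reference_dir: Path, names) -> dict:
    """Hash trusted copies of the named files.

    Assumption: reference_dir holds binaries from a clean install at the same
    service-pack level as the suspect machine, never files copied from it."""
    manifest = {}
    for name in names:
        src = reference_dir / name
        if src.is_file():
            manifest[name] = sha256_of(src)
    return manifest


def check_offline_system32(system32_dir: Path, manifest: dict) -> dict:
    """Compare every file in the manifest against the offline-mounted drive.

    Returns {file name: 'ok' | 'modified' | 'missing'}. Run this from the clean
    host with the suspect drive mounted; on the live infected box a scanner
    process is killed before it can report anything, as the thread describes."""
    results = {}
    for name, good_hash in manifest.items():
        target = system32_dir / name
        if not target.is_file():
            results[name] = "missing"
        elif sha256_of(target) != good_hash:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo() -> dict:
    """Constructed sample data: a trusted reference tree and a suspect tree in
    which eventlog.dll has been replaced and user32.dll is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = Path(tmp) / "reference_system32"
        suspect = Path(tmp) / "mounted_drive" / "WINDOWS" / "system32"
        reference.mkdir(parents=True)
        suspect.mkdir(parents=True)

        # Constructed file contents; a real check hashes the actual binaries.
        (reference / "eventlog.dll").write_bytes(b"clean eventlog.dll bytes")
        (reference / "ntdll.dll").write_bytes(b"clean ntdll.dll bytes")
        (reference / "user32.dll").write_bytes(b"clean user32.dll bytes")

        (suspect / "eventlog.dll").write_bytes(b"patched eventlog.dll bytes")
        (suspect / "ntdll.dll").write_bytes(b"clean ntdll.dll bytes")
        # user32.dll is deliberately not written to the suspect tree

        manifest = build_manifest(reference, ["eventlog.dll", "ntdll.dll", "user32.dll"])
        return check_offline_system32(suspect, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:14s} {status}")
```

A file reported as "modified" is a candidate for the same treatment n2fc applied to eventlog.dll: replace it from the trusted source while the drive is still offline, then boot and run the usual tools. A "missing" result is worth a second look too, since a system DLL that should exist but does not is as much a sign of tampering as one whose hash has changed.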

#3 Guest_The weatherman_*

Posted 06 September 2009 - 08:48 AM

Thank you for sharing that with us all n2fc, I'm pleased your issue has been resolved. :(