Posted 09 August 2011 - 06:27 PM
I am fighting a virus; I have run into this problem a few times before on customer machines.
It spoofs rkill and mbam by using its own copy and then filling the report with info it generates from the registry or browser history.
A virus of some sort infects the machine and creates folders in the \localsettings\temp folder with the folder name RarSFX0, then RarSFX1, and so on.
In the folder there are other folders called Nird, h, and procs.
As well, there are files called nircmdc, prep, rkill, s, serv, swreg, winlogon, nircmd, pev, proxycheck, rkill.reg, sed, sh, userinit, and wl.
The 'h' folder contains a copy of explorer and iexplorer.
The Nird folder contains a copy of
The procs folder contains a copy of explorer, 2 copies of iexplore, and proc.dat.
When I run Rkill from a thumb drive I am watching Windows Task Manager and see that additional instances of Iexplore and explorer popup and disappear.
Rkill then gives me an installation error dialog box. The CMD window opens and closes quickly multiple times during this process.
Then the CMD box pops up as if it is running Rkill.
It finds nothing and closes explorer then there is a pause while explorer restarts.
There is nothing unusual running in the processes under Task Manager except the occasional explorer or iexplore popping in and out.
It then adds another folder to the temp folder called RarSFX3 or 4 or whatever the next number is.
When running mbam it comes up with nothing.
In some cases I have seen a copy of mbam in these folders. The current challenge does not have them.
When I run a rootkit search it finds nothing. When I run a temp cleaner like ATF or Oldtimer Tools it removes all the folders.
When I run rkill the folder comes back starting at RarSFX0 and then will add one for each time I run rkill.
I have deleted the files out of these folders and watched a new folder be created with all the same files in there again.
Has anybody else seen this?
Is there a fix for it?
I appreciate any help on this.
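The following triage script is an added example and is not part of the original post or any reply to it. It addresses the check the poster's description calls for: RarSFX0, RarSFX1, and so on are the folder names a WinRAR self-extracting archive creates under %TEMP% when it unpacks its contents before running them, so every new RarSFXn folder marks one execution of such an archive, and the rkill, explorer and iexplore files found inside can be hashed and compared with known-good copies rather than trusted by name. The script assumes PowerShell 4 or later (Get-FileHash and the -Directory/-File switches do not exist on the PowerShell 2 that ships with Windows XP era machines), and that the known-good rkill copy lives on a thumb drive at E:\rkill.exe; both the path and the function names are assumptions chosen for this example.

```powershell
# Added triage script, not taken from the original post.
# Assumption: the known-good rkill from the thumb drive is at E:\rkill.exe.
$GoodRkill = 'E:\rkill.exe'

# 1. Inventory every RarSFX* folder under the user's temp directory.
#    A WinRAR SFX unpacks into %TEMP%\RarSFX0, RarSFX1, ... before running
#    its payload, so each folder is one execution of the dropper archive.
function Get-SfxDrops {
    Get-ChildItem -Path $env:TEMP -Directory -Filter 'RarSFX*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            Get-ChildItem -Path $dir.FullName -File -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                    [pscustomobject]@{
                        Folder   = $dir.Name
                        File     = $_.FullName
                        Size     = $_.Length
                        Created  = $_.CreationTime
                        SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                        SigState = $sig.Status          # real explorer/iexplore are Microsoft-signed
                        Signer   = $sig.SignerCertificate.Subject
                    }
                }
        }
}

# 2. Compare any rkill* file dropped into those folders against the thumb-drive
#    copy. A mismatch means the dropper substituted its own rkill, which is what
#    the post describes (a fake report filled from the registry/browser history).
function Compare-Rkill {
    param([string]$Reference = $GoodRkill)
    if (-not (Test-Path -Path $Reference)) { throw "Reference rkill not found: $Reference" }
    $refHash = (Get-FileHash -Path $Reference -Algorithm SHA256).Hash
    Get-SfxDrops |
        Where-Object { $_.File -match '\\rkill[^\\]*$' } |
        Select-Object File, SHA256, @{ n = 'MatchesReference'; e = { $_.SHA256 -eq $refHash } }
}

# 3. Show where the explorer/iexplore processes that keep flashing up in Task
#    Manager are actually loaded from. Task Manager shows only the name; the
#    real binaries live in C:\Windows and C:\Program Files\Internet Explorer,
#    so an ExecutablePath under %TEMP%\RarSFX* identifies the dropped copy.
function Get-SuspectProcesses {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -match '^(explorer|iexplore)\.exe$' } |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

Get-SfxDrops        | Format-Table Folder, File, Size, SigState, SHA256 -AutoSize
Compare-Rkill       | Format-Table -AutoSize
Get-SuspectProcesses | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt before launching rkill, then again immediately afterwards while the short-lived explorer/iexplore processes are visible; the third query is the one worth repeating in a loop, because those processes exit within seconds. The ParentProcessId column also tells you which process is spawning them, which is the lead to follow for the persistence mechanism that recreates the folders.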