
Virus is spoofing rkill


6 replies to this topic

#1 malea11 (Members, 5 posts)

Posted 09 August 2011 - 06:27 PM

I am fighting a virus; I have run into this problem a few times before on customer machines.

It spoofs rkill and mbam by using its own copy and then filling the report with info it generates from the registry or browser history.

A virus of some sort infects the machine and creates folders in the \Local Settings\Temp folder with the folder name RarSFX0 and then RarSFX1 and so on.
In the folder there are other folders called Nird, h, and procs.

As well there are files called nircmdc, prep, rkill, s, serv, swreg, winlogon, nircmd, pev, proxycheck, rkill.reg, sed, sh, userinit, and wl

The 'h' folder contains a copy of
explorer and iexplorer

The Nird folder contains a copy of
iexplore

The procs folder contains a copy of
explorer, 2 copies of iexplore, and proc.dat

When I run rkill from a thumb drive I am watching Windows Task Manager and see that additional instances of iexplore and explorer pop up and disappear.
rkill then gives me an installation error dialog box. The CMD window opens and closes quickly multiple times during this process.
Then the CMD box pops up as if it is running rkill.
It finds nothing and closes explorer; then there is a pause while explorer restarts.

There is nothing unusual running in the processes under Task Manager except the occasional explorer or iexplore popping in and out.

It then adds another folder to the temp folder called RarSFX3 or 4 or whatever the next number is.

When running mbam it comes up with nothing.

In some cases I have seen a copy of mbam in these folders. The current challenge does not have them.

When I run a rootkit search it finds nothing. When I run a temp cleaner like ATF or OldTimer's tools it removes all the folders.
When I run rkill the folder comes back starting at RarSFX0, and then it will add one for each time I run rkill.

I have deleted the files out of these folders and watched a new folder be created with all the same files in there again.

Has anybody else seen this?

Is there a fix for it?

I appreciate any help on this.


#2 boopme, "To Insanity and Beyond" (Global Moderator, 73,058 posts, NJ USA)

Posted 09 August 2011 - 08:53 PM

I will ask the Tools creator to look.

#3 Grinler, Lawrence Abrams (Admin, 43,541 posts, USA)

Posted 10 August 2011 - 06:58 AM

Do the folders/files return automatically or only after you run rkill?

#4 malea11, Topic Starter (Members, 5 posts)

Posted 10 August 2011 - 08:25 AM

Only when I run rkill.

These RarSFX folders existed when my customer brought in the computer. There was a program running in the task bar that would pop up occasionally saying that access to the hard drive was not working, or something to that effect.

I have seen this on other customer computers with other virus issues.

When I received the computer, all the folders were hidden and all the Start programs were missing. I went to the properties and showed hidden files. The folders then showed up. I then changed the attributes from hidden to visible. At that time I was able to see the files in the temp folder that I mentioned.

I ran a temp cleaner that erased all the files in that folder. When I ran rkill a new instance of the RarSFX folder appeared. Every time I ran rkill a new folder would appear.

When I try to run Spybot it shuts down when I try to update.

The RarSFX folder contains a file called rkill, which, when I run rkill, seems to shut down my program and run its own.

#5 malea11, Topic Starter (Members, 5 posts)

Posted 10 August 2011 - 08:41 AM

Just found something interesting.

In Windows Task Manager there is a file called bcmwltry.exe running.

Google says bcmwltry.exe is the tray bar process for the Broadcom Corporation wireless network software.

I am not running Broadcom wireless. So I stop the process in Task Manager and try to end the process. It keeps popping back up.

I tried to search out the file and it is not showing up anywhere.

How can I find out where this is originating from?

I think it could be a "spoofed" file that is propagating these folders.

#6 malea11, Topic Starter (Members, 5 posts)

Posted 10 August 2011 - 09:04 AM

A folder WPDNSE has now been added to the Temp folder after running rkill again.

Any thoughts?

#7 Grinler, Lawrence Abrams (Admin, 43,541 posts, USA)

Posted 10 August 2011 - 09:06 AM

The RarSFX folders are normal and can be ignored. They are created by rkill.

The WPDNSE folder is normal and can be ignored.

Are you sure you are not using a Broadcom wireless network adapter?
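The two questions the thread leaves open are the ones a practitioner would answer with data rather than Task Manager: where a process that "keeps popping back up" is actually loaded from and what relaunches it, and whether the RarSFX* folders under %TEMP% contain rkill's own extracted tools or something planted alongside them. The script below is an added example written for this page; it is not code from the thread, from BleepingComputer or from the rkill tool. It assumes PowerShell 4 or later on Windows (for Get-FileHash), an elevated prompt so that ExecutablePath is populated for every process, and the process name bcmwltry.exe and the %TEMP% root as its only inputs; the expected location of the genuine Broadcom tray application is not checked because the thread does not state it.

```powershell
# Added example, not from the thread or from rkill: locate the image, parent
# and signature of every instance of a process, search common autostart
# locations for what relaunches it, and inventory the RarSFX* folders that
# rkill extracts into %TEMP% so they can be compared with a fresh download.
# Assumes PowerShell 4+ on Windows, run elevated.
param(
    [string]$ProcessName = 'bcmwltry.exe',   # assumption: the name from the thread
    [string]$TempRoot    = $env:TEMP
)

function Get-ProcessOrigin {
    param([string]$Name)
    # Win32_Process carries the image path and parent PID that Task Manager hides.
    $procs = @(Get-CimInstance Win32_Process -Filter "Name = '$Name'")
    foreach ($p in $procs) {
        # PIDs are reused, so the parent found here may be a later process if
        # the real parent already exited; compare CreationDate when in doubt.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $sig = $null
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        }
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $parentPath = if ($parent) { $parent.ExecutablePath } else { $null }
        $sigStatus  = if ($sig) { $sig.Status } else { 'Unknown' }
        $signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{
            Name        = $p.Name
            Pid         = $p.ProcessId
            Path        = $p.ExecutablePath   # $null: access denied or file already deleted
            CommandLine = $p.CommandLine
            ParentPid   = $p.ParentProcessId
            ParentName  = $parentName
            ParentPath  = $parentPath
            Signature   = $sigStatus
            Signer      = $signer
        }
    }
}

function Get-AutostartReferences {
    param([string]$Name)
    # A process that returns after being killed is usually respawned by an
    # autostart value, a Winlogon value (the thread mentions a userinit copy),
    # a service, or another process; the first three are checked here.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $pattern = [regex]::Escape($Name)
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if ("$($prop.Value)" -match $pattern) {
                [pscustomobject]@{ Source = $k; Value = $prop.Name; Data = $prop.Value }
            }
        }
    }
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $pattern } | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Value = $_.Name; Data = $_.PathName }
    }
}

function Get-RarSfxInventory {
    param([string]$Root)
    # rkill is a self-extracting RAR archive, so each run leaves a RarSFXn folder.
    # Hashing every file lets you compare RarSFX0, RarSFX1, ... with each other
    # and with the tools inside a freshly downloaded copy of rkill.
    Get-ChildItem -Path $Root -Directory -Filter 'RarSFX*' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            Get-ChildItem -Path $dir.FullName -Recurse -File -Force | ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Folder    = $dir.Name
                    File      = $_.FullName.Substring($dir.FullName.Length + 1)
                    Size      = $_.Length
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Signature = $sig.Status
                    Created   = $_.CreationTime   # should line up with the time you ran rkill
                }
            }
        }
}

Write-Host "== Running instances of $ProcessName =="
Get-ProcessOrigin -Name $ProcessName | Format-List

Write-Host "== Autostart entries referencing $ProcessName =="
Get-AutostartReferences -Name $ProcessName | Format-Table -AutoSize

Write-Host "== rkill extraction folders under $TempRoot =="
Get-RarSfxInventory -Root $TempRoot | Sort-Object Folder, File | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt as `.\Find-ProcessOrigin.ps1 -ProcessName bcmwltry.exe`. A genuine vendor tray application has an ExecutablePath under Program Files, a Signature of Valid with the vendor as Signer, and explorer.exe as its parent; a Path under %TEMP% or a user profile, a NotSigned or HashMismatch status, or a parent you did not expect is what to chase, and the autostart listing tells you what is relaunching it. For the RarSFX folders, identical hashes across RarSFX0, RarSFX1 and so on, creation times that match your rkill runs, and a match against a fresh rkill download confirm they are rkill's own, which is what the reply above says. On an XP-era machine without PowerShell, `wmic process where "name='bcmwltry.exe'" get ExecutablePath,ParentProcessId,CommandLine` gives the same process details.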
