
System Fix Oddity


3 replies to this topic

#1 I eat wyrms

I eat wyrms

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 05 December 2011 - 02:16 PM

Interesting infection if you get the bootkit bundle. Long and short of it, removed everything and cleaned up the MBR. No traces of anything. However, two system files reappear (%allusersprofile%\appdata) after every restart. At this point I suspect these are just files generated from an orphaned downloader. Analyzed all outgoing traffic, all normal.

Anyone else run into this?

Also, heads up for my IT friends. This particular bootkit variant was rough. Typical fixboot and fixmbr did not resolve. TDSSKiller would not run. Found an application that did remove the MBR infection, verified clean with MBRCheck. Not going to mention which as I know the occasional script kiddie glances around here looking for applications to add to their blacklists.

Nice to meet everyone. If I can ever be of any assistance please feel free to send me a message.

Edited by I eat wyrms, 05 December 2011 - 02:55 PM.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:01 AM

Posted 05 December 2011 - 07:48 PM

Hello and welcome. As you mentioned, this is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
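As an added example (not boopme's and not part of the thread), here is a read-only PowerShell script that does for the Run/RunOnce keys what the Autoruns walk-through above does by eye: it lists autostart entries whose target file no longer exists on disk, which is exactly the orphan left behind after a clean-up. The key list and the command-line parsing are my assumptions; Autoruns itself covers far more locations (services, drivers, scheduled tasks, Winlogon), so treat this as a first triage pass, not a replacement.

```powershell
# Added example: report Run/RunOnce entries whose executable is missing.
# It only reports; nothing is deleted, so it is safe to run for triage.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   %TEMP%\bar.exe -x
function Get-TargetPath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first executable-looking extension
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|bat|cmd|vbs|scr|com))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$orphans = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $command = [string]$p.Value
        $target  = Get-TargetPath $command
        # rundll32/regsvr32 launchers: the file that matters is the first argument
        if ($target -match '(rundll32|regsvr32)\.exe$' -and $command -match '\.exe\s+"?([^",]+)') {
            $target = [Environment]::ExpandEnvironmentVariables($matches[1])
        }
        if (-not (Test-Path -LiteralPath $target)) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $command; Missing = $target }
        }
    }
}

# Each row is a candidate orphan: a startup entry pointing at a file that is gone.
$orphans | Format-Table -AutoSize
```

Run it in an elevated PowerShell so HKLM is readable; an empty table means the Run/RunOnce keys hold no dangling entries and the search should move on to the other locations Autoruns enumerates.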

#3 I eat wyrms

I eat wyrms
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 06 December 2011 - 03:50 AM

> Hello and welcome. As you mentioned, this is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.
>
> To resolve this, download Autoruns, search for the related entry and then delete it.
>
>   • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
>   • Open the folder and double-click on autoruns.exe to launch it.
>   • Please be patient as it scans and populates the entries.
>   • When done scanning, it will say Ready at the bottom.
>   • Scroll through the list and look for a startup entry related to the file(s) in the error message.
>   • Right-click on the entry and choose delete.
>   • Reboot your computer and see if the startup error returns.


Thanks for responding. I should have been more clear about this. I am new to the forum and probably was posting in the wrong place. Wasn't really asking WHY, already figured that out, rather just seeing if anyone had run into these orphaned infected sys files after removal of the System Fix Bootkit variant. I am familiar with Autoruns and had already checked the registry and msconfig for startup entries. Nothing caught my eye, which was why I was curious about a possible orphaned downloader. Anyway thanks again. Love the work you do here at bleepingcomputer. I am an engineer myself, and if I can ever be of any assistance, feel free to message me :)

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:01 AM

Posted 06 December 2011 - 01:42 PM

No problem. It's not unusual to sometimes get orphans after removal.



