Zero-day virus? Nothing catches it.


  • This topic is locked
10 replies to this topic

#1 TrustThisPenguin
  • Members
  • 20 posts

Posted 13 July 2014 - 06:52 PM

My Windows 8.1 PC just got infected with something that seems to mess with my administrator permissions. I can't open Malwarebytes, and downloading Chameleon and running it fails. Windows Defender's scans don't catch it. Plus, rkill doesn't seem to help either. I know how I got it, and it's because of my idiocy in downloading a skeevy file that I still have, if anyone wants it. It's called psr.exe and it appears to use Steps Recorder maliciously. In Task Manager Steps Recorder shows up and I can't end the task. Attached is a picture of the process. Help?

Attached Files

#2 Grinler (Lawrence Abrams)
  • Admin
  • 43,395 posts
  • Gender:Male
  • Location:USA

Posted 13 July 2014 - 07:11 PM

Please submit the file to http://www.bleepingcomputer.com/submit-malware.php and I will have someone take a look.

#3 TrustThisPenguin
  • Topic Starter
  • Members
  • 20 posts

Posted 13 July 2014 - 07:41 PM

Thanks, I submitted it.



#4 TrustThisPenguin
  • Topic Starter
  • Members
  • 20 posts

Posted 13 July 2014 - 07:47 PM

Trying to end the process causes more to spawn  :angry:

Attached Files



#5 TrustThisPenguin
  • Topic Starter
  • Members
  • 20 posts

Posted 13 July 2014 - 07:50 PM

And it doesn't stop... 

Attached Files



#6 Grinler (Lawrence Abrams)
  • Admin
  • 43,395 posts
  • Gender:Male
  • Location:USA

Posted 14 July 2014 - 09:26 AM

Reboot into safe mode and remove the following:

%AppData%\csrss.exe
c:\WINDOWS\system32\NT Kernel\NTKernel.exe

Reboot and you should be fine. Detected by a lot of AV programs:

https://www.virustotal.com/en/file/aae112b90a9b92111397de4c1d4c715c6c2bca24385b3bd94abd23f5eb4bd34c/analysis/

Appears to be a keylogger.

#7 TrustThisPenguin
  • Topic Starter
  • Members
  • 20 posts

Posted 14 July 2014 - 10:13 AM

I couldn't find the NT Kernel directory in System 32, and csrss.exe doesn't show up in Windows Explorer but does in WinRAR. So I deleted it in WinRAR and rebooted, but I checked again and it came back. Whatever it did to my permissions is still there, so I still can't reinstall Malwarebytes and Chameleon still fails to start it. Trying to install Malwarebytes comes up with numerous error dialog boxes. Rkill showed something in the logs, but it didn't seem to help. 

 

Rkill 2.6.7 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 07/14/2014 11:05:16 AM in x64 mode.
Windows Version: Windows 8.1 Pro 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Windows\SysWOW64\UTSCSI.EXE (PID: 2380) [WD-HEUR]
 * C:\Users\Jeffrey\AppData\Roaming\csrss.exe (PID: 7864) [SFI]
 * C:\ProgramData\NT Kernel\NTKernel.exe (PID: 5444) [AU-HEUR]
 
3 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Modified HKCU\...\Winlogon: [Shell] => explorer.exe,"F:\Downloads\psr\psr.exe"
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * E1G60 [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 07/14/2014 11:05:48 AM
Execution time: 0 hours(s), 0 minute(s), and 32 seconds(s)
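
The Rkill log above shows two things worth checking by hand on any machine with similar symptoms: a Winlogon Shell value that starts an extra program next to explorer.exe (that is the hook that relaunches psr.exe at every logon, which is why killing the process and deleting one file did not stick), and processes named after core Windows binaries (csrss.exe) running from user-writable folders such as AppData or ProgramData. The PowerShell script below is an added example written for this page; it is not code from the thread, from Rkill or from any BleepingComputer tool. It assumes Windows 7 or later with PowerShell 3.0+ and an elevated prompt; the list of system-only names, the folders it searches and the file name Find-WinlogonPersistence.ps1 are my own choices for illustration. It only reports findings and removes nothing.

```powershell
# Find-WinlogonPersistence.ps1 (added example, not from the thread).
# Assumes Windows 7+/PowerShell 3.0+, run from an elevated prompt.

# Winlogon values that hold exactly one program on a stock install. Winlogon treats
# each as a comma-separated list, which is how an entry like
#   [Shell] => explorer.exe,"F:\Downloads\psr\psr.exe"
# starts a second program at every logon.
$WinlogonDefaults = @{
    Shell    = 'explorer.exe'
    Userinit = 'userinit.exe'
}

# Core Windows binaries that only ever run from System32/SysWOW64 (assumed list).
# A copy of one of these under AppData or ProgramData is a name-masquerading drop.
$SystemOnlyNames = @('csrss.exe', 'smss.exe', 'wininit.exe', 'winlogon.exe',
                     'services.exe', 'lsass.exe', 'svchost.exe')

$AllowedDirs = @((Join-Path $env:SystemRoot 'System32'),
                 (Join-Path $env:SystemRoot 'SysWOW64'))

function Test-InAllowedDir {
    # True when the file's directory is one of the system directories above.
    param([string]$Path)
    $dir = [System.IO.Path]::GetDirectoryName($Path)
    foreach ($allowed in $AllowedDirs) {
        if ($dir -and ($dir.TrimEnd('\') -ieq $allowed)) { return $true }
    }
    return $false
}

function Get-WinlogonAnomaly {
    # One object per Shell/Userinit entry that is not the expected program in an
    # expected location. Both hives are checked: an HKCU Shell value overrides HKLM.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $WinlogonDefaults.Keys) {
            $raw = $props.$name
            if (-not $raw) { continue }   # HKCU normally carries no Shell/Userinit value at all
            $entries = @($raw -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
            foreach ($entry in $entries) {
                $leaf = [System.IO.Path]::GetFileName($entry)
                $dir  = [System.IO.Path]::GetDirectoryName($entry)
                $expectedName = $leaf -ieq $WinlogonDefaults[$name]
                $expectedDir  = (-not $dir) -or (Test-InAllowedDir $entry)
                if ($expectedName -and $expectedDir) { continue }
                [pscustomobject]@{ Check = 'Winlogon'; Where = "$hive $name"; Finding = $entry }
            }
        }
    }
}

function Get-MasqueradingProcess {
    # Running processes carrying a core-system name but started from somewhere else.
    # Path is empty for processes the caller cannot open, hence the elevated prompt.
    Get-Process |
        Where-Object { $_.Path -and ($SystemOnlyNames -icontains ($_.Name + '.exe')) } |
        Where-Object { -not (Test-InAllowedDir $_.Path) } |
        ForEach-Object { [pscustomobject]@{ Check = 'Process'; Where = "PID $($_.Id)"; Finding = $_.Path } }
}

function Get-DroppedSystemName {
    # Files in user-writable locations named like a core system binary. -Force includes
    # Hidden/System files, which Explorer hides by default; that is the likely reason a
    # file shows in an archiver's browser but not in Explorer.
    foreach ($root in @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP)) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $SystemOnlyNames -icontains $_.Name } |
            ForEach-Object { [pscustomobject]@{ Check = 'File'; Where = $_.Attributes; Finding = $_.FullName } }
    }
}

$findings = @(Get-WinlogonAnomaly) + @(Get-MasqueradingProcess) + @(Get-DroppedSystemName)
if ($findings.Count -eq 0) { 'No Winlogon, process or dropped-file findings.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an Administrator prompt with `powershell -ExecutionPolicy Bypass -File .\Find-WinlogonPersistence.ps1`. On a stock install HKCU has no Shell value at all, so for a finding like the log's HKCU Shell entry the fix is to delete that value with `Remove-ItemProperty` (the HKLM default of explorer.exe then applies again) rather than to edit it. Do the registry and file cleanup from Safe Mode or offline, as the thread suggests, because a dropper that is still running can re-create both the files and the Winlogon value; the script tells you where to look, it does not do the removal.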


#8 JohnC_21
  • Members
  • 21,703 posts
  • Gender:Male

Posted 14 July 2014 - 10:20 AM

 * C:\Windows\SysWOW64\UTSCSI.EXE (PID: 2380) [WD-HEUR]
 * C:\Users\Jeffrey\AppData\Roaming\csrss.exe (PID: 7864) [SFI]
 * C:\ProgramData\NT Kernel\NTKernel.exe (PID: 5444) [AU-HEUR]
 
You may be able to delete these files offline using a Linux distro like Puppy. Burn the ISO and boot the CD. Click once on your hard drive in the lower left of the desktop. Probably sda1. The file manager will open. Browse to the above files and delete or rename them. Another option is using the Kaspersky Rescue Disk (Linux based) to do a scan. If the computer has an Ethernet connection the database will be updated.


#9 Grinler (Lawrence Abrams)
  • Admin
  • 43,395 posts
  • Gender:Male
  • Location:USA

Posted 14 July 2014 - 10:29 AM

At this point, as we do not allow malware removal topics in this forum, I suggest you create a virus removal assistance topic using these steps:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#10 JohnC_21
  • Members
  • 21,703 posts
  • Gender:Male

Posted 14 July 2014 - 10:36 AM

Sorry about the post. Did not know this.



#11 Chris Cosgrove
  • Moderator
  • 5,978 posts
  • Gender:Male
  • Location:Scotland

Posted 14 July 2014 - 05:19 PM

Since a topic has been raised in 'Virus and trojan etc logs', this topic is now locked to avoid confusion.

 

Chris Cosgrove