

Messages - Jojo51

1
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: January 05, 2015, 11:28:37 AM »
Yes, no problem! :) We can plan a TeamViewer session on an infected computer today at 03:00 pm (French time).

You can use my email (**********) to add me on Skype, I'm logged on at the moment.

Does it sound OK to you?

2
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: January 05, 2015, 11:04:53 AM »
Bad news :(

I have tested the BETA but it seems to fail to clean the infection. It can find it and start the removal, but after the next reboot the threat is back. We can spot it when we restart RogueKiller. You will find in the attachment the two scan reports, the first one and the second one after the cleaning/reboot.

Thanks for the help.


Johnny

3
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: January 05, 2015, 10:32:26 AM »
Thanks! I've just downloaded it.

Do I need to start it in safe mode or normally? Does it clean all the infected hives or only the one the program is started with??

Sorry for the questions, but I want to be sure to use your tool with the best practice! ;)


Johnny

4
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: January 05, 2015, 09:32:04 AM »
No, simply deleting the RUN value doesn't stop the infection. It seems that there is still something in it that makes explorer.exe crash in a loop.

5
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: January 05, 2015, 09:29:03 AM »
Hi!

Sounds good, it looks like you've done a great job! Thank you very much!!

Yes, if you can give me the new version I will test it on our infected computers. I will be your BETA tester !! :D

Speak soon,


Johnny

6
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: January 02, 2015, 03:14:19 PM »
Yes, here is the new "explorer.exe" dump created via Process Hacker: http://users.hexanet.fr/~pereira/explorer.exe.dmp

Already done this with RogueKiller, but the threat is still back after the reboot. The strangest thing is that on some computers the threat seems not to be completely installed, because I cannot find all the traces that we spoke about in my last post. But the error message that shows the "certificate installation" is still present, and RogueKiller still finds injected processes in services.exe, lsass.exe, explorer.exe etc...  >:(

That's a big one! :(

7
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: January 02, 2015, 12:04:11 PM »
Hi!

First, I wish all the best to all the virus "Threat Fighters" for the new 2015 year!! :)

Back to business...

Sorry for the delayed answers, I have investigated and spent a lot of time on this issue and discovered some useful information. So, thanks to your last message, I found the infection in the registry at different locations. The virus seems to install itself in each NTUSER.DAT file that constitutes the registry hive linked to each user. In each one, I find traces of it; here is what it is:

Found an "xsw" registry key in HKEY_CURRENT_USER\Software\xsw\
Found a "cxsw" registry key in HKEY_CURRENT_LOCAL_MACHINE\Software\
Found multiple binaries in HKEY_CURRENT_USER\Software\AppDataLow\
Found a value "Rundll32" in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Deleting the xsw registry key, the binaries in AppDataLow and the rundll32 value in the RUN key seems to be good, because the antivirus stops reporting the threat after the reboot. BUT the cxsw key still comes back after the first reboot and the virus seems to still be in the system, with RogueKiller still reporting the injected process in explorer.exe and others.

So, that is what I can bring you as new information. At this address, http://users.hexanet.fr/~pereira/Virus.zip , you will find the dumps you asked for, in different formats to be sure you can make use of them. Anti-Malware doesn't solve anything, it even fails to report the infection... :(

Thanks again for your help, I hope that you will find the solution. :)

Best regards,

J. PEREIRA
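As an added illustration (not a script from the thread or from RogueKiller), the following read-only PowerShell audit checks every user profile hive and HKLM for the four locations listed in the post above. It assumes an elevated shell, that the post's "HKEY_CURRENT_LOCAL_MACHINE" means HKLM, and that the temporary hive name XswAudit is free; it reports and never deletes.

```powershell
# Added example: read-only audit of the registry locations reported in the post.
# Assumes an elevated shell; offline NTUSER.DAT hives are loaded under the
# temporary name HKU\XswAudit with reg.exe and unloaded afterwards.
$script:Findings = New-Object System.Collections.Generic.List[string]

function Test-UserHive {
    param([string]$Root, [string]$Label)   # $Root like 'Registry::HKEY_USERS\S-1-5-21-...'
    if (Test-Path "$Root\Software\xsw") {
        $script:Findings.Add("$Label : key Software\xsw present")
    }
    $low = "$Root\Software\AppDataLow"
    if (Test-Path $low) {
        # The post reports binaries stored under AppDataLow; flag REG_BINARY values.
        $item = Get-Item $low
        foreach ($name in $item.GetValueNames()) {
            if ($item.GetValueKind($name) -eq 'Binary') {
                $script:Findings.Add("$Label : binary value '$name' in Software\AppDataLow")
            }
        }
    }
    $run = "$Root\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $run) {
        $v = Get-ItemProperty -Path $run -Name 'Rundll32' -ErrorAction SilentlyContinue
        if ($v) { $script:Findings.Add("$Label : Run value Rundll32 = $($v.Rundll32)") }
    }
}

# Machine-wide key from the post (read as HKLM\Software\cxsw).
if (Test-Path 'HKLM:\Software\cxsw') { $Findings.Add('HKLM : key Software\cxsw present') }

# Walk every profile in ProfileList: use the live hive if loaded, else load NTUSER.DAT.
$profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*'
foreach ($p in $profiles) {
    $sid    = $p.PSChildName
    $ntuser = Join-Path $p.ProfileImagePath 'NTUSER.DAT'
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        Test-UserHive -Root "Registry::HKEY_USERS\$sid" -Label $p.ProfileImagePath
    } elseif (Test-Path $ntuser) {
        & reg.exe load 'HKU\XswAudit' $ntuser | Out-Null
        try     { Test-UserHive -Root 'Registry::HKEY_USERS\XswAudit' -Label $p.ProfileImagePath }
        finally { & reg.exe unload 'HKU\XswAudit' | Out-Null }
    }
}

if ($Findings.Count) { $Findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No xsw/cxsw indicators found in any profile hive.' }
```

A hive whose user is logged on cannot be loaded a second time, which is why the script prefers the live HKEY_USERS\<SID> branch; profiles that are neither loaded nor have a readable NTUSER.DAT are simply skipped.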

8
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: December 30, 2014, 05:56:04 PM »
Many thanks for your feedback, I will get the information you need and send it to you as quickly as possible! :)

9
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: December 24, 2014, 10:20:58 AM »
Hi!

Still working hard on the subject without finding a solution. :(

We've done the scan with OTL as you asked in your last post, but it cannot clean anything either. :( You can find the log in the attachment.

Thanks for your help! :)


J. PEREIRA

10
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: December 22, 2014, 05:37:24 PM »
Yes, we already did the Anti-Malware and even the Anti-Rootkit scan, this afternoon for the third time. No infection reported by these tools.  :(

By the way, our ESET Antivirus now reports a threat in its log, speaking about a "Kryptic" virus variant. If it can help...  ;)

11
Malware removal help / Re: [Gootkit/Xswkit] New rootkit found!
« on: December 22, 2014, 03:03:29 PM »
Hi!

Thanks for the quick answer!  :)

We have analysed the "cwbrxd.exe" file on VirusTotal but it doesn't report any infection. Through this link, you will find an archive with two "explorer.exe" dump files, because we found two of them in memory, but it is impossible to know which is the good one...

http://users.hexanet.fr/~pereira/explorer.zip

Thanks a lot for any help you can grant! :)

Best regards,


J. PEREIRA

12
Malware removal help / [Gootkit/Xswkit] New rootkit found!
« on: December 22, 2014, 12:47:54 PM »
Hi,

We have used RogueKiller for years and with it we found the best cleaning tool that we can add to our antivirus solution. You are doing a great job and it's lucky to be able to use your software to solve some crisis situations.

Sadly, we are reporting a new rootkit that has infected several computers on our network. This virus infects principal Windows processes such as "explorer.exe", "svchost.exe" and others by injecting its code on the fly. RogueKiller reports the infection and can kill a few infected processes in memory but cannot clean it. Each time we make a scan with RK, the threat is back in the same processes over and over.

In addition, the issue reported by our users is that they cannot work on their computer because the screen is always flashing and showing a window that asks to install a trusted certificate. The screen flashes because when the virus starts its bad job, the antivirus (ESET Endpoint) kills the infected process but without being able to clean the infection. It seems that the virus only works completely on the user profile used to install it; when we log on to the local administrator session we don't get this flashing error message. But even when we scan the system through this session, it reports some infected (injected) processes, though fewer.

You can find the RogueKiller's scan report and the screenshot of the error in this archive.

Hope you will provide a solution.

Best regards,


J. PEREIRA
