Rootkit.Win32.Necurs.gen

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mixa, Oct 14, 2012.

  1. mixa

    mixa Private E-2

    Hi there. I am checking a laptop running Windows 7 Home Premium SP1 (in Spanish) that was infected with the ‘Police Virus’ - Trj-Ransom Ransomware. Via F8 and ‘Repair your computer’, I was able to run System Restore and get past the block and access Windows. Most things seemed to be back to normal but:

    - Panda Global Protection 2012 would not activate. It indicated that it needed to restart Windows in order to activate all the functions but returned each time to the same situation. Uninstalling and reinstalling of Panda did not change the situation.

    - Windows Update would not run because the WU service was not running. In fact, in Services, it did not even appear although the correct entries were present in the Registry.

    The owner of the laptop then explained that he had noticed the problem with Panda some time before the arrival of the Police Virus so it did seem to be a different malware that had installed itself earlier.

    I have run the processes indicated for Windows 7 in the Malware Removal Guide and TDSSKiller (using its default actions) removed Rootkit.Win32.Necurs.gen.

    Following completion of these processes, Windows Update works correctly and Panda GP2012 indicates that all components are functioning so all seems to be fine. However, I think there may still be some remains of malware that should be removed. I will attach the logs created and would be grateful if someone could review them.

    Thanks in advance for your help.
     

    Attached Files:
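    The symptom described above (the Windows Update service missing from the Services list while its registry entries were intact) is a classic sign of a rootkit hiding a service from the Service Control Manager. The following PowerShell snippet is an added example, not something posted in this thread or part of any of the tools mentioned; it enumerates Win32 service keys under HKLM\SYSTEM\CurrentControlSet\Services and reports any that Get-Service does not return. The key filtering (Type bits 0x10/0x20, excluding per-user service templates with bit 0x40) is an assumption made for this example; a mismatch is a lead to investigate, not proof of infection.

```powershell
# Added example: compare services registered in the registry with the set the
# Service Control Manager (SCM) reports. A service present in the registry but
# absent from Get-Service is what the hidden wuauserv symptom above looks like.
$regRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegistryServiceNames {
    # Assumption for this example: a key is a Win32 service when its Type value
    # has the own-process (0x10) or shared-process (0x20) bit set and is not a
    # per-user service template (bit 0x40). Drivers and filter keys are skipped.
    Get-ChildItem -Path $regRoot | ForEach-Object {
        $type = (Get-ItemProperty -Path $_.PSPath -Name Type -ErrorAction SilentlyContinue).Type
        if ($null -ne $type -and ($type -band 0x30) -ne 0 -and ($type -band 0x40) -eq 0) {
            $_.PSChildName
        }
    }
}

function Get-ScmServiceNames {
    # What the SCM is willing to enumerate right now.
    Get-Service -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
}

function Find-HiddenServices {
    # Names on the registry side ('<=') that the SCM view does not contain.
    $fromRegistry = @(Get-RegistryServiceNames)
    $fromScm      = @(Get-ScmServiceNames)
    Compare-Object -ReferenceObject $fromRegistry -DifferenceObject $fromScm |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object -ExpandProperty InputObject
}

# Report each discrepancy with its start type and image path so an analyst can
# judge whether it is a legitimate service the SCM should have listed.
Find-HiddenServices | ForEach-Object {
    $svc = Get-ItemProperty -Path (Join-Path $regRoot $_)
    [pscustomobject]@{
        Name      = $_
        Start     = $svc.Start
        ImagePath = $svc.ImagePath
    }
} | Format-Table -AutoSize
```

    Run it from an elevated PowerShell session on the suspect machine. On a clean system the output should be empty or contain only services that have just been uninstalled but whose keys have not yet been removed; a core service such as wuauserv appearing in the list is the discrepancy worth chasing with a rootkit scanner.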

  2. mixa

    mixa Private E-2

    More logs. This TDSSKiller log is after the restart following the first run of TDSSKiller and looks cleaner.
     

    Attached Files:

  3. mixa

    mixa Private E-2

    One additional observation. After running the recommended cleanup processes, the Windows desktop shows "Safe Mode", "Windows 7" and "Compilation 7601" on 3 lines at the bottom right just above the time and date in the Taskbar.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Rerun RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

    Then select the Files tab and if the below exist, click the Delete button again.

    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below logs:
    • the new RogueKiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. mixa

    mixa Private E-2

    Hi chaslang. Thank you for the instructions.

    I downloaded RogueKiller again today but, on running, it advised that the version was outdated and offered to download an updated version. I did this but it repeated the message so I ignored the offer to download a newer version and let it run. I attach the report from first and second runs. The 4 lines under Registry were present but none of those under Files appeared.

    I downloaded MGTools as instructed and attach the reports.

    I have not had much time to use the laptop today but it does seem to be working correctly. Panda Global Protection 2012 reports no security problems and there are no problems with startup, shutdown or web browsing.

    Thanks again for your help.
     

    Attached Files:

  6. mixa

    mixa Private E-2

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  8. mixa

    mixa Private E-2

    At this moment I cannot run the Farbar Recovery Scan Tool as I no longer have the laptop available because the owner needed it urgently for his work. I did eliminate the ‘Safe Mode’ watermark, removed the programs used, ran MGclean.bat and activated UAC before returning the laptop.

    I have e-mailed the owner to ask if I can have access to the laptop again and will update the post as soon as possible.

    Thanks for your help.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. We will be here when ready. ;)
     
