MajorGeeks Support Forums
Malware Removal

#1  10-14-12, 11:02  mixa (Private E-2)
Rootkit.Win32.Necurs.gen

Hi there. I am checking a laptop running Windows 7 Home Premium SP1 (in Spanish) that was infected with the ‘Police Virus’ - Trj-Ransom Ransomware. Via F8 and ‘Repair your computer’, I was able to run System Restore and get past the block and access Windows. Most things seemed to be back to normal but:

- Panda Global Protection 2012 would not activate. It indicated that it needed to restart Windows in order to activate all the functions but returned each time to the same situation. Uninstalling and reinstalling of Panda did not change the situation.

- Windows Update would not run because the WU service was not running. In fact, in Services, it did not even appear although the correct entries were present in the Registry.

The owner of the laptop then explained that he had noticed the problem with Panda some time before the arrival of the Police Virus so it did seem to be a different malware that had installed itself earlier.

I have run the processes indicated for Windows 7 in the Malware Removal Guide and TDSSKiller (using its default actions) removed Rootkit.Win32.Necurs.gen.

Following completion of these processes, Windows Update works correctly and Panda GP2012 indicates that all components are functioning so all seems to be fine. However, I think there may still be some remains of malware that should be removed. I will attach the logs created and would be grateful if someone could review them.

Thanks in advance for your help.
Attached Files
File Type: txt RKreport[1].txt (2.4 KB, 2 views)
File Type: txt mbam-log-2012-10-12 (21-26-40).txt (2.8 KB, 2 views)
File Type: txt TDSSKiller.2.8.10.0_12.10.2012_21.37.23_log.txt (328.2 KB, 1 views)

#2  10-14-12, 11:05  mixa (Private E-2)
Re: Rootkit.Win32.Necurs.gen

More logs. This TDSSKiller log is after the restart following the first run of TDSSKiller and looks cleaner.
Attached Files
File Type: txt TDSSKiller.2.8.10.0_12.10.2012_21.45.44_log.txt (134.1 KB, 2 views)
File Type: log HitmanPro_20121012_2200.log (1.8 KB, 2 views)
File Type: zip MGlogs.zip (337.6 KB, 2 views)

#3  10-14-12, 11:13  mixa (Private E-2)
Re: Rootkit.Win32.Necurs.gen

One additional observation. After running the recommended cleanup processes, the Windows desktop shows "Safe Mode", "Windows 7" and "Compilation 7601" on 3 lines at the bottom right just above the time and date in the Taskbar.

#4  10-14-12, 21:39  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit.Win32.Necurs.gen

Rerun RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

Quote:
[RUN][ROGUE ST] HKLM\[...]\Policies\Explorer\\Run : 26797 (C:\PROGRA~3\LOCALS~1\Temp\msvnqquci.exe) -> FOUND
[RUN][ROGUE ST] HKLM\[...]\Wow6432Node\Policies\Explorer\\Run : 26797 (C:\PROGRA~3\LOCALS~1\Temp\msvnqquci.exe) -> FOUND
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Gonzalo\LOCALS~1\Temp\mstobnakc.pif) -> FOUND
[SHELL][SUSP PATH] HKUS\S-1-5-21-2817328077-4178328390-389620779-1000[...]\Windows : Load (C:\Users\Gonzalo\LOCALS~1\Temp\mstobnakc.pif)
Then select the Files tab and if the below exist, click the Delete button again.

Quote:
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{8cf6df75-fc61-116a-c00e-245d7d8ed242}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{8cf6df75-fc61-116a-c00e-245d7d8ed242}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{8cf6df75-fc61-116a-c00e-245d7d8ed242}\L --> FOUND
[ZeroAccess][FILE] @ : c:\users\sixpoint\appdata\local\{8cf6df75-fc61-116a-c00e-245d7d8ed242}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\users\sixpoint\appdata\local\{8cf6df75-fc61-116a-c00e-245d7d8ed242}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\sixpoint\appdata\local\{8cf6df75-fc61-116a-c00e-245d7d8ed242}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND
Then immediately reboot your PC.

After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below logs:
  • the new RogueKiller log
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."
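As an added example (not from this thread and not RogueKiller's own code), the following PowerShell check enumerates the autostart locations the report above flagged and marks entries whose command runs from a Temp folder, an 8.3 short-name path such as PROGRA~3 or LOCALS~1, or a .pif file, the traits of the entries quoted in this post. The full registry key paths are assumed from the report's abbreviated HKLM\[...]\Policies\Explorer\Run and HKCU\[...]\Windows forms.

```powershell
# Added example, not part of the thread or of RogueKiller: list the values in the
# autostart locations the report above flagged and mark any whose command runs
# from a Temp folder, an 8.3 short-name path (PROGRA~3, LOCALS~1) or a .pif file.
$checks = @(
    # Full key paths are assumed for the report's abbreviated HKLM\[...]\Policies\Explorer\Run
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Names = $null },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Names = $null },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Names = $null },
    # Legacy win.ini mapping that holds the Load and Run values (the report's HKCU\[...]\Windows : Load)
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Names = @('Load', 'Run') }
)
# Regex for launch paths a legitimate autostart entry almost never uses (-match is case-insensitive)
$suspicious = '\\Temp\\|PROGRA~|LOCALS~|\.pif'
# Bookkeeping properties Get-ItemProperty adds that are not registry values
$psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()
foreach ($check in $checks) {
    # Wow6432Node does not exist on 32-bit Windows, so missing keys are simply skipped
    if (-not (Test-Path -Path $check.Key)) { continue }
    $item = Get-ItemProperty -Path $check.Key
    $names = if ($check.Names) { $check.Names } else {
        $item.PSObject.Properties | Where-Object { $psProps -notcontains $_.Name } |
            ForEach-Object { $_.Name }
    }
    foreach ($name in $names) {
        $value = [string]$item.$name
        if ([string]::IsNullOrEmpty($value.Trim())) { continue }   # an empty Load/Run value is normal
        $verdict = if ($value -match $suspicious) { 'SUSPICIOUS' } else { 'ok' }
        $findings += New-Object PSObject -Property @{
            Verdict = $verdict; Key = $check.Key; Name = $name; Value = $value
        }
    }
}
# Suspicious entries first; compare each Value against the paths RogueKiller reported
$findings | Sort-Object Verdict -Descending | Format-Table Verdict, Key, Name, Value -AutoSize
```

Reading these keys needs no elevation; an entry marked SUSPICIOUS should be compared with the RogueKiller report before anything is deleted, since the script only flags path patterns and does not remove anything.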

#5  10-15-12, 16:04  mixa (Private E-2)
Re: Rootkit.Win32.Necurs.gen

Hi chaslang. Thank you for the instructions.

I downloaded RogueKiller again today but, on running, it advised that the version was outdated and offered to download an updated version. I did this but it repeated the message, so I ignored the offer to download a newer version and let it run. I attach the reports from the first and second runs. The 4 lines under Registry were present but none of those under Files appeared.

I downloaded MGTools as instructed and attach the reports.

I have not had much time to use the laptop today but it does seem to be working correctly. Panda Global Protection 2012 reports no security problems and there are no problems with startup, shutdown or web browsing.

Thanks again for your help.
Attached Files
File Type: txt RKreport[1].txt (3.0 KB, 1 views)
File Type: txt RKreport[2].txt (2.9 KB, 3 views)
File Type: zip MGlogs.zip (336.9 KB, 1 views)

#6  10-15-12, 16:09  mixa (Private E-2)
Re: Rootkit.Win32.Necurs.gen

PS: I have seen the solution for the 'Safe Mode' watermark on the desktop here:
- http://support.microsoft.com/kb/2509241/en-us

This seems to have been caused by the 'necurs' rootkit as explained in the comments at the end of the following link:
- http://www.thewindowsclub.com/what-i...k-in-windows-7

#7  10-16-12, 23:59  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit.Win32.Necurs.gen

Please do the below so that we can boot to System Recovery Options to run a scan.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Quote:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

#8  10-19-12, 06:48  mixa (Private E-2)
Re: Rootkit.Win32.Necurs.gen

At this moment I cannot run the Farbar Recovery Scan Tool as I no longer have the laptop available because the owner needed it urgently for his work. I did eliminate the ‘Safe Mode’ watermark, removed the programs used, ran MGclean.bat and activated UAC before returning the laptop.

I have e-mailed the owner to ask if I can have access to the laptop again and will update the post as soon as possible.

Thanks for your help.

#9  10-20-12, 01:17  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Rootkit.Win32.Necurs.gen

Okay. We will be here when ready.