win32k.sys:1 / 2 rootkit troubles

Discussion in 'Malware Help (A Specialist Will Reply)' started by pryogene, Sep 6, 2009.

  1. pryogene

    pryogene Private E-2

    Hi. When I run certain programs I have a tendency to have taskmgr running.
    When I noticed MSA.exe and A.exe I realised, "Hey! I've contracted a virus!" I immediately sought help on removal, did so, and then realised I had a rootkit after running multiple antivirus programs, 3 of which the rootkit has lovingly killed for me (Avira, Avast, Malwarebytes; AVG was unaffected). I ran a 5th program, AVG Anti-Rootkit, which picked up win32k.sys:1 and win32k.sys:2 in C:\windows\; on further inspection, the 'real' file is actually in System32.
    Someone please help me, the majority of my software library is being slowly killed off :(

    thanks in advance
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You are sort of on the right track, but the win32k.sys file in System32 has nothing to do with the problem. The real problem is that one or several of the below System32 files are infected:

    eventlog.dll
    netlogon.dll
    scecli.dll


    Run this Win32KDiag - How to run and attach the log. It will help us determine which file(s) we need to fix.

    Also try running this GMER - running with a random name and attach the log.


    See: HOW TO: Attach Items To Your Post
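    An added example, not part of the thread or of the Win32KDiag/GMER tools it points to: the "win32k.sys:1" form that AVG reported is how a scanner names an NTFS alternate data stream attached to a file, so the copy in C:\Windows can be checked for extra streams directly, and the three System32 DLLs named above can be checked for a valid Microsoft signature. It assumes PowerShell 4.0 or later (Get-Item -Stream and Get-FileHash) in an elevated prompt; the paths are the ones named in the post.

```powershell
# Added example (not from the MajorGeeks thread). Assumes PowerShell 4.0+ and an elevated prompt.
$suspect = Join-Path $env:SystemRoot 'win32k.sys'           # the copy AVG flagged (C:\Windows\)
$dlls    = 'eventlog.dll', 'netlogon.dll', 'scecli.dll' |
           ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

function Get-ExtraStreams {
    param([string]$Path)
    # A clean file carries only the unnamed ':$DATA' stream; anything else is an ADS
    # and is what a scanner reports as "name:1", "name:2", and so on.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-Item -LiteralPath $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { [pscustomobject]@{ Path = $Path; Stream = $_.Stream; Bytes = $_.Length } }
}

function Test-SystemDll {
    param([string]$Path)
    # Patched system DLLs lose their Authenticode signature. A status other than 'Valid'
    # is a lead, not a verdict: on older Windows these files are catalog-signed and show
    # 'NotSigned' here, so confirm with:  sfc /verifyfile=<path>
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256 = $hash
    }
}

# 1. Extra streams on the C:\Windows copy (the real driver lives in System32).
$ads = Get-ExtraStreams -Path $suspect
if ($ads) { $ads | Format-Table -AutoSize } else { "no extra streams on $suspect" }

# 2. Signature state of the three DLLs this infection is known to patch.
$dlls | ForEach-Object { Test-SystemDll -Path $_ } | Format-Table -AutoSize
```

    Save any stream that turns up with `Get-Content -LiteralPath $suspect -Stream <name> -Encoding Byte` before removing it, so the sample can be submitted; a DLL whose signature status is not 'Valid' and that `sfc /verifyfile` also rejects is the file to replace, which matches the "determine which file(s) we need to fix" step above.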
     
  3. pryogene

    pryogene Private E-2

    I was aware that the file in System32 was nothing to do with the problem, it just struck me as strange.

    However, i have managed to clean my computer of the rootkit, after following the vista cleanup procedure on this site.

    HOWEVER, i must stress a few things:

    For this particular rootkit, SuperAntiSpyware and malwarebytes were killed off.
    ComboFix is about the only thing that ran, though it did solve my problem.

    Thank you for your reply =]
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes, we know that, which is why the instructions stress to run all steps. You may still be having problems that you are yet unaware of. These infections can cause residual damage. Most notably, permissions issues like you noticed with SAS and MBAM.
     
