Old July 24th, 2008, 08:00 PM     #22 (permalink)
Tygur
Member
Join Date: Feb 2002
Posts: 199
I thought I'd describe my experience with this thing. It has a rootkit, which makes detection and removal difficult.

The files I quickly found were:
c:\windows\braviax.exe
c:\windows\buritos.exe
c:\windows\system32\buritos.exe
c:\windows\system32\crypts.dll
c:\windows\system32\ntos.exe
(I think that was all of them)

In addition, its rootkit kept adding cru629.dat to AppInit_DLLs, which I don't think I ever did find.

I used hijackthis (renamed to ht.exe because the rootkit blocked hijackthis.exe from running) to find them. I used my standard procedure of booting off a Linux CD and deleting them when they don't have a chance to undo my actions. After discovering that I couldn't log back into the computer with ntos.exe gone (I hadn't cleaned it with hijackthis before removing it, since I thought that to be pointless), I replaced it with a copy of ping.exe, and then deleted that later after cleaning with hijackthis.

I also used Rootkit Hook Analyzer to discover that beep.sys was infected, so I (from Linux again) overwrote it with a good copy from an uninfected computer. I also deleted the beep.sys copy I found in c:\windows\system32\dllcache.

In addition, one out of the four infected computers I saw had an additional driver file called Wel63.sys (in my case anyway) that was spamming itself out to other computers like mad. This was more difficult to find, because using normal tools, it just looks like svchost.exe (launched with no arguments) is doing it. I found it by looking at the drivers listed by Rootkit Hook Analyzer for anything suspicious.

After all that, I double-checked on each computer to make sure everything was really gone - a combination of monitoring network connections, checking the existence of the files, and making sure hijackthis is no longer blocked from running. By the way, it also blocked McAfee and SuperAntiSpyware.

This is what I did, but my suggestion to anyone else is to find some easy directions someplace - maybe a recommended antivirus that actually works, or a tool that's easier to use.

EDIT: Oh yeah, and it also installed "XPSecurityCenter" on some of the computers too, which I removed. And it does also make some files in your temp directory, so you might want to clear that.

Last edited by Tygur : July 24th, 2008 at 08:04 PM.
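Added example, not part of Tygur's post: a Python check that mirrors the offline part of the procedure above (volume mounted from a Linux CD so the rootkit cannot interfere), looking for the listed file paths case-insensitively and comparing both beep.sys copies against a known-good copy taken from an uninfected machine. The sample volume it builds is constructed in a temp directory with placeholder bytes; the `beep.sys.good` reference path is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths from the post, relative to the root of the offline-mounted Windows volume.
SUSPECT_FILES = ["windows/braviax.exe", "windows/buritos.exe", "windows/system32/buritos.exe",
                 "windows/system32/crypts.dll", "windows/system32/ntos.exe"]
# Both copies of beep.sys the post dealt with: the live driver and the dllcache copy.
BEEP_COPIES = ["windows/system32/drivers/beep.sys", "windows/system32/dllcache/beep.sys"]

def resolve_ci(base: Path, rel: str):
    """Resolve rel under base ignoring case; NTFS mounted from Linux may be case-sensitive."""
    cur = base
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_volume(volume: Path, good_beep: Path) -> dict:
    """List which suspect files exist and which beep.sys copies differ from a known-good copy."""
    present = [rel for rel in SUSPECT_FILES if resolve_ci(volume, rel) is not None]
    good = sha256_of(good_beep)
    tampered = []
    for rel in BEEP_COPIES:
        p = resolve_ci(volume, rel)
        if p is not None and sha256_of(p) != good:
            tampered.append(rel)
    return {"suspect_files": present, "tampered_beep_sys": tampered}

def demo() -> dict:
    """Constructed sample volume, not a real infection: mixed-case dirs, one dropper, one altered driver."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "Windows" / "System32"
    (sys32 / "drivers").mkdir(parents=True)
    (sys32 / "dllcache").mkdir()
    (sys32 / "ntos.exe").write_bytes(b"dropper placeholder")
    (sys32 / "drivers" / "beep.sys").write_bytes(b"altered driver placeholder")
    (sys32 / "dllcache" / "beep.sys").write_bytes(b"clean driver placeholder")
    reference = root / "beep.sys.good"  # stands in for the copy from an uninfected machine
    reference.write_bytes(b"clean driver placeholder")
    return scan_volume(root, reference)

if __name__ == "__main__":
    print(demo())
```

On a real mount, point `scan_volume` at the mount root and at a beep.sys copied from a clean machine of the same Windows version, since the hash differs between service packs.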