A Weekend Of RootKits: Figaro.sys Rootkit
I took a few appointments this weekend and witnessed the same infection over and over again…Figaro.sys. The Figaro.sys rootkit is dropped in c:\windows\system32\drivers (on Vista), and on XP I’ve seen it in the DLLCACHE folder.
I don’t know exactly what it does but I can give you the symptoms:
Random reboots
Virtumonde drops
Very slow logins
I removed Figaro.sys [...]
Antivirus XP 2008 – Rogue AntiVirus
I discovered a new rogue on Saturday over at a clients house (Barb S.).
This looks a lot like Windows Defender, doesn’t it? Anyway, Barb had Trend Micro 2006 (which was working and updated); however, Trend was completely unaware that there were applications like this running, plus 40+ pieces of malware hiding in System32.
Removal:
First [...]
TheSpyBot – Rogue Anti-Malware
I came across TheSpyBot while working in Webster, MO. It was pretty obvious to me that this was rogue anti-malware; however, my client had it confused with Spybot Search and Destroy…no doubt this is what the malware author’s intentions were.
TheSpyBot loads at startup and starts doing its fake scan. After only a few [...]
ComboFix Crashes
This is a note to self:
When ComboFix crashes on or before stage 1 or stage 2, a Trojan.Vundo and/or a rootkit is present in system32 and is terminating the ComboFix process, causing a crash dump.
Workaround:
Install and Run Spyware Doctor with Antivirus and configure it to scan for rootkits. Register Spyware Doctor and then run a full [...]
ComboFix and Vista
ComboFix was designed for Windows XP (and not Vista). Please heed the warning below:
!!! DO NOT RUN COMBOFIX ON VISTA. IT WILL LEAVE VISTA IN A CORRUPTED STATE THAT IS NOT REPAIRABLE AND WOULD REQUIRE A SYSTEM RELOAD !!!
virtumonde removal
Virtumonde removal can be successfully accomplished via the steps below. Please note that this fix only works on Windows XP. NEVER RUN COMBOFIX ON WINDOWS VISTA!!!
Warning: The fix below is a manual process and should only be attempted by professional anti-malware techs.
If you want to remove any [...]
how to get rid of popups left from vundo virus
Mark:
If you’re still getting popups after removing the Vundo virus, that means you’re still infected (with something). I would suggest that you download the latest version of ComboFix and run it in Safe Mode.
ComboFix Latest Download
The latest version of ComboFix flat out tells you that 1/100 computers can be corrupted as a result of ComboFix cleaning infections. This is true…I know. Anyway, before you run ComboFix you should run a complete AV scan using Spyware Doctor with AntiVirus.
Why?
ComboFix will delete any infected files…that means system files. [...]
