Counterspy found Gromozon infection

Well, as I sit here currently scraping my machine to remove Gromozon - first infection of any kind in 8 years. Grrrrr.. - I am not overly impressed by Counterspy's reaction. My daily scan flagged it, but then clicking "Remove" indicated that all was OK. I immediately re-scanned while I looked up all I could on Gromozon and sure enough, it was still there. I have since discovered that it takes more than telling Counterspy to remove it to actually get it removed. Yet Counterspy errantly tells you that it is removed. And when I realized I had to do more, I went to the Counterspy site and it explained very briefly what Gromozon is, its only recommendation is "Remove". That would lead a user again to simply use Counterspy's "Remove" option - but that does not work with Gromozon.

Shouldn't there be a little more warning, along with some instructions to at least steer folks to a site that CAN remove it?

BTW, updated NOD32 2.7 did not see Gromozon with a full Blackspear setup.

 

Re: Dangerous trojans on the loose

Hi,

Symptoms of the Gromozon Rootkit - including removal information.

Good Luck !

 

Re: Dangerous trojans on the loose

Very disturbing that both Counterspy and NOD32 2.7 failed to deal with it! The link that Marianna gave to the Prevx removal tool, should take care of it for you, as i know it's worked for everyone i've recommended it to.


StevieO

 

Re: Dangerous trojans on the loose

You can run Rustbfix too, to check for Rustock B http://forums.spybot.info/showthread.php?p=66546

 

Re: Dangerous trojans on the loose

Hi TNT

If you can give EH the head's up with J-Mac prob but curiously this appeared over at RKR forums today
http://forum.sysinternals.com/forum_posts.asp?TID=9910&PN=1

I will give OP further diagnostic advice but possible F/P if PrevX tool drawing a blank(i will suggest a safe mode run next+RKU report just to rule out etc).

TIA

Ade

 

Re: Dangerous trojans on the loose

OK, before you posted this, I followed the CastleCops sequence:

• Downloaded the Symantec and Prevx removal tools
  
  
• Ran an F-Secure online scan - says I'm clean.
  
  
• Downloaded the latest AVG Anti-Spyware scanner and ran it - also says I'm clean
  
  
• Ran the Prevx Gromozon remover - it said that it was not found on my system
  
  
• Ran Counterspy - says I have Gromozon

Any thoughts? I'm feeling pretty clean, but yet.....

Thanks.

 

Re: Dangerous trojans on the loose

I would try with Rootkit Unhooker and SUPERAntiSpyware.

 

Re: Dangerous trojans on the loose

I'll think about it Lucas.

I guess I could just try everything out there...

 

Re: Dangerous trojans on the loose

Here is a write-up from Counterspy's Gromozon:

http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Gromozon&threatid=90548

Can you find the files mentioned on your computer?

 

Re: Dangerous trojans on the loose

None of the files mentioned there are on my PC. However the files shown on the Counterspy page differ from those on other pages. (CastleCops, Symantec, etc.)

Either it changed that fast, or it is a false positive. I'll have to keep on looking.

Thanks.

 

Re: Dangerous trojans on the loose

Yep F-secure and AVG AS are *blind* to Gromozon rootkit component,if they can't see it then they can't action a removal

Maybe if you like follow the instructions given to the OP here>>>
http://forum.sysinternals.com/forum_...?TID=9910&PN=1

If these 3 draw blanks with no Gromozon data returned then there is a very high likelyhood that it is a F/p detection by CS.

HTH

 

Re: Dangerous trojans on the loose

That link is returning q 404 server error.

Would the Prevx1 tool also be blind? Plus, why would CastleCops recommend the other two if they can't see it? Weird.

Thanks.

 

Re: Dangerous trojans on the loose

2nd go at the link
http://forum.sysinternals.com/forum_posts.asp?TID=9910&PN=1

Re :CC removal instructions,pass maybe it is to pick up any non cloaked stuff...

Re PrevX tool it has not failed me on the few times i have used it but that was when it was first introduced since then i found other tools that could nuke either the infection or the rootkit component

 

Re: Dangerous trojans on the loose

Did you try to contact Sunbelt?

 

Re: Dangerous trojans on the loose

This info has just been presented over at RKR forums from a member that has been in contact with CS support.

 

Re: Dangerous trojans on the loose

That explains it Guess, you are now "relieved"

 

Re: Dangerous trojans on the loose

Yes!!

Well, not actually - shoot, I'm paranoid now... but not too much!

I'll give it one more run around all the scans and such tonight, and then - if nothing - call it a F/P.

It does sound like it is an F/P, though. So my eight year infection-free run looks like it is still on. At least I got a pretty good workout on my threat reaction skills!

Thanks all - great people here!

 

+1 on relieved. I got the same FP fron counterspy yesterday. Tnx to fcukdat for the post and tnx to all the others for your info.
Jerry

 

BTW CS user's a little bit more info behind this issue from SB
http://www.castlecops.com/p896386-Gromozon_problems_please_help.html#896386

I take it your all still using Vers 1.5