Cloaked Malware

Discussion in 'Prevx Releases' started by erchavez, Jan 24, 2010.

Thread Status:
Not open for further replies.
  1. erchavez

    erchavez Registered Member

    Joined:
    Jan 24, 2010
    Posts:
    3
    Prevx 3.0 can't seem to fix the cloaked malware found. I tried running in safe mode and installing the randomized version. Any help would be appreciated.

    Prevx Scan Log - Version v3.0.5.50
    Log Generated: 24/1/2010 11:16, Type: 1,1
    Windows XP Professional Service Pack 3 (Build 2600) 32bit|1033
    Hostname: WNADEC-RCHAVEZ2
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
    Last Scan: Sun 2010-01-24 11:14:40 Central Standard Time. Number of Scans: 23. Last Scan Duration: 2 minutes 8 seconds.
    c:\windows\system32\h8srtwmlltkckie.dll [PX5: F68023A8004217BFA02D0055A878AE005F8FD4CF] Malware Group: High Risk Cloaked Malware
    c:\windows\system32\h8srtpjmvcvjlkx.dll [PX5: BDF27BC70052C040A03A000830F32E00A720CBEA] Malware Group: High Risk Cloaked Malware
    c:\windows\system32\h8srtnyobqpoayb.dll [PX5: 8F5A9A1B00FC8AB3421B00693DABB300CEC1AFA2] Malware Group: High Risk Cloaked Malware
     
    Last edited: Jan 24, 2010
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    In settings, make sure that heuristics is on high and self defense is at maximum, and it will remove it on reboot ;) Try it.
     
  3. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    Hi, didn't Prevx detect and/or remove a c:\windows\system32\drivers\h8srtxxxxxxxxxx.sys? (x is a random character)

    If not, try Tools > Manual File Cleanup and delete the c:\windows\system32\drivers\h8srtxxxxxxxxxx.sys

    I've used Prevx for similar infections, and besides the h8srtxxxxxxxxxx.dll's there was always a c:\windows\system32\drivers\h8srtxxxxxxxxxx.sys detected and removed by Prevx. And Prevx removed the regkey which loads the h8srtxxxxxxxxxx.sys.
     
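    Added example (not Prevx's code and not posted by anyone in this thread): a small parser for the Prevx scan-log detection lines shown in the first post, which groups detections by shared filename prefix and points at the sibling driver path that ctrlaltdelete describes in post 3. The sample log text is copied from post 1; the 5-character prefix length and the `drivers\<prefix>*.sys` pattern are assumptions drawn from that description.

```python
"""Parse Prevx 3.0 scan-log detection lines and cluster them by shared
random-name prefix (the h8srt* files in this thread). Added example,
not Prevx code. Prefix length of 5 is an assumption from the thread."""
import re
from collections import defaultdict

# One detection line: drive path, 40-hex-digit PX5 id, malware group.
DETECTION_RE = re.compile(
    r"^(?P<path>[a-z]:\\.+?) \[PX5: (?P<px5>[0-9A-F]{40})\] "
    r"Malware Group: (?P<group>.+?)\s*$", re.IGNORECASE)
HEU_RE = re.compile(r"Heu: (?P<heu>\d+)")

def parse_log(text):
    """Return (heuristics level, list of detection dicts) from a scan log."""
    heu, hits = None, []
    for line in text.splitlines():
        line = line.strip()
        m = HEU_RE.search(line)
        if m:
            heu = int(m.group("heu"))
        m = DETECTION_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return heu, hits

def group_by_prefix(hits, prefix_len=5):
    """Group detections by (directory, first prefix_len chars of filename)
    so randomly named siblings dropped together cluster together."""
    groups = defaultdict(list)
    for h in hits:
        directory, _, name = h["path"].lower().rpartition("\\")
        groups[(directory, name[:prefix_len])].append(name)
    return dict(groups)

def expected_driver(directory, prefix):
    """Sibling driver path to check for (thread reports drivers\\<prefix>*.sys)."""
    return f"{directory}\\drivers\\{prefix}*.sys"

# Sample log lines copied from the first post of this thread.
SAMPLE_LOG = r"""Prevx Scan Log - Version v3.0.5.50
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
c:\windows\system32\h8srtwmlltkckie.dll [PX5: F68023A8004217BFA02D0055A878AE005F8FD4CF] Malware Group: High Risk Cloaked Malware
c:\windows\system32\h8srtpjmvcvjlkx.dll [PX5: BDF27BC70052C040A03A000830F32E00A720CBEA] Malware Group: High Risk Cloaked Malware
c:\windows\system32\h8srtnyobqpoayb.dll [PX5: 8F5A9A1B00FC8AB3421B00693DABB300CEC1AFA2] Malware Group: High Risk Cloaked Malware
"""

if __name__ == "__main__":
    heu, hits = parse_log(SAMPLE_LOG)
    for (d, p), names in group_by_prefix(hits).items():
        print(f"{len(names)} file(s) with prefix '{p}' in {d}; check {expected_driver(d, p)}")
```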
  4. erchavez

    erchavez Registered Member

    Joined:
    Jan 24, 2010
    Posts:
    3
    Jmonge,

    Tried it... no luck... it sees them, it just can't remove them... tells me to contact customer support. I have tried that, and other than telling me to install in safe mode they have not responded since yesterday noon.

    Prevx Scan Log - Version v3.0.5.50
    Log Generated: 24/1/2010 12:39, Type: 1,1
    Windows XP Professional Service Pack 3 (Build 2600) 32bit|1033
    Hostname: WNADEC-RCHAVEZ2
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 1, Pop: 1, Heu: 4 (Dir: 1)
    Last Scan: Sun 2010-01-24 12:38:27 Central Standard Time. Number of Scans: 27. Last Scan Duration: 2 minutes 17 seconds.
    c:\windows\system32\h8srtwmlltkckie.dll [PX5: F68023A8004217BFA02D0055A878AE005F8FD4CF] Malware Group: High Risk Cloaked Malware
    c:\windows\system32\h8srtpjmvcvjlkx.dll [PX5: BDF27BC70052C040A03A000830F32E00A720CBEA] Malware Group: High Risk Cloaked Malware
    c:\windows\system32\h8srtnyobqpoayb.dll [PX5: 8F5A9A1B00FC8AB3421B00693DABB300CEC1AFA2] Malware Group: High Risk Cloaked Malware
     
    Last edited: Jan 24, 2010
  5. erchavez

    erchavez Registered Member

    Joined:
    Jan 24, 2010
    Posts:
    3
    ctrlaltdelete,

    Did the manual file cleanup and now the PC seems hung on "downloading disinfection files"... normal?
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Must be something new and nasty in the wild.
     
  7. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    As far as I know there are no disinfection files needed when you remove only the c:\windows\system32\drivers\h8srtxxxxxxxxxx.sys file.
    But maybe the file "seems" necessary due to the way it's loaded by the regkey?
     
  8. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Last edited: Jan 24, 2010
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes :) I would strongly recommend following these instructions to get in contact with our support engineers - they will gladly assist you in cleaning this and in implementing measures to prevent having to manually work on the infection in the future!

    Please let me know if you have any other questions or problems connecting with our support team.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    It sounds to me like the OP has done that and is not getting very timely assistance...
     
  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    True, but he should continue with them; he will have to wait till they are back to work Monday morning, ask for a remote session, and let them clean it up. That's what we pay for! ;)

    TH
     
    Last edited: Jan 24, 2010