Everything posted by Aspirina

  1. Run everything you can in Safe Mode to detect any other malware, and you should be clean, unless your antimalware doesn't work in Safe Mode. In that case run in normal mode, disconnect from the internet, run everything you have to remove malware and get online again. If you have any doubts you can run another kind of program to check. There are some to detect rootkits or to detect changes in the registry or files etc. If you think you're still infected and you want to reduce risk, you can work offline and at least you won't get more infected. Look for antirootkits on the web; you will find some. I detected the one I have with one of those, but they're not providing enough info to get rid of it, but at least I know I have something and what I don't have...
  2. Are you trying to delete it when running Windows in Safe Mode? If you try to delete it running normally you won't be able to do it. If you have administrator privileges you should be able to delete it in Safe Mode or copy it, and if you can't then try with some tool for file deleting, like the one included in Malwarebytes Anti-Malware or the secure shredder bundled with Spybot S&D. But if you don't delete it in Safe Mode it will deploy again.
  3. This is a new malware so no antimalware program will find it for a while. And you should get it out fast before it installs a new rootkit like the one I have, almost undetectable B) I can't find it. I only know its possible names but I can't find a way to get a copy of its contents because it changes its name a lot, so I can't do anything.
  4. I think this downloader has downloaded another downloader that is still active and I haven't found it yet (I just noticed it). Malwarebytes didn't detect it either. Somebody should let the downloader keep downloading to watch the other stuff it downloads, to make the Anti-Malware detect them too. I will try to find it and upload it.
  5. Here I go again: HERE you should search in regedit for the key I told you to write down and delete it. Maybe you have to set Full Control permissions for this key, but you can do it with regedit.
  6. That's the name of the file of the virus. Just take a note of the name of the key and then do a simple search with Windows Search (you know how to do that) and then you can remove the file. Anyway you should first disable the virus from that key before deleting it. If you start Windows in Safe Mode you can access that key and delete it because the malware won't load at start. And don't forget to set the keys you change back to the normal permissions they have (that is Full Control for Administrators) with regedit.
  7. I uploaded it at http://uploads.malwarebytes.org/ as "3d16ee25.sys.VIRUS" (it is renamed with .VIRUS because I need to know which of my files are infected). Anyway I'm uploading again. So if you don't let me upload here, then don't ask me for that. Go to upload.malwares.org and check out there. I would share my virus file but I don't know if it is legal sharing viruses! I never tried. mMmM I don't think so, I'm a pro. It took a while but I had to remove it by myself since I didn't find any help about this malware on the whole internet. I can remove viruses and rootkits without using your antimalware programs, but I still wanted to "give you" "antimalware removers" or infected inexperienced people a "hint" on finding this one because ... I'm nice =). The malware was written with the driver development kit from Microsoft as far as I could find, and as I don't know much about driver programming I couldn't go on with my reverse engineering on this, but I hope you can find the file in upload.malwarebytes or if you can't... I don't really have much time to try again and again so mail me or add me to messenger contacts as - minuevolive at hotmail dot com - I use it to work so I'm online a lot and then I can send you the so-called file and maybe, who knows, help you finding more malware. I like to learn so even when I'm infected it is so fun! Thanks for your support anyway and please make the upload system easier to find =) or enable the upload system of the forum, which wouldn't let me upload anything, or tell me how to upload, because I don't want to read a whole tutorial on how to do you a favor. I'm sure you understand. Good luck!
  8. Here is what you should do: to check the name of the malware file (in case the malware uses a random name when installing) you should do this:
     - Go to Start -> Run and type REGEDIT.EXE
     - Find this key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and walk over the keys you find here with the Down Arrow key of your keyboard. You will easily find it because you will get a popup from regedit telling you that the key can't be read. Write down the name of the key and then do the following (you can close regedit for now):
     - Run Malwarebytes' Anti-Malware or some antimalware tool.
     - Remove everything you find (if you have this malware, then you will find seneka and some other nasty stuff like crypts.dll).
     - If it asks for a restart to fix everything, click on Yes.
     - Restart your system in Safe Mode.
     - Go to Start -> Run and type REGEDIT.EXE (again)
     - Go to Edit -> Search and search for fystemroot in the registry (be sure to find EVERY match)
     - In every key where you find the value, you have to go to Edit -> Permissions and set permissions (Full Control) for you (administrator), then apply and double click on the key, replace %fystemroot% with %Systemroot% every time and then restart your computer normally.
     - Just in case... run your antimalware program again, because the downloader can install it again after you removed the malware the first time, as it can download it and you won't notice (before starting in Safe Mode).
     Well I wrote this because I couldn't find anything about it before, so I hope it works for you too. By the way.. Malwarebytes Anti-Malware halts my system badly when performing a full scan on both drives (sometimes it finishes the full scan of the smaller partition completely but not always, so I think it may be the amount of files and the memory of my computer or something that can make the whole system freeze.) - Ah, and I don't speak English very well so I hope you understand everything. I tried to do .. not my best but... I tried (?)
  9. Successfully uploaded =) Looking forward to finding it soon in your database.
  10. "Upload failed. You are not permitted to upload this type of file." Sorry guys, I think I'm gonna post the malware somewhere else. Good luck finding the file =)
  11. I post here because I couldn't find in the whole internet a solution for this malware and I was able to disable it from the registry, but it would be better if some day some antimalware software is able to remove it for me. Maybe this help can be useful for antimalware software developers and for anyone else who wants to remove this malware manually. You can find some info about the malware here in my answer to this topic: http://www.malwarebytes.org/forums/index.p...amp;#entry62920
  12. Hello, I had the same problem and I solved it. It is a malware that installs itself in the folder %Systemroot%\system32\drivers and in this case the file was called 3d16ee25.sys. I don't know if it copies itself with the same name or uses a random one. The file registers itself as a system service in \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and it is really easy to find because if you step on its key you won't be able to read it. Anyway, you can restart your system in Safe Mode and easily remove the key. Be sure you don't have any other malware/downloader that can install it again, but since I removed it I haven't had any other problem. If you don't disable this malware, it will keep on installing malware on your computer, so every time you perform a normal scan for viruses you will find some. Please let me know if this worked for you. I kept the file of the malware, so if someone tells me where to upload it for analysis, I will appreciate it.
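Posts 8 and 12 above describe two manual checks done in regedit: walking the service subkeys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to spot a key that "can't be read", and searching the registry for the misspelled %fystemroot% token that the malware substitutes for %Systemroot%. The following PowerShell script is an added example, not code from Aspirina's posts or from Malwarebytes, that performs both checks as a read-only audit of the Services key and reports what it finds without changing anything. It assumes Windows PowerShell 5 or later; the key path and the string "fystemroot" are taken from the posts, everything else is the example's own.

```powershell
# Added example (not from the forum posts): read-only audit of the Services key.
# It reports (a) service subkeys the current account cannot open, which is what
# regedit shows as "the key can't be read", and (b) any service value whose data
# references the bogus "fystemroot" variable described in the posts. Nothing is
# deleted or modified; review the output before touching anything in regedit.

$suspect = 'fystemroot'   # misspelled %Systemroot% token, as reported in the posts

$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services')
if ($null -eq $root) { throw 'HKLM\SYSTEM\CurrentControlSet\Services could not be opened' }

$unreadable = New-Object System.Collections.Generic.List[string]
$findings   = New-Object System.Collections.Generic.List[object]

foreach ($name in $root.GetSubKeyNames()) {
    try {
        # OpenSubKey throws when the key's ACL denies READ to the caller,
        # which is the symptom the posts use to single out the malicious service
        $sub = $root.OpenSubKey($name)
    } catch {
        $unreadable.Add($name)
        continue
    }
    if ($null -eq $sub) { continue }

    try {
        foreach ($valueName in $sub.GetValueNames()) {
            # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data literal, so the
            # %fystemroot% token stays visible instead of being expanded away
            $data = $sub.GetValue($valueName, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($data -is [string] -and $data -match $suspect) {
                $findings.Add([pscustomobject]@{
                    Service = $name
                    Value   = $valueName
                    Data    = $data
                })
            }
        }
    } finally {
        $sub.Close()
    }
}
$root.Close()

"Service keys the current account cannot open (inspect their permissions in regedit):"
if ($unreadable.Count -eq 0) { '  (none)' } else { $unreadable | ForEach-Object { "  $_" } }

"Service values referencing '$suspect':"
if ($findings.Count -eq 0) { '  (none)' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt so that permission failures reflect the key's ACL rather than a non-administrator account; a legitimate key that only SYSTEM can read will also appear in the first list, so treat the output as leads to verify against the service's ImagePath and file on disk, not as a verdict. Keeping the script read-only matches the order the posts recommend: identify the key and the tampered values first, then make the changes deliberately in Safe Mode.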