* update * It seems the Task Scheduler is now being corrupted as well. Just came across this on a system * update *
I've tried McAfee, Kaspersky, Symantec, F-Force, MalwareBytes, Prevx, (ZoneAlarm), Spybot... everything I could, but only manually cleaning fixes it. It prevents HijackThis from fully running, and ComboFix wasn't much help either.
If infected, 100% of the time:
- The System Event Log shows DCOM errors about BITS not being able to load.
- Trying to set Automatic Updates or BITS through services.msc gives a permission or access error.
- Searching your registry for fystemroot yields a result.
Yes, it is FystemRoot, not SystemRoot as it should be.
The rumor mill suggests it gets in through an IE exploit, but I'm not too sure about that, as the people I've found infected use either Firefox or Flock. I've seen this virus since about early February, could even be late January. I figured it was new and so the AV companies would include it soon; however, so far there is just scattered talk in some forums.
Aside from not being able to fix wuauserv or BITS, the other interesting feature of this is that it runs your other browser (Flock, Opera, Chrome, Mozilla) in a sandbox and forces IE as your default browser; it disables the "always check" feature. However, all links open up in whatever browser you are using, and icons still show your browser of choice. Since something is going on with IE 6/7, perhaps updating to IE 8 might be worth it.
Safe Mode does not always clean it out, so the Recovery Console is sometimes required.
Finding the names of the infections is fairly easy. Through the registry (independent registry editors have no effect ~ tried through cmd, regedit, WSH...) go to
(yes, it exists in ControlSet00n as well)
Then go through each service one by one until you get an error message. Usually there are two (most people, however, are suggesting only one). Write down the names of the keys which cannot be read. Usually these are numbers, or letters and numbers. The files typically live in (this could change if the hacker updates their code)
Before going into the Recovery Console, set
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole] "SetCommand"=dword:00000001
If you're able to, as sometimes SR cannot be disabled:
- Clear ALL System Restore points
- Set the size to the minimum
- Turn off System Restore
- Edit your boot.ini to start in the Recovery Console
- Add another entry to start in Safe Mode with the Command Prompt
- Disconnect from the web, reboot to the Recovery Console, and delete the <found names>.sys
- Reboot into Safe Mode whilst holding down the left Shift key until you are at the cmd prompt and HDD activity has stopped
ALL through the cmd prompt, navigate to and run Spybot and MalwareBytes. Between those two, it finds further infections; note the logs, search your registry for them, and delete them. I've found that, whilst the file info is removed, the registry entries are not always removed.
Delete all restore points and turn off System Restore; yes, I've found infections in the System Volume Information folder.
A further step I've used is a batch file run from the root of your drive, something along the lines of:

    @echo off
    rem Run from the root of the drive. Lists every .exe/.sys whose name starts
    rem with a digit 1-9 (hidden/system files included), strips the attributes
    rem and deletes them, skipping the legitimate 1394*/61883* FireWire drivers.
    if exist c:\infctns.txt del c:\infctns.txt
    rem for /L is needed to actually count 1..9; a plain "for %%a in (1..9)" does not
    for /L %%a in (1,1,9) do dir /b /a /s %%a*.exe %%a*.sys >> c:\infctns.txt 2>nul
    rem for /F reads the file line by line; a plain "for" would only yield the file name
    for /F "usebackq delims=" %%a in ("c:\infctns.txt") do (
        echo %%~nxa | findstr /B /I "1394 61883" >nul || (
            attrib -r -a -s -h "%%a"
            rem no /s here: each line is already a full path
            erase /f /q "%%a"
        )
    )

As yet, I haven't found any legit programs which start with numbers and are .exe or .sys files ~ oops, forgot to mention the 1394 and 61883 files; you'll want to add an "if not" part to it.
Running CCleaner (for both files ~ uncheck the "older than 48 hrs" option ~ and registry) is a good idea, as the temp folders now contain new items.
Open your registry editor, then find and delete the keys for the names you found, including the ones we had to manually delete.
After all that, you should now be able to open Explorer. In your "Documents and Settings" folders, check the Temp and Startup folders for extra files which this has dropped. Don't forget Default User.
FIXING WUAU AND BITS AND TASK SCHEDULER
The final step is to reset the permissions for BITS and wuauserv.
Click Start | Run
Type in: dcomcnfg.exe
Click your way from Component Services to DCOM Config, right-click BITS, select Properties and set it to defaults. Do the same for Windows Update.
Open your registry editor and head to HKLM\SYSTEM\CurrentControlSet\Services
For BITS, wuauserv and (* update *) Schedule, add/give SYSTEM rights.
Make sure it's set to %SystemRoot% and no longer %fystemroot%.
Through Services, set BITS to Manual and AU to Automatic (the default settings).
Clear your event logs, and reboot.
As far as I can tell, you should now be able to start XP in a normal environment, but stay disconnected, and hold down the left Shift key.
Connect to Windows Update and see if you are fine. Of course, check your event logs to make sure you are still safe. If you can't connect to Windows Update, then I've removed the WU controls from IE, cleaned the registry of their references, and had IE re-initialize the WU controls.
Some of the other infections which seem to have appeared along with this one also seem to cause a registry editor and/or a command box to shut down after a few moments. So if you are running SysClean, or some other AV/AS removal tool from a cmd, it simply will not run or complete. However, these other infections (including Vundo) do seem to be detected and removed by most anti-malware vendors. On some occasions, I have found references to a hidden file in the registry, %windir%\system32\..\<random file name>.randomExtension ~ for example Wsj.dst. This hidden file appears to have further rootkit abilities, as once it's removed, I've found more infections.
Not specifically related to fystemRoot, as it appears to be a launcher/transport/proxy, but check out the ParseAutoexec setting, Winlogon, wininit, as well as the win.ini file.
I have no idea if this infects your anti-malware s/w. Once I find an infection, I assume anti-malware products are rendered useless and uninstall the lot ~ as well as Java. I will say, I have noticed that AV and AS products do still detect infections, just not this one.
Alright, did I miss anything? Any mistakes or errors?
Keywords: %fystemroot% %systemroot% Cannot set Automatic Updates Background Intelligent Transfer Service Access Denied Permission Error Virus Trojan Worm RootKit HiJackThis HJT
Still with update issues? 1-866-PC-Safety <- that's Microsoft's Windows Update help line.
Edited by svasutin, 07 June 2009 - 03:47 PM.
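An added example, not code from the post above or anything its author ran: a PowerShell script that automates the two registry checks the post describes by hand. It walks every ControlSet*\Services key and reports (a) service keys whose ACL refuses even a read, which is the "error message" the post uses to find the dropped driver services, and (b) ImagePath values that still contain %fystemroot%, which is the BITS/wuauserv/Schedule repair step; with -Fix it rewrites fystemroot back to SystemRoot. It assumes an elevated PowerShell 2.0 or later session; the -Fix switch, the script name and the output columns are this example's own choices, and it does not reset key permissions, which the post does through dcomcnfg and regedit.

```powershell
# Added example, not code from the original post. Scans each ControlSet*\Services
# key for (a) service keys that cannot be read (candidate dropped services) and
# (b) ImagePath values containing the corrupted %fystemroot% token. -Fix rewrites
# fystemroot -> SystemRoot; permission repair is left to dcomcnfg/regedit.
# Assumes an elevated PowerShell 2.0+ session. Save as Find-Fystemroot.ps1 (the
# name is this example's own) and run: .\Find-Fystemroot.ps1 [-Fix]
param([switch]$Fix)

$findings = @()
$system = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM')
$controlSets = $system.GetSubKeyNames() | Where-Object { $_ -like 'ControlSet*' }

foreach ($cs in $controlSets) {
    $services = $system.OpenSubKey("$cs\Services")
    if ($services -eq $null) { continue }
    foreach ($name in $services.GetSubKeyNames()) {
        $key = $null
        try {
            $key = $services.OpenSubKey($name)   # read-only; throws when the key's ACL blocks us
        } catch {
            $findings += New-Object PSObject -Property @{
                ControlSet = $cs; Service = $name
                Issue = 'key cannot be read (candidate dropped service)'; ImagePath = $null }
        }
        if ($key -eq $null) { continue }

        # Read the raw REG_EXPAND_SZ. Get-ItemProperty or a plain GetValue would
        # expand %SystemRoot% and so hide the difference from %fystemroot%.
        $raw = $key.GetValue('ImagePath', $null,
                             [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $key.Close()
        if ($raw -eq $null -or $raw -inotmatch 'fystemroot') { continue }

        $findings += New-Object PSObject -Property @{
            ControlSet = $cs; Service = $name; Issue = 'fystemroot in ImagePath'; ImagePath = $raw }
        if ($Fix) {
            try {
                $w = $services.OpenSubKey($name, $true)   # writable handle; also ACL-gated
                $w.SetValue('ImagePath', ($raw -ireplace 'fystemroot', 'SystemRoot'),
                            [Microsoft.Win32.RegistryValueKind]::ExpandString)
                $w.Close()
            } catch {
                Write-Warning "$cs\${name}: ImagePath is not writable; reset the key's permissions first"
            }
        }
    }
    $services.Close()
}

if ($findings.Count -eq 0) { 'No fystemroot values or unreadable service keys found.' }
else { $findings | Format-Table ControlSet, Service, Issue, ImagePath -AutoSize -Wrap }
```

Run it without -Fix first and keep the list of unreadable keys: those are the names to delete from the Recovery Console, and the same names to remove from the registry afterwards. Because every ControlSet is scanned, a %fystemroot% value left in ControlSet001 or ControlSet002 (which the post notes also carry the change) shows up alongside the CurrentControlSet one.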