Windows Thread: Urgent Help required - sysinfo.exe (Technical)
  #1 rad (Middlesex; joined Jan 2009)

    Urgent Help required - sysinfo.exe

    Does anyone know anything about a virus called sysinfo.exe? It duplicates itself in a shared folder; it also recreates itself as a shared folder.

    Any help would be gratefully received. (This is not where I work, but I am posting for a non-forumite.)

  #2 jamesreedersmith (Ruskington; joined Sep 2009)
    Could it be Conficker, and the account is called sysinfo, therefore calling the exe sysinfo.exe?

  #3 tommccann (joined Jun 2009)
    Lifted this from a website:

    1. Please download ATF Cleaner
    It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, Firefox and Opera Temporary Internet Files and Cookies.
    • Double-click ATF-Cleaner.exe to run the program.

    First Step:
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Next, if you use Firefox (and some Mozilla-based browsers):
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    Next, if you use the Opera browser:
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • Click Exit on the Main menu to close the program.

    Reconfigure Windows XP to show hidden files:
    To enable the viewing of Hidden files follow these steps:
    • Close all programs so that you are at your desktop.
    • Double-click on the My Computer icon.
    • Select the Tools menu and click Folder Options.
    • After the new window appears select the View tab.
    • Put a checkmark in the checkbox labeled Display the contents of system folders.
    • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    • Remove the checkmark from the checkbox labeled Hide protected operating system files.
    • Press the Apply button and then the OK button and exit My Computer.
    • Now your computer is configured to show all hidden files.

    2. Please download OTMoveIt3 by OldTimer:
    With your mouse, highlight and then Right-click | Copy the entire list of file entries in the Code box below:

        :Files
        c:\recycler
        d:\recycler
        f:\recycler
        g:\recycler
        h:\recycler

        :commands
        [EmptyTemp]
        [start explorer]


    • Click to Run OTMoveIt3 on your Desktop
    • Right click in the "Paste Instructions for Items to be Moved" left panel and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt3. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    3. Download (to your Desktop location) DDS by sUBs
    If your Antivirus has "Script Blocking" features, disable any script blocker features, and then double click DDS.scr to run the tool.
    When done, DDS.txt will open.
    Click Yes at the next prompt for Optional Scan.
    Save both reports to your desktop.
    DDS.txt
    Attach.txt

  Thanks to tommccann from: rad (4th December 2009)
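The "show hidden files" step of the procedure quoted in post #3, done from PowerShell instead of the Folder Options dialog so it can be applied to every machine being checked. This is an added example, not code from the post or from the site it was lifted from. It assumes the standard Explorer value names under HKCU\...\Explorer\Advanced (Hidden, HideFileExt, ShowSuperHidden); the "Display the contents of system folders" checkbox has no single per-user value and is not covered.

```powershell
# Added example (not from the thread): script the "show hidden files" step from post #3
# by setting the Explorer registry values behind those Folder Options checkboxes.
# Assumption: the standard value names under HKCU\...\Explorer\Advanced.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Desired state: Hidden=1 shows hidden files, HideFileExt=0 shows extensions,
# ShowSuperHidden=1 shows protected operating system files.
$desired = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }

function Get-ExplorerVisibility {
    # Report current vs desired for each value, so a drift check can be run before/after.
    $current = Get-ItemProperty -Path $advanced
    foreach ($name in $desired.Keys) {
        New-Object PSObject -Property @{
            Setting = $name
            Current = $current.$name
            Desired = $desired[$name]
            Ok      = ($current.$name -eq $desired[$name])
        }
    }
}

function Set-ExplorerVisibility {
    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $advanced -Name $name -Value $desired[$name] -Type DWord
    }
    # Explorer reads these values at start-up; restart it so the change takes effect.
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
}

Get-ExplorerVisibility | Format-Table Setting, Current, Desired, Ok -AutoSize
Set-ExplorerVisibility
Get-ExplorerVisibility | Format-Table Setting, Current, Desired, Ok -AutoSize
```

The values are per-user (HKCU), so run it as the account that will be doing the inspection; New-Object PSObject is used rather than the [pscustomobject] cast so it also runs on the PowerShell 2 shipped for XP.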

  #4 rad
    Tom, can you provide a link to that site please?

    Thanks

  #5 tommccann
    Sure can:

    HJT Log - Sysinfo.exe Virus, Removal Next to Impossible - dslreports.com

    "Sysinfoexe-Virus-Removal-Next-to-Impossible". Good luck!!!

  Thanks to tommccann from: rad (4th December 2009)

  #6 busby (Manchester; joined Dec 2009)
    I copied this from a site on Google. The program is known as malware; try getting rid of it with Malwarebytes.

    Hope that helps you.

    W32.HLLW.Gaobot.FQ is a variant of W32.HLLW.Gaobot.BF.
    It attempts to spread to network shares that have weak passwords and allows attackers to access an infected computer through an IRC channel.

    Copies itself as %System%\Sysinfo.exe and %System%\Winhlpp32.exe.

    Adds the value:
    "Configuration Loader"="%System%\sysinfo.exe"
    to the registry keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    Performs Distributed Denial of Service (DDoS) attacks against targeted systems. The IP addresses of the targets are randomly calculated.
    Steals the CD keys/Product ID, ends some processes associated with antivirus and firewall software, and attempts to kill some processes associated with other worms.
    Listens on randomly calculated ports, and waits for other computers to download the worm.

  Thanks to busby from: rad (4th December 2009)

  #7 (Derbyshire; joined Feb 2006)
    Upload the file to VirusTotal and Jotti for a better idea of what you're dealing with:

    VirusTotal - Free Online Virus and Malware Scan

    Jotti's malware scan

    These will scan it with multiple AV engines and report back; then you can Google a repair tool (if available).

  #8 rad
    Following the original post, I have updated this for the info of others. Still working with the site it has hit.

    The "virus" seems to be unknown and its characteristics do not compare to other viruses we know of.

    What happens:
    • The virus adds itself to the firewall as an exception and allows itself through.
    • It hides the first folder on a shared list and duplicates it, copying the same name with a lot of spaces and then "..." at the end.
    • It changes the sysinfo.exe and sysinfo.bat files in Windows\system32 to those of a certain date and a file size of 60 KB.

    The way we have removed it from a few computers for now is to:
    • stop the sysinfo.exe process using Task Manager;
    • delete the files out of the system32 folder;
    • delete the exception rule in the registry.

    We are still trying to work it out, but it doesn't seem to have any hits when entered into Google.

    Symantec are helping but keep referring us to other definitions it is not.
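A read-only sweep for the indicators described in post #6 (the Gaobot write-up: Sysinfo.exe and Winhlpp32.exe in %System%, the "Configuration Loader" value in Run and RunServices) and in post #8 (the firewall exception, the padded duplicate share, sysinfo.exe and sysinfo.bat in system32). This is an added example, not code from either post or from Symantec. It deletes and kills nothing; it reports, timestamps and hashes, so the sample can be submitted to VirusTotal or Jotti as post #7 suggests before clean-up. Two things are assumptions not stated in the thread: that the firewall exception is recorded in the XP Windows Firewall AuthorizedApplications list in the registry (the thread only says "the exception rule in the registry"), and that the duplicated share is visible through Win32_Share.

```powershell
# Added example, not code from the thread: a read-only sweep for the indicators in
# posts #6 and #8. Reports only; nothing is deleted or killed.
# Assumptions (not stated in the thread): firewall exception lives in the XP
# AuthorizedApplications registry list; the duplicate share shows up in Win32_Share.
$system32 = Join-Path $env:SystemRoot 'system32'
$runKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$fwList   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function New-Hit([string]$Type, [string]$Where, [string]$Detail) {
    New-Object PSObject -Property @{ Type = $Type; Where = $Where; Detail = $Detail }
}

function Get-Sha256([string]$Path) {
    # .NET directly, so this also works on PowerShell 2 where Get-FileHash does not exist
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Find-SysinfoIndicators {
    $hits = @()

    # 1. Dropped files in system32: report size, timestamp and hash (post #8 mentions a
    #    fixed date and ~60 KB size; compare against what you see rather than trusting them)
    foreach ($name in 'sysinfo.exe', 'sysinfo.bat', 'winhlpp32.exe') {
        $p = Join-Path $system32 $name
        if (Test-Path $p) {
            $f = Get-Item $p -Force
            $hits += New-Hit 'File' $p "size=$($f.Length) mtime=$($f.LastWriteTime) sha256=$(Get-Sha256 $p)"
        }
    }

    # 2. A running sysinfo.exe process
    $hits += @(Get-Process -Name sysinfo -ErrorAction SilentlyContinue |
        ForEach-Object { New-Hit 'Process' "PID $($_.Id)" $_.Path })

    # 3. The "Configuration Loader" autorun value in Run and RunServices
    foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $v = (Get-ItemProperty -Path $k).'Configuration Loader'
            if ($v) { $hits += New-Hit 'Autorun' $k $v }
        }
    }

    # 4. Firewall exception: each value name in this list is the full path of the
    #    allowed program (assumed location, see lead-in)
    if (Test-Path $fwList) {
        $hits += @(Get-ItemProperty -Path $fwList | Get-Member -MemberType NoteProperty |
            Where-Object { $_.Name -match 'sysinfo' } |
            ForEach-Object { New-Hit 'FirewallException' $fwList $_.Name })
    }

    # 5. A share whose name is a real name padded with spaces and ending in "..."
    $hits += @(Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Name -match ' +\.\.\.$' } |
        ForEach-Object { New-Hit 'Share' $_.Name $_.Path })

    $hits
}

Find-SysinfoIndicators | Format-Table Type, Where, Detail -AutoSize -Wrap
```

Run it as an administrator on a suspect machine and keep the output: the SHA-256 is what you look up on VirusTotal or Jotti, and the list of locations is the checklist for the manual removal rad describes (process, files, autorun value, firewall exception, share). Copy the file for submission before deleting it.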

  #9 (Derbyshire; joined Feb 2006)
    Quote Originally Posted by rad:
        The "virus" seems to be unknown and its characteristics do not compare to other viruses we know of.
    Unknown by every single scanner on Jotti and VirusTotal?

  #10 zag (joined Mar 2007)
    A good way to stop these kinds of viruses moving around your network is to make the root of your shared drives read only. I do this for all drives and only allow write access to subdirectories.

    We used to have loads of problems with Conficker and others, and this method simply stopped them spreading in the first place.
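The share-root layout zag describes, expressed as NTFS ACLs, as an added example that is not part of his post. It assumes the shares live under D:\Shares (a made-up path), that users reach them as "Authenticated Users", and that the share-level permission is left at Change or Full Control so the NTFS ACL does the restricting. Run it as an administrator and try it on one share first.

```powershell
# Added example, not from zag's post: root of the shared tree read-only (this folder
# only), Modify inside each sub-directory. Assumptions: D:\Shares is the share root,
# users are granted as "Authenticated Users", share permissions are Change/Full.
$root     = 'D:\Shares'
$group    = 'Authenticated Users'
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

function Set-ShareRootReadOnly([string]$Root, [string]$Group) {
    $keep = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

    # Pass 1: cut inheritance from the drive, keeping the inherited ACEs as explicit
    # copies so nothing is lost until we decide to remove it, and persist that.
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Root -AclObject $acl

    # Pass 2: every ACE is now explicit. Drop all of them except Administrators and
    # SYSTEM (a default drive ACL gives BUILTIN\Users create rights at the root, which
    # is exactly what lets a worm drop files there), then grant $Group ReadAndExecute
    # with no inheritance flags: users can list the root but not write to it.
    $acl = Get-Acl -Path $Root
    $acl.Access | Where-Object { $keep -notcontains $_.IdentityReference.Value } |
        ForEach-Object { [void]$acl.RemoveAccessRuleAll($_) }
    $acl.AddAccessRule((New-Object $ruleType -ArgumentList $Group, 'ReadAndExecute', 'None', 'None', 'Allow'))
    Set-Acl -Path $Root -AclObject $acl

    # Sub-directories: Modify, inherited by all files and folders beneath each one.
    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $sub = Get-Acl -Path $_.FullName
        $sub.AddAccessRule((New-Object $ruleType -ArgumentList $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
        Set-Acl -Path $_.FullName -AclObject $sub
    }
}

function Get-RootWriteAces([string]$Root) {
    # Check: every Allow ACE at the root that still carries a write-type right.
    # After hardening, only Administrators and SYSTEM should be listed.
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles, CreateDirectories'
    (Get-Acl -Path $Root).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeBits) -ne 0) } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Set-ShareRootReadOnly -Root $root -Group $group
Get-RootWriteAces -Root $root | Format-Table -AutoSize
```

Get-RootWriteAces is the check worth keeping: run it on every share root after a change and whenever a new share is created, since a single left-over write ACE at the root (BUILTIN\Users from the drive default is the usual one) is enough for a worm to recreate itself as a shared folder, which is the behaviour the original post reports.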
