Does anyone know anything about a virus called sysinfo.exe? It duplicates itself on shared folders, and it recreates itself as a shared folder also.
Any help would be gratefully received. (This is not where I work, but I am posting for a non-forumite.)
Could it be Conficker, and the account is called sysinfo, therefore calling the exe sysinfo.exe?
Lifted this from a website
1. Please download ATF Cleaner
It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, Firefox and Opera Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.
First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• Click Exit on the Main menu to close the program.
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.
2. Please download OTMoveIt3 by OldTimer:
With your mouse, highlight and then do a Right-click | Copy of the entire list of file entries in the Code box below:
:Files
c:\recycler
d:\recycler
f:\recycler
g:\recycler
h:\recycler

:commands
[EmptyTemp]
[start explorer]

• Click to Run OTMoveIt3 on your Desktop
• Right click in the "Paste Instructions for Items to be Moved" left panel and choose Paste.
• Click the red Moveit! button.
• Close OTMoveIt3. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
3. Download (to your Desktop location) DDS by sUBs
If your Antivirus has "Script Blocking" features, disable any script blocker features, and then double click DDS.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports to your desktop.
DDS.txt
Attach.txt
Tom - can you provide a link to that site please?
thanks
sure can
HJT Log - Sysinfo.exe Virus, Removal Next to Impossible - dslreports.com
"Sysinfoexe-Virus-Removal-Next-to-Impossible" Good Luck!!!
I copied this from a site on Google. The program is known as malware; try getting rid of it with Malwarebytes.
Hope that helps you.
W32.HLLW.Gaobot.FQ is a variant of W32.HLLW.Gaobot.BF.
It attempts to spread to network shares that have weak passwords and allows attackers to access an infected computer through an IRC channel.
Copies itself as %System%\Sysinfo.exe and %System%\Winhlpp32.exe.
Adds the value:
"Configuration Loader"="%System%\sysinfo.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Performs Distributed Denial of Service (DDoS) attacks against targeted systems. The IP addresses of the targets are randomly calculated.
Steals the CD keys/Product ID, ends some processes associated with antivirus and firewall software, and attempts to kill some processes associated with other worms.
Listens on randomly calculated ports, and waits for other computers to download the worm.
Upload the file to VirusTotal and Jotti for a better idea of what you're dealing with -
VirusTotal - Free Online Virus and Malware Scan
Jotti's malware scan
These will scan it with multiple AV engines and report back - then you can google up a repair tool (if available)
Following the original post, I have updated this for the info of others. Still working with the site it has hit.
The "virus" seems to be unknown and its characteristics do not compare to other viruses we know of.
What happens -
The virus adds itself to the firewall as an exception and allows itself through.
It hides the first folder on a shared list and duplicates it, copying the same name with a lot of spaces and then "..." at the end.
It changes the Sysinfo.exe and sysinfo.bat files in Windows\system32 to a certain date and a file size of 60kb.
The way we have removed it from a few computers for now is:
- stop the sysinfo.exe process using Task Manager
- delete the files out of the system32 folder
- delete the exception rule in the registry.
We are still trying to work it out, but it doesn't seem to have any hits when entered into Google.
Symantec are helping but keep referring us to other definitions that it is not.
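The two indicators the thread gives for this thing (an autorun value named "Configuration Loader" pointing at sysinfo.exe under the Run/RunServices keys, and a share re-created with trailing spaces and "..." appended to its name) are simple to triage offline. The script below is an added example, not code from the thread or from any of the tools mentioned; the registry export and share list are constructed samples, and on a live host the same functions would be fed the output of `reg export` and `net share` (an assumption, not something the thread describes).

```python
"""Triage helpers for the sysinfo.exe indicators described in the thread.

Added example, not from the original thread. Inputs are constructed text
so the checks run offline; feeding them real `reg export` / `net share`
output on a suspect host is left to the reader (assumption).
"""
import re

# Constructed sample: a .reg-style export of the Run key, mirroring the
# "Configuration Loader" value quoted from the Symantec writeup.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Configuration Loader"="C:\\WINDOWS\\system32\\sysinfo.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed sample share list: the first share hidden and re-created
# with trailing spaces and "..." appended, as reported in the thread.
SAMPLE_SHARES = ["Public", "Public        ...", "Finance", "IPC$"]

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)


def find_sysinfo_run_entries(reg_text):
    """Return (key, value_name, data) triples for autorun values under the
    Run/RunServices keys whose data ends in sysinfo.exe."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key section
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and current_key in RUN_KEYS:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if data.lower().endswith("sysinfo.exe"):
                hits.append((current_key, name, data))
    return hits


def find_lookalike_shares(share_names):
    """Return (original, lookalike) pairs where one share name is another
    share name plus trailing spaces and/or dots."""
    pairs = []
    for name in share_names:
        stripped = name.rstrip(" .")
        if stripped != name and stripped in share_names:
            pairs.append((stripped, name))
    return pairs
```

Both checks are indicator-specific to what this thread reports, so a clean result only means these two particular traces are absent, not that the host is clean.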
A good way to stop these kinds of viruses moving around your network is to make the root of your shared drives read-only. I do this for all drives and only allow write access to subdirectories.
We used to have loads of problems with Conficker and others, and this method simply stopped them spreading in the first place.