Trojan:WinNT/Necurs, rootkit and Advanced PC Shield 2012

Hi,

One of the computers in my office got infected by Trojan:WinNT/Necurs. It installed a rootkit.
Hidden service: 501fe1599aea8c1.sys
File location C:\WINDOWS\System32\Drivers\501fe1599aea8c1.sys

http://oi51.tinypic.com/293k3yf.jpg

As if that wasn't bad enough, the virus also installed a fake antivirus product called Advanced PC Shield 2012. Here's what it looks like: http://deletemalware.blogspot.com/2011/09/remove-advanced-pc-shield-2012.html

Comodo Antivirus didn't detect this malware. Malwarebytes and some other tools won't even run. TDSSKiller found the suspicious service but was unable to cure it. I managed to find the dropper. The malicious system file was locked; however, I was able to make a copy of it using GMER. I don't know how to send those files to you guys, so I attached them here. Archive password = infected

Please update your antivirus software. I do not want to run into this again. Thanks!!!
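Added example, not part of the original post or of any Comodo tool: a PowerShell check that enumerates kernel-driver services from the Services registry key and flags the ones a practitioner would look at first in a case like this, namely a driver whose image file is missing from disk (hidden by a rootkit file-system filter), one that cannot be opened for reading (locked, as the poster describes), or one whose service name is a random hex string like the one reported above. The hex-name pattern and the fallback driver path are assumptions for illustration.

```powershell
# Added example (not from the original thread): flag kernel drivers whose
# service name looks random, whose file is missing, or whose file is locked.
# $SuspectPattern is an assumption: names such as 501fe1599aea8c1 are 12-16 hex chars.
$SuspectPattern = '^[0-9a-f]{12,16}$'
$servicesKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SuspiciousDrivers {
    Get-ChildItem $servicesKey | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        # Type 1 = SERVICE_KERNEL_DRIVER, Type 2 = SERVICE_FILE_SYSTEM_DRIVER; skip the rest
        if ($props.Type -ne 1 -and $props.Type -ne 2) { return }

        $name      = $_.PSChildName
        $imagePath = $props.ImagePath
        # Drivers without an ImagePath default to System32\Drivers\<name>.sys (assumption)
        if (-not $imagePath) { $imagePath = "System32\Drivers\$name.sys" }

        # Normalise \SystemRoot\, \??\ and relative forms to a real path
        $imagePath = $imagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $imagePath = $imagePath -replace '^\\\?\?\\', ''
        if ($imagePath -notmatch '^[A-Za-z]:\\') { $imagePath = Join-Path $env:SystemRoot $imagePath }

        $exists = Test-Path -LiteralPath $imagePath
        $locked = $false
        if ($exists) {
            # Try a plain read open; a driver that holds the file open exclusively will fail this
            try {
                $fs = [System.IO.File]::Open($imagePath, 'Open', 'Read', 'ReadWrite')
                $fs.Close()
            } catch {
                $locked = $true
            }
        }
        $randomName = $name -match $SuspectPattern

        if (-not $exists -or $locked -or $randomName) {
            [PSCustomObject]@{
                Service    = $name
                ImagePath  = $imagePath
                OnDisk     = $exists
                Locked     = $locked
                RandomName = $randomName
            }
        }
    }
}

Get-SuspiciousDrivers | Format-Table -AutoSize
```

Run it from an elevated prompt. A rootkit that also hides its registry key from the normal Win32 APIs will not appear in this list at all; that is exactly the gap tools such as GMER and TDSSKiller close by reading the registry hive and the raw disk directly, so treat an empty result as "nothing visible from user mode", not as a clean bill of health. A driver that is absent from disk but still registered, or one that refuses a shared read, is worth copying out with a low-level tool and submitting.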

mod edit: removed malware file and submitted to comodo, thanks.

How do you have CIS configured? This should have easily been stopped by the sandbox/D+.

Next time you want to submit malware to Comodo please follow Submit Malware Here To Be Blacklisted - 2011 (NO LIVE MALWARE!) to submit.

Just use the AVP tool…

Fill in the short form and the download will start. Install, update and scan, and choose to delete if disinfection is not possible :wink: