REAP
Posted September 5, 2014 (edited)

Hello

I have a Win 7 computer that has been infected with a brute-force password virus. When the computer is able to connect to a DC, the computer constantly tries to determine the password for some user account that it has chosen.

I've tried scanning the computer with a number of AVs without success:

- MBAM
- MBAR
- TDSSKiller
- Gmer
- Vipre

After doing some analysis on the computer I've been able to determine that the infected process on the computer is the Windows System process. I worked this out by identifying which ports the virus was using from the server logs and then using CurrPorts (from Nirsoft) and Process Monitor (SysInternals) to monitor the desktop. I've also tried SysMon (SysInternals), but while SysMon does log activity, it doesn't log the relevant virus activity.

The questions that I have:

1. If I were to replace ntoskrnl.exe on this computer with a "clean" version of ntoskrnl.exe from another W7 system, am I likely to remove the virus from this computer?

OK, as I expected it's not as simple as that. I can see from Process Explorer that there are many threads reported as "System". Even if replacing ntoskrnl were to work, then this would fix this computer, but it wouldn't prevent a future infection.

2. Suggestions on how to identify or remove this malware?

greetz

Edited September 5, 2014 by REAP
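The poster located the infected host from the domain controller's logs. Below is an added example (not part of the original post or any tool it mentions) of the detection logic a defender would run over failed-logon records exported from a DC's Security log: it groups event 4625 failures by source workstation and target account and flags any pair that exceeds a threshold inside a short sliding window, which is the signature of a host brute-forcing one account. The pipe-separated record format, the host names, the account names and the IP addresses are all constructed for the example and are not a real Windows export format.

```python
"""Flag workstations that repeatedly fail logons against a single account.

Added example, not from the original forum post. Assumes failed-logon
(event 4625) and successful-logon (event 4624) records have been exported
from the DC's Security log into the constructed pipe-separated format
below: timestamp|event_id|target_account|source_workstation|source_ip|logon_type.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: WS-REAP hammers the account "jdoe" over network logons
# (logon type 3); WS-FRONTDESK has two ordinary typos followed by success.
SAMPLE_LOG = """\
2014-09-05 08:00:01|4625|jdoe|WS-REAP|10.0.0.23|3
2014-09-05 08:00:02|4625|jdoe|WS-REAP|10.0.0.23|3
2014-09-05 08:00:03|4625|jdoe|WS-REAP|10.0.0.23|3
2014-09-05 08:00:04|4625|jdoe|WS-REAP|10.0.0.23|3
2014-09-05 08:00:05|4625|jdoe|WS-REAP|10.0.0.23|3
2014-09-05 08:00:06|4625|jdoe|WS-REAP|10.0.0.23|3
2014-09-05 08:00:07|4625|asmith|WS-FRONTDESK|10.0.0.41|2
2014-09-05 08:00:09|4625|asmith|WS-FRONTDESK|10.0.0.41|2
2014-09-05 08:01:00|4624|asmith|WS-FRONTDESK|10.0.0.41|2
2014-09-05 09:30:00|4625|jdoe|WS-REAP|10.0.0.23|3
"""


def parse_events(text):
    """Parse the constructed export format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, workstation, ip, logon_type = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "workstation": workstation,
            "ip": ip,
            "logon_type": int(logon_type),
        })
    return events


def find_bruteforce_sources(events, window=timedelta(seconds=60), threshold=5):
    """Return {(workstation, account): peak failures in any `window`}.

    Only pairs whose peak count reaches `threshold` are returned. A sliding
    window over the sorted failure times gives the densest burst, so a host
    that fails many times quickly is flagged while scattered typos are not.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[(e["workstation"], e["account"])].append(e["time"])

    flagged = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):
            # Advance the window start until the burst fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (host, account), count in find_bruteforce_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{host} -> {account}: {count} failed logons within 60s")
```

Running the block prints `WS-REAP -> jdoe: 6 failed logons within 60s`; the two failures from WS-FRONTDESK stay below the threshold and the 4624 success is ignored. The workstation name in the 4625 record is what points an investigator at the infected host, and the logon type tells whether the attempts come over the network (type 3) or from an interactive session; thresholds and window size should be tuned against the environment's normal failure rate before alerting on them.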