I recently fixed a machine that was infected by a virus that works like this: each time you click on a directory, an error message is displayed that goes like this: "Attention, [name]! Some dangerous Trojans detected in his system. Microsoft Windows XP corrupted files. This can lead to the destruction of important files in C:\WINDOWS. Download the software protection now!"
This error message is followed by a dialog. Clicking on it takes you to the website http://free-viruscan.com/id/4912933/4/1/ (warning: the site is a fake intended to deceive the visitor into downloading and executing a program that creates more viruses. Do not interact with it).
Normally it takes me 5 minutes to find and kill a virus, but today I was stumped. The manner in which the virus operated was unusual. It does not load any memory-resident programs. Nothing is loaded at boot. It does not run a service.
Finally convinced that this was beyond my own power, I downloaded and ran HijackThis. Still nothing. Now things were getting really interesting. I did not want to resort to using an antivirus. That would be too easy. I wanted to know exactly what the virus does and how.
After what seemed like hours of research I eventually came to the FixIEDef program developed by ShadowPuterDude of Malwareteks. I ran it and it was bye-bye virus. The log showed the following entries:
Files that have been deleted!!!
C:\WINDOWS\system32\dadef.dll
C:\WINDOWS\system32\dapol.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.txt
Registry entries that have been removed!!!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\bind “comment”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.BhoApp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2FF811E6-8925-4084-A649-C159955E67E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “KernelFaultCheck”
I would like to know more about how it worked, but I suppose I should be happy and satisfied for the moment that the virus is gone.
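The log above points at the two persistence mechanisms: an Internet Explorer Browser Helper Object (the CLSID registered under Classes\CLSID and listed under Explorer\Browser Helper Objects, which is why there was no service, no driver and no memory-resident process to find: the DLL is loaded into every Explorer and IE process) and a value in the HKLM Run key. The following PowerShell is an added example, not code from the original post or from FixIEDef: it walks those two locations on a live machine, resolves each BHO CLSID to the DLL it loads, checks the DLL's Authenticode signature, and flags anything that is unsigned or matches a known-bad CLSID. The registry paths are the standard Windows locations; the only value taken from this page is the CLSID from the log, used as an illustrative known-bad entry. One caveat on the Run key: on Windows XP a value named KernelFaultCheck normally points at %systemroot%\system32\dumprep 0 -k, which is a legitimate crash-reporting entry, so check the value data rather than the name before deleting it.

```powershell
# Added example (not from the original post): enumerate IE Browser Helper
# Objects and Run-key entries, the two persistence points in the FixIEDef log.
# Run from an elevated PowerShell prompt; output is a table of objects.

# Illustrative known-bad CLSID taken from the log above (assumption: the same
# CLSID would be reused by this strain; real triage should rely on the DLL).
$knownBad = @('{2FF811E6-8925-4084-A649-C159955E67E8}')

function Resolve-BhoDll {
    # Map a BHO CLSID to the DLL named in its InprocServer32 default value.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $server = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $server) {
            $raw = (Get-ItemProperty -Path $server).'(default)'
            if ($raw) {
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $clsid = $sub.PSChildName
        $dll   = Resolve-BhoDll -Clsid $clsid
        $sig   = 'missing'
        if ($dll -and (Test-Path $dll)) {
            # Status is 'Valid' for a good signature, 'NotSigned' for none.
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
        $flag = if ($knownBad -contains $clsid) { 'KNOWN-BAD' }
                elseif ($sig -ne 'Valid')       { 'UNSIGNED/REVIEW' }
                else                            { '' }
        [PSCustomObject]@{ Type='BHO'; Name=$clsid; Target=$dll; Signature=$sig; Flag=$flag }
    }
}

# Run keys: list every value, but judge by the command line, not the name
# (KernelFaultCheck -> dumprep 0 -k is normal on XP).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        [PSCustomObject]@{ Type='Run'; Name=$p.Name; Target=$p.Value; Signature=''; Flag='' }
    }
}
```

A BHO whose DLL lives in system32 with no signature and a generic name (dadef.dll, dapol.dll) is exactly the pattern in the log; the same enumeration is what HijackThis reports as O2 entries, so comparing this output against a clean machine is the quickest way to spot a fresh strain before a removal tool has a signature for it.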
Addendum: It seems that a new strain of this "dangerous Trojans" virus comes out almost every week. If running the program does not solve the problem, or if you have any support requests, please visit the official website at http://www.malwareteks.com/