Malwarebytes

Tested everything and NOTHING?

16 replies to this topic

#1
Tester001

    New Member

  • Members
  • Pip
  • 10 posts
Hello,

I ran into a very strange situation. Yesterday I got a Windows Genuine Advantage Installation Wizard Installer notice. I cancelled the install since I already have a legit copy etc. I updated my Malwarebytes and did my regular maintenance. It found a few hits and they were removed and required a reboot. Once I completed the reboot I have had problems. My browser will not stay up. It will crash by saying it has encountered a problem and needs to close. I updated Lavasoft Ad-Aware to see if perhaps it would see something and also updated Symantec defs. The system scans came back clean.

I then tried to check for another update with Malwarebytes in the evening to see if there was a new definition, since I was having my browser redirect to other sites and acting unstable. It would not update. It would hang at the "looking for" stage. I then uninstalled Malwarebytes and tried to reinstall. I had the same outcome. I waited until today and tried again and nothing. I tried to get the manual database update from the gt500 site but it only had 1954 and I could see on my other machine it was 1987. I decided to copy the rules.ref file from the hidden files in APPDATA and install it on the down machine. It updated fine and I did another full scan, this time in safe mode. It came back clean. NOTHING?

The browser will not stay up and then I noticed that my Windows Firewall is down. I try to start the service and I get an error 5. I then reset it through the command prompt and it is resolved. I went and grabbed HijackThis and decided to post the findings. I tried to run SFC /SCANNOW and the cmd will not open now. I know this has something in it and for some reason Malwarebytes / Ad-Aware / Symantec is not picking it up.

Please look at this and let me know your thoughts. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:58 PM, on 4/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\Trirot.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\XGI\XWatDog.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\BCMSMMSG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Matt\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Trirot] Trirot.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ACT_APL] "C:\Program Files\ACT\ACT for Windows\ACT_APL.exe"
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\XWatDog.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://*.rapmls.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.liv...es/MSNPUpld.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://ml.sitexdata....ads/arview2.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1...PtClickLoan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://naasystem.we...bex/ieatgpc.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8716 bytes

#2
miekiemoes

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

This smells like you're dealing with the new Win32:Daonoll variant. This one is responsible for "locking" a lot of (command-line) tools, plus cmd, regedit etc., blocking updates etc.
MalwareBytes does detect this variant, but since you can't update, we need to deal with this manually.

Navigate to your C:\Windows folder and search for the file regedit.exe.
Right-click it and select to rename the file. Rename it to reg3dit.exe.
Then launch reg3dit.exe in order to open your Registry Editor.

There, browse to the following key:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

You'll see on the left that you can expand the keys (they will look like folders). So expand them until you get to drivers32.
Right-click the drivers32 key (folder) and select to export.

Give it a name and export it as a txt file on your desktop.


Then copy and paste the contents of it in your next reply.

If confused, please ask first.

Extra note.. after you have used the renamed regedit.exe (reg3dit.exe), look in your Windows folder if Windows File Protection placed a new regedit.exe there again (it should). If not, then rename reg3dit.exe back to regedit.exe.

Extra note... I see you are running AdWatch.
I suggest you disable it because it can interfere with the fixes.

To disable AdWatch:

* Right click on the Ad-Watch icon in the system tray.
* At the bottom of the screen there will be two checkable items called Active and Automatic.
o Active: This will turn Ad-Watch On/Off without closing it.
o Automatic: Suspicious activity will be blocked automatically.
* Uncheck both of those boxes.
* (When done, you can re-enable it using the same steps but this time check both boxes.)
Mieke Verburgh
Assistant Director of Research


#3
Tester001


miekiemoes, on Apr 16 2009, 10:04 AM, said: (quoting post #2 in full)

Thanks for the reply miekiemoes.

Here are the findings of the export file:

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name: <NO CLASS>
Last Write Time: 4/10/2009 - 7:28 PM
Value 0
Name: midimapper
Type: REG_SZ
Data: midimap.dll

Value 1
Name: msacm.imaadpcm
Type: REG_SZ
Data: imaadp32.acm

Value 2
Name: msacm.msadpcm
Type: REG_SZ
Data: msadp32.acm

Value 3
Name: msacm.msg711
Type: REG_SZ
Data: msg711.acm

Value 4
Name: msacm.msgsm610
Type: REG_SZ
Data: msgsm32.acm

Value 5
Name: msacm.trspch
Type: REG_SZ
Data: tssoft32.acm

Value 6
Name: vidc.cvid
Type: REG_SZ
Data: iccvid.dll

Value 7
Name: vidc.iv31
Type: REG_SZ
Data: ir32_32.dll

Value 8
Name: vidc.iv32
Type: REG_SZ
Data: ir32_32.dll

Value 9
Name: vidc.mrle
Type: REG_SZ
Data: msrle32.dll

Value 10
Name: vidc.msvc
Type: REG_SZ
Data: msvidc32.dll

Value 11
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv

Value 12
Name: msacm.lhacm
Type: REG_SZ
Data: lhacm.acm

Value 13
Name: msacm.msg723
Type: REG_SZ
Data: msg723.acm

Value 14
Name: vidc.M263
Type: REG_SZ
Data: msh263.drv

Value 15
Name: vidc.M261
Type: REG_SZ
Data: msh261.drv

Value 16
Name: vidc.I420
Type: REG_SZ
Data: msh263.drv

Value 17
Name: msacm.iac2
Type: REG_SZ
Data: C:\WINNT\System32\iac25_32.ax

Value 18
Name: vidc.iv50
Type: REG_SZ
Data: ir50_32.dll

Value 19
Name: vidc.iv41
Type: REG_SZ
Data: ir41_32.ax

Value 20
Name: vidc.iyuv
Type: REG_SZ
Data: iyuv_32.dll

Value 21
Name: vidc.uyvy
Type: REG_SZ
Data: msyuv.dll

Value 22
Name: vidc.yuy2
Type: REG_SZ
Data: msyuv.dll

Value 23
Name: vidc.yvu9
Type: REG_SZ
Data: tsbyuv.dll

Value 24
Name: vidc.yvyu
Type: REG_SZ
Data: msyuv.dll

Value 25
Name: wave
Type: REG_SZ
Data: wdmaud.drv

Value 26
Name: midi
Type: REG_SZ
Data: wdmaud.drv

Value 27
Name: mixer
Type: REG_SZ
Data: wdmaud.drv

Value 28
Name: msacm.msaudio1
Type: REG_SZ
Data: msaud32.acm

Value 29
Name: msacm.sl_anet
Type: REG_SZ
Data: sl_anet.acm

Value 30
Name: msacm.l3acm
Type: REG_SZ
Data: C:\WINNT\System32\l3codeca.acm

Value 31
Name: vidc.XVID
Type: REG_SZ
Data: xvidvfw.dll

Value 32
Name: vidc.DIVX
Type: REG_SZ
Data: DivX.dll

Value 33
Name: vidc.yv12
Type: REG_SZ
Data: DivX.dll

Value 34
Name: aux
Type: REG_SZ
Data: C:\WINNT\system32\..\qbasdn.avn


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
Class Name: <NO CLASS>
Last Write Time: 5/24/2005 - 3:16 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name: <NO CLASS>
Last Write Time: 5/24/2005 - 3:52 PM
Value 0
Name: wave
Type: REG_SZ
Data: rdpsnd.dll

Value 1
Name: MaxBandwidth
Type: REG_DWORD
Data: 0x56b9

Value 2
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv

Value 3
Name: EnableMP3Codec
Type: REG_DWORD
Data: 0x1

Value 4
Name: midimapper
Type: REG_SZ
Data: midimap.dll

Value 5
Name: mixer
Type: REG_SZ
Data: rdpsnd.dll


************************
In regards to updating Malwarebytes: I did grab the rules.ref that was updated off another computer and manually updated, but after scanning it did not find anything? That was yesterday, database 1987. Please let me know your thoughts and I will check back shortly. Thanks again.

#4
miekiemoes

Hi,

I would need a sample first so I can add it to the detections. Navigate to the following file:

C:\WINNT\qbasdn.avn

Right-click it and select to zip it. This will create the file qbasdn.zip.
Go to this thread: http://www.malwarebytes.org/forums/index.p...amp;#entry72988 , post something and attach the zip file there (as the others have done). This is because it's the same variant, so everything stays together :)

Once you've uploaded the zip file,

* Open HijackThis, click 'Config' (bottom right).
* Choose the tab 'Misc Tools' on top.
* Choose 'Delete a file on reboot'.
* In the field, copy and paste the following:

C:\WINNT\qbasdn.avn

* Click Open.
* HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.
* Your system should reboot now.

Then, after the reboot, open Notepad and copy and paste the text in the quote box below into it
(don't forget to copy and paste REGEDIT4):

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
Save this as fix.reg (choose 'All files' as the file type) and place it on your desktop.
Double-click on it and when it asks if you want to merge the contents into the registry, click Yes/OK.

Let me know in your next reply how things are after following above steps.
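The export in post #3 and the fix in post #4 together show the pattern this variant leaves behind: one Drivers32 value (aux) pointing at a file outside the normal driver set, and a REGEDIT4 file that restores it. As an added example (not code from this forum, from Malwarebytes or from HijackThis), the Python below parses regedit's "export as text" format, flags Drivers32 values that use '..' path traversal, carry an unexpected module extension, or differ from an expected baseline, and builds the REGEDIT4 fragment that restores the baseline values while leaving anything without a known baseline for manual review. The sample export is a constructed excerpt of the one posted above; the baseline (wave, midi, mixer and aux all set to wdmaud.drv) and the set of expected extensions are assumptions drawn from that export, not a Microsoft reference.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Assumed baseline for the core multimedia entries of the top-level Drivers32 key.
# The export above shows wave/midi/mixer = wdmaud.drv and the fix restores aux = wdmaud.drv.
BASELINE = {"aux": "wdmaud.drv", "wave": "wdmaud.drv", "midi": "wdmaud.drv", "mixer": "wdmaud.drv"}

# Module extensions normally seen as Drivers32 data (assumption based on the export above).
EXPECTED_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}

# Constructed excerpt of the regedit text export posted in this thread (not the full export).
SAMPLE_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name:        <NO CLASS>
Last Write Time:   4/10/2009 - 7:28 PM
Value 0
  Name:            midimapper
  Type:            REG_SZ
  Data:            midimap.dll

Value 1
  Name:            msacm.iac2
  Type:            REG_SZ
  Data:            C:\WINNT\System32\iac25_32.ax

Value 2
  Name:            wave
  Type:            REG_SZ
  Data:            wdmaud.drv

Value 3
  Name:            aux
  Type:            REG_SZ
  Data:            C:\WINNT\system32\..\qbasdn.avn

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name:        <NO CLASS>
Last Write Time:   5/24/2005 - 3:52 PM
Value 0
  Name:            wave
  Type:            REG_SZ
  Data:            rdpsnd.dll

Value 1
  Name:            MaxBandwidth
  Type:            REG_DWORD
  Data:            0x56b9
"""


@dataclass
class RegValue:
    key: str
    name: str
    type: str
    data: str


def parse_regedit_txt(text: str) -> List[RegValue]:
    """Parse regedit's text export: 'Key Name:' headers followed by Name/Type/Data triples."""
    values: List[RegValue] = []
    key = name = typ = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            key = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):  # 'Key Name:' and 'Class Name:' do not start with this prefix
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Type:"):
            typ = line.split(":", 1)[1].strip()
        elif line.startswith("Data:"):
            values.append(RegValue(key, name, typ, line.split(":", 1)[1].strip()))
    return values


def suspicious_reasons(v: RegValue) -> List[str]:
    """Return the reasons a Drivers32 value looks tampered with (empty list means it looks normal)."""
    reasons: List[str] = []
    if v.type != "REG_SZ":
        return reasons  # REG_DWORD settings such as MaxBandwidth carry no module path
    if any(part == ".." for part in v.data.split("\\")):
        reasons.append("path traversal ('..') in module path")
    ext = ntpath.splitext(v.data)[1].lower()
    if ext not in EXPECTED_EXTENSIONS:
        reasons.append(f"unexpected module extension {ext or '(none)'}")
    if v.key.lower() == DRIVERS32_KEY.lower():
        expected = BASELINE.get(v.name.lower())
        if expected and ntpath.basename(v.data).lower() != expected:
            reasons.append(f"{v.name} should be {expected}")
    return reasons


def find_suspicious(values: List[RegValue]) -> List[Tuple[RegValue, List[str]]]:
    return [(v, r) for v in values if (r := suspicious_reasons(v))]


def build_fix_reg(findings: List[Tuple[RegValue, List[str]]]) -> Tuple[str, List[str]]:
    """Build a REGEDIT4 fragment restoring baseline values; return it with the names needing manual review."""
    lines = ["REGEDIT4", "", f"[{DRIVERS32_KEY}]"]
    needs_review: List[str] = []
    for v, _ in findings:
        expected = BASELINE.get(v.name.lower())
        if v.key.lower() == DRIVERS32_KEY.lower() and expected:
            lines.append(f'"{v.name}"="{expected}"')
        else:
            needs_review.append(f"{v.key}\\{v.name}")
    return "\r\n".join(lines) + "\r\n", needs_review


if __name__ == "__main__":
    found = find_suspicious(parse_regedit_txt(SAMPLE_EXPORT))
    for value, reasons in found:
        print(f"{value.key}\\{value.name} = {value.data}: {'; '.join(reasons)}")
    fix_text, review = build_fix_reg(found)
    print(fix_text)
    print("needs manual review:", review)
```

Run on the excerpt, only the aux entry is reported (traversal, .avn extension, and baseline mismatch all fire), the legitimate absolute path to iac25_32.ax and the RDP sub-key's rdpsnd.dll entries pass, and the generated fragment is the same `"aux"="wdmaud.drv"` line the fix in post #4 asks for. Restoring a value from a baseline is only safe where the baseline is known; anything else the checker flags goes into the review list rather than into the .reg file.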

#5
Tester001

Okay.. I will do that now.

Quick Question? The regedit.exe file is still there and the duplicate file reg3dit.exe. Do you want me to manually delete the regedit.exe since it still does not work and then rename the reg3dit.exe to regedit.exe? Thanks..

#6
Tester001

Here is the file requested..

Thanks..

#7
miekiemoes


Quote

Quick Question? The regedit.exe file is still there and the duplicate file reg3dit.exe. Do you want me to manually delete the regedit.exe since it still does not work and then rename the reg3dit.exe to regedit.exe? Thanks..
No, you don't have to delete the regedit.exe. Not sure where you have read that. No need to do anything with regedit anymore since I already have that log.
You can delete the renamed reg3dit.exe again, but it's fine if you leave it as well.

Also, you were supposed to attach the file in that other thread I gave you. Anyway, I'll delete the attachment from here once I've downloaded it :)

#8
Tester001

Please remove the last post with the variant file. I just added it to the correct thread you provided earlier.

#9
miekiemoes


Tester001, on Apr 16 2009, 05:34 PM, said:

please remove the last post with variant file. I just added to the correct thread you provided earlier.
Already deleted :)

#10
Tester001

Sorry about that..

I am doing the final steps now in regards to fix reg

#11
Tester001

I just completed the fix.reg portion. It said it was successful. So I should manually delete the ZIP file I created, since the variant is within it. Correct?

Is this a NEW VARIANT FILE?

Thanks for all of your help on this!

#12
miekiemoes

Yes, delete the zip file as well now. :)

Detection for this one will be in next update. :)

How are things now?

#13
Tester001


miekiemoes, on Apr 16 2009, 03:44 PM, said:

Yes, delete the zip file as well now. :)

Detection for this one will be in next update. :)

How are things now?

It appears to be resolved. CMD and regedit are working and the system is responding very well. I have no errors on IE as of yet. Thanks for the help on this. I was really scratching my head on this one! Not too sure how this came in. I have been getting a lot of SPAM through Outlook and perhaps that was where the intrusion took place? I did not open them but selected them for deletion. Perhaps one of the files loaded into the temp files and made a new home?

Thanks again for the very quick help in getting this resolved!

#14
miekiemoes

Hi,

Quote

Not too sure how this came in. I have been getting a lot of SPAM thru outlook and perhaps that was where the intrusion took place? I did not open them but selected for deletion? Perhaps one of the files loaded into the temp files and made a new home?
No, you got infected via a website or an infected PDF document. In most cases it's via legitimate websites which have been compromised/hacked. A script is then inserted and people who visit the site get infected. In most cases, the legitimate compromised websites are hosted by IX Webhosting or GoDaddy.
Also, it could be via an infected PDF document as well, so make sure your Adobe Reader is up to date.
Also read here for more info about this infection (where I explained the older variants as well): http://miekiemoes.blogspot.com/2008/10/fak...archengine.html

And glad I could help :)

#15
Tester001

I will read up on this right away!

I have a few sites that run on IX Webservers? I hope the servers are not infected? I always do a scan of the host files and there is no ftp or upload option for an end user to compromise, but I will do more research.

I opened a few PDF documents on a hotel resort site in Hawaii the same day this happened. I will not name the URL of course, but that must be how it happened. I will do my research and thanks again for all the hard work.

#16
miekiemoes


Quote

I have a few sites that run on IX Webservers? I hope the servers are not infected? I
That makes sense why you got infected. Unfortunately, it's their fault. Also see here: http://miekiemoes.blogspot.com/2009/01/ix-...g-reliable.html

#17
miekiemoes

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




