Malwarebytes

idewsysguard.exe


#1
Quad

New Member
Members, 1 post
I'm not sure how I picked this one up on my work computer, but somehow it popped. Symantec AV was able to ID the iehelper.dll it tried to install and blocked it, but the program itself was able to get on and run (I was running Firefox 3.5 at the time). Here's the info I have.

It installed to:

C:\Program Files\hynjvl\idewsysguard.exe

I found a few keys in the registry by searching for "sysguard.exe", which seems to be the common part of the mutated file name. I found a couple of strings that I deleted:

HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool"

I ran Malwarebytes and it didn't find these files, even as they were running. I had to manually track it down because it was not in the usual location.

Hosts file was modified to contain (links altered to protect):

::1 localhost
91 [dot] 206 [dot] 201 [dot] 8 osadwarekill [dot] microsoft [dot] com
91 [dot] 206 [dot] 201 [dot] 8 osadwarekill [dot] com
91 [dot] 206 [dot] 201 [dot] 8 www [dot] osadwarekill [dot] com


Sorry if this is a repost, but it was annoying to try and remove this when all the sites I found referenced files that didn't exist on my machine (e.g., c:\windows\sysguard.exe). And that's about all I have, but if there's anything else that would be useful, please ask and I'll try to figure it out. Let's nail this stupid thing in all its forms.
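A defender-side check for the two artefacts described in the post above (the hosts-file overrides and the mutated "...sysguard.exe" Run entry), written here as an added example; it is not part of the original post and not a Malwarebytes tool. The hosts lines, the 192.0.2.10 address and the example-av-vendor.com domain are constructed placeholders standing in for the obscured real ones; the "system tool" value name and the idewsysguard.exe path are the ones quoted in the post. The filename regex generalizes beyond that single name to the constant "sysguard.exe" tail with any prefix, including the plain form other write-ups mention.

```python
import ipaddress
import re

# Constructed sample hosts file modelled on the entries in the post above.
# 192.0.2.10 (TEST-NET-1) and example-av-vendor.com are placeholders, not the
# real address and domain, which the poster deliberately obscured.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      update.example-av-vendor.com  # appended by the rogue
192.0.2.10      www.microsoft.com
192.0.2.10      download.example-av-vendor.com
"""

# Domains whose presence in a hosts file is itself suspicious: a clean
# Windows hosts file never maps a vendor or Microsoft name anywhere.
# Placeholder list; extend with the vendors actually in use on the machine.
WATCHED_SUFFIXES = ("microsoft.com", "example-av-vendor.com")

# Only the "sysguard.exe" tail of the filename is constant; the prefix
# (here "idew") and the folder under Program Files vary per infection.
MUTATED_SYSGUARD = re.compile(r"\\[a-z0-9]*sysguard\.exe", re.IGNORECASE)

# Constructed Run-key contents. The "system tool" entry reproduces the path and
# value name quoted in the post; the second entry is a benign placeholder.
SAMPLE_RUN_VALUES = {
    "system tool": r'"C:\Program Files\hynjvl\idewsysguard.exe"',
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" /quiet',
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Comments and blank lines are skipped, and a line whose first token is not
    a valid IP address is ignored rather than raising, so a half-damaged file
    still gets audited.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def audit_hosts(text):
    """Return [(ip, hostname)] for every watched domain the hosts file overrides."""
    return [
        (ip, name)
        for ip, name in parse_hosts(text)
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
    ]


def redirect_targets(hits):
    """Distinct addresses the overrides point at; one shared IP usually means one rogue."""
    return sorted({ip for ip, _ in hits})


def suspicious_run_entries(run_values):
    """Return the Run-key values whose command line names a *sysguard.exe binary."""
    return {name: cmd for name, cmd in run_values.items() if MUTATED_SYSGUARD.search(cmd)}


if __name__ == "__main__":
    hits = audit_hosts(SAMPLE_HOSTS)
    for ip, name in hits:
        print(f"hosts override: {name} -> {ip}")
    print("redirect targets:", redirect_targets(hits))
    for name, cmd in suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(f"suspicious Run value {name!r}: {cmd}")
```

On a live machine, feed audit_hosts the contents of C:\Windows\System32\drivers\etc\hosts and suspicious_run_entries the values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (read with winreg, for instance). Rogues of this family typically override many vendor names at once, so the shared redirect target from redirect_targets is a better pivot than any single hostname.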

#2
Fatdcuk

Malware BBQ'er
Moderators, 16,158 posts
Gender: Male
Location: 127.0.0.1
Thanks Quad and welcome to the MBAM forums <_<

I will have a look into our DB and see if there are any new attack instructions I can add.
Ade Gill
Research Engineer
