Malwarebytes

ZXDNT3D.CFG not detected or removed


3 replies to this topic

#1
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
FYI

As posted on another site. MB is not detecting or removing C:\Windows\System32\ZXDNT3D.CFG - appears SAS is having trouble removing it as well.

Quote

I've been running SAS and MB scans. MB is saying this is OK. SAS keeps finding C:\Windows\System32\ZXDNT3D.CFG. Every time it finds this file, it says that I need to restart to complete the job. So I restart, run the scan, and this file comes up again, and again it says I need to restart to complete the job.

I don't see this in msconfig Startup. I do see the file in C:\Windows\System32

Not sure why MB is not detecting it. Will try to get more details on the MB version and the system.

Quote

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:31 PM, on 4/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#2
nosirrah

    Forum Deity

  • Administrators
  • 5,158 posts
  • Location:Northampton, MA USA
My next update will have better coverage of this.
Bruce Harrison
Vice President of Research


#3
nosirrah

The best I can tell, it's this:

http://www.symantec.com/security_response/...-093012-3104-99

@Mike, link me up if you are finding something different.

#4
AdvancedSetup

From the guy who is running MB on the infected system.

Quote

I'm running MB v1.10. I ran MB which found 3 entries and then power down, power up and run MB again which finds the same entries. I've done this 3 times. It says it has removed the items, but it hasn't. Here's the log.

Malwarebytes' Anti-Malware 1.10
Database version: 587

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 93219
Time elapsed: 19 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wayne\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> Quarantined and deleted successfully.

2nd post

Quote

The machine is getting Deewoo popups. I had it turned off in msconfig, but it's now enabled again. Messenger and ctfmon have also been enabled in msconfig - I didn't do it.

I'm going to remove the Deewoo files in Win\Sys32 - maybe that will help as SAS and MB aren't working.

3rd post

Quote

I used HJT to remove Deewoo - there was another instance of it in Prefetch - something to watch out for.

Anyway, SAS and MB are now not finding anything.
