Hi-Tech Articles, Friendster, Movies, Gadget

August 21, 2008

Remove virus free-viruscan.com

I recently fixed a machine infected by a virus that works like this: every time you click on a directory, an error message along these lines is displayed:

"Attention, [name]! Some dangerous trojan horses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in C:\WINDOWS. Download protection software now!"

This error message is then followed by a dialog box. Clicking on it takes you to the website http://free-viruscan.com/id/4912933/4/1/ (WARNING: the website is a FAKE, meant to deceive the visitor into downloading and executing a program that will create more viruses. Do not interact with it.)

After what seemed like hours of research, I finally came upon the FixIEDef program developed by ShadowPuterDude of Malwareteks. I ran it, and it was bye-bye virus. The logs showed the following entries:
!!! Files that have been deleted !!!
C:\WINDOWS\system32\dadef.dll
C:\WINDOWS\system32\dapol.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.txt

!!! Registry entries that have been removed !!!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\bind "comment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.BhoApp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2FF811E6-8925-4084-A649-C159955E67E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "KernelFaultCheck"

Wish I knew more about how it worked, but I guess I should be happy and contented for now that the virus is gone.
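What the FixIEDef log describes is a Browser Helper Object (BHO): the CLSID listed under Explorer\Browser Helper Objects is a COM extension that Internet Explorer loads at startup (on Windows XP the Explorer shell loads BHOs as well, which fits the symptom of the message appearing when a folder is opened), the Classes\CLSID and ProgID entries (BhoNew.BhoApp) map that CLSID to its DLL, and the Run value gives it a second foothold at logon. The PowerShell script below is an added example written for this page; it is not FixIEDef and not code from the original post. It enumerates those locations read-only, resolves each BHO to its DLL, and flags the exact CLSIDs, ProgID and file names copied from the log, so it can be used to confirm a cleanup or check another machine before deciding what to remove. One caveat a practitioner should know: KernelFaultCheck is also the name of a legitimate Windows XP Run entry that points at dumprep.exe (crash-dump reporting), so the script judges that value by its command line rather than its name. The registry paths are standard Windows locations; the indicator values are assumptions taken only from the log above.

```powershell
# Added example, not part of the original post and not FixIEDef: read-only
# check for the BHO and Run-key persistence shown in the FixIEDef log.
# Indicator values below are copied from that log (assumed, not verified here).
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$badClsids = @('{2FF811E6-8925-4084-A649-C159955E67E8}', '{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}')
$badFiles  = @('dadef.dll', 'dapol.dll')
$badProgId = 'BhoNew.BhoApp'
$bindKey   = 'HKCU:\SOFTWARE\Microsoft\bind'   # marker key named in the log
$psMeta    = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-DefaultValue([string]$Path) {
    # The unnamed (default) registry value is exposed as the '(default)' property.
    if (Test-Path -LiteralPath $Path) {
        return (Get-ItemProperty -LiteralPath $Path).'(default)'
    }
    return $null
}

Write-Host '== Registered Browser Helper Objects =='
if (Test-Path -LiteralPath $bhoRoot) {
    foreach ($bho in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $bho.PSChildName                       # key name is the CLSID
        $dll    = Get-DefaultValue "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $progId = Get-DefaultValue "HKLM:\SOFTWARE\Classes\CLSID\$clsid\ProgID"
        $flags  = @()
        if ($badClsids -contains $clsid) { $flags += 'CLSID from log' }
        if ($dll -and ($badFiles -contains (Split-Path -Leaf $dll))) { $flags += 'DLL name from log' }
        if ($progId -and ($progId -like "$badProgId*")) { $flags += 'ProgID from log' }
        # A BHO whose DLL is gone is leftover registration; still worth cleaning.
        if ($dll -and -not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)))) {
            $flags += 'DLL missing on disk'
        }
        $mark = if ($flags.Count) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1} -> {2} ({3}) {4}' -f $mark, $clsid, $dll, $progId, ($flags -join '; ')
    }
} else {
    'no Browser Helper Objects key present'
}

Write-Host "`n== Run keys =="
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }      # skip provider metadata
        $cmd  = [string]$p.Value
        $note = ''
        # The genuine Windows XP KernelFaultCheck entry runs dumprep.exe;
        # anything else under that name is suspect.
        if ($p.Name -eq 'KernelFaultCheck' -and $cmd -notmatch 'dumprep') {
            $note = 'SUSPECT: unexpected command for this value name'
        }
        foreach ($f in $badFiles) {
            if ($cmd -match [regex]::Escape($f)) { $note = "SUSPECT: references $f" }
        }
        '{0}\{1} = {2} {3}' -f $key, $p.Name, $cmd, $note
    }
}

Write-Host "`n== Marker key =="
if (Test-Path -LiteralPath $bindKey) { "SUSPECT: $bindKey exists" } else { "ok: $bindKey absent" }
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; on a 64-bit system the 32-bit Internet Explorer registers its BHOs under the WOW6432Node branch as well, which this example does not walk. Nothing here deletes anything: the point is to see what is registered and where it points before trusting (or re-running) a removal tool.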
Addendum:
It appears that a new strain of this "dangerous trojan horses" virus comes out almost every week. If running the program does not solve your problem, or if you have any support requests, please visit the official website at http://malwareteks.com/. Note again that I did not create this program; ShadowPuterDude did. Hence, I cannot provide any support.

You can use Spyware Doctor to remove other spyware. (Good.)

source: http://blog.codesignstudios.com