http://www.sophos.com/blogs/gc/g/2009/03/23/dhl/ said:
Once again the bad guys are hard at work, spamming out dangerous emails. This morning it's emails which claim to come from DHL, saying they were not able to deliver a postal package you sent on 14th of March because the recipient's address was incorrect.
[Image: DHL delivery malicious email]
Of course, the emails are not really from DHL.
If you open the file inside the attachment (called DHL_DOC.zip) you will be infected by the Troj/Bckdr-QSL backdoor Trojan horse, which will attempt to take control of your PC.
DHL tracking number emails contain malware | Graham Cluley's blog
My sister got hit with this via email in a 0-day attack - she was infected as of 8 AM on Monday, 23 March. Symantec did not find anything, at first, until she had already run the executable inside the ZIP file, and it started downloading known viruses. This is a pretty generic Trojan that downloads other trojans and backdoors and viruses to the system and begins a systematic onslaught on the machine, starting with adding proxy settings to IE redirecting it to a local 'server' running on port 7171, and going from there.
The bad news is that when it hoses IE, it also hoses MBAM's ability to update - but fortunately, Sophos has already added it to their definition collection (called IDEs) and you can follow the instructions at Sophos - Removing Trojans, including downloading the IDEs from Sophos - Download latest virus identity (IDE) files, to get rid of most of the infections. Once this is done you can then reset IE to default settings (or, as I walked her through, manually check all your settings - a painstaking 1 hour 25 minute process; we checked *everything* and I had her change some settings that would make her IE a little bit safer) and then you can update MBAM and run a full scan to find the rest of the little buggers and clean yer system.
Her explorer.exe may still be hosed, we'll see - all of this is performed in Safe Mode.
Just to give you an idea - she first called me at 9:56 PM yesterday - and it is now 3:10 AM....
EDIT: Added the following:
Also, Sophos found 1 item corrupt (word doc), 1 was PW protected (a legitimate PW protected Excel spreadsheet - she's a mortgage officer), and a third that it was unable to remove (Major malware) - and it removed 3 viruses.
Then, MBAM comes back and finds *all* of these:
Code:
Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 5.1.2600 Service Pack 3
3/24/2009 3:53:10 AM
mbam-log-2009-03-24 (03-53-10).txt
Scan type: Full Scan (C:\|)
Objects scanned: 207109
Time elapsed: 49 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c24d7016-d00f-41ef-9781-984b6b5ff38f} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec88fcd0-2ed5-4d65-9b4c-71d146b43a2e} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e532cfb1-5edd-4663-8c22-bcd67b5e5bd4} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mfc42locac.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
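The log above shows two things a responder wants to check quickly: which detections MBAM could only schedule for "Delete on reboot" (they are still on disk until the reboot-and-rescan the post describes), and how the Winlogon Userinit value was hijacked to launch an extra program at logon. The post also mentions IE being proxied to a local "server" on port 7171. The script below is an added example written for this thread, not code from the post or from Malwarebytes or Sophos; it parses MBAM detection lines of the form `<item> (<Family.Name>) -> <action>`, lists pending-reboot items, and checks a Userinit value and an IE `ProxyServer` string. The sample log is a subset of the lines posted above, and the Userinit and proxy values are constructed in the shape the post describes.

```python
"""Triage helpers for an MBAM log and the persistence points mentioned in the post.

Added example, not code from the forum post or from Malwarebytes/Sophos.
"""
import re
from collections import Counter

# MBAM detection lines have the shape:  <item> (<Family.Name>) -> <action>
# The item is matched non-greedily so that registry paths containing spaces
# (e.g. "Windows NT") still parse; the family is always Word.Word.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z]+\.[A-Za-z0-9]+)\) -> (?P<action>.+)$"
)

# Constructed sample: a subset of the detection lines from the log in the post.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return a list of detections as dicts with section, item, family and action."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return detections


def pending_reboot(detections):
    """Items MBAM could not remove while running; they stay on disk until reboot,
    which is why the reboot-then-rescan step in the post matters."""
    return [d["item"] for d in detections if "Delete on reboot" in d["action"]]


def count_by_family(detections):
    """Detections per malware family name, for a quick overview of the scan."""
    return Counter(d["family"] for d in detections)


def check_userinit(value, expected="userinit.exe"):
    """Return entries in a Winlogon Userinit value other than the stock userinit.exe.

    A clean value looks like "C:\\WINDOWS\\system32\\userinit.exe," (the trailing
    comma is normal).  Every extra comma-separated program runs at each logon,
    which is how sdra64.exe persisted in the log above.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != expected:
            extras.append(entry)
    return extras


def loopback_proxy(proxy_server):
    """Return (host, port) if an IE ProxyServer value points at the local machine.

    The post describes IE being redirected to a local 'server' on port 7171; a
    proxy on a loopback address is a strong sign of a local interceptor.  Accepts
    both "host:port" and the per-protocol form "http=host:port;https=host:port".
    """
    for part in proxy_server.split(";"):
        hostport = part.split("=", 1)[-1].strip()
        if ":" not in hostport:
            continue
        host, port = hostport.rsplit(":", 1)
        if host.lower() in ("127.0.0.1", "localhost", "::1") and port.isdigit():
            return host, int(port)
    return None


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(dict(count_by_family(dets)))
    print("Pending reboot:", pending_reboot(dets))
    # Constructed registry values in the shape reported by the log above.
    print("Extra Userinit entries:",
          check_userinit(r"C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,"))
    print("Loopback proxy:", loopback_proxy("http=127.0.0.1:7171"))
```

On a live machine the two check functions would be fed the actual `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` and `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer` values; here they run against constructed strings so the example works offline.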