I finally caught one I can't beat (virus)



#1 WaxyChicken


Posted 14 September 2010 - 12:34 PM

THIS HAS BEEN RESOLVED.
Thank you.



System:
Win7 Ultimate 32bit (x86)

Installer:
File Name: Oburaa.exe
Size: 220 KB (225,280b)
Description: Daniels
Original File Name: Daniels.exe
Version: 1.2.7.0

Worm Files installed:
File Names: <Random>.SYS
Location: %Windows%\ServiceProfiles\NetworkService\AppData\Local
Size: 61.7KB (63,232b) (62KB in folder details view)

Effect:
The installer copies worm files to the system.
The worm files are repeatedly copied under new names.
Originally it was displaying pop-ups (defeated that).
The problem still remains that it hijacked my Google clicks - it redirects me to spam sites.
Typing in a URL will have the proper result, but visiting google.com and clicking on a search result will get me directed to a spam site or simply not load the next page.

Suggestions?

All .SYS and .EXE files have been manually quarantined.
All created registry entries have been removed.

Oddly enough - I also can't start Malware Bytes or use the default Super Anti-Spyware startup.

Super Anti-Spyware fails to detect this virus.

I've restored my FFox About:Config and restored my IE settings to default.

Edited by WaxyChicken, 14 September 2010 - 11:12 PM.
Moved from Win 7 to Am I Infected ~ Hamluis.



 


#2 WaxyChicken


Posted 14 September 2010 - 11:11 PM

Never mind - I found a tool that works.
http://www.review-buddy.com/spyware-remove...rect-virus.html
TDSSkiller
The final piece of infection was a .sys file I missed - NETBT.SYS, found in c:\windows\system32\Drivers.
It was being loaded up as a driver during boot up, so it didn't show up on processes, tasks, or msconfig.
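
The last piece of the infection described above ran as a boot-loaded driver, which is why process lists and msconfig did not show it. As an added example (not part of the original posts), this PowerShell script lists the drivers registered to load at startup and flags ones stored in unusual locations, such as the ServiceProfiles path mentioned in the first post, or lacking a valid signature. It assumes Windows PowerShell 3.0 or later in an elevated session; the helper name `Resolve-DriverPath` and the flagging rules are this example's own choices.

```powershell
# Added example, not from the thread: triage of drivers that load at startup.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-DriverPath([string]$PathName) {
    # Image paths may be quoted, NT-prefixed (\??\), or relative to %SystemRoot%.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim().Trim('"')
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', [StringComparison]::OrdinalIgnoreCase)) {
        $p = Join-Path $env:SystemRoot $p.Substring(12)
    } elseif (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $file = if ($path) { Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
        # Older Windows versions may report catalog-signed inbox drivers as NotSigned.
        $sig  = if ($file) { (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status } else { 'FileNotFound' }

        $flags = @()
        if (-not $file) { $flags += 'image file not found' }
        elseif ($file.DirectoryName -ne $driversDir) { $flags += 'outside System32\drivers' }
        if ($path -like '*\ServiceProfiles\*' -or $path -like '*\AppData\*') { $flags += 'profile/AppData path' }
        if ($file -and $sig -ne 'Valid') { $flags += "signature: $sig" }

        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            State     = $_.State
            Modified  = if ($file) { $file.LastWriteTime }
            Flags     = $flags -join '; '
            Path      = $path
        }
    }

# Flagged drivers first, then the most recently modified ones for comparison
# (a replaced file in the normal drivers folder only stands out by date or signature).
$report | Where-Object Flags | Format-Table Name, StartMode, State, Modified, Flags, Path -AutoSize -Wrap
$report | Sort-Object Modified -Descending | Select-Object -First 10 Name, Modified, Path
```

A kernel-mode rootkit can hide its own files and registry keys from the running system, so a clean listing here does not rule one out.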



