I finally caught one I can't beat (virus)


#1 WaxyChicken


Posted 14 September 2010 - 12:34 PM

thank you.

Win7 Ultimate 32bit (x86)

File Name: Oburaa.exe
Size: 220 KB (225,280 bytes)
Description: Daniels
Original File Name: Daniels.exe

Worm files installed:
File Names: <Random>.SYS
Location: %Windows%\ServiceProfiles\NetworkService\AppData\Local
Size: 61.7 KB (63,232 bytes) (62 KB in folder details view)

The installer copies worm files to the system.
The worm files are repeatedly copied under new names.
Originally it was displaying pop-ups (defeated that).
The problem still remains that it hijacked my Google clicks: it redirects me to spam sites.
Typing in a URL will have the proper result, but visiting google.com and clicking on a search result will get me directed to a spam site, or the next page simply will not load.


All .SYS and .EXE files have been manually quarantined.
All created registry entries have been removed.

Oddly enough, I also can't start Malwarebytes or use the default SUPERAntiSpyware startup.

SUPERAntiSpyware fails to detect this virus.

I've restored my Firefox about:config and restored my IE settings to default.

Edited by WaxyChicken, 14 September 2010 - 11:12 PM.
Moved from Win 7 to Am I Infected ~ Hamluis.



#2 WaxyChicken

  • Topic Starter


Posted 14 September 2010 - 11:11 PM

Never mind, I found a tool that works.
The final piece of infection was a .sys file I missed: NETBT.SYS, found in C:\Windows\System32\Drivers.
It was being loaded as a driver during boot-up, so it didn't show up in processes, tasks, or msconfig.
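One way to do the two checks this thread describes, added here as an example and not code from the original posts or from any tool the poster used: enumerate kernel drivers that start at Boot or System time together with their on-disk signature state (the reason the last file was invisible to Task Manager and msconfig), and sweep the NetworkService profile path from the first post for leftover .sys and .exe files. It assumes Windows 7 or later with PowerShell 3+ in an elevated prompt; the function names and the flag heuristics are this example's own, and only the paths and the name netbt.sys come from the posts. Note that netbt.sys is also the name of Microsoft's legitimate NetBIOS over TCP/IP driver, so a name match alone is not evidence; the signature and a hash comparison against a known-good copy are.

```powershell
# Added example, not code from the original thread. Assumes Windows 7+ with PowerShell 3
# or later, run elevated. Paths and the name netbt.sys come from the posts; everything
# else (function names, flag logic) is this example's own design.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several forms: a plain path, \??\C:\...,
    # \SystemRoot\System32\drivers\x.sys, or system32\drivers\x.sys (relative to %SystemRoot%).
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-FileSha256 {
    # Get-FileHash needs PowerShell 4+, so compute the hash with .NET for older hosts.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
        ([System.BitConverter]::ToString($bytes)) -replace '-', ''
    } finally { $sha.Dispose() }
}

function Get-BootDriverReport {
    # Kernel drivers with StartMode Boot or System load before any user session, so they
    # never appear in Task Manager's process list or msconfig's Startup tab. Report them
    # with signature state instead of trusting the file name: netbt.sys is also the name
    # of Microsoft's NetBIOS-over-TCP/IP driver, so a name match alone proves nothing.
    param([string[]]$SuspectNames = @('netbt.sys'))   # names reported in the thread

    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.StartMode -in @('Boot', 'System') -and $_.PathName } |
        ForEach-Object {
            $path   = Resolve-DriverPath $_.PathName
            $exists = Test-Path -LiteralPath $path
            $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Heuristic flags. "NotSigned" alone is not proof of malware: many inbox Microsoft
            # drivers carry no embedded signature and are trusted via a catalog instead.
            # Treat it as "verify the hash against a known-good copy", not "delete".
            $flags = @()
            if (-not $exists)                { $flags += 'file-missing' }
            elseif ($sig.Status -ne 'Valid') { $flags += "sig-$($sig.Status)" }
            if ($SuspectNames -contains ([System.IO.Path]::GetFileName($path).ToLower())) {
                $flags += 'name-in-thread'
            }
            if ($path -notlike "$env:SystemRoot\System32\*" -and $path -notlike "$env:SystemRoot\SysWOW64\*") {
                $flags += 'outside-system32'
            }
            if ($exists -and $signer -notlike '*Microsoft*') { $flags += 'non-microsoft-signer' }

            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                Path      = $path
                SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
                Signer    = $signer
                Sha256    = if ($exists) { Get-FileSha256 $path } else { '' }
                Flags     = ($flags -join ',')
            }
        }
}

function Find-StrayDriverFiles {
    # The first post reports <random>.sys files dropped under the NetworkService profile.
    # No legitimate driver lives there, so any .sys or .exe under that tree is worth a look.
    param([string]$Root = "$env:SystemRoot\ServiceProfiles\NetworkService\AppData\Local")
    Get-ChildItem -LiteralPath $Root -Recurse -Force -Include '*.sys', '*.exe' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'Sha256'; e = { Get-FileSha256 $_.FullName } }
}

# Usage: review flagged rows first, then compare the hash of anything flagged against a
# clean machine or the install media before deciding what to quarantine.
Get-BootDriverReport | Where-Object Flags | Sort-Object Name | Format-Table -AutoSize
Find-StrayDriverFiles | Format-Table -AutoSize
```

Drop the `Where-Object Flags` filter to see every boot-start driver rather than only the flagged ones; on a clean Windows 7 install the unfiltered list is a useful baseline to save and diff against later.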
