Hello,
I'm posting my experience so that I might help someone who has the same virus.
In the end I did get back into XP via the Windows XP repair tool from the installation, by manually re-entering the boot lines.
Next I discovered a few things by manually looking through my startup modules, the prefetch folder, and the Windows and System32 folders. I sorted all items by last modified, and in the end I managed to see files the virus was hiding after all.
I came across 2 items I didn't recognise and did some research.
One exe was in the startup section of msconfig:
update7.exe
This was a hidden trojan in the /WINDOWS folder.
It could be destroyed with HijackThis after a reboot.
Neither AVG nor Avast found it after a scan.
And
wiacmfgr.exe, hidden in system32, also invisible to Avast and AVG antivirus, which cannot be removed without specific steps. HijackThis can't remove it and unlockthis (program) can't remove it either.
I googled for
wiacmfgr.exe and found this:
Code:
Backdoor (001356571)
Overview
Date Discovered 17-Feb-10 12:02:00
Added DAT Info 9.37.821
Threat assessment Low
Virus Type Backdoor
Affected OS Windows Vista
Windows XP
Windows 2003 Server
Windows 2000
Windows 7
Length 145920
Aliases Backdoor.Win32.EggDrop.afq (AVP)
Technical Information
* May send one of the following messages with a link to all Instant Messenger contacts on the infected machine:
Want to be better in bed ?
http://www.tl[Removed].com
Check Out This Selection Of ED Meds!
http://www.ku[Removed].com
* Copies itself as wiacmfgr.exe in the Windows System folder.
* Drops the file [Random Name].exe in the %Temp% folder.
* Adds the value
Debugger = "wiacmfgr.exe"
under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
in the Windows registry to hook system startup.
* Adds the value
DisableConfig = 1
under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
* Adds the value
%System%\wiacmfgr.exe = %System%\wiacmfgr.exe:*:Enabled:DHCP Router
under the key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
DomainProfile\AuthorizedApplications\List
* Modifies the value
AntiVirusOverride = 1
FirewallOverride = 1
under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
in the Windows registry to lower security settings.
* Modifies the value
CheckedValue = 1
under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\SuperHidden
* Attempts to terminate the following Processes:
123.COM
123.EXE
A2HIJACKFREESETUP.EXE
APM.EXE
APORTS.EXE
APT.EXE
ASVIEWER.EXE
ATF-CLEANER.EXE
AUTORUNS.EXE
AVENGER.EXE
AVGARKT.EXE
AVINSTALL.EXE
AVZ.EXE
AVZ.EXE
BC5CA6A.EXE
BOOTSAFE.EXE
BUSCAREG.EXE
CATCHME.EXE
CF9409.EXE
COMBOFIX.BAT
COMBOFIX.COM
COMBOFIX.EXE
COMBO-FIX.EXE
COMBOFIX.SCR
COMPAQ_PROPIETARIO.EXE
CPF.EXE
CPORTS.EXE
CPROCESS.EXE
CUREIT.EXE
DAFT.EXE
DARKSPY105.EXE
DELAYDELFILE.EXE
DLLCOMPARE.EXE
DUBATOOL_AV_KILLER.EXE
ELISTA.EXE
EULALYZERSETUP.EXE
FILEALYZ.EXE
FILEFIND.EXE
FIXBAGLE.EXE
FIXPATH.EXE
FOLDERCURE.EXE
FPORT.EXE
FSB.EXE
FSBL.EXE
GMER.EXE
GUARD.EXE
GUARDXKICKOFF.EXE
GUARDXKICKOFF.EXE
HACKMON.EXE
HELIOS.EXE
HIJACK-THIS.EXE
HIJACKTHIS.EXE
HIJACKTHIS_SFX.EXE
HIJACKTHIS_V2.EXE
HJ.EXE
HJTINSTALL.EXE
HJTSETUP.EXE
HOOKANLZ.EXE
HOOKANLZ.EXE
HOSTSFILEREADER.EXE
HOSTSXPERT.EXE
ICESWORD.EXE
IEFIX.EXE
INSTALLWATCHPRO25.EXE
ISSDM_EN_32.EXE
JAJA.EXE
K7TS_SETUP.EXE
KAKASETUPV6.EXE
KILLAUTOPLUS.EXE
KILLBOX.EXE
NETALYZ.EXE
LISTO.EXE
LORDPE.EXE
MBAM.EXE
MBAM.EXE
MBAM-SETUP.EXE
MBR.EXE
MRT.EXE
MRTSTUB.EXE
MSASCUI.EXE
MSMPENG.EXE
MSNCLEANER.EXE
MSNFIX.EXE
MYPHOTOKILLER.EXE
NETSTAT.EXE
NTVDM.EXE
OBJMONSETUP.EXE
OLLYDBG.EXE
OTL.EXE
OTMOVEIT.EXE
MBAM-SETUP.EXE
OTMOVEIT3.EXE
P08PROMO.EXE
PAVARK.EXE
PENCLEAN.EXE
PG2.EXE
PGSETUP.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
PROCEXP.EXE
PROCMON.EXE
PROJECTWHOISINSTALLER.EXE
PSKILL.EXE
RAVP.EXE
REANIMATOR.EXE
REG.EXE
REGALYZ.EXE
REGCOOL.EXE
REGEDIT.COM
REGEDIT.SCR
REGISTRAR_LITE.EXE
REGMON.EXE
REGSCANNER.EXE
REGSHOT.EXE
REGUNLOCKER.EXE
REGUNLOCKER.EXE
REGX2.EXE
RKD.EXE
ROOTALYZER.EXE
ROOTKIT_DETECTIVE.EXE
ROOTKITBUSTER.EXE
ROOTKITNO.EXE
ROOTKITREVEALER.EXE
ROOTREPEAL.EXE
SAFEBOOTKEYREPAIR.EXE
SDFIX.EXE
SEEM.EXE
SPF.EXE
SPYBOTSD.EXE
SPYBOTSD160.EXE
SRENGLDR.EXE
SRENGLDR.EXE
SRENGPS.EXE
SRESTORE.EXE
STARTDRECK.EXE
SUPERANTISPYWARE.EXE
SUPERKILLER.EXE
SYSANALYZER_SETUP.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMAN.EXE
TASKMON.EXE
TCPVIEW.EXE
TEATIMER.EXE
TrendMicro_TISPro_16.1_1063_x32.EXE
TSNTEVAL.EXE
UNHACKME.EXE
UNIEXTRACT.EXE
UNLOCKER.EXE
UNLOCKER1.8.7.EXE
UNLOCKER1.8.7.EXE
UNLOCKERASSISTANT.EXE
USBGUARD.EXE
VBA32-PERSONAL-LATEST-ENGLISH.EXE
VIPRE.EXE
VIRUS.EXE
VIRUSUTILITIES.EXE
WINDOWS-KB890930-V2.2.EXE
WIRESHARK.EXE
WITSETUP.EXE
XP_TASKMGRENAB.EXE
ZLCLIENT.EXE
* It may attempt to terminate the following Services:
Agnitum Client Security
Avast Antivirus
AVG AntiVirus Pro
Avira premium Antivir guard
BitDefender Virus Shield
COMODO Internet Security
ESET NOD32
Kerio Personal Firewall
McAfee
NOD32
Outpost Firewall Pro
Sophos Anti-Virus
Sunbelt Personal Firewall
Sygate Personal Firewall
Trend Micro Personal Firewall
ZoneAlarm firewall
* Modifies the Hosts file with the following to deny access to certain security-related Web sites.
13iii.com
acs.pandasoftware.com
acs.pandasoftware.com
ad13.geekstogo.com
ad-aware-se.uptodown.com
aknow.prevx.com
alerta-antivirus.inteco.es
alerta-antivirus.inteco.es
alerta-antivirus.red.es
alfrasha.maktoob.com
andymanchesta.com
andymanchesta.com
angui123.cn
antitrick.com
anti-virus-software-review.toptenreviews.com
ar.answers.yahoo.com
ariefew.com
atazita.blogspot.com
avast-home.uptodown.com
avg.vo.llnwd.net
baike.360.cn
baike.360.com
bb1.th3kings.net
bbs.360safe.cn
bbs.360safe.cn
bbs.360safe.com
bbs.360safe.com
bbs.cfan.com.cn
bbs.duba.net
bbs.ikaka.com
bbs.kafan.cn
bbs.kafan.com
bbs.kaspersky.com.cn
bbs.kpfans.com
bbs.s-sos.net
bbs.taisha.org
bbs.winzheng.com
beniono.wordpress.com
beta.eset.com
blog.hispasec.com
blog.rnsafe.com
blog.threatfire.com
blogs.icerocket.com
blokvesti.net
boardreader.com
bub.th3kings.net
cairopt.net
cairopt.net
cert.inteco.es
changelog.fr
cit.kookmin.ac.kr
club.myce.com
cmmings.cn
codehard.wordpress.com
cofradia.org
community.mcafee.com
community.thaiware.com
community.thaiware.com
comprolive.com
comprolive.vox.com
comunidad.wilkinsonpc.com.co
customer.symantec.com
deckard.geekstogo.com
destavision-forum.com
devbuilds.kaspersky-labs.com
devirusare.com
diamondcs.com.au
discussions.virtualdr.com
dl.360safe.com
dl2.agnitum.com
dlpe.antivir.com
dnl-eu8.kaspersky-labs.com
down.360safe.cn
down.360safe.com
down.www.kingsoft.com
download.bleepingcomputer.com
download.bleepingcomputer.com
download.eset.com
download.f-secure.com
download.mcafee.com
download.microsoft.com
download.nai.com
download.sysinternals.com
download.zonealarm.com
downloads.andymanchesta.com
downloads.malwarebytes.org
downloads.novirusthanks.org
downloads.sophos.com
dr-web-cureit.softonic.com
egavisa.blogspot.com
es.answers.yahoo.com
es.answers.yahoo.com
es.kioskea.net
es.kioskea.net
es.mcafee.com
es.trendmicro-europe.com
es.wasalive.com
es.wasalive.com
esetnod32antivirus.blogspot.com
espanol.answers.yahoo.com
espanol.dir.groups.yahoo.com
espanol.groups.yahoo.com
fgp.e2doo.com
file.ikaka.cn
file.ikaka.com
files.filefont.com
fixmyim.com
foro.el-hacker.com
foro.elhacker.net
foro.elhacker.net
foro.ethek.com
foro.infiernohacker.com
foro.noticias3d.com
foro.portalhacker.net
foros.abcdatos.com
foros.softonic.com
foros.softonic.com
foros.toxico-pc.com
foros.zonavirus.com
forospyware.com
forum.antivir-pe.de
forum.avira.com
forum.avira.de
forum.burek.com
forum.chip.de
forum.clubedohardware.com.br
forum.clubedohardware.com.br
forum.dobreprogramy.pl
forum.drweb.com
forum.gsmhosting.com
forum.hardware.fr
forum.hijackthis.de
forum.hocit.com
forum.hocit.com
forum.kaspersky.com
forum.kaspersky.com
forum.kasperskyclub.com
forum.lowyat.net
forum.lrytas.lt
forum.malekal.com
forum.piriform.com
forum.romeonet.ro
forum.securitycadets.com
forum.skype.com
forum.smadav.net
forum.smadav.net
forum.smadav.net
forum.softpedia.com
forum.sysinternals.com
forum.telecharger.01net.com
forum.tweaks.com
forum.zazana.com
forums.afterdawn.com
forums.avg.com
forums.cnet.com
forums.comodo.com
forums.devshed.com
forums.maddoktor2.com
forums.techguy.org
forums.techguy.org
forums.whatthetech.com
forums.whatthetech.com
forums.zonealarm.com
free.antivirus.com
ftp.drweb.com
ftp.drweb.com
ftp.drweb.com
ftp.f-secure.com
ftp01net.telechargement.fr
golpe.dyndns.org
gotoknow.org
greatis.com
guru.avg.com
guru0.grisoft.cz
guru1.grisoft.cz
guru2.grisoft.cz
guru3.grisoft.cz
guru4.grisoft.cz
guru5.grisoft.cz
hana-ahmad.blogspot.com
heavenward.ru
hi.baidu.com
hijackthis.download3000.com
hjt.networktechs.com
hjt-data.trend-braintree.com
housecall.trendmicro.com
housecall65.trendmicro.com
images.malwareremoval.com
info.prevx.com
inspiresoft.blogspot.com
irc.ekizmedia.com
irc.snahosting.net
it.answers.yahoo.com
k2r.th3kings.net
kaba.360.cn
kaba.360.com
kaspersky.com
kb.eset.com
kr.ahnlab.com
ladooscuro.es
lexikon.ikarus.at
linhadefensiva.uol.com.br
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
lurker.clamav.net
mailcenter.rising.com
mailcenter.rising.com.cn
majorgeeks.com
malwarebytes.org
mast.mcafee.com
melcy.wordpress.com
mks.com.pl
modelayu.com
msncleaner.softonic.com
msnfix.changelog.fr
msntubers.freehostia.com
mustlovewine.com
mvps.org
mx.answers.yahoo.com
mx.answers.yahoo.com
myantispyware.com
new.taringa.net
news.support.veritas.com
nod32-antivirus.en.softonic.co
ntfaq.co.kr
oldtimer.geekstogo.com
onecare.live.com
oolbar.cyberdefender.com
p3dev.taringa.net
pcvids.wordpress.com
pogonyuto.forospanish.com
research.pandasecurity.com
research.sunbelt-software.com
rootrepeal.googlepages.com
rootrepeal.psikotick.com
sabithpocker.blogspot.com
safecomputing.umn.edu
samroeng.hi5.com
sapcupgrades.com
scanner.virus.org
search.mcafee.com
secubox.aldria.com
secunia.com
secure.sophos.com
security.symantec.com
securityresponse.symantec.com
securitywonks.net
service1.symantec.com
share.skype.com
share.skype.com
****it.net
shv4.ath.cx
sip4.voipkosovasite.com
smadaver.com
sniff.runescapetube.com
social.microsoft.com
software-files.download.com
softwaresecuritysolutions.com
sophos.com
sopiansantosa.blogspot.com
sosvirus.changelog.fr
sosvirus.changelog.fr
spywarefiles.prevx.com
spywarehammer.com
static.commentcamarche.net
stdio-labs.blogspot.com
story.dnsentrymx.com
subs.geekstogo.com
support.emsisoft.com
support.f-secure.com
support.kaspersky.com
tech.pantip.com
thaicert.nectec.or.th
thejokerx.blogspot.com
trbotnet.sytes.net
update.360safe.cn
update.360safe.com
update.symantec.com
updatem.360safe.cn
updatem.360safe.com
upload.changelog.fr
us.mcafee.com
us3.download.comodo.com
us4.download.comodo.com
usa.kaspersky.com
v.dreamwiz.com
vaksin.com
vil.nai.com
vil.nail.com
virscan.org
virusinfo.info
virusinfo.prevx.com
wakoopa.com
wap.elakiri.com
wasteland-bg.com
www.247fixes.com
www.2-spyware.com
www.360.cn
www.360.com
www.360safe.cn
www.360safe.com
www.4-gsmteam.com
www.51nb.com
www.abgenis.net
www.analysis.seclab.tuwien.ac.at
www.antirootkit.com
www.antivir.es
www.antivirus.about.com
www.antivirus.comodo.com
www.arswp.com
www.askmehelpdesk.com
www.auditmypc.com
www.avast.com
www.avg-antivirus.net
www.avira.com
www.avp.com
www.avpclub.ddns.info
www.avsoft.ru
www.babooforum.com.br
www.bakunos.com
www.betterantivirus.com
www.bitdefender.com
www.bitdefender.es
www.bleedingthreats.net
www.bleepingcomputer.com
www.blindedbytech.com
www.blogschapines.com
www.box.net
www.ca.com
www.castlecops.com
www.castlecrops.com
www.cddchiangmai.net
www.cddchiangmai.net
www.cfan.com.cn
www.changedetection.com
www.chkrootkit.org
www.cisrt.org
www.clamav.net
www.clamwin.com
www.clubic.com
www.codelain.com
www.commentcamarche.net
www.commentcamarche.net
www.computerforum.com
www.computerhilfen.de
www.computing.net
www.configurarequipos.com
www.configurarequipos.com
www.cwsandbox.org
www.cyberdefender.com
www.cybertechhelp.com
www.daboweb.com
www.daniweb.com
www.darkclockers.com
www.dazhizhu.cn
www.decido.de
www.devirusare.com
www.dicasweb.com.br
www.dougknox.com
www.drweb.com.es
www.duba.net
www.eeload.com
www.elakiri.com
www.elguruinformatico.com
www.el-hacker.com
www.elhacker.org
www.elitepvpers.de
www.eliters.com
www.emsisoft.com
www.emsisoft.de
www.eradicatespyware.net
www.eset.com
www.eset.com
www.eset.eu
www.eset-la.com
www.ewido.net
www.ewido.net
www.experts-exchange.com
www.faravirusi.com
www.feedage.com
www.file.net
www.fileresearchcenter.com
www.final4ever.com
www.firewallguide.com
www.fixya.com
www.forospanish.com
www.forospyware.com
www.forospyware.es
www.forospyware.es
www.fortiguardcenter.com
www.fortinet.com
www.forum.kaspersky.com
www.forums.majorgeeks.com
www.f-prot.com
www.free.avg.com
www.free.avg.com
www.free.avg.com
www.free.grisoft.com
www.free-av.com
www.freedrweb.com
www.freefixer.com
www.freespywareremoval.info
www.f-secure.com
www.funkytoad.com
www.futurenow.bitdefender.com
www.gamexeon.com
www.geekpolice.net
www.geekstogo.com
www.geekstogo.com
www.gmer.net
www.greatis.com
www.grisoft.com
www.groupwhere.org
www.gsmph.com
www.gsmph.net
www.guiadohardware.net
www.guiadohardware.net
www.gyakorikerdesek.hu
www.gyakorikerdesek.hu
www.hijackthis.de
www.hijackthis.de
www.hotshare.net
www.housecall.trendmicro.com
www.housecall.trendmicro.com
www.huaifai.go.th
www.hvaonline.net
www.identi.es
www.ikaka.cn
www.ikaka.com
www.ikarus.net
www.incodesolutions.com
www.incodesolutions.com
www.indowebster.web.id
www.infos-du-net.com
www.infosecpodcast.com
www.infospyware.com
www.ipaddresser.com
www.jackbloodforum.com
www.javacoolsoftware.com
www.javacoolsoftware.net
www.jbtalks.cc
www.jiwang.org
www.jvme.com
www.k7computing.com
www.kaldata.com
www.kaskus.us
www.kaspersky.com
www.kaspersky.es
www.kaspersky-labs.com
www.killtrojan.net
www.kosandpol.elakiri.com
www.krupunmai.com
www.kztechs.com
www.laneros.com
www.lavasoft.com
www.leforo.com
www.linhadefensiva.org
www.looktr.com
www.malwarebytes.org
www.malwareremoval.com
www.manuelruvalcaba.com
www.manuelruvalcaba.com
www.mcafee.com
www.Merijn.org
www.messengeradictos.com
www.misec.net
www.mostz.com
www.mozilla-hispano.org
www.msnvirusremoval.com
www.mvps.org
www.mxttchina.com
www.mycity.rs
www.mypcsafe.com
www.nabble.com
www.net-security.org
www.networkworld.com
www.norman.com
www.offensivecomputing.net
www.onlinescan.avast.com
www.oprekpc.com
www.oprekpc.com
www.ozzu.com
www.pandasecurity.com
www.pandasecurity.com
www.pandasecurity.com
www.pantip.com
www.pc1news.com
www.pcentraide.com
www.pcentraide.com
www.pcguide.com
www.pchell.com
www.pcsupportadvisor.com
www.pctools.com
www.pcworld.com
www.personal.psu.edu
www.personalfirewall.comodo.com
www.pinoyden.com
www.precisesecurity.com
www.prevx.com
www.psicofxp.com
www.quickheal.co.in
www.raymond.cc
www.regrun.com
www.resplendence.com
www.rising.com
www.rising.com.cn
www.rolandovera.com
www.rootkit.com
www.rootkit.nl
www.runscanner.net
www.safer-networking.org
www.sandboxie.com
www.securitynewsportal.com
www.securitywonks.net
www.sergiwa.com
www.****it.net
www.siteadvisor.com
www.smokey-services.eu
www.soccersuck.com
www.softonic.com
www.sophos.com
www.spyany.com
www.spybot.info
www.spybotupdates.com
www.spychecker.com
www.spywarecease.com
www.spywaredb.com
www.spywarefri.dk
www.spywareinfo.com
www.spywareterminator.com
www.sunbeltsecurity.com
www.sunbeltsoftware.com
www.superantispyware.com
www.superdicas.com.br
www.superdicas.com.br
www.superuser.co.kr
www.symantec.com
www.sysinternals.com
www.sz-pet.com
www.tallemu.com
www.taringa.net
www.taringa.net
www.techimo.com
www.techspot.com
www.techsupportforum.com
www.techsupportforum.com
www.tecno-soft.com
www.thaicert.org
www.thailandsusu.com
www.thecomputerpitstop.com
www.thehelper.net
www.thetechguide.com
www.thinkpad.cn
www.threatexpert.com
www.threatexpert.com
www.tpu.ro
www.trendmicro.com
www.trendsecure.com
www.trendsecure.com
www.trucoswindows.es
www.trucoswindows.net
www.tweaksforgeeks.com
www.ulop.net
www.unhackme.com
www.usbcleaner.cn
www.utilidades-utiles.com
www.utilidades-utiles.com
www.vietcaravan.us
www.viprasys.org
www.virscan.org
www.viruschief.com
www.virusdoctor.jp
www.viruslist.com
www.virusspy.com
www.virusspy.com
www.virustotal.com
www.vivalared.com
www.vsantivirus.com
www.webimmune.net
www.webphand.com
www.webroot.com
www.whatthetech.com
www.wikio.es
www.wilderssecurity.com
www.winbots.es
www.windowexe.com
www.yoreparo.com
www.ziggamza.net
www.zonavirus.com
www.zonavirus.com
www.zonavirus.com
www.zonealarm.com
www.zonealarm.com
www.zyzoom.org
www2.gmer.net
www3.malekal.com
wwww.experts-exchange.com
wwww.mcafee.com
x.360safe.com
zastita.com
zastita.com
zhidao.baidu.com
zhidao.ikaka.com
z-oleg.com
zone.arminboutique.com
* May connect to a specific IRC channel on a certain IRC server to await remote commands.
* This worm also propagates via removable devices and Instant Messenger applications.
Removal Procedure
* Update the product to the latest version.
* Restart the system in safe mode.
* Run a full system scan.
* Delete all the files detected as infected with this virus.
* Open the Windows Registry Editor.
* Delete the value
Debugger = "wiacmfgr.exe"
under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
* Delete the value
DisableConfig = 1
under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
* Delete the value
%System%\wiacmfgr.exe = %System%\wiacmfgr.exe:*:Enabled:DHCP Router
under the key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
DomainProfile\AuthorizedApplications\List
* Restore the Default value
AntiVirusOverride = 1
FirewallOverride = 1
to
AntiVirusOverride = 0
FirewallOverride = 0
under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
* Restore the Default value
CheckedValue = 1
to
CheckedValue = 0
under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\SuperHidden
* Close the Windows Registry Editor.
* Restart the system.
The various TMP### processes were created randomly by the trojan and ended up in the /WINDOWS/TEMP folder.
There they can simply be deleted.
I will now try a few more steps myself to remove the virus, and afterwards still do a clean format and reinstall of Windows.
I thought it was important to post the result, especially because it's such a sh*tty virus that terminates processes, disables antivirus and blocks help websites.
Hopefully someone finds this useful.
Cheers.
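The description quoted above lists exactly the artefacts a responder would want to check on a suspect machine before trusting the "Removal Procedure": the IFEO Debugger value on ctfmon.exe, the Security Center overrides, the SuperHidden CheckedValue, the SystemRestore policy, the firewall exception for wiacmfgr.exe, and the poisoned hosts file. The script below is an added example, not part of the original post or of the vendor write-up, showing how to audit those indicators offline from a `reg export` text dump and a copy of the hosts file, so a clean machine does the checking rather than the infected one (whose Task Manager, regedit and reg.exe the backdoor terminates). It assumes the exported .reg text has already been decoded to a Python string (reg export typically writes UTF-16), parses only the `"name"="string"` and `"name"=dword:` value forms, and uses a constructed subset of vendor names for the hosts check; the sample registry and hosts data are constructed from the values the post quotes.

```python
"""Offline audit of a .reg export and a hosts file for the persistence and
defence-evasion indicators quoted in the post. Added example; not from the
original post or the vendor description."""
import re
from typing import Dict, List

# Registry locations quoted in the post, lower-cased for case-insensitive matching.
IFEO_PREFIX = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options" + "\\"
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
SUPERHIDDEN = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden"
SYSRESTORE_POLICY = r"hkey_local_machine\software\policies\microsoft\windows nt\systemrestore"
# Matched by suffix so both "ControlSet" (as quoted) and "CurrentControlSet" exports hit.
FIREWALL_LIST_SUFFIX = r"\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list"

# File names the post identifies as malicious, and a constructed subset of the
# vendor domains from the quoted hosts list (substring match, so expect the odd
# false positive such as "avg" inside an unrelated name; review, don't auto-act).
KNOWN_BAD_FILES = {"wiacmfgr.exe", "update7.exe"}
SECURITY_MARKERS = ("symantec", "mcafee", "kaspersky", "avg", "avast", "eset",
                    "sophos", "malwarebytes", "trendmicro", "bleepingcomputer",
                    "sysinternals", "f-secure", "bitdefender", "avira", "hijackthis")

# "name"="string" or "name"=dword:XXXXXXXX, with \" and \\ escapes inside strings.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')


def _unescape(s: str) -> str:
    """Undo the backslash escaping reg export applies to names and string values."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers plus string and dword values into {key: {name: value}}.
    Dwords are returned as decimal strings; hex(...) blobs and @ defaults are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, string_val, dword_val = m.groups()
            value = _unescape(string_val) if string_val is not None else str(int(dword_val, 16))
            keys[current][_unescape(name)] = value
    return keys


def audit_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per indicator present in the parsed export."""
    findings: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        if k.startswith(IFEO_PREFIX) and "Debugger" in values:
            # Any Debugger value under IFEO redirects that program's launch; ctfmon.exe is the case quoted.
            findings.append(f"IFEO hijack: {key.rsplit(chr(92), 1)[-1]} runs Debugger={values['Debugger']}")
        elif k == SECURITY_CENTER:
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == "1":
                    findings.append(f"Security Center alerting suppressed: {name}=1")
        elif k == SUPERHIDDEN and values.get("CheckedValue") == "1":
            findings.append("SuperHidden CheckedValue=1 (post says restore to 0)")
        elif k == SYSRESTORE_POLICY and values.get("DisableConfig") == "1":
            findings.append("System Restore configuration disabled by policy: DisableConfig=1")
        elif k.endswith(FIREWALL_LIST_SUFFIX):
            for program, entry in values.items():
                if ":Enabled:" in entry and program.rsplit("\\", 1)[-1].lower() in KNOWN_BAD_FILES:
                    findings.append(f"Firewall exception for known-bad file: {entry}")
    return findings


def audit_hosts(text: str) -> List[str]:
    """Flag hosts lines that pin a security-vendor host name to any address."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for host in names:
            if any(marker in host.lower() for marker in SECURITY_MARKERS):
                findings.append(f"hosts line {lineno}: {host} pinned to {address}")
    return findings


def audit(reg_text: str, hosts_text: str) -> Dict[str, List[str]]:
    return {"registry": audit_registry(parse_reg_export(reg_text)), "hosts": audit_hosts(hosts_text)}


# Constructed sample export reproducing the values the post quotes (CurrentControlSet
# is what a real export shows; the post's text abbreviates it to ControlSet).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="wiacmfgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"CheckedValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wiacmfgr.exe"="C:\\WINDOWS\\system32\\wiacmfgr.exe:*:Enabled:DHCP Router"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

# Constructed sample; the real file is %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE_HOSTS = r"""# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 download.mcafee.com www.kaspersky.com
127.0.0.1 www.example.org
"""

if __name__ == "__main__":
    for section, items in audit(SAMPLE_REG, SAMPLE_HOSTS).items():
        print(section)
        for item in items:
            print("  -", item)
```

On a real case, `reg export HKLM hklm.reg` run from a clean boot environment (or on the mounted hive of the offline disk) produces the input, and the hosts file is copied off the disk; feed both as text to `audit()`. The notepad.exe entry in the sample shows that a plain IFEO key with no Debugger value is not reported, which matters because legitimate tools also create IFEO subkeys.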