
MSE first alerted me to this. Not too concerned about removal as I will be reformatting.

Unfortunately I don't know much about this besides what was detected and posted here. There was no intrusive behavior such as browser hijacks, etc.

Because the infected files were found in the Java directory, perhaps it was a Java exploit. Here's some evidence:

[screenshot: BI9VK.png]

When you visit this address, a Java application tries to start and reappears every time you click Cancel. If you want to look at the malicious application yourself, 'cr' are the obscured letters.

VirTool:Win32/DelfInject

file:C:\Windows\SysWOW64\whv3.exe

file:C:\Program Files (x86)\Java\jre6\bin\d9C4yGXb.ico

file:C:\Users\User\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\4df7102f-6d635e16

VirTool:Win32/DelfInject.gen!BI

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8266

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

29/11/2011 8:51:57 p.m.
mbam-log-2011-11-29 (20-51-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 348854
Time elapsed: 24 minute(s), 15 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
c:\Windows\SysWOW64\config\svchost.exe (Heuristics.Reserved.Word.Exploit) -> 2720 -> Unloaded process successfully.
c:\Windows\SysWOW64\config\svchost.exe (Heuristics.Reserved.Word.Exploit) -> 1488 -> Unloaded process successfully.
c:\Windows\SysWOW64\config\svchost.exe (Heuristics.Reserved.Word.Exploit) -> 3876 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SOUNDMNGR (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soundmngr\ImagePath (Trojan.Agent) -> Value: ImagePath -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\62AXOPQ5\pr[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\62AXOPQ5\pr[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\lod1E78.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\config\svchost.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\config\svchost.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
c:\Windows\System32\config\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\config\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

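The three memory-process hits in the log above were labelled Heuristics.Reserved.Word.Exploit because a binary named svchost.exe was running from C:\Windows\SysWOW64\config\, a directory where the real service host never lives (it sits directly in System32 and SysWOW64). The Python script below, added here as an example and not part of the original post or of Malwarebytes' own code, applies that same check to the log items: it parses each MBAM 1.x item line (the regex is fitted to the lines in the post and is an assumption, not MBAM's documented format), looks the file name up in a short allow-list of reserved process names and their legitimate home directories (also an assumption; real hosts additionally carry WinSxS copies), and returns the distinct paths that masquerade as a Windows system process. The sample log is the posted lines plus two constructed ones: a benign svchost.exe in System32 that must not be flagged, and an lsass.exe under a user profile that must be.

```python
import re
from pathlib import PureWindowsPath

# Assumed allow-list: the only directories in which each reserved Windows
# binary legitimately runs. Illustrative, not exhaustive (WinSxS is omitted).
RESERVED_HOMES = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
}

# Shape of one MBAM 1.x log item: "<path> (<detection>) -> [<pid> ->] <action>".
# The pattern is fitted to the lines in the post above (an assumption), so
# registry items, which start with HKEY_..., deliberately do not match.
ITEM_RE = re.compile(r"^(?P<path>[a-z]:\\[^(]+?) \((?P<det>[^)]+)\) -> (?P<rest>.+)$", re.I)


def is_masquerade(path: str) -> bool:
    """True when the file name is a reserved Windows process name but the
    immediate parent directory is not one of its legitimate homes."""
    p = PureWindowsPath(path)
    homes = RESERVED_HOMES.get(p.name.lower())
    if homes is None:
        return False
    return str(p.parent).lower().rstrip("\\") not in homes


def parse_item(line: str):
    """Split one MBAM log item into path, detection, optional pid and action;
    returns None for lines that are not file or process items."""
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    pid = None
    rest = m["rest"]
    head, sep, tail = rest.partition(" -> ")
    if sep and head.isdigit():          # memory-process items carry a pid first
        pid, rest = int(head), tail
    return {"path": m["path"], "detection": m["det"], "pid": pid, "action": rest}


def masquerading_paths(lines):
    """Distinct (lower-cased) paths in the log whose binaries borrow a reserved
    Windows process name, regardless of the label the scanner attached."""
    found = set()
    for line in lines:
        item = parse_item(line)
        if item and is_masquerade(item["path"]):
            found.add(item["path"].lower())
    return sorted(found)


# Sample input: lines copied from the posted log, plus two constructed lines
# (marked) so the benign and the non-svchost cases are exercised as well.
SAMPLE_LOG = [
    r"c:\Windows\SysWOW64\config\svchost.exe (Heuristics.Reserved.Word.Exploit) -> 2720 -> Unloaded process successfully.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SOUNDMNGR (Trojan.Agent) -> Quarantined and deleted successfully.",
    r"c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\62AXOPQ5\pr[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.",
    r"c:\Windows\Temp\lod1E78.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.",
    r"c:\Windows\System32\config\svchost.exe (Trojan.StartPage) -> Quarantined and deleted successfully.",
    r"c:\Windows\SysWOW64\config\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.",
    # constructed: the genuine service host, must not be flagged
    r"c:\Windows\System32\svchost.exe (Constructed.Benign) -> Not flagged.",
    # constructed: a reserved name dropped into a user profile
    r"c:\Users\User\AppData\Roaming\lsass.exe (Constructed.Sample) -> Quarantined and deleted successfully.",
]

if __name__ == "__main__":
    for hit in masquerading_paths(SAMPLE_LOG):
        print("masquerading system process:", hit)
```

The check keys on the immediate parent directory, so `System32\config\svchost.exe` is flagged even though `System32` appears in the path; a substring test on the directory name would have missed exactly the case in this log. Running the script against the quarantine report is a quick way to confirm that every reserved-name hit was indeed outside its home directory before deciding, as the poster did, to rebuild the machine.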