Medfos.b and others

I read the Medfos topic at http://forums.malwarebytes.org/index.php?showtopic=121173, moderated by Gringo (William Rowland).

I did not find a solution in the solutions area that I was requested to review before making a post.

After my initial description below, I give a list of the logs I got from the various programs used in the above topic, in the order they were generated.


The system is a Compaq Presario SR5710F with Windows XP SP3, 3 GB RAM, Firefox v23 browser, Malwarebytes Pro, ClamWin, Spybot, and Spyware Blaster, with Java 7 enabled.


About one week ago, the following activity began, in about the order listed: links began intermittently redirecting to suspicious sites, then an intermittent, ultimately continual, dialog box appeared:


Data Execution Prevention - Microsoft Windows

To help protect your computer, Windows has closed this program.

Close Message


If this message was closed by clicking "Close Message" or the upper right hand "X", or by using Process Explorer, the following dialog box appeared:


Windows Explorer

If you were in the middle of something, the information you were working on might be lost.

Please tell Microsoft about this problem.

We have created an error report that you can send to help us improve Windows Explorer.

We will treat this report as confidential and anonymous.

To see what data this error report contains, click here.

Debug                  Send Error Report                   Don't Send


If this message was closed by clicking "Don't Send" or the upper right hand "X", or by using Process Explorer, the original dialog box (Data Execution Prevention) appeared again.


Copying a new copy of explorer.exe from the dllcache, or expanding one from the i386 folder, made no change.


Trying to use the Recovery Console to return to a prior configuration failed with a message about there being 414 KB of low memory and 512 KB being required (3 GB of RAM has been installed for years).


Running Malwarebytes on a full scan revealed two copies of the Medfos trojan, two malware DLLs (uteri.dll and maons.dll, both in %APPDATA%), some malware that was affecting memory, and four other pieces of malware.


Running Malwarebytes multiple times after multiple removals continued to reveal a variety of malware, some Medfos, some new.


Soon the computer monitor began refreshing every 5 to 10 seconds, clearing any window present. The only thing I could use was the cmd window from the Run command.


After reading the Malwarebytes topic described initially, I applied the following tools in the following order, as had occurred in that post:


Security Check

Adw Cleaner

Rogue Killer


ComboFix with a ClearJavaCache:: CFScript

Revo Uninstaller to remove Java


Malwarebytes for a Quick Scan which revealed no malware
Here I stopped, because the moderator created a script for OTL that was unique to that individual's computer, and that computer was also running Windows 7 instead of my XP.


After all this, the only effect of the malware left was the infinite loop of the Data Execution Prevention and subsequent dialog boxes.


The various logs created by the anti-malware programs above are given as an attachment.
