Malware? - lewineri

[elmerrn]

I have a registry entry found by HiJack this that contains this entry:

O4 - HKLM\..\Run: [vadijovahe] "C:\WINDOWS\system32\lewineri.dlg,x

The full path is:

HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/Windows/CurrentVersion/Run

When I delete the registry entry, it reappears within 5 seconds.

I have had this infection before and was able to kill the process by using Security Task Manager.

I had also used Microsoft TASKLIST command to find the malware program in a running process. The malware program name was not named lewineri.dlg.

I ended the process and then I would then go to the SYSTEM32 directory and delete obvious malware programs, e.g. a.exe, b.exe, etc. I would then delete the registry entry, reboot and the problem disappeared.

I also noticed that if I left the malware process running and tried to delete the programs from the SYSTEM32 directory, new programs would reappear and the names would be a different letter e.g. delete a.exe and a new program j.exe would appear.

However, I have become reinfected and the malware programs are not easily identified now.

I have googled "lewineri" and have found nothing.

Has anybody else ran into this or knows how to rid the machine of this malware?

Thanks in advance for any help.

[LDTate]

Please don't attach the scans / logs, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

I've been seeing some Java infections lately.

Go here and follow the instructions to clear your Java Cache

http://www.java.com/en/download/help/plugin_cache.xml

Next:

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

[LDTate]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!