DHL Virus

ionine · Oct 27, 2009

Hi All.
My father recently mistakenly opened this bogus DHL mail and ran the executable. It kept blocking the network connection and powering off the PC amongst other things.
Having followed the advice on your forums I thought I had it beat but it seems the av scanner has found a couple of trojans still lurking around, which keep popping up in different folders.
I followed all the instructions and include all the logs but was unable to run Root Repeal. It would say Initializing and then just hang.
The only other thing of note was that he was using AVG 7 that was out of date at time of infection but this has now been upgraded.
Whilst it isnt as bad as it used to be it would be nice to cleanse these once and for all. I also toggled System Restore as I thought I had it licked so perhaps its still lurking around in here??

Any help would be extremely greatfully appreciated.
Cheers
Simon

chaslang · Oct 30, 2009

Welcome to Major Geeks!

You did not follow the instructions for ComboFix. You need to delete the copy on drive E and download the current version of ComboFix to the Desktop as requested otherwise later instructions will not be able to run. But DO NOT run ComboFix again unless I ask you to do so later.

Also you had some kind of problem with MGtools as your log is totally incomplete. Next time shut down your protection software before downloading and running it. We will run it again at the end of the below fix.

Is Family Toolbar something you knowingly installed?

Do you still have ewido anti-malware installed? If yes, uninstall it as it is years out of date.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Now we need to use ComboFix

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.

If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.

Open Notepad and copy/paste the text in the below quote box into it:

KILLALL::
Driver:
krdpdre

File::
c:\windows\guse.dat
c:\program files\Common Files\ukuzuf.dat
c:\windows\system32\izoqigumo.dat
c:\program files\Common Files\favugudic.lib
c:\program files\Common Files\yruj.db
c:\docume~1\Simon\LOCALS~1\Temp\krdpdre.sys

Folder::
c:\documents and settings\Ion\Application Data\lowsec
Click to expand...

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

C:\ComboFix.txt

C:\MGlogs.zip

Make sure you tell me how things are working now!

Log in or Sign up

DHL Virus

ionine Private E-2

Attached Files:

mbam-log-2009-10-21 (22-55-52).txt

MGlogs.zip

SASlog.txt

ComboFix.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member