Register   Welcome!   Status   Virus Scan   Downloads   Staff   Archive   Donate!
Karl`s PC Help Forums Last active: Never
Not logged in [Login ]
Search the forums Search   Frequently Asked Questions FAQ   Today's Posts Today's Posts   Forum Stats Stats   Forum Rules Rules  Activity   Contact  Home Karl`s PC Help Forums
Karl`s PC Help Forums » Virus help and InfoSec » Trojan Horse Generic 16.CFEV Go To Bottom

In memory of Karl Davis, founder of this board, who made his final journey 12th June 2007

Printable Version | Subscribe | Add to Favourites   Post new thread Poll:
Author: Subject: Trojan Horse Generic 16.CFEV
SRD
rantipole
*******

Avatar


Posts: 1928
Registered: 12-1-2008
Location: Wiltshire, UK
Theme: Calm
Member Is Offline

Mood: No Mood

[*] Post 405145 posted on 5-3-2010 at 16:30 Reply With Quote
Trojan Horse Generic 16.CFEV

I clicked on a download link from an email which was purporting to be a missed delivery notification.
Windows AV went loopy (despite my not using it) telling me I was infected with 16 different problems and suggesting I register for the Windows AV in order to remove the infections. I killed the pop up windows telling me about the infections etc and ran AVG scan (updated yesterday 4th March) which told me I was infected with the Trojan Horse Generic 16.CFEV in two places, the temp folder and somewhere in the registry (I think, I didn't take a note of the full addresses). I allowed AVG to deal with the infections. I then used the keyboard to close the wireless connection between my computer and the wireless router. The Windows AV was still firing off so I tried to run Malwarebytes' Anti-Malware (also updated yesterday) however I couldn't get it to run, just pop up window asking me what app I wanted to use to open the .exe file.
I exited and closed down the computer, re-booting in Safe Mode which enabled me to run Malwarebytes' Anti-Malware.
The following log was taken:
Malwarebytes Anti-Malware 1.44
'Database version: 3825
Windows 5.1.2600 Servce Pack 3 (Safe Mode)
Internet Explorer 8.0.6001 18902

05/03/200 13.31.41
mbam-log-2010-03-05 (13-31-41).txt

Scan type: Full Scan (C:/|)
Objects scanned: 209524
Time elapsed: 2 hour(s), 1 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\nynw.wmo (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY-CLASSES-ROOT\idid (Trojan Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY-LOCAL-MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\Shell

(HijackShell) -> Bad: (Explorer.exe rundll32.exe nynw.wmo mynleeq) Good: (Explorer.exe) ->

Quarantined and deleted successfully.
HKEY-LOCAL-MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify

(Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY-LOCAL-MACHINE\SOFTWARE\Microsoft\Security Center\FireWallDisableNotify

(Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY-LOCAL-MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify

(Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\nynw.wmo (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and settings\Simon\Local Settings\Application Data\av.exe

(RogueWIN7Antispyware2010) -> Quarantined and deleted successfully.

Being loth to reconnect to the household wireless network I tried to save the file to CD but, having loaded the disc, was unable to access the CD-RW drive to save anything to it.

I then tried to reconnect to the internet but failed receiving the same 'which app do you wish to use to run this file' message.

I also tried to do a system restore but received an error message asking me to try again later.

I closed my computer down and down loaded HiJackThis from CNET onto another computer and saved it to a CD-RW disc and tried to run it from the disc drive on the infected computer. Only the terms and conditions file opens, there are no 'Accept' buttons etc.
View User's Profile View All Posts By User
John_Little
Chads-r-us...
*******

Avatar


Posts: 11055
Registered: 20-12-2007
Location: Sarf East Lundun
Theme: KF Blue (Default)
Member Is Offline

Mood: Confused

[*] Post 405166 posted on 5-3-2010 at 19:24 Reply With Quote


Have a look here Simon and see if it helps:-

http://www.precisesecurity.com/trojan/trojan-horse-generic-14dyj/
View User's Profile View All Posts By User
John_Little
Chads-r-us...
*******

Avatar


Posts: 11055
Registered: 20-12-2007
Location: Sarf East Lundun
Theme: KF Blue (Default)
Member Is Offline

Mood: Confused

[*] Post 405167 posted on 5-3-2010 at 19:34 Reply With Quote


Or this:-

http://answers.yahoo.com/question/index?qid=20080417173014AAnFw7m
View User's Profile View All Posts By User
Post new thread Poll:

Guest Notice
You are a guest, as a guest you can only see a maximum of 3 posts per thread.

If you want to see the rest, please click here to register.