Forum Moderators: phranque
Multi-loader Trojan, no real destructive payload, mostly random financial ones and a few porn ones.
For some reason I was not able to run most of my tools in safe mode
Finally made it, PCC does not see it, HijackThis does find it, SSD does not find it
Made a registry restore to a known safe point, to no avail.
Finally tried something new (to me)
Downloaded a tool named a-Squared HijackFree; one scan pointed to a “bad file” not supposed to be there: mcntqlwb
Did a search, found it in sys32 and deleted it (it has a nice file icon).
Did a regedit search; found it in three different places and deleted them.
Reboot and … it’s back again
Next: Another great new tool (to me) ComboFix
That did a great job
And again looked all over sys32 and the reg.
Killed a few more… (in safe mode – reboot & F8 on XP)
Reboot.. works fine BUT
Tried to empty the trash… no way.
Windows is not that stupid :) If I may not empty the garbage, then more of it is live and somehow active in the background somewhere. Fortunately it has lost most of its powers, but it has a strong will and comes back again without its loader capability (any deletion from the reg lets it be reborn, but as mentioned with limited powers).
So I tried, successfully, something else: renaming it in the reg and sys32.
That did it totally; it does not mutate or come back again
However, this does not allow eradicating it, but the machine is “clean” and functionality is 100% back.
The big surprise is that I found after many searches only two sites that mentioned it
One is from a thread on the geektogo board and another from a site that triggered an alarm from Finjan.
I searched the principal AV vendors' sites; none of them have heard about this one.
Is it a brand new one?
Hope the above could help you in case…
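The manual procedure in the post (search the registry and System32 for the suspect name, back up, then rename rather than delete so the loader cannot find it again) can be scripted. The following is an added example, not the poster's own tooling or anything from the tools named above. It assumes PowerShell 2.0 or later (available for XP SP3 and newer), an Administrator account, and that the suspect name is a bare file base name as in the post; the set of autostart keys searched, the `.quarantined` suffix and the backup folder under `%TEMP%` are choices of this example.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0+ on
# Windows XP SP3 or newer, run from an Administrator account.
# Reports every reference to a suspect base name in the common autostart
# registry locations, in service ImagePath/ServiceDll values and in System32;
# with -Rename it exports the affected keys and renames the file(s) so the
# loader can no longer find them (the bytes stay available for analysis).
param(
    [string]$Name = 'mcntqlwb',   # suspect base name from the post
    [switch]$Rename               # without -Rename the script only reports
)

$sys32 = Join-Path $env:SystemRoot 'System32'
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
$pattern = [regex]::Escape($Name)
$hits = @()

# 1. Autostart values whose data mentions the name (Run entries, Winlogon
#    Shell/Userinit, CLSID lists for shell hooks and delay-load objects).
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # provider metadata
        if ("$($p.Value)" -match $pattern) {
            $hits += New-Object PSObject -Property @{
                Key = $key; Value = $p.Name; Data = "$($p.Value)" }
        }
    }
}

# 2. Services: a DLL loader hosted by svchost is registered under
#    <service>\Parameters\ServiceDll, an EXE loader under ImagePath.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $imagePath = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    $serviceDll = $null
    $paramKey = Join-Path $svc.PSPath 'Parameters'
    if (Test-Path $paramKey) {
        $serviceDll = (Get-ItemProperty $paramKey -ErrorAction SilentlyContinue).ServiceDll
    }
    foreach ($d in @($imagePath, $serviceDll)) {
        if ($d -and ("$d" -match $pattern)) {
            $hits += New-Object PSObject -Property @{
                Key = $svc.PSPath; Value = 'ImagePath/ServiceDll'; Data = "$d" }
        }
    }
}

# 3. Files in System32 with that base name and any extension (hidden too).
$files = Get-ChildItem -Path $sys32 -Filter "$Name.*" -Force -ErrorAction SilentlyContinue

$hits  | Format-Table Key, Value, Data -AutoSize
$files | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Rename) {
    # Export every key that referenced the name so the change is reversible.
    $backup = Join-Path $env:TEMP ("reg-backup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))
    New-Item -ItemType Directory -Path $backup | Out-Null
    $i = 0
    foreach ($h in $hits) {
        # reg.exe wants HKLM\... or HKEY_LOCAL_MACHINE\..., not a PS drive path
        $regKey = $h.Key -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
        $regKey = $regKey -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU'
        reg.exe export $regKey (Join-Path $backup "key$i.reg") /y | Out-Null
        $i++
    }
    foreach ($f in $files) {
        # Rename instead of delete: the path the loader expects is gone, but
        # the sample survives for analysis or submission to an AV vendor.
        Rename-Item -Path $f.FullName -NewName ($f.Name + '.quarantined') -Force
    }
    Write-Host "Backups written to $backup"
}
```

Run it once without `-Rename` to see what it finds, and once with `-Rename` from safe mode so fewer handles are open on the file. The registry values themselves are left in place on purpose: once the file they point to is gone, they reference nothing, and the exported `.reg` files in the backup folder let you put everything back if the rename turns out to hit a legitimate file.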