Please Help With Generic.sdbot.e025eab7 & Generic.malware.fwx!g.d8f33684
Hello,
First I'd describe how I got this virus. I installed a plugin called Gizmo for the Gizmo call project, then my computer started getting slower and slower! I uninstalled it as I heard on a forum that it may contain a virus, then I installed my BD and I got this (I quote what's shown in the log file):
Summary:
<System>=>C:\WINDOWS\system32\dfzhems.exe (memory dump) Infected: Generic.Malware.FWX!g.D8F33684
<System>=>C:\WINDOWS\system32\dfzhems.exe (memory dump) Disinfection failed
<System>=>C:\WINDOWS\system32\dfzhems.exe (memory dump) Move failed
<System>=>C:\WINDOWS\system32\dfzhems.exe (full dump) Infected: Generic.Sdbot.E025EAB7
<System>=>C:\WINDOWS\system32\dfzhems.exe (full dump) Deleted
<System> Update
As I think the first virus wasn't deleted, no? If so, how could I delete it?
Till now when I run some applications like Skype or Firefox it's so slow to open them and sometimes they block!
I don't know what dfzhems.exe is; what I remember is that I denied this file to connect when my firewall asked me to accept or not!
I made a search for this dfzhems.exe on Google but no result!
Could someone tell me what I should do, because my PC still freezes and it's slow!
Waiting for your help!
Thanks
Comments
Hello viva bit
I also recommend that you download this program
Update it, reboot your PC into safe mode by rebooting your PC and pressing the F8 button several times before the Windows loading screen. Log in with your account. Start SuperAntiSpyware and perform a complete scan.
Regards
Niels
Hello,
Thanks Andrei & Niels,
But no result, so I followed your howto (Andrei) and also installed SuperAntiSpyware but it didn't detect this malware.
But after each scan, when rebooting my PC and running Deep system scan or Scan Memory, I find both viruses!
What should I do?
Is it what's on the pic, correct?
According to the scanning results, no threats were detected during the scan. Though, your computer should be clean. However, reboot your PC once again in safe mode, and try to delete the file manually. If you can't find the file, please store the file in an archive with the password infected, and upload it to this forum; the VRs will take a look at it. It may be a file created by other threats.
Andrei
Hi again!
Really it's making me crazy!
I formatted the Windows partition and installed Win XP again, but I got the same malware in a different file in windows>system32
-------------------------------------------------------------------------------------------------------------------------
Virus Statistics
Scan path : C:\
Folders : 870
Files : 31078
Memory processes scanned : 8
Archives : 380
Runtime packers : 2048
Identified viruses : 2
Infected files : 1
Memory processes infected : 1
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 1
Moved files : 0
I/O errors : 28
Scan time : 00:06:53
Scan speed (files/sec) : 75
Spyware Statistics
Registry keys scanned : 1485
Registry keys infected : 0
Cookies scanned : 0
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0
Virus definitions : 721738
Scan plugins : 16
Archive plugins : 40
Unpack plugins : 6
Mail plugins : 6
System plugins : 5
Virus scan options
Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email
File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user
Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1187113846.log
Spyware scan options
[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies
Summary:
<System>=>C:\WINDOWS\system32\lnjhrmj.exe (memory dump) Infected: Generic.Malware.FWX!g.D8F33684
<System>=>C:\WINDOWS\system32\lnjhrmj.exe (memory dump) Disinfection failed
<System>=>C:\WINDOWS\system32\lnjhrmj.exe (memory dump) Move failed
<System>=>C:\WINDOWS\system32\lnjhrmj.exe (full dump) Infected: Generic.Sdbot.E025EAB7
<System>=>C:\WINDOWS\system32\lnjhrmj.exe (full dump) Deleted
<System> Update
------------------------------------------------------------------------------------------------------------------------------
How did it stay despite my formatting the C Win partition!?
I found this file in prefetch and I attached it! (no caps for the password: lnjhrm)
In safe mode I followed your tuto, Andrei! But it didn't detect this virus, but I did something, hope you tell me if what I did is right! So I searched in the registry for the infected file (lnjhrmj.exe) via start>run>regedit, then I deleted everything related to this file, then when I rebooted my PC I made a scan and it didn't detect any virus! So does that mean the problem is solved?
PS: * Should I remove the Gizmocall plugin (setup) from my downloads folder (a folder in which I gather all my download files)?
* I uploaded the Gizmo plugin that I'm sure is responsible for this problem! Because after installing it my PC started to be slow and suffering from lack of memory. Could you test it or check it for the virus? (pass: gizmocall)
* Should I remove the infected file in prefetch?
Finally, excuse me if I made some mistakes as I'm a newbie and maybe I said something wrong in IT science :) !
Waiting for your reply!
Thanks
Attachment: gizmocall.rar
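An added example, not code from the thread or from BitDefender: a small Python parser for the summary lines quoted in the first post and in the log above. It groups the events per file and dump type and tells whether the on-disk copy was deleted and whether the in-memory copy (the running process) was flagged but could not be cleaned, which is the question raised after the first log. The success words "Disinfected" and "Moved" are assumed; only "Deleted" appears in the thread.

```python
import re

# Constructed sample in the format of the BitDefender summary lines quoted in
# the thread (the dfzhems.exe lines from the first post).
SAMPLE_SUMMARY = r"""
<System>=>C:\WINDOWS\system32\dfzhems.exe (memory dump) Infected: Generic.Malware.FWX!g.D8F33684
<System>=>C:\WINDOWS\system32\dfzhems.exe (memory dump) Disinfection failed
<System>=>C:\WINDOWS\system32\dfzhems.exe (memory dump) Move failed
<System>=>C:\WINDOWS\system32\dfzhems.exe (full dump) Infected: Generic.Sdbot.E025EAB7
<System>=>C:\WINDOWS\system32\dfzhems.exe (full dump) Deleted
<System> Update
"""

# Line shape: <System>=>PATH (memory dump|full dump) EVENT
LINE_RE = re.compile(r"^<System>=>(?P<path>.+) \((?P<scope>memory dump|full dump)\) (?P<event>.+)$")
# Events meaning the object was dealt with. Only "Deleted" occurs in the thread's logs;
# "Disinfected" and "Moved" are assumed from the statistics counters of the same log.
HANDLED = {"Deleted", "Disinfected", "Moved"}


def parse_summary(text):
    """Group the events of each (path, scope) pair, keeping log order."""
    groups = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # "<System> Update" carries no detection and is skipped
            groups.setdefault((m["path"], m["scope"]), []).append(m["event"])
    return groups


def assess(text):
    """Per path: detection names, whether the on-disk file was removed, and whether
    the memory image of a running process was flagged but could not be cleaned."""
    report = {}
    for (path, scope), events in parse_summary(text).items():
        names = [e[len("Infected: "):] for e in events if e.startswith("Infected: ")]
        if not names:
            continue
        entry = report.setdefault(path, {"detections": [], "file_removed": False, "process_still_flagged": False})
        entry["detections"] += names
        handled = any(e in HANDLED for e in events)
        if scope == "full dump":
            entry["file_removed"] |= handled
        elif not handled:  # a live process image cannot be quarantined like a file
            entry["process_still_flagged"] = True
    return report


def advice(entry):
    """Plain-language next step for one path, read from the defender's side."""
    if entry["file_removed"] and entry["process_still_flagged"]:
        return "on-disk file deleted; running process image not cleaned: reboot and rescan"
    return "file deleted; rescan after reboot" if entry["file_removed"] else "file still on disk; manual action needed"
```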
Hello viva bit
Formatting doesn't erase your files, so they are still there. If you really want a clean disc you have to use a tool from your hard disc manufacturer. That writes garbage (writes zeros) to your hard disc. Then you are sure that everything is deleted. How did you format? Did you use the Windows CD-ROM?
You should delete both the entry in the prefetch folder and the one in your download folder.
Regards
Niels
Hi Niels
Yeah, I did format from the Win installation CD! So could you tell me how I could format it correctly (erase all files)!
Note that now it didn't detect this malware? What does that mean, is it deleted? Or is it invisible?
Thanks
Hello viva bit
First you should format as you did.
But the files are still there and they are hidden; when you write zeros then you can't recover the files. You can use a tool that, as I mentioned before, you can download from the site of your hard disc vendor. Otherwise you can recover the files.
It's deleted because you also removed it from prefetch. All these programs are automatically started before Windows is started. Also, when I take a look at your scan report, BitDefender deleted the executable file.
Regards
Niels
A few things:
- The Gizmo setup is clean. It might be buggy, I don't know, but it's clean
- The prefetch file is actually a data file which tells Windows what parts of the executable to keep in memory so that they can start faster. It doesn't include the actual code from the executable.
- While it's true that quick-format doesn't entirely erase the contents of the hard-drive it resets the "file catalog", so even though there might be malicious code on the hard-disk, it's inaccessible and for all intents and purposes harmless (except for particular types of malware, like MBR infectors, which are very rare these days)
Most probably what's happening is that somebody is scanning your IP range for vulnerable computers and as soon as you reinstall your system (before you get any chance to apply the updates, for example), you get exploited remotely. What you should do:
1. reinstall the OS with the network cable unplugged
2. apply Service Pack 2 (with the network cable still unplugged). You can download it on a separate computer or order a CD with it from Microsoft
3. after SP2 is installed (and all the restarts have finished), plug in the network cable, set up your connection, and go to Windows Update and apply all the patches (this will require some time and several restarts)
Best regards.
Hello,
First I'd like to thank you all!
I did the DBAN 'Darik's Boot and Nuke' disk option to erase all my hard drives!
Yeah, I think it's not Gizmo, it's a zip file; when I unzipped this file and clicked on the executable, all these problems came! And thanks to BitDefender, because I've noticed each time I run this zipped file it asked me that
dfzhems.exe would change the registry (first time)
then lnjhrmj.exe, same question; till yesterday I got the same alert from BitDefender asking me to change the registry, but it's strange because each time it asks me this, I did deny (remember my answer), so why did it make all these problems if I stopped it with BitDefender?
Before doing the DBAN 'Darik's Boot and Nuke' disk option to erase all my hard drives, I saved some software on my flash disk, such as BitDefender, Firefox, etc., and this zipped file (which contains the virus, as I think) too. So may I get some risk now? Or only when I unzip it? Because I don't know how this virus works: after double-clicking on the executable? Or after unzipping it? So can I use my flash disk without risk, as I won't open this file, because I need some software on my flash disk!
Waiting for your answers
Thanks again
Hello viva bit
You can unzip the archive; the virus will only be active if you double-click on the executable. But just delete that particular zip file. You only stopped the possibility of adding something to the registry. The infected file was already dropped on your hard disc. But Cd-MaN can tell you more information.
Regards
Niels