Removal tool for Mal/FakeAV-CO, Downloader-CEW (Vvavia.exe, Vdl.exe, Vdk.exe, Vdj.exe) Malware
March 26, 2010 by admin
Filed under Removal Tips,Tools and Videos

Submitted by Diego
Severity Level : 6/10
Alias:
- Mal/FakeAV-CO [Sophos]
- Downloader-CEW [McAfee]
- NOT Detected [Kaspersky Lab]
- NOT Detected [Microsoft]
Vdk.exe VirusTotal report: (link)
File System Modifications
The following files were created in the system:
- %userprofile%\Local Settings\Temp\Perflib_Perfdata_714.dat
- %userprofile%\Local Settings\Temp\Vdj.exe
- %userprofile%\Local Settings\Temp\Vdk.exe
- %userprofile%\Local Settings\Temp\Vdl.exe
- %userprofile%\Local Settings\Temp\sshnas21.dll
- %systemroot%\Vvavia.exe
- %systemroot%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
- %systemroot%\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
- %system%\sshnas21.dll
Note:
- %system% is a variable that refers to the System folder. By default, this is "C:\Windows\System" (Windows 95/98/Me), "C:\Winnt\System32" (Windows NT/2000), or "C:\Windows\System32" (Windows XP).
- ? = random file name.
Memory Modifications
The following new processes were created in the system:
| Process Name | Process Filename |
| Vvavia.exe | %systemroot%\Vvavia.exe |
| Vdl.exe | %userprofile%\Local Settings\Temp\Vdl.exe |
The following Internet actions were started (the retrieved bits are saved into the local file):
| URL to be downloaded | Filename for the downloaded bits |
| www.chinaontv.com | - |
| smtp.yfc.logicalprocesses.com | - |
| install.netwaq.com | - |
| 69.10.35.253 | - |
Registry Modifications
The newly created or modified registry keys and values are (values are listed under the key they belong to):
[HKEY_CURRENT_USER\Software\WEK9EMDHI9]
[HKEY_CURRENT_USER\Software\XML]
[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
"Vj2"="xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P"
"Vj0"="tSLPLpWL7R22spR48AI743bz2Kge8sEdwEqmsT37hAhii9o56M45qdHEQLL59eutSfWczpoAJiFx"
"Vj1"="tSbFNJuL/h22spR48AI743bz2Kge8sEew1WeZUbE98hA0Rzkp3/l/FrHIYr5A4wiCO8Dph4h9+dbFwok9MptNDjCbOrr45GVFpV/sTDwF5BZNgDlPbNVQVn9lMwfvCcG4="
"Vz4"=dword:00015180
"Vz5"=dword:00000002
"Vz2"=dword:01cacd45
"Vz3"=dword:e2940770
"Vz6"=dword:00000001
"Vz0"=dword:01cacc7f
"Vz1"=dword:123c6020
"Vj4"="7SDUIc7NyUn+3vMc="
[HKEY_CURRENT_USER\Software\Microsoft\Handle]
"3"="z+XaaugyuuSvEib0Hft72iB+UUk006BXeWC43zHlD+="
"7"="z/Taa/pl0NCrJEynBu9+nW4ctjyqwoD34SzQye9W6i8cdZ5R0prC0V28U="
"5"="z/DcO5EGvtLTXCm7FPhmgDwcNWID0/R+VgSJ5APKWrFlEp37TcOkOwzpj7qKzmXTMoC1URSbRM="
"8"=dword:ffffffff
"6"=dword:ffffffff
"4"=dword:00000005
"12"=dword:01bc9309
[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3]
[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\
12D4872,00,,732,30,30,39,2d,32,20,43,6,c9,5e,8,21,95,e4,d1,9c,50,435,3b,1e27,b0,e1,4d,34,7f,]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\ivqrb-cyhtva.45158.rkr"=hex:01,00,00,00,06,00,00,00,50,94,91,a6,7c,cc,ca,01,
; UserAssist value names are ROT13-encoded; this one decodes to
; UEME_RUNPATH:C:\Documents and Settings\Administrator\Desktop\video-plugin.45158.exe,
; i.e. the dropper launched from the desktop (see the MUICache entry below).
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"YVIBBBHA8C"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\Vdl.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Administrator\\Desktop\\video-plugin.45158.exe"="video-plugin.45158"
"C:\\WINDOWS\\system32\\cmd.exe"="Windows Command Processor"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\AvailableVersion]
"Precache"=dword:00000000
@="7,0,19,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
"CODEBASE"="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
"TrapPollTimeMilliSecs"=dword:00003a98
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,63,68,6f,73,745,20,2d,6]
"DisplayName"="SSHNAS"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
"ServiceDll"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,2e,64,6c,6c,00,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
"Security"=hex:01,00,14,80,90,0,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,0,00,05,20,00,]
Removal Tools:
Download the Mal/FakeAV-CO, Downloader-CEW malware removal tool provided by VirusExperts.org from here.
%Temp%\cvasds1.dll
%Temp%\cvasds2.dll