Hacked by D.v.G., Welcome to D.v.G. World

Hello all:

On January 11th I opened an executable for a keygen after a scan that returned no results. I had already updated both Windows and the Avast virus definitions. My security settings in Avast were all set to high security. I even uploaded the file to the online file scan from Kaspersky since the icon for the app looked exactly like the icon for forms in VBasic and that seemed strange to me. All antivirus engines returned no results for the file so I executed it.

Results:
1- Task Manager won’t open either by using “Run” on the Start Menu, nor by accessing it directly from its folder in C:\windows, nor by hitting CTRL + ALT + DEL.
2- The memory overloaded displaying lots of message boxes indicating the overload.
3- A message box displayed in the center of the screen in Windows with the message “W€Lc0me 2 THe D.v.G W0RlD”. The message box title says “:. Dr D.v.G. .:”
4- Avast won’t start when Windows is booted in any mode.
5- Windows Restore doesn’t appear as a tab in Control Panel\System
6- Windows Security Center is shut down without the chance of turning it back on (it is still available as an icon in Control Panel, but when opened there’s no option in it and only a paragraph that says that it has been turned off).
7- Not able to run Regedit
8- Found files that are being rewritten after deletion in C:\Documents and Settings\[my profile]\Local Settings\Temp, named “XxX.xXx” and “UuU.uUu” (1kb each).
9- Found some files on the system32 folder: msvdll.exe, win.exe. The prefetch Folder had a lot of files created at the same time as the infection which I deleted but later on came back on a restart. There’s a strange file named “dlling.exe” that the VStudio debugger keeps making reference to but I can’t find it anywhere (though the file DLLing*.pf appears in the prefetch folder).
10- I use my mobile phone to tether and the connection is established but NO internet. When I open Internet Explorer, cannot see the Internet. The browser title says “Hacked by Dr D.v.G.”. Also, when going to Internet Options, the first home page set is “http://www.dvg-world.tk”. I haven’t had the courage to go there using another computer, for obvious reasons.

Does anyone know about this problem? Please help! :cry: Thanks…

Hi,

  1. You can create a .bat file with the script below:

@ECHO OFF
ECHO Enable Task Manager, Regedit and Folder Options

REM Straight quotes are required; the curly quotes from the forum post break "reg".
ECHO FIX Task Manager
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableTaskMgr" /f

ECHO FIX Regedit
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableRegistryTools" /f

ECHO FIX Folder Options
REM Setting the value to 0 has the same effect as deleting it.
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v "NoFolderOptions" /t REG_DWORD /d 0 /f

  2. If you have the source file, please compress it as a .zip, rename it to Virus and give it the password: virus. Then submit it to: virus @ avast . com

Good luck to you

Thank you, I will try it out and inform of the results…:slight_smile:

I opened an executable for a keygen
Well, that is asking for trouble, as that is how new malware and rootkits are distributed.

It looks like something fairly complicated. If it is Windows Vista you can try via the special permissions, as long as you try it disconnected from the Internet. Try to delete all the files related to the name, and as soon as you have the chance to use Task Manager, use it to look for strange processes and applications. Send the components you find for analysis, both to Avast and to Microsoft, in case patches or updates for the operating system are needed. Thanks

If you are still having problems I can try to help, as this looks to be a new infection to me.

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]Reg - Shell Spawning
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
[*]Click Add Reply
[*]Under the reply panel is the Attachments Panel
[*]Browse for the attachment file you want to upload, then click the green Upload button
[*]Once it has uploaded, click the Manage Current Attachments drop down box
[*]Click on
http://www.geekstogo.com/forum/style_images/11168623649/folder_attach_images/attach_add.png
to insert the attachment into your post

Thank you so much for your help. Unfortunately, since I’m not able to use the Internet on my computer, I’m using my mobile with Opera Mobile 10 and those attachment tools don’t show, only a simple attachment option. I was able to copy/paste the TXT file to my storage card via the SD port so I’m attaching it.

Please let me know what you find…

There’s a file named Virus Infection.jpg which is a print screen I made of Avast’s Chest on the first scan, it’s not part of the infection. You may see some other txt files on the desktop related to that scan (txt files).

Thanks! :slight_smile:

Whoops, I see I misspelled the md5start and stop…
Re-uploading the log…
This one includes md5 scan…

OK, that was a biggie: a lot of things were re-routed through win.exe (bad) via the IFEO registry key.

Due to the size of the fix I would like you to download the latest version of OTS; this will allow us to drag and drop the fix.txt onto the tool rather than copy and paste it.

Start OTS. Drag the attached fix.txt file into the pane where it says “Paste fix here” and then click the Run Fix button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
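The first reply’s batch file removes the policy values that block Task Manager, Regedit and Folder Options, and the post above found programs re-routed through win.exe by way of the IFEO registry key (an IFEO “Debugger” value silently launches a different binary in place of the named program). The PowerShell script below is an added example, not from this thread, OTS or Avast, that audits both mechanisms read-only and only deletes what it found when run with -Remove. It assumes PowerShell is available (it was not on a stock Windows XP install of this era) and that it is run as an administrator so the HKLM entries are visible; the value names are the ones from the thread, and the IFEO path is the standard one.

```powershell
# Added example: audit Policies restrictions and IFEO Debugger redirects.
# Not part of the thread; assumes PowerShell and an administrator session.
param([switch]$Remove)

$findings = @()

# 1. Policy restrictions (names from the thread's batch file). Both hives
#    matter: a value under HKLM applies to every user on the machine.
$policyChecks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($c in $policyChecks) {
        $path = "$hive\$($c.Key)"
        if (-not (Test-Path $path)) { continue }
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $value -and $value -ne 0) {
            $findings += [pscustomobject]@{ Kind = 'Policy'; Path = $path; Name = $c.Name; Data = $value }
        }
    }
}

# 2. IFEO Debugger values. Legitimate entries are rare on a home PC; several
#    programs all pointing at the same unexpected file (win.exe in this thread)
#    is the pattern to look for.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
if (Test-Path $ifeo) {
    foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Kind = 'IFEO'; Path = $sub.PSPath; Name = $sub.PSChildName; Data = $dbg }
        }
    }
}

# Report first. Nothing is changed unless -Remove was given.
if ($findings.Count -eq 0) {
    Write-Output 'No policy restrictions or IFEO Debugger entries found.'
}
$findings | Format-Table Kind, Name, Data -AutoSize

# With -Remove, delete only the offending value. For IFEO the subkey is kept
# and just the Debugger value goes, which is enough to stop the redirect.
if ($Remove) {
    foreach ($f in $findings) {
        $valueName = if ($f.Kind -eq 'IFEO') { 'Debugger' } else { $f.Name }
        Remove-ItemProperty -Path $f.Path -Name $valueName -Force -ErrorAction Continue
        Write-Output "Removed $valueName from $($f.Path)"
    }
}
```

Run it once without arguments to see what is set, compare the IFEO targets against what you expect (a debugger you installed yourself is the only normal reason for a Debugger value), then run it again with -Remove. Because the thread’s sample re-created its files after deletion, expect to re-run the audit after the malware’s own processes have been stopped.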

Ok, so I managed to install the new version, move the fix file and run the fix.

It started off by killing all processes leaving the desktop completely clean of icons displaying only the OTS window…BUT, got stuck (still is after a few minutes) “Fixing registry item: PicNotify…” says OTS’ status bar.

Is it ok to be afraid that something went wrong? :-\

OTS kills all running processes so that nothing will hinder it

Has it finished ? It should take no more than ten minutes max, if it hasn’t then reboot

Nope, it hung… after an hour I just turned it off manually, booted again, ran it again with the same results… it hangs while fixing what I posted earlier… any ideas?

Yep, there is probably a rootkit preventing it from running the cleanup; time for the big boy.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

I have no Avast icon on the tray since the infection and am using the home version… can’t find the option to turn off the real-time scan, is there a way via CMD?

  • Can’t use Task Manager, and services via Start\Run won’t run either

Run it without turning Avast off - ComboFix will complain but ignore it.

here it goes…

plus another OTS scan…

Looks to be mostly gone now; did you turn off System Restore?

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{1799460C-0BC8-4865-B9DF-4A36CD703FF0}" [HKLM] -> Reg Error: Key error. [IconPackager Repair]
[Files/Folders - Created Within 30 Days]
NY ->  win.com -> C:\WINDOWS\System32\win.com
[Files/Folders - Modified Within 30 Days]
NY ->  mera.bat -> C:\mera.bat
[Custom Scans]
NY ->  1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Ok here’s the log.

The mera.bat file is actually the bat file I created as suggested by the first person that replied so I deleted it.

I still can’t connect to the Internet though… :cry:
Still, I’m so happy, everything seems to be working ok… I would have to keep doing stuff around the system to check more deeply, and if I find anything unusual other than my Internet problem I’ll post it…

THANKS A WHOLE LOT FOR YOUR HELP AND PATIENCE!

When you try to connect what is the error that you get ?