8/22/11

How to Remove the Mabezat Virus



Mabezat is a virus for the Windows platform that spreads by copying itself to network shares and removable media.

Mabezat copies itself to removable and fixed drives under one or more of the following filenames:



 - Adjust Time.exe
 - AmericanOnLine.exe
 - Antenna2Net.exe
 - BrowseAllUsers.exe
 - CD Burner.exe
 - Crack_GoogleEarthPro.exe
 - Disk Defragmenter.exe
 - FaxSend.exe.exe
 - FloppyDiskPartion.exe
 - GoogleToolbarNotifier.exe
 - HP_LaserJetAllInOneConfig.exe
 - IDE Conector P2P.exe
 - InstallMSN11Ar.exe
 - InstallMSN11En.exe
 - Audio dump.exe
 - Lock Folder.exe
 - LockWindowsPartition.exe
 - Make Windows Original.exe
 - MakeUrOwnFamilyTree.exe
 - Microsoft MSN.exe
 - Microsoft Windows Network.exe
 - Msjavx86.exe
 - NokiaN73Tools.exe
 - Office2007 Serial.exe
 - PanasonicDVD_DigitalCam.exe
 - RadioTV.exe
 - Recycle Bin.exe
 - RecycleBinProtect.exe
 - ShowDesktop.exe
 - Sony Erikson DigitalCam.exe
 - Win98compatibleXP.exe
 - Windows Keys Secrets.exe
 - Windows XP StartMenu Settings.exe
 - WinrRarSerialInstall.exe


Mabezat also creates .rar archives on removable and fixed drives with the following file names:
 - Backup.rar
 - Documents_backup.rar
 - Imp_data.rar
 - MyDocuments.rar
 - Office_crack.rar
 - Passwords.rar
 - Serials.rar
 - Source.rar
 - Windows.rar
 - Windows_secrets.rar


Each of these archives contains a dropper file named Readme.doc.exe.

When W32/Mabezat-B is installed, the following files are created:
 %Profile%\hook.dl_
 %Profile%\tazebama.dl_
 %Profile%\tazebama.dll
 %SystemDrive%\1.taz
 %SystemDrive%\autorun.inf
 %SystemDrive%\zPharaoh.exe
 %AppData%\Microsoft\CD Burning\1.taz
 %AppData%\Microsoft\CD Burning\autorun.inf
 %AppData%\Microsoft\CD Burning\zPharaoh.exe
 %AppData%\tazebama\zPharaoh.dat
 %AppData%\tazebama\zPharaoh.exe
 %AppData%\tazebama\zPharaoh.log
 %AppData%\tazebama


This infection is spread by:

=> Removable storage devices
=> Network shares
=> Infected files

Example of a HijackThis report line on a machine infected with Mabezat:
 C:\Documents and Settings\tazebama.dl_


Examples of Mabezat infections found:
 - C:\DOCUME~1\PROPERTIES~1\APPLIC~1\tazebama
 - C:\Documents and Settings\tazebama.dll
 - C:\Documents and Settings\Jarod\Application Data\tazebama\zPharaoh.dat
 - C:\Documents and Settings\hook.dl_
 - C:\Documents and Settings\tazebama.dl_
 - C:\zPharaoh.exe (the drive letter can change because all media can be affected)
 - C:\zPharaoh.inf (the drive letter can change because all media can be affected)
 - C:\Program Files\Microsoft Works\WkDStore.exe [RESULT] Contains the worm WORM/Mabezat.B.91
 - C:\Start Menu\Programs\Startup\zPharoh.exe
 - C:\Documents and Settings\[User Name]\Application Data\tazebama\zPharaoh.dat
 - C:\Documents and Settings\My Documents\readme.doc.exe


Messages such as the following may appear:
  • "The application or DLL c:\documents and settings\tazebama.dll is not a valid Windows image"
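As an added illustration (not part of the original post), a small Python sweep that walks a drive root and flags the indicators listed above: the lure executables and archives, the dropped zPharaoh/tazebama files, and an autorun.inf whose open= or shellexecute= line launches zPharaoh.exe. The lure-name set is a subset of the full list, and the drive layout built in demo() is constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the lists above (lure names are a subset; extend as needed).
LURE_EXES = {"adjust time.exe", "cd burner.exe", "recycle bin.exe", "showdesktop.exe",
             "office2007 serial.exe", "windows keys secrets.exe", "microsoft msn.exe"}
LURE_RARS = {"backup.rar", "documents_backup.rar", "imp_data.rar", "mydocuments.rar",
             "office_crack.rar", "passwords.rar", "serials.rar", "source.rar",
             "windows.rar", "windows_secrets.rar"}
DROPPED = {"zpharaoh.exe", "zpharaoh.dat", "zpharaoh.log", "tazebama.dll",
           "tazebama.dl_", "hook.dl_", "1.taz", "readme.doc.exe"}


def autorun_points_to_dropper(path):
    """True if an autorun.inf launches zPharaoh.exe via an open= or shellexecute= line."""
    try:
        text = Path(path).read_text(errors="ignore").lower()
    except OSError:
        return False
    return any(line.split("=", 1)[0].strip() in ("open", "shellexecute")
               and "zpharaoh.exe" in line for line in text.splitlines())


def sweep(root):
    """Walk `root` and return sorted (reason, path) pairs for every indicator found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower in DROPPED:
                hits.append(("dropped file", full))
            elif lower in LURE_EXES:
                hits.append(("lure executable", full))
            elif lower in LURE_RARS:
                hits.append(("lure archive", full))
            elif lower == "autorun.inf" and autorun_points_to_dropper(full):
                hits.append(("autorun.inf launching zPharaoh.exe", full))
    return sorted(hits)


def demo():
    """Constructed sample drive layout (not a real infection) to exercise sweep()."""
    root = tempfile.mkdtemp()
    Path(root, "autorun.inf").write_text("[autorun]\nopen=zPharaoh.exe\n")
    Path(root, "zPharaoh.exe").write_bytes(b"MZ")
    Path(root, "Passwords.rar").write_bytes(b"Rar!")
    Path(root, "Recycle Bin.exe").write_bytes(b"MZ")
    Path(root, "holiday.jpg").write_bytes(b"\xff\xd8")  # benign file, must not be flagged
    return [reason for reason, _path in sweep(root)]
```

Run sweep() against the root of each connected drive (for example "E:\\") to list what a manual clean-up or the tools below should be expected to remove.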

Preliminaries

  • The infection spreads from PC to PC: disconnect the network and clean every PC before reconnecting it to your network. Also connect all removable media likely to be infected (USB stick, memory card, external hard drive, etc.) during the cleaning.
  • Important 1: if you have Vista or 7:
  • Important 2: if you have TeaTimer (Spybot's resident protection), disable it because it may hinder disinfection:
    • Start Spybot, click Mode, then select Advanced Mode.
    • On the left, click Tools, then Resident.
    • Uncheck the "TeaTimer" resident box, then exit Spybot.


Disinfection methods

This infection is very persistent!

Several solutions are possible:

First method: UsbFix



Option A: UsbFix scan (search)
  • Download UsbFix (by El Desaparecido & C_XX) to the desktop.
  • Important: connect your external data sources to the PC (USB stick, external hard drive, SD card, etc.) without opening them.
  • Double-click the UsbFix.exe program on the desktop; installation is automatic.
  • Warning: disable your antivirus's resident protection to avoid conflicts while using the tool.
  • Click the Search button.
  • Let the tool work.
  • Post the UsbFix.txt report obtained if you have created a topic on the Viruses / security forum.
  • Note: the UsbFix.txt report is saved at the root of the drive (C:\UsbFix.txt).



Option B: UsbFix delete (cleaning)

Warning: before using the Delete option, you should seek advice on the Viruses / security forum.
  • Important: connect your external data sources to the PC (USB stick, external hard drive, SD card, etc.) without opening them.
  • Double-click the UsbFix program on the desktop.
  • Click Delete.
  • The desktop will disappear and reappear at the end of the disinfection.
  • Then post the UsbFix.txt report, which will appear together with the desktop, if you have created a topic.
  • Note: the UsbFix.txt report is saved at the root of the drive (C:\UsbFix.txt).


UsbFix tutorial.

Note: UsbFix deletes all infected files it finds; if one of those files is one you want to keep, use the AVG or Dr.Web software instead.

Second method: Dr Web

  • Download Dr.Web CureIt!
  • Double-click Launch.exe (black spider icon).
  • On the page that appears, select "Start scan".
  • Confirm the message that asks for confirmation of the scan.
  • The scan starts; if it finds anything, quarantine and/or disinfect it.


This may take a little while.
  • Post the report that will appear or be created afterwards (a text file) if you were asked to on the forum.
  • At the end, do not click to buy the full version.

Third method: MalwareBytes' Anti-Malware


  • Install the software.
  • If the file COMCTL32.OCX is reported missing, you can download it here.
  • Run the updates (click Updates, then search for updates).
  • Start in safe mode.
  • Important: connect your external data sources to the PC (USB stick, external hard drive, SD card, etc.) without opening them.
  • Run MalwareBytes' Anti-Malware, click Perform full scan, then locate and select your hard drives and external drives.
  • Once the scan is finished, click Show results and delete what was detected (if you are asked to reboot the PC, accept!).

Fourth method: Softpedia removal tool


Fifth method: AVG removal tool


Sixth method: Super antispyware

  • Download SUPERAntiSpyware (SAS), install it and update it.
    • To scan your computer with SUPERAntiSpyware, click Scan your Computer.
    • In the new window, on the left you can choose the items to scan (disks, directories, etc.).
    • On the right, choose the type of scan; you can use Perform Quick Scan.


Seventh Method: Combofix

To all readers:
- This software is to be used only as prescribed by a qualified helper trained in the tool.
- Do not use it outside that scenario: it is dangerous!
  • Right-click here.
    • Choose: Save target as
    • Choose the Desktop as the destination.
    • In the "File name" field, rename ComboFix.exe to CCM.exe for example, then save.
    • Warning! The renaming step is mandatory; otherwise the message "ComboFix.exe is not a valid win32 application" is displayed and the tool is made totally ineffective.
    • Disconnect from the Internet, disable all your defenses (antivirus, firewall, antispyware) and close all applications and programs.
    • Double-click CCM.exe to start the fix (on Vista, you must right-click CCM.exe and choose "Run as administrator").
    • For XP: accept the warning message and accept the installation of the Recovery Console.
    • The report will be created at the root of the drive: C:\ComboFix.txt


After cleaning

  • To verify that nothing remains, it is preferable to run an online antivirus scan (here) on your computer.
