FCS does not fix malware PASUFIZI.dll !!!

  • Question

  • My PC is Windows XP with SP2 and the most recent security updates. Starting yesterday, Security Tool started popping up and said my PC was heavily infected with viruses. FCS quarantined one Trojan: Win32/Winwebsec. I tried to remove the malware with the following steps:

    1) Unplugged the NIC cable and then restarted into Safe Mode
    2) Removed the Security Tool starting point in the RUN key and its folders in All Users profile\Application Data.
    3) Searched for and removed all occurrences of PASUFIZI.dll and ROMARETE.dll in the Windows registry. Renamed both files in Windows\system32 and then deleted them after rebooting into Safe Mode again.
    4) After rebooting into Safe Mode again, PASUFIZI.dll kept coming back in the RUN key and in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. I deleted them again.
    5) After rebooting into Safe Mode, PASUFIZI.dll came back again in the RUN key, and Heyehita.dll appeared in HKLM\Soft..\Windows NT\Curr.\Windows\AppInit_DLL. I deleted them again.

    But after rebooting into Safe Mode, Heyehita.dll comes back in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. How do I remove it?

    Friday, October 9, 2009 5:01 PM
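One way to see what the poster describes (an entry that is back after it was deleted) as data rather than by eye, as an added example that is not part of the thread or of FCS: export the two persistence keys with regedit before cleaning and again after the reboot, then diff the DLLs they would load. The HKLM Run key, the Python code and both snapshots are my assumptions; only the DLL names come from the posts.

```python
"""Diff two regedit exports of the persistence keys discussed in the thread.
Added example (not from the thread or FCS): parses the .reg text format and
reports which DLLs under AppInit_DLLs or the HKLM Run key (assumed) are back
after a clean-up and reboot. The snapshots at the bottom are constructed."""
import re

WATCHED_KEYS = {  # compared case-insensitively against exported key headers
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

def parse_reg_export(text):
    """Return {value_name: data} for string values under the watched keys."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key in WATCHED_KEYS:
            # .reg files escape backslashes and quotes; undo that.
            values[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return values

def loaded_dlls(values):
    """(value_name, dll_path) for every DLL a value makes Windows load: AppInit_DLLs
    is a space/comma list, Run values are command lines, so take any *.dll token."""
    return {(name, dll.lower()) for name, data in values.items()
            for dll in re.findall(r'[^\s",]+\.dll', data, re.I)}

def compare_snapshots(before_clean, after_reboot):
    """DLLs deleted in between yet back after the reboot, plus newly added ones."""
    a = loaded_dlls(parse_reg_export(before_clean))
    b = loaded_dlls(parse_reg_export(after_reboot))
    return {"reappeared": sorted(a & b), "new": sorted(b - a)}

# Constructed snapshots using the DLL names from the thread; raw strings keep
# the doubled backslashes exactly as regedit exports them.
BEFORE_CLEAN = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\pasufizi.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pasufizi"="rundll32.exe C:\\WINDOWS\\system32\\pasufizi.dll"'''
AFTER_REBOOT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\heyehita.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pasufizi"="rundll32.exe C:\\WINDOWS\\system32\\pasufizi.dll"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"'''

if __name__ == "__main__":
    print(compare_snapshots(BEFORE_CLEAN, AFTER_REBOOT))
```

A DLL listed under AppInit_DLLs is loaded into every process that loads user32.dll, so as long as one of these files is still on disk and listed, it can rewrite the other entries between reboots; a diff of exports shows that pattern at a glance.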

Answers

  • After removing Romarete.dll, Pasufizi.dll, and Meyehita.dll from the registry and C:\Windows\system32\ in Safe Mode, Meyehita.dll always comes back in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. When I connect to the network, it opens a hole and brings in many spywares.

    Then I found out my Windows Update service was disabled, even though the FCS definitions were updated. I cannot start this service. Because this only happened on one PC, I didn't want to waste more time cleaning it. Finally I just reformatted the hard drive and reinstalled the OS and apps.

    So the hard lesson learned is that to securely prevent spyware, both Windows Update and FCS are required.


    Thursday, October 15, 2009 9:09 PM

All replies

  • Hi,

    Thank you for your post.

    According to your description, I understand that FCS did not remove the malware efficiently.

    As I am not sure whether this threat is part of our FCS signatures or not, if you have a sample of this threat, please submit the malicious file to: https://www.microsoft.com/security/portal/Submission/Submit.aspx

    Once we get the sample file, our antivirus team will analyze it. If the analysis finds that the software is malicious, they can then add detection for this threat.

    Regards,


    Nick Gu - MSFT
    Monday, October 12, 2009 6:14 AM