PDA

View Full Version : type of malware S&D is not detecting or removing



nanotechexec
2015-12-19, 20:05
What type of malware inserts over 250,000 bogus domains into P3P History and ZoneMap under the subfolders Domains, EscDomains, and Ranges? Have tried every known means of detecting and deleting it and nothing works except complete overwrite of the hard drive. S&D was crashing every time when it hit something but could not resolve it. Can delete them from regedit but always show up again 2 or 3 days later.

shelf life
2015-12-19, 21:45
hi

Those registry entries are to help control privacy/security settings in IE. Probably installed by some software your using. Maybe Spybots immunization feature?

see link
https://support.microsoft.com/en-us/kb/182569

nanotechexec
2015-12-20, 08:11
are all completely bogus domains and ranges, so would offer no protection whatsoever from what does not exist. like alitali6a.it done in many different ways, misspelling, numbers, etc. has now hit other machines I communicate with with the same p3p and zonemap entries, suddenly unstable computers that were doing just fine.

nanotechexec
2015-12-20, 12:02
Has anyone come across this temp file: Temp0516A252-3C23-906D-72AB-6955A6CB993E-Signature Only have open mozilla and skype, shows this is running, too and is 61mb file according to checking its permissions and origin. Top permission is CREATOR OWNER with special permissions, cannot be removed due to sharing

nanotechexec
2015-12-21, 14:18
the malware was DarkComet RAT, system getting back to normal again for the most part. Seems to be a remnant to find and delete. What it was doing to P3P, ZoneMap and DOMStorage has been eliminated.

Dakeyras
2016-01-10, 00:46
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh set of both awsMBR and FRST logs plus a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.