How to remove 8DF1484C.dll, 8DF1484C.dat, SysInfo1.dll virus

1982June

I use a Dell Pentium 3 with Microsoft Windows XP.
When I run the Micro Trend House Call virus scanner online,
it shows I have a virus at:

c:\program files\common files\microsoft shared\MSInfo\8DF1484C.dll
c:\program files\common files\microsoft shared\MSInfo\8DF1484C.dat
c:\program files\common files\microsoft shared\MSInfo\SysInfo1.dall
The 8DF1484C files are hidden files.

The Micro Trend online virus scan was not able to remove these files.

I am unable to delete them. Even after I delete them, they come back after
boot.
Can you please tell me how to manually remove this?

Thank you.

(Please do not recommend those delete exe programs or scripts.
We used it once, and we needed to reload our office computer.
Our manager does not allow us to use these virus removal programs.)
 
1982June

c:\program files\common files\microsoft shared\MSInfo\SysInfo1.dall

OK. This is the Troj/QQPass-JDD password-stealing virus.
But following Sophos' advanced write-up, I am unable to find
exactly what to remove.
In HKLM\....\Explorer\ShellExecuteHooks
I cannot find what to remove. Should I remove this entire entry?

Thank you.
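
An added example, not part of the original posts and not code from Sophos or any poster: a read-only Python script that takes a regedit text export and lists which DLL each ShellExecuteHooks CLSID loads, flagging any that sit under a suspect folder. The export text, both CLSIDs and the function names are constructed for illustration; only the DLL path is the one reported by the scan above.

```python
import re

# Constructed sample in regedit's text-export layout (not taken from the poster's PC).
# Both CLSIDs are made up; the DLL path is the one the online scan reported.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{11111111-1111-1111-1111-111111111111}"=""
"{22222222-2222-2222-2222-222222222222}"=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="shell32.dll"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\8DF1484C.dll"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')  # string values only
SERVER_KEY = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$', re.I)

def parse_reg(text):
    """Return {key_path: {value_name: string_data}}; '@' is the key's default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec, val = SECTION.match(line), VALUE.match(line)
        if sec:
            current = keys.setdefault(sec.group(1), {})
        elif val and current is not None:
            # Undo the export's \\ and \" escaping in the value data.
            current[val.group(1).strip('"')] = re.sub(r'\\(.)', r'\1', val.group(2))
    return keys

def hook_report(text, suspect_dir):
    """Map each ShellExecuteHooks CLSID to (server DLL or None, is_under_suspect_dir)."""
    keys = parse_reg(text)
    servers = {}
    for path, values in keys.items():
        m = SERVER_KEY.search(path)
        if m:
            servers[m.group(1).upper()] = values.get('@')
    report = {}
    for path, values in keys.items():
        if path.lower().endswith(r'\explorer\shellexecutehooks'):
            for clsid in values:
                dll = servers.get(clsid.upper())  # None: hook has no registered server
                report[clsid] = (dll, bool(dll) and suspect_dir.lower() in dll.lower())
    return report
```

A real "Version 5.00" export is saved by regedit as UTF-16, so read it with `open(path, encoding='utf-16')` before passing the text to `hook_report`.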
 
David H. Lipman

|
| OK. This is the Troj/QQPass-JDD password stealing virus.
| But follow the Sophos' Advance write up. I am unable to follow and find
| exactly what to remove.
| In HKLM\....\Explorer\ShellExecuteHooks
| I cannot find what to remove in this? Should I remove this entire entry?
|
| Thank you.
|

What did Trend Micro call this infector ?
BTW: It is a Trojan, not a virus.

Start with the Trend Micro module of the following Multi AV Scanning Tool.


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
1982June

David H. Lipman said:
Start with the Trend Micro module of the following Multi AV Scanning Tool.


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm

Our company has already insisted nobody can use any of these register
modifying and system software changing unknown programs.
We are only allowed to manually run regedit to clean the systems.
We then have to write down exactly what we did and make a report in detail.
 
David H. Lipman

From: "1982June" <[email protected]>


| Our company had already insist nobody can use any of these register
| modifying and system software changing unknown programs.
| We are only allow to manually run regedit to clean the systems.
| We then, have to write down exactly what we did and make report in detail.
|

Your company is taking the WRONG approach.
A Trojan can have many variants and each can make different changes to the Registry.
Each anti virus can call the same infector differently. Given the same infector, Trend Micro
and Sophos can call it two different names.
Any file can be named anything. Just because a file has a name used and is found in one
virus encyclopedia doesn't mean the file YOU have is that same file mentioned in that
encyclopedia.

That's why you need to use an anti virus application that will use a combination of
signature and heuristic based detection to find, remove, clean and restore the system to
pre-infected state.

I asked early on...
What did Trend Micro call this infector ?

I also want you to note that the Trend Micro HouseCall utility uses the SAME engine and
signatures as the Trend Micro Sysclean utility used in the core of my Multi AV Scanning
Tool.

If you can't use the Multi AV, you can still use the Trend Micro Sysclean utility.

Otherwise if your company insists "...nobody can use any of these register modifying and
system software changing unknown programs" then I suggest you back up the system (such as
Symantec Ghost) and then wipe the system and re-image the system with a known clean image.

I strongly do NOT suggest manually editing the Registry as you are attempting to do.
 
1982June

David H. Lipman said:
From: "1982June" <[email protected]>

I asked early on...
What did Trend Micro call this infector ?

I also want you to note that the Trend Micro HouseCall utility uses the SAME engine and
signatures as the Trend Micro Sysclean utility used in the core of my Multi AV Scanning
Tool.

If you can't use the Multi AV, you can still use the Trend Micro Sysclean utility.

Otherwise if your company insists "...nobody can use any of these register modifying and
system software changing unknown programs" then I suggest you back up the system (such as
Symantec Ghost) and then wipe the system and re-image the system with a known clean image.

I strongly do NOT suggest manually editing the Registry as you are attempting to do.

Our company and my boss are doing the right thing to keep our work environment
safe and orderly for employees.

MicroTrend did not have any name for this, and neither McAfee nor Norton has a
name for this either.
Sophos called this Troj/QQPass-JDD. They do list the manual removal steps,
but did not say what to remove.
 
David H. Lipman

From: "1982June" <[email protected]>


| Our company and my boss is doing the right thing to keep our work
| environment
| safe and orderly for employees.

| MicroTrend did not have any name for this, neither are McAfee & Norton has
| name for this either.
| Sophos called this Troj/QQPass-JDD. They do list the manual removal steps.
| But did not say what to remove.

Not really. If this is a "Troj/QQPass-JDD" Trojan then you have a password-stealing
Trojan and your "work environment" is not "safe".

McAfee and Norton name *all* detected files.

Did you scan with; McAfee, Norton and Sophos ?
 
Adam Leinss

I use Dell Pentium 3, Microsoft Windows XP.
When I run Micro Trend House Call virus scanner online,
it show I have virus at:

c:\program files\common files\microsoft shared\MSInfo\8DF1484C.dll
c:\program files\common files\microsoft shared\MSInfo\8DF1484C.dat
c:\program files\common files\microsoft shared\MSInfo\SysInfo1.dall
The 8DF1484C files are hidden files.

Micro Trend virus scan online were not able to remove these files.

Use System Restore to restore the PC to a state before the infection.
I had a user with this same infection; PITA to clean off.

Adam
 
