Discussion:
How to remove 8DF1484C.dll, 8DF1484C.dat, SysInfo1.dll virus
1982June
2007-04-26 16:42:28 UTC
I use Dell Pentium 3, Microsoft Windows XP.
When I run the Micro Trend House Call virus scanner online,
it shows I have a virus at:

c:\program files\common files\microsoft shared\MSInfo\8DF1484C.dll
c:\program files\common files\microsoft shared\MSInfo\8DF1484C.dat
c:\program files\common files\microsoft shared\MSInfo\SysInfo1.dall
The 8DF1484C files are hidden files.

Micro Trend virus scan online was not able to remove these files.

I am unable to delete it. Even after I delete it, it comes back after
boot.
Can you please tell me how to manually remove this?

Thank you.

(Please do not recommend those delete exe programs or scripts.
We used it once, and we needed to reload our office computer.
Our manager does not allow us to use these virus removal programs.)
1982June
2007-04-26 17:23:33 UTC
Post by 1982June
c:\program files\common files\microsoft shared\MSInfo\SysInfo1.dall
OK. This is the Troj/QQPass-JDD password-stealing virus.
But going by Sophos' Advanced write-up, I am unable to follow it and find
exactly what to remove.
In HKLM\....\Explorer\ShellExecuteHooks
I cannot find what to remove in this. Should I remove this entire entry?

Thank you.
David H. Lipman
2007-04-26 20:52:27 UTC
Post by 1982June
c:\program files\common files\microsoft shared\MSInfo\SysInfo1.dall
|
| OK. This is the Troj/QQPass-JDD password-stealing virus.
| But going by Sophos' Advanced write-up, I am unable to follow it and find
| exactly what to remove.
| In HKLM\....\Explorer\ShellExecuteHooks
| I cannot find what to remove in this. Should I remove this entire entry?
|
| Thank you.
|

What did Trend Micro call this infector ?
BTW: It is a Trojan, not a virus.

Start with the Trend Micro module of the following Multi AV Scanning Tool.


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
1982June
2007-04-27 02:01:09 UTC
Post by David H. Lipman
Post by 1982June
c:\program files\common files\microsoft shared\MSInfo\SysInfo1.dall
Start with the Trend Micro module of the following Multi AV Scanning Tool.
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
http://pcdid.com/Multi_AV.htm
Our company has already insisted that nobody can use any of these register
modifying and system software changing unknown programs.
We are only allowed to manually run regedit to clean the systems.
We then have to write down exactly what we did and make a report in detail.
David H. Lipman
2007-04-27 02:25:46 UTC
From: "1982June" <***@spam.yahoo.com>


| Our company has already insisted that nobody can use any of these register
| modifying and system software changing unknown programs.
| We are only allowed to manually run regedit to clean the systems.
| We then have to write down exactly what we did and make a report in detail.
|

Your company is taking the WRONG approach.
A Trojan can have many variants and each can make different changes to the Registry.
Each anti virus can call the same infector differently. Given the same infector, Trend Micro
and Sophos can call it two different names.
Any file can be named anything. Just because a file has a name used and is found in one
virus encyclopedia doesn't mean the file YOU have is that same file mentioned in that
encyclopedia.

That's why you need to use an anti virus application that will use a combination of
signature and heuristic based detection to find, remove, clean and restore the system to
pre-infected state.

I asked early on...
What did Trend Micro call this infector ?

I also want you to note that the Trend Micro HouseCall utility uses the SAME engine and
signatures as the Trend Micro Sysclean utility used in the core of my Multi AV Scanning
Tool.

If you can't use the Multi AV, you can still use the Trend Micro Sysclean utility.

Otherwise if your company insists "...nobody can use any of these register modifying and
system software changing unknown programs" then I suggest you back up the system (such as
Symantec Ghost) and then wipe the system and re-image the system with a known clean image.

I strongly do NOT suggest manually editing the Registry as you are attempting to do.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
1982June
2007-04-27 05:04:31 UTC
Post by David H. Lipman
I asked early on...
What did Trend Micro call this infector ?
I also want you to note that the Trend Micro HouseCall utility uses the SAME engine and
signatures as the Trend Micro Sysclean utility used in the core of my Multi AV Scanning
Tool.
If you can't use the Multi AV, you can still use the Trend Micro Sysclean utility.
Otherwise if your company insists "...nobody can use any of these register modifying and
system software changing unknown programs" then I suggest you back up the system (such as
Symantec Ghost) and then wipe the system and re-image the system with a known clean image.
I strongly do NOT suggest manually editing the Registry as you are attempting to do.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Our company and my boss are doing the right thing to keep our work
environment safe and orderly for employees.

MicroTrend did not have any name for this; neither McAfee nor Norton has a
name for this either.
Sophos called this Troj/QQPass-JDD. They do list the manual removal steps.
But they did not say what to remove.
David H. Lipman
2007-04-27 11:42:27 UTC
From: "1982June" <***@spam.yahoo.com>


| Our company and my boss are doing the right thing to keep our work
| environment safe and orderly for employees.

| MicroTrend did not have any name for this; neither McAfee nor Norton has a
| name for this either.
| Sophos called this Troj/QQPass-JDD. They do list the manual removal steps.
| But they did not say what to remove.

Not really. If this is a "Troj/QQPass-JDD" Trojan then you have a password Stealing
Trojan and your "work environment" is not "safe".

McAfee and Norton names *all* detected files.

Did you scan with; McAfee, Norton and Sophos ?
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Adam Leinss
2007-05-21 16:30:29 UTC
Post by 1982June
I use Dell Pentium 3, Microsoft Windows XP.
When I run Micro Trend House Call virus scanner online,
c:\program files\common files\microsoft shared\MSInfo\8DF1484C.dll
c:\program files\common files\microsoft shared\MSInfo\8DF1484C.dat
c:\program files\common files\microsoft shared\MSInfo\SysInfo1.dall
The 8DF1484C files are hidden files.
Micro Trend virus scan online were not able to remove these files.
Use system restore to restore the PC to a state before the infection.
I had a user with this same infection, PITA to clean off.

Adam
--
Visit my PC Tech blog at www.leinss.com/blog