The Miniport_mp.exe Virus - Jan 2005 - Internet Explorer Back Button disabled

  Miniport_mp.exe Virus


PROBLEM: Internet Explorer Back Button disabled.
         Other problems may appear - this is a new, undocumented virus.

EXPLANATION: Virus installs itself and runs as Miniport_mp.exe
         If you have the Virus, you will see miniport_mp.exe in your Running Tasks List.
         The Virus modifies the Registry to re-install itself during a restart.
         The Virus installs the following bad files in your Windows System (or System32) folder.
    MINIPORT_MP.EXE       40,448 bytes  (hidden file) - You can only delete this file after you
                                                        Terminate this Task (using Task Manager).
    MSASMC18.DLL          37,376 bytes  (hidden file)
    CDIMGDEV.DLL          36,864 bytes  (hidden file)
    NSCOMPAT.TLB          23,392 bytes
    AMCOMPAT.TLB          16,832 bytes
    MPSCH~1.XML           19,012 bytes
    MINIPORT.EXE               0 bytes
    MINIPORT.$@!               0 bytes
    MINIPORT.BAK               0 bytes
The Virus adds the following entries to your Windows Registry.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run\MiniPortRt

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{F2674532-0B22-4C87-9D3D-0B1BB326739D}\InprocServer32
    @="C:\\WINDOWS\\SYSTEM\\MSASMC18.DLL"
    "ThreadingModel"="Apartment"

    HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{066D44DC-858C-40C7-AEA8-FEED77126121}\1.0\0\win32
    @="C:\\WINDOWS\\SYSTEM\\MSASMC18.DLL"

    HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{2179C5D0-EBFF-11cf-B6FD-00AA00B4E220}\1.0\0
    HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{2179C5D0-EBFF-11cf-B6FD-00AA00B4E220}\1.0\0\win32
    @="D:\\WIN98\\SYSTEM\\nscompat.tlb"

    HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{05589fa0-c356-11ce-bf01-00aa0055595a}\2.0\0\win32
    @="C:\\WINDOWS\\SYSTEM\\amcompat.tlb"

         I will publish new information as it becomes available. -- Rocky Patterson MrETS@xmission.com


TO FIX:
     1 - Use Windows Task Manager to terminate the process Miniport_mp.exe
     2 - Run Regedit to prevent Miniport_mp.exe from restarting after reboots.
         Delete the Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run\MiniPortRt
         Close Regedit.
     3 - Delete the System Files created by Miniport_mp.exe.
         Open your DOS PROMPT.
         Navigate to your C:\Windows\System -or- \System32 folder.
         Type the following commands to remove the hidden attribute from these files:
         attrib -h miniport_mp.exe
         attrib -h msasmc18.dll
         attrib -h cdimgdev.dll
         Delete all bad files created by this virus:
         del MINIPO~1.EXE
         del MSASMC18.DLL
         del CDIMGDEV.DLL
         del NSCOMPAT.TLB
         del AMCOMPAT.TLB
         del WMPSCH~1.XML
         del MINIPORT.EXE
         del MINIPORT.$@!
         del MINIPORT.BAK
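
CHECK BEFORE DELETING (added example, not part of the original write-up): the Python script below
lists which of the files named above are present in a folder and whether each one's size matches the
size given in the list, so a file that only shares a name can be reviewed before it is deleted.
The default folder and the verdict labels are assumptions of this example.

```python
import os
import sys

# Names and sizes in bytes, copied from the file list on this page.
# The XML entry is listed as MPSCH~1.XML but deleted as WMPSCH~1.XML, so both are kept.
INDICATORS = {
    "MINIPORT_MP.EXE": 40448, "MSASMC18.DLL": 37376, "CDIMGDEV.DLL": 36864,
    "NSCOMPAT.TLB": 23392, "AMCOMPAT.TLB": 16832,
    "MPSCH~1.XML": 19012, "WMPSCH~1.XML": 19012,
    "MINIPORT.EXE": 0, "MINIPORT.$@!": 0, "MINIPORT.BAK": 0,
}

def name_matches(listed, actual):
    """Case-insensitive match; a '~' entry is an 8.3 alias, so compare prefix + extension."""
    listed, actual = listed.upper(), actual.upper()
    if "~" not in listed or listed == actual:
        return listed == actual
    stem, ext = os.path.splitext(listed)
    actual_stem, actual_ext = os.path.splitext(actual)
    return actual_ext == ext and actual_stem.startswith(stem.split("~")[0])

def scan(folder):
    """Return (file name, size, verdict) for every file whose name is on the list."""
    findings = []
    for entry in sorted(os.listdir(folder)):
        path = os.path.join(folder, entry)
        if not os.path.isfile(path):
            continue
        size = os.path.getsize(path)
        expected = [s for n, s in INDICATORS.items() if name_matches(n, entry)]
        if expected:
            # Same name but a different size may be an unrelated file: review, do not delete blindly.
            verdict = "name+size" if size in expected else "name-only"
            findings.append((entry, size, verdict))
    return findings

if __name__ == "__main__":
    # Folder to check; defaults to the System folder named in the fix steps.
    for name, size, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System"):
        print(f"{verdict:10} {size:>8} {name}")
```

Run it once against \System and once against \System32; a "name-only" line means the name is on the
list but the size is not the one recorded here.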