Author Topic: Er......this really sucks. Help, please?  (Read 67822 times)

0 Members and 1 Guest are viewing this topic.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Er......this really sucks. Help, please?
« Reply #15 on: October 19, 2007, 10:19:29 PM »
hello guys.. i'm collecting undetected Virtumonde variants now, so you can expect a detection to be done soon... ;)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88791
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #16 on: October 19, 2007, 10:26:10 PM »
If you didn't fix that
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess

I don't know what it does I thought wrongly it start, but from some google hits it doesn't seem to be a required start/run item, I would check if it is in the startup tab of msconfig (windows start, run type msconfig) if there is an entry there uncheck it (don't delete the entry) and see if there is any negative impact. If so it can always be checked again, which is why I said not to delete the entry.

I would also upload the new probable Vundo file to VT and send to avast if confirmed infected.

If you haven't downloaded the new firewall I would suggest you get on it with urgency as it is often difficult to get your system clean without an effective firewall.

Since this is back there may be something hidden that is restoring this.
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #17 on: October 19, 2007, 11:10:11 PM »
hello guys.. i'm collecting undetected Virtumonde variants now, so you can expect a detection to be done soon... ;)
8)

Good to hear - lots of tough ones out there right now.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Er......this really sucks. Help, please?
« Reply #18 on: October 19, 2007, 11:23:07 PM »
yep.. vundo and autorun are current points of pain for many users.. we'll target on them in next few days..

alex1234

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #19 on: October 20, 2007, 12:25:56 AM »
Quote
If you didn't fix that
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess

I don't know what it does I thought wrongly it start,
Actually you might not be wrong, I just installed Comodo and it told me that iexplorer.exe was trying to make a connection right after I restarted and without me running anything that wasn't already running with the bootup. Out of curiousity I allowed it but no IE windows opened, ie. nothing that I could see happened.

Then I ran msconfig as you said and looked at the Startup Tab and found something that's obviously related to the problem (screenshot provided as attachment--edit---sorry my PC is starting to mess up now and I can't attach anything, will do it with next post after restart). Should I uncheck that box then? I can see it spawning itself again regardless. *sigh

The Panda Rootkit Cleaner found nothing. AVG Anti-Rootkit does not seem to want to run.

And yes I have sent the ixnnajpv.dll file to avast. :P
« Last Edit: October 20, 2007, 12:29:34 AM by alex1234 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88791
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #20 on: October 20, 2007, 12:34:52 AM »
yep.. vundo and autorun are current points of pain for many users.. we'll target on them in next few days..

It is nice to see some guided targeting on issues which are more prevalent to users, as seen in the forums.

I wonder if there is any mileage in checking for autorun.inf on fixed drives, if found is it possible to check the files listed in the commands within the autorun.inf ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88791
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #21 on: October 20, 2007, 12:42:42 AM »
Quote
If you didn't fix that
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess

I don't know what it does I thought wrongly it start,
Actually you might not be wrong, I just installed Comodo and it told me that iexplorer.exe was trying to make a connection right after I restarted and without me running anything that wasn't already running with the bootup. Out of curiousity I allowed it but no IE windows opened, ie. nothing that I could see happened.

Then I ran msconfig as you said and looked at the Startup Tab and found something that's obviously related to the problem (screenshot provided as attachment--edit---sorry my PC is starting to mess up now and I can't attach anything, will do it with next post after restart). Should I uncheck that box then? I can see it spawning itself again regardless. *sigh

The Panda Rootkit Cleaner found nothing. AVG Anti-Rootkit does not seem to want to run.

And yes I have sent the ixnnajpv.dll file to avast. :P

You could try fixing it in HJT and see if that stops it running and making any connection attempt. When you fix something in HJT the default is to backup the fix, so if need be your can restore it later.

I would also suggest that you find the entry for iexplorer.exe in comodo that would force the same challenge if it were to do it again. Lets see if that stops it spawning again.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Er......this really sucks. Help, please?
« Reply #22 on: October 20, 2007, 02:28:00 AM »
@ DavidR

In the last week or so superantispyware has added a bunch of vundo detections. Might be worth a try with the following settings. Update first.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quaranine.

 leave the others unchecked.

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

When the scan is done, quaretine everthing found . Reboot if asked.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88791
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #23 on: October 20, 2007, 03:40:41 AM »
alex1234 has SuperAntiSpyware and ran it earlier in this topic, reply #4, you suggested it and ewido in reply #2.

The runonce entry is just something that isn't required and may be starting IE.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

alex1234

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #24 on: October 20, 2007, 04:58:09 AM »
Attached is the screenshot I said I'd post a few posts back.

Quote
You could try fixing it in HJT
Did, ran HJT again and it was still there. Repeated fix, still there.

Also I ran vundofix.exe again and it found two files. It removed one but could not remove the other which was the same ixnnajpv.dll file I sent to avast so you can be sure it's an infected file. After a reboot, it again was not able to remove it.

Quote
alex1234 has SuperAntiSpyware and ran it earlier in this topic,
I did but I only ran a Quick scan. Now I ran a complete scan as oldman suggested and it found 406 threats which I have quarantined, including the ixnnajpv.dll file which was picked up. But I have not restarted yet since I have tremendous difficulty getting Windows to boot up, safemode or normal mode, and I want to report this before I make the 50 or so attempts that are necessary before a successful boot.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Er......this really sucks. Help, please?
« Reply #25 on: October 20, 2007, 11:24:49 AM »
I found a lot of cases of this. The dll is a random name and the key to the search was sitypnow. All are vundo with a smitfraud case thrown in.

Could you post the SAS log of the last scan, there may be some clues in it as to what it picked up? At any rate some garbage may be gone.

Rename highjack.exe to highjackalex.exe  or whatever you want. Vundo is capable of hiding from hijackthis. Post the log.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88791
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #26 on: October 20, 2007, 02:58:34 PM »
Quote from: alex1234
Also I ran vundofix.exe again and it found two files. It removed one but could not remove the other which was the same ixnnajpv.dll file I sent to avast so you can be sure it's an infected file. After a reboot, it again was not able to remove it.

some tools for stubborn file removal.
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Er......this really sucks. Help, please?
« Reply #27 on: October 20, 2007, 03:55:36 PM »
DavidR: we don't want to check autoruns at fixed drives and flag them as malware or suspicious... ~95% of autorun viruses are written in VB (that's quite lame.. ehm, using VB generally isn't coding in its real sense imho) and sometimes repacked with an supported packer.. there are more ways to catch VB programs effectively (i can't tell you more), so the only thing to do is to make some order between samples from users and samples from other sources and the detection is then a question of a few hours..

about Virtumonde/Vundo.. authors of this spyware/adware using a batch creation of new variants... that's good for them, because they are able to produce new variant each five hours e.g. (the same, but more frequented update technique is used by Tibs/Zhelatin).. fortunately - all the variants have the same basics and could be detected..

mauserme

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #28 on: October 20, 2007, 04:30:58 PM »
Having a look at recent file creations and some additional reg entries might prove usefull here.

Download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the  Deckard's System Scanner  to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus)

Post the  main.txt from the C:\Deckard\System Scanner folder into your next reply.

mauserme

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #29 on: October 20, 2007, 04:59:22 PM »
fortunately - all the variants (of Virtumondo) have the same basics and could be detected..
Is it my imagination or are these recent variants better protected - very good at hiding from the traditional tools and harder to delete when found?