Author Topic: Er......this really sucks. Help, please?  (Read 68318 times)


Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Er......this really sucks. Help, please?
« Reply #15 on: October 19, 2007, 10:19:29 PM »
hello guys.. i'm collecting undetected Virtumonde variants now, so you can expect a detection to be done soon... ;)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #16 on: October 19, 2007, 10:26:10 PM »
If you didn't fix that
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess

I don't know what it does; I thought, wrongly, that it was a start item, but from some Google hits it doesn't seem to be a required start/run item. I would check if it is in the Startup tab of msconfig (Windows Start, Run, type msconfig); if there is an entry there, uncheck it (don't delete the entry) and see if there is any negative impact. If so it can always be checked again, which is why I said not to delete the entry.

I would also upload the new probable Vundo file to VT and send to avast if confirmed infected.

If you haven't downloaded the new firewall I would suggest you get on it with urgency as it is often difficult to get your system clean without an effective firewall.

Since this is back there may be something hidden that is restoring this.
Also see anti-rootkit detection, removal & protection at http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #17 on: October 19, 2007, 11:10:11 PM »
hello guys.. i'm collecting undetected Virtumonde variants now, so you can expect a detection to be done soon... ;)
8)

Good to hear - lots of tough ones out there right now.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Er......this really sucks. Help, please?
« Reply #18 on: October 19, 2007, 11:23:07 PM »
yep.. vundo and autorun are current points of pain for many users.. we'll target them in the next few days..

alex1234

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #19 on: October 20, 2007, 12:25:56 AM »
Quote
If you didn't fix that
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess

I don't know what it does I thought wrongly it start,
Actually you might not be wrong. I just installed Comodo and it told me that iexplorer.exe was trying to make a connection right after I restarted, without me running anything that wasn't already running with the bootup. Out of curiosity I allowed it, but no IE windows opened, i.e. nothing that I could see happened.

Then I ran msconfig as you said and looked at the Startup tab and found something that's obviously related to the problem (screenshot provided as attachment; edit: sorry, my PC is starting to mess up now and I can't attach anything, will do it with the next post after restart). Should I uncheck that box then? I can see it spawning itself again regardless. *sigh

The Panda Rootkit Cleaner found nothing. AVG Anti-Rootkit does not seem to want to run.

And yes I have sent the ixnnajpv.dll file to avast. :P
« Last Edit: October 20, 2007, 12:29:34 AM by alex1234 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #20 on: October 20, 2007, 12:34:52 AM »
yep.. vundo and autorun are current points of pain for many users.. we'll target them in the next few days..

It is nice to see some guided targeting on issues which are more prevalent to users, as seen in the forums.

I wonder if there is any mileage in checking for autorun.inf on fixed drives, if found is it possible to check the files listed in the commands within the autorun.inf ?

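DavidR's question above, whether an autorun.inf found at a drive root could be checked for the files its commands point at, is the kind of triage a small script can do. The following is an added example, not code from this thread or from avast: it parses the [autorun] section, pulls the program named by open=, shellexecute= and shell\<verb>\command=, and reports whether each exists under the drive root. The autorun.inf text is constructed, and the drive root passed to check_drive_root is an assumption.

```python
import os
import re

COMMAND_KEYS = ("open", "shellexecute")               # keys that launch a program directly
SHELL_CMD_RE = re.compile(r"shell\\[^\\]+\\command")  # shell\<verb>\command=

# Constructed sample, not taken from a real infection; the RECYCLER\ path
# mimics the layout autorun worms of the period commonly used.
SAMPLE_INF = """; constructed autorun.inf
[autorun]
open=RECYCLER\\update.exe -boot
shellexecute="RECYCLER\\update.exe" -boot
shell\\open\\Command="RECYCLER\\update.exe" -open
shell\\explore\\command=RECYCLER\\update.exe -explore
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

def parse_autorun(text):
    """{key: value} for the [autorun] section, keys lower-cased.
    ';' starts a comment; keys in other sections are ignored."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def first_token(cmd):
    """Program part of a command line: the quoted path or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def referenced_files(entries):
    """Distinct programs launched by open=, shellexecute= or shell\\*\\command=."""
    return sorted({first_token(v) for k, v in entries.items()
                   if k in COMMAND_KEYS or SHELL_CMD_RE.fullmatch(k)})

def check_drive_root(root, inf_text):
    """Map each referenced program to whether it exists under the drive root."""
    return {f: os.path.exists(os.path.join(root, *f.strip("\\/").split("\\")))
            for f in referenced_files(parse_autorun(inf_text))}
```

On a live system, call check_drive_root(root, text) with the contents of root\autorun.inf for each fixed-drive root; a referenced program that does exist there is a candidate for a VT upload, as the thread suggests, rather than something to flag outright.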
Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #21 on: October 20, 2007, 12:42:42 AM »
Quote
If you didn't fix that
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess

I don't know what it does I thought wrongly it start,
Actually you might not be wrong. I just installed Comodo and it told me that iexplorer.exe was trying to make a connection right after I restarted, without me running anything that wasn't already running with the bootup. Out of curiosity I allowed it, but no IE windows opened, i.e. nothing that I could see happened.

Then I ran msconfig as you said and looked at the Startup tab and found something that's obviously related to the problem (screenshot provided as attachment; edit: sorry, my PC is starting to mess up now and I can't attach anything, will do it with the next post after restart). Should I uncheck that box then? I can see it spawning itself again regardless. *sigh

The Panda Rootkit Cleaner found nothing. AVG Anti-Rootkit does not seem to want to run.

And yes I have sent the ixnnajpv.dll file to avast. :P

You could try fixing it in HJT and see if that stops it running and making any connection attempt. When you fix something in HJT the default is to back up the fix, so if need be you can restore it later.

I would also suggest that you find the entry for iexplorer.exe in Comodo, so that it would force the same challenge if it were to do it again. Let's see if that stops it spawning again.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Er......this really sucks. Help, please?
« Reply #22 on: October 20, 2007, 02:28:00 AM »
@ DavidR

In the last week or so superantispyware has added a bunch of vundo detections. Might be worth a try with the following settings. Update first.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked:
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantine.

Leave the others unchecked.

Return to the main page by clicking Close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.
Under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #23 on: October 20, 2007, 03:40:41 AM »
alex1234 has SuperAntiSpyware and ran it earlier in this topic, reply #4, you suggested it and ewido in reply #2.

The runonce entry is just something that isn't required and may be starting IE.

alex1234

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #24 on: October 20, 2007, 04:58:09 AM »
Attached is the screenshot I said I'd post a few posts back.

Quote
You could try fixing it in HJT
Did, ran HJT again and it was still there. Repeated fix, still there.

Also I ran vundofix.exe again and it found two files. It removed one but could not remove the other which was the same ixnnajpv.dll file I sent to avast so you can be sure it's an infected file. After a reboot, it again was not able to remove it.

Quote
alex1234 has SuperAntiSpyware and ran it earlier in this topic,
I did but I only ran a Quick scan. Now I ran a complete scan as oldman suggested and it found 406 threats which I have quarantined, including the ixnnajpv.dll file which was picked up. But I have not restarted yet since I have tremendous difficulty getting Windows to boot up, safemode or normal mode, and I want to report this before I make the 50 or so attempts that are necessary before a successful boot.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Er......this really sucks. Help, please?
« Reply #25 on: October 20, 2007, 11:24:49 AM »
I found a lot of cases of this. The dll is a random name and the key to the search was sitypnow. All are vundo with a smitfraud case thrown in.

Could you post the SAS log of the last scan? There may be some clues in it as to what it picked up. At any rate some garbage may be gone.

Rename highjack.exe to highjackalex.exe or whatever you want. Vundo is capable of hiding from HijackThis. Post the log.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #26 on: October 20, 2007, 02:58:34 PM »
Quote from: alex1234
Also I ran vundofix.exe again and it found two files. It removed one but could not remove the other which was the same ixnnajpv.dll file I sent to avast so you can be sure it's an infected file. After a reboot, it again was not able to remove it.

Some tools for stubborn file removal:
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good, as it has a few additional features: it will not only delete the files but also stop any process that is preventing you from deleting a file.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Er......this really sucks. Help, please?
« Reply #27 on: October 20, 2007, 03:55:36 PM »
DavidR: we don't want to check autoruns on fixed drives and flag them as malware or suspicious... ~95% of autorun viruses are written in VB (that's quite lame.. ehm, using VB generally isn't coding in its real sense imho) and sometimes repacked with a supported packer.. there are more ways to catch VB programs effectively (i can't tell you more), so the only thing to do is to bring some order to the samples from users and samples from other sources, and the detection is then a question of a few hours..

about Virtumonde/Vundo.. the authors of this spyware/adware are using batch creation of new variants... that's good for them, because they are able to produce a new variant every five hours, e.g. (the same, but more frequent, update technique is used by Tibs/Zhelatin).. fortunately - all the variants have the same basics and can be detected..

mauserme

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #28 on: October 20, 2007, 04:30:58 PM »
Having a look at recent file creations and some additional reg entries might prove useful here.

Download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.

mauserme

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #29 on: October 20, 2007, 04:59:22 PM »
fortunately - all the variants (of Virtumondo) have the same basics and could be detected..
Is it my imagination or are these recent variants better protected - very good at hiding from the traditional tools and harder to delete when found?