Author Topic: Screwed by Win32:Siveras [Expl]


joeni

  • Guest
Re: Screwed by Win32:Siveras [Expl]
« Reply #15 on: May 02, 2009, 09:06:08 PM »
Quote
Hi joeni,

Removal instructions,

The malcode will then create the following registry entry so that its dropped copy will be executed upon system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft DNSx = "%System%\mdnex.exe"

 1. Terminate the following malcode process:

      mdnex.exe

      Note: Since the malcode also attempts to terminate the task manager, the task manager program (%System%\taskmgr.exe) can be copied to a different file name and then executed. Also, several process management tools are available from the Internet; an example is Process Explorer from Sysinternals: http://www.sysinternals.com/Utilities/ProcessExplorer.html


There is no file called mdnex.exe on drive C:, nor in Windows. I've searched all over the place, including hidden files.

Quote

   2. Delete the following malcode file:

      %System%\mdnex.exe

      (Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32, on Windows 2000 it is usually C:\WINNT\System32)

If found, also delete the following file: %systemdir%\winsvcx.exe
Delete the following registry value: stoner

polonus

There is no winsvcx.exe either, same as above.
I searched the registry 10 times and there is no entry "stoner".

By the way, thank you very much for the help, and to everyone in this forum... maybe I should wait until the cure for this virus is found.
« Last Edit: May 02, 2009, 09:09:26 PM by joeni »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • malware fighter
Re: Screwed by Win32:Siveras [Expl]
« Reply #16 on: May 02, 2009, 09:15:47 PM »
Hi joeni,

You might have another variety of the malcode then. Is your Task Manager working properly, and does it come up when you press Ctrl + Alt + Del?
Can you run this tool and give the contents of the result file as an attached txt file:
http://www.niksoft.at/download/startdreck.htm

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

DavidK

  • Guest
Re: Screwed by Win32:Siveras [Expl]
« Reply #17 on: May 03, 2009, 11:21:01 AM »
I have seen a very similar program: goxp.exe... It claims to be part of the product "Rising AntiVirus 2009", although I've never heard of or used that product. I ran it on a virtual PC and logged what it did, and I'm pretty certain it's a virus, although avast doesn't detect it. It moves itself to c:\windows\system32\goxp.exe and starts itself from a self-created service. It then reads registry keys and sends packets to some server in China. To top it off, this sucker eats 100% CPU after a while.

If someone wants to investigate it, then I can upload it somewhere.

Quote from: VirusScan.Jotti.Org
Result: 8/20 (40%)

A-Squared  Found Packed.Win32.Krap!IK 
AntiVir  Found TR/Crypt.XPACK.Gen 
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found Win32/Heur 
BitDefender  Found Packer.Malware.Pohernah.H 
ClamAV  Found nothing
CPsecure  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found Packed.Win32.Krap.c 
Ikarus  Found Packed.Win32.Krap 
Kaspersky Anti-Virus  Found Packed.Win32.Krap.c 
NOD32  Found nothing
Norman Virus Control  Found nothing
Panda Antivirus  Found nothing
Quick Heal  Found nothing
Sophos Antivirus  Found Mal/EncPk-GT 
VirusBuster  Found nothing
VBA32  Found nothing

Quote from: virustotal.com
File goxp.zip received on 05.03.2009 11:39:19 (CET)
Result: 20/40 (50%)

Antivirus   Version   Last update   Result
a-squared   4.0.0.101   2009.05.03   Packed.Win32.Krap!IK
AhnLab-V3   5.0.0.2   2009.05.01   -
AntiVir   7.9.0.160   2009.05.02   TR/Crypt.XPACK.Gen
Antiy-AVL   2.0.3.1   2009.04.30   -
Authentium   5.1.2.4   2009.05.02   -
Avast   4.8.1335.0   2009.05.02   -
AVG   8.5.0.327   2009.05.02   Win32/Heur
BitDefender   7.2   2009.05.03   Packer.Malware.Pohernah.H
CAT-QuickHeal   10.00   2009.05.02   Trojan.Krap.c
ClamAV   0.94.1   2009.05.03   -
Comodo   1147   2009.05.02   -
DrWeb   4.44.0.09170   2009.05.03   -
eSafe   7.0.17.0   2009.04.30   Win32.TRCrypt.XPACK
eTrust-Vet   31.6.6487   2009.05.02   -
F-Prot   4.4.4.56   2009.05.02   -
F-Secure   8.0.14470.0   2009.05.02   Packed.Win32.Krap.c
Fortinet   3.117.0.0   2009.05.02   W32/Krap.C
GData   19   2009.05.03   Packer.Malware.Pohernah.H
Ikarus   T3.1.1.49.0   2009.05.03   Packed.Win32.Krap
K7AntiVirus   7.10.722   2009.05.02   Packed.Win32.Krap.c
Kaspersky   7.0.0.125   2009.05.03   Packed.Win32.Krap.c
McAfee   5603   2009.05.02   Generic.dx!be
McAfee+Artemis   5603   2009.05.02   Generic.dx!be
McAfee-GW-Edition   6.7.6   2009.05.02   Trojan.Crypt.XPACK.Gen
Microsoft   1.4602   2009.05.03   Trojan:Win32/SystemHijack.gen!C
NOD32   4049   2009.05.01   -
Norman   6.01.05   2009.04.30   -
nProtect   2009.1.8.0   2009.05.03   -
Panda   10.0.0.14   2009.05.02   Trj/CI.A
PCTools   4.4.2.0   2009.05.02   -
Prevx1   3.0   2009.05.03   -
Rising   21.27.41.00   2009.05.01   Packer.Win32.UnkPacker.c [Suspicious]
Sophos   4.41.0   2009.05.03   Mal/EncPk-GT
Sunbelt   3.2.1858.2   2009.05.02   Packed.Win32.Krap.c
Symantec   1.4.4.12   2009.05.03   -
TheHacker   6.3.4.1.317   2009.05.02   -
TrendMicro   8.950.0.1092   2009.05.01   -
VBA32   3.12.10.4   2009.05.03   -
ViRobot   2009.5.1.1717   2009.05.01   -
VirusBuster   4.6.5.0   2009.05.02   -

Quote from: virscan.org
Scanner results: 42% Scanner (16/38) found malware!

Scanner    Engine version    Signature version    Signature date    Result    Time (s)
a-squared     4.0.0.32     20090503080126    2009-05-03     Packed.Win32.Krap!IK   5.301
AhnLab V3    2009.05.01.01    2009.05.01    2009-05-01     - 1.676
AntiVir    7.9.0.160    7.1.3.141    2009-05-02    TR/Crypt.XPACK.Gen   2.216
Antiy    2.0.18    20090503.2333071    2009-05-03     - 0.120
Arcavir    2009    200905021130    2009-05-02     - 3.005
Authentium    5.1.1    200905021543    2009-05-02     - 1.222
AVAST!    3.0.1    090502-0    2009-05-02     - 0.931
AVG    7.5.52.442    270.12.11/2089    2009-04-30     - 2.114
BitDefender    7.81008.2901615    7.25166    2009-05-03    Packer.Malware.Pohernah.H 2.694
CA (VET)    9.0.0.143    31.6.6486    2009-05-02     - 19.516
ClamAV    0.95    9319    2009-05-03     - 0.013
Comodo    3.8    1147    2009-05-02     - 1.882
CP Secure    1.1.0.715    2009.05.03    2009-05-03     - 8.890
Dr.Web    4.44.0.9170    2009.05.03    2009-05-03     - 4.707
F-Prot    4.4.4.56    20090502    2009-05-02     - 1.264
F-Secure    5.51.6100    2009.05.02.01    2009-05-02     Packed.Win32.Krap.c [AVP] 0.062
Fortinet    2.81-3.117    10.345    2009-05-02    W32/Krap.C 0.915
GData    19.4991/19.317    20090503    2009-05-03     Packed.Win32.Krap.c [Engine:A] 14.893
Ikarus    T3.1.01.49    2009.05.03.72663    2009-05-03     Packed.Win32.Krap 2.809
JiangMin    11.0.706    2009.05.03    2009-05-03    Packed.Krap.lvu 2.781
Kaspersky    5.5.10    2009.05.03    2009-05-03    Packed.Win32.Krap.c   0.047
KingSoft    2009.2.5.15    2009.5.2.21    2009-05-02     - 0.521
McAfee    5.3.00    5603    2009-05-02    Generic.dx!be   3.246
Microsoft    1.4602    2009.05.03    2009-05-03    Trojan:Win32/SystemHijack.gen!C   17.485
mks_vir    2.01    2009.05.02    2009-05-02     - 2.773
Norman    6.00.06    6.00.00    2009-04-28     - 10.011
nProtect    20090501.01    3562396    2009-05-01    Packer.Malware.Pohernah.H   28.398
Panda    9.05.01    2009.05.02    2009-05-02     - 22.673
Quick Heal    10.00    2009.05.02    2009-05-02    Trojan.Krap.c   2.721
Rising    20.0    21.27.41.00    2009-05-01    Packer.Win32.UnkPacker.c [Suspicious]   2.984
Sophos    2.86.0    4.41    2009-05-03    Mal/EncPk-GT   2.260
Sunbelt    5118    5118    2009-05-02    Packed.Win32.Krap.c   1.675
Symantec    1.3.0.24    20090502.002    2009-05-02     - 0.093
The Hacker    6.3.4.1    v00317    2009-05-01     - 1.648
Trend Micro    8.700-1004    6.104.35    2009-05-02     - 0.034
VBA32    3.12.10.4    20090502.1751    2009-05-02     - 1.932
ViRobot    20090501    2009.05.01    2009-05-01     - 1.980
VirusBuster    4.5.11.10    10.105.13/1315160    2009-05-02     - 1.627
« Last Edit: May 03, 2009, 12:04:43 PM by DavidK »
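A way to read the three multi-engine reports quoted in this post side by side, as an added example that is not part of the thread and not any scanning service's own tooling: it parses the Jotti, VirusTotal and virscan.org row formats exactly as they appear above (an excerpted subset of the rows is embedded as constructed sample input), lines vendor names up across the three services, separates packer/heuristic detections from named ones, and counts the name tokens the vendors agree on. The vendor-name normalisation, the generic-marker list and the noise-word list are the example's own assumptions.

```python
import re
from collections import Counter

# Excerpted rows from the three reports quoted in this post (a constructed subset;
# the full tables are in the post above).
JOTTI = """\
A-Squared  Found Packed.Win32.Krap!IK
Avast  Found nothing
Kaspersky Anti-Virus  Found Packed.Win32.Krap.c
Sophos Antivirus  Found Mal/EncPk-GT
"""
VIRUSTOTAL = """\
a-squared   4.0.0.101   2009.05.03   Packed.Win32.Krap!IK
Avast   4.8.1335.0   2009.05.02   -
Kaspersky   7.0.0.125   2009.05.03   Packed.Win32.Krap.c
Microsoft   1.4602   2009.05.03   Trojan:Win32/SystemHijack.gen!C
Rising   21.27.41.00   2009.05.01   Packer.Win32.UnkPacker.c [Suspicious]
Sophos   4.41.0   2009.05.03   Mal/EncPk-GT
"""
VIRSCAN = """\
Kaspersky    5.5.10    2009.05.03    2009-05-03    Packed.Win32.Krap.c   0.047
AVAST!    3.0.1    090502-0    2009-05-02     - 0.931
F-Secure    5.51.6100    2009.05.02.01    2009-05-02     Packed.Win32.Krap.c [AVP] 0.062
"""

# Substrings that mark a packer/crypter/heuristic verdict rather than a family name (assumed list).
GENERIC_MARKERS = ("packed", "packer", "crypt", "heur", "generic", "suspicious", "encpk", ".gen")
# Tokens that carry no family information when vendors' names are compared (assumed list).
NOISE = {"win32", "w32", "packed", "packer", "trojan", "malware", "gen", "crypt", "mal",
         "suspicious", "tr", "trj", "avp", "engine", "ik", "generic"}


def scanner_key(name):
    """Normalise vendor names so 'Kaspersky Anti-Virus', 'Kaspersky' and 'AVAST!' line up."""
    return re.sub(r"[^a-z0-9]", "", name.lower().split()[0])


def _rows(text):
    """All three services separate columns by runs of two or more spaces."""
    for line in text.splitlines():
        if line.strip():
            yield re.split(r"\s{2,}", line.strip())


def parse_jotti(text):
    """Jotti rows: '<scanner>  Found <verdict>' with 'Found nothing' for a clean result."""
    out = {}
    for name, verdict in _rows(text):
        verdict = verdict.removeprefix("Found ")
        out[scanner_key(name)] = None if verdict == "nothing" else verdict
    return out


def parse_virustotal(text):
    """VirusTotal rows: scanner, engine version, last update, result ('-' when clean)."""
    out = {}
    for name, _version, _updated, result in _rows(text):
        out[scanner_key(name)] = None if result == "-" else result
    return out


def parse_virscan(text):
    """virscan.org rows end with '<result> <seconds>' separated by a single space,
    so the time has to be split off from the right."""
    out = {}
    for fields in _rows(text):
        name, tail = fields[0], " ".join(fields[4:])
        result, _, _seconds = tail.rpartition(" ")
        out[scanner_key(name)] = None if result == "-" else result
    return out


def detection_ratio(report):
    """(hits, engines) for one report, the same figure the services print as 'Result: x/y'."""
    return sum(1 for v in report.values() if v), len(report)


def is_generic(result):
    """Packer/crypter/heuristic names say 'this is obfuscated', not which family it is."""
    r = result.lower()
    return any(m in r for m in GENERIC_MARKERS)


def merge(reports):
    """Per-scanner verdicts side by side; reports is {service_name: parsed_report}."""
    merged = {}
    for src, report in reports.items():
        for key, result in report.items():
            merged.setdefault(key, {})[src] = result
    return merged


def family_hints(reports):
    """Count the distinctive tokens across all verdicts; the top token is the de-facto consensus family."""
    counts = Counter()
    for report in reports:
        for result in filter(None, report.values()):
            for tok in re.split(r"[^a-z0-9]+", result.lower()):
                if len(tok) >= 3 and tok not in NOISE:
                    counts[tok] += 1
    return counts


if __name__ == "__main__":
    reports = {"jotti": parse_jotti(JOTTI), "virustotal": parse_virustotal(VIRUSTOTAL),
               "virscan": parse_virscan(VIRSCAN)}
    for src, report in reports.items():
        hits, total = detection_ratio(report)
        generic = sum(1 for v in report.values() if v and is_generic(v))
        print(f"{src}: {hits}/{total} detections, {generic} of them packer/heuristic")
    print("family hints:", family_hints(reports.values()).most_common(3))
```

Run on the excerpt, the consensus token is "krap" (Kaspersky's Packed.Win32.Krap family, echoed by the engines that license its signatures), while most of the other hits are packer or heuristic verdicts; that is the pattern of a packed sample rather than a family the vendors independently recognise.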

micky77

  • Guest
Re: Screwed by Win32:Siveras [Expl]
« Reply #18 on: May 03, 2009, 11:30:31 AM »
I believe Rising AV is a legit AV from China

DavidK

  • Guest
Re: Screwed by Win32:Siveras [Expl]
« Reply #19 on: May 03, 2009, 11:36:02 AM »
Quote from: micky77
I believe Rising AV is a legit AV from China
Yes, the antivirus is legitimate; however, I don't believe that file is. I also don't have Rising AV, so I don't know why I would have a file claiming to be part of it. Also, Rising AntiVirus itself found the file to be "suspicious", which I don't think it would do if it were one of the scanner's components.
« Last Edit: May 03, 2009, 12:00:30 PM by DavidK »

joeni

  • Guest
Re: Screwed by Win32:Siveras [Expl]
« Reply #20 on: May 03, 2009, 08:28:06 PM »
Hi, I'm sorry for taking so long to answer the questions; I'm kind of busy.

OK, here is my problem solver... I used another antivirus, B** D*f**d*r, and this AV deleted all the viruses. By the way, I'm using the 30-day trial version and it's working well. Here is my new HijackThis log

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:32, on 04/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP3 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\ShowNetworkActivity.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
D:\Master\squid\sbin\squid.exe
c:\squid\libexec\unlinkd.exe
C:\WINDOWS\system32\ping.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Master\avast antivirus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:3128
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe (file missing)
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe (file missing)
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)
O23 - Service: Squid - SQUID Web Proxy Cache - http://www.squid-cache.org/ - D:\Master\squid\sbin\squid.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7305 bytes

All the files that were flagged as viruses now show as "file missing".
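The HijackThis log above and polonus's earlier removal instructions come down to the same checks: which Run values and services point at the files this thread names, which service entries are orphaned ("file missing", "Unknown owner"), and which use a core Windows process name from the wrong place, like the SesEnv service's smss.exe under system32\Desktop. As an added example (not the thread's, HijackThis's or any vendor's code), the script below runs those checks over an excerpt of the log plus one constructed O4 line modelled on the "Microsoft DNSx" Run value from the removal instructions. The watch-list, the core-name list and the rule that a command is cut at its first .exe/.com/.dll are the example's own assumptions.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

# File names this thread calls malicious (polonus's instructions, DavidK's goxp.exe,
# the orphaned services in joeni's log): a constructed watch-list, not a vendor feed.
WATCHLIST = {"mdnex.exe", "winsvcx.exe", "goxp.exe", "j001.exe", "slsvc.exe", "sver.com.cn.exe"}

# Core Windows process names and the only directories they legitimately run from (assumed).
CORE_NAMES = {"smss", "svchost", "lsass", "csrss", "winlogon", "services", "explorer"}
CORE_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Excerpt of joeni's log, plus one constructed O4 line modelled on "Microsoft DNSx".
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft DNSx] C:\WINDOWS\system32\mdnex.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe (file missing)
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe (file missing)
O23 - Service: Squid - SQUID Web Proxy Cache - http://www.squid-cache.org/ - D:\Master\squid\sbin\squid.exe
O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe (file missing)
"""


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Cut a command at its first .exe/.com/.dll followed by a space, quote or the end.
    HijackThis prints unquoted paths containing spaces, so splitting on whitespace
    would truncate paths under Program Files."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r'(.+?\.(?:exe|com|dll))(?=[\s"]|$)', cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def masquerades(path: str, display: Optional[str] = None) -> bool:
    """A core process name outside its system directory, or a service whose display
    name is a core process name, is a classic disguise (SesEnv and svchosts above)."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    if stem in CORE_NAMES and ntpath.dirname(path).lower() not in CORE_DIRS:
        return True
    return display is not None and display.lower() in CORE_NAMES


def check_path(path: str, reasons: list, display: Optional[str] = None) -> None:
    if ntpath.basename(path).lower() in WATCHLIST:
        reasons.append("watch-list")
    if masquerades(path, display):
        reasons.append("core-name masquerade")


def triage(log_text: str) -> list:
    """Return one Finding per log line that deserves a look, with the reasons why."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        reasons: list = []
        if in_processes:
            check_path(line, reasons)
        elif line.startswith("O4 - "):
            m = re.match(r"O4 - .*?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", line)
            if m:
                check_path(exe_path(m.group("cmd")), reasons)
        elif line.startswith("O10 - "):
            reasons.append("review: Winsock LSP")      # always worth verifying by hand
        elif line.startswith("O20 - "):
            reasons.append("review: AppInit_DLLs")     # loaded into every GUI process
        elif line.startswith("O23 - Service: "):
            # Layout: <display> (<short>) - <owner> - <path> [(file missing)]; the owner
            # may itself contain " - " (Squid's URL), so take the path from the right.
            parts = line[len("O23 - Service: "):].split(" - ")
            display = re.sub(r" \([^)]*\)$", "", parts[0])
            owner, path = " - ".join(parts[1:-1]), parts[-1]
            if path.endswith("(file missing)"):
                reasons.append("file missing")         # orphaned entry: binary gone, config left
                path = path[: -len("(file missing)")].strip()
            if owner == "Unknown owner":
                reasons.append("unknown owner")
            check_path(exe_path(path), reasons, display)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(", ".join(f.reasons).ljust(48), f.line)
```

On the excerpt, the avast and Squid entries pass, the two review-always items (O10, O20) are listed for manual checking, and the three orphaned services plus the constructed Run value are flagged with the specific reason each. Orphaned "(file missing)" service entries are harmless on their own but are the record of what ran, and leaving them means a reinfection can reuse the same service name without creating anything new.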

micky77

  • Guest
Re: Screwed by Win32:Siveras [Expl]
« Reply #21 on: May 03, 2009, 08:51:28 PM »
Thanks for the feedback, glad BitDefender sorted your problem  :)