Solved

explorer.exe loading virus

Posted on 2009-03-30
Medium Priority
721 Views
Last Modified: 2012-05-06
Hi,
One of my workstations seems to have caught a virus that Malwarebytes will not detect. The virus created a registry key called unokukowo and then it loads a DLL that has a randomly generated name, i.e. uwodaribiy.dll. When I run HijackThis this is the entry it creates:

O4 - HKLM\..\Run: [Unokukowo] rundll32.exe "C:\WINDOWS\uwodaribiy.dll",e

When I delete this DLL it comes back on reboot using a different name. Using Process Explorer, the file seems to be getting created by explorer.exe. Is there some way for me to see what explorer.exe is set up to load? Does anyone have an idea how to remove this virus short of reformatting the drive? It seems to spawn random pop-ups while using Internet Explorer. Thanks.
Question by:Pawel_Kowalski

31 Comments

LVL 17

Expert Comment

by:houssam_ballout
ID: 24020215
Go to Start > msconfig and clear all startup programs except the antivirus,
and also download ComboFix:

www.bleepingcomputer.com/combofix/how-to-use-combofix
LVL 10

Expert Comment

by:Kechka
ID: 24020258
You can also try with SmitfraudFix in safe mode. http://siri.geekstogo.com/SmitfraudFix.php
LVL 30

Expert Comment

by:flubbster
ID: 24020905
Do a search for explorer.exe. Where is it found? There should only be one file, obviously. Many times a virus will create a rogue copy and place it somewhere other than in the C:\Windows folder, where it belongs.
Author Comment

by:Pawel_Kowalski
ID: 24021295
ComboFix did not fix the problem, neither did SmitfraudFix. The log file for ComboFix is attached. Flubbster, I have explorer.exe under C:\Windows and one under C:\Windows\ServicePackFiles\i386, as well as a file called EXPLORER.EXE-082F38A9.pf under C:\Windows\Prefetch.

Any help would be appreciated. When I delete the DLL it seems to come back a few minutes after reboot, and I can see using Process Explorer that explorer.exe is creating it.
log.txt
LVL 17

Expert Comment

by:houssam_ballout
ID: 24021951
Have you tried doing a System Restore?

Author Comment

by:Pawel_Kowalski
ID: 24021981
System restore was disabled by this virus.
LVL 30

Expert Comment

by:flubbster
ID: 24022004
Does that mean you can't run a restore, or that there are no restore points?

Author Comment

by:Pawel_Kowalski
ID: 24022017
There are no restore points.
LVL 17

Expert Comment

by:houssam_ballout
ID: 24022074
Have you tried a restore via Safe Mode?

Author Comment

by:Pawel_Kowalski
ID: 24022079
Same thing, no restore points.
LVL 3

Expert Comment

by:stlbridge
ID: 24022221
One question:

Would you be confident to use this computer even if you did find a way to remove the virus from showing up?

If so, use Spybot S&D on it. I removed the exact virus using Spybot, and haven't seen it in a few weeks. I still will not do anything involving a password on this computer. The computer that was infected was basically a "sacrificial lamb".

Expert Comment

by:dragonfirez
ID: 24022607
Two tools:

autoruns:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

process explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

First use Autoruns to see if you can find the other file that causes the file that you delete to come back each time you restart the computer. What I do is I go to the menu bar and click "Hide all Microsoft entries", and this helps to see things better. Then I look for files / apps that are unsigned and have weird / random filenames. Once you get an idea of which files are the infections, restart into safe mode. Once in safe mode, open up cmd, and then Ctrl-Alt-Del and end explorer.exe (this is because the infection has a tie-in to explorer, and ending it will allow you to delete the files you found earlier). Then go back to your command line and delete the files you found previously.

Process explorer might allow you to see what file is tying into explorer.exe so you can be better assisted in removing it.
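Editor's worked example (added here; not code from anyone in this thread). The HijackThis O4 line in the original question and dragonfirez's advice to look for unsigned entries with random filenames both come down to scoring autostart entries. The script below parses O4 lines of the form shown in the question and applies three indicators taken from the symptoms described: a rundll32 loader whose DLL name looks machine-generated (strictly alternating vowels and consonants, as unokukowo, uwodaribiy and ihakacega all do), a DLL dropped directly in the Windows directory instead of system32, and a one-letter export such as ",e". The alternation rule, the two-indicator threshold and the sample log lines are this example's own assumptions (the first sample line is the entry from the question; the others are constructed, typical XP-era autostarts). It does not check Authenticode signatures; Autoruns' "Verify Code Signatures" option is still the tool for that.

```python
"""Score HijackThis 'O4' autostart lines for random-name rundll32 loaders.

Added example, not part of the original thread. The indicators and the
threshold are assumptions drawn from the symptoms the thread describes.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# HijackThis O4 line:  O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# rundll32 loader:  rundll32.exe "<dll>",<export>   (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)', re.I
)
VOWELS = set("aeiou")


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str          # Run value name, e.g. Unokukowo
    cmd: str           # full command line
    dll: Optional[str] = None    # DLL path when cmd is a rundll32 loader
    entry: Optional[str] = None  # export name after the comma
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Return an O4Entry for HKLM/HKCU Run-style lines, None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    e = O4Entry(m["hive"], m["key"], m["name"], m["cmd"])
    r = RUNDLL_RE.match(e.cmd)
    if r:
        e.dll, e.entry = r["dll"].strip(), r["entry"]
    return e


def looks_generated(stem: str) -> bool:
    """Heuristic (assumption): a letters-only name of 7+ characters whose letters
    strictly alternate vowel/consonant, like unokukowo / uwodaribiy / ihakacega.
    Weak alone (a real brand name can match; dpshuiz does not), so it is one vote."""
    s = stem.lower()
    if len(s) < 7 or not s.isalpha():
        return False
    flags = [c in VOWELS for c in s]
    return all(a != b for a, b in zip(flags, flags[1:]))


def in_windows_root(dll: str) -> bool:
    """True when the DLL sits directly in C:\\WINDOWS (or WINNT), not a subfolder."""
    parts = PureWindowsPath(dll).parts
    return len(parts) == 3 and parts[1].lower() in {"windows", "winnt"}


def assess(e: O4Entry) -> O4Entry:
    """Attach one reason per matching indicator; rundll32 loaders only."""
    if e.dll is None:
        return e
    stem = PureWindowsPath(e.dll).stem
    if looks_generated(stem):
        e.reasons.append(f"random-looking DLL name {stem!r}")
    if in_windows_root(e.dll):
        e.reasons.append("DLL sits directly in the Windows directory, not system32")
    if len(e.entry or "") <= 1:
        e.reasons.append(f"single-letter or empty export {e.entry!r}")
    if looks_generated(e.name):
        e.reasons.append(f"random-looking Run value name {e.name!r}")
    return e


def triage(lines, threshold: int = 2) -> List[O4Entry]:
    """Return the entries that collect at least `threshold` indicators."""
    hits = []
    for line in lines:
        e = parse_o4(line)
        if e is not None and assess(e).score >= threshold:
            hits.append(e)
    return hits


# Constructed sample: line 1 is the entry from the original post; the rest are
# typical legitimate XP-era autostarts included for comparison.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [Unokukowo] rundll32.exe "C:\WINDOWS\uwodaribiy.dll",e',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.hive}\\{hit.key} [{hit.name}] score={hit.score}")
        for reason in hit.reasons:
            print("   -", reason)
```

The name rule alone misses c:\windows\dpshuiz.dll from the accepted script (no vowel alternation) and would also match a genuine brand name, which is why a hit needs two indicators; the location rule still flags that file. Feed it a full HijackThis log and the posted line comes out with all four indicators while the NVIDIA, Intel and ctfmon entries score zero.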

Author Comment

by:Pawel_Kowalski
ID: 24023010
houssam, I tried your suggestions; they didn't work.

stlbridge, Spybot Search and Destroy didn't find anything.

dragonfirez, I have been using Process Explorer; I have not used Autoruns before. Thank you for this awesome program. However, I cannot find any suspicious files listed under it. Any ideas? The virus is still loading.
LVL 3

Expert Comment

by:stlbridge
ID: 24023259
Pawel, it's time to nuke it before the infection spreads throughout all of Europe. Bad joke, I suppose, but honestly, I'd say it's time to wipe this one clean. You may have more behind the curtains than you realize. A single .dll could do this, but I suspect there is far more going on.

Author Comment

by:Pawel_Kowalski
ID: 24023366
Saying "nuke it" is a lot easier said than done :). If I have to do this I will, but I would like to try and find a solution to this first for economic reasons. Having to format this particular system would be a big problem, and I have yet to come across a virus that I am unable to clean off; I would hate to have to start now.
LVL 3

Expert Comment

by:stlbridge
ID: 24023440
What is on this system, if you don't mind me asking?

Expert Comment

by:eblkheart
ID: 24023701
I'm having the same issue with this. This came out of nowhere and I cannot figure out where it came from, or how to get rid of it. Bad thing is that this is on my company president's computer.
LVL 3

Expert Comment

by:stlbridge
ID: 24023900
Run a virus scan while the drive is set up as a slave on a separate box. This works well with Norton AV 2008, custom scan, specific drive.

>>"Economical reasons"

How much time have you spent on this? Worst case scenario, you could have done an "over the top" restore, hoped that the registry was purged of the cancer, and been finished by lunch.

I highly suggest creating a master image for the user's workstation, where all programs are installed and configured to the fullest. Then, I would simply reimage the computer each time the silly user has made a boo-boo. All data such as images, music, documents, videos, etc. could easily be backed up to a thumb drive before you nuke it. Then just put all of the data back into the user's "My Documents" folder. You could even hit their favorites. If they need updates, so be it. That's just my .02, and I realize every situation is unique, so please do not think I am telling you how to do your job. I simply am sharing my methods.

Author Comment

by:Pawel_Kowalski
ID: 24024189
I will not get into too much detail about what is on this computer, but it involves proprietary software that there isn't much documentation on. Restoring it is an option, but it is an option I would like to save as a last resort. These viruses are not magical; they have to start up somewhere. All I need to do is identify where this virus starts up and eliminate it, as I have done countless other times in my career.
LVL 3

Expert Comment

by:stlbridge
ID: 24024252
"I will not get in to much detail about what is on this computer"
Then I suspect you won't be posting a Hijack This log.

Good Luck.

Author Comment

by:Pawel_Kowalski
ID: 24024581
I'll be happy to post a HijackThis log; I already posted a ComboFix log.

Author Comment

by:Pawel_Kowalski
ID: 24024585
With that said, there really is only one entry in HijackThis that is related to this virus, and that's the one I posted in the original post.
LVL 23

Expert Comment

by:phototropic
ID: 24026788
I have had some success in similar situations using a program called Unhackme:

http://www.greatis.com/unhackme/download.htm

Download and install the trial version. Click on "Check me now!" - if it says no Trojan is found, click OK, then select "Test Windows boot process". Agree to the reboot. The PC will reboot.
The program will now load and run before your desktop loads. Then it will say "You have a number of suspicious programs." Click on "Fix Programs".
It will set a restore point, then give you a list of boot processes. For each one, you can select "Get it out!", "False positive" or "I'm not sure...", which gives you a report on how bad/good the program may be.
I usually terminate anything assessed to be over 30% "bad".
The app will then need to reboot.
Once the PC is clean, you should uninstall Unhackme - it is a very intrusive program.

Good luck!!!

LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 24028063
Hi,

Run ComboFix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
KillAll::
File::
c:\windows\ihakacega.dll
c:\windows\dpshuiz.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Unokukowo"=-
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as ComboFix.exe, which is in your --> C:\
4. Then drag CFScript.txt onto ComboFix.exe. This will start ComboFix again.


If the ComboFix script function won't take care of it, then we'll need to run another tool to check for any hidden drivers. You have many drivers/services there that I haven't checked, but they look legit.

Author Comment

by:Pawel_Kowalski
ID: 24028496
rpggamergirl, that might have fixed it. I will browse around the internet for a while to make sure it doesn't come back and then I'll post back, fingers crossed.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24028536
Sounds good.... fingers crossed yeah.

If it comes back can you please attach the latest Combofix log?

Author Comment

by:Pawel_Kowalski
ID: 24029356
Looks like it is good. I checked to make sure the registry wasn't changing, made sure those files weren't coming back, and monitored traffic from my NIC; it seems to be fine. Thanks for your help.
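Editor's worked example (added here; not code from anyone in this thread). The check the author describes above, the registry not changing and the DLLs not coming back, written as a repeatable poll: it snapshots the Run values under HKLM and HKCU and the executables sitting directly in the Windows directory, then reports anything added, removed or modified on each round. The watched folder, the 30-second interval and the ten rounds are assumptions; the registry half uses winreg and runs only on Windows, so off Windows only the file half is exercised. A hit during the poll means the dropper is still resident (in this thread's case, inside explorer.exe), and the next step is finding the owning process, not deleting the file again.

```python
"""Post-cleanup watch: detect a dropper re-creating its DLL or Run value.

Added example, not from the thread. Paths, interval and round count are
assumptions; the registry snapshot is skipped on non-Windows hosts.
"""
import os
import sys
import time
from typing import Dict, List, Set, Tuple

RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]


def snapshot_dir(path: str, exts=(".dll", ".exe")) -> Dict[str, Tuple[int, int]]:
    """name -> (size, mtime_ns) for matching files directly in `path` (no recursion)."""
    snap = {}
    with os.scandir(path) as it:
        for d in it:
            if d.is_file(follow_symlinks=False) and d.name.lower().endswith(exts):
                st = d.stat(follow_symlinks=False)
                snap[d.name.lower()] = (st.st_size, st.st_mtime_ns)
    return snap


def snapshot_run_values() -> Dict[str, str]:
    """'HIVE\\ValueName' -> command string from the Run keys; empty off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, hence the late import
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for hive, sub in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    snap[f"{hive}\\{name}"] = str(value)
                    index += 1
        except OSError:  # key missing or access denied: nothing to record
            pass
    return snap


def diff(before: Dict, after: Dict) -> Dict[str, Set[str]]:
    """Keys added, removed, or whose recorded value changed between snapshots."""
    return {
        "added": set(after) - set(before),
        "removed": set(before) - set(after),
        "changed": {k for k in set(before) & set(after) if before[k] != after[k]},
    }


def watch(dirs: List[str], rounds: int, interval: float) -> List[Tuple[int, str, Dict[str, Set[str]]]]:
    """Poll `rounds` times, `interval` seconds apart; return every non-empty delta.

    Each finding is (round_number, what_changed, delta). After a finding the
    baseline moves forward so the same change is not reported every round."""
    base_dirs = {d: snapshot_dir(d) for d in dirs}
    base_reg = snapshot_run_values()
    findings = []
    for n in range(1, rounds + 1):
        time.sleep(interval)
        for d in dirs:
            cur = snapshot_dir(d)
            delta = diff(base_dirs[d], cur)
            if any(delta.values()):
                findings.append((n, d, delta))
                base_dirs[d] = cur
        cur_reg = snapshot_run_values()
        delta = diff(base_reg, cur_reg)
        if any(delta.values()):
            findings.append((n, "Run keys", delta))
            base_reg = cur_reg
    return findings


if __name__ == "__main__":
    # Assumed defaults: the Windows directory, ten rounds, thirty seconds apart.
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    for rnd, where, delta in watch([windir], rounds=10, interval=30):
        print(f"round {rnd} {where}: {delta}")
```

Run it right after the reboot that follows cleanup and again after browsing for a while, since the author reports the DLL reappearing a few minutes after reboot rather than immediately. A new name showing up under "added" with a matching new Run value is the same behaviour the thread started with, only with a fresh random name.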

Expert Comment

by:eblkheart
ID: 24029392
I'm going to try this fix as well. Does anyone have an idea how this may have been installed, or what it does?

Author Comment

by:Pawel_Kowalski
ID: 24029686
I'm pretty sure the way this installed on my system was due to an image exploit. When I went to a site, a new window popped up with a broken image, at which point the memory usage for IE exploded. I have the latest updates, so I don't know why this happened unless there is a new GD exploit out there that hasn't been announced yet.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24035040
Glad to know it's resolved.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u
The above will remove ComboFix and its files, remove the created backup, and reset System Restore.


If you're not aware, you can also award points to more than one expert by clicking the "Accept Multiple Solutions" button.

Thank you!