Solved

explorer.exe loading virus

Posted on 2009-03-30
Last Modified: 2012-05-06
Hi,
One of my workstations seems to have caught a virus that Malwarebytes will not detect. The virus created a registry key called unokukowo and then it loads a DLL that has a randomly generated name, e.g. uwodaribiy.dll. When I run HijackThis, this is the entry it shows:

O4 - HKLM\..\Run: [Unokukowo] rundll32.exe "C:\WINDOWS\uwodaribiy.dll",e

When I delete this DLL it comes back on reboot using a different name. Using Process Explorer, the file seems to be getting created by explorer.exe. Is there some way for me to see what explorer.exe is set up to load? Does anyone have an idea how to remove this virus short of reformatting the drive? It seems to spawn random pop-ups while using Internet Explorer. Thanks.
Question by:Pawel_Kowalski
31 Comments
LVL 17

Expert Comment

by:houssam_ballout
Go to Start > Run > msconfig and clear all startup programs except the antivirus.
Also download ComboFix:

www.bleepingcomputer.com/combofix/how-to-use-combofix
LVL 10

Expert Comment

by:Kechka
You can also try SmitfraudFix in Safe Mode. http://siri.geekstogo.com/SmitfraudFix.php
LVL 30

Expert Comment

by:flubbster
Do a search for explorer.exe. Where is it found? There should only be one file, obviously. Many times a virus will create a rogue copy and place it somewhere other than the C:\Windows folder, where it belongs.

Author Comment

by:Pawel_Kowalski
ComboFix did not fix the problem, neither did SmitfraudFix. The log file for ComboFix is attached. Flubbster, I have explorer.exe under C:\Windows and one under C:\Windows\ServicePackFiles\i386, as well as a file called EXPLORER.EXE-082F38A9.pf under C:\Windows\Prefetch.

Any help would be appreciated. When I delete the DLL it seems to come back a few minutes after reboot, and I can see using Process Explorer that explorer.exe is creating it.
log.txt
LVL 17

Expert Comment

by:houssam_ballout
Have you tried System Restore?

Author Comment

by:Pawel_Kowalski
System restore was disabled by this virus.
LVL 30

Expert Comment

by:flubbster
Does that mean you can't run a restore, or that there are no restore points?

Author Comment

by:Pawel_Kowalski
There are no restore points.
LVL 17

Expert Comment

by:houssam_ballout
Have you tried a restore from Safe Mode?

Author Comment

by:Pawel_Kowalski
Same thing, no restore points.
LVL 3

Expert Comment

by:stlbridge
One question:

Would you be confident to use this computer even if you did find a way to remove the virus from showing up?

If so, use Spybot S&D on it.  I removed the exact virus using Spybot, and haven't seen it in a few weeks.  I still will not do anything involving a password on this computer.  The computer that was infected was basically a "sacrificial lamb".

Expert Comment

by:dragonfirez
Two tools:

autoruns:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

process explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

First use Autoruns to see if you can find the other file that causes the file you delete to come back each time you restart the computer. What I do is go to the menu bar and click "Hide all Microsoft entries", and this helps to see things better. Then I look for files/apps that are unsigned and have weird/random filenames. Once you get an idea of which files are the infection, restart into Safe Mode. Once in Safe Mode, open up cmd, then Ctrl-Alt-Del and end explorer.exe (this is because the infection has a tie-in to explorer, and ending it will allow you to delete the files you found earlier). Then go back to your command line and delete the files you found previously.

Process Explorer might let you see what file is tying into explorer.exe, so you can be better assisted in removing it.

Author Comment

by:Pawel_Kowalski
houssam, I tried your suggestions, they didn't work.

stlbridge, Spybot Search & Destroy didn't find anything.

dragonfirez, I have been using Process Explorer, but I have not used Autoruns before. Thank you for this awesome program. However, I cannot find any suspicious files listed under it. Any ideas? The virus is still loading.
LVL 3

Expert Comment

by:stlbridge
Pawel, it's time to nuke it before the infection spreads throughout all of Europe. Bad joke, I suppose, but honestly, I'd say it's time to wipe this one clean. You may have more behind the curtains than you realize. A single .dll could do this, but I suspect there is far more going on.

Author Comment

by:Pawel_Kowalski
Saying nuke it is a lot easier said than done :). If I have to do this I will, but I would like to try to find a solution first, for economical reasons. Having to format this particular system would be a big problem, and I have yet to come across a virus that I am unable to clean off; I would hate to have to start now.
LVL 3

Expert Comment

by:stlbridge
What is on this system, if you don't mind me asking?

Expert Comment

by:eblkheart
I'm having the same issue with this. It came out of nowhere and I cannot figure out where it came from, or how to get rid of it. Bad thing is that this is on my company president's computer.
LVL 3

Expert Comment

by:stlbridge
Run a virus scan while the drive is set up as a slave in a separate box. This works well with Norton AV 2008: custom scan, specific drive.

>>"Economical reasons"

How much time have you spent on this? Worst case scenario, you could have done an "over the top" restore, hoped that the registry was purged of the cancer, and been finished by lunch.

I highly suggest creating a master image for the user's workstation, with all programs installed and configured to the fullest. Then I would simply reimage the computer each time the silly user has made a boo-boo. All data such as images, music, documents, videos, etc. could easily be backed up to a thumb drive before you nuke it. Then just put all of the data back into the user's "My Documents" folder. You could even hit their favorites. If they need updates, so be it. That's just my .02, and I realize every situation is unique, so please do not think I am telling you how to do your job. I am simply sharing my methods.

Author Comment

by:Pawel_Kowalski
I will not get into too much detail about what is on this computer, but it involves proprietary software that there isn't much documentation on. Restoring it is an option, but it is an option I would like to save as a last resort. These viruses are not magical; they have to start up somewhere. All I need to do is identify where this virus starts up and eliminate it, as I have done countless other times in my career.
LVL 3

Expert Comment

by:stlbridge
"I will not get into too much detail about what is on this computer"
Then I suspect you won't be posting a Hijack This log.

Good Luck.

Author Comment

by:Pawel_Kowalski
I'll be happy to post a HijackThis log; I already posted a ComboFix log.

Author Comment

by:Pawel_Kowalski
With that said, there really is only one entry in HijackThis that is related to this virus, and that's the one I posted in the original post.
LVL 23

Expert Comment

by:phototropic
I have had some success in similar situations using a program called Unhackme:

http://www.greatis.com/unhackme/download.htm

Download and install the trial version. Click on "Check me now!" - if it says no Trojan is found, click OK, then select "Test Windows boot process". Agree to the reboot. The PC will reboot.
The program will now load and run before your desktop loads. Then it will say "You have a number of suspicious programs." Click on "Fix Programs".
It will set a restore point, then give you a list of boot processes. For each one, you can select "Get it out!", "False positive" or "I'm not sure..." which gives you a report on how bad/good the program may be.
I usually terminate anything assessed to be over 30% "bad".
The app. will then need to reboot.
Once the pc is clean, you should uninstall Unhackme - it is a very intrusive program.

Good luck!!!

LVL 47

Accepted Solution

by:rpggamergirl (earned 500 total points)
Hi,

Run ComboFix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
KillAll::
File::
c:\windows\ihakacega.dll
c:\windows\dpshuiz.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Unokukowo"=-
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as ComboFix.exe, which is in C:\
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


If the ComboFix script doesn't take care of it, then we'll need to run another tool to check for any hidden drivers. You have many drivers/services there that I haven't checked, but they look legit.
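
An added example, not code from the thread or from any of the tools mentioned in it. dragonfirez's triage approach above (hide the Microsoft entries, look for unsigned, random-named loaders) and the accepted answer's CFScript are both manual steps; the script below automates the first and emits the second. It parses HijackThis "O4" autostart lines, scores each rundll32-launched DLL on three indicators visible in the question (DLL dropped directly into C:\WINDOWS rather than system32, a missing or single-letter export such as ",e", and a pronounceable vowel/consonant name like uwodaribiy), and renders the hits in the File::/Registry:: layout the accepted answer uses. Everything is an assumption of this example: the function names, the weights and threshold, the syllabic regex, and the three benign contrast lines in the sample input, which are constructed here; only the first sample line is the entry from the original post. It does not verify Authenticode signatures, which Autoruns itself can do.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of HijackThis "O4" autostart lines. The first line is the
# entry quoted in the original question; the other three are made up here as
# benign-looking contrast cases and do not come from the thread.
SAMPLE_O4_LINES = [
    'O4 - HKLM\\..\\Run: [Unokukowo] rundll32.exe "C:\\WINDOWS\\uwodaribiy.dll",e',
    'O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup',
    'O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe',
    'O4 - HKLM\\..\\Run: [Malwarebytes] "C:\\Program Files\\Malwarebytes\\mbam.exe" /starttray',
]

# O4 - <hive>\..\<Run key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$')
# rundll32[.exe] "<dll>",<export>   (quotes optional, export optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?\s*(?:,\s*(\S*))?$', re.I)
# Pronounceable vowel/consonant alternation such as "uwodaribiy" or "ihakacega"
SYLLABIC_RE = re.compile(r'^[aeiou]?(?:[b-df-hj-np-tv-z][aeiou]){3,}[b-df-hj-np-tv-z]?$')
HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}


@dataclass
class AutostartEntry:
    hive: str
    key: str               # "Run", "RunOnce", ...
    value_name: str        # registry value name, e.g. "Unokukowo"
    command: str
    dll: Optional[str] = None      # set only for rundll32-style loaders
    export: Optional[str] = None   # "" when rundll32 is called with no export
    reasons: List[str] = field(default_factory=list)
    score: int = 0


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one HijackThis O4 line; returns None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    entry = AutostartEntry(hive, key, name, cmd)
    r = RUNDLL_RE.match(cmd.strip())
    if r:
        entry.dll = r.group(1).strip()
        entry.export = r.group(2) or ''
    return entry


def triage(entry: AutostartEntry) -> AutostartEntry:
    """Attach indicator reasons and a weighted score; >= 2 is treated as suspicious.
    Weights are this example's own choice, not a published heuristic."""
    entry.reasons, entry.score = [], 0
    if entry.dll is None:
        return entry  # only rundll32 loaders are scored here
    path = entry.dll.lower()
    directory, _, filename = path.rpartition('\\')
    stem = filename[:-4] if filename.endswith('.dll') else filename
    checks = [
        # Legitimate rundll32 targets live in system32; a DLL sitting directly
        # in the Windows root (as in the question) is the strongest signal.
        (directory in ('c:\\windows', 'c:\\winnt'), 2, 'DLL directly in the Windows root, not system32'),
        (len(entry.export or '') <= 1, 1, 'missing or single-letter export name'),
        (SYLLABIC_RE.match(stem) is not None, 1, 'generated-looking syllabic file name'),
    ]
    for hit, weight, reason in checks:
        if hit:
            entry.reasons.append(reason)
            entry.score += weight
    return entry


def triage_o4_lines(lines, threshold: int = 2) -> List[AutostartEntry]:
    """Return the entries that score at or above the threshold."""
    entries = [triage(e) for e in map(parse_o4, lines) if e is not None]
    return [e for e in entries if e.score >= threshold]


def cfscript(flagged: List[AutostartEntry]) -> str:
    """Render flagged entries in the CFScript layout used in the accepted answer."""
    out = ['KillAll::', 'File::']
    out += sorted({e.dll.lower() for e in flagged})
    out += ['', 'Registry::']
    for e in flagged:
        out.append('[%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\%s]' % (HIVES[e.hive], e.key))
        out.append('"%s"=-' % e.value_name)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    hits = triage_o4_lines(SAMPLE_O4_LINES)
    for e in hits:
        print('[%s] %s score=%d: %s' % (e.value_name, e.dll, e.score, '; '.join(e.reasons)))
    print(cfscript(hits))
```

Because the DLL is renamed on every reboot, the script has to be run against the HijackThis log taken from the machine as it currently is, not against the entry from the original post. The location check carries the most weight on purpose: dpshuiz.dll from the accepted answer does not fit the syllabic pattern, so a name-only heuristic would miss it while the Windows-root check would still flag it.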

Author Comment

by:Pawel_Kowalski
rpggamergirl, that might have fixed it. I will browse around the internet for a while to make sure it doesn't come back and then I'll post back, fingers crossed.
LVL 47

Expert Comment

by:rpggamergirl
Sounds good.... fingers crossed yeah.

If it comes back can you please attach the latest Combofix log?

Author Comment

by:Pawel_Kowalski
Looks like it is good. I checked to make sure the registry wasn't changing, made sure those files weren't coming back, and monitored traffic from my NIC; it seems to be fine. Thanks for your help.

Expert Comment

by:eblkheart
I'm going to try this fix as well. Does anyone have an idea how this may have been installed or what it does?

Author Comment

by:Pawel_Kowalski
I'm pretty sure the way this installed on my system was due to an image exploit. When I went to a site, a new window popped up with a broken image, at which point the memory usage for IE exploded. I have the latest updates, so I don't know why this happened unless there is a new GD exploit out there that hasn't been announced yet.
LVL 47

Expert Comment

by:rpggamergirl
Glad to know it's resolved.

To uninstall ComboFix:
Go to Start > Run and copy and paste the following command into the field:

ComboFix /u

The above will remove ComboFix and its files, remove the created backup, and reset System Restore.


If you're not aware, you can also award points to more than one expert by clicking the "Accept Multiple Solutions" button.

Thank you!