antinul.vbe malware


14 replies to this topic

#1 lost in africa
  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 21 June 2009 - 08:34 AM

I recently discovered the virus/malware "antinul.vbe" on my flashdrive and computer. I removed it, but now I cannot open Registry Editor or view "hidden files" in Windows Explorer.

I am currently running Windows XP.

Background: The "antinul.vbe" file is described in a previous post '"Mabraze" or "Travail" malware'.
I ran Spybot and AVG, but they did not detect it. So I opened Command Prompt under safe mode and entered the following commands (which have worked well with other malware I've encountered):

C:\WINDOWS\system32> attrib -s -h -r /s /d antinul.vbe
C:\WINDOWS\system32> del /s antinul.vbe

I had to stop one process that was running before I could delete the file. I also removed the files from my flashdrive with similar commands (along with autorun.inf).

When I rebooted the computer, I received a warning that the registry entry for antinul.vbe could not be found. I've also verified that the antinul.vbe file is deleted.

Now when I try to run the registry editor, I get a warning that it can only be run by the administrator. Also I cannot view hidden files in Windows Explorer. Under the Tools menu, there is no longer the "Folder Options..." choice.

Is there something I can do to fix this?


#2 Zllio
  • Members
  • 1,107 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 24 June 2009 - 02:49 PM

Hi lost in africa,

You may need stronger tools, but let's do some scans first that you will have to do in any case. See if you can get the following to run. If not, tell me.

Step 1: ATF Cleaner

If you're running XP, please run ATF Cleaner according to the following instructions. If you're using Vista, please skip this step and continue with step 2.

Please download ATF Cleaner by Atribune & save it to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



Step 2: MalwareBytes

Please download Malwarebytes Anti-Malware and save it to your desktop.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable security programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 3: Then perform an online scan with Panda Active Scan 2.0
(please use this scanner instead of any other scanner!)

Panda Online:
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button
- Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a new HijackThis log.



Step 4: If the two scans find anything, please post the logs: ActiveScan, MalwareBytes

Let me know how this went.
Zllio


#3 lost in africa
  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 29 June 2009 - 04:07 PM

thanks for your help. Here is the log from the MBAM scan:


Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

6/29/2009 11:44:29 PM
mbam-log-2009-06-29 (23-44-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144650
Time elapsed: 21 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Client (Worm.AutoRun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\RECYCLER\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.

#4 Zllio
  • Members
  • 1,107 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 29 June 2009 - 11:44 PM

Hi lost in africa,

Did Panda find anything?

You wrote, " I recently discovered the virus/malware "antinul.vbe" on my flashdrive and computer. I removed it, but now I cannot open Registry Editor or view "hidden files" in Windows Explorer."

When MalwareBytes fixed the registry and hidden files problems in your computer, did it fix them or is the problem still there?

Zllio

#5 lost in africa
  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 30 June 2009 - 02:10 PM

MBAM did fix those problems:
1. viewing "folder options" in windows explorer
2. opening Registry Editor

But I still get the error when I open Windows that it cannot start C:\WINDOWS\system32\antinul.vbe

I wonder if it is safe to delete this command in the Registry Editor. Under the Directory:

My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

There is a line for:
Name: Userinit
Type: REG_SZ
Data: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\antinul.vbe,

Can I delete this line safely?

#6 Zllio
  • Members
  • 1,107 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 01 July 2009 - 02:00 AM

Hi lost in africa,

Without a log showing your Winlogon keys, I don't know if deleting that would delete your userinit file, which you don't want to do. Let me ask. I'll get back to you.

Thanks.
Zllio

#7 Zllio
  • Members
  • 1,107 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 01 July 2009 - 03:55 PM

Hi lost in africa,

I'm not sure which antivirus program you're using. Avast picks up this virus file and will quarantine it for you, but you cannot have two antivirus programs on your computer at once. If you don't have an antivirus program, then I can definitely recommend Avast!

Please go to C:\WINDOWS\system32\antinul.vbe and right click on antinul.vbe and select rename.
Rename it to antinul.vbe.zzz and see if when you reboot, the warning quits.

Zllio

#8 lost in africa
  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 05 July 2009 - 02:50 AM

Hi Zllio,
Thanks for all your help. I have AVG, Spybot, Ad-Aware, and now MBAM on my computer. For whatever reason, the computer automatically freezes after being on-line for too long (old problem), so I try not to download programs from that computer if I don't have to. I do most of my internet work from another computer - which has a super slow internet connection.

Before I started this post, I already deleted "C:\windows\system32\antinul.vbe". I tried to make a new file called "C:\windows\system32\antinul.vbe.zzz" but it didn't change anything. The exact warning I get is this:

Windows Script Host
Can not find script file "C:\WINDOWS\system32\antinul.vbe".

Otherwise, everything else seems to be working fine.

#9 Zllio
  • Members
  • 1,107 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 05 July 2009 - 06:27 AM

Hi lost in africa,

AdAware is a program you can remove. Anything AdAware can find, MalwareBytes can find. AdAware has not kept current. ATF Cleaner will allow you to clean out all your temporary and temporary internet files and this is a place where malware hides out so it can get going. I highly recommend going ahead with that. The computer freezing after being online too long could be related to it not being able to handle all the internet files coming in. Also, be sure your history is set very low and that you use bookmarks instead.

As for the registry entry which includes antinul.vbe, I want to make sure I'm advising you correctly about this. Thanks for being patient.

Zllio

#10 Zllio
  • Members
  • 1,107 posts
  • OFFLINE
  • Local time:12:32 AM

Posted 08 July 2009 - 04:30 AM

Hi lost in africa,

Sorry it took me some time to get back to you.

Do you have both of the following entries in your registry, or only the one you mentioned? I'll show you how to check:

Go to Start > Run and type in regedit and then click on OK.
In the window that opens up, navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Click on Winlogon and look at the right side of the window.

See if both of the following occur or only one:

C:\WINDOWS\system32\userinit.exe,

C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\antinul.vbe,



Zllio

#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:32 AM

Posted 08 July 2009 - 08:43 PM

Hello lost in africa.

If you are still with us, please follow the directions below for removing that error.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes only if you are using Windows XP. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished, you may, remove ERUNT using Add/Remove Programs.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.

With Regards,
The Panda
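
The posts above (the Userinit value reported in #5, the check in #10, the fix.reg script in #11, and the two policy values MBAM reset in the #3 log) are the kind of thing a responder checks on many machines, so here is an added example that is not from this thread or from any of the tools it names. It is a small Python audit script: it splits a Winlogon Userinit value the way Windows does (comma-separated, trailing comma), flags anything other than the stock userinit.exe regardless of letter case, reports which of the DisableRegistryTools / NoFolderOptions restrictions are switched on, and builds the same REGEDIT4 restore script with the doubled backslashes that .reg string data requires. The function names, the POLICY_LOCKOUTS table and the sample value are my own constructions; on a Windows host it reads the live values through the standard winreg module, elsewhere it runs against the constructed sample.

```python
# Added example (not from the BleepingComputer thread): audit helpers for the
# two registry problems discussed above. All sample values below are
# constructed from what the thread reports, not read from a real machine.
from typing import Dict, List, Optional

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion"

# HKCU policy values that MBAM reset in the log above (1 = restriction on).
POLICY_LOCKOUTS = {
    r"Policies\System\DisableRegistryTools": "Registry Editor blocked",
    r"Policies\Explorer\NoFolderOptions": "Folder Options menu hidden",
}


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value; the trailing comma Windows
    writes produces an empty item, which is dropped."""
    return [item.strip() for item in value.split(",") if item.strip()]


def unexpected_userinit_entries(value: str, windir: str = r"C:\WINDOWS") -> List[str]:
    """Return every Userinit entry other than the stock userinit.exe.
    Comparison is case-insensitive because registry paths are."""
    expected = (windir.rstrip("\\") + r"\system32\userinit.exe").lower()
    return [e for e in parse_userinit(value) if e.lower() != expected]


def active_lockouts(policy_values: Dict[str, int]) -> List[str]:
    """Describe which of the known policy restrictions are switched on.
    A missing value counts as 0, i.e. restriction off."""
    return [desc for path, desc in POLICY_LOCKOUTS.items()
            if policy_values.get(path, 0) != 0]


def fix_reg_script(windir: str = r"C:\WINDOWS") -> str:
    """Build the same REGEDIT4 script the thread uses to restore Userinit.
    In .reg string data every backslash must be doubled; key paths are not.
    CRLF line endings keep Notepad on XP happy."""
    data = (windir.rstrip("\\") + r"\system32\userinit.exe,").replace("\\", "\\\\")
    return ("REGEDIT4\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\" + WINLOGON_KEY + "]\r\n"
            '"Userinit"="' + data + '"\r\n')


def read_live_values() -> Optional[Dict[str, object]]:
    """On a Windows host, read the real values with the standard winreg
    module; elsewhere return None so the parsing code is still usable."""
    try:
        import winreg
    except ImportError:
        return None
    result: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        result["Userinit"] = winreg.QueryValueEx(key, "Userinit")[0]
    policies: Dict[str, int] = {}
    for rel_path in POLICY_LOCKOUTS:
        subkey, name = rel_path.rsplit("\\", 1)
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                POLICY_BASE + "\\" + subkey) as key:
                policies[rel_path] = int(winreg.QueryValueEx(key, name)[0])
        except OSError:
            policies[rel_path] = 0  # key or value absent: restriction off
    result["policies"] = policies
    return result


if __name__ == "__main__":
    # Constructed sample: the value lost in africa reported in post #5.
    sample = (r"C:\WINDOWS\system32\userinit.exe,"
              r"C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\antinul.vbe,")
    live = read_live_values()
    userinit = str(live["Userinit"]) if live else sample
    extras = unexpected_userinit_entries(userinit)
    for extra in extras:
        print("unexpected Userinit entry:", extra)
    for desc in active_lockouts(live["policies"] if live else {}):
        print("policy restriction active:", desc)
    if extras:
        print(fix_reg_script())
```

Run without arguments; on a non-Windows machine it reports the wscript.exe entry from the constructed sample and prints the restore script. The script only reads the registry and prints; applying fix.reg stays the manual step PropagandaPanda describes, after an ERUNT backup.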

#12 lost in africa
  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 09 July 2009 - 03:43 PM

Thanks all
I did what you said and now that error message is gone!

thanks for all the advice!

#13 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:32 AM

Posted 09 July 2009 - 08:13 PM

Hello lost in africa.

Glad that was fixed. Credit for the registry fix goes to Zllio.

I would still suggest running an online scan to check for anything left. There were directions for Panda scan in this post. I'll leave that up to you though.

Enough of me around. Back to you Zllio.

With Regards,
The Panda

#14 Zimbo
  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:32 AM

Posted 31 August 2009 - 02:42 AM

I am working through these instructions for the same problem on my wife's laptop. Thank you for your comprehensive instructions.

In the process of going through these steps, I ran ATF and the ActiveScan on my machine, just for interest. I use ESET NOD32 on my machine (Windows XP) and have done so from when I got it new. Although the process is still running as I type this, the ActiveScan has already detected 2 infected files, 1 suspicious file and 10 vulnerabilities. My question is this: how come the ActiveScan has detected infected files, when my ESET updates itself regularly during the day over the internet and has been installed from when I first got the machine?

I don't feel as if my machine has a virus on it in the sense that there is no unusual activity. With absolutely no disrespect for PandaSecurity I am always suspicious when the next step in a process involves paying money as is the case with the disinfection advice from ActiveScan. I am sure that the process is legitimate, but in theory I have already shelled out for antivirus software.


Many thanks
Zimbo

#15 Zimbo
  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:32 AM

Posted 31 August 2009 - 06:31 AM

Ok, after the ActiveScan finished I looked at the results and am not so worried after all. The two threats were adware as opposed to viruses, and the vulnerabilities were update patches for IE, which I do not use anyway. So much happier.

By the way the antinul.vbe problem has been sorted out on my wife's machine. Thank you very much for the help.

Zimbo



