Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with virus hosted in task scheduler : rundll32 (...)


  • This topic is locked This topic is locked
6 replies to this topic

#1 xterz

xterz

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:13 AM

Posted 16 January 2017 - 11:38 AM

Hello  i've recently found out im infected. 

At start i started to find my ping fluctuating in games ( my upload rate is low as my bandwidth ) 

so i decided to take a look at my running process and found rundll32.exe running with a suspicious command line "C:\Windows\system32\rundll32.exe "C:\ProgramData\8a2y8r0\8a2y8r0.dll",ayreb" ( directing to an hidden folder with an random dll ) and a temp file runming  ( ex : g988.temp.exe ) what shock me was that malwarebytes didn't accuse of nothing despite being updated.

I took a deeper look using ProcessExplorer and confirmed by submitting the suspicious dll to virus total that was in fact an trojan ( ProcessExplorer allows to see running network activity of .exe -> dll ) downloading and uploading stuff.

I downloaded nod32 that in fact detected it and deleted it ( some temp files and the dll ) but left behind the hidden folder with an non executable temp file ( i deleted all of it ) , i took a look at task scheduler and there it was 8a2y8r0 ( probly the reason i see rundll32 runing every reboot )

Booted eset sysrescue live with an usb and did let it run overnight, but rundll32 is still here.

Fired up ComboFix but didnt found nothing so i booted FRST64 that found traces of it and firewall rules.

PS: There seems to be also Zam guard stuff and i have no idea what they are but as i remember i never have installed it.

 

I apologize for any grammar error english not my main xd

Attached Files


Edited by xterz, 16 January 2017 - 11:39 AM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:13 AM

Posted 17 January 2017 - 09:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2661263523-112610016-3866790350-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Pagamentos via Chrome Web Store) - C:\Users\Sblck\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-09-27]
CHR Extension: (Chrome Media Router) - C:\Users\Sblck\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-17]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {2E34D76F-2F8A-4EA5-96D9-C90EBBAF23D8} - System32\Tasks\8a2y8r0 => Rundll32.exe "C:\ProgramData\8a2y8r0\8a2y8r0.dll",ayreb <==== ATTENTION
HKU\S-1-5-21-2661263523-112610016-3866790350-1000\Software\Classes\regfile: regedit.exe "%1" <===== ATTENTION
C:\ProgramData\8a2y8r0

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 101 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
===

Please let me know if the problem persists with this computer.

#3 xterz

xterz
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:13 AM

Posted 18 January 2017 - 05:10 PM

Hello and thank you nasdaq for your response ! 

I've done everything you said is there any more steps to verify im 100 % clear of any virus after this ?

Btw here's the log:

 

 

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:13 AM

Posted 19 January 2017 - 09:43 AM

I see clean logs. Lets find out if anything is hiding.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Windows XP:
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.

#5 xterz

xterz
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:13 AM

Posted 19 January 2017 - 07:48 PM

Thanks once again. Some couple erros opening volumes information besides that found and trojan ( i think it might be a false positive but im taking no risks ).

The log follows as an attachment.

 

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:13 AM

Posted 20 January 2017 - 09:13 AM

Download Delfix from this site.
https://www.bleepingcomputer.com/download/delfix/

DelFix is a tool developed by Xplode, the makers of AdwCleaner, which can remove all portable virus cleaning and disinfection tools youve ever used. It will also reset the restore points of your computer systems making it even safer.

The program makes some other adjustments to your PC too which include:

Activate UAC: It activates the user account control after cleaning the log files and the unnecessary clutter in your PC.
Remove disinfection tools: Removes the tool youve ever used to disinfect your PC.
Create registry backup: The program creates a registry backup and stores it under % windir% \ ERUNT \ DelFix.
Purge system restore: Deletes all your older restore points and creates a fresh one.
Reset system settings: It resets the system settings after the removal process is completed.


Just download the program and run it on your computer system. There is a default check-mark on feature Remove disinfection tools and you need to check other feature manually before running the program should you wish to. Wait for a few minutes and your computer system will be free of all unnecessary files.

#7 xterz

xterz
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:13 AM

Posted 22 January 2017 - 07:46 PM

OK everything is done, i guess we can close this thread ?

Thank you for everything you've been very kind and helpful.

Best regards.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users