Hi everyone,
Noob here... ;)
http://www.megafileupload.com/en/file/2 ... e-zip.html
Hope that is allowed. I ran GMER on my system and found iexplore.exe running on it as a hidden process. I believe this is the version that got infected. Will try again tomorrow with a fresh copy and will see if the result is the same. I am 99% sure it will be. Only "but" is that I was (am) very tired and might have ffed up in the copying last week... ;)
Anyway, I found hidden iexplore.exe processes on my system (multiple) and when I took a good look at the .exe the IE icon was gone from this one, while other copies still have the icon shown even as a standalone exe (I assume it's embedded within). The size on disk for both is shown as 624kb but they differ a tiny bit when compared closely. When uploaded to Jotti the results are:
http://virusscan.jotti.org/en/scanresul ... a035a41598
That one is an iexplore.exe file which is 624kb on disk BUT has its embedded IE icon missing when shown in explorer (the iexplore.exe that is infected presumably)
http://virusscan.jotti.org/en/scanresul ... ed8fc06a6a
And that one is ALSO 624kb on disk BUT has its IE icon like it should.
When I run AVZ I get a ridiculous amount of fake processes which have no name. No security software is installed ATM on that system. It was running Spybot S&D and MSE and SAS (bought and paid for so resident protection). It passed them all. Spybot S&D was not resident... so does not count I guess. Vista 32bit.
Only reason I found out is because I heard an incredibly stupid "farm" tune (as in.... hmz... a commercial for FarmVille or some rip-off) while listening to a podcast. I thought someone at the PC was messing around so after a basic running process check I thought all was ok. Later on I noticed the stupid song again. Ran GMER: hidden IE processes. When I try to end them they just pop up again and again, even more than before. Also, but I need to recreate and write down, a "GoogleUpda" process (in red) was shown all of a sudden when refreshing the process tab in RootRepeal. So maybe it also interacts with that as a fallback mechanism?
I read on this forum (TDSS topic) about attaching a debugger to a process, but I am such a noob still that it doesn't really get me anywhere, although I do find the process fascinating, so I am reading up and trying out stuff (I am no programmer, I could not focus when I was younger and did some BASIC and Pascal, and regret not going upwards to C or assembler by now. Have regretted it on multiple occasions by now, so I think I'll at least try and stick with a bit of fooling around with a debugger).
Apart from the hidden IE process, what makes me focus on this file is the missing icon, its file size and the fact that it is not even recognized as a valid Win32 executable anymore. Which, to my inexperienced mind, can only mean three things: the file got corrupted during the copying of it, which seems highly unlikely since I only moved it from dir to dir (I did this on reboot, in hopes of crippling the infection, which worked because now I CAN run OTL and GMER and RootRepeal and AVZ without the system rebooting; when iexplore.exe is in place I cannot, the screen corrupts for a short second and then the system reboots). Or the file is 600 and a bit of IE code and a small bit of redirection code somehow? Or the whole file is just 624kb of virus which also behaves as a true IE, since I could run IE normally as far as I could tell.
The download link for the infected or defective IE file is in this post; tomorrow I will put a clean copy back on the system and see what happens to it. Then I will post that one and the clean copy also. If any of you could take a look at it... I am very curious, but seem (not yet) to be able to. I was not able to make anything strange out of dumping the text strings in the file.
Whichever virus scanner I try (MBAM, ESET, BD, SAS, MSSE, AVZ, TDSS scanners etc.) on my system, nothing comes up. I have run OTL and the problem is still there. And although no hidden IE process is shown in GMER (the process ID could be found in PXplorer but came up empty/error on the process itself), AVZ DOES show a whole bucketload of hidden/false "noname" -> "" processes. I'll post a log when I wake up.
If anyone knows what is going on, maybe this is a new infection of some kind.... Although I do not know how it has entered the system. Possibly via Java since I was not totally up to date on that one. I'd appreciate it if some of you would take a look. I mean... reinstalling the system is easy enough and by far much quicker than the time that has gone into this already. But this is more of a challenge, more interesting. But I appear not to be able to do this myself yet.
Thanks and best regards,
Every1is=
edit: scanning was also done via Linux live CDs and via a SATA-to-USB adapter and run under Windows as an external drive, in depth. I am truly at a loss. It must be getting or giving or redirecting some calls somehow, right?
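The post's observations (same 624kb size, icon gone, "not a valid Win32 application") are exactly what a quick header triage of the two iexplore.exe copies would confirm or rule out. This added example is not from the poster; it checks the MZ/PE/PE32 headers of a file and lists the byte ranges where two same-size copies differ, using a constructed minimal PE32 as a stand-in for the real binaries (hash the real suspect and known-good copies the same way, offline).

```python
import hashlib
import struct

def pe_sanity(data: bytes) -> dict:
    """Check the headers a loader checks first: MZ stub, PE signature, PE32 magic."""
    info = {"mz": False, "pe": False, "pe32": False, "sections": 0,
            "sha256": hashlib.sha256(data).hexdigest()}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info                                   # not even a DOS stub
    info["mz"] = True
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info                                   # Windows says "not a valid Win32 application"
    info["pe"] = True
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info["sections"] = nsec
    if opt_size >= 2:
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
        info["pe32"] = magic == 0x10B                 # 0x10B = PE32 (32-bit image, e.g. Vista x86)
    return info

def diff_ranges(a: bytes, b: bytes) -> list:
    """Byte ranges [start, end) where two same-size files differ; [] means identical."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    return ranges

def build_minimal_pe() -> bytes:
    """Constructed sample: a minimal PE32 header, stand-in for a real iexplore.exe."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                   # PE32 magic, rest zeroed
    section = b".text\0\0\0" + b"\0" * 32                          # one IMAGE_SECTION_HEADER
    return dos + coff + opt + section

CLEAN = build_minimal_pe()
CORRUPT = bytearray(CLEAN)
CORRUPT[0x40:0x44] = b"XXXX"       # constructed: same size, but the PE signature is gone
CORRUPT = bytes(CORRUPT)
```

A file that fails the `pe` check while keeping its size is what the poster describes; comparing `diff_ranges` against a known-good copy shows whether the damage is a few header bytes or scattered through the image.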