Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

need urgent help. win32.exe virus?


  • Please log in to reply

#16
shinakuma9

shinakuma9

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 165 posts
Ok here is the processor file.

There is a folder in kernels that has a bunch more files.
Screenshot here:

http://imgur.com/DHi7A

Attached Files


  • 0

Advertisements


#17
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,888 posts
  • MVP
OK this one calls win32.exe and apparently has it contact an address in the Czech Republic. It also talks to deepbit.net which has something to do with BitCoins so possibly this is trying to steal any BitCoins you may have. I think the files you show are written in Python so it's possible you can read them if you rename them to .txt and then read them in notepad. Or you could just delete the whole folder.


I also found this write up on a similar infection:

http://www.extermina...emove-poisonivy

At least it uses the same vbs file. You might check and see if you have any of the same files.


Combofix deleted a bunch of Python files (which came back) but they appear to be part of Google Drive.
  • 0

#18
shinakuma9

shinakuma9

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 165 posts
So I can delete the whole kernels folder?

Also what do you mean that these python files are part of google drive? Does google drive have something to do with the problem at all?
  • 0

#19
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,888 posts
  • MVP
Sorry for the delay. Had to go off-island to pick up my wife from the Seattle airport.

These are all Python files:

MOD - [2012/11/26 22:51:53 | 001,024,024 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\windows._cacheinvalidation.pyd
MOD - [2012/11/26 22:51:53 | 000,792,576 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._gdi_.pyd
MOD - [2012/11/26 22:51:53 | 000,731,136 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._misc_.pyd
MOD - [2012/11/26 22:51:53 | 000,645,120 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\_ssl.pyd
MOD - [2012/11/26 22:51:53 | 000,571,392 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\pysqlite2._sqlite.pyd
MOD - [2012/11/26 22:51:53 | 000,354,304 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\pythoncom26.dll
MOD - [2012/11/26 22:51:53 | 000,263,168 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32com.shell.shell.pyd
MOD - [2012/11/26 22:51:53 | 000,110,592 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32security.pyd
MOD - [2012/11/26 22:51:53 | 000,110,592 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\PyWinTypes26.dll
MOD - [2012/11/26 22:51:53 | 000,096,256 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32api.pyd
MOD - [2012/11/26 22:51:53 | 000,086,016 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\_elementtree.pyd
MOD - [2012/11/26 22:51:53 | 000,073,728 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\_ctypes.pyd
MOD - [2012/11/26 22:51:53 | 000,070,656 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._html2.pyd
MOD - [2012/11/26 22:51:53 | 000,040,448 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\_socket.pyd
MOD - [2012/11/26 22:51:53 | 000,023,040 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32ts.pyd
MOD - [2012/11/26 22:51:53 | 000,017,920 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32profile.pyd
MOD - [2012/11/26 22:51:53 | 000,011,776 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32crypt.pyd
MOD - [2012/11/26 22:51:49 | 000,022,528 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32pdh.pyd
MOD - [2012/11/26 22:51:47 | 001,169,408 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._core_.pyd
MOD - [2012/11/26 22:51:47 | 000,036,352 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32process.pyd
MOD - [2012/11/26 22:51:46 | 000,807,424 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._windows_.pyd
MOD - [2012/11/26 22:51:46 | 000,311,808 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\_hashlib.pyd
MOD - [2012/11/26 22:51:46 | 000,121,856 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._wizard.pyd
MOD - [2012/11/26 22:51:44 | 000,111,104 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32file.pyd
MOD - [2012/11/26 22:51:43 | 000,039,424 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32inet.pyd
MOD - [2012/11/26 22:51:41 | 001,056,256 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._controls_.pyd
MOD - [2012/11/26 22:51:41 | 000,585,728 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\unicodedata.pyd
MOD - [2012/11/26 22:51:41 | 000,153,088 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\pyexpat.pyd
MOD - [2012/11/26 22:51:41 | 000,017,920 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32event.pyd
MOD - [2012/11/26 22:51:41 | 000,011,776 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\select.pyd

Supposedly part of Google Drive.

Python is just a programing language and not inherently evil. It appears that the files in kernels are also written in Python but I think it's just a coincidence.

All files in C:\kernels are part of the malware so they and the folder itself can all be deleted.

That should remove the last of the infection that we can see.
Unless you see other problems I think we are done and can clean up

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That will get the last of the malware off the system.



You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.

OTL has a cleanup tab but DO NOT USE IT!. There are reports that it leaves the PC unbootable. Instead just delete OTL.exe and the folder c:\_OTL.

To hide hidden files again:

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
Seems to work best if Firefox is the default browser. You can also try Secunia PSI http://secunia.com/v...l/download_psi/ Same kind of info. You don't need both.
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Special note on Java. If you have Java installed it must be 7 update 9 or newer. All old versions must be removed.
These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.

Make sure Windows Updates is turned and that it works. Go to Control panel, Windows Updates and see if it works. http://support.microsoft.com/kb/294871

You definitely need to have KB2744842. This patches a major flaw in IE.

My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's a local environmental organization that I volunteer with: http://www.kwiaht.org/donate.htm
(The name means something like "clean place" in one of the local native-American dialects)

Ron
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP