Windows 7 Forums



Windows 7: Does anyone recognize these three infections? Google doesn't

27 Aug 2011   #1
RknRusty

Windows 7 Home Premium - always up to date
 
 
Does anyone recognize these three infections? Google doesn't

c:\users\rusty\appdata\local\ojimocin.dll

c:\users\rusty\appdata\local\ehevurijanoxoz.dll

c:\users\rusty\appdata\local\ayimeqaguvi.dll

The last one got caught by NIS when I booted this morning. The other two got caught together a week ago. After the first incident I did full scans with Malwarebytes and Super Antispyware. Only one non threatening tracking cookie was picked up by Super. Norton has run full scans since the first incident and come up clean too.

The usual 54 services are listed in Process explorer.


27 Aug 2011   #2
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Hi,

What size are these files? If less than 20MB, upload them here for a more comprehensive scan:

VirusTotal - Free Online Virus, Malware and URL Scanner

This is another newer one just come online too:

http://www.metascan-online.com/index.cgi

Regards,
Golden
27 Aug 2011   #3
GEWB

Linux (Mint is primary) / XP, Win7 Home / Win7 Pro, Ultimate / Win8.1 / Win10 archived VM
 
 

My best guess is a polymorphic virus. These can be very difficult to identify and stubborn to eradicate. I would try using a live Linux disk (or USB) such as Puppy Linux then install one of many AV programs and run it against your hard disk.

Regards,
GEWB

27 Aug 2011   #4
Bill2

Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
 
 

I agree with Golden on what you should do. Having said that, appdata\local is one of the folders where applications store their local-machine-only settings. Appdata\Roaming is used by default by most apps; Local only stores settings that are volatile or easily regenerated, AFAIK. So theoretically it should be safe to delete anything under Appdata\local. You can try backing up these DLLs to external media, then delete them from the hard disk and wait for a disaster to happen. If it does, you can restore the files.
27 Aug 2011   #5
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

I did a search here for the .dll's:

ThreatExpert - Automated Threat Analysis

but didn't find anything. It would be useful to know what family NIS flagged them as....might help us narrow it down a bit more.

Can you elaborate on where you suspect you might have picked these up from?

Regards,
Golden
27 Aug 2011   #6
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote: Originally Posted by GEWB
My best guess is a polymorphic virus. These can be very difficult to identify and stubborn to eradicate. I would try using a live Linux disk (or USB) such as Puppy Linux then install one of many AV programs and run it against your hard disk.

Regards,
GEWB
Good guess! Definitely bad malware.
27 Aug 2011   #7
RknRusty

Windows 7 Home Premium - always up to date
 
 

Thanks everybody. I'll investigate it more this evening. If I get too worried about it I have a two-week-old Acronis image of the whole system ready to go. That's probably the most sure-fire fix. If I format my drive before I run the backup, is there anything else I can do to make sure the bugs are vaporized? I remember back in the old days, I used to power down in the middle of a format to make sure they weren't hiding in RAM waiting to jump back on after the format was done. Any reason to do that these days?

I'm very vigilant against this kind of thing, but I moderate a forum and sometimes I have to click links I wouldn't otherwise follow. Right after I opened one is when the first of these showed up. Since then the other two have been caught. I'll post back if I turn up any useful information.
27 Aug 2011   #8
GEWB

Linux (Mint is primary) / XP, Win7 Home / Win7 Pro, Ultimate / Win8.1 / Win10 archived VM
 
 

Sounds like it could be Conficker, variant C, D or E (associated with the Waledac family of malware and its Storm botnet). "E" was discovered at the beginning of this month, whereas "C" and "D" have been around for a while.

Also note that a new tool to rewrite viruses as polymorphic (and running in memory) has been in the wild for several months. This has made it fairly easy to recycle older code into new threats very quickly.


Symantec published this in their July analysis:
This month’s analysis reveals a significant increase in activity related to what may be described as an aggressive and rapidly changing form of generic polymorphic malware. With one in 280.9 emails identified as malicious in July, the rise accounted for 23.7 percent of all email-borne malware intercepted in July; more than double the same figure six months ago, indicating a much more aggressive strategy on the part of the cyber criminals responsible.

The report shows that the malware is frequently contained inside an executable within the attached ZIP archive file, and often disguised as a PDF file or an office document, for example. “This new aggressive approach to distributing generic polymorphic malware on such a scale should be concerning for many businesses, particularly for those who rely solely on more traditional security countermeasures, which this type of malware is designed to evade. One example of this technique involves changing the startup code in almost every version of the malware; subtly changing the structure of the code and making it harder for emulators built-in to many anti-virus products to identify the code as malicious.”

“Polymorphic malware is a way for malware writers to write their malware so that each particular malware is different from the last. So, although the malicious code does the same thing – infect your computer – each program that the malware writer is producing is acting in a slightly different way”, explained Lee, senior software engineer at Symantec.cloud.
For example, when variant C is executed, the worm copies itself as a randomly named DLL to:

[System]\randomname (preferred location) or

[Program Files]\Internet Explorer\randomname or
[Program Files]\Movie Maker\randomname (50% chance of each), or

[Application Data]\randomname, or

[Temp]\randomname

(Sounds familiar, doesn't it?)

Some GENERAL notes about current polymorphics:

> Can be memory resident (which is why I use a Live Linux disk for removal)
> New threats are created very quickly (i.e., zero-day exploits)
> P2P systems and email attachments are popular attack vectors

Regards,
GEWB
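A defender-side triage script for the kind of loose DLLs this thread is about, added here as an example and not code from the thread or from any poster: it lists DLLs sitting directly in the drop folders GEWB quotes (plus %LOCALAPPDATA%, where the OP's three files were) and hashes them for a VirusTotal or ThreatExpert lookup, as Golden suggests, without uploading anything. The folder list, the random-name heuristic and the sample files built by demo() are assumptions constructed for this example.

```python
"""Triage helper for loose DLLs in the drop folders named in this thread. Added
example, not from the thread; demo() uses constructed files, not real ones."""
import hashlib, os, re, tempfile
from pathlib import Path

# Any DLL lying directly in these roots is abnormal: apps use subfolders.
USER_DIRS = ["%LOCALAPPDATA%", "%APPDATA%", "%TEMP%"]
# These legitimately hold DLLs, so only odd-looking names are flagged.
SYSTEM_DIRS = ["%SystemRoot%\\System32", "%ProgramFiles%\\Internet Explorer",
               "%ProgramFiles%\\Movie Maker"]
# ojimocin-style names: lowercase letters only, no digits, vowel ratio 0.3-0.6.
RANDOM_NAME = re.compile(r"^[a-z]{6,20}$")   # a ranking hint, not a verdict

def looks_random(stem):
    if not RANDOM_NAME.match(stem):
        return False
    return 0.3 <= sum(c in "aeiou" for c in stem) / len(stem) <= 0.6

def sha256_of(path):
    """Hash for a VirusTotal/ThreatExpert lookup without uploading the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_dirs(dirs, any_loose_dll=False):
    """Return [(name, sha256, suspicious)] for DLLs directly inside dirs."""
    out = []
    for d in dirs:
        base = Path(os.path.expandvars(d))
        if not base.is_dir():             # unexpanded %VAR% off Windows: skip
            continue
        for p in sorted(base.iterdir()):  # top level only, never recursive
            if p.is_file() and p.suffix.lower() == ".dll":
                out.append((p.name, sha256_of(p),
                            any_loose_dll or looks_random(p.stem.lower())))
    return out

def demo():
    """Constructed stand-in for %LOCALAPPDATA% holding one of the OP's names."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "ojimocin.dll").write_bytes(b"MZ\x90\x00 constructed sample")
    (tmp / "readme.txt").write_bytes(b"not a dll")
    return scan_dirs([str(tmp)], any_loose_dll=True)

if __name__ == "__main__":
    for name, digest, flag in scan_dirs(USER_DIRS, True) + scan_dirs(SYSTEM_DIRS):
        print("SUSPECT" if flag else "       ", name, digest)
```

Run from a live Linux disk against the mounted Windows volume, pass the mounted paths to scan_dirs() in place of the %VAR% entries, since the Windows environment variables will not expand there.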
27 Aug 2011   #9
GEWB

Linux (Mint is primary) / XP, Win7 Home / Win7 Pro, Ultimate / Win8.1 / Win10 archived VM
 
 

Quote: Originally Posted by RknRusty
I'm very vigilant against this kind of thing, but I moderate a forum and sometimes I have to click links I wouldn't otherwise follow. Right after I opened one is when the first of these showed up.
Can you use a live bootable OS to moderate your forum or is a Microsoft OS required? Just a thought...

Regards,
GEWB
27 Aug 2011   #10
RknRusty

Windows 7 Home Premium - always up to date
 
 

That's a good idea. I can use Ubuntu on a flash drive. It has Mozilla which will work fine. Never thought of it, thanks for the tip.