activexdebugger32.exe/NESNELER.EXE bug secretly shares HDDs over the 'net

  • Question

  •
    Have been fighting this bug for several days now:

    Run > CMD - "net share" shows both HDDs as shared 'unlimited' as "Patron1" and "Patron2" - "Rockstar"

    Entered 'net share c:\ /delete' and 'net share d:\ /delete'

    Deleted following files:

    c:\windows\system32 - activexdebugger32.exe

    c:\Documents and Settings\Local Settings\Temp\ - NESNELER.EXE (meaning objects.exe in Turkish)

    Deleted all the files under C:\windows\system32\ named: Ijl11.dll, KMON.OCX, KTKBDHK3.DLL, MSWINSCK.OCX, PAC, scrrntr.dll, scrrun.dll

    Also cleared registry of any sign of these files (using F3 search/delete)

    Obviously there is another file somewhere on the machine that reloads this bug; haven't been able to find it...

    had hoped that OneCare Antivirus would find and destroy it... it finds nothing... even when I can find this stuff manually...

    any ideas??

    John

    Tuesday, April 22, 2008 9:41 AM

Answers

All replies

  • BTW... I have found this bug on several machines... mine is not normally connected to the 'net... I have to carry it to the internet cafe when doing major tuneups/downloads, etc.

    I have also found this on machines that I have never shared data with; i.e. pendrives, cd/dvds, etc.

    Haven't yet found the common denominator... with the exception that all have had some kind of contact with the 'net

    Avast! detects and stops it, but does not remove it... and I suspect allows transfer of the bug to other machines (again, via pendrive/memory stick, cdr, dvdr, etc.)

    Tuesday, April 22, 2008 9:57 AM
  •
    I guess it's classified as a Trojan...

    Also deleted c:\windows\system - ACD.CMD and ACD2.CMD

    When deleting scrrun.dll (from \system32\)... scrrun.dll will pop up in the same spot after about 20 seconds...

    hmmm...

    Not sure if any of this is relevant...


    RASACD.reg

    RasMan.reg

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{79F35C0F-1744-4E04-A18C-9EA4AE7BAB0A}

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{79F35C0F-1744-4E04-A18C-9EA4AE7BAB0A}\Ndi

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{79F35C0F-1744-4E04-A18C-9EA4AE7BAB0A}\Ndi\Interfaces

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{79F35C0F-1744-4E04-A18C-9EA4AE7BAB0A}\Ndi\Interfaces

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{79F35C0F-1744-4E04-A18C-9EA4AE7BAB0A}\Ndi\Interfaces

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{79F35C0F-1744-4E04-A18C-9EA4AE7BAB0A}\Ndi

    HKEY_USERS\S-1-5-21-796845957-789336058-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*

    This is from the CMD prompt:


    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\John>net share

    Share name   Resource                        Remark

    -------------------------------------------------------------------------------
    IPC$                                         Remote IPC
    PATRON1      d:\                             RockStar
    PATRON2      c:\                             RockStar
    The command completed successfully.


    C:\Documents and Settings\John>net share c:\/delete
    The syntax of this command is:


    NET SHARE
    sharename
              sharename=drive:path [/USERS:number | /UNLIMITED]
                                   [/REMARK:"text"]
                                   [/CACHE:Manual | Documents| Programs | None ]
              sharename [/USERS:number | /UNLIMITED]
                        [/REMARK:"text"]
                        [/CACHE:Manual | Documents | Programs | None]
              {sharename | devicename | drive:path} /DELETE


    C:\Documents and Settings\John>net share d:\/delete
    The syntax of this command is:


    NET SHARE
    sharename
              sharename=drive:path [/USERS:number | /UNLIMITED]
                                   [/REMARK:"text"]
                                   [/CACHE:Manual | Documents| Programs | None ]
              sharename [/USERS:number | /UNLIMITED]
                        [/REMARK:"text"]
                        [/CACHE:Manual | Documents | Programs | None]
              {sharename | devicename | drive:path} /DELETE


    C:\Documents and Settings\John>net share

    Share name   Resource                        Remark

    -------------------------------------------------------------------------------
    IPC$                                         Remote IPC
    PATRON1      d:\                             RockStar
    PATRON2      c:\                             RockStar
    The command completed successfully.


    C:\Documents and Settings\John>

     

    ...for what it's worth

    may need different AntiVirus software

    Tuesday, April 22, 2008 11:30 AM
  •
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\John>net share

    Share name   Resource                        Remark

    -------------------------------------------------------------------------------
    IPC$                                         Remote IPC
    PATRON1      d:\                             RockStar
    PATRON2      c:\                             RockStar
    The command completed successfully.

    C:\Documents and Settings\John>net share c:\ /delete
    PATRON2 was deleted successfully.
    c:\ was deleted successfully.

    C:\Documents and Settings\John>net share d:\ /delete
    PATRON1 was deleted successfully.
    d:\ was deleted successfully.

    C:\Documents and Settings\John>net share

    Share name   Resource                        Remark

    -------------------------------------------------------------------------------
    IPC$                                         Remote IPC
    The command completed successfully.

    C:\Documents and Settings\John>

    Tuesday, April 22, 2008 12:08 PM
  • Follow the instructions in this post, http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=662566&SiteID=2, to report a virus that is not cleaned by OneCare and to get help in removal.

    -steve

    Tuesday, April 22, 2008 4:16 PM
    Moderator
  • ...think there may be more than 2 scenarios...

    True Negative(?) - OneCare does not detect a real/true infection detected by users and/or by third-party software...

    (assuming that a True Positive is OneCare detects and removes...)

    Discovered: June 28, 2007
    Updated: June 29, 2007 7:59:49 AM
    Also Known As: W32/Amca-A [Sophos]
    Type: Worm
    Infection Length: 376,832 bytes
    Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

    Once executed, the worm creates the following files:
    • %Temp%\NESNELER.EXE
    • %System%\PAC.EXE
    • %System%\[ORIGINAL FILE NAME]
    • %System%\lil11.dll
    • %System%\MSWINSCK.OCX
    • %System%\scrrntr.dll
    • %System%\KMON.OCX
    • %System%\KTKBDHK3.DLL
    • %System%\ACD.CMD
    • %System%\ACD2.CMD


    The worm then modifies the following registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe [ORIGINAL FILE NAME]"

    Next, the worm spreads through network shares protected by weak passwords.

    The worm then spreads through removable storage devices by creating the following file and setting the attributes to hidden:
    [DRIVE LETTER]\activexdebugger32.exe

    The worm also creates the following file so that it executes whenever the removable device is used on another computer:
    [DRIVE LETTER]\Autorun.inf

    The worm then opens a back door and allows a remote attacker to gain access to the compromised computer.

    It may attempt to steal sensitive information from the compromised computer and send it to a remote attacker via email.

    It may also attempt to download a file from an FTP site to the following location:
    %System%\RNSR.EX

     

    ++++++++++++++++++++++++++++++++++++++++

    (this is a copy/paste from Symantec's website); Avast!, along with several dozen other websites, lists this infection and some of the removal processes... last night, I removed this and 'AMVO.EXE' on a friend's machine with a combination of running the free version of Avast and editing the registry (regedit > search "activexdebugger32" > F3 > delete, etc.)...

    However, when running cmd > net share, I still see the C: and D: drives as "shared", "unlimited" as "Patron1" and "Patron2" and an ID as 'Rockstar'

    Wednesday, April 23, 2008 8:53 AM
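The two indicators that run through this thread, whole-drive shares showing up in `net share` (the PATRON1/PATRON2 listing) and a second program appended to the Winlogon "Shell" value (the `Explorer.exe [ORIGINAL FILE NAME]` entry in the Symantec writeup), can both be checked offline from copied text. The script below is an added example, not code from the thread, Symantec or OneCare; the `net share` sample is constructed to mirror the poster's listing, the Shell value is a constructed placeholder, and all function names are my own.

```python
"""Offline audit for the two signs discussed in this thread: whole-drive shares
in `net share` output and a second program appended to the Winlogon "Shell"
value. Added example; the sample listing below is constructed to mirror the
poster's PATRON1/PATRON2 output, not captured from a real machine."""
import re

# Shares Windows creates itself (IPC$, ADMIN$, C$, D$ ...) are skipped;
# every other share that points at a drive root is reported.
ADMIN_SHARES = {"IPC$", "ADMIN$", "PRINT$"}
ADMIN_DRIVE_SHARE = re.compile(r"[A-Za-z]\$")
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def parse_net_share(text):
    """Parse the table printed by `net share` into (name, resource, remark) tuples.

    Column boundaries are taken from the header line, so an empty Resource
    column (as on the IPC$ row) does not shift the Remark into the wrong field.
    A uniform leading indent (e.g. text pasted from a forum) is tolerated.
    """
    lines = [line.rstrip() for line in text.splitlines()]
    header = next(line for line in lines if line.lstrip().startswith("Share name"))
    res_col = header.index("Resource")
    rem_col = header.index("Remark")
    shares, in_table = [], False
    for line in lines:
        stripped = line.lstrip()
        if stripped.startswith("----"):
            in_table = True
            continue
        if not in_table or not stripped or stripped.startswith("The command"):
            continue
        shares.append((line[:res_col].strip(),
                       line[res_col:rem_col].strip(),
                       line[rem_col:].strip()))
    return shares


def suspicious_shares(shares):
    """Return non-administrative shares that expose an entire drive."""
    return [s for s in shares
            if s[0].upper() not in ADMIN_SHARES
            and not ADMIN_DRIVE_SHARE.fullmatch(s[0])
            and DRIVE_ROOT.match(s[1])]


def removal_commands(flagged):
    """`net share` accepts {sharename | devicename | drive:path} /DELETE; deleting
    by share name sidesteps the drive:path spacing mistake seen in the thread."""
    return [f"net share {name} /delete" for name, _, _ in flagged]


def extra_shell_entries(shell_value):
    """Split the Winlogon Shell value and return anything besides explorer.exe.
    The writeup quotes 'Explorer.exe [ORIGINAL FILE NAME]', i.e. a second
    program after a space; Windows also accepts a comma-separated list.
    (Assumes entries contain no embedded spaces.)"""
    entries = [e for e in re.split(r"[,\s]+", shell_value.strip()) if e]
    return [e for e in entries if e.lower() != "explorer.exe"]


def _row(name, resource, remark):
    # Same column widths as the listing printed on Windows XP.
    return f"{name:<13}{resource:<32}{remark}"


# Constructed sample in the layout `net share` prints.
SAMPLE_NET_SHARE = "\n".join([
    "",
    _row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _row("IPC$", "", "Remote IPC"),
    _row("C$", "C:\\", "Default share"),
    _row("PATRON1", "d:\\", "RockStar"),
    _row("PATRON2", "c:\\", "RockStar"),
    "The command completed successfully.",
])

# Constructed value in the shape the writeup describes (placeholder file name).
SAMPLE_SHELL_VALUE = "Explorer.exe nesneler.exe"

if __name__ == "__main__":
    flagged = suspicious_shares(parse_net_share(SAMPLE_NET_SHARE))
    for name, resource, remark in flagged:
        print(f"whole-drive share {name} -> {resource} ({remark})")
    for cmd in removal_commands(flagged):
        print("remove with:", cmd)
    for entry in extra_shell_entries(SAMPLE_SHELL_VALUE):
        print("unexpected Winlogon Shell entry:", entry)
```

Removing the share by name only clears the symptom; as the thread shows, the share comes back while the dropper named in the Shell value (or the Autorun.inf on a removable drive) is still present, so the Shell check is the one to act on first.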
  • Celticbrooder wrote:

    ...think there may be more than 2 scenarios...

    True Negative(?) - OneCare does not detect a real/true infection detected by users and/or by third-party software...

    (assuming that a True Positive is OneCare detects and removes...)

    If OneCare doesn't detect an infection, that's a false negative.

    Report it here: http://support.microsoft.com/kb/921161/en-us

    Follow the instructions in this post, http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=662566&SiteID=2, to report a virus that is not cleaned by OneCare and to get help in removal.

    If you are in North America, you can call 866-727-2338 for help with virus and spyware infections. See http://www.microsoft.com/protect/support/default.mspx for details. For international information, see your local subsidiary Support site.

    -steve

    Wednesday, April 23, 2008 12:59 PM
    Moderator