Comodo Forum » Desktop Security Products » Comodo Internet Security - CIS » Virus/Malware Removal Assistance
Topic: NewHeur_PE virus Removal? (Read 10809 times)
Toggie (Global Moderator, Comodo's Hero, 1256 posts)
« on: November 06, 2007, 06:13:21 AM »

Need some help here please. I am trying to clean a friend's notebook (seems he likes collecting malware!!!!) and I've run into a brick wall. I removed nearly all nasties on his system bar one, that is the NewHeur_PE virus.

From what I can make out, this little sod is of Chinese origin and in the case of this notebook, manifests itself as a file called sxs2.exe, which apparently is in the root directory, even though it can't be seen!

He has Symantec AV (eeek) installed and it doesn't see it. I've tried AVG, Avast, and Antivir, likewise they don't see it. I've also tried SuperAntiSpyware, Spyware Terminator,  and AVG AS. No joy.

Apparently NOD32 kind of recognises it but is a bit dubious.

As my Chinese is limited to only 20 or so words, reading the Chinese sites on how to remove this is beyond me. If anyone can help, it would be much appreciated.

Toggie

One man alone can be pretty dumb sometimes, but for real bona fide stupidity, there ain't nothin' can beat teamwork.
N.T.T.W. (Global Moderator, Comodo's Hero, 1124 posts)
« Reply #1 on: November 06, 2007, 07:36:23 AM »

You have probably already seen these but they may help so here goes:

http://forums.spybot.info/archive/index.php/t-12192.html

http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.wangyx.com/%3Fp%3D14&sa=X&oi=translate&resnum=9&ct=result&prev=/search%3Fq%3Dsxs2.exe%26hl%3Den%26sa%3DG


The second link seems to have a batch file to aid removal - I have no idea if this is safe or not as the link is for a page translated by google.


Post proelia praemia.
Die dulci fruere.
Toggie (Global Moderator, Comodo's Hero, 1256 posts)
« Reply #2 on: November 06, 2007, 08:16:43 AM »

> The second link seems to have a batch file to aid removal - I have no idea if this is safe or not as the link is for a page translated by google.

Thanks for the reply N.T.T.W, I've seen the first link, SBSD doesn't detect it either.

The second link might be interesting, but the batch file has many entries in Chinese, which probably won't work on a non-Chinese system.

It seems strange to me that all the so called 'best' AV programs can't detect a Chinese AV...
N.T.T.W. (Global Moderator, Comodo's Hero, 1124 posts)
« Reply #3 on: November 06, 2007, 08:31:34 AM »


> It seems strange to me that all the so called 'best' AV programs can't detect a Chinese AV...

I know what you mean, you would think these well known products would be up to date for viruses worldwide.

Perhaps if you use Autoruns to find any iffy startup entries it may give you ideas how to remove various components of the nasty or at least disable them.

I will keep looking for an answer.

Toggie (Global Moderator, Comodo's Hero, 1256 posts)
« Reply #4 on: November 06, 2007, 08:38:22 AM »

> Perhaps if you use Autoruns to find any iffy startup entries it may give you ideas how to remove various components of the nasty or at least disable them.

I tried that, both autoruns and process explorer show the same information, C:\sxs2.exe but nothing can find it in that location. It's supposed to be associated with autorun.exe or autorun.inf, but again these files don't appear to exist. The sxs2.exe process still shows in process explorer, twice!!
N.T.T.W. (Global Moderator, Comodo's Hero, 1124 posts)
« Reply #5 on: November 06, 2007, 08:40:52 AM »

http://www.f-secure.com/blacklight/

Always worth a try...
~cat~ (Global Moderator, Comodo's Hero, 964 posts)
« Reply #6 on: November 06, 2007, 10:39:48 AM »

"NewHeur" indicates heuristic (behavioral) detection which means it could be a little bit of anything to everything.
Can or did you already send samples to bocleansubmissions@comodo.com & malwaresubmit@avlab.comodo.com ?

Honestly, once you're backdoored the best practice is to nuke and reinstall. There's no telling what doors have been opened within the OS.
As we all know, prevention is the only real cure.

Parched dry and thirsty, knee deep in the river of life.
eXPerience (Malware Researcher, Virus Removal Helper, Advanced Tweak Freak, Crazy Little Devil, Global Moderator, Comodo's Hero, 2773 posts)
« Reply #7 on: November 06, 2007, 01:12:21 PM »

Hey

I've checked some posts in the NOD32 forum and as far as they know it's a false positive but they're still analyzing it.

If you want to be sure you can upload the file to Virustotal http://www.virustotal.com/ and see if any other antivirus finds it. (if you know where it is of course)

Hope I could help ya a bit
Xan

OK, we'll see each other outside  Angry. But err... different countries ?

 Vista Ultimate 64bit SP1  l  Comodo Internet Security  l  Comodo BoClean
Toggie (Global Moderator, Comodo's Hero, 1256 posts)
« Reply #8 on: November 06, 2007, 05:50:29 PM »


I haven't tried Blacklight, but I have been through the system with gmer and Icesword, neither of which were able to detect it.

> "NewHeur" indicates heuristic (behavioral) detection which means it could be a little bit of anything to everything.
> Can or did you already send samples to bocleansubmissions [ at ] comodo.com & malwaresubmit [ at ] avlab.comodo.com ?

Hi ~cat~ If I could actually find the files that are loading the process I would submit them, but that's half the problem.

> Honestly, once you're backdoored the best practice is to nuke and reinstall. There's no telling what doors have been opened within the OS.
> As we all know, prevention is the only real cure.

Agreed, and if it was my system I would. It may well come to that in the end, but I said I'd try to clean first, if only to preserve his game data!

> Hey
>
> I've checked some posts in the NOD32 forum and as far as they know it's a false positive but they're still analyzing it.

Hi alaertsxan, I saw that info, and it seems a bit vague to me. Something is definitely loading sxs2.exe into memory; what it's doing once loaded, however, is another matter.

> If you want to be sure you can upload the file to Virustotal http://www.virustotal.com/ and see if any other antivirus finds it. (if you know where it is of course)
>
> Hope I could help ya a bit
> Xan

As I said to ~cat~, I can't actually find how the file is being loaded. Everything points to sxs2.exe existing in C:\ (root) but it doesn't. I've got show hidden files turned on as well as show system files. I've also searched the entire disk, but I can't find it. I even tried searching ADS!
~cat~ (Global Moderator, Comodo's Hero, 964 posts)
« Reply #9 on: November 06, 2007, 06:45:07 PM »

Have you tried using the command prompt to browse to and list the file directory?
Toggie (Global Moderator, Comodo's Hero, 1256 posts)
« Reply #10 on: November 06, 2007, 06:49:26 PM »

> Have you tried using the command prompt to browse to and list the file directory?

I did, both Normal and safe mode. I even added the recovery console and tried that way too.
eXPerience (Malware Researcher, Virus Removal Helper, Advanced Tweak Freak, Crazy Little Devil, Global Moderator, Comodo's Hero, 2773 posts)
« Reply #11 on: November 07, 2007, 03:36:40 AM »

Perhaps we should try it otherwise, please send a hijackthis! log so we can see if indeed something is wrong

Xan
pandlouk (I love Comodo, Comodo's Hero, Retired Mod, 2240 posts)
« Reply #12 on: November 07, 2007, 04:27:10 AM »

Hi Toggie,

download a-squared Free 3.0.

I would also advise you to use a BartPE CD. It will help you see what is going on outside the OS.
Toggie (Global Moderator, Comodo's Hero, 1256 posts)
« Reply #13 on: November 11, 2007, 07:05:15 PM »

Thanks for the replies everyone, I believe I finally managed to eliminate this particular nasty.

Thanks pandlouk for reminding me about a-squared, I'd forgotten about that program. It was with this I made some progress. After downloading the command line version and running a scan, a variant of the Trojan-Downloader.win32.Agent was detected in sxs2.exe. A-squared also allowed me to quarantine the file. Interestingly, it wasn't able to remove a number of associated files and registry entries.

From what I have discovered, in addition to the sxs2.exe there are a number of 'autorun.*' files located in the root and %winroot%\system32. These files perform a number of tasks including creating an autorun entry in userinit.exe, changing the attributes on all the related files to hidden, system, and read only, and also changing the value in:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" so that it's impossible to choose the show hidden and system files in explorer.

The 'autorun.*' files, by the way, are:

autorun.inf
autorun.bat
autorun.reg
autorun.bin
autorun.exe
autorun.vbs
autorun.wsh
autorun.fcb
autorun.srm
autorun.txt
autorun.ini
autorun.ico

Thanks again all

Toggie

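An added example, not from the thread or from Comodo, written here to turn Toggie's findings in Reply #13 into a repeatable check: a PowerShell triage script that looks for the three symptoms he lists (the ShowSuperHidden value forced so Explorer cannot show hidden and system files, an extra program started via Userinit, and hidden/system autorun.* and sxs2.exe files in the drive root and System32), lists any alternate data streams on root files as Toggie did by hand in Reply #8, and hashes anything it finds so the sample can be submitted to the addresses ~cat~ gave. The file names and the Advanced registry key are taken from the post; reading "an autorun entry in userinit.exe" as the Winlogon Userinit value is my interpretation, and the expected clean Userinit string is the Windows default, so compare it against a known-good machine of the same Windows version. It assumes PowerShell 3.0 or later and an elevated prompt, and changes nothing unless -Repair is given.

```powershell
# Added triage script (not the thread's code). Read-only by default; -Repair only
# restores the ShowSuperHidden value so hidden/system files can be shown again.
param([switch]$Repair)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$roots    = @("$env:SystemDrive\", "$env:SystemRoot\System32")

# 1. ShowSuperHidden: 1 means Explorer may show protected operating system files.
#    Toggie found this value changed so the option could not be selected.
$ssh = (Get-ItemProperty -Path $advanced -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -ne 1) {
    Write-Warning "ShowSuperHidden is '$ssh' (expected 1): protected OS files are hidden from Explorer."
    if ($Repair) { Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord }
}

# 2. Winlogon Userinit: the default is the system userinit.exe followed by a comma and
#    nothing else. Anything appended after the comma is started at every logon.
#    (Assumption: this is what the post's "autorun entry in userinit.exe" refers to.)
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = "$env:SystemRoot\system32\userinit.exe,"
if ($userinit -ne $expected) {
    Write-Warning "Userinit is '$userinit' (expected '$expected'): an extra program runs at logon."
}

# 3. Hidden + System files named autorun.* or sxs2.exe in the drive root and System32.
#    -Force is what makes the difference: Get-ChildItem (like dir without /a) skips
#    hidden and system files, which is why a plain listing never showed them.
$findings = foreach ($dir in $roots) {
    Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(autorun\..+|sxs2\.exe)$' } |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'Attributes'; e = { $_.Attributes.ToString() } },
            @{ n = 'SHA256';     e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
}
if ($findings) {
    Write-Warning "Suspicious files found (hash them before quarantine so a sample can be submitted):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No autorun.* or sxs2.exe files found in $($roots -join ', ')."
}

# 4. Alternate data streams on files in the drive root: a file can hide a payload in
#    a named stream that no directory listing shows. Only non-default streams are listed.
Get-ChildItem -Path "$env:SystemDrive\" -Force -File -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length
```

The script sees only what the running operating system reports, so a clean result on a live machine is weaker evidence than the same check made from a boot CD as pandlouk suggested; running it before and after cleaning also gives a before/after record of the registry values and file hashes.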
pandlouk (I love Comodo, Comodo's Hero, Retired Mod, 2240 posts)
« Reply #14 on: November 12, 2007, 01:59:10 PM »

Glad to see that you nailed that little $%^#. Cheers

ps. tell your friend to install CFP3. At least he will get an alert when he adds another "bad guy" to his personal collection.

Panagiotis