Author Topic: negative detection  (Read 832 times)

Offline rcorkum

  • Newbie
  • Posts: 12
negative detection
« on: March 01, 2016, 11:49:55 PM »
I know I have VBS.Dunihi, or a version of it.

TrendMicro Portable found it but I can't find the source. It called it vbs.dubihi.

Let me explain. I've been using CIS and Comodo for years and trust it 100%, so I spotted something funny in some folders on USB sticks. I tried deleting it and, lo and behold, it's right back, and repeat. Comodo updated and scanned, nothing found, so I tried

Panda online
TrendMicro HouseCall (it found it, but only on the USB, and deleted it, and they immediately came back; it couldn't find the source on the PC)
Malwarebytes
Emsisoft Emergency Kit, and a few more, and nothing.

Has me scratching my head.

Anyway, that's what TrendMicro called it, so that's what I am going by. I know I've got something (from over 30 years of IT work) but nothing is seeing it. I am seeing .vbs files pop up on USB sticks inserted into my PC; I delete the .vbs and they are right back, and I'm seeing subfolders start to develop them on my PC, so it's like, what can I trust? I'd like to back up this PC but right now I want to clean or resolve this issue. In safe mode Comodo is not seeing a thing, even on the obvious USB stick with the issues. Anyone got some ideas?

Offline fatih.orhan

  • Global Moderator
  • Comodo Loves me
  • Posts: 154
Re: negative detection
« Reply #1 on: March 01, 2016, 11:53:12 PM »
Do you use KillSwitch to identify unknown processes and analyze them?

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • Posts: 23710
Re: negative detection
« Reply #2 on: March 02, 2016, 01:01:34 PM »
When you insert the USB stick in your PC, does the malware also install itself on the PC? Does the same thing happen when you try to delete it from the USB drive?

Try Hitman Pro and Zemana Antimalware Free to see if they can get the malware.

Can you check Task Scheduler for suspicious entries? You can use Task Scheduler's interface, Sysinternals Autoruns or Comodo Autoruns for that purpose.

To get rid of the malware on the USB stick you could format it. If it persists on the PC, then that's the next problem.
« Last Edit: March 02, 2016, 01:05:52 PM by EricJH »

Offline rcorkum

  • Newbie
  • Posts: 12
Re: negative detection
« Reply #3 on: March 03, 2016, 09:08:47 AM »
Thanks, and sorry for the late reply; being a grandparent, I had a not uber-sick but not-feeling-well grandson (5) staying with us for a few days needing extra cuddles.

HitmanPro found it.

Code:
C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c8abcc749bf06e55d237bb58e035406.exe -> PendingDelete
      Size . . . . . . . : 12,288 bytes
      Age  . . . . . . . : 26.6 days (2016-02-05 08:29:35)
      Entropy  . . . . . : 5.3
      SHA-256  . . . . . : 220D1C7F2B3AFA3731E792EA3D7514386895A0457EAF9562FB296937C75D8174
      Product  . . . . . : Windows1
      Publisher
      Description  . . . : Windows1
      Version  . . . . . : 1.0.0.0
      LanguageID . . . . : 0
    > Kaspersky  . . . . : Trojan.MSIL.Zapchast.aeevu
      Fuzzy  . . . . . . : 109.0
      Startup
         C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c8abcc749bf06e55d237bb58e035406.exe

The USB sticks weren't the payload, they were the target. I could delete them and instantly (no need to reinsert) they'd be reloaded with the exact same files. If you added a file to the USB and then deleted it, it would become part of the trojan process and a new file on the USB you couldn't get rid of.

Right now I cannot format a USB: I go to right-click to format a USB and Explorer dumps on me and restarts, no errors. But as long as I can verify clean, I will just back up all data and restore Windows 10 to a new install and go from there.

I want to thank everyone for their help. I am not saying it's gone, but for the first time in a few weeks I see a light at the end of the tunnel lol.

BTW, Zemana AntiMalware Free did not see it, only some tracking cookies.

That's not a comment on any software, only reporting. I miss ComboFix; it was a great go-to but alas not compatible with Windows 10, and that's a shame. Still, any ideas why this blew past Comodo?

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • Posts: 23710
Re: negative detection
« Reply #4 on: March 03, 2016, 03:59:50 PM »
Just thinking out loud. Maybe the malware had also registered as a shell extension, causing Explorer to crash. One of the Autoruns programs could point the finger. My guess would be that Task Scheduler is involved when a file gets written back immediately after deleting it.
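A triage check in the spirit of EricJH's Task Scheduler/Autoruns suggestion (Reply #2) and the HitmanPro Startup-folder hit in Reply #3, written here as an added example and not code posted by anyone in the thread. It assumes Windows 8 or later (ScheduledTasks module) and is run as the affected user; the regex it matches on is an assumed starting point, and anything it lists still needs manual review.

```powershell
# Added triage script (not from the thread): hash every file in the Startup folders
# and list scheduled tasks whose action launches a script host or a file under a
# user profile. Assumes Windows 8+ PowerShell with the ScheduledTasks module.

# 1. Startup folders: this is where HitmanPro found the .exe in the thread.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$startupItems = $startupDirs | ForEach-Object {
    Get-ChildItem -Path $_ -File -Force -ErrorAction SilentlyContinue
} | ForEach-Object {
    [PSCustomObject]@{
        Path    = $_.FullName
        Bytes   = $_.Length
        AgeDays = [math]::Round(((Get-Date) - $_.CreationTime).TotalDays, 1)
        SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}
Write-Host "== Startup folder contents =="
$startupItems | Format-List

# 2. Scheduled tasks: a task that re-runs a script host explains files reappearing
#    right after deletion. Legitimate tasks can match too, so review, do not delete blindly.
$suspectPattern = '(?i)(wscript|cscript|mshta|powershell|\.vbs|\.js|\\AppData\\|\\Users\\)'
$suspectTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # ComHandler actions have no Execute/Arguments; they yield an empty string here.
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        if ($cmd -match $suspectPattern) {
            [PSCustomObject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                State    = $task.State
                Command  = $cmd
            }
        }
    }
}
Write-Host "== Scheduled tasks running script hosts or user-profile files =="
$suspectTasks | Format-Table -AutoSize -Wrap
```

Record the SHA-256 values before cleanup so a hash that reappears after a reinstall or a USB reformat can be tied back to the same sample.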
