Address Blocking Notification

[Melmar 0]

I keep take notification every 25 sec about this url:hxxp:// differentia.ru/diff.php

and with ip:109.206.186.164 and i don't know what to do to delete the site.

 

my version is eset NOD32 8.1 home edition.

 

Thank you

[Marcos 5,070]

Probably your computer is infected and Wauchos malware is running. Please run ESET Log Collector on the infected computer(s) as per the instructions at hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3466 and email the output to ESET Research Lab as per the instructions in hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN141.

[khairulaizat92 9]

I keep take notification every 25 sec about this url:hxxp:// differentia.ru/diff.php

and with ip:109.206.186.164 and i don't know what to do to delete the site.

 

my version is eset NOD32 8.1 home edition.

 

Thank you

 

Probably your computer is infected and Wauchos malware is running. Please run ESET Log Collector on the infected computer(s) as per the instructions at hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3466 and email the output to ESET Research Lab as per the instructions in hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN141.

 

Its true its being infected by Wauchos, however sadly, ESET didnt found the source of infection. I have submitted the log still waiting for their reply.

 

Each time scanning the "Operating Memory" a malware will be found  As i scanned the infected PC using ESS and found the msiexec.exe (xxxxx) resides in the "Operating Memory" has been detected and deleted as Bundil Cs Worm. Even it has been deleted so many time by eset, yet after scanning it keep coming back but come with different unique number at the end of msiexec.exe (xxxxx) <---(this xxxxx number will be different for each restart) which suggest that the malware are still in the system and keep regenerate each time it being deleted.

 

After doing the full scan, ESET cant find the source of infection, instead keep deleting the Bundil Cs Worm at the "Operating Memory". And during my observation, i found out that there was something suspicious regarding the process "msiexe.exe". This file should and supposed located at "C:\Windows\System32\msiexec.exe" and only be launch during Installation. But this msiexec.exe are always in the process. And this msiexec.exe are launch from "C:\Windows\SysWOW64\msiexec.exe" where the place it doesnt supposed to be????

 

By using "Syntel Process explorer" i found out that this "msiexec.exe" that launch by it self along with other apps seems to get its order from <Unknown> (xxxxxx) <----this "xxxxx" thingy is the same number as the number after the msiexec.exe (xxxxx) discovered by ESET. And when i kill the process, and the whole infection process stopped.

About the infection: whenever i pluggin a thumbdrive, this "msiexec.exe" dropped a file into my thumbdrive, around 29MB, but ech time it succeeded on dropping the file, Eset will automatically detect it as "a variant bundpil.CT Worm" and deleted it. So that we conclude that the virus cannot spread through the thumbdrive if there has ESET installed on the PC. But still, the culprit are still left on the system. And again, it still on the system because it keep regenerating it self after being deleted by ESET. Maybe there was something that we missed. ANyway hoping that this will be solved ASAP.

 

 

[Maniac 2]

Hello Melmar and khairulaizat92,

I had a recent similar case here, so if you don't have fast answer, I could help to clean your systems and send the samples directly to the ESET lab. For this purpose I need the following information for a start:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will produce a log called Main.Txt in the same directory the tool is run from.
• Please copy and paste log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Main.Txt into your reply.

[khairulaizat92 9]

Hello Melmar and khairulaizat92,

I had a recent similar case here, so if you don't have fast answer, I could help to clean your systems and send the samples directly to the ESET lab. For this purpose I need the following information for a start:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will produce a log called Main.Txt in the same directory the tool is run from.
• Please copy and paste log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Main.Txt into your reply.

 

 

Will update you later, due to this lptp is my client PC. I believed if i force delete the msiexec.exe on SYSWOW, it will stop the whole process, but never tried it in order to let ESET find a solution into it first. 

[rzuber 0]

I have similar problems
 
FRST log:
 

frst_log.txt

Edited June 3, 2015 by Marcos
FRST log moved to the attached file

[Marcos 5,070]

Let me know when you are ready for a remote Team Viewer session and I'll check it out myself. Beforehand please collect logs using Log Collector as per the instructions at hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3466and drop me a pm with the output archive attached.

[Maniac 2]

I have similar problems

 

FRST log:

I need your Addition.txt content too.

[khairulaizat92 9]

Thanks @marcos for helping in detecting the malware. The malware has been extracted, and if it was the culprit, the signature will be updated in few days maybe. 

[Marcos 5,070]

Thanks @marcos for helping in detecting the malware. The malware has been extracted, and if it was the culprit, the signature will be updated in few days maybe. 

 

Not in a few days but immediately

[khairulaizat92 9]

 

Thanks @marcos for helping in detecting the malware. The malware has been extracted, and if it was the culprit, the signature will be updated in few days maybe. 

 

Not in a few days but immediately

 

 

Thanks marcos, anyway, how about my request to have it as my collection, can i have it? 

[TheHentaiBoy 0]

I have the same problem, I'm not a good speaker of english but i need assistance, iv'e already run the eset log collector, but i don't know what to do with the zip file, please give me assistance 

[Marcos 5,070]

I have the same problem, I'm not a good speaker of english but i need assistance, iv'e already run the eset log collector, but i don't know what to do with the zip file, please give me assistance 

 

Drop me a pm and attach the output zip file from Log Collector.

[khairulaizat92 9]

It seems the problem still continues, today i found a new customer that didnt use any av, Then i Install eset to clean the malware, but yet, ESET cannot found the culprit malware, its quite frustrating.

[Maniac 2]

I recommend you to follow my instructions above for FRST, to clean the system, to take samples and send them to ESET lab.

[mrcina 0]

Hi, I have the same problems as stated in 3rd post (however, notification is not appearing every 25sec but every few minutes and IP address is different, but host name is the same - differentia.ru/diff.php).

 

ESET Node detects this every time I scan system Operating memory » msiexec.exe(3096) - a variant of Win32/Bundpil.CS worm - cleaned by deleting [1]. Even though it says that it was cleaned by deleting, I think that it wasn't because it appears again and again.

 

I've collected logs as described in 2nd post, but in same post there is a dead link pointing to instruction how to send output to ESET Research Lab. I would really appreciate any help.

 

Few more things. Today when I power up my laptop, "Microsoft Command Prompt" asked for some permission (dimmed display), when I said I won't give them, it asked again and again. I immediately suspected that it was some virus, and found out that I have some unknown startup program (Cat Joy - same as described here) that has two items under - msiexec.exe and obnbfxeskm.exe. Latter was deleted by my first ESET Node scan [C:\Users\user-name\AppData\Roaming\obnbfxeskm.exe - a variant of Win32/Kryptik.DLZA trojan - cleaned by deleting - quarantined [1]]

 

Edit: I went to browser history to see that unknown startup program was Cat Joy.

 

Edit2: It seems that virus is completely deleted by system restart.

Edited June 24, 2015 by mrcina

[Tarakesh 0]

I had the same differential.ru pop up issue along with the symptoms mentioned in this post https://www.facebook.com/OnlineSKeeper/posts/231448683646280.

 

On my PC I also observed msiexec.exe (xxxxx) issue mentioned in the trail above. I managed to sort it all out by repairing the msiexec file and removing the other infections using HitmanPro.

[khairulaizat92 9]

Hi if you are an ESET User and you much concern on the malware and didnt care if some one can remote your PC, please dont hesitate trying PM Marcos, and ready with good internet connection along with Team Viewer. He will made everything for you, however, please do the full scanning first on your PC before contacting him.

[senel10 0]

hi  i have the same problem with the same URL address but with a different IP address how can i solve it?

thanks

[Borghildr 0]

Hello I've the same notification with also having "disorderstatus.ru/order.php, IP: 109.206.186.164.80"

 

As a newbie on these kind of things I don't know what can I do.

 

These are the pop up screens I'm getting;

[Marcos 5,070]

Hello I've the same notification with also having "disorderstatus.ru/order.php, IP: 109.206.186.164.80"

 

As a newbie on these kind of things I don't know what can I do.

 

These are the pop up screens I'm getting;

 

Your computer is likely infected with Wauchos. Also the screen shots you've posted indicate that you have an older version of ESET NOD32 Antivirus installed (v3 or v4). The latest version for home users is v8 that you can download from ESET's website www.eset.com.

 

Please run ESET Log Collector on the infected computer as per the instructions at hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3466 and send me the output via a personal message.

[David_24 0]

Hello I've had the same notifications "disorderstatus.ru/order.php" and "differentia.ru/diff.php". I wonder if you could help me with this malware, I don´t know how to delete it. I´m using NOD32 Antivirus 8.

Thankss

[Marcos 5,070]

 

Hello I've had the same notifications "disorderstatus.ru/order.php" and "differentia.ru/diff.php". I wonder if you could help me with this malware, I don´t know how to delete it. I´m using NOD32 Antivirus 8.

Thankss

 

 

If you are a registered user with a license purchased, feel free to drop me a pm with the output from Log Collector attached.

[Kerkoules 0]

@Marcos

 

I am experiencing the exact above issue. It happened after inserting a thumb drive in my system.

Eset was able to identify bundpil.cs worm as per attached picture.

 

I collected the Logs.zip file from the Log collector as per your suggestion in previous posts, however i am not able to upload it because the file is 2,5MB and your system allows maximum 2MB.

Please advise how can I send it over.

 

On a second note, what are the appropriate actions to take in order to clean the thumb drive?

 

Thank you

K

[Marcos 5,070]

I am experiencing the exact above issue. It happened after inserting a thumb drive in my system.

Eset was able to identify bundpil.cs worm as per attached picture.

 

I collected the Logs.zip file from the Log collector as per your suggestion in previous posts, however i am not able to upload it because the file is 2,5MB and your system allows maximum 2MB.

Please advise how can I send it over.

 

On a second note, what are the appropriate actions to take in order to clean the thumb drive?

 

You should be able to email the logs to samples[at]eset.com. Also enclose a link to this topic please. Once a signature detection has been added, it shouldn't be a problem to clean the thumb drive by running an on-demand scan.