Trojan and Malware Problem

kb15

It looks like I've got a problem with a Vundo. Malwarebytes spots it but it keeps coming up even though I clean and restart. I've followed the 8-step removal instructions and attached the requested logs.

I also get a whole list of errors when I open Outlook:

MCI command handling window: Wcescomm.exe-Bad Image. The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

LED Hotkey Keyboard: CNYHKey.exe-Bad Image. The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

ehtray.exe-Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

cftmon.exe-Bad Image:The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

SuperAntiSpyware: Superantispyware.exe-Bad Image:The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

HPGS2WND_WINDOW: hpgs2wnd.exe - Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

CCU Notify App: CCU_TrayIcon.exe-Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

ISUSPM.exe-Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

Card Reader Monitor For 9360 4.5 Slot: readericon45G.exe-Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

Wcescomm.exe - Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

Thanks in advance for any help you can provide!

kb15
 
Hello kb15

Are Trend Micro and Webroot Spy Sweeper updated? (It looks like Spy Sweeper also has antivirus.)

Download HostsXpert: http://www.majorgeeks.com/Hoster_d4626.html

Choose one of the servers at Majorgeeks and save the file on your desktop.

Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe
And save to the desktop.

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::
File::
C:\WINDOWS\system32\niwebazi.dll
C:\WINDOWS\system32\vivudoma.dll
C:\WINDOWS\SYSTEM32\jmgsbvz.dll
Folder::
C:\Program Files\AWS

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Re: Trojan and Malware Problem. Plz help

Hi Touch:

Thanks for the help on this. Both Trend Micro AntiVirus and SpySweeper are updated frequently and have the most recent updates running.

I've completed all of the steps requested and attached the ComboFix log.

Regards,
kb15
 
Ok ;)

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::
File::
c:\windows\system32\dohososa.exe
c:\windows\system32\tavaseye.exe
c:\windows\system32\peheliba.exe
c:\windows\system32\jmgsbvz.dll
FileLook::
c:\windows\system32\drivers\gsjdynca.sys
AtJob::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51CEB490-1708-41FD-8C87-5CC28378016A}]


http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
c:\windows\system32\jmgsbvz.dll is a stubborn one :(

Download The Avenger by Swandog46 from http://swandog46.geekstogo.com/avenger2/download.php.
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below quotebox to the clipboard by highlighting it and then pressing Ctrl+C.

Files to delete:
c:\windows\system32\jmgsbvz.dll

In the Avenger window, click the Paste Script from Clipboard button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.

After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

Please attach the Avenger log, along with a new HijackThis log.
 
@ touch.

It could be delf, a BHO with a hidden rootkit.

Try:

KillAll::

RootKit::
c:\windows\system32\drivers\gsjdynca.sys
c:\windows\system32\jmgsbvz.dll

Driver::
gsjdynca
 
Hi Touch:

Completed your next steps and attached the logs.

Kritius:

Should I copy and paste the quote into ComboFix or Avenger?

Regards
kb15
 
ComboFix,

Run CFScript
Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this:

Make sure the word KillAll:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
KillAll::

Rootkit::
c:\windows\system32\drivers\gsjdynca.sys
c:\windows\system32\jmgsbvz.dll

Driver::
gsjdynca

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe, as shown in the screenshot (CFScriptB-4.gif) that accompanied the original post.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
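An added example, not part of this thread or of ComboFix: a small Python checker that splits a CFScript into its sections and enforces the rule stressed above, that KillAll:: must be the very first line with no blank line above it and no space in front of it. The set of section names and the absolute-path / service-name checks are assumptions drawn from the scripts posted in this thread, not ComboFix's documented grammar.

```python
import re

# Section headers that appear in the CFScripts posted in this thread. Treating
# anything else as a problem is an assumption, not ComboFix's full grammar.
KNOWN_SECTIONS = {"killall", "snapshot", "file", "folder", "filelook",
                  "atjob", "registry", "rootkit", "driver"}
PATH_SECTIONS = {"file", "folder", "filelook", "rootkit"}  # expect absolute paths
HEADER_RE = re.compile(r"^([A-Za-z]+)::$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text):
    """Return (sections, problems) for a CFScript; problems includes the rule
    stressed in the thread: KillAll:: first, no blank line above, no leading space."""
    lines = text.splitlines()
    problems, sections, current = [], {}, None
    first = lines[0] if lines else ""
    if first.strip() == "":
        problems.append("blank line above KillAll::")
    elif first != first.lstrip():
        problems.append("whitespace in front of KillAll::")
    elif first.strip().lower() != "killall::":
        problems.append("first line is not KillAll::")
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue                      # blank lines just separate sections
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1).lower()
            if current not in KNOWN_SECTIONS:
                problems.append(f"line {n}: unknown section {line}")
            sections.setdefault(current, [])
            continue
        if current is None:
            problems.append(f"line {n}: entry before any section header")
            continue
        if current in PATH_SECTIONS and not ABS_PATH_RE.match(line):
            problems.append(f"line {n}: {current}:: entry is not an absolute path")
        if current == "driver" and ("\\" in line or "." in line):
            problems.append(f"line {n}: driver:: wants a service name, not a path")
        sections[current].append(line)
    return sections, problems


# Constructed sample: the script posted above for the gsjdynca driver.
SAMPLE = ("KillAll::\n\nRootkit::\nc:\\windows\\system32\\drivers\\gsjdynca.sys\n"
          "c:\\windows\\system32\\jmgsbvz.dll\n\nDriver::\ngsjdynca\n")
```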
 
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O4 - HKUS\S-1-5-21-287608296-964036408-3862943669-1007\..\Run: [wakirozawe] "Rundll32.exe" "C:\WINDOWS\system32\vivudoma.dll",s (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-287608296-964036408-3862943669-1007\..\Run: [CPMa74dd569] "Rundll32.exe" "c:\windows\system32\nanehutu.dll",a (User 'IUSR_NMPR')

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis

OTMoveit3 by OldTimer
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    explorer.exe
    
    :Services
    GSJDYNCA
    
    :Reg
    
    
    :Files
    c:\windows\system32\nanehutu.dll
    C:\WINDOWS\system32\vivudoma.dll
    c:\windows\system32\drivers\UACqmrcvvqf.sys
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply.

If you are having trouble with the scan, please see this animated guide.

>>>Animated Guide<<<
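An added example, not part of this thread or of HijackThis: a Python parser for O4 lines like the two fixed above that pulls out the hive, user SID, value name and the DLL that Rundll32 is asked to load, and flags Run entries that launch a DLL from system32 through Rundll32. The benign ctfmon line in the sample is constructed for contrast, and the system32 heuristic is an assumption for triage, not a verdict.

```python
import re

# One HijackThis O4 line: O4 - <hive>[\<sid>]\..\<key>: [<name>] <cmd> [(User '<user>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)(?:\\(?P<sid>[^\\]+))?\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")

# Rundll32 launch: "Rundll32.exe" "<dll>",<export>
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?(?:,(?P<export>\S+))?', re.I)


def parse_o4(line):
    """Return a dict for an O4 line (None if it is not one); dll and export
    are filled in when the command is a Rundll32 launch."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    r = RUNDLL_RE.match(entry["cmd"])
    entry["dll"] = r.group("dll") if r else None
    entry["export"] = r.group("export") if r else None
    return entry


def flag_rundll32_system32(lines):
    """Triage heuristic (an assumption, not a verdict): Run entries that use
    Rundll32 to load a DLL sitting in system32, as the two fixed above do."""
    hits = []
    for line in lines:
        e = parse_o4(line)
        if e and e["dll"] and "\\system32\\" in e["dll"].lower():
            hits.append(e)
    return hits


# Constructed sample: the two O4 entries from this thread plus one benign
# ctfmon entry added for contrast.
SAMPLE_HJT = r"""
O4 - HKUS\S-1-5-21-287608296-964036408-3862943669-1007\..\Run: [wakirozawe] "Rundll32.exe" "C:\WINDOWS\system32\vivudoma.dll",s (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-287608296-964036408-3862943669-1007\..\Run: [CPMa74dd569] "Rundll32.exe" "c:\windows\system32\nanehutu.dll",a (User 'IUSR_NMPR')
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

if __name__ == "__main__":
    for hit in flag_rundll32_system32(SAMPLE_HJT):
        print(hit["hive"], hit["sid"], hit["name"], "->", hit["dll"], hit["export"])
```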
 
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes
explorer.exe

:Services

:Reg

:Files
E:\i386\Apps\App00577\comps\toolbar\toolbr.exe
D:\setupxv.exe
C:\DriversApps\i386\APPS\APP00577\comps\toolbar\toolbr.exe

:commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3


Empty quarantine folder.

Delete files in the quarantine folder by doing the following:
  • Open PC-cillin Internet Security by double-clicking on the PC-cillin icon on the taskbar. You can also click Start >Programs >Trend Micro Antivirus >Trend Micro Antivirus.
  • Click on System > Quarantine.
  • Click on the file you want to delete and click the Delete button.
  • If you want to delete all files in the quarantine folder, click on Delete All.

If that doesn't work then delete the contents of this folder, but not the folder itself:

C:\Program Files\Trend Micro\Internet Security\Quarantine

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, select "2"

  • Download OTCleanIt to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Disable and Enable System Restore.

You can find instructions on how to enable and re-enable system restore here:

You can re-enable system restore using the same tutorials as above

That should clear everything out.
 
Hi Kritius:

I've completed the steps you requested. When I went into the Trend Micro AntiVirus folder to clean out the quarantined files, I was able to delete all but the following files:
UACbldboppj.dll
UACghddwftg.dll
UACirbhewft.dll
UACrskdqqpc.dll
UACwcdeuyxu.dll

All 5 of these files come up "access denied".

I've attached the log you requested as well. Thanks for your help Kritius!

Cheers,
kb15
 
OTMoveit3 by OldTimer
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\Trend Micro\Internet Security\Quarantine\UACbldboppj.dll
    C:\Program Files\Trend Micro\Internet Security\Quarantine\UACirbhewft.dll
    C:\Program Files\Trend Micro\Internet Security\Quarantine\UACrskdqqpc.dll
    C:\Program Files\Trend Micro\Internet Security\Quarantine\UACwcdeuyxu.dll
    C:\Program Files\Trend Micro\Internet Security\Quarantine\UACghddwftg.dll
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Double click OTMoveIt.exe again and click on the cleanup button.

That should take care of things,
 
Hi Kritius:

I was hoping that would do it but it looks as if those 5 .dll files are still in the Quarantine folder. I've attached the log you requested. Looks like this one's dug in deep.

Thanks Kritius!

kb15
 