TechSpot

Trojan and Malware Problem

By kb15
May 14, 2009
Topic Status:
Not open for further replies.
  1. It looks like I've got a problem with Vundo. Malwarebytes spots it but it keeps coming up even though I clean and restart. I've followed the 8-step removal instructions and attached the requested logs.

    I also get a whole list of errors when I open Outlook:

    MCI command handling window: Wcescomm.exe-Bad Image. The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

    LED Hotkey Keyboard: CNYHKey.exe-Bad Image. The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

    ehtray.exe-Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

    cftmon.exe-Bad Image:The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

    SuperAntiSpyware: Superantispyware.exe-Bad Image:The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

    HPGS2WND_WINDOW: hpgs2wnd.exe - Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

    CCU Notify App: CCU_TrayIcon.exe-Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

    ISUSPM.exe-Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

    Card Reader Monitor For 9360 4.5 Slot: readericon45G.exe-Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

    Wcescomm.exe - Bad Image: The application or dll c:\windows\system32\cbqnsbl.dll is not a valid Windows image. Please check this against your installation diskette.

    Thanks in advance for any help you can provide!

    kb15
     
  2. touch

    touch TS Rookie Posts: 978

    Hello kb15

    Are Trend Micro and Webroot Spy Sweeper updated? (It looks like Spy Sweeper also has antivirus.)

    Download HostsExpert: http://www.majorgeeks.com/Hoster_d4626.html

    Choose one of the servers at Majorgeeks and save the file on your desktop.

    Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
    Run HostsXpert 4.2 - Hosts File Manager from its new home
    Click on "File Handling".
    Click on "Restore MS Hosts File".
    Click OK on the Confirmation box.
    Click on "Make Read Only?"
    Click the X to exit the program.

    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    Please download Combofix:
    http://subs.geekstogo.com/ComboFix.exe
    And save to the desktop.

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  3. kb15

    kb15 TS Rookie Topic Starter

    Re: Trojan and Malware Problem. Plz help

    Hi Touch:

    Thanks for the help on this. Both Trend Micro AntiVirus and SpySweeper are updated frequently and have the most recent updates running.

    I've completed all of the steps requested and attached the ComboFix log.

    Regards,
    kb15
     
  4. touch

    touch TS Rookie Posts: 978

    Ok ;)

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop


    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  5. kb15

    kb15 TS Rookie Topic Starter

    Got it. Here's the next submission. Thanks again Touch!
     
  6. touch

    touch TS Rookie Posts: 978

    c:\windows\system32\jmgsbvz.dll is a stubborn one :(

    Download The Avenger by Swandog46 from http://swandog46.geekstogo.com/avenger2/download.php.
    Unzip/extract it to a folder on your desktop.
    Double click on avenger.exe to run The Avenger.
    Click OK.
    Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    Copy all of the text in the below quotebox to the clipboard by highlighting it and then pressing Ctrl+C.

    In the Avenger window, click the Paste Script from Clipboard button.
    Click the Execute button.
    You will be asked Are you sure you want to execute the current script?.
    Click Yes.
    You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    Click Yes.
    Your PC will now be rebooted.

    After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

    Please attach the Avenger log, along with a new HijackThis log.
     
  7. kritius

    kritius TS Guru Posts: 2,087

    @ touch.

    It could be delf, a BHO with a hidden rootkit.

    try

     
  8. kb15

    kb15 TS Rookie Topic Starter

    Hi Touch:

    Completed your next steps and attached the logs.

    Kritius:

    Should I copy and paste the quote into ComboFix or Avenger?

    Regards
    kb15
     
  9. kritius

    kritius TS Guru Posts: 2,087

    ComboFix,

    Run CFScript
    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also:

    Pay particular attention to this:

    Make sure the word KillAll:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.
     
  10. kb15

    kb15 TS Rookie Topic Starter

    Done. Here you go. Thanks Kritius!
     

  11. kritius

    kritius TS Guru Posts: 2,087

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O4 - HKUS\S-1-5-21-287608296-964036408-3862943669-1007\..\Run: [wakirozawe] "Rundll32.exe" "C:\WINDOWS\system32\vivudoma.dll",s (User 'IUSR_NMPR')
    O4 - HKUS\S-1-5-21-287608296-964036408-3862943669-1007\..\Run: [CPMa74dd569] "Rundll32.exe" "c:\windows\system32\nanehutu.dll",a (User 'IUSR_NMPR')

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis

    OTMoveit3 by OldTimer
    Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      explorer.exe
      
      :Services
      GSJDYNCA
      
      :Reg
      
      
      :Files
      c:\windows\system32\nanehutu.dll
      C:\WINDOWS\system32\vivudoma.dll
      c:\windows\system32\drivers\UACqmrcvvqf.sys
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply

    If you are having trouble with the scan, please see this animated guide.

    >>>Animated Guide<<<
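    As an added illustration (not part of the thread or any of the tools it names), the Python below parses HijackThis O4 autostart lines like the two kritius lists above and flags the Vundo pattern they show: rundll32 launching a random-named DLL from system32 under a Run key. The sample lines are constructed from the thread, and the allow-list and name heuristic are assumptions to tune for your environment.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two entries copied from the thread plus two benign ones for contrast.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-21-287608296-964036408-3862943669-1007\..\Run: [wakirozawe] "Rundll32.exe" "C:\WINDOWS\system32\vivudoma.dll",s (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-287608296-964036408-3862943669-1007\..\Run: [CPMa74dd569] "Rundll32.exe" "c:\windows\system32\nanehutu.dll",a (User 'IUSR_NMPR')
""".strip().splitlines()

# O4 line shape: "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']+)'\))?$"
)
# rundll32 <dll>[,<export>], with or without quotes around either token
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S+))?',
    re.IGNORECASE,
)
# Assumed allow-list: legitimate letters-only system32 DLLs commonly run via rundll32.
KNOWN_GOOD = {"msvcrt", "ntdll", "gdiplus", "shimgvw", "advpack", "ieframe"}


@dataclass
class Finding:
    name: str
    dll: str
    user: Optional[str]
    reason: str


def looks_random(stem: str) -> bool:
    # Heuristic: Vundo DLL names (vivudoma, nanehutu, jmgsbvz) are short, letters-only
    # junk; most real system DLLs carry digits (shell32) or sit in the allow-list.
    s = stem.lower()
    return s.isalpha() and 6 <= len(s) <= 10 and s not in KNOWN_GOOD


def triage_o4(lines):
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        r = RUNDLL_RE.match(m["cmd"]) if m else None
        if not r:
            continue
        dll = r["dll"]
        stem = dll.replace("/", "\\").rsplit("\\", 1)[-1][:-4]
        if "\\system32\\" in dll.lower() and looks_random(stem):
            findings.append(Finding(m["name"], dll, m["user"],
                                    "rundll32 loads random-named DLL from system32"))
    return findings
```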
     
     
  12. kb15

    kb15 TS Rookie Topic Starter

    Ok, got it done.
     
  13. kritius

    kritius TS Guru Posts: 2,087

    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    E:\i386\Apps\App00577\comps\toolbar\toolbr.exe
    D:\setupxv.exe
    C:\DriversApps\i386\APPS\APP00577\comps\toolbar\toolbr.exe
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
    
    • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3


    Empty quarantine folder.

    Delete files in the quarantine folder by doing the following:
    • Open PC-cillin Internet Security by double-clicking on the PC-cillin icon on the taskbar. You can also click Start >Programs >Trend Micro Antivirus >Trend Micro Antivirus.
    • Click on System > Quarantine.
    • Click on the file you want to delete and click the Delete button.
    • If you want to delete all files in the quarantine folder, click on Delete All.

    If that doesn't work then delete the contents of this folder but not the folder itself,

    C:\Program Files\Trend Micro\Internet Security\Quarantine

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • When shown the disclaimer, Select "2"

    • Download OTCleanIt to your desktop and run it
    • Click Yes to begin the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

    Disable and Enable System Restore.

    You can find instructions on how to enable and re-enable system restore here:

    You can re-enable system restore using the same tutorials as above

    That should clear everything out.
     
  14. kb15

    kb15 TS Rookie Topic Starter

    Hi Kritius:

    I've completed the steps you requested. When I went into the Trend Micro AntiVirus folder to clean out the quarantined files, I was able to delete all but the following files:
    UACbldboppj.dll
    UACghddwftg.dll
    UACirbhewft.dll
    UACrskdqqpc.dll
    UACwcdeuyxu.dll

    All 5 of these files come up "access denied".

    I've attached the log you requested as well. Thanks for your help Kritius!

    Cheers,
    kb15
     
  15. kritius

    kritius TS Guru Posts: 2,087

    OTMoveit3 by OldTimer
    Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      explorer.exe
      
      :Services
      
      :Reg
      
      :Files
      C:\Program Files\Trend Micro\Internet Security\Quarantine\UACbldboppj.dll
      C:\Program Files\Trend Micro\Internet Security\Quarantine\UACirbhewft.dll
      C:\Program Files\Trend Micro\Internet Security\Quarantine\UACrskdqqpc.dll
      C:\Program Files\Trend Micro\Internet Security\Quarantine\UACwcdeuyxu.dll
      C:\Program Files\Trend Micro\Internet Security\Quarantine\UACghddwftg.dll
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Double click OTMoveIt.exe again and click on the cleanup button.

    That should take care of things.
     
  16. kb15

    kb15 TS Rookie Topic Starter

    Hi Kritius:

    I was hoping that would do it but it looks as if those 5 .dll files are still in the Quarantine folder. I've attached the log you requested. Looks like this one's dug in deep.

    Thanks Kritius!

    kb15
     