Very Dangerous Problem (Not previously addressed): Trojan Vundo

Status
Not open for further replies.
REGEDIT claimed that all CnsHook files are deleted.

The CnsMin files below could not be deleted:

1)DeviceDesc REG_SZ CnsMinKP
2)Service REG_SZ CnsMinKP
3)ActiveService REG_SZ CnsMinKP

BTW: I noticed that some files in the 3721 folder, every time I try to delete them, just pop up again the next time I click "find next".

Attached is fresh HJT logfile.
 
This is proving to be very troublesome.

You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll (file missing)

O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32

O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe

O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O8 - Extra context menu item: 添加到QQ表情 (Add to QQ emoticons) - F:\QQ\AddEmotion.htm

O9 - Extra button: Yahoo 3.5G¦Ì?¨®¨º - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)

O9 - Extra button: ???¡¤???? - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)

O9 - Extra button: ???¡é?¨²¨º? - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)

O9 - Extra button: ???¡éWIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

O9 - Extra button: ?¨¦?¡ã¨¢?¨¬¨¬ - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)

O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra 'Tools' menuitem: DT?¡ä?¡¥¨¤¨¤?¡Â - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O9 - Extra 'Tools' menuitem: ??¨¤¨ª¨¦?¨ª????? - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O11 - Options group: [!CNS] ?D??¨¦?¨ª?

O16 - DPF: {9ADACAA6-533E-4383-AFA7-F0A66650B6D8} (VqqSpeedDlProxy Class) - http://dl_dir.qq.com/qqfile/p2p/vqqsdl.cab

O24 - Desktop Component 0: (no name) - http://ic1.deviantart.com/fs7/f/2005/248/8/3/collage_00120.jpg

O24 - Desktop Component 1: (no name) - http://ic1.deviantart.com/fs7/i/2005/245/4/2/Lex_Speaks___Wallpaper_by_MiniCow.jpg

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
C:\WINDOWS\DOWNLO~1\CnsHook.dll

Reboot into normal mode and rehide your protected OS files.

Download and install DrWebCureit:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
http://spywareinfo.dk/download/drweb-cureit.exe to your desktop.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done":
Click on the green screwdriver.
Actions tab: for Adware, Dialers, Riskware and Hacktools, use the dropdown menu and select "Delete".
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.

After the scan, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.

Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.

Attach the DrWeb.csv log as well as a fresh HJT log.

Regards Howard :)

This thread is for the use of OKai only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
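Added example, not code from the thread or from HijackThis: a small Python parser for HJT entries of the kind quoted above. It pulls out the section, name, CLSID, target and the "(file missing)" flag, resolves what an O4 command line actually loads (for a Rundll32 entry that is the DLL, not rundll32.exe), and maps each section to the registry key HJT reads it from. The registry mapping is from HJT's documentation as I recall it, covers only the sections present in this log, and should be checked against the HJT version in use; SAMPLE_LOG is copied from the log posted in the thread. The practical point: an entry marked "(file missing)" is a dangling registry reference, so deleting files will never clear it; it has to come out of the registry, which is what HJT's "Fix checked" does.

```python
"""Parse HijackThis (HJT) log entries like the ones quoted in this thread.

Added example, not code from the thread or from HijackThis.  The registry
mapping below is from HJT's documentation as I recall it (assumption) and
covers only the sections that appear in this log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the log posted in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll (file missing)",
    r"O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32",
    r'O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized',
    r"O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)",
    r"O16 - DPF: {9ADACAA6-533E-4383-AFA7-F0A66650B6D8} (VqqSpeedDlProxy Class) - http://dl_dir.qq.com/qqfile/p2p/vqqsdl.cab",
    r"O18 - Protocol: ipp - (no CLSID) - (no file)",
]

# Where HJT reads each section from (assumption: HJT documentation as I recall it).
REGISTRY_SOURCE = {
    "O2": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}",
    "O4": r"{HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "O9": r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CLSID}",
    "O16": r"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CLSID}",
    "O18": r"HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\{NAME}",
}

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


@dataclass
class Entry:
    section: str
    kind: str              # text before the first ": ", e.g. "BHO" or "HKLM\..\Run"
    name: str
    clsid: Optional[str]
    target: str            # file path, command line or URL
    file_missing: bool     # HJT said "(file missing)" or "(no file)"
    hive: Optional[str] = None


def parse_entry(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    kind, _, body = rest.partition(": ")
    file_missing = body.endswith("(file missing)")
    if file_missing:
        body = body[: -len("(file missing)")].strip()
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else None
    hive = None
    if body.startswith("["):
        # "[name] command" form used by O4 (Run keys) and O11 (options groups)
        name, _, target = body[1:].partition("] ")
        if section == "O4":
            hive = kind.split("\\", 1)[0]          # "HKLM" or "HKCU"
    else:
        parts = [p.strip() for p in body.split(" - ")]
        target = parts[-1]
        first = parts[0]
        if clsid and clsid in first:               # O16 puts "{CLSID} (name)" first
            first = first.replace(clsid, "").strip().strip("()")
        name = first if len(parts) > 1 else ""
    if target == "(no file)":
        file_missing = True
    return Entry(section, kind, name, clsid, target, file_missing, hive)


def loaded_file(e: Entry) -> str:
    """The file an O4 command line actually executes or loads."""
    t = e.target
    if t.lower().startswith("rundll32.exe "):
        # rundll32.exe <dll>,<entrypoint>: the DLL is the payload, not rundll32
        return t.split(" ", 1)[1].split(",", 1)[0]
    if t.startswith('"'):
        return t[1:].split('"', 1)[0]
    return t.split(" ", 1)[0]


def registry_location(e: Entry) -> Optional[str]:
    key = REGISTRY_SOURCE.get(e.section)
    if key is None:
        return None
    return (key.replace("{CLSID}", e.clsid or "")
               .replace("{HIVE}", e.hive or "HKLM")
               .replace("{NAME}", e.name))


def dangling_references(lines: List[str]) -> List[Entry]:
    """Entries whose target is gone: registry-only leftovers to fix in HJT."""
    return [e for e in map(parse_entry, lines) if e and e.file_missing]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_entry(line)
        what = loaded_file(e) if e.section == "O4" else e.target
        flag = "MISSING" if e.file_missing else "present"
        print(f"{e.section:<4} {e.name!r:<24} {flag:<8} {what}\n      key: {registry_location(e)}")
```

Run it over a full HJT log and the entries it prints as MISSING are the ones that only a registry fix will remove; for the rest, `loaded_file` gives the path to delete once the matching service or process has been stopped.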
 
I have deleted the files with HJT and also deleted the directories you posted for me by searching for them and deleting them.

However, when I finished downloading DrWeb, it somehow stated that my license key has expired and asked me to buy it. What do I do now?

Please advise.
 
I can't understand why you're having problems with DrWebCureIt, as it's a free utility that doesn't need installing. See HERE and try again.

Regards Howard :)
 
Sorry, I understand that this is a LONG thread and a bit of a hassle to deal with :eek:

I have posted a HJT logfile.

I deleted the 3 incurable viruses that DrWeb found.

I was unable to attach the DrWeb logfile ("DrWeb.csv: Invalid File"), so I just copied and pasted what's in it; it's not very long, as you can see.

cnsmin.dll;c:\windows\downloaded program files;Adware.Cdn;;
cnsminkp.sys;c:\windows\system32\drivers;Adware.Cdn;;
ssprot.sys;c:\windows\system32\drivers;Adware.Tencent;;

Please advise.
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double-click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

CnsMin

Open your Task Manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab and end the following processes, if found:



After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MAX\Application Data\Mozilla\Profiles\default\8fxciu4j.slt\prefs.js)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O11 - Options group: [!CNS] ?D??¨¦?¨ª?
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: msdaipp - (no CLSID) - (no file)

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\DOWNLO~1\CnsMin.dll
C:\WINDOWS\DOWNLO~1\

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)
 
ComboFix doesn't work for me. Attached are fresh HJT and AVG logfiles as requested.

I have deleted the files you advised me to; however, I am sure there are still stubborn Cns files undeleted.

Please advise.
 
Hi,

Please follow these instructions carefully.

1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the attachment avengerscript.txt you have just downloaded, click on it and press open.
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Boot into safe mode, unhide all your system files, run HijackThis and fix these entries, if found:

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O11 - Options group: [!CNS] ?D??¨¦?¨ª?

6. Search for CNS and list down all files and full filepaths and save them in a notepad as cnsfiles.txt. Reboot into normal mode and rehide your system files.

7. Please attach the cnsfiles.txt, c:\avenger.txt, as well as a fresh HJT log from normal mode.


Regards,
Your friendly momok =)
 
Hi,

Sorry about that. Here it is.

Regards,
Your friendly momok =)
 
I had trouble finding the CNS files, and I think those CNS files are all in "C" Documents and Settings, Temporary Internet Files.

There is this 3721 folder which refuses to be deleted; it just pops up again every time you reboot, when you think you have deleted it.

Attached are the requested logfiles.

Please advise.

Damn this thing IS taking a LONG time. :hotouch:
 
Hi,

Apparently the cns.txt displays as a blank file? Please check if it's the right file attached.

It appears we do have a tricky infection on our hands. I've read through the previous posts in this thread, and realised that you have never once posted a ComboFix log and done your AVG anti-rootkit scan.

Please run AVG Anti Rootkit via Step 11 of the instructions HERE. Also download combofix from the link in my signature. Let me know the results of the scan.

It is highly likely that something else is running in the background and keeping the infection active.

Post the combofix log and the results of the anti-rootkit in your next reply.


Regards,
Your friendly momok =)
 
There were no rootkits according to the AVG rootkit scan.

I have attached a new copy of the cns.txt file (there were many entries, I just listed them all).

However, ComboFix does not work for my computer. My computer is a Chinese version, which includes a weird type format different from English. I had trouble entering commands in the command prompt.

I'm wondering should I give it one more try, or can you give me some other solution?
 
Hi,

Please download and run CCleaner via step 9 of the instructions HERE.

Some of your entries did not include file extensions. Could you edit that text file and include the full file path of the cns files?

Thanks. Also, please post a fresh HijackThis log in your next reply.

Regards,
Your friendly momok =)
 
Do you have a lot of stuff on your PC that you need? If so, can you back it up? And if you can, why not just clean install Windows?
 
By file extensions, do you mean they show what type of file it is, or what? Please advise.
 
Hi,

For example, your log shows "cns.dll___C:\WINDOWS\system32" which really means C:\WINDOWS\system32\cns.dll. The extension in this case is '.dll'.

Some of your entries show
cns___C:\WINDOWS\system32
CNSMIN___C:\Program Files\3721
CnsMinCgM___C:\Documents and Settings\max\Local Settings\Temporary Internet Files
CnsMinM___C:\Documents and Settings\max\Local Settings\Temporary Internet Files

Those do not include the extensions, which I need so I can type out an Avenger script for you. Could you do a search for these files again and post a fresh list as well as a fresh HijackThis log?


Regards,
Your friendly momok =)
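Added example, not code from the thread, Dr.Web or The Avenger, serving both the DrWeb.csv excerpt posted earlier and the "name___directory" search list momok is asking about here: it turns both formats into full Windows paths, flags entries that lack a file extension (exactly the ones momok says cannot be scripted as given), keeps .sys files under a drivers directory apart because they load as kernel-driver services that must be stopped before the file can go, and drafts the Avenger script sections from what is left. Assumptions: the Avenger section headers are as I recall them from its documentation and should be checked against the copy downloaded; the driver service name is taken to equal the .sys file stem, which the CnsMinKP registry values quoted at the top of this thread bear out for cnsminkp.sys; the two sample inputs are copied from the posts above.

```python
"""Turn the two file lists quoted in this thread into full paths and triage them.

Added example, not code from the thread, Dr.Web or The Avenger.  Avenger
section headers are as I recall them (assumption); driver service names are
assumed to equal the .sys file stem (true for cnsminkp.sys -> CnsMinKP here).
"""
import ntpath
from typing import List, NamedTuple, Tuple

# Constructed samples: the DrWeb.csv lines and search entries posted in this thread.
DRWEB_SAMPLE = r"""cnsmin.dll;c:\windows\downloaded program files;Adware.Cdn;;
cnsminkp.sys;c:\windows\system32\drivers;Adware.Cdn;;
ssprot.sys;c:\windows\system32\drivers;Adware.Tencent;;
"""
SEARCH_SAMPLE = r"""cns.dll___C:\WINDOWS\system32
cns___C:\WINDOWS\system32
CNSMIN___C:\Program Files\3721
CnsMinCgM___C:\Documents and Settings\max\Local Settings\Temporary Internet Files
"""


class Finding(NamedTuple):
    path: str
    verdict: str    # Dr.Web verdict, "" for plain search hits
    source: str     # "drweb" or "search"


def parse_drweb_csv(text: str) -> List[Finding]:
    """DrWeb.csv rows are 'name;directory;verdict;;'."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) < 3:
            raise ValueError(f"unexpected DrWeb.csv line: {line!r}")
        out.append(Finding(ntpath.join(fields[1], fields[0]), fields[2], "drweb"))
    return out


def parse_search_list(text: str) -> List[Finding]:
    """Search results were posted as 'name___directory'."""
    out = []
    for line in text.splitlines():
        name, sep, directory = line.partition("___")
        if sep:
            out.append(Finding(ntpath.join(directory.strip(), name.strip()), "", "search"))
    return out


def missing_extension(path: str) -> bool:
    """The basename has no extension, so the entry cannot be targeted as given."""
    return ntpath.splitext(ntpath.basename(path))[1] == ""


def is_driver_file(path: str) -> bool:
    directory, name = ntpath.split(path)
    return name.lower().endswith(".sys") and ntpath.basename(directory).lower() == "drivers"


def triage(findings: List[Finding]) -> Tuple[List[str], List[str], List[str]]:
    """Return (plain files, incomplete entries, driver files), de-duplicated."""
    files, incomplete, drivers, seen = [], [], [], set()
    for f in findings:
        key = f.path.lower()
        if key in seen:
            continue
        seen.add(key)
        if missing_extension(f.path):
            incomplete.append(f.path)
        elif is_driver_file(f.path):
            drivers.append(f.path)
        else:
            files.append(f.path)
    return files, incomplete, drivers


def avenger_script(files: List[str], drivers: List[str]) -> str:
    """Draft Avenger script: unload drivers by service name, then delete the files."""
    for p in files + drivers:
        if missing_extension(p):
            raise ValueError(f"refusing to script an entry without a full file name: {p}")
    lines: List[str] = []
    if drivers:
        # Assumption: service name == file stem (cnsminkp.sys -> cnsminkp, i.e. CnsMinKP)
        lines += ["Drivers to unload:"] + [ntpath.splitext(ntpath.basename(d))[0] for d in drivers] + [""]
    lines += ["Files to delete:"] + files + drivers
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_drweb_csv(DRWEB_SAMPLE) + parse_search_list(SEARCH_SAMPLE)
    files, incomplete, drivers = triage(found)
    print("Need full file names before scripting:", *incomplete, sep="\n  ")
    print()
    print(avenger_script(files, drivers))
```

The incomplete list is what momok needs back with extensions; everything else is already in a form that can go into the script, with the drivers unloaded by service name before their files are deleted.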
 