Topic: Win32:BHO-KD [Trj] - Need help to remove

firewater07

  • Guest
Win32:BHO-KD [Trj] - Need help to remove
« on: February 24, 2008, 06:39:11 AM »
I need help to remove the trojan, I've attached the Hijackthis log and combo fix log.

Will appreciate your help.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #1 on: February 29, 2008, 07:04:22 AM »
Hi

Unfortunately, you ran combofix more than once. I don't know what was removed.

But we can clean up the remnants.

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - rsion - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)


Close all other browsers/windows, click fix, close HJT.

Submit this file to virustotal: C:\EDNETW~1\wh_exec.exe

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

Copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\EDNETW~1\wh_exec.exe
C:\EDNETW~1\wh_hook.dll

Scroll down a bit and click "send file", wait for the results and post them in your next reply.


firewater07

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #2 on: February 29, 2008, 02:16:53 PM »
Thank you for taking the time to help me, I really appreciate it.  :D
Additional info - it's found in C:\Windows\System32\capico.dll\[upx]
I forgot to save the log file for combofix the first time I ran it.  I hope I didn't do any damage.
Thanks again. :D

File wh_exec.exe received on 02.29.2008 13:38:57 (CET)
Current status:  finished
Result: 0/32 (0%)



Antivirus     Version     Last Update     Result
AhnLab-V3   2008.2.29.1   2008.02.29   -
AntiVir   7.6.0.67   2008.02.29   -
Authentium   4.93.8   2008.02.29   -
Avast   4.7.1098.0   2008.02.28   -
AVG   7.5.0.516   2008.02.29   -
BitDefender   7.2   2008.02.29   -
CAT-QuickHeal   9.50   2008.02.28   -
ClamAV   0.92.1   2008.02.29   -
DrWeb   4.44.0.09170   2008.02.29   -
eSafe   7.0.15.0   2008.02.28   -
eTrust-Vet   31.3.5574   2008.02.29   -
Ewido   4.0   2008.02.29   -
FileAdvisor   1   2008.02.29   -
Fortinet   3.14.0.0   2008.02.29   -
F-Prot   4.4.2.54   2008.02.28   -
F-Secure   6.70.13260.0   2008.02.29   -
Ikarus   T3.1.1.20   2008.02.29   -
Kaspersky   7.0.0.125   2008.02.29   -
McAfee   5241   2008.02.28   -
Microsoft   1.3301   2008.02.29   -
NOD32v2   2911   2008.02.29   -
Norman   5.80.02   2008.02.28   -
Panda   9.0.0.4   2008.02.28   -
Prevx1   V2   2008.02.29   -
Rising   20.33.41.00   2008.02.29   -
Sophos   4.27.0   2008.02.29   -
Sunbelt   3.0.906.0   2008.02.28   -
Symantec   10   2008.02.29   -
TheHacker   6.2.9.229   2008.02.25   -
VBA32   3.12.6.2   2008.02.27   -
VirusBuster   4.3.26:9   2008.02.28   -
Webwasher-Gateway   6.6.2   2008.02.29   -
Additional information
File size: 81920 bytes
MD5: ad31f55cf96938b8d8665d76e2b89081
SHA1: 47560cf9a8c23b07ae50fdfa32551642330f65bc
PEiD: Armadillo v1.71


File wh_hook.dll_ received on 02.29.2008 13:55:55 (CET)
Current status: finished
Result: 0/32 (0%)


Antivirus     Version     Last Update     Result
AhnLab-V3   2008.2.29.1   2008.02.29   -
AntiVir   7.6.0.67   2008.02.29   -
Authentium   4.93.8   2008.02.29   -
Avast   4.7.1098.0   2008.02.28   -
AVG   7.5.0.516   2008.02.29   -
BitDefender   7.2   2008.02.29   -
CAT-QuickHeal   9.50   2008.02.28   -
ClamAV   0.92.1   2008.02.29   -
DrWeb   4.44.0.09170   2008.02.29   -
eSafe   7.0.15.0   2008.02.28   -
eTrust-Vet   31.3.5574   2008.02.29   -
Ewido   4.0   2008.02.29   -
FileAdvisor   1   2008.02.29   -
Fortinet   3.14.0.0   2008.02.29   -
F-Prot   4.4.2.54   2008.02.28   -
F-Secure   6.70.13260.0   2008.02.29   -
Ikarus   T3.1.1.20   2008.02.29   -
Kaspersky   7.0.0.125   2008.02.29   -
McAfee   5241   2008.02.28   -
Microsoft   1.3301   2008.02.29   -
NOD32v2   2911   2008.02.29   -
Norman   5.80.02   2008.02.28   -
Panda   9.0.0.4   2008.02.28   -
Prevx1   V2   2008.02.29   -
Rising   20.33.42.00   2008.02.29   -
Sophos   4.27.0   2008.02.29   -
Sunbelt   3.0.906.0   2008.02.28   -
Symantec   10   2008.02.29   -
TheHacker   6.2.9.229   2008.02.25   -
VBA32   3.12.6.2   2008.02.27   -
VirusBuster   4.3.26:9   2008.02.28   -
Webwasher-Gateway   6.6.2   2008.02.29   -
Additional information
File size: 36864 bytes
MD5: f4699625a0ec6b193584a2ff9702ea5e
SHA1: 7a1501abd9eca891e07890060b0d3045ea9cb2f1
PEiD: Armadillo v1.xx - v2.xx

Offline oldman

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #3 on: February 29, 2008, 03:02:16 PM »
No, no damage, it's just more difficult without knowing what combofix removed.

The only other thing I see are signs of an autorun infection. Did you have one before?

The only place I see it is in a couple of reg keys. I don't see the associated file though.

I don't see the BHO either.

Can you see if there is a log of some sort here:

ComboFix-quarantined-files.txt. It would be on your C:\

Thanks

firewater07

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #4 on: February 29, 2008, 03:16:42 PM »
I found some files, see attachments.
Thanks.  :D

Offline oldman

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #5 on: March 01, 2008, 05:01:07 AM »
Perfect, thank you, it was what I was looking for.

The BHO was removed by combofix as well as a couple of other files.

Do you have any type of usb devices, drives, phones, pendrives, etc? As I mentioned, there is evidence of an autorun infection.

We can remove the mountpoints now, and the rest, if there is any, after you reply.

REGISTRY FIX
Quote
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{836c8104-3378-11db-8814-0008027f8d3c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d95ea864-4980-11db-8866-0008027f8d3c}]


Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a notepad file.  Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg

Make sure the box at the top is set to Desktop. Click save.

This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.



firewater07

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #6 on: March 01, 2008, 02:19:26 PM »
I've done the registry fix.  What should I do next?
What do you mean by type of usb devices, drives, etc?  Sorry, I'm not certain; do you mean like our digicam is connected to usb?

Thanks.  :D

Offline oldman

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #7 on: March 01, 2008, 04:29:14 PM »
Any type of storage device that can be connected via usb. Camera, phone, thumb drives, external hard drives, pen drives....

The mountpoints show something was attached with an autorun that points to a bad file.
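A read-only check for the kind of remnant oldman describes, added here as an example and not part of the thread or any tool it mentions. The key path is the one used in the registry fix above; the three shell verbs it inspects are an assumption about where an autorun command is normally stored.

```powershell
# Added example: list MountPoints2 entries that still carry a shell command,
# the trace an autorun.inf on a removable device leaves in the current user's hive.
# It only reports; nothing is deleted (the REGEDIT4 fix in the thread does the removal).
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
# Assumed locations of the command an autorun.inf maps to Explorer's verbs.
$verbs = 'Shell\AutoRun\command', 'Shell\open\command', 'Shell\explore\command'

Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
    $mount = $_
    foreach ($verb in $verbs) {
        $cmdKey = "$($mount.PSPath)\$verb"
        if (Test-Path -Path $cmdKey) {
            # The registry default value is exposed by PowerShell as '(default)'.
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            [pscustomobject]@{
                MountPoint = $mount.PSChildName   # a {GUID} or a volume label
                Verb       = $verb
                Command    = $cmd
            }
        }
    }
} | Format-Table -AutoSize -Wrap
```

A clean machine normally prints nothing; any row whose Command runs an executable from the root of a drive is the thing to look at before deciding what to remove.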

firewater07

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #8 on: March 02, 2008, 03:57:37 AM »
Right now, devices that are connected to usb are camera, mouse, and printer.


Offline oldman

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #9 on: March 02, 2008, 04:11:48 AM »
Do you have any others? The only one in that group that could be infected is the camera. Now, someone could have plugged in an infected device and it would show up in your log, even if the device is no longer attached.

firewater07

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #10 on: March 02, 2008, 05:19:35 AM »
The week it got infected, a friend used a diskette - but when I scanned it for viruses, it said there's no virus.  Could that be it? Because a few days after that a popup kept appearing from trustedantivirus every time I opened up the computer.

Offline oldman

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #11 on: March 02, 2008, 06:33:02 AM »
I don't believe the mountpoints would come from a floppy drive. We can protect your system somewhat with this program.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First it will remove any autorun.inf it finds. There shouldn't be one on a fixed HD anyway. It will create a SYSTEM protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will also disable any current Autorun infection's ability to restart.

Now then, on to the next problem. I don't see anything related to trustedantivirus. You said it pops up when you start the computer? Is it still doing this? We can use a different scanner if the problem is still there.
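The protective step oldman describes, written out as a PowerShell example. This is added here and is not sUBs' Flash Disinfector or anything posted in the thread; it assumes removable drives (Win32_LogicalDisk DriveType 2) are the target and, unlike the tool, only reports an autorun.inf that is already present instead of removing it.

```powershell
# Added example: plant an empty, read-only, hidden, System Autorun.inf on each
# removable drive that has none, so a later autorun worm cannot drop its own.
# An existing autorun.inf is shown for inspection, not deleted.
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'   # 2 = removable disk

foreach ($disk in $removable) {
    $path = Join-Path $disk.DeviceID 'Autorun.inf'     # e.g. E:\Autorun.inf
    if (Test-Path -LiteralPath $path) {
        Write-Warning "$path already exists; review it before removing:"
        # -Force reads the file even when it is marked hidden/system.
        Get-Content -LiteralPath $path -Force | Select-Object -First 10
        continue
    }
    New-Item -Path $path -ItemType File | Out-Null
    # Attributes as the post describes: read-only plus System (Hidden keeps it out of sight).
    (Get-Item -LiteralPath $path).Attributes = 'ReadOnly, Hidden, System'
    Write-Output "Protective Autorun.inf created on $($disk.DeviceID)"
}
```

Run it from an elevated prompt with the devices plugged in; a device that is never connected is never covered, which is why the thread asks about every USB storage device, not just the current ones.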

firewater07

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #12 on: March 02, 2008, 07:23:00 AM »
I've used the Flash_disinfector.exe.  The pop-ups from trustedantivirus don't appear anymore; I think it was removed before, when I downloaded those anti-spyware programs.

Offline oldman

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #13 on: March 02, 2008, 07:38:18 AM »
The antispyware programs were Super antispy, spybot and adaware?

We can do a quick run with combofix and see if the file from the auto run is there.


Please follow all previous instructions regarding security programs.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\netsvcs.exe


This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

firewater07

Re: Win32:BHO-KD [Trj] - Need help to remove
« Reply #14 on: March 02, 2008, 11:24:40 AM »
Yes, all those spyware programs, but I've already uninstalled spybot and spyware doctor.
I've also used Smitfraudfix before and CCleaner.

Here are the attachments: log is the log before "CFscript.txt"
logafter is the log after "CFscript.txt".

Thanks.  :D