Blumblebee Virus after DrWeb-cureit scan

My comp is responding very slow when Azureus Vuze and Mozilla are simultaneous running. Often it freeze and I have to restart. Antivir detected so called W95/blumblebee 1738 virus. First time, it was localized in C:\WINDOWS\system32\ActiveScan\pskavs.dll. I deleted the file, but it reappeared as you can see.
I already reinstall Window so I hope you will help me fix the problem without reinstall. Thank you.

 

Hi Razbaul!!

Welcome to Major Geeks!

 

01. I downloaded and installed CCleaner, without any unnecessary baggage. I used CCleaner for cleaning my comp HDD and registry
02. I checked up startup items witc CCleaner and I did not find any unknown items, so I did not delete any of them.
03. I defragmented yhe hard drive using AusLogics Disk Defrag and it announced that defragmentation has increased the comp performance by 23%. When I pushed the "Display Report" button, comp freezed together with Zone Alarm and I had to restart.
04. I searched the list at Uninstall Malware via Add/Remove Programs, and there is no program from the list installed on my comp.
05. After reboot, comp is running in Normal Startup mode
06. I selected select Show hidden files and folders in Folder Options.
07. I am not using Multiple Antivirus Applications or Software Firewalls
08. I downloaded and extracted (not in Desktop) GetRunKey.Zip and ShowNew.Zip.
09. When trying to search for update for Spybot - Search & Destroy, comp. freezed together ZoneAlarm. I restarted, disabled firewall and followed the steps you are asking.
10. I ran CCleaner, Spybot and Counter Spy in safe mode, with internet cable unplugged.
11. SUN JAVA - last version is installed.
12. Run BitDefender and Panda. Only BD found something.
13. I disabled and enabled System Restore

 

Last attachement

 

Hi Razbaul!

Please do the following and then attach logs for both BitDefender and HijackThis:

 

Unforyunately, I lost the BD log. Must I do another scan?

 

Razbaul!
No. Don't redo it unless I ask you to. Did you have it fix everything it found?
abri

 

Yes, he found C:\WINDOWS\system32dbxDgrevCheck.dll and he deleted.

 

Yes, he found C:\WINDOWS\system32dbxDgrevCheck.dll and he deleted it.
Now, comp is running very slow. I have to wait 30 - 60 seconds to open a page in my browser. If I shut down Azureus, browser becomes faster. But same situation when I open Nero to burn a DVD.
If i try to work simultaneously with Mozilla, Azureus and Nero, comp is freezing.

 

Hi Razbaul,
I'm concerned about the slowness of your internet/browser, but I'm not finding much in your logs that would lead to this. I see in your newfiles log that you have gmer installed. Did you run this and did it find anything? I will post you a set of instructions after I've had a second opinion on them. If we're not able to determine malware, there may be something else going on like an incompatibility problem, corrupt files or a bad sector. Since you mention both Asureus and Nero, it seems possible there's a problem in your media software. Have you put a cap on your Asureus so that the download/upload is limited? Otherwise it will flood your internet connection and slow it down. I will get back to you as soon as possible with some final cleanup instructions and possibly one more scan for a rootkit. I appreciate your patience.

Thanks!
abri

 

Hi abri
Here is the gmer log. I did run it again ten minutes ago.
You can also see a warning he gave before scan and another one ge gave at the end.

 

Hi Razbaul!

We will try a rootkit removal tool first..

1) Please copy the bold text including the word REGEDIT4 below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it, double click it and allow it to merge with the registry.

2) Next, try running this:

Rustock.b - msguard, pe386, & lzx32 RootKit Removal

Please post these logs with the others you'll have.


3) Please go back and run Counterspy in Safe Mode and have it fix everything it finds!
NOTE: After you've finished this scan, please get the Counterspy log and store it somewhere on your computer where it is NOT in a Sundbelt folder!!

Once you finished Counterspy and have the log, please go to add/remove programs and uninstall:

-Sunbelt CounterSpy

Then delete the below folders which may be left behind by the uninstall:

C:\Documents and Settings\Raul\Application Data\Sunbelt Software
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software



4) Next, if you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


5) Now Run The AVENGER by Swandog46 by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it
yourself.
* A log file from Avenger will be produced at C:\avenger.txt


6) Next Reset Web Settings & Default Security Settings

For IE 6 users:
To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

For IE 7 users:
Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


7) Please download ATF Cleanerr by Atribune. This program does not require an installation.

The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


8) After you complete the above, reboot once more and then attach the following logs.

Let me know how things are running.
abri

 

Hi abri
I followed your instructions and I have the logs. The only problem I was face with is I could not find any log created by Counterspy. Anyway, he didn't find anything. After I deleted Conterspy, I tried to delete manually C:\Documents and Settings\Raul\Application Data\Sunbelt Software and there it was a log inside. I don't know it is a good log, so I have attached it to this message.
But now I can not attach any file, because the line "Attach Files" is inactive !!!

 

Try again after awhile. There seems to be some attachment problems lately.
abri

 

First 3 attachements

 

Now my comp is running like Speedy Gonsales, but only in Azureus is closed. Somebody told me I must have 1024 MB RAM, otherwise Azureus will always generate deceleration of comp.
Anyway, there are still some little irritating problems, such as delay of opening for certain folder, or the infinite time my mail needs for complete opening.

 

Razbaul!

I'm happy to hear your computer is faster now. The software forum can probably give you more advice about your Azureus. In case you have a rootkit, as both gmer and that one file found by Bit suggest, please run the following:

If that doesn't find anything, I declare you clean and will post our final cleanup instructions!!

abri

 

Hi abri
fsbl found something.

 

Believe me or not, I didn't even heard about Drop N Lock. And there is no other person who use my comp! But I got a search and I found a little program which I am using for read .dnl files. (See attachement)

 

I think it is: http://www.ebook.com/eBooks/Education/Amusements_in_Mathematics
I got rid of Azureus and now I am using uTorent,
I don't know any reason for having a hidden iexplore.exe process running.

Edit: Now I see another page I put in favourites list: http://6-5-1-0.category.datapicks.com/ Here it was the source for free e-books. When trying to access that page, I got this message: Firefox can't find the server at 6-5-1-0.category.datapicks.com

 

None. Now I repeated she scan. I shutted down Mozilla and uTorrent, and I restarted my comp. I have set the firewall to "Block all" and I ran Blacklight.
He found again that iexplorer.exe is running hidden.
After I finished, I have set the security level to Custom and Comodo have instantly noyify thet IEXPLORER.EXE is trying to access the internet.

 

I am using FireFox, but when is slowing down, I use IE. This is very rare.
In that moment, SAR is scanning the registry, but it seems to be rather blocked, because I can not see any progress. I attach a Screen.
As regards iexplorer.exe, I found two locations where it appears. The main is C:\Program Files\Internet Explorer\iexplore.exe, but there is a file named IEXPLORER.EXE, located in C:\WINDOWS\Prefetch

 

Finished, after 4 ours of scanning!
Here is the log.
I did not fix anything.

 

There is only one file that begins with iexplore is iexplore.bak, the file which name I have changed.

 

After renaming I reboot for entering in normal mode, because renaming was made in safe mode, as indicated.
I did not use Registrar Lite, because I waited for Sophos to finish his job. Should I scan again after using Registrar?

 

I ran it and the result is in the attachement.

OK, Sophos did not find anything, but the scan time was very short: 2 min, 34 sec. First scan had taken 4 hours!
Anyway, Mozilla is running very slow.

 

No messages or problems durin renaming iexplore.exe.
Sophos did not find anything, as I said in my previous post (later edit).

 

I have renamed iexplore.bak back to iexplore.exe and rescan with BlackLight. He found again the hidden process iexplorer.exe (see attached log).

 

FixVundo says: Trojan.Vundo has not been found on your computer.
Regarding Silent Runner's, it must be a mistake somewhere, cause there is nothing to save to the desktop. I clicked the link you gave me, and a page containing a script was opening in my browser, ant that's all.

 

I see Silent Runner's taking you right into the program rather than running it.

Were you able to run Using Autonruns in post 39 and get a log?
abri

 

I ran Autoruns, and attached the log.
I don't know what I have to do with Silent Runner's.

 

Done

 

Regsearch created some problems. At the end of the scan, a notepad empty document appeared and comp started to not answer. After Ctrl+Alt+Del, into the notepad appeared some text, but comp still refused to answer, so I was forced to restart. This happened with both scans (bifrost and mdojtgmr).
Now I see a single log, so I attach it together with another one, called "History".

 

Looks like he found bifrost.
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 27.08.2007 07:35:57 for strings:
; 'bifrost'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="bifrost"

; End Of The Log...

 

Logs for Filemon and Process Explorer.