Trojanhorsedownloader.Bho.c

Discussion in 'Malware Help (A Specialist Will Reply)' started by TS3, Apr 5, 2008.

  1. TS3

    TS3 Private E-2

    Hi.
    Recently AVG picked up the above on my XP machine. I tried your advice, but I still have c:\windows\system32\^>.exe and can't shake it off. I have enclosed the log. Your help will be appreciated.
    Thanks
    Tahsin
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi TS3
    Welcome to Major Geeks!


    Your computer is infected. I will post you some instructions in a while. This takes some time, so thanks for being patient.

    abri
     
  3. abri

    abri MajorGeek

    Hi TS3,

    I would like for you to do the following:

    1) First I would like for you to disable a Service
    Click Start > Run and type services.msc
    Scroll down to Symantec Lic NetConnect service and right click on it.
    Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

    2) Now we're going to delete the Service
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis.
    Click Config -> Misc Tools -> Delete an NT service.
    In the Delete window, type (CLTNetCnService) and press OK.
    OK any prompts, close HijackThis. Do not restart your computer. We will do this later.


    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {E92B076A-891B-43C8-984A-2DE9E26289E8} - c:\windows\system32\appmgmtsg.dll
    O2 - BHO: (no name) - {EA2621B7-7605-482B-AE29-97034BE09F30} - C:\WINDOWS\system32\diactfrmq.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O20 - Winlogon Notify: ohigxvai - C:\WINDOWS\SYSTEM32\appmgmtsg.dll

    Do the following belong to programs you know or want to keep? If not, please fix them as well.
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/SaltikT/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    After you click fix, just close hijackthis.



    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    6) Now I would like for you to do the following and it will be important to do it correctly. You have the file you mentioned in your first post which you've been trying to get rid of but can't. If you look at the following two files in the box below, you will see that they are both the same size. This is important, because one is a valid file, the other is not.

    I want you to see if you can find the dll file from the 17th of February with the file size of 21504, but before you do that, I want you to look up the brpinfo.dll file first which has the date of 29 Aug 2002. This will allow you to see where the file size information is located. You may need to right-click on it and look at properties for this information. Do not delete this file called brpinfo.dll, because it is valid. Simply use it for information.

    Then go back and look up the one from the 17 Feb which is simply called ~.exe in our logs. You will have to do a search for this file and you will not be able to search for it by name, but rather by file size and date. You will need to highlight the directory Windows\System 32. Then click on search and for the file name, put in *.dll. Refine your search with the advanced options so it will look for the file in this directory with the date of 17 Feb 2008 and with the file size of 21504. If you find more than one file with this size and date in System 32, tell me.

    After you've located this file, let me know and we will try to delete it with Avenger.

    7) Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) And finally, I would like for you to run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
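The file search in step 6 above, scripted in PowerShell as an added example (it is not part of abri's post and not one of the MGtools): it first shows the size and dates of the reference file the post names, then reports every file in System32 whose size is 21504 bytes and whose created or modified date is 17 Feb 2008. Directory, name pattern, size and date are parameters so the same check can be reused; the defaults are the values from the post. One caveat a user-mode listing cannot overcome: a file hidden by a rootkit will not appear here either, which is why the thread later moves on to ComboFix and GMER.

```powershell
# Added example, not from the thread: find a file by size and date, as in step 6.
# Defaults are the values abri gives: System32, *.dll, 21504 bytes, 17 Feb 2008.

function Show-ReferenceFile {
    # Show where size and dates live on a known file (the post uses brpinfo.dll as the reference).
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\brpinfo.dll'))
    $f = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $f) { Write-Warning "Reference file not found: $Path"; return }
    $f | Select-Object Name, Length, CreationTime, LastWriteTime
}

function Find-FileBySizeAndDate {
    param(
        [string]$Directory = (Join-Path $env:SystemRoot 'System32'),
        [string]$Pattern   = '*.dll',          # the post searches *.dll; pass '*' for any extension
        [long]$Size        = 21504,
        [datetime]$Date    = [datetime]'2008-02-17'
    )
    Get-ChildItem -Path $Directory -Filter $Pattern -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -eq $Size } |
        Where-Object {
            # Explorer's "date" can mean created or modified; accept either.
            $_.CreationTime.Date -eq $Date.Date -or $_.LastWriteTime.Date -eq $Date.Date
        } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

'--- Reference file (do not delete) ---'
Show-ReferenceFile | Format-List

$hits = @(Find-FileBySizeAndDate)
switch ($hits.Count) {
    0       { 'No file in System32 matches size 21504 and date 17 Feb 2008.' }
    1       { 'One candidate found:'; $hits | Format-List }
    default { "$($hits.Count) files match; the post asks you to report all of them:"; $hits | Format-List }
}
```

The `-Force` switch makes the listing include hidden and system files, which is the same effect as turning on "show hidden files" in Explorer before searching.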
  4. TS3

    TS3 Private E-2

    Abri hello,

    Thanks for the support. I tried to follow the list. Did an extensive search for the dll, can't find it. I noticed brpinfo.dll changed its date after looking into its props. Ran the Avenger twice.

    I think it's still out there.

    Cheers
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi TS3,

    Do you know what this program is?

    C:\Documents and Settings\SaltikT\Desktop\Somthing.exe


    And now I would like for you to continue as follows:


    1) Please download - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    appmgmtsg.dll
    diactfrmq.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    appmgmtsg.dll
    diactfrmq.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    appmgmtsg.dll
    diactfrmq.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    2) Next download RegistrarLite 2.00 build 200.30803

    Run Registrar Lite, navigate to the following key by copying and pasting it into the Address Bar of Registrar Lite, and click Go

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    Now take ownership of the BHO registry key by following the below steps.
    • Click-on the above Registry Key
    • Click-on Security in the Menu
    • Select Take Ownership
    Now locate the below subkeys under the Browser Helper Objects key and select it and right click on it and select delete:

    {E92B076A-891B-43C8-984A-2DE9E26289E8}
    {EA2621B7-7605-482B-AE29-97034BE09F30}


    After deleting the subkeys exit Registrar Lite

    3) Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {E92B076A-891B-43C8-984A-2DE9E26289E8} - c:\windows\system32\appmgmtsg.dll
    O2 - BHO: (no name) - {EA2621B7-7605-482B-AE29-97034BE09F30} - C:\WINDOWS\system32\diactfrmq.dll
    O20 - Winlogon Notify: ohigxvai - C:\WINDOWS\SYSTEM32\appmgmtsg.dll

    After you click fix, just close hijackthis.

    5) Now run Avenger again as you did in post 3, step 5, only this time use the contents of this box:
    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
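A read-only check that covers steps 1 and 2 of the post above, written here as an added PowerShell example (it is not abri's procedure and not part of Process Explorer or Registrar Lite): it lists every Browser Helper Object registered under the key the post names, resolves each CLSID to its DLL through the CLSID's InprocServer32 value, marks the two CLSIDs from the post, prints any Deny entries in those keys' ACLs (the thing an "access denied" on delete would point to), and reports whether appmgmtsg.dll or diactfrmq.dll is loaded in winlogon, explorer or iexplore. Run it from an elevated prompt, since reading winlogon's module list needs that. It changes nothing; removal stays with the steps in the post.

```powershell
# Added example, not from the thread: read-only audit of BHO registrations and loaded modules.
$bhoKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$suspectClsids = '{E92B076A-891B-43C8-984A-2DE9E26289E8}', '{EA2621B7-7605-482B-AE29-97034BE09F30}'
$suspectDlls   = 'appmgmtsg.dll', 'diactfrmq.dll'

function Get-BhoInventory {
    # One object per registered BHO: CLSID, the DLL it maps to, and whether that DLL exists on disk.
    if (-not (Test-Path -LiteralPath $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid  = $sub.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $server) {
            $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
        }
        $exists = $false
        if ($dll) { $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)) }
        [pscustomobject]@{
            Clsid     = $clsid
            Dll       = $dll
            DllExists = $exists
            Suspect   = ($suspectClsids -contains $clsid)
        }
    }
}

function Get-DenyAces {
    # Deny ACEs on the suspect BHO keys; these are what produce "denied" when you try to delete the key.
    foreach ($clsid in $suspectClsids) {
        $path = Join-Path $bhoKey $clsid
        if (Test-Path -LiteralPath $path) {
            (Get-Acl -Path $path).Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                Select-Object @{ n = 'Key'; e = { $clsid } }, IdentityReference, RegistryRights
        }
    }
}

function Get-SuspectModules {
    # Which of the two DLLs are loaded into the processes the post has you inspect in Process Explorer.
    foreach ($name in 'winlogon', 'explorer', 'iexplore') {
        foreach ($proc in @(Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            try { $modules = @($proc.Modules) }
            catch { Write-Warning "Cannot read modules of $name (PID $($proc.Id)); run elevated"; continue }
            foreach ($m in $modules) {
                if ($suspectDlls -contains $m.ModuleName.ToLower()) {
                    [pscustomobject]@{ Process = $proc.ProcessName; ProcessId = $proc.Id; Module = $m.FileName }
                }
            }
        }
    }
}

'--- Browser Helper Objects ---'
Get-BhoInventory | Format-Table -AutoSize
'--- Deny ACEs on suspect keys ---'
Get-DenyAces | Format-Table -AutoSize
'--- Suspect DLLs loaded in winlogon/explorer/iexplore ---'
$loaded = @(Get-SuspectModules)
if ($loaded.Count -eq 0) { 'none found' } else { $loaded | Format-Table -AutoSize }
```

A BHO whose DLL no longer exists on disk (DllExists false) is a leftover registration, which is what the HijackThis O2 lines in step 4 clean up; a BHO whose DLL is still loaded in explorer or iexplore is the case step 1 is there for.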
  6. TS3

    TS3 Private E-2

    I have a problem. Thanks for the answer:

    With Process Explorer, I couldn't find the 2 DLLs in winlogon, explorer and iexplore.
    Continued with Registrar Lite; took ownership, found the
    {E92B076A-891B-43C8-984A-2DE9E26289E8}
    {EA2621B7-7605-482B-AE29-97034BE09F30}

    Won't let me delete it: "denied".

    What should I do?

    TS3
     
  7. abri

    abri MajorGeek

    Hi TS3,

    When you ran the instructions I gave you, did you have any or all of your security software disabled? There are some instances where it's necessary to print out the instructions, turn your computer off and physically disconnect it from the internet and then disable all your security systems. Please try that. If one thing doesn't work in the instructions, please continue on with the next one until you've completed them all. Let me know if you have any success this way.

    Your MGTools are out of date. Please go to the XP Cleaning Instructions and find the link called Running Combofix. Follow the instructions in that link for downloading and running Combofix. Then go back to the XP Cleaning Instructions and download the MGTools. If it asks if they should be installed over the existing ones, say yes. Then run them according to the instructions and attach both the Combofix log and the new MGlogs.zip.

    abri
     
    Last edited: Apr 7, 2008
  8. TS3

    TS3 Private E-2

    Thanks for the support: update on this evening

    Downloaded and ran Combofix and MGTools to use the recent release; reports enclosed. I also downloaded GMER and followed the instructions. The scan ended with the quote "GMER has found system modification caused by Rootkit activity" and stopped. Ran the same in safe mode, same result. I am enclosing the report, don't know if successful.

    I will continue with the items on your previous post, will send results.

    TS3
     

    Attached Files:

  9. TS3

    TS3 Private E-2

    Abri hello,

    followed your instructions of Sunday 17:58:
    Run Process Explorer: only had winlogon and explorer, negative for the DLLS.

    Unhooked the internet for Registrar Lite with everything closed.
    Denied permission to delete the 2 lines present:
    {E92B076A-891B-43C8-984A-2DE9E26289E8}
    {EA2621B7-7605-482B-AE29-97034BE09F30}

    Completed the list; the logs are enclosed.

    Kind regards
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {E92B076A-891B-43C8-984A-2DE9E26289E8} - c:\windows\system32\appmgmtsg.dll
    O2 - BHO: (no name) - {EA2621B7-7605-482B-AE29-97034BE09F30} - C:\WINDOWS\system32\diactfrmq.dll
    O20 - Winlogon Notify: ohigxvai - C:\WINDOWS\SYSTEM32\appmgmtsg.dll

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    If the above does not get all of the rootkit removed, we will have to use GMER to remove it.

    IMPORTANT NOTE:
    If you use a flashdrive or any kind of removable drive, you need to look for the below files on it and delete them.
    xn1i9x.com
    antihost.exe
     
  11. TS3

    TS3 Private E-2


    I had to reload Combofix.
    Followed the steps.
    I would like to get feedback.
    Thanx
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi TS3,
    Your logs look good! I don't see any of the files left. If you aren't having any further malware symptoms, please go on with the final clean up instructions.
    abri
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not quite yet, Abri. See the antihost.exe item (a new one) in the ComboFix log. This needs to be removed, and all drives (including removable drives) need to be checked for those files I mentioned, or any PC that accesses these drives will get infected.
     
  14. TS3

    TS3 Private E-2

    I will be waiting for your instructions. My hard drive is partitioned into 2 as C: and D:, I will run your instructions on both.

    Thanks
    T
     
  15. abri

    abri MajorGeek

    Hi TS3,

    Please do the following:


    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    3) Now run CCleaner at the default setting with the Windows tab as the top one.


    4) And now, make sure your computer is set to show hidden files in all the drives. The instructions for this can be found under Step 2 of the READ & RUN ME FIRST.

    Then please do a search of all your drives, including your external drives, for the following files. If you find them, delete them.


    effeyoef
    kjiywzzo
    brpinfo.dll
    zietvtgn.dat
    appmgmtsg.dll
    appmgmtsg.dll.bak
    diactfrmq.dll
    ~.exe
    kaplumbag.dwg
    xn1i9x.com
    antihost.exe

    Let me know how this goes!
    abri
     
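The drive sweep in step 4 above, together with chaslang's note in post 10 about checking removable drives for xn1i9x.com and antihost.exe, as an added PowerShell example (not abri's or chaslang's instructions): it enumerates every ready fixed and removable drive, walks each one with hidden and system files included (the equivalent of the "show hidden files" setting the post asks for), and reports any file whose name is on the list. Matches are only reported unless -Remove is passed, and each removal then asks for confirmation. brpinfo.dll is left off the list because abri says later in the thread that it is a legitimate file. The look for an autorun.inf in the root of a removable drive is an assumption added here about how such drives usually carry an infection to the next PC; the thread itself does not mention autorun.inf.

```powershell
# Added example, not from the thread: sweep all drives for the filenames the helpers listed.
# brpinfo.dll is intentionally omitted (abri later says it is legitimate).
$indicatorNames = @(
    'effeyoef', 'kjiywzzo', 'zietvtgn.dat', 'appmgmtsg.dll', 'appmgmtsg.dll.bak',
    'diactfrmq.dll', '~.exe', 'kaplumbag.dwg', 'xn1i9x.com', 'antihost.exe'
)

function Get-TargetDrives {
    # Fixed and removable drives that are ready (a USB stick has to be plugged in to be checked).
    [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.IsReady -and ('Fixed', 'Removable') -contains $_.DriveType.ToString() }
}

function Find-IndicatorFiles {
    param(
        [string[]]$Names = $indicatorNames,
        [switch]$Remove
    )
    $lower = $Names | ForEach-Object { $_.ToLower() }
    foreach ($drive in Get-TargetDrives) {
        $root = $drive.RootDirectory.FullName
        Write-Host "Scanning $root ($($drive.DriveType))"

        # Assumption added here, not from the thread: an autorun.inf in the root of a removable
        # drive is worth a look, since that is how removable media usually spread an infection.
        if ($drive.DriveType -eq 'Removable') {
            $autorun = Join-Path $root 'autorun.inf'
            if (Test-Path -LiteralPath $autorun) { Write-Warning "autorun.inf present at $autorun" }
        }

        # -Force includes hidden and system files; name match is case-insensitive.
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $lower -contains $_.Name.ToLower() } |
            ForEach-Object {
                [pscustomobject]@{ Drive = $root; Path = $_.FullName; Size = $_.Length; Modified = $_.LastWriteTime }
                if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force -Confirm }
            }
    }
}

# Report only; add -Remove to delete each match after a prompt.
$found = @(Find-IndicatorFiles)
if ($found.Count -eq 0) { 'No listed files found on any ready drive.' } else { $found | Format-Table -AutoSize }
```

Plug in every removable drive that has touched the machine before running it; a drive that is not mounted is skipped, and the thread's point is that an unchecked stick can reinfect the next PC it is plugged into.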
  16. TS3

    TS3 Private E-2

    Hi Abri,

    Followed your instructions.
    Did a file search for the list of files you gave;

    located:
    brpnfo.dll @ C:\windows\PCHealth\helpCtr\Binaries
    Deleted it like 20 times and the file is still in the same location; won't go away.

    Located
    zietvtgn.dat @ c:\QooBox\Quaranteen....
    Will not let me delete.

    What to do?

    Tahsin
     
  17. abri

    abri MajorGeek

    Hi TS3,

    Your computer is fine. The brpnfo.dll is a legit file, so Windows keeps replacing it. I should not work when I get tired! The other file you're finding is in the Combofix quarantine. That can be deleted as per the final cleanup instructions like this:

    Delete the C:\QooBox folder and if you have the QooBox folder on any other drive, delete it there as well.

    After you delete this folder, run CCleaner.

    Let me know how things are running!
    abri
     
