c9hehpa - Trojan?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Anagarika, Nov 7, 2008.

  1. Anagarika

    Anagarika Private E-2

    I searched and found no info on this forum. On the internet, the consensus seems to vary as to the nature of this.

    At home, we have 3 PCs. One on Vista Home Premium, one on XP Pro SP2 (with McAfee + Zone Alarm Pro) and one with XP Home. Only the one with antivirus and firewall is used for the internet connection (with both active), and the account used for the internet is non-Admin.

    I bought a WD Passport to be used with the Vista PC as storage for movies, etc. One day, several weeks ago, I started noticing a C9HEHPA.BAT error every time the WD Passport was inserted into the PC, with a reference to Kernel32.dll. The WD is also used on the XP Pro SP2 PC with antivirus, as I sometimes work on copying the DVD movies using that PC. On reflection, on the Vista PC the error was because the registry (found later, below) runs it whenever it's plugged in, but not on the XP with AV (as there's no registry entry requesting it to run on the XP with AV).

    The info available on the net is very limited, and one of the answers on Yahoo! Answers is interesting, so I did the following: checking and removing the files manually. Upon inspecting, I didn't find any KCVO.exe on either PC, but I did find the c9hehpa.bat on the WD and on another USB drive. Scanning with McAfee resulted in the file being removed from the USB, and I proceeded with cleaning up the Vista registry that was still looking for the file when the drive was inserted (resulting in a file not found error).

    I suspected it came from installing games I got from friends (usually trusted, so it should be unlikely), but I'm unsure to what extent it has propagated, where it got into the system in the first place, whether the PC with AV (always updated) is safe, or whether I need to perform a clean install, etc.
     
  2. Anagarika

    Anagarika Private E-2

    I've got help from *****. Will follow through that one.

    Sorry for trouble and many thanks!
     
    Last edited by a moderator: Nov 7, 2008
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  4. Anagarika

    Anagarika Private E-2

    bjgarrick,

    Thank you. I'll do that on all 3 PCs. I need to ask you something about the post that was edited, but I can't send you a PM. Can you PM me instead, so I can reply?

    Sorry for the trouble.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have three different systems with Malware issues then I recommend starting a thread for each system. When you create the new thread specify that you are working on different systems so it will not cause confusion. We can work on one in this thread but for the other two create a thread for each system.

    You can ask me here?
     
  6. Anagarika

    Anagarika Private E-2

    bjgarrick,

    I couldn't start the clean-up procedure yet as I need to allocate sufficient time (just got back to work today, after being sick last week). I'll update you on this thread soon.

    I notice that my post got edited. Since I'm new and having read the forum rules, I need to know what I did wrong. I apologize if what I did was against the rule.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Understood, but I would recommend running it soon. :)

    We don't like to see links to other forums; if someone were to search and find a thread with a link to another forum it wouldn't look good.
     
  8. Anagarika

    Anagarika Private E-2

    BJ,

    Ok. Noted and understood. I'll do the clean-up as soon as possible.

    I need to understand which one has priority:
    A. XP Pro with AV & FW, the only PC that goes online when needed
    B. XP Home without AV and always offline, mainly for gaming/video watching
    C. Vista Home without AV and also always offline

    All 3 sometimes get onto LAN (wired) for gaming, so propagation is possible, although from the description of this trojan, it's not likely (mainly through disk drive).

    What I did previously (without using tools) was removing all c9hehpa.bat from B & C (never found one on A), and all related files (such as ckvo.exe; I found the list by googling), and also all registry entries referring to this. Besides that, I also removed all autorun.inf files from those USB drives that call for this c9hehpa.bat.

    Could it be that on PC A the AV and FW prevented infection? I have 2 cellphones that only connect to PC A, and upon checking the memory card (connected as a USB drive for music transfer) I found no autorun.inf nor the c9hehpa.bat. If that's the case, is it safe to skip PC A? Subsequently, I tried connecting the USB drive to both B and C again, and it's no longer getting any strange file (hidden, or system file) on its root directory after the clean-up.

    I know it's prudent to try to fix it and run the tools as soon as possible, but since my resources are limited, I need to know the priority.

    Thanks!
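The check the poster did by hand above (look for an autorun.inf at a USB drive's root, see what it launches, and look for hidden/system files next to it) is easy to script. The following is an added example written for this thread, not code from the forum or from MajorGeeks' tools: it parses a volume's autorun.inf, lists the `open=`, `shellexecute=` and `shell\...\command=` targets that Windows would run on insertion, flags any that point at a script or executable, and lists hidden/system files at the root. The sample autorun.inf and file names are constructed from the thread's description; the real file's contents are not on the page.

```python
"""Added example: inspect a removable volume's root for an autorun.inf that launches code."""
import os
import re
import tempfile

# [autorun] keys whose value Windows runs (or offers to run) when the volume is inserted
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Extensions that mean "a program or script", as opposed to a document or icon
RISKY_EXT = (".bat", ".cmd", ".exe", ".com", ".pif", ".scr", ".vbs", ".js")

# Windows file attribute bits (same values as stat.FILE_ATTRIBUTE_HIDDEN/SYSTEM)
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def parse_autorun(text: str) -> dict:
    """Return {key: value} from the [autorun] section with lower-cased keys.

    Deliberately not configparser: autorun.inf files dropped by worms are often
    padded with junk lines and duplicate keys that configparser would reject."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> list:
    """Values Windows would execute: open=, shellexecute=, shell\\*\\command=."""
    return [v for k, v in entries.items() if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def is_suspicious(entries: dict) -> bool:
    """True if any launch target names a program or script file."""
    for value in launch_targets(entries):
        for token in value.replace('"', "").split():
            if token.lower().endswith(RISKY_EXT):
                return True
    return False


def hidden_or_system_files(root: str) -> list:
    """Names at the volume root carrying the Windows hidden or system attribute.

    st_file_attributes only exists on Windows; elsewhere this falls back to
    dot-files so the function still runs (an approximation, labelled as such)."""
    flagged = []
    for name in sorted(os.listdir(root)):
        st = os.stat(os.path.join(root, name))
        attrs = getattr(st, "st_file_attributes", 0)
        if attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM) or name.startswith("."):
            flagged.append(name)
    return flagged


def scan_drive_root(root: str) -> dict:
    """Summarise what inserting this volume would do on an autorun-enabled Windows box."""
    report = {"autorun_present": False, "targets": [], "suspicious": False,
              "hidden_or_system": hidden_or_system_files(root)}
    inf_path = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf_path):
        with open(inf_path, encoding="utf-8", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        report["autorun_present"] = True
        report["targets"] = launch_targets(entries)
        report["suspicious"] = is_suspicious(entries)
    return report


# Constructed sample: the thread only says the autorun.inf "calls for" c9hehpa.bat,
# so these lines are a plausible reconstruction, not the real file.
SAMPLE_AUTORUN = """[autorun]
;junk line that a tolerant parser must skip
open=c9hehpa.bat
shell\\open\\Command=c9hehpa.bat
shell\\explore\\command="c9hehpa.bat"
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def build_sample_drive() -> str:
    """Create a temp directory laid out like the infected USB root described above."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_AUTORUN)
    open(os.path.join(root, "c9hehpa.bat"), "w").close()  # empty stand-in, not malware
    open(os.path.join(root, "holiday.mp4"), "w").close()
    return root


if __name__ == "__main__":
    # Point this at a real mount point (e.g. "F:\\") to inspect an actual drive.
    print(scan_drive_root(build_sample_drive()))
```

Any `open=` or `shell\...\command=` is worth a look on a USB stick, since legitimate data drives rarely carry an autorun.inf at all; an `icon=` or `label=` entry on its own is harmless and is not reported as a launch target. The hidden/system check covers the "strange file (hidden, or system file)" symptom the poster describes, but only on Windows, where the attribute bits are visible.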
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Anything is possible with malware; it's not likely anything is on the computers that do not connect to the internet, however it is possible that through USB drives and such it could have transferred to them.

    I would however recommend every computer have an antivirus installed regardless of whether it connects to the internet or not.
     
  10. Anagarika

    Anagarika Private E-2

    BJ,

    I have completed the XP Cleaning Process for PC A (the one with McAfee and Zone Alarm).

    Please find the logs here (I zipped them for ease of uploading).

    Only one note: during the Spybot scan, it noted that I have the Windows Security Center disabled -> This was done by me during the initial setup of this PC, as I use ZA and McAfee, to avoid multiple warnings.

    Only ComboFix detected the remaining C9HEHPA.BAT and the autorun.inf, while the other scans resulted in zero (except the Spybot note above). The other file found (oem.inf) might be the ATI Omega Driver that I got from a notebook forum to enhance the default driver (neither Toshiba nor ATI will issue any new drivers for this laptop)!

    Thanks!
     

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we begin, are you familiar with this file/directory below?
    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.


    Step 2:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Step 4:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    Step 5:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Step 6:
    Next I would like you to install the current version of Sun Java: Sun Java Runtime Environment

    Step 7:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  12. Anagarika

    Anagarika Private E-2

    BJ,

    Here's the latest report after following through the instructions.

    1. c:\install\iptools.exe - yes, I use this for learning
    2. Uninstall JRuntime: I only had version 6. Done
    3. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank - Note: I set this up manually as I dislike starting with any page. However, it was run as per the instructions, just a note to you
    4. F:\c9hehpa.bat was removed yesterday when ComboFix ran the first time. I saw it's not coming back, even before running this CFscript.
    5. Internet Security settings for IE: set to default. I rarely use IE, except for Microsoft's site, which requires IE
    6. ATF Cleaner might not work for my Firefox, as I use the portable version. I have done a manual clean-up from within Firefox though (Ctrl - Shift - Del, select all and clean) - BTW, currently I'm using Google's Chrome browser, which is not in ATF yet.
    7. Latest Sun Java installed.

    Attached is the log.
     

  13. Anagarika

    Anagarika Private E-2

    By the way, this time CF ran and rebooted the PC. However, I manually quit Zone Alarm and Avira (decided to throw out McAfee and put Avira in instead). Upon reboot, I'm afraid the two will hinder the CF process, won't they? However, I did see that CF ran and completed as last time, after generating the log.

    Now the PC runs as smoothly as it is.. I don't see any prompt or error
     
    Last edited: Nov 14, 2008
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, did you install the below, are you familiar with it?

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a few more items.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Step 3:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  15. Anagarika

    Anagarika Private E-2

    BJ,

    I was testing this app from MajorGeeks: VistaPack

    Should I just run the fix, or uninstall it first?
     
  16. Anagarika

    Anagarika Private E-2

    Ok. My apologies. I shouldn't go and install anything until you give me a 'clear' sign.

    I'll uninstall it properly and then re-run the tools as instructed.

    BTW, why can't I edit my post (so I had to reply instead of adding the info there)?
     
  17. Anagarika

    Anagarika Private E-2

    BJ,

    Here's the log. I uninstalled the VistaPack prior to running the tools, so analyse.exe didn't find the entry.

    Thanks,
     

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There is a timer for regular users on editing their posts. I think it's still five minutes.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean, if you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. Go to add/remove programs and uninstall HijackThis.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  20. Anagarika

    Anagarika Private E-2

    BJ,

    Thanks A LOT!

    Have a nice weekend!
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!

    You too! :)
     
