mysterious trojan

I am using e-machines WIN XP home SP2. McAfee Security Center, MS Antispyware and WinPatrol.

Two days ago WinPatrol alerted me to a file C:\WINDOWS\system32\req.dll wanting to plug in to Internet Explorer. I click "No" do not allow, and from then on it proceeded to repeat every 2 minutes. MS Anti Spyware is also alerting me to this blocked BHO very frequently.

CPU usage very high, Internet Explorer freezes then after a long time works again. Mostly using Opera and since yesterday Firefox now.

Google search indicates this is a new-ish trojan Win32.Chisyne.F or Downloader-ZM, i tried to delete req.dll even though it was not visible in exploring windows files and also an associated (according to forum posts) 1.exe.

No anti-virus or anti-spyware programme finds anything.

McAfee customer support was not helpful.

For the last 24 hours, same thing is happening except with C:\WINDOWS\Fonts\basmain.dll.

Task Manager shows 5 different files called svchost.exe are running. basmain.dll is disabled in BHO options, it is also called MS events.

I have tried KillBox but a strange message to do with "checking registry files" and renaming appears and I suspect the malicious file is successfully resisting attempts to be deleted. I suspect there are other files associated but don't know how to find them.

WinPatrol also has alerted me twice that my host files have been modified and there are regular attempts to change my browser homepage (this is new and it mentions HSremove, happened since I ran HSRemove, the last of the scans in safe mode).

I have run virus scans in DOS (first thing I tried, on advice from mcafee support), and this evening have just followed this site's "DO NOT POST UNTIL YOU HAVE" instructions.

Please help me. What next?

 

http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

done - log attached.

Since starting up this morning WinPatrol has stopped telling me every 2 mins (in fact it seems to have stopped althogether) that basmain.dll is trying to plug in to IE. But I keep getting alerts from WinPatrol and McAfee Security service that my browser home page has been changed or that an attempt has been made to change my browser's home page and search page.

 

now email that I try to send is being rejected by my contacts' anti-spam system because my IP address is in RBL http://mail-abuse.org/rbl/

what's going on?!

 

Before we start this fix, please uninstall Microsoft AntiSpyware, Ad-Aware, Spybot or any other program that protects your computer. If you have something install that you have purchased and dont want to uninstall, disable and shut down beause it can block this fix.

Download Pocket KillBox
(Don't run it yet though)

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\Fonts\basmain.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O20 - Winlogon Notify: basmain - C:\WINDOWS\Fonts\basmain.dll

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Locate PocketKillbox

Now, Copy and Paste C:\WINDOWS\Fonts\basmain.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

Reboot into Safe Mode

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Dont forget to update Spybot S&D by selecting "Search For Updates"

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

Good Luck!

 

I followed your instructions and have attached the new log file.

When I ran killbox to try and delete C:\WINDOWS\Fonts\basmain.dll it didn't quite happen as per the instructions. When I clicked "delete on reboot" and the red X, a message came up reading "Verifying Registry Entries - Plz wait..." and then a box popped up saying "PendingFileRename Operations Registry Data has benn Removed by External Process!"

I had to reboot manually, there was no "reboot now" option.

Seems C:\WINDOWS\Fonts\basmain.dll is still there the little pest.

Although I do not get alerts telling me that C:\WINDOWS\Fonts\basmain.dll is trying to plug into IE however maybe this is because I have uninstalled WinPatrol which is the programme which was alerting me most.

Internet Explorer opens with the correct homepage however MS Events Object basmain.dll is listed as a BHO (although it is still disabled).

CPU usage is very high for System Idle Process (up to 98%). Is this anything to be concerned about?

Also, do I need to worry about the changes to my host files (I was alerted to this twice)

Any advice appreciated.

many thanks

 

Download the following removal tools but don't run them yet!

• Trojan Vundo Removal Tool
• Trojan Vundo B Removal Tool

Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\Fonts\basmain.dll

O20 - Winlogon Notify: basmain - C:\WINDOWS\Fonts\basmain.dll

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\WINDOWS\Fonts\basmain.dll

NEXT:
Run CCleaner

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


After doing ALL of the above,
Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

I had to go away for a few days and couldn't work on this.

I do appreciate your help very much.

Today seems to be the day.

McAfee Virus Scan finally detected the Vundo trojan in C:\WINDOWS\Fonts\basmain.dll. It found it in the Submit! folder so I guess Killbox must have eventually worked.

I followed your latest instructions and subsequently ran the Symantec Trojan .Vundo and Trojan.Vundo.B removal tools in safe mode while disconnected physically from the internet. The Trojan.Vundo.B removal tool detected and removed 2 threatening files.

I have rebooted, re-run Trojan.Vundo.B removal tool and all seems clear now.

Current HiJack this log is attached - would be grateful if you can confirm whether my PC is now in the clear.

Now I think I need to uninstall the myriad anti-virus, ant-spyware and anti-adware programmes I have downloaded over the past 7 days in my quest against the trojan.

Which ones are best to keep running? I have been using McAfee Security Center (always kept up to date) and I also had Microsoft Anti Spyware and WinPatrol (www.winpatrol.com) however still somehow got infected by Vundo.B.

thanks

 

Your log is now clean!

If your not having any further problems then I would recommend your following the thread below.

Browse Safely!

How to Protect yourself from malware!

 

THANK YOU.

 

Your Welcome!