Another Case of Unbeatable BHO

Hey. I’ve got a Win32:TratBHO that I can’t shake. I know, I know. I’m not the only one.

I tried VundoFix, but that doesn’t seem to work.

I didn’t think of taking advice given to others because it seems like a case-specific thing.

The file that VundoFix keeps finding (but can’t remove) is C:\Windows\System32\jkkhigh.dll

I also keep getting a message on startup that a dll mentioned in the registry can’t be found, so I should either find it or remove it from the registry. I can’t remember the name of that one right now, but I’ll make a note of it next time. Suffice to say that it was one of the files infected that I quarantined.

Here’s my HijackThis logfile (attached). Please help me.

I should add that the file that I receive a notice of on startup (it’s not there, find it or get rid of the registry entry that refers to it) is C:\Users\Fennell\AppData\Local\Temp\qomnl.exe.

This is less urgent than getting rid of the virus, but something I felt might be important to mention.

Hi gospelcarwash,

This is questionable in your hijackthis log:
F3 - REG:win.ini: load=C:\Users\Fennell\AppData\Local\Temp\qomnl.exe - Fuzzy Algorithmcheck (2.97 / 5.00), Nasty
[?] O4 - HKLM..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkhigh.dll,#1 - Unknown application.
[?] O4 - HKCU..\Run: [Microsoft Update Machine] rBot.exe - Unknown application.
O4 - HKCU..\Run: [MSServer] rundll32.exe C:\Users\Fennell\AppData\Local\Temp\cbayw.dll,#1 - Fuzzy Algorithmcheck (2.97 / 5.00), Nasty
[?] O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe - Unknown service. (VundoFixSVC.exe)

Gonna look into this later,

polonus

PS In the meantime try to find and remove rBot traces from your computer, do this exactly as given here,
copy your registry first:
Find and remove registry values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^Local Security Authority Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^Windows Logon Application
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run@^MSN MESSENGER 9.0
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentVersion\Run@^Advanced DHTML Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^MSN MESSENGER 9.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices@^MSN MESSENGER 9.0
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentVersion\Run@^Local Security Authority Service
Find and remove registry keys
HKEY_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{75048700-EF1F-11D0-9888-006097DEACF9}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\microsoft update machine
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\video multimedia driver
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\win32 sound config
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\microsoft update machine
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\video multimedia driver
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\win32 sound config
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\microsoft it update32
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\microsoft update
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\microsoft update machine
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\video multimedia driver
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\win32 sound config
Find and remove files
%system%suge.exe
%system%navsvc.exe
%system%MSWDNS32.exe
%system%rtvcscan.exe
%system%bzdcypa.exe
%system%aql32.exe
%system%wuauclt11.exe
%system%wuauclt16.exe
%system%WinPTTP.exe
%system%winlogom.exe
%system%a.bat
%system%msql23.exe
%system%alg32.exe
%system%sxe.exe
%system%dl100359.exe
Find and stop processes
navsvc.exe
MSWDNS32.exe
rtvcscan.exe
bzdcypa.exe
WinPTTP.exe
winlogom.exe
sxe.exe
dl100359.exe

Damian
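The following is an added example and not part of the thread or any tool polonus mentions. It is an audit-only PowerShell script that checks a Windows machine for the autostart values, files and processes listed in the post above (plus the jkkhigh.dll, qomnl.exe, cbayw.dll and rBot.exe entries from the HijackThis lines) and reports what it finds, so the manual removal can be confirmed against the actual state of the box. The value-name and file lists are assumptions derived from the key paths in the post; the "%system%" prefix is taken to mean the System32 directory, and HijackThis F3 win.ini entries are read from the registry location NT-based Windows maps them to. It removes nothing; run it from an elevated prompt before and after the cleanup.

```powershell
# Added example (not from the thread): audit for the rBot / Vundo indicators
# named in polonus's reply. Reports only; removal stays a manual step.

# Value names under ...\CurrentVersion\Run and \RunServices from the post,
# plus the [MSServer] entries from the HijackThis log (assumed list).
$SuspectValueNames = @(
    'Local Security Authority Service', 'Windows Logon Application',
    'MSN MESSENGER 9.0', 'Advanced DHTML Enable', 'Microsoft Update Machine',
    'Video Multimedia Driver', 'Win32 Sound Config', 'Microsoft IT Update32',
    'Microsoft Update', 'MSServer'
)

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# "Find and remove files" list (%system% assumed to be System32) plus jkkhigh.dll
$SuspectSystemFiles = @(
    'suge.exe', 'navsvc.exe', 'MSWDNS32.exe', 'rtvcscan.exe', 'bzdcypa.exe',
    'aql32.exe', 'wuauclt11.exe', 'wuauclt16.exe', 'WinPTTP.exe', 'winlogom.exe',
    'a.bat', 'msql23.exe', 'alg32.exe', 'sxe.exe', 'dl100359.exe', 'jkkhigh.dll'
)

# Files in the user's Temp directory named in the HijackThis log
$SuspectTempFiles = @('qomnl.exe', 'cbayw.dll')

# "Find and stop processes" list plus rBot from the O4 line (names without .exe)
$SuspectProcesses = @('navsvc', 'MSWDNS32', 'rtvcscan', 'bzdcypa', 'WinPTTP',
                      'winlogom', 'sxe', 'dl100359', 'rBot')

$findings = New-Object System.Collections.Generic.List[object]

# 1. Autostart registry values under Run / RunServices
foreach ($key in $AutostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $SuspectValueNames) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $findings.Add([pscustomobject]@{
                Type = 'RegistryValue'; Location = "$key\$name"; Detail = $props.$name })
        }
    }
}

# 2. win.ini load= / run= (the HijackThis F3 lines) are stored here on NT-based Windows
$winIniKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
if (Test-Path $winIniKey) {
    $p = Get-ItemProperty -Path $winIniKey
    foreach ($v in 'load', 'run') {
        if ($p.$v) {
            $findings.Add([pscustomobject]@{
                Type = 'WinIniEntry'; Location = "$winIniKey\$v"; Detail = $p.$v })
        }
    }
}

# 3. Files on disk (size reported so a re-run shows whether the file changed)
$candidates = @()
foreach ($f in $SuspectSystemFiles) { $candidates += Join-Path $env:SystemRoot "System32\$f" }
foreach ($f in $SuspectTempFiles)   { $candidates += Join-Path $env:TEMP $f }
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $findings.Add([pscustomobject]@{
            Type = 'File'; Location = $path; Detail = (Get-Item -LiteralPath $path).Length })
    }
}

# 4. Running processes
foreach ($n in $SuspectProcesses) {
    Get-Process -Name $n -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type = 'Process'; Location = "PID $($_.Id)"; Detail = $_.Path })
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed rBot/Vundo indicators were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit under RegistryValue shows the command line the entry launches, which is what to compare against the rundll32 lines in the HijackThis log; a File hit with no matching Process hit is the typical post-quarantine state that produces the "dll could not be found" message the original poster describes, since the autostart entry survives after the file is gone.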

Hi gospelcarwash,

Before we go further I’d like you to do the following:
Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don’t have it already. Make sure it’s the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it’s clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the ‘Search for Updates’ button. Install any updates that are available.

Now click Mode menu and choose ‘Advanced Mode’. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident. Make sure you enable TeaTimer after we are done. Do NOT enable Spybot TeaTimer Resident protection at this time. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. It may also hinder our fix at this point. You may enable it after the fix is complete.

Now click on the ‘Spybot-S&D’ option on the top left to go back to the main screen. Next click on the ‘Check for Problems’ button. Let it run the scan. If it finds something, check all those in RED and hit the ‘Fix Selected Problems’ button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

Post a new HijackThis log,

polonus