Yet another person needing Win 32: BHO-KD [Trj] removal assistance

Dear Moderator,

I have followed the instructions provided to another person who requested assistance in removing the Win 32: BHO-KD [trj] and the logs from both combofix and hijack this are attached. The infection was identified by avast in my windows\system32\consol.dll file.

Am I correct in my understanding that combofix has deleted and restored all of my affected files?

Many thanks in advance for your assistance!

It will be good if you can send the file windows\system32\consol.dll for analysis to virus (at) avast.com
An on-line scanner, just to be sure, won’t hurt either.
For full computer on-line scanning, I suggest Kaspersky and BitDefender:

Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
AVGas (not necessary if you have AVG antispyware installed)
F-Secure
BitDefender (free removal of the malware)
HitmanPro (multiple scanners)

It will be good if you can send the file windows\system32\consol.dll for analysis to virus (at) avast.com

Combofix removed it, so if you want to submit it, you will have to add it to the chest.

C:\goobox\C:\WINDOWS\system32\consol.dll.vir

@samsonwk

Can you rerun the scans, combofix first, then HJT. Please post the new logs. Some of the combofix log didn’t come out.

Do you know anything about this site?

ny.contentmatch.net

Your java is way out of date. It can be an entry point for malware. You should install the current version by doing the following steps.

Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u3-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar except Java TM 6 Update 3 which you just installed.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders except the subfolder jre1.6.0_03 which was just created by the installation above.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Dear Tech & Oldman,

Many thanks for the online scanning recommendations. I am conducting the BitDefender now. It seems to be finding new problems... When it is completed, I will re-run combofix & hijack & forward the logs.

As oldman pointed out, when I look in the windows\system32 folder, the file is no longer present. Thus, I don’t understand how to retrieve it or to move it to chest…

I am not familiar with the ny site that Oldman provided. Logs to follow.

Thank you again for your time & assistance,
samsonwk

Hi samsonwk,

I see that you have already updated your Sun Java and removed the older vulnerable versions.

You could fix the following with HJT, flag the entries and press Enter.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm -
This entry should be fixed by HijackThis!

O2 - BHO: (no name) - {B6DD1CF8-B8E9-4AA9-9461-E24CA45C3409} - C:\WINDOWS\System32\consol.dll - Unknown application.
O4 - HKLM..\Run: [Sygate Personal Firewall Start] servic.exe - Must be fixed! Added by the RBOT-RY WORM!
O4 - HKLM..\Run: [Windows Compliant] suptnq.exe - Unknown application.

O4 - HKLM..\RunServices: [Sygate Personal Firewall Start] servic.exe - Must be fixed! Added by the RBOT-RY WORM!
O4 - HKLM..\RunServices: [Windows Compliant] suptnq.exe - Unknown application.

O4 - HKCU..\Run: [Sygate Personal Firewall Start] servic.exe - Must be fixed! Added by the RBOT-RY WORM!
O4 - HKCU..\Run: [Windows Compliant] suptnq.exe - Unknown application.
[X] O4 - HKCU..\Run: [msrd3x40] C:\WINDOWS\System32\msrd3x40.exe - Unknown application.
O20 - AppInit_DLLs: ?????? , -

The two following could be fixed if they are not familiar to you, or they are not the name server URLs of your provider.

O4 - HKCU..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot - Must be fixed! Spyware remover of somewhat dubious repute
[?] O17 - HKLM\System\CCS\Services\Tcpip..{B2CE954A-477F-4A64-A233-817FB620EFF1}: NameServer = 142.161.130.155 142.161.2.155 - Do you know the IP or Domain ‘142.161.130.155 142.161.2.155’? If not, fix this entry.
After fixing load a new hjt log please,

polonus

To move a file from the goobox

Right click the “a” icon, click start avast antivirus. Once the interface comes up, click on the chest, then the user section button.

Right click anywhere in the window and select add

Use the browse to navigate to the following folder

C:\QOOBOX\QUARANTINE\c\windows\system32

in the right hand panel a list of files should appear with the added .vir extension.

single click on consol.dll.vir ,

Back in the chest right click on the file and select “email to Alwil Software”

In the box that appears paste this line in

[b]ATTN: Maxx

http://forum.avast.com/index.php?topic=32405.0

sample from BHO[/b]

Make sure the box beside MAPI is checked. click send. You can send only one sample per mail.

Dear oldman,

Thank you for the detailed instructions. Unfortunately, the folder C:\QOOBOX\QUARANTINE\c\windows\system32 does not reveal any files. There are only 2 sub-folders, one called drivers and another called system. In the drivers sub-folder, the rppkafeb.dat.vir file appears and in the system subfolder, the mcafeepf.dll.vir file appears. The consol.dll.vir file does not appear in either of the subfolders or the system32 folder. Thus, I am unable to forward to Alwil as requested.

May I also ask about the instructions you provided earlier about updating java? From the posting that followed, it appears that somehow my system was updated (but not knowingly by me…). Should I still continue with your java update instructions?

Many thanks once again for your time and assistance!
Best,
samsonwk

Go ahead with the java update, according to HJT you have an old version.

Then run combofix and HJT in that order.

Thanks

You said you ran Bit Defender after you ran combofix the first time. I’d bet my last dollar that BD nabbed it out of the Qoobox.

Dear oldman,

Attached are the most recent combofix and hijack this logs (without the java update done yet). Must go offline for a few hours but will perform the java update & email new logs afterwards a little later on.

Many thanks,
samsonwk

Alright, thanks, I’ll be off for awhile too. :wink:

It looks like this computer was infected before, the worms/files removed but some of the reg keys were left behind. So let’s clean this up a bit and take it from there.

Please submit these file(s)

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\patchw32.exe

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop. Don’t run it yet

Open HJT, run a system scan only, check mark these lines if present
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM..\Run: [Windows Compliant] suptnq.exe
O4 - HKLM..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM..\Run: [Windows Compliant] suptnq.exe
O4 - HKCU..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM..\Run: [Windows Compliant] suptnq.exe
O4 - HKCU..\Run: [msrd3x40] C:\WINDOWS\System32\msrd3x40.exe
O4 - HKUS\S-1-5-18..\Run: [Sygate Personal Firewall Start] servic.exe (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [Windows Compliant] suptnq.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [RSPC Driver D] hwfsv.exe (User ‘Default user’)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\System32\msrd3x40.exe

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMOVEIT results, a combofix log and a HJT log.

Also, I must warn you the worms were information stealers/keyloggers.

Dear oldman,

You are too fast… Many thanks for the additional assistance. Unfortunately, I am unable to implement the latest instructions for another 8 days as I am flying away on holidays. I will resume upon my return & I greatly appreciate your assistance.

In the meantime, I have installed the java file as per your instructions. There were a couple of files in the c:\programfiles\java\jre1.6.0_03 folder that I was denied access to for deletion so they remain. The logs of combofix and hijack this are attached.

Once again thanks for your assistance & I’ll be in touch upon my return.

Best,
samsonwk

re:java

You misunderstood the instructions. You were to delete all the folders except jre1.6.0_03. That was the one you just installed.

Please download the java again, if you have deleted it. Then uninstall the one you did earlier and reinstall . Your java will be good to go.

A few spare moments before my flight… I have reinstalled Java and kept all subfolders and files within the update 3 folder. I have re-run combofix & HijackThis and attach the logs hereto.

I have also attempted to start on the additional instructions but could not locate a file C:\windows\patchw32.exe. There is a file c:\windows\patchw32.dll which I have sent to virustotal per your instructions and it appears to me that there were no problems found with the .dll file. The results are below. Before I continue with the remainder of the instructions, could you kindly confirm if the name of the file is correct or if I need to search elsewhere please?

Many thanks once again,
samsonwk

File patchw32.dll received on 01.04.2008 17:43:24 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.4.11 2008.01.04 -
AntiVir 7.6.0.46 2008.01.04 -
Authentium 4.93.8 2008.01.04 -
Avast 4.7.1098.0 2008.01.03 -
AVG 7.5.0.516 2008.01.04 -
BitDefender 7.2 2008.01.04 -
CAT-QuickHeal 9.00 2008.01.04 -
ClamAV 0.91.2 2008.01.04 -
DrWeb 4.44.0.09170 2008.01.04 -
eSafe 7.0.15.0 2008.01.03 -
eTrust-Vet 31.3.5430 2008.01.04 -
Ewido 4.0 2008.01.04 -
FileAdvisor 1 2008.01.04 -
Fortinet 3.14.0.0 2008.01.04 -
F-Prot 4.4.2.54 2008.01.04 -
F-Secure 6.70.13030.0 2008.01.04 -
Ikarus T3.1.1.15 2008.01.04 -
Kaspersky 7.0.0.125 2008.01.04 -
McAfee 5200 2008.01.04 -
Microsoft 1.3109 2008.01.04 -
NOD32v2 2765 2008.01.04 -
Norman 5.80.02 2008.01.04 -
Panda 9.0.0.4 2008.01.03 -
Prevx1 V2 2008.01.04 -
Rising 20.25.42.00 2008.01.04 -
Sophos 4.24.0 2008.01.04 -
Sunbelt 2.2.907.0 2008.01.04 -
Symantec 10 2008.01.04 -
TheHacker 6.2.9.180 2008.01.04 -
VBA32 3.12.2.5 2008.01.02 -
VirusBuster 4.3.26:9 2008.01.04 -
Webwasher-Gateway 6.6.2 2008.01.04 -
Additional information
File size: 181760 bytes
MD5: 07555aaaf72b735c064ad8ec082cc43a
SHA1: f2f98fe9fff89a8aa02350801bf2665d6e697284
PEiD: -

I attempted to complete the rest of the instructions. All of the HijackThis lines that you asked me to check were present. It appears, however, that the C:\WINDOWS\System32\msrd3x40.exe is not present. I only have a file named C:\WINDOWS\System32\msrd3x40.dll. I tried to copy this file to the OTMoveIt but am unable to.

Could you please advise whenever you have a spare moment? No rush, as I will be offline now for the next 8 days.

Your assistance & patience is greatly appreciated!!!

samsonwk

C:\WINDOWS\System32\msrd3x40.dll is a legitimate file. :slight_smile:

Please use copy and paste to copy and paste the lines I post, for both removing and submitting files. This way we won’t accidentally remove the wrong file.

When I made my new canned HJT fix, I forgot a line. Here is the corrected procedure.

Open HJT, run a system scan only, check mark these lines if present

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM..\Run: [Windows Compliant] suptnq.exe
O4 - HKLM..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM..\Run: [Windows Compliant] suptnq.exe
O4 - HKCU..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM..\Run: [Windows Compliant] suptnq.exe
O4 - HKCU..\Run: [msrd3x40] C:\WINDOWS\System32\msrd3x40.exe
O4 - HKUS\S-1-5-18..\Run: [Sygate Personal Firewall Start] servic.exe (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [Windows Compliant] suptnq.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [RSPC Driver D] hwfsv.exe (User ‘Default user’)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

Close all browser/windows except HJT, click fix, close HJT.

Please do the above and post a new HJT log. Thanks
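As an added example (this is not code from the thread, from HijackThis or from any of the helpers), here is a small Python script that reads lines in the HijackThis log format used above and explains why the kinds of entries the helpers keep asking the poster to fix deserve attention: O4 autoruns that are bare filenames resolved via PATH or that live in the Windows 9x-only RunServices key, an unnamed O2 BHO, an O15 Trusted Zone site, O17 name servers you do not recognise, and a populated O20 AppInit_DLLs value. The sample lines are constructed from the entries quoted in this thread; the watchlist of file names, the BHO CLSID treated as bad, and the empty list of known resolvers are assumptions made for the demonstration.

```python
"""Triage HijackThis-style log lines for the persistence indicators discussed above."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, not a real log: the entries quoted in the thread, written in
# HijackThis line format, plus one benign O4 entry (ctfmon.exe) for contrast.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = \\blank.htm
O2 - BHO: (no name) - {B6DD1CF8-B8E9-4AA9-9461-E24CA45C3409} - C:\\WINDOWS\\System32\\consol.dll
O4 - HKLM\\..\\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\\..\\RunServices: [Windows Compliant] suptnq.exe
O4 - HKCU\\..\\Run: [msrd3x40] C:\\WINDOWS\\System32\\msrd3x40.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKUS\\.DEFAULT\\..\\Run: [RSPC Driver D] hwfsv.exe (User 'Default user')
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B2CE954A-477F-4A64-A233-817FB620EFF1}: NameServer = 142.161.130.155 142.161.2.155
O20 - AppInit_DLLs: ??????
"""

# Assumption: the names the helpers told the poster to remove, used here as a
# stand-in indicator list. Replace with your own in real use.
WATCHLIST = {"servic.exe", "suptnq.exe", "hwfsv.exe", "msrd3x40.exe", "consol.dll"}
BAD_CLSIDS = {"{B6DD1CF8-B8E9-4AA9-9461-E24CA45C3409}"}
# Assumption: resolvers you recognise (your ISP's). Empty means every O17 is flagged.
KNOWN_RESOLVERS: set = set()

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
# Quoted path, or everything up to the first executable-looking extension.
BIN_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|com|scr|bat|cmd))\b', re.I)


@dataclass
class Finding:
    line: str
    reasons: list


def image_of(cmd: str) -> Optional[str]:
    """Return the executable/DLL path from an autorun command line, or None."""
    m = BIN_RE.match(cmd.strip())
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage_line(line: str) -> list:
    """Reasons a single HijackThis line deserves attention; empty list if none."""
    reasons = []
    if m := O4_RE.match(line):
        image = image_of(m["cmd"]) or m["cmd"]
        base = re.split(r"[\\/]", image)[-1].lower()
        if base in WATCHLIST:
            reasons.append(f"{base} is on the watchlist")
        if "\\" not in image:
            reasons.append("bare filename, resolved via PATH at logon (common worm pattern)")
        if m["key"].lower() == "runservices":
            reasons.append("RunServices is honoured only by Windows 9x/Me; on XP something wrote it deliberately")
    elif m := O2_RE.match(line):
        base = re.split(r"[\\/]", m["path"])[-1].lower()
        if m["clsid"].upper() in BAD_CLSIDS or base in WATCHLIST:
            reasons.append(f"BHO {m['clsid']} / {base} is on the watchlist")
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a name")
    elif line.startswith("O15 - Trusted Zone:"):
        reasons.append("site added to the IE Trusted Zone: zone restrictions relaxed for it")
    elif m := O17_RE.match(line):
        unknown = [s for s in m["servers"].split() if s not in KNOWN_RESOLVERS]
        if unknown:
            reasons.append("NameServer not in known resolvers: " + " ".join(unknown))
    elif m := O20_RE.match(line):
        if m["value"].strip(" ,-"):
            reasons.append("AppInit_DLLs set: DLL loaded into every process that loads user32.dll")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every line that has at least one reason."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            out.append(Finding(line, reasons))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run as-is it prints eight findings from the constructed sample and stays silent on the ctfmon.exe and R0 lines. The heuristics are there to explain, not to decide: plenty of legitimate software sits in Run keys, so an entry with a full path and no watchlist hit gets no reason, and the ones the thread flags are caught by what they do (no path, Win9x-only key, nameless BHO, injected DLL) rather than only by name.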

i have combofix and hijack this…

pls…anyone can help…10000 times thanks…thank you!!!