Infected With Downloader.gen.a Trojan


41 replies to this topic

#16 CharlsFarls


Posted 16 May 2008 - 09:39 AM

Darn good idea Steam! I've popped them on the end. You are officially my *saviour*! Lol

It has never done that repair thingy before too. I have been a big chicken and still not done the combofix because I am trying to read this stuff and make sure I am going to do it properly, but I have just given myself a big kick up the butt and am just about to do it.

Wish me luck.......




C:\Program Files\Internet Explorer\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cn skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ch skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.cl skipped
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ca skipped
C:\Users\Charli\svchost.exe Infected: Trojan-Downloader.Win32.VB.dck skipped

C:\Windows\dbrmdwb.exe Infected: IM-Worm.Win32.Pykse.h skipped
C:\Windows\System32\f3PSSavr.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped


#17 CharlsFarls


Posted 16 May 2008 - 11:33 AM

Oh no. It seems I have done it again. I have done everything (I think) as per instructions for the combofix, but unfortunately, it ain't working! I double click on the icon on the desktop, and everything goes according to plan until the first combofix screen comes up. Instead of saying it is preparing to run, it says nothing, and doesn't load up! In the bar at the top where it is supposed to just have the c prompt symbol - it says administrator and a couple of dots!

I finally plucked up the courage and drat, it hasn't gone to plan. I shall await your most helpful advice!!

#18 steamwiz


Posted 16 May 2008 - 03:44 PM

Hi

Try this ...

Right-click Combofix.exe & then click Run as administrator.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#19 CharlsFarls


Posted 16 May 2008 - 05:16 PM

Hey there!

I tried that but it still won't do it! :thumbsup: Alas, I think I am jinxed. Lol

I have disabled all the stuff in Mcafee (it's slightly different on mine though, you can't just right click in the taskbar and exit, you have to deselect each bloomin thing in the security centre!). Gone through the instructions again and am sure I am doing exactly what I am supposed to - even tried downloading combofix again but no!

Ay blimey.


Charli

#20 steamwiz


Posted 17 May 2008 - 05:52 PM

Hi

Please try to run Combofix in safe mode ...

steam

#21 CharlsFarls


Posted 18 May 2008 - 06:15 AM

Tried that and it now comes up with this error message:

Instead of saying administrator in the top bar, it now says c.bat, and in the window it says:

The system cannot find message text for message number 0x8 in the message f or file system.

Aaaaaargh! Lol

#22 steamwiz


Posted 18 May 2008 - 04:31 PM

HI

We're going to have to give up on Combofix; that last error you got is one that Combofix throws up on probably one in a thousand Vista computers, & no-one seems to know why ...

So I'll read back through your thread & we'll use a different program to remove the files which I had hoped Combofix would remove ...

First .. do you see any C:\Combofix.txt files or C:\Combofix\Combofix.txt files? If you do then please post them ...

Also run & post a new KASPERSKY ONLINE SCANNER REPORT (just the infected lines as before) + the header at the top of the report ..

steam

#23 CharlsFarls


Posted 19 May 2008 - 04:35 PM

See - I told you I was a pain!! Lol

Ok here goes.........


------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 4:54:41 PM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 784101
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 195081
Number of viruses found: 5
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:48:51



C:\Program Files\Internet Explorer\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj skipped
C:\Users\Charli\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.17803 Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Windows\dbrmdwb.exe Infected: IM-Worm.Win32.Pykse.h skipped
C:\Windows\System32\f3PSSavr.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped


Do you want me to run that Mbam thingy whatsit again? Let me know and I will get on the case, ace.

Thanks so much :thumbsup: - I would have totally given up if it hadn't been for your help.

Charli

#24 steamwiz


Posted 19 May 2008 - 06:04 PM

HI Charli

Yes, you can run Malwarebytes again, especially as it removed so much last time ...but I expect (hope) to see it show a clean log this time ...

Please do this as well ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


let me know if you get another error message.

Then ....

Download avenger2 by swandog46 :-

http://swandog46.geekstogo.com/avenger2/download.php

1. Click the above link & save to your desktop ...

2. Right click on the Avenger.zip folder and select "Extract to Avenger...

You will now have an Avenger folder on your desktop.

We'll use this next ...

steam

#25 CharlsFarls


Posted 20 May 2008 - 02:06 AM

Oky coky, I have done it and the results will follow in a sec......now I tried the combofix thing and it is doing exactly the same thing as last time, so I'm going to try and do it in safe mode and see if it works, and I shall let you know!

PS My computer was doing that startup repair thing again when it rebooted yesterday, but eventually started again fine. When I booted up this morning, again, did the startup repair and took a little bit longer to sort but worked eventually!!

Cheers Steam


Charli

-----------------------------------------------

Malwarebytes' Anti-Malware 1.12
Database version: 751

Scan type: Quick Scan
Objects scanned: 42265
Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ci.dll (Trojan.BHO) -> Delete on reboot.

#26 steamwiz


Posted 20 May 2008 - 08:21 AM

HI

It looks like Malwarebytes is causing your startup problems by removing an essential file ...

Your first Malwarebytes log showed this :-

C:\Windows\System32\ci.dll (Trojan.BHO) -> Quarantined and deleted successfully.

Then you had problems ...

Your new Malwarebytes log shows this :-

Files Infected: 1

C:\Windows\System32\ci.dll (Trojan.BHO) -> Delete on reboot.


once that file was removed again, your problem returned ...

Take a look here :-

http://www.programchecker.com/file/32563.aspx

under the heading "All Versions" ... the bottom one :-

ci.dll 6.0.6000.16386 Code Integrity Module Microsoft

Default Location: c:\windows\system32\ci.dll

-
http://blogs.zdnet.com/Bott/?p=154

Code Integrity (CI) protects Windows Vista by verifying that system binaries haven't been tampered with by malicious code and by ensuring that there are no unsigned drivers running in kernel mode on the system. CI starts as Windows starts up. The boot loader checks the integrity of the kernel, the Hardware Abstraction Layer (HAL), and the boot-start drivers. After these binaries have been verified, the system starts and the memory manager calls CI to verify any binaries that are loaded into the kernel's memory space. The binaries are verified by looking up their signatures in the system catalogs. Aside from the kernel memory space, CI verifies binaries loaded into a protected process and system installed dynamic libraries that implement core cryptographic functions.


The CI.DLL is made by the Microsoft's DRM team to ensure the whole machine is in a trusted state to play DRM-protected content. For that reason, CI.DLL also checks the integrity of user-mode processes that are handling DRM-protected content.


It goes without saying that removing that dll will cause problems ...

Windows file protection will have replaced the file ...

I need you to save a log in developer mode. This will allow us to figure out how the false positive came to be. Simply follow these directions.

This time if it finds the file, it will say No action taken. ... so it won't remove the file ...

1. Click the Start Menu.
2. Click Run.
3. Type in "mbam.exe /developer", without the quotes.
4. Run the same type of scan you did before and save the logfile and post it.

steam

#27 CharlsFarls


Posted 20 May 2008 - 10:09 AM

Hey! K, so here it is! Now it said that everything was all done and dusted but when I go to exit out of malwarebytes it says there is a scan still running and do I really, really want to exit? So I haven't done as yet! Don't know if it is an error or what!

I have downloaded that avenger thingumy and extracted it to my desktop - do you want me to start it off or anything? Haven't clicked as I daren't without your instructions!

Thanks a lot

Charli

PS Does your previous message mean I have been given the all clear then? Apart from that ci.dll thing that is supposed to be there anyway (do I need to do anything else about that BTW? It says on that site something about allowing it or something :thumbsup: )?





------------------------------------------
Malwarebytes' Anti-Malware 1.12
Database version: 751

Scan type: Quick Scan
Objects scanned: 42254
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ci.dll (Trojan.BHO) -> No action taken. [EXTRA=Trojan.BHO, C:\Windows\system32\CI.dll]

#28 steamwiz


Posted 20 May 2008 - 02:39 PM

Hi

Hey! K, so here it is! Now it said that everything was all done and dusted but when I go to exit out of malwarebytes it says there is a scan still running and do I really, really want to exit? So I haven't done as yet! Don't know if it is an error or what!


My... you are getting them ... I don't know what that's all about, but you've posted the developer scan, which is what I wanted & Malwarebytes' Anti-Malware has nothing else to do ... so exit from it (if you haven't already).

Now you've posted the scan, I can see that the file you have in system32 is still being tagged as malware by Malwarebytes' Anti-Malware ... so please go to C:\Windows\System32\ci.dll & upload the file here for me :-

http://www.thespykiller.co.uk/index.php?board=1.0

Start a new topic ...title ci.dll for steamwiz

put this in your post :-

for steamwiz ...

link :- http://www.bleepingcomputer.com/forums/topic146308-15.html

Files Infected:
C:\Windows\System32\ci.dll (Trojan.BHO) -> No action taken. [EXTRA=Trojan.BHO, C:\Windows\system32\CI.dll]



then please find the C:\Windows\system32\ci.dll file ...

... zip it & attach it to the post...

if you can't zip it, just attach it as it is ...

-

I have downloaded that avenger thingumy and extracted it to my desktop - do you want me to start it off or anything? Havent clicked as I darent without your instructions!


We are going to use Avenger to remove these last remaining infected files shown by the KASPERSKY ONLINE SCANNER REPORT

C:\Program Files\Internet Explorer\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj skipped
C:\Users\Charli\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.17803 Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Windows\dbrmdwb.exe Infected: IM-Worm.Win32.Pykse.h skipped
C:\Windows\System32\f3PSSavr.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped

Now you have an Avenger folder on your desktop.

3. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing Ctrl+C

Files to delete:
C:\Program Files\Internet Explorer\msimg32.dll
C:\Program Files\MSN Messenger\msimg32.dll
C:\Program Files\MSN Messenger\riched20.dll
C:\Windows\dbrmdwb.exe
C:\Windows\System32\f3PSSavr.scr


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


4. Open the Avenger folder & double-click the Avenger.exe file (Right click/Run as Administrator if you have Vista)

5. Right click on the window under Input script here:, and select Paste

6. make sure the Scan for rootkits is checked ...

& the Automatically disable any rootkits found is NOT checked ...

7. Click on Execute

8. Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
9. Please copy/paste the content of c:\avenger.txt into your reply

-
Run the Malwarebytes Anti-Malware from the icon on your desktop, select the quarantine tab, and delete all...

then run & post a new KASPERSKY ONLINE SCANNER REPORT (same as previously)

-

PS Does your previous message mean I have been given the all clear then? Apart from that ci.dll thing that is supposed to be there anyway (do I need to do anything else about that BTW? It says on that site something about allowing it or something )?


nearly done :thumbsup:

steam

Edited by steamwiz, 20 May 2008 - 02:41 PM.

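The two checks steam works through above, the ci.dll hit that comes back after Malwarebytes "deleted" it (#26) and the Avenger "Files to delete:" block built from the Kaspersky lines (#28), as an added Python example that is not code from this thread or from Kaspersky, Malwarebytes or Avenger. The log regexes, the rule that a file under System32 counts as protected, and the `\quarantine\` path marker are assumptions made for the example.

```python
"""Triage AV scan-log hits before scripting a bulk delete (added example, not tool code)."""
import re
from dataclasses import dataclass

# "<path> Infected: <name> skipped"  (Kaspersky Online Scanner report line; regex is an assumption)
KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
# "<path> (<name>) -> <action>."  (Malwarebytes' Anti-Malware log line; regex is an assumption)
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>[^.]+)\.")

REMOVAL_ACTIONS = {"Quarantined and deleted successfully", "Delete on reboot"}
PROTECTED_DIRS = ("c:\\windows\\system32\\",)  # assumption: System32 is Windows file protection territory
QUARANTINE_MARKER = "\\quarantine\\"           # assumption: AV quarantine folders carry this path segment

@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    action: str  # "skipped" for Kaspersky, the "-> ..." text for Malwarebytes

def parse_log(text: str) -> list[Detection]:
    """Extract detections from either log format; all other lines are ignored."""
    found = []
    for raw in text.splitlines():
        m = KAV_RE.match(raw.strip()) or MBAM_RE.match(raw.strip())
        if m:
            g = m.groupdict()
            found.append(Detection(g["path"], g["name"], g.get("action", "skipped")))
    return found

def redetected_protected_files(earlier, later) -> list[str]:
    """Files under a protected directory that scan 1 removed and scan 2 finds again.
    Windows put the file back on its own, so the hit is a false-positive candidate:
    verify the file's signature before acting on it again (the ci.dll case here)."""
    removed = {d.path.lower() for d in earlier
               if d.action in REMOVAL_ACTIONS and d.path.lower().startswith(PROTECTED_DIRS)}
    return sorted({d.path for d in later if d.path.lower() in removed})

def avenger_script(detections, verify_first=()) -> str:
    """Build the 'Files to delete:' block, skipping quarantine copies (the AV's own
    quarantine tab handles those) and anything still awaiting verification."""
    hold = {p.lower() for p in verify_first}
    keep: list[str] = []
    for d in detections:
        if QUARANTINE_MARKER in d.path.lower() or d.path.lower() in hold or d.path in keep:
            continue
        keep.append(d.path)
    return "Files to delete:\n" + "\n".join(keep)

# Constructed sample input: the log lines quoted earlier in this thread.
KAV_REPORT = r"""
C:\Program Files\Internet Explorer\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj skipped
C:\Users\Charli\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.17803 Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Windows\dbrmdwb.exe Infected: IM-Worm.Win32.Pykse.h skipped
C:\Windows\System32\f3PSSavr.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
"""
MBAM_FIRST = r"C:\Windows\System32\ci.dll (Trojan.BHO) -> Quarantined and deleted successfully."
MBAM_SECOND = r"C:\Windows\System32\ci.dll (Trojan.BHO) -> Delete on reboot."

if __name__ == "__main__":
    hold = redetected_protected_files(parse_log(MBAM_FIRST), parse_log(MBAM_SECOND))
    print("verify before removal:", hold)
    print(avenger_script(parse_log(KAV_REPORT), verify_first=hold))
```

Run as-is it reports ci.dll as the file to verify first and prints exactly the five-line Avenger block steam posted, with the Malwarebytes quarantine copy left out.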

#29 CharlsFarls


Posted 20 May 2008 - 03:42 PM

Aaaargh! Another error message! This one says....

In the top bar - Windows - No disk

then it says (with a big red cross before it)

Exception Processing Message 0xc0000013 Parameters 0x7570023C 0x847639DC 0x7570023C 0x7570023C

then three boxes saying cancel, try again or continue - but which one do I press?? Crumbs this is a bit scary lol

and the other info you needed is......


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Program Files\Internet Explorer\msimg32.dll" deleted successfully.
File "C:\Program Files\MSN Messenger\msimg32.dll" deleted successfully.
File "C:\Program Files\MSN Messenger\riched20.dll" deleted successfully.
File "C:\Windows\dbrmdwb.exe" deleted successfully.
File "C:\Windows\System32\f3PSSavr.scr" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



BTW Thank you thank you thank you!

#30 steamwiz


Posted 20 May 2008 - 03:47 PM

HI

What prompted the new error message ?

what were you doing at the time ?

steam

Edited by steamwiz, 20 May 2008 - 03:47 PM.
spelling




