
Bho.cvx


This topic is locked
20 replies to this topic

#1 F16GEA

  • Members
  • 21 posts

Posted 14 December 2007 - 07:00 PM

Hi there!
I found this forum after having googled BHO.CVX as I seem to have the exact same problem as Nehal from the other thread about BHO.CVX.

I've tried rebooting on safe mode: no luck.
Then I tried downloading those 2 programmes and followed the procedure as you described it. After rebooting, AVG still gave me the usual threat popup.
This is what the AVG popup tells me:

Threat detected. d3dpmesho.dll
Virus identified as Packed.morphine.d


And from the beginning of when this whole thing started (2 days ago) I have been getting this AVG popup:

Threat detected. dmusico.dll
Trojan identified as BHO.CVX


Any suggestions? I know that I haven't submitted the summary log from SUPERAntispyware but I suppose there's no point since it didn't work out. Let me know if I should do it. In that case I'll switch on the infected PC but I'm trying to keep off as much as possible to avoid further spread...

By the way:
Those 2 dll files are both located at C:\WINDOWS\system32\
I tried to erase them manually but wasn't allowed.
I use XP SP1 and IE6 if that's of any help.

Looking forward to hearing from you.
Best regards
F16GEA

Edited by F16GEA, 14 December 2007 - 07:04 PM.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,488 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 December 2007 - 12:12 AM

Have you tried the scans in Normal mode?

Have you run a couple of online scans?
BitDefender

ESET's Online Scanner

You may see an alert in the address bar to install an ActiveX component. Say YES to that if asked.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 F16GEA
  • Topic Starter

  • Members
  • 21 posts

Posted 15 December 2007 - 06:13 AM

Hey boopme.
Thanks for the reply. I only tried scanning with AVG and Adaware in normal mode...both failed to erase it. I'll try your suggestions and let you know how it went.
/F16GEA

#4 F16GEA
  • Topic Starter

  • Members
  • 21 posts

Posted 15 December 2007 - 07:47 AM

Hey again
Tried BitDefender and ESET online scans in safe mode + network. They didn't help much, unfortunately. So now I'll try in Normal mode.
/F16GEA

#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,726 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 December 2007 - 07:48 AM

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, click the "browse" button and locate the following file:
C:\WINDOWS\System32\d3dpmesho.dll <- this file
Click "Open", then click the "Submit" button.
Do the same for:
C:\WINDOWS\System32\dmusico.dll <- this file
Please copy the results and paste them in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#6 F16GEA
  • Topic Starter

  • Members
  • 21 posts

Posted 15 December 2007 - 07:58 AM

Hey quietman7
When I try to upload those 2 files into any of those 2 links that you gave me, I get this message:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
I use ZoneAlarm but I don't think that's what's stopping me from uploading. Any suggestions?
/F16GEA
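The "0 bytes" upload failure in the post above is a mismatch between what the directory listing says about a file and what a process can actually read back from it, which is exactly the symptom of a file being held or hidden by something on the machine. As an added example (not code from any post in this thread, and not a BleepingComputer tool), the following Python script does the triage quietman7 asked for without a browser: it hashes each suspect file so the hash can be looked up at a scanning service, and it reports the listed size against the number of bytes it could read, so an "unreadable" verdict is visible before anything is uploaded. The two paths are the ones named in the thread; the verdict labels and the Triage record are my own.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

CHUNK = 1 << 16


@dataclass
class Triage:
    path: str
    stat_size: Optional[int]   # size from the directory entry; None if stat() failed
    read_size: int             # bytes actually read back from the file
    sha256: Optional[str]      # hash of the bytes read; None if nothing was readable
    error: Optional[str]       # OS error text, if any


def triage_file(path: str) -> Triage:
    """Hash a file and compare the size the directory reports with what is actually readable."""
    try:
        stat_size = os.stat(path).st_size
    except OSError as e:
        return Triage(path, None, 0, None, f"stat: {e.strerror}")
    digest = hashlib.sha256()
    read = 0
    error = None
    try:
        with open(path, "rb") as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    break
                read += len(chunk)
                digest.update(chunk)
    except OSError as e:
        # A locked or access-denied file lands here: stat succeeded, reading did not.
        error = f"open/read: {e.strerror}"
    return Triage(path, stat_size, read, digest.hexdigest() if read else None, error)


def verdict(t: Triage) -> str:
    """Classify a triage result; 'unreadable' is the 0-byte-upload symptom from the thread."""
    if t.stat_size is None:
        return "missing-or-inaccessible"
    if t.stat_size > 0 and t.read_size == 0:
        return "unreadable"
    if t.read_size != t.stat_size:
        return "short-read"
    return "ok"


def triage_all(paths: List[str]) -> Dict[str, Triage]:
    return {p: triage_file(p) for p in paths}


# The two files named in the thread.
SUSPECT_FILES = [
    r"C:\WINDOWS\System32\d3dpmesho.dll",
    r"C:\WINDOWS\System32\dmusico.dll",
]

if __name__ == "__main__":
    for path, t in triage_all(SUSPECT_FILES).items():
        print(f"{verdict(t):24} stat={t.stat_size} read={t.read_size} "
              f"sha256={t.sha256} {t.error or ''}")
```

Run it from an account that can at least list System32; an "unreadable" or "short-read" verdict with a non-zero stat size is worth reporting in the thread alongside the hash, since it tells the helper the file is being protected rather than simply absent.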

#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,726 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 December 2007 - 08:06 AM

Download submit files packer.
Extract (unzip) the file to the desktop. (Click here for information on how to do this if not sure.)
  • Highlight the file to submit, right-click and select copy.
  • Double-click on sfp.exe to start the file packer program
  • Right-click in the white box and select paste to paste the copied file names in the field.
  • Press the Continue button.
  • It will create an archive with the files and a small log on your Desktop that starts with a name "requested-file[date].cab".
  • Rename this file to yourmembername.cab (for example grinler.cab).
  • Click on this link -> Submit Malware Sample to Bleeping Computer for analysis.
  • Fill in the required fields and browse to this file on your desktop.
  • Click on the Send File button.
  • Repeat this for the other .dll file.
Please download OTMoveIt by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.

C:\WINDOWS\System32\d3dpmesho.dll
C:\WINDOWS\System32\dmusico.dll

  • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
  • Please copy/paste the contents of that log in your next reply.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process.
If asked to reboot, choose Yes.


Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.



#8 F16GEA
  • Topic Starter

  • Members
  • 21 posts

Posted 15 December 2007 - 08:48 AM

Hey again.
This is damn resistant! I copied the infected files from \system32 and when I tried to paste them into the sfp window it's like I haven't copied anything. I tried both right-clicking and also the CTRL-V, nothing works. Grrrr.
/F16GEA

#9 F16GEA
  • Topic Starter

  • Members
  • 21 posts

Posted 15 December 2007 - 08:50 AM

Same with OTMoveIt. Will try the same in safe mode and see if that helps...

#10 F16GEA
  • Topic Starter

  • Members
  • 21 posts

Posted 15 December 2007 - 08:59 AM

No difference in Safe mode. Is this starting to look hopeless?
:thumbsup:

#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,726 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 December 2007 - 01:46 PM

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#12 F16GEA
  • Topic Starter

  • Members
  • 21 posts

Posted 16 December 2007 - 08:41 AM

Wilco!
Thanks for your help.
Best regards
F16GEA

#13 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,726 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 December 2007 - 08:54 AM

I see you have not posted a log yet so let's try something else.

Download Killbox and save to your Desktop.
alternate download site 1
alternate download site 2
  • Double-click on Killbox.exe to start.
  • Select "Delete on Reboot" option and check the box "Unregister dll Before Deleting" (if available).
  • Highlight all the entries in the quote box below, right-click and copy them.

    C:\WINDOWS\System32\d3dpmesho.dll
    C:\WINDOWS\System32\dmusico.dll

  • Then in Killbox, go to the File menu, choose "Paste from Clipboard".
  • Click the "All Files" button.
  • Click the Red & White "Delete File" button (red circle with a white 'X') to delete the file(s).
  • Click "Yes" at the Delete on Reboot confirmation message prompt that will appear.
  • A second message will ask to Reboot now? You will need to click "Yes" to allow the reboot.
  • If your computer does not restart automatically then please restart it manually. If you get an error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
  • Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files.
  • After rebooting, open up Killbox again, click File -> Logs -> Actions History Log or go to Start > Run and type:
    notepad %systemdrive%\!Killbox\Logs\kb.log
  • Copy and paste the contents of kb.log and post it in your next reply.
If that does not work, repeat the above but this time select "Replace on Reboot" and Use Dummy, then follow the rest of the instructions.
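Killbox's "Delete on Reboot" and "Replace on Reboot" options, and the "PendingFileRenameOperations Registry Data has been Removed by External Process!" error mentioned in the post above, all refer to one Windows mechanism: a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Session Manager processes early at boot as (source, destination) string pairs, an empty destination meaning "delete the source", a leading "!" on the destination meaning "overwrite if it exists", and paths carried in NT form with a \??\ prefix. The following Python is an added example, not Killbox code or anything posted in this thread: it parses and rebuilds that list and flags queued operations under System32, so a responder can check what is actually scheduled before rebooting, and can see if the value has been emptied or had entries added by something else on the machine. The sample lists are constructed to match that documented layout (what Killbox writes exactly is not shown in the thread); read_live() uses the standard winreg module and only does anything on Windows.

```python
import sys
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"

Op = Tuple[str, Optional[str]]   # (source, destination); destination None == delete


def _normalize(p: str) -> str:
    """Drop the '!' overwrite marker and the \\??\\ NT prefix for display and comparison."""
    if p.startswith("!"):
        p = p[1:]
    if p.startswith(NT_PREFIX):
        p = p[len(NT_PREFIX):]
    return p


def parse_pending_renames(values: List[str]) -> List[Op]:
    """Turn the REG_MULTI_SZ string list into (source, destination) pairs.
    If the API dropped a trailing empty string the list has odd length; the
    last entry is then a delete with no destination."""
    vals = list(values)
    if len(vals) % 2:
        vals.append("")
    return [(_normalize(src), _normalize(dst) or None)
            for src, dst in zip(vals[0::2], vals[1::2])]


def build_pending_renames(ops: List[Op]) -> List[str]:
    """Inverse of parse_pending_renames, emitting the documented layout."""
    out: List[str] = []
    for src, dst in ops:
        out.append(NT_PREFIX + src)
        out.append(NT_PREFIX + dst if dst else "")
    return out


def audit(ops: List[Op], watch_dirs=(r"c:\windows\system32",)) -> List[str]:
    """List operations that touch a watched directory: deletes of files in it,
    or renames that overwrite (or plant) a file inside it."""
    findings = []
    for src, dst in ops:
        target = (dst or src).lower()
        if any(target.startswith(d) for d in watch_dirs):
            kind = "delete" if dst is None else "replace"
            findings.append(f"{kind}: {src}" + (f" -> {dst}" if dst else ""))
    return findings


def read_live() -> Optional[List[str]]:
    """Read the value from the registry. Returns None off Windows, [] when not set."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        return list(value)
    except FileNotFoundError:
        return []
    finally:
        key.Close()


# Constructed samples: what a delete-on-reboot of the thread's two files, and a
# replace-with-dummy of one of them, look like in the documented layout.
SAMPLE_DELETE = [
    r"\??\C:\WINDOWS\System32\d3dpmesho.dll", "",
    r"\??\C:\WINDOWS\System32\dmusico.dll", "",
]
SAMPLE_REPLACE = [
    r"\??\C:\Temp\kbdummy.0", r"!\??\C:\WINDOWS\System32\dmusico.dll",
]

if __name__ == "__main__":
    live = read_live()
    for finding in audit(parse_pending_renames(live if live else SAMPLE_DELETE)):
        print(finding)
```

Checking the value right after clicking "Delete File" and before rebooting is the cheap way to confirm the request was actually queued; an empty or missing value at that point is the situation the "Removed by External Process" message describes.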

#14 F16GEA
  • Topic Starter

  • Members
  • 21 posts

Posted 16 December 2007 - 11:58 AM

Hey again quietman7
We won a small battle, as Killbox managed to delete d3dpmesho.dll and d3dpmesho.dll.bak which I assume is connected to the dll file and therefore included it in the erasing list. Anyway, here's the log:

Pocket Killbox version 2.0.0.588
Running on Windows XP as Stephen(Administrator)
was started @ søndag, december 16, 2007, 5:37 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\d3dpmesho.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\dmusico.dll


I Rebooted @ 5:39:52 PM
Killbox Closed(Exit) @ 5:39:53 PM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as Stephen(Administrator)
was started @ søndag, december 16, 2007, 5:44 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\d3dpmesho.dll.bak


# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\dmusico.dll


I Rebooted @ 5:45:18 PM
Killbox Closed(Exit) @ 5:45:20 PM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as Stephen(Administrator)
was started @ søndag, december 16, 2007, 5:48 PM

# 1 [Replace on Delete]
Path = C:\WINDOWS\System32\dmusico.dll
*Replaced with C:\Documents and Settings\Stephen\Lokale indstillinger\Temp\kbdummy.0

I Rebooted @ 5:49:50 PM
Killbox Closed(Exit) @ 5:49:51 PM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as Stephen(Administrator)
was started @ søndag, december 16, 2007, 5:52 PM


Looking forward to hearing what the next step is.
/F16GEA
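The kb.log pasted above already contains the answer to "what's next": dmusico.dll is queued in every session, so the delete never took effect, while d3dpmesho.dll appears once and is gone. As an added example (not code from any post in this thread, and not part of Killbox), the following Python parses that log format into sessions and actions and reports which paths were scheduled more than once, which is the signal a helper reads by eye. The embedded log is copied from the post above; the field names and the "survivor" rule are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class KillboxAction:
    number: int
    mode: str                       # e.g. "Delete on Reboot", "Replace on Delete"
    path: str
    replaced_with: Optional[str] = None


@dataclass
class KillboxSession:
    version: str = ""
    user: str = ""
    started: str = ""
    actions: List[KillboxAction] = field(default_factory=list)
    rebooted: Optional[str] = None
    closed: Optional[str] = None


_ACTION = re.compile(r"^#\s*(\d+)\s*\[(.+?)\]\s*$")
_SESSION_SEP = re.compile(r"^_{5,}[ \t]*$", re.M)


def parse_kb_log(text: str) -> List[KillboxSession]:
    """Split the log on the underscore rule between sessions and read each session's lines."""
    sessions: List[KillboxSession] = []
    for block in _SESSION_SEP.split(text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        s = KillboxSession()
        for ln in lines:
            m = _ACTION.match(ln)
            if ln.startswith("Pocket Killbox version"):
                s.version = ln.split("version", 1)[1].strip()
            elif ln.startswith("Running on"):
                s.user = ln.split(" as ", 1)[1].strip()
            elif ln.startswith("was started @"):
                s.started = ln.split("@", 1)[1].strip()
            elif m:
                s.actions.append(KillboxAction(int(m.group(1)), m.group(2), ""))
            elif ln.startswith("Path =") and s.actions:
                s.actions[-1].path = ln.split("=", 1)[1].strip()
            elif ln.startswith("*Replaced with") and s.actions:
                s.actions[-1].replaced_with = ln.split("with", 1)[1].strip()
            elif ln.startswith("I Rebooted @"):
                s.rebooted = ln.split("@", 1)[1].strip()
            elif ln.startswith("Killbox Closed"):
                s.closed = ln.split("@", 1)[1].strip()
        sessions.append(s)
    return sessions


def scheduled_counts(sessions: List[KillboxSession]) -> Counter:
    """How many sessions queued each path (case-folded, since NTFS paths are case-insensitive)."""
    return Counter(a.path.lower() for s in sessions for a in s.actions)


def survivors(sessions: List[KillboxSession], threshold: int = 2) -> List[str]:
    """Paths queued in `threshold` or more sessions: the earlier delete did not stick."""
    return sorted(p for p, n in scheduled_counts(sessions).items() if n >= threshold)


# The log as posted in the thread (the last session was still open when it was copied).
KB_LOG = r"""Pocket Killbox version 2.0.0.588
Running on Windows XP as Stephen(Administrator)
was started @ søndag, december 16, 2007, 5:37 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\d3dpmesho.dll

# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\dmusico.dll

I Rebooted @ 5:39:52 PM
Killbox Closed(Exit) @ 5:39:53 PM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as Stephen(Administrator)
was started @ søndag, december 16, 2007, 5:44 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\d3dpmesho.dll.bak

# 2 [Delete on Reboot]
Path = C:\WINDOWS\System32\dmusico.dll

I Rebooted @ 5:45:18 PM
Killbox Closed(Exit) @ 5:45:20 PM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as Stephen(Administrator)
was started @ søndag, december 16, 2007, 5:48 PM

# 1 [Replace on Delete]
Path = C:\WINDOWS\System32\dmusico.dll
*Replaced with C:\Documents and Settings\Stephen\Lokale indstillinger\Temp\kbdummy.0

I Rebooted @ 5:49:50 PM
Killbox Closed(Exit) @ 5:49:51 PM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as Stephen(Administrator)
was started @ søndag, december 16, 2007, 5:52 PM
"""

if __name__ == "__main__":
    parsed = parse_kb_log(KB_LOG)
    for i, s in enumerate(parsed, 1):
        print(f"session {i}: started {s.started}, {len(s.actions)} action(s), rebooted={s.rebooted}")
    print("still being re-queued:", survivors(parsed))
```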

#15 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,726 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 December 2007 - 12:07 PM

Connect to the Internet and double-click on OTMoveIt.exe to launch the program again.
  • Click on the CleanUp! button.
  • When you do this a text file named cleanup.txt will be downloaded from the Internet.
  • If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the Internet you should allow it to do so.
  • After the text file has been downloaded, you will be asked if you want to Begin cleanup process?
  • Select Yes.
  • Doing this will remove the specialized tools I had you download/run. All other programs should be kept on your machine and updated/run on a regular basis.
Then scan again with AVG and see if it finds anything.



