Bho.cvx - Another Victim - Help Please


This topic is locked
17 replies to this topic

#1 94010

94010

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 15 December 2007 - 01:47 AM

I have a similar problem to other posters over the past 2 days (F16GEA and nehal).

Starting a few days ago I got something called ttq that was a search hijacker. I got rid of that with the usual combination of AVG and AdAware. There were also 2 BHO's showing up in HJT that would not leave.

Since then, AVG was putting up repeated threat messages for BHO.CVX.

I ran a full AVG scan in safe mode, based on the guidance to Nehal. It was much slower than usual (maybe 5x as long). Since running that scan the computer cannot access the internet. It sees my other computers on my network, but no WAN. Also, it takes much longer to boot, and doesn't load any of the normal tray apps. I tried reinstalling windows networking but got no change. So I cannot directly download anything to the computer now.

I need help to get the internet connection working again.

Once I have that, I need help getting rid of the Trojan. The 2 dll's affected on my computer are

comsnapb.dll
dfshimb.dll

(I can see these in HJT).

I have XP with SP2. It is up to date with MS downloads as of last night.

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,136 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:12 AM

Posted 15 December 2007 - 07:52 AM

Hello 94010

I'm helping someone else with the same issue but I am trying to gather some information on these files.

Please go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, click the "browse" button and locate the following file:
C:\WINDOWS\System32\comsnapb.dll <- this file
Click "Open", then click the "Submit" button.
Do the same for:
C:\WINDOWS\System32\dfshimb.dll <- this file
Please copy the results and paste them in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 quietman7


Posted 15 December 2007 - 02:32 PM

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#4 94010


Posted 15 December 2007 - 03:10 PM

Quietman - thanks for the reply and for investing your time.

I have the same issue as F16GEA. I cannot copy the 2 dll's to either of the online scanners and SFP does not (yet) seem to get it to happen either. One of them is running after bootup (dfshimb) so it will not copy. The other (comsnapb) I can copy from one computer to another, but it will not submit to the online scan.

The infected machine will not go on the internet so I have to do all of this from one of the other machines in my house using the network. Oddly, the affected machine can see one of my other 2 computers but not the other.

I'll go the HJT route and keep checking here for other suggestions.

#5 quietman7


Posted 15 December 2007 - 11:28 PM

I see you have not posted a log yet so lets try something else.

Download Killbox and save to your Desktop.
alternate download site 1
alternate download site 2
  • Double-click on Killbox.exe to start.
  • Select "Delete on Reboot" option and check the box "Unregister dll Before Deleting" (if available).
  • Highlight all the entries in the quote box below, right-click and copy them.

    C:\WINDOWS\System32\comsnapb.dll
    C:\WINDOWS\System32\dfshimb.dll

  • Then in Killbox, go to the File menu, choose "Paste from Clipboard".
  • Click the "All Files" button.
  • Click the Red & White "Delete File" button (red circle with a white 'X') to delete the file(s).
  • Click "Yes" at the Delete on Reboot confirmation message prompt that will appear.
  • A second message will ask to Reboot now? You will need to click "Yes" to allow the reboot.
  • If your computer does not restart automatically then please restart it manually. If you get an error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
  • Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files.
  • After rebooting, open up Killbox again, click File -> Logs -> Actions History Log or go to Start > Run and type:
    notepad %systemdrive%\!Killbox\Logs\kb.log
  • Copy and paste the contents of kb.log and post it in your next reply.
If that does not work, repeat the above but this time select "Replace on Reboot" and Use Dummy, then follow the rest of the instructions.

#6 94010


Posted 15 December 2007 - 11:54 PM

Thanks, but I am still working through the prep guide for HJT. Bit defender was a 3 hour scan. Now I am running stinger.

I think with hindsight it would have been much better not to run AVG in safe mode. Since doing that the computer cannot access the internet and I have to do everything through another computer, then transfer files across my home network.

Bit defender found a half dozen things but they were all in older files, so I am not so sure they had anything to do with this round of problems. I really wish I had not run the AVG scan in safe mode because now I cannot get to the internet on that machine (it is my primary computer).

I'll go through the HJT process, and then try Killbox.

#7 quietman7


Posted 16 December 2007 - 12:00 AM

You can complete the instructions in the Prep Guide but when you post a hijackthis log we will have to close this thread to avoid confusion.

Most Internet connectivity problems arise out of corrupt Winsock settings due to the installation of networking software or malware infestation. Check with your ISP first and if they insist that your connection is coming through, the problem must be at your end.

If you're using Windows XP SP2, log on as an administrator.
Go to Start > Run and type: cmd
Press OK or Hit Enter. A dos Window will appear.
At the command prompt, type or copy/paste: netsh winsock reset
Hit Enter.
When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset."
Close the command box and reboot your computer.

Go to Start > Run > type: cmd
Press OK or Hit Enter.
At the command prompt, type or copy/paste: ipconfig /flushdns
Hit Enter.
Close the command box.

Configure TCP/IP to use DNS. Go to Start > Control Panel, and choose Network Connections.
Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties.
Double-click on the Internet Protocol (TCP/IP) item.
Select the radio button that says "Obtain DNS servers automatically".
Click OK twice to get out of the properties screen and restart your computer.

CAUTION: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you make these changes or you may lose your internet connection. If you are sure you do not need a specific DNS address, you may proceed.

If you continue to have connectivity problems, download and run WinSockFix.
Be sure to print out and follow the instructions provided in the Winsock Repair Tutorial.

#8 94010


Posted 16 December 2007 - 08:11 AM

Thanks for the winsock reset strategy. I am running another round of bitdefender right now (5 am) but will do this next. I copied the updated bitdefender libraries onto the affected computer from another box with internet connectivity, so now I can run the latest library to make sure I am getting full benefit.

I have 4 other computers in my house and all of them get to the internet without any problem, through the same router. This tells me the problem is in the affected computer. It does have working networking because I can use my home network to move files. It just has no internet/WAN access. When I run "repair" in network connections, it says it can't get the tcp/ip data and to contact my network admin. (thanks windows).

#9 94010


Posted 16 December 2007 - 12:27 PM

I tried the winsock reset using cmd. I got an error message on ipconfig /flushdns:

Windows IP Configuration
An internal error occurred: The request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.

#10 94010


Posted 16 December 2007 - 12:40 PM

winsockfix was a dead end. The downloading file at SnapFiles is only 5.7k. It is not the .exe so it will not run. According to the summary of winsockfix, the file should be 1412k. Is there another freeware product like that?

#11 quietman7


Posted 16 December 2007 - 12:45 PM

Alternate download links:
http://www.majorgeeks.com/WinSock_XP_Fix_d4372.html
http://www.spychecker.com/program/winsockxpfix.html
http://www.softpedia.com/get/Tweak/Network...inSockFix.shtml

#12 94010


Posted 16 December 2007 - 01:15 PM

Thanks. I got it now.

It won't back up the registry. It gives an error message. Should I run the fix without backing up the registry?

#13 quietman7


Posted 16 December 2007 - 01:23 PM

Always back up your registry before making any changes. There are several ways listed in that link.

#14 94010


Posted 16 December 2007 - 02:11 PM

Backed up the registry.

Winsockfix didn't work. Tried it 3 times. Program gives its messages and beeps. But no change in status. I can see and move files with other computers on my network. But no WAN access.

Network connection shows no IP address, subnet or gateway. Repair gives a "failed to query TCP/IP settings of the connection".

Any other ideas?

#15 94010


Posted 16 December 2007 - 02:24 PM

I ran Killbox. Here is the log:


Pocket Killbox version 2.0.0.648
Running on Windows XP as Compaq_Owner(Administrator)
was started @ Wednesday, December 12, 2007, 8:11 PM

Killbox Closed(Exit) @ 8:11:29 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Compaq_Owner(Administrator)
was started @ Sunday, December 16, 2007, 11:12 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\comsnapb.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\dfshimb.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 11:16:45 AM
Killbox Closed(Exit) @ 11:17:16 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Compaq_Owner(Administrator)
was started @ Sunday, December 16, 2007, 11:22 AM



