
Bho.cvx And Packed.morphine.d (avg Antivirus, Win Xp And Ie)



#1 AGBrown

Posted 20 February 2008 - 08:03 AM

I've been tasked with cleaning a friend's computer; situation:
Windows XP SP2
AVG antivirus - daily scan
Sunbelt personal firewall

AVG has been showing up the presence of BHO.CVX and packed.morphine.d since 22 Dec 2007.
It has successfully cleaned some files in C:\Windows\System32, but there are three that are rather more persistent, namely:
  • cnbjmonr.dll
  • cnbjmonr.dll.bak
  • cryptdlgr.dll
From what I can gather about this infection, the filenames are pretty much unique to each instance. AVG is unable to clean these remaining files, saying that it will delete/move them to the vault after a restart, but doesn't.

Internet Explorer (IE7) has two add-ins installed with GUIDs as their names. They correspond to entries in the registry under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

The add-ons were disabled through IE7's options panel yesterday; since then Sunbelt Personal Firewall refuses to start, with the trojan add-ons enabled or disabled, citing:
"Could not start DB server: bind() failed: (10050) A socket operation encountered a dead network.."

Similarly, any commands such as ipconfig or tracert fail; the network seems to be unresponsive, and Windows Task Manager says no active network adapters can be found when looking at throughput under the Networking tab.

There are also errors in the event log such as:
Event ID 7000
The TCP/IP Protocol Driver Service failed to start due to the following error: The specified driver is invalid.

Event ID 7001
The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver server which failed to start because of the following error:
The specified driver is invalid.

Event ID 4311
source: NetBT
Initialization failed because the driver device could not be created.

There are many more as well, most are new since yesterday when the add-ons were first disabled.

Given that the files cnbjmon.dll and cryptdlg.dll (note absence of the final "r" in the filename) also exist and are clean, I'm guessing the virus/trojan is hiding itself using existing filenames. Interestingly the files that could be cleaned by AVG didn't have genuine filenames similar to them in system32.

So: can anyone help start to unravel this problem? My first steps are to back up the files and post an HJT log in the HJT forum, but if anyone already has a foolproof method to get rid of this then I'm keen to hear it. I've read a few things and they all seem pretty instance-specific.

Thanks for your help.

Andy
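The filename-shadowing pattern Andy describes (cnbjmonr.dll sitting beside the genuine cnbjmon.dll, with the BHO entries pointing at the longer names) can be checked mechanically. The script below is an added example, not part of the thread or of any tool mentioned in it; it runs over a constructed system32 listing and constructed BHO entries (placeholder CLSIDs, hypothetical paths) instead of reading the live registry, and flags any BHO DLL whose name is a legitimate file's name with one extra character inserted.

```python
import ntpath

# Constructed sample of a system32 listing, modelled on the thread: the genuine
# cnbjmon.dll / cryptdlg.dll sit beside one-letter-longer copies and a .bak twin.
SYSTEM32_LISTING = [
    "cnbjmon.dll", "cnbjmonr.dll", "cnbjmonr.dll.bak",
    "cryptdlg.dll", "cryptdlgr.dll", "kernel32.dll", "ntdll.dll",
]

# Constructed BHO entries (placeholder CLSIDs) -> InprocServer32 DLL path, as they
# would be resolved from the Browser Helper Objects key via HKCR\CLSID.
BHO_ENTRIES = {
    "{CONSTRUCTED-CLSID-1}": r"C:\WINDOWS\system32\cnbjmonr.dll",
    "{CONSTRUCTED-CLSID-2}": r"C:\WINDOWS\system32\cryptdlgr.dll",
    "{CONSTRUCTED-CLSID-3}": r"C:\Program Files\Vendor\legit_bho.dll",
}

def split_name(filename):
    """Lower-case, drop a trailing .bak, and split into (stem, extension)."""
    name = filename.lower()
    if name.endswith(".bak"):
        name = name[:-4]
    stem, _, ext = name.rpartition(".")
    return stem, ext

def lookalike_of(filename, listing):
    """Return the genuine file this name shadows, or None: same extension, and the
    stem is another file's stem with exactly one extra character inserted."""
    stem, ext = split_name(filename)
    for other in listing:
        ostem, oext = split_name(other)
        if oext != ext or len(ostem) + 1 != len(stem):
            continue
        if any(stem[:i] + stem[i + 1:] == ostem for i in range(len(stem))):
            return other
    return None

def suspicious_bhos(bho_entries, listing):
    """Return (clsid, path, shadowed_file) for each BHO whose DLL shadows a file."""
    findings = []
    for clsid, path in bho_entries.items():
        shadowed = lookalike_of(ntpath.basename(path), listing)
        if shadowed:
            findings.append((clsid, path, shadowed))
    return findings

if __name__ == "__main__":
    for clsid, path, shadowed in suspicious_bhos(BHO_ENTRIES, SYSTEM32_LISTING):
        print(f"{clsid}: {path} shadows {shadowed}")
```

On a live machine the listing would come from the real system32 directory and the DLL paths from each CLSID's InprocServer32 value; a hit is a lead to verify against the file's signature and a known-clean copy, not proof on its own.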

#2 Orange Blossom

Posted 23 February 2008 - 12:42 AM

Hello AGBrown and welcome to BC :flowers:

Thanks for the clear descriptions. I don't see an AntiSpyware program. At this point, I'm going to suggest doing a scan with SUPERAntiSpyware in Safe Mode. You will, of course, install it in Normal Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/WordPad).
  • Please highlight everything in the notepad, then right-click and choose Copy.
Click Close and Close again to exit the program.

Orange Blossom :thumbsup: