Major Problem!



#1 Angie (the Canadian)

Angie (the Canadian)

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:17 AM

Posted 28 February 2008 - 07:52 AM

Not sure what is on my computer but know something keeps putting it right back on when I get it off!

2 different Antivirus programs (One from my main HDD and one from my Alternate HDD) found a total of 3 Trojans and 1 trojan Downloader. But nothing can find this other name I keep running into that I feel is the culprit behind the Trojans coming back. I can't find anything on the net on it either. Something called BMabe0b444. Has anyone heard of it??

It keeps writing registry files and placing ini files in my System32 dir and when I get rid of them something puts them right back and if I remove registry keys from my registry it puts them right back unless I do it in Safe mode. And then as soon as I load up normal they are right back there! No matter how many times antivirus says they got rid of them! Even running from my alternate HDD or from Safe mode!

I don't know what else to do short of reinstalling Windows and losing everything :flowers:

I ran HiJack This and this is what I found:

O4 - HKLM\..\Run: [BMabe0b444] Rundll32.exe "C:\WINDOWS\system32\oxionukq.dll",s


which is this in the registry:

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

BMabe0b444 = Rundll32.exe "C:\WINDOWS\system32\oxionukq.dll",s


and keeps going back in. Then I was able to get rid of it but then another one (seems to be random letters for names) goes in but is another dll again to start on start up :thumbsup:

I had huge suspicion of these files:
I listed the 5 dll's in question to be the following:


* pfrhutxl.dll
* nxagndrj.dll
* oxionukq.dll
* ljlheed.dll
* pmnon.dll

Which most of them proved to be bad files when eventually one or the other antivirus pegged them as associated with trojans or trojans themselves.

As you can see here:

Infection:
c:\windows\system32\pmnon.dll
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_USERS\S-1-5-21-1292428093-706699826-1343024091-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_USERS\S-1-5-21-1292428093-706699826-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_USERS\S-1-5-21-1292428093-706699826-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
Browser Cache
Registry:
HKEY_CLASSES_ROOT\CLSID\{9465DBA5-F1F3-49D1-AFD2-25FA65A2106E}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9465DBA5-F1F3-49D1-AFD2-25FA65A2106E}


Then my friend gave me a copy of Nod32 and it found this:

File ********\Local Settings\Temp\removalfile.bat is infected with application Win32/Adware.Virtumonde. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.


Then AVG (that is the one on the other HDD) found these 2 Trojans:

Trojan Horse Downloader.Zlob.SE

Trojan horse Generic9.BEWX

and got rid of some of the earlier files I had suspected:
[screenshot of the AVG results, image not available]

and Norton Antivirus when I ran it again from Safe Mode on my main HDD:
[screenshot of the Norton results, image not available]

I have been going through this for 4 days now .. I am exhausted .. so I thought I would ask anyone here if they have any suggestions ..
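The two lines quoted in the post (the HijackThis O4 entry and the autorun dump) show the persistence pattern being fought: a Run value with a meaningless name that launches Rundll32.exe against a system32 DLL with a random-looking name and a one-letter export. The following script is an added example, not code from this thread or from BleepingComputer; it parses lines in those two formats and scores each Run entry with a few simple heuristics so the reader can see how such entries can be picked out of an autorun listing. The sample input is constructed: it repeats the two lines from the post and adds three benign-looking entries (NvCplDaemon, SoundMan, ctfmon.exe) for contrast. The heuristics themselves are assumptions for this example, not signatures from any vendor.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the HijackThis O4 line and the autorun dump line
# quoted in the post, plus three benign-looking entries added for contrast.
SAMPLE_LINES = [
    'O4 - HKLM\\..\\Run: [BMabe0b444] Rundll32.exe "C:\\WINDOWS\\system32\\oxionukq.dll",s',
    'O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup',
    'O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE',
    'BMabe0b444 = Rundll32.exe "C:\\WINDOWS\\system32\\oxionukq.dll",s',
    'ctfmon.exe = C:\\WINDOWS\\system32\\ctfmon.exe',
]

# "O4 - <hive>: [<value name>] <command>" as printed by HijackThis
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# "<value name> = <command>" as printed in the autorun dump
KV_RE = re.compile(r'^(?P<name>[^=]+?) = (?P<cmd>.+)$')
# rundll32 <dll>,<export> in either quoted or unquoted form
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S*)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    name: str
    dll: str
    score: int
    reasons: list = field(default_factory=list)


def parse_entry(line):
    """Return (value_name, command) from an O4 line or a 'name = command' line, else None."""
    m = O4_RE.match(line) or KV_RE.match(line)
    return (m.group('name'), m.group('cmd')) if m else None


def looks_random(base):
    """Crude heuristic (assumption for this example): a lowercase-only name of
    six or more letters with a run of three consonants or a 'q' not followed by 'u'."""
    if not base.isalpha() or not base.islower() or len(base) < 6:
        return False
    has_consonant_run = re.search(r'[bcdfghjklmnpqrstvwxz]{3,}', base) is not None
    has_odd_q = re.search(r'q(?!u)', base) is not None
    return has_consonant_run or has_odd_q


def score_entry(name, cmd):
    """Score one Run entry; a score of 0 means nothing notable was seen."""
    reasons = []
    score = 0
    m = RUNDLL_RE.search(cmd)
    dll = m.group('dll') if m else ''
    if m:
        export = m.group('export')
        if len(export) <= 1:
            # Legitimate rundll32 entries normally name a real export (e.g. NvStartup);
            # an empty or one-letter export is the pattern quoted in the post.
            score += 2
            reasons.append('rundll32 with trivial export name %r' % export)
        base = dll.replace('\\', '/').rsplit('/', 1)[-1][:-len('.dll')]
        if looks_random(base):
            score += 1
            reasons.append('DLL base name %r looks random' % base)
    if re.search(r'[A-Za-z]', name) and len(re.findall(r'\d', name)) >= 3:
        # Value names such as BMabe0b444 mix letters with a block of digits.
        score += 1
        reasons.append('value name %r mixes letters with several digits' % name)
    return Finding(name, dll, score, reasons)


def find_suspicious(lines, threshold=2):
    """Parse each line and keep the entries whose score reaches the threshold."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        finding = score_entry(*parsed)
        if finding.score >= threshold:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in find_suspicious(SAMPLE_LINES):
        print(f.name, f.dll, f.score, '; '.join(f.reasons))
```

On the constructed sample only the two BMabe0b444 lines reach the threshold; the NvCplDaemon entry also uses rundll32 but names a real export and a recognisable DLL, so it scores 0. Name-based heuristics like these are only a triage aid: a flagged DLL should be confirmed by checking its hash and publisher, and the same DLL should be looked for under the Browser Helper Objects and CLSID keys the scan output above lists, since a second load path is what puts the Run value back after it is deleted.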


#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,090 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:12:17 PM

Posted 28 February 2008 - 07:55 AM

Moved to a more appropriate forum.

Are you running both antiviruses at the same time? If so, please stop one of them - they will conflict and this opens up holes that the viruses can sneak through.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.



