Problem With Removing Troj/dwnldr-hei


This topic is locked. 4 replies to this topic.

#1 Jussu_Undur

Posted 04 September 2008 - 07:44 AM

Hi all,

I was infected by Troj/DwnLdr-HEI (also Antivirus XP 2008 showed up ...) and used ComboFix to remove this.
Problem is that ComboFix doesn't seem to be able to delete the file "winnt64.dll".

This is my combofix log:

ComboFix 08-09-03.03 - Pieter Huyge 2008-09-04 13:14:44.17 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Pieter Huyge\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\Pieter Huyge\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\Pieter Huyge\Application Data\rhcjw2j0ej6j
C:\Program Files\rhcjw2j0ej6j
C:\WINDOWS\system32\blphcnw2j0ej6j.scr
C:\WINDOWS\system32\config\systemprofile\Application Data\rhcjw2j0ej6j
C:\WINDOWS\system32\drivers\Djo27.sys
C:\WINDOWS\system32\pphcnw2j0ej6j.exe
C:\WINDOWS\system32\WinNt64.dll
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\Yfk84.sys
C:\WINDOWS\system32\lphcnw2j0ej6j.exe
C:\WINDOWS\system32\phcnw2j0ej6j.bmp
C:\WINDOWS\system32\WinNt64.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TCPSR
-------\Legacy_YFK84
-------\Service_tcpsr
-------\Service_Yfk84
-------\Legacy_DJO27
-------\Legacy_TCPSR
-------\Service_Djo27


((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.

2008-09-04 13:19 . 2008-09-04 13:19 13,312 --------- C:\WINDOWS\system32\WinNt64.dll
2008-09-04 13:09 . 2008-09-04 13:09 21,504 --a------ C:\WINDOWS\system32\ybkvbyu32.dll
2008-09-04 13:01 . 2008-09-04 13:01 <DIR> dr-h----- C:\MSOCache
2008-09-04 13:00 . 2008-09-04 13:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-09-04 12:42 . 2008-09-04 12:42 <DIR> d-------- C:\WINDOWS\LastGood
2008-09-04 12:11 . 2008-09-04 12:11 21,504 --a------ C:\WINDOWS\system32\ybkvbyu.dll
2008-09-04 09:21 . 2008-09-04 09:21 850 --a------ C:\WINDOWS\system32\ProductTweaks.xml
2008-09-04 09:21 . 2008-09-04 09:21 385 --a------ C:\WINDOWS\system32\user_gensett.xml
2008-09-04 09:18 . 2008-09-04 09:18 <DIR> d-------- C:\WINDOWS\system32\logs
2008-09-04 09:16 . 2008-09-04 12:02 <DIR> d-------- C:\Program Files\BitDefender
2008-08-28 17:17 . 2008-08-28 17:17 401,720 --a------ C:\Temp\HiJackThis.exe
2008-08-20 10:54 . 2008-08-20 10:55 1,115,648 --a------ C:\WINDOWS\system32\sysdist.exe
2008-08-20 10:53 . 2008-08-20 10:53 1,821,192 --a------ C:\WINDOWS\system32\vcdist.exe
2008-08-20 10:53 . 2008-08-20 10:53 390,949 --a------ C:\WINDOWS\system32\winpcap.exe
2008-08-20 10:51 . 2008-08-20 10:51 815,753 --a------ C:\WINDOWS\system32\nmap-service-probes
2008-08-20 10:51 . 2008-08-20 10:51 110,811 --a------ C:\WINDOWS\system32\nmap-services
2008-08-20 10:50 . 2008-08-20 10:50 998,912 --a------ C:\WINDOWS\system32\libeay32.dll
2008-08-20 10:50 . 2008-08-20 10:50 188,928 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-08-20 10:50 . 2008-08-20 10:50 17,922 --a------ C:\WINDOWS\system32\nmap-rpc
2008-08-20 10:48 . 2008-08-20 10:49 188 --a------ C:\WINDOWS\system32\up_speed.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 14:02 --------- d-----w C:\Program Files\a-squared Free
2008-08-29 13:19 --------- d-----w C:\Program Files\Belkin
2008-08-29 09:00 --------- d-----w C:\Documents and Settings\Pieter Huyge\Application Data\.ABC
2008-08-25 12:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
1999-05-24 07:17 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 10:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 10:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 10:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 10:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 10:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

------- Sigcheck -------

2006-01-13 19:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-04 14:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 04:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 13:51 359808 021415ad071ef3944c27dc9597ed2214 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 19:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-06-20 12:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 12:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-25 94208]
"GBMPro7Agent"="C:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe" [2006-07-04 204800]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2005-09-25 155648]
"GBMPro7Agent"="C:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe" [2006-07-04 204800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-15 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Snelle start.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinNt64]
2008-09-04 13:19 13312 C:\WINDOWS\system32\WinNt64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ybkvbyu]
2008-09-04 13:09 21504 C:\WINDOWS\system32\ybkvbyu32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Agl62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sxd84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=

R0 Sxd84;Sxd84;C:\WINDOWS\system32\Drivers\Sxd84.sys [2008-06-11 28416]
S1 necsopp;Kernel TCP Filtering protocol;C:\WINDOWS\system32\necsopp.sys [2007-12-05 8192]
S2 ISPMonitorSrv;ISP Monitor;C:\Program Files\ISP Monitor\ISPMonitorSrv.exe [ ]
S3 bdfm;BDFM;C:\WINDOWS\system32\drivers\bdfm.sys [ ]
S3 restore;restore;C:\WINDOWS\system32\drivers\restore.sys [ ]
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys [2008-05-15 60160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcnw2j0ej6j - C:\WINDOWS\system32\lphcnw2j0ej6j.exe
HKLM-Run-SMrhcjw2j0ej6j - C:\Program Files\rhcjw2j0ej6j\rhcjw2j0ej6j.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
O8 -: E&xporteren naar Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 13:20:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WinNt64.dll
-> C:\WINDOWS\system32\ybkvbyu32.dll
.
Completion time: 2008-09-04 13:30:00 - machine was rebooted [Pieter Huyge]
ComboFix-quarantined-files.txt 2008-09-04 11:29:04

Pre-Run: 70,619,791,360 bytes free
Post-Run: 70,604,746,752 bytes free

173 --- E O F --- 2008-09-04 11:01:32


Can somebody help me?
Big thanks in advance!!

#2 Thunder

Posted 05 September 2008 - 07:47 AM

Hello Pieter,

You didn't install the Recovery Console prior to running ComboFix.
That's taking a risk!!
Please follow this tutorial to do so now:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Then, let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
C:\WINDOWS\system32\ybkvbyu32.dll
C:\WINDOWS\system32\Drivers\Sxd84.sys
File::
C:\WINDOWS\system32\WinNt64.dll
C:\WINDOWS\system32\ybkvbyu.dll
Driver::
Sxd84
bdfm
restore
Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinNt64]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ybkvbyu]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Agl62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sxd84.sys]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box, --do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
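The log in the first post and the CFScript in this reply together show why the file would not go away: WinNt64.dll and ybkvbyu32.dll are registered as Winlogon Notify packages (the "Reg Loading Points" section), so winlogon.exe maps them at logon (the "DLLs Loaded Under Running Processes" section), and a DLL held by winlogon.exe cannot be deleted from a running system; the SafeBoot\Minimal entries additionally let the Sxd84 and Agl62 drivers load in Safe Mode, and the Security Center and firewall values show the notifications and firewall were switched off. The script therefore deletes the Notify and SafeBoot keys (the `[-key]` form of REGEDIT4 syntax), unloads the driver, and lets ComboFix remove the files after the reboot. The following Python script is an added example and is not part of this thread or of ComboFix: it triages a ComboFix log for exactly those indicators, explains each "failed to delete" line, and drafts the matching `File::`/`Driver::`/`Registry::` directives. The sample log is an excerpt constructed from lines of the first post, and the three-letters-plus-two-digits driver-name heuristic is an assumption drawn from the names in this log (Sxd84, Djo27, Yfk84, Agl62), not a general rule.

```python
"""Added example (not ComboFix's own code): triage a ComboFix log for the persistence
seen in this thread and draft the matching CFScript.  Sample log: constructed excerpt."""
import re
from dataclasses import dataclass, field

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"

REG_KEY = re.compile(r"^\[-?((?:HKEY_|HKLM)[^\]]+)\]$", re.I)               # [key] section header
NOTIFY_DLL = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ (.+\.dll)$", re.I)  # "date time size path"
DRIVER_LINE = re.compile(r"^[RS]\d ([^;]+);[^;]*;.+?\.sys", re.I)            # "R0 name;display;path"
MODULE_LINE = re.compile(r"^-> (.+)$")                                      # DLL under a PROCESS: entry
FAILED_LINE = re.compile(r"^(.+?)(?:\s+\.)+\s+failed to delete$", re.I)
RANDOM_NAME = re.compile(r"^[A-Za-z]{3}\d{2}$")  # assumption: pattern of Sxd84, Djo27, Yfk84, Agl62

# Constructed excerpt of the log in the first post (not the full log).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\WinNt64.dll . . . . failed to delete
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinNt64]
2008-09-04 13:19 13312 C:\WINDOWS\system32\WinNt64.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ybkvbyu]
2008-09-04 13:09 21504 C:\WINDOWS\system32\ybkvbyu32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Agl62.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sxd84.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 Sxd84;Sxd84;C:\WINDOWS\system32\Drivers\Sxd84.sys [2008-06-11 28416]
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys [2008-05-15 60160]
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WinNt64.dll
-> C:\WINDOWS\system32\ybkvbyu32.dll
"""

@dataclass
class Findings:
    failed_deletes: list = field(default_factory=list)
    notify_dlls: dict = field(default_factory=dict)       # Notify subkey -> DLL path
    safeboot_drivers: list = field(default_factory=list)  # SafeBoot\Minimal subkeys
    winlogon_modules: list = field(default_factory=list)  # DLLs mapped in winlogon.exe
    suspicious_drivers: list = field(default_factory=list)
    tampering: list = field(default_factory=list)

def parse_combofix_log(text):
    """Walk the log once, tracking the current [key] section and PROCESS: block."""
    f, key, in_winlogon = Findings(), "", False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := FAILED_LINE.match(line):
            f.failed_deletes.append(m.group(1))
        elif m := REG_KEY.match(line):
            key, in_winlogon = m.group(1), False
            parent, _, leaf = key.rpartition("\\")
            if parent.lower() == SAFEBOOT_KEY.lower():    # driver allowed to load in Safe Mode
                f.safeboot_drivers.append(leaf)
        elif line.upper().startswith("PROCESS:"):
            in_winlogon = line.lower().endswith("\\winlogon.exe")
        elif (m := MODULE_LINE.match(line)) and in_winlogon:
            f.winlogon_modules.append(m.group(1))
        elif m := DRIVER_LINE.match(line):
            if RANDOM_NAME.match(m.group(1)):
                f.suspicious_drivers.append(m.group(1))
        elif key.rpartition("\\")[0].lower() == NOTIFY_KEY.lower():
            if m := NOTIFY_DLL.match(line):               # Winlogon Notify package registration
                f.notify_dlls[key.rpartition("\\")[2]] = m.group(1)
        elif key.lower().endswith("\\security center") and line.endswith("=dword:00000001"):
            f.tampering.append("Security Center: " + line.split("=")[0].strip('"'))
        elif key.lower().endswith("\\standardprofile") and line.startswith('"EnableFirewall"= 0'):
            f.tampering.append("Windows Firewall disabled (standard profile)")
    return f

def explain_failed_deletes(f):
    """A Notify DLL is mapped into winlogon.exe, so the file is in use and cannot be deleted."""
    loaded = {p.lower() for p in f.winlogon_modules}
    registered = {p.lower() for p in f.notify_dlls.values()}
    why = {}
    for path in f.failed_deletes:
        if path.lower() in loaded & registered:
            why[path] = "Winlogon Notify DLL mapped in winlogon.exe: remove the Notify key, then delete after reboot"
        else:
            why[path] = "not held by winlogon.exe; look for another holder"
    return why

def draft_cfscript(f):
    """Draft File::/Driver::/Registry:: directives as in the reply; [-key] deletes a key."""
    out = []
    files = sorted({*f.failed_deletes, *f.notify_dlls.values()}, key=str.lower)
    if files:
        out += ["File::", *files]
    if f.suspicious_drivers:
        out += ["Driver::", *f.suspicious_drivers]
    keys = [f"[-{NOTIFY_KEY}\\{n}]" for n in f.notify_dlls]
    keys += [f"[-{SAFEBOOT_KEY}\\{d}]" for d in f.safeboot_drivers]
    if keys:
        out += ["Registry::", *keys]
    return "\n".join(out)

if __name__ == "__main__":
    found = parse_combofix_log(SAMPLE_LOG)
    for path, reason in explain_failed_deletes(found).items():
        print(f"{path}: {reason}")
    print("tampering:", *found.tampering, sep="\n  ")
    print("--- draft CFScript ---\n" + draft_cfscript(found))
```

Run against the excerpt, the draft reproduces the `File::` and `Registry::` lines of the reply above (it does not emit `Collect::`, which only packages samples for submission) and names Sxd84 under `Driver::`; the drafted script is something for the helper to review against the full log before it is handed to a user, not something to run blindly, and the Security Center and firewall values it flags are not reset by the reply's script and need restoring separately once the machine is clean.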

#3 Jussu_Undur (Topic Starter)

Posted 08 September 2008 - 09:20 AM

Thanks for the help.
I had already run SDFix before I read your reply and was able to remove all DLLs from my system32 folder ...
Anyway, I did what you said afterwards, with the following results: see the ComboFix and HijackThis logs in the attachment.
I think I'm clean again, right?
Anyhow, big thanks already.

Attached Files



#4 Thunder

Posted 08 September 2008 - 09:53 AM

Hello Pieter,

Your logs do look fine now.

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Greetings,
Thunder

#5 Thunder

Posted 07 October 2008 - 07:50 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



