CddbLangZHq.dll Trojan horse Agent


1 reply to this topic

#1 damo_k

damo_k

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:11 AM

Posted 10 December 2008 - 07:13 AM

Hi All,
I'm having a bit of an issue with a Trojan Horse that I just cannot get rid of!
Here's a quick synopsis of what happened.
I had an old version of Symantec Antivirus on my machine which I removed some time ago as it was causing me problems. Of course, me being me, I forgot to download something else and install it in the meantime ....
I kept getting a pop-up message on my PC informing me that I must download AntiVirus 2009 ...blah blah blah ...you all know the Trojan I'm talking about.
I downloaded Malwarebytes, which removed all except four registry values which will be in the attached log (I'm scanning at the moment, it takes a couple of hours). I searched the internet high and low but could not find any way to remove these reg keys.
Of course now I have no protection, so I downloaded AVG AntiVirus. This little beauty captured the Trojan hiding in a dll, CddbLangZHq.dll, a warning of which appears every time I open Internet Explorer or Windows Explorer, prompting me to add it to the vault, which I have done several times but to no avail as the dll is never deleted. Now when I run Malwarebytes it catches the dll and requires the 'remove on reboot' option. I have done this scan several times and rebooted (doing the correct method of selecting 'yes' after the scan) but to no avail. The dll remains and the Trojan remains.
I will post Malwarebytes logs and ComboFix logs as soon as they are complete. As AVG captures the Trojan before it pops open the download page it's not that much of a problem, but I would like to get rid of it once and for all!

Any help would be appreciated.
Damo


Here's the Malwarebytes log (please note the same entries appear after rescanning once rebooted):

Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 3

10/12/2008 14:45:30
mbam-log-2008-12-10 (14-45-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 148988
Time elapsed: 3 hour(s), 12 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30f834cc-8431-4b97-a94c-5e284bc95620} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{30f834cc-8431-4b97-a94c-5e284bc95620} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\CddbLangZHq.dll (Trojan.BHO.H) -> Delete on reboot

Edited by damo_k, 10 December 2008 - 10:12 AM.
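The log above is the standard Malwarebytes' Anti-Malware text report. When triaging a thread like this it helps to read it programmatically: group the hits by section, pull out everything that was only scheduled for "Delete on reboot" (the items that keep coming back after a restart), and tie the Browser Helper Object CLSID to the HKCR\CLSID entry and the DLL that share its detection name, since those three are one persistence mechanism, not three unrelated findings. The following parser is an added example written for this page; it is not code from the poster or from Malwarebytes, and the sample input is the log text quoted in the post, embedded as a constructed constant so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample: the Malwarebytes' Anti-Malware log quoted in the post above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 148988

Registry Keys Infected: 2
Registry Values Infected: 4
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30f834cc-8431-4b97-a94c-5e284bc95620} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{30f834cc-8431-4b97-a94c-5e284bc95620} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\SYSTEM32\CddbLangZHq.dll (Trojan.BHO.H) -> Delete on reboot
"""

# A detection section header ends with a bare colon; the summary lines near the
# top ("Registry Keys Infected: 2") carry a count after the colon and do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path> (<detection name>) -> <action>" with an optional trailing period.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>[^.]+)\.?$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}")


def parse_mbam_log(text):
    """Return {section name: [ {path, detection, action}, ... ]} for every hit."""
    findings = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        item = ITEM_RE.match(line)
        if item:
            findings[section].append(item.groupdict())
    return dict(findings)


def pending_on_reboot(findings):
    """Paths the scanner could not remove live and deferred to the next reboot.
    If these reappear after restarting, something still running is restoring them."""
    return [item["path"] for items in findings.values() for item in items
            if item["action"].lower().startswith("delete on reboot")]


def bho_clsids(findings):
    """CLSIDs registered under Browser Helper Objects (IE loads these DLLs at start)."""
    clsids = set()
    for item in findings.get("Registry Keys Infected", []):
        if "Browser Helper Objects" in item["path"]:
            match = CLSID_RE.search(item["path"])
            if match:
                clsids.add(match.group(0).lower())
    return clsids


def correlate_bho(findings):
    """Map each BHO CLSID to its registry keys and to any flagged file sharing
    the same detection name, so the entries are cleaned as one unit."""
    keys = findings.get("Registry Keys Infected", [])
    files = findings.get("Files Infected", [])
    report = {}
    for clsid in bho_clsids(findings):
        related_keys = [k for k in keys if clsid in k["path"].lower()]
        detections = {k["detection"] for k in related_keys}
        report[clsid] = {
            "registry_keys": [k["path"] for k in related_keys],
            "files": [f["path"] for f in files if f["detection"] in detections],
        }
    return report


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for section, items in parsed.items():
        print(f"{section}: {len(items)} item(s)")
    print("Deferred to reboot:", len(pending_on_reboot(parsed)))
    for clsid, info in correlate_bho(parsed).items():
        print(clsid, "->", info["files"], "+", len(info["registry_keys"]), "registry key(s)")
```

Run against the log in the post, the script reports seven items deferred to reboot and ties CLSID {30f834cc-8431-4b97-a94c-5e284bc95620} to both its registry keys and C:\WINDOWS\SYSTEM32\CddbLangZHq.dll. Seeing the same seven entries on every rescan after a reboot is the signal the poster describes: the DLL is loaded by Explorer and Internet Explorer as a BHO, so it is in use whenever the deferred deletion is attempted, which is why the helper tools ask for logs rather than more reboots.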



#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:06:11 AM

Posted 10 December 2008 - 09:44 AM

Moving to Am I Infected

Please DO NOT post a Combofix log
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits



