Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't remove TR/BHO.msls trojan - please help


  • This topic is locked This topic is locked
14 replies to this topic

#1 mortod

mortod

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 22 February 2010 - 04:07 PM

Avast AntiVir is reporting an infected msls51.dll file as 'TR/BHO.msls trojan'. I can find very little information on the web on this.

I have already tried running a full MBAM scan (0 infections) in safe mode, and have also run ComboFix, but the problem persists.

I attach DDS and ComboFix logs, but note that the only way I could get these to run was by repeatedly telling AntiVir to ignore the msls message. I have been unable to run GMER which causes the PC to spontaneously crash/reboot half way through the scan (even in safe mode).

Have uploaded DDS, and Combofix logs.

Attached Files


Edited by mortod, 22 February 2010 - 04:12 PM.


BC AdBot (Login to Remove)

 


#2 mortod

mortod
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 24 February 2010 - 08:57 AM

I have made some progress, but I would still appreciate some help as I still appear to be infected (some webpage re-directions, and PC very slow - a full MBAM scan took 4 hours rather than 1.5).

I overcame the problem with the msls51.ddl by scanning that file explicitly with AntiVir, and letting it quarantine the file. The PC was not very usable after that, but I was able to bring up cmd window from the task manager, from which I ran SFC /scannow.

I then ran a full MBAM and AntiVir scan both of which found 1 or 2 infections:

Worm.Autorun.B
JAVA/Executer.A

I then ran Combofix, and MBAM and AntiVir scans continue to appear clean.

But I still am experiencing web redirections and a slow PC.

DDS files re-attached.
Unable to run GMER.


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the Malware Response Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Attached Files


Edited by elise025, 24 February 2010 - 02:19 PM.


#3 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:51 AM

Posted 24 February 2010 - 08:30 PM

Hello, and welcome.gif to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. smile.gif
***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

***************************************************

Please install RootRepeal
Note: Vista users ,, right click on desktop icon and select "Run as Administrator."Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

~Blade


In your next reply, please include the following:
RootRepeal log
DDS.txt
Attach.txt

Edited by Blade Zephon, 24 February 2010 - 08:32 PM.

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#4 mortod

mortod
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 27 February 2010 - 12:53 PM

Hi Blade, thanks for your help.

Have re-run DDS and appended logs.

Am unable to run RootRepeal. It starts up with a box saying 'initiating, please wait', but gets no further. It gradually uses more and more memory (it got up to 2.3Gb Commit Charge, in Task Manager, before levelling off and then becoming cpu bound and unresponsive). I had to increase the paging space to achieve that - it is a 500Mb machine and I have increased paging space to 3Gb. I also tried running it in safe mode, but the pc again became unresponsive.

I shall await your response.

Attached Files



#5 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:51 AM

Posted 02 March 2010 - 12:58 PM

Hello mortod

Sorry for the delay in my reply.
QUOTE
I then ran Combofix, and MBAM and AntiVir scans continue to appear clean.

Have you run ComboFix since you initially posted your ComboFix log? If you have, I need to see that updated log please. It should be located at C:\ComboFix.txt

Please paste it into your next reply, do not attach it unless the board software tells you that your post is too large.

If you have not run ComboFix since you initally posted your log, just let me know and we'll work from there.

Thanks!

~Blade

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#6 mortod

mortod
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 02 March 2010 - 03:54 PM

Yes I ran Combofix as per my second post, ie after removing the msls51.dll and running sfc /scannow. Log attached.

Attached Files



#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:51 AM

Posted 02 March 2010 - 04:44 PM

Hello mortod

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.

~Blade

In your next reply, please include the following:
mbr.log

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#8 mortod

mortod
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 02 March 2010 - 05:16 PM

mbr.log pasted below:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:51 AM

Posted 03 March 2010 - 08:23 PM

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

***************************************************

Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

~Blade

In your next reply, please include the following:
ComboFix Log
How is the computer running now? Still getting redirects?

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#10 mortod

mortod
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 04 March 2010 - 12:29 PM

Combofix ran ok. Log attached.

But HostsXpert has problems - It first pops up a warning saying 'Your hosts file is marked as a system file and can NOT be manipulated, Press OK to remove the system file attribute, CANCEL to quit. ***HostsXpert will NOT reset these attributes.***'

I press OK, and then press 'Restore MS Hosts File' I get a popup 'Press OK to restore Microsofts original hosts file'. But I then get 'ERROR Can not create hosts file C:|WINDOWS\system32\Drivers\ETC\hosts'.

HostsXpert then exits.

Checking file attributes for the host file from a cmd prompt, they are A SHR. Access denied if I try to remove those attributes.

Attached Files


Edited by mortod, 04 March 2010 - 01:05 PM.


#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:51 AM

Posted 08 March 2010 - 12:48 PM

Hello mortod

Sorry for the delay in reply.

I got your PM about managing to clear the hosts file. Glad to hear that.

Well things are looking pretty good now but let's run one more scan to be sure. Please note that the following scan will take some time to run.

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply .

~Blade


In your next reply, please include the following:
Kaspersky Online Scan report
How is the computer running now?

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#12 mortod

mortod
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 09 March 2010 - 07:09 AM

Kaspersky log attached. Nothing significant found.

Pc seems to be running OK - no redirects, performance OK.

But, I am still unable to run GMER or RootRepeal - should that worry me?

MBAM scan is clear.

Thanks for all your help Blade.

Attached Files



#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:51 AM

Posted 09 March 2010 - 08:50 AM

Hello mortod

Good. . . those detections are not unexpected and we will deal with them shortly.

We should almost be done here. Please generate a new DDS.txt and Attach.txt for me so we can do one final check.

~Blade

In your next reply, please include the following:
DDS.txt
Attach.txt

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#14 mortod

mortod
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:04:51 AM

Posted 09 March 2010 - 11:02 AM

Attached as requested.
Thanks.

Attached Files



#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:51 AM

Posted 09 March 2010 - 01:41 PM

Hello mortod

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

***************************************************
  • Click on Start>Run
  • Now type combofix /Uninstall in the runbox and click OK. Notice the space between the "x" and "/".
  • You will then recieve a message letting you know that Combofix was uninstalled Successfully.
This will remove files/folders assoicated with combofix and uninstall it.

***************************************************

Your machine appears to be clean!

You can re-enable emulation drivers now if you wish:

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

***************************************************

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection
I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programs in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation, is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select at least one of them (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users