Author Topic: Trojan Horse BH0.JBZ & iehelper.dll (please help) (Read 5132 times)

MAANGO · « **Reply #15 on:** July 08, 2009, 11:55:10 PM »

Corinne

Thanks for the advice on the AVG search bar and the ask toolbar(that just popped up out of nowhere about a month back and every time I deleted it it kept coming back.). I ran ATF Cleaner and did the ESET scan. The computer is running a little faster now. Here's the log.>>>

~~~~~~~~~~~~~~~~~~~~~~~~~~~

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=467cfa063b2efe40a716eff49b1edb41
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-07-08 11:40:23
# local_time=2009-07-08 07:40:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1026 37 83 95 86879375000
# scanned=57686
# found=9
# cleaned=0
# scan_time=3351
C:\Documents and Settings\Owner\My Documents\My Music\Electronic & Other\Beck - Modern Guilt (2008)\06 - Walls.mp3   a variant of WMA/TrojanDownloader.GetCodec.gen trojan   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\system32\govsqxed.ini.vir   Win32/Adware.Virtumonde.NEO application   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\system32\KUtEOXbc.ini.vir   Win32/Adware.Virtumonde.NEO application   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\system32\KUtEOXbc.ini2.vir   Win32/Adware.Virtumonde.NEO application   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir   Win32/PrcView application   00000000000000000000000000000000   I
C:\System Volume Information\_restore{7BD14670-00F6-49DB-8511-752BD8B67571}\RP1762\A0207446.ini   Win32/Adware.Virtumonde.NEO application   00000000000000000000000000000000   I
C:\System Volume Information\_restore{7BD14670-00F6-49DB-8511-752BD8B67571}\RP1762\A0207447.ini   Win32/Adware.Virtumonde.NEO application   00000000000000000000000000000000   I
C:\System Volume Information\_restore{7BD14670-00F6-49DB-8511-752BD8B67571}\RP1762\A0207448.exe   Win32/PrcView application   00000000000000000000000000000000   I
C:\WINDOWS\Sinking Island\uninstall.exe   MSIL/TrojanClicker.NAC virus   00000000000000000000000000000000   I

Corrine · « **Reply #16 on:** July 09, 2009, 12:22:08 AM »

That helps, Manny.

Please start by going to your music folder and deleting the following infected mp3:

C:\Documents and Settings\Owner\My Documents\My Music\Electronic & Other\Beck - Modern Guilt (2008)\06 - Walls.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan

If you have that mp3 stored on an mp3 player, you will want to remove it from there as well.

Since it appears "Sinking Island" is infected -- specifically referencing the uninstaller, I would rather you not attempt to uninstall the proram/game. Rather, please do the following:

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:

Code: [Select]

Folder::
C:\WINDOWS\Sinking Island

Save this as CFScript.txt and place it on your desktop.
Close any open browsers.
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

MAANGO · « **Reply #17 on:** July 09, 2009, 01:35:40 AM »

Corrine

I deleted the Beck track and did the combofix scan. I wasn't aware of "sinking island" on my computer . . .

~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 09-07-08.04 - Owner 07/08/2009 20:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.149 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\Sinking Island
c:\windows\Sinking Island\uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-08 22:37 . 2009-07-08 22:37   --------   d-----w-   c:\program files\ESET
2009-07-08 21:15 . 2009-07-08 21:07   2052888   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-08 20:47 . 2009-07-08 20:47   --------   d-----w-   c:\documents and settings\Owner\Application Data\WinPatrol
2009-07-08 20:47 . 2005-01-11 07:17   0   ----a-w-   c:\documents and settings\Owner\Application Data\WinPatrol\Config.sys
2009-07-08 20:47 . 2005-01-11 07:17   0   ----a-w-   c:\documents and settings\Owner\Application Data\WinPatrol\Autoexec.bat
2009-07-08 20:47 . 2009-07-08 20:47   --------   d-----w-   c:\program files\BillP Studios
2009-07-08 02:30 . 2004-08-04 07:56   50176   -c--a-w-   c:\windows\system32\dllcache\proquota.exe
2009-07-08 02:30 . 2004-08-04 07:56   50176   ----a-w-   c:\windows\system32\proquota.exe
2009-07-08 01:58 . 2009-07-08 02:11   --------   d-----w-   c:\documents and settings\Owner\.SunDownloadManager
2009-07-08 00:25 . 2009-07-08 02:53   --------   d-----w-   c:\program files\trend micro
2009-07-08 00:25 . 2009-07-08 00:26   --------   d-----w-   C:\rsit
2009-07-07 22:13 . 2009-07-07 22:13   3561743   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-01 13:26 . 2009-07-01 13:25   832144   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 21:08 . 2009-05-22 13:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
2009-07-08 16:05 . 2005-01-16 20:34   --------   d-----w-   c:\program files\Java
2009-07-08 15:45 . 2006-02-26 07:24   --------   d-----w-   c:\documents and settings\Owner\Application Data\uTorrent
2009-07-08 15:42 . 2007-02-07 01:08   --------   d-----w-   c:\program files\Soulseek
2009-07-08 01:51 . 2005-01-11 09:25   --------   d-----w-   c:\program files\Common Files\Adobe
2009-07-07 22:14 . 2008-09-04 21:25   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-07-01 13:25 . 2009-05-22 13:49   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
2009-07-01 13:25 . 2009-05-22 13:49   327688   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2009-07-01 13:25 . 2009-05-22 13:49   27784   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2009-06-19 20:57 . 2005-01-27 07:10   --------   d-----w-   c:\program files\Lexmark X74-X75
2009-06-17 15:27 . 2008-09-04 21:25   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2008-09-04 21:25   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-06-06 21:29 . 2009-05-24 03:32   --------   d-----w-   c:\program files\DOSBox-0.72
2009-05-29 03:51 . 2009-03-07 22:03   20   ---h--w-   c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-05-28 04:09 . 2005-01-11 08:23   --------   d-----w-   c:\program files\Trillian
2009-05-26 03:12 . 2009-05-26 03:12   2855   ----a-w-   c:\windows\PIF\INSTALL.PIF
2009-05-22 13:49 . 2009-05-22 13:49   108552   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2009-05-22 13:49 . 2009-05-22 13:49   --------   d-----w-   c:\program files\AVG
2009-05-13 03:49 . 2005-01-11 07:28   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-05-07 15:44 . 2002-06-25 21:40   344064   ----a-w-   c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2004-01-08 23:23   659456   ----a-w-   c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2009-04-14 00:23   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2002-06-25 21:50   1846656   ----a-w-   c:\windows\system32\win32k.sys
2009-04-17 04:36 . 2009-04-17 04:36   0   ----a-w-   c:\windows\PowerReg.dat
2009-04-15 15:11 . 2005-01-11 08:14   584192   ----a-w-   c:\windows\system32\rpcrt4.dll
2005-10-07 01:54 . 2005-10-07 01:54   816782   ----a-w-   c:\program files\oggcodecs_0.69.8924.exe
2005-04-22 01:17 . 2005-04-22 01:17   491768   ----a-w-   c:\program files\ie6setup.exe
2005-01-24 08:25 . 2005-01-24 08:22   7741336   ----a-w-   c:\program files\DivX521XP2K.exe
2005-01-11 09:45 . 2005-01-11 07:23   767   ----a-w-   c:\program files\Internet Explorer.lnk
2005-01-11 08:50 . 2005-01-11 08:50   823296   ----a-w-   c:\program files\winmx353.exe
2005-01-11 08:20 . 2005-01-11 08:20   4918270   ----a-w-   c:\program files\Firefox+Setup+1.0.exe
2006-01-19 22:19 . 2006-01-19 22:19   10856   --sha-w-   c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-08_02.35.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-09 01:06 . 2009-07-09 01:06   40960 c:\windows\temp\rtdrvmon.exe
- 2009-07-08 02:34 . 2009-07-08 02:34   40960 c:\windows\temp\rtdrvmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344]
"IPInSightLAN 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"IPInSightMonitor 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-25 57344]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-06 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-01 1948440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-2-2 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-01 13:25   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"blank"= blank:Yahoo! Messenger
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/22/2009 9:49 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/22/2009 9:49 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/22/2009 9:49 AM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/22/2009 9:49 AM 298776]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [3/11/2009 5:34 PM 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [3/11/2009 5:34 PM 3768]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
BHO-{483B0FFD-E30E-4DB3-A57C-B19CB6FD8E1F} - (no file)

.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\z0djtchf.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101740&gct=&gc=1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 21:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-220523388-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:aa,60,23,8b,83,0a,0a,63,0d,26,ee,73,a9,5d,56,a4,c1,de,bd,2f,5c,
f0,3e,de,70,66,6d,d1,78,db,20,c5,bc,47,ff,18,d7,8a,b5,f5,64,82,68,4e,4b,6d,\
"rkeysecu"=hex:a5,34,7f,ea,32,71,61,b9,af,82,da,8d,b4,2f,df,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3512)
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\browselc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\Lexmark X74-X75\lxbbbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-09 21:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 01:16
ComboFix2.txt 2009-07-08 16:21
ComboFix3.txt 2009-07-08 02:46

Pre-Run: 16,550,703,104 bytes free
Post-Run: 16,545,652,736 bytes free

184   --- E O F ---   2009-06-15 10:07

Corrine · « **Reply #18 on:** July 09, 2009, 02:31:06 AM »

I'll take another look tomorrow and provide some final cleanup and (more) advice.

MAANGO · « **Reply #19 on:** July 09, 2009, 03:28:34 AM »

Corrine

Thanks, I really appreciate it.

- Manny

Corrine · « **Reply #20 on:** July 10, 2009, 01:24:48 AM »

Hi, Manny.

Please do the following to implement cleanup procedures and also to reset System Restore points:

Note: If you use AVG, please exit via System Tray. and then open the AVG 8 Control Center, by right-clicking on the AVG 8 icon on task bar.

Click on Tools.
Select Advanced Settings.
In the left hand pane, scroll down to "Resident Shield".
In the main pane, deselect the option to "Enable Resident Shield."
To re-enable AVG 8, please select "Enable Resident Shield" again.

Click Start > Run and Copy/Paste the following bolded text into the Run box and click OK: ComboFix /u

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.

I noticed you have my favorite security monitor installed on the computer -- WinPatrol. Since your original log showed your Hosts File had been changed, please launch WinPatrol and check that you have it monitoring the Hosts file. See WinPatrol Help: Monitoring Hosts and Critical Systems Files for information and for information on how to edit the Hosts File, see Hosts File: Editing/Restoring.

Having a firewall, anti-virus and anti-malware software are not enough. You also need to stay current with security updates. If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now. For additional information, see my blog post Understanding Microsoft Updates

To check if your system is missing security updates or has insecure applications installed, visit http://secunia.com/software_inspector/ . The Secunia Software Inspector runs through your browser with no installation or download required and does the following:

Detects insecure versions of applications installed
Verifies that all Microsoft patches are applied
Assists you in updating your system and applications

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

Please let me know if you have any questions.

MAANGO · « **Reply #21 on:** July 13, 2009, 02:23:44 AM »

Corrine

Sorry, I've been busy these last few days and haven't been able to make time, but I'll follow the steps you listed sometime tomorrow. Thank you so much for your help, I never expected it to be this thorough and professional(or so quick).

- Manny

Corrine · « **Reply #22 on:** July 13, 2009, 03:52:13 PM »

You are very welcome, Manny. Thank you for your kind words.

LandzDown Forum

News:

Author Topic: Trojan Horse BH0.JBZ & iehelper.dll (please help) (Read 5132 times)

MAANGO

Re: Trojan Horse BH0.JBZ & iehelper.dll (please help)

Corrine

Re: Trojan Horse BH0.JBZ & iehelper.dll (please help)

MAANGO

Re: Trojan Horse BH0.JBZ & iehelper.dll (please help)

Corrine

Re: Trojan Horse BH0.JBZ & iehelper.dll (please help)

MAANGO

Re: Trojan Horse BH0.JBZ & iehelper.dll (please help)

Corrine

Re: Trojan Horse BH0.JBZ & iehelper.dll (please help)

MAANGO

Re: Trojan Horse BH0.JBZ & iehelper.dll (please help)

Corrine

Re: Trojan Horse BH0.JBZ & iehelper.dll (please help)