TheTechGuide Forum

General Category => Tech Clinic => Topic started by: BusyBear on April 01, 2006, 01:55:27 AM

Title: Trojan BHO.C
Post by: BusyBear on April 01, 2006, 01:55:27 AM

/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />  Hello again!

Seems I have a trojan on my pc Trojan BHO.C. I am getting alot of popups on sites that I have never got popups on before.

I have run Spyblaster ... Spybot ... Microsoft Antispyware and Ewido .. this is Ewido's scan report results..

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         5:09:28 PM, 1/04/2006
 + Report-Checksum:      8FF363CB

 + Scan result:

   [432] C:\WINDOWS\system32\mllmj.dll -> Adware.Virtumonde : Cleaned with backup
   [1860] C:\WINDOWS\system32\mllmj.dll -> Adware.Virtumonde : Cleaned with backup
   C:\WINDOWS\system32\mllji.dll -> Trojan.BHO.c : Cleaned with backup


::Report End

But alas its still there when I run it again!

And this is Hijack this report ...

Logfile of HijackThis v1.99.1
Scan saved at 5:43:49 PM, on 1/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT 2\hijackthis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab (http://\"http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{8845B2A9-AA04-465F-B8E0-943027B67ED9}: NameServer = 203.134.64.66 203.134.65.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mllji - C:\WINDOWS\SYSTEM32\mllji.dll
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

I am currently running Trend Housecall ... I have tried to run Lavasoft Adaware but it shuts my pc down while running thought Windows/system files

Any suggestions?
Thanks in advance for any help you can give me  /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

Title: Trojan BHO.C
Post by: BusyBear on April 02, 2006, 01:11:02 AM

One of the popups tell me I am infected with the Blackworm virus and i should download something .. I think this is a setup and so I havent downloaded it. I had no luck with Trend either ... looks like the Trojan is preventing me from running it /sad.gif\' class=\'bbc_emoticon\' alt=\':(\' />

Title: Trojan BHO.C
Post by: guestolo on April 02, 2006, 01:16:28 AM

Please download [color=\"red\"]VundoFix.exe[/color] (http://\"http://www.atribune.org/ccount/click.php?id=4\")[/url] to your desktop.

• Double-click VundoFix.exe to run it.
  
• Put a check next to Run VundoFix as a task.
  
• You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  
• When VundoFix re-opens, click the Scan for Vundo button.
  
• Once it's done scanning, click the Remove Vundo button.
  
• You will receive a prompt asking if you want to remove the files, click YES
  
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
  
• Turn your computer back on.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  

Title: Trojan BHO.C
Post by: BusyBear on April 03, 2006, 04:08:43 AM

Thanks you are my hero Guestolo! /wub.gif\' class=\'bbc_emoticon\' alt=\':wub:\' />

The Vundofix.txt showed this

VundoFix V4.2.43

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Scan started at 6:50:04 PM 3/04/2006

Listing files found while scanning....

C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.bak2

C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.bak2
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\mllmj.dll
 Attempting to delete C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllji.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmj.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\jmllm.bak2
C:\WINDOWS\system32\jmllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V4.2.43

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Scan started at 6:53:03 PM 3/04/2006

Listing files found while scanning....


No infected files were found.


VundoFix V4.2.43

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Scan started at 6:55:56 PM 3/04/2006

Listing files found while scanning....


No infected files were found.

The Hihackthis log shows this

Logfile of HijackThis v1.99.1
Scan saved at 7:01:57 PM, on 3/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\HJT 2\hijackthis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (http://\"http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{8845B2A9-AA04-465F-B8E0-943027B67ED9}: NameServer = 203.134.64.66 203.134.65.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

How do they look? /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

Title: Trojan BHO.C
Post by: guestolo on April 03, 2006, 11:07:44 PM

Looks good
*If everything is running better
Final Cleanup
We should clear all your restore points to ensure you don't restore any nasties that may be sitting idle

Go to START>>RUN>>In the open field
Type in

msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
[/list]                          
Back in Windows, Go back and take the check out of "Turn off system restore"
This will reenable the System Restore feature and creates a new restore point

                 In addition to the protections you have on your comptuer
*Install  SpywareBlaster 3.5.1 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")[/url]  

*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
                   

+ *I noticed they have older versions of Java installed
You should access the following link
http://www.java.com/en/download/manual.jsp (http://\"http://www.java.com/en/download/manual.jsp\")
I find the
Windows (Offline Installation) the most reliable although it's a bigger download
Save the offline installer to desktop
Don't install it yet

Access the add/remove programs via control panel and remove
Java version  1.4.2.3
and
Java version  1.5.0.3

Then go ahead and install the latest version, which will include security updates

Stay safe  /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Title: Trojan BHO.C
Post by: BusyBear on April 04, 2006, 01:30:38 PM

Thanks so much Guestolo /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

I have done everything you told me too *hugs*

Looks like everything is back on track!

Take care and keep smiling /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Title: Trojan BHO.C
Post by: guestolo on April 04, 2006, 04:48:26 PM

Thanks for posting back, I'll lock this topic as your problems appear resolved

Take care  /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />