DK64_MASTER

Problems with Cn91x.exe, iexpl0re.exe, crasos.exe


Hey everyone,

 

I had a usb virus infection that has seemingly spiraled out of control.

 

Whenever I start Windows, I get a DOS dialog box saying:

 

16 bit MS-DOS Subsystem

C:\DOCUME~1\username\LOCALS~1\Temp\Cn911.exe

The NTVDM CPU has encountered an illegal instruction.

 

This has been documented here:

http://72.14.253.104/search?q=cache:JikZh8...;cd=2&gl=us

 

and here

 

http://www.theeldergeek.com/forum/index.php?showtopic=23573

 

However, I tried their fixes, and my computer keeps on restarting randomly in safe mode when I'm running the scans.

 

I was hoping I could get another opinion from people I know better.

 

I know I shouldn't post my HJT log here, but I'll do it for completeness's sake.

 

Right now I'm back to square 1 (except my usb drive has been formatted).

 

Important HJT items have been put in bold. The scans that I've tried have detected exes and dlls that are described in the O4 description, and I have tried to remove them to no avail. I'm wondering what advice you guys have (it's been a few months since I've been here). Should I get Ewido and scan? Panda ActiveScan?

 

HJT:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 2:55:57 AM, on 4/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HiJackThis_v2.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\taskrgm.exe,

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\Amar\LOCALS~1\Temp\Cn913.Exe

O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe

O4 - HKCU\..\Run: [rqs6xq2c] C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe

O4 - HKCU\..\Run: [kkwgigik] C:\DOCUME~1\Amar\LOCALS~1\Temp\iexpl0re.exe

O4 - Startup: [email protected] 5.03.lnk = C:\Program Files\[email protected]\winFAH.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: ActiveGS.cab - http://virtualapple.org/activegs.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120614987440

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136501044079

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

--

End of file - 4954 bytes

 

 

Thanks for your help!

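The posted log shows the two persistence tricks that matter here: Run entries (O4) that launch executables out of a user's Temp directory, one of them named iexpl0re.exe (a zero in place of the "o" of iexplore.exe), and a Winlogon UserInit value (F2) that launches taskrgm.exe alongside the real userinit.exe. Winlogon runs every comma-separated UserInit entry at logon before the shell starts, so that entry is not affected by disabling items in msconfig. The following triage script is an added example, not code from the original post and not part of HijackThis; it parses the F2 and O4 lines of an HJT log and flags exactly those patterns. The SAMPLE_LOG is constructed from the lines quoted in the post, and the list of system binary names used for the lookalike check is an assumption of the example.

```python
"""Triage a HijackThis log for Temp-directory Run entries, lookalike binary
names and UserInit hijacks.

Added example for this thread, not part of HijackThis. The heuristics and the
KNOWN_SYSTEM_NAMES set are assumptions chosen for illustration.
"""
import re

# Constructed from the F2/O4 lines quoted in the posted log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\taskrgm.exe,
O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\Amar\LOCALS~1\Temp\Cn913.Exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKCU\..\Run: [rqs6xq2c] C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe
O4 - HKCU\..\Run: [kkwgigik] C:\DOCUME~1\Amar\LOCALS~1\Temp\iexpl0re.exe
"""

# Assumed set of legitimate names that lookalike binaries imitate. A candidate
# is compared after mapping digits back to the letters they stand in for.
KNOWN_SYSTEM_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Short (8.3) and long forms of the per-user Temp folder on XP, plus the system one.
TEMP_DIR_RE = re.compile(r"(\\locals~1\\temp\\|\\local settings\\temp\\|\\windows\\temp\\)", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")


def _exe_path(command: str) -> str:
    """Strip quotes and trailing arguments so only the executable path remains."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    # Unquoted command line: cut after the first ".exe" (any case).
    m = re.search(r"\.exe", command, re.I)
    return command[: m.end()] if m else command.split()[0]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_of(filename: str):
    """Return the system binary a file name imitates via digit/letter swaps, else None."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_NAMES:
        return None  # the genuine name is not a lookalike
    folded = name.translate(HOMOGLYPHS)
    return folded if folded in KNOWN_SYSTEM_NAMES else None


def triage(log_text: str):
    """Return a list of (severity, log line, reason) for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_RE.match(line)
        if m:
            # Every comma-separated entry is launched by Winlogon at logon,
            # independently of the Run keys that msconfig edits.
            entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
            extra = [e for e in entries if _basename(e) != "userinit.exe"]
            if extra:
                findings.append(("high", line, "UserInit launches extra binary: " + ", ".join(extra)))
            continue
        m = O4_RE.match(line)
        if m:
            path = _exe_path(m.group("cmd"))
            base = _basename(path)
            if TEMP_DIR_RE.search(path):
                findings.append(("high", line, "Run entry executes from a Temp directory: " + path))
            mimic = lookalike_of(base)
            if mimic:
                findings.append(("high", line, base + " imitates " + mimic))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the sample it reports the UserInit entry for taskrgm.exe, the three Temp-directory Run entries, and iexpl0re.exe as an imitation of iexplore.exe. It does not flag cmdbcs.exe in C:\WINDOWS, since nothing about that path or name is structurally suspicious; a log still needs a reviewer (or a hash lookup) for entries like that, which is why the thread sends the log to the HJT forum.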

Hello DK64,

Well, you DO have some trojans on your PC; they are in the O4 lines in HJT. First off, you're using the new beta version of HJT; the advisors in all forums will ask you to please use the older version, since the new one is still in beta. It's on this page: http://radiosplace.com/ on the left.

One trojan you have is the sdbot trojan, among others, so I would repost your HJT log in the HJT forum, using the older HJT version. You could try AVG Anti-Spyware, which was Ewido, if you like, but it won't remove all of this.

 

Download, install, and update AVG Anti-Spyware 7.5: http://www.ewido.net/en/download/

Save the installer to desktop

Double click the installer, select your language, and then select OK

Click NEXT (read the "User License Agreement" or not, as you like)

Select I Agree>>>NEXT>>>INSTALL

AVG will now install and afterwards click FINISH

AVG Anti-Spyware 7.5 should now Load

Click the Update tab at the top. Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful")

Close AVG Anti-Spyware 7.5. Do not run it yet.

Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears.

Sign in with your normal user account

 

Once in Safe Mode, run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top

Click the "Settings" tab, change the recommended action to Quarantine, ensure that "Automatically generate report after every scan" is selected, and uncheck "Only if threats are found"

Click back to the "Scan" tab and then click on Complete System Scan.

This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware 7.5 will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

You can add the AVG log to your HJT log in the HJT forum. Good luck there; as you know, you'll be in good hands :)


Hey wademan, thanks for your help (as always).

 

Unfortunately when I ran avg (ewido) in safe mode, my computer restarted randomly during the scan. This seems to happen with other scanners too. You said ewido wasn't necessary for this removal, so I will go ahead and post a HJT log, and hope for the best :).

 

Thanks again.


You're most welcome. The type of trojans that are on your PC can cause the random reboot to prevent clean-up. The HJT forum will get you fixed up. :)


Another symptom:

 

I disabled crasos.exe in msconfig and rebooted, and it's still there (this was before I posted the HJT log in the HJT forums).

 

AVG has a startup item removal (so does Spybot Search & Destroy), but I'd rather hold off on removing "bits and pieces" of crazy trojans, which might make removal easier. I'll wait for an HJT response.

 

Have I already shot myself in the foot in that I've partially deleted some of the suspect exes and dlls from my temp folder?

 

Edit 2: Unable to scan in Safe Mode, I scanned in my normal boot environment, and it found this trojan:

 

Trojan.OnlineGames.es. It was found in upxdnd.dll and was also in my temp directory. Looking back in the temp directory, I find 2 more dlls:

Msxo0.dll and Msxo1.dll, which also seem to be related. However, these have not been removed and seem to be locked by Windows processes (I'm not too surprised though).

 

My temp directory is breeding malware!!!


Did you try the Prevx scan as recommended in the Elder Geek thread? Seems to recognise the majority of the filenames you mention...


Hi Dk64,

I would relax. Juliet has taken your HJT log; she does a fine job, and you're in good hands there. As I said above, your PC has trojans and other malware, but they'll get you cleaned up. :)


Just an update to this topic: most of the bug fixes have been done in the HJT topic here: http://forums.pcpitstop.com/index.php?showtopic=138386

 

I'm pretty sure I'm bug-free (running 1 more scan).

 

Big thanks to Jacee, Juliet, Wademan, and the whole PCPitstop Crew!
