Win32:Small-BOQ

Discussion in 'malware problems & news' started by Massi, Sep 25, 2006.

Thread Status:
Not open for further replies.
  1. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    Hi everyone,

    I'm new to this forum and am really hoping someone can help o_O

    My avast antivirus keeps blocking a connection which is automatically triggered each time I turn on my laptop. It says it's infected with WIN32:Small-BOQ (trj)

    I've tried many spyware/adware removal tools and also registry fixers but this thing keeps coming back. A full anti-virus (Avast) scan of my computer reveals no infection.

    What's going on o_O Any idea anyone o_O

    Thanks.
     
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    please give details about that connection. Does Avast mention any location in your computer?

    Try to boot in safe mode and scan and clean there. Or try an online scanner such as Bit Defender. ;)
     
  3. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    Thanks pykko. Here follow the details requested:

    Every time I switch on the computer and after Windows XP loads, as soon as the network is connected and an internet connection is established, I see the JAVA symbol appear in the system tray. A few seconds later an Avast window informs me that a connection is trying to be established, "http://dinet.info/p/us06/filename.exe", and that it is infected with WIN32:Small-BOQ(trj) but Avast stopped it. It does not mention the location on my computer. Then it says Press ABORT CONNECTION, which I do. 2 seconds later it happens again and I repeat the same action. Then nothing else happens all day! It only occurs upon switching on the computer.

    I looked into the JAVA Console and found the following entries in the "View Applets" window.

    pRT.jar-64395656-29676295.zip Jar 16KB 01/01/70 01:00 AM 08/30/06 04:25 PM N/A http://dinet.info/p/us06/filename.jar

    CInfo.class-1e4458d2-1e4e51f4.class Class 5KB 01/01/70 01:00 AM 08/30/06 04:25 PM N/A http://dinet.info/p/us06/filename.class

    I deleted both the above files by searching for them on my computer. I also scanned with Ad-Aware, Advanced Spyware Removal, Trojan-Kill, RegCur, and many other applications but none seem to be finding the culprit.

    I will try the Safe-Mode scan and see what happens but if this does not work either, what else can I do?

    Please help!

    Thanks.
     
    Last edited by a moderator: Sep 27, 2006
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Massi,

    The updating part may not be necessary in your case, but I posted it anyway.
    Skip it if you already have version 08

    Updating Java and Clearing Cache
    1. Go to Start > Control Panel and double-click the Java icon (coffee cup) in the Control Panel.
    2. It will say "Java Plug-in" under the icon.
       Please find the Update button or tab in the Java Control Panel. Update your Java, then reboot.
    3. If you are unable to update you can manually update by going here:
    4. After the reboot, go back into the Control Panel and double-click the Java icon.
    5. Under Temporary Internet Files, click the Delete Files button.
    6. There are three options in the window to clear the cache - leave ALL 3 checked:
       • Downloaded Applets
       • Downloaded Applications
       • Other Files
    7. Click OK on the Delete Temporary Files window.
       Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    8. Click OK to leave the Java Control Panel.

    Regards,
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Oh. NOD32 identified the file you reported as being downloaded (or rather, attempted) as
    Win32/TrojanDropper.Oleloa.J trojan

    Let us know if clearing your cache doesn't help.

    Regards,

    Pieter
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    That's right! NOD32 identifies it as a trojan.dropper. (I've tested it in a sandbox.) Perhaps Massi should try NOD32 to clean his computer if Avast fails.
     
  7. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    Hi All and thanks for your replies.

    I've already tried deleting the JAVA temp files various times before, but after I reboot the computer the files are re-created from somewhere and the problem repeats itself.

    Meanwhile, I tried logging in to Safe Mode, and did a scan with online BITDEFENDER as advised by Pykko. The full scan took some 1.5 hrs and it found 1 infected file in the system/restore folder, which it automatically deleted.

    I rebooted and thought the problem was solved as it did not occur. However, to make sure, I opened the JAVA control panel and in fact did not see the applets re-created, so I said "finally solved".

    SHORT LIVED, as a few seconds later it came back :mad: o_O

    Any more ideas please??
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Can you try something?

    Locate your hosts file.
    The default location for Windows XP is C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
    The file does not have an extension but you can right-click it and Open with ... Notepad

    Add this line
    127.0.0.1 dinet.info
    and save the altered file.

    Then empty your cache again and reboot.
    Let us know if it still comes back.

    Regards,

    Pieter
     
  9. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    Hi Pieter,

    OK. Tried what you told me and rebooted a couple of times. ALL SEEMS FINE NOW. :D

    Just for curiosity, what did that entry in the HOST file do? Does it mean I got rid of the infected file from my pc or is it still hidden somewhere but we are cheating it?

    Thanks a lot again.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    For the moment we are cheating it. ;)

    What we have done is made sure that your computer can't reach the site where the trojan is trying to invite his friends from.
    More information about the hosts file and what it does:
    http://www.mvps.org/winhelp2002/hosts.htm

    I would like to look a little deeper and see if we can find the evildoer.
    If you are interested in doing so then
    • Download this file - combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Regards,

    Pieter
     
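    As an added example (not from the thread or from Pieter's instructions), a small Python audit of a hosts file that shows what the `127.0.0.1 dinet.info` line above actually does: names mapped to loopback or 0.0.0.0 are sinkholed, names mapped elsewhere are redirected, and any name not listed (hosts entries match exact names only, so `www.dinet.info` is not covered by `dinet.info`) falls through to DNS untouched. The hosts content is constructed; the `example.test` names are placeholders.

```python
"""Audit hosts-file sinkhole entries (added example, not part of the forum thread)."""
import ipaddress

# Constructed sample: the entry suggested in the thread plus typical default content.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 dinet.info
0.0.0.0\tads.example.test  tracker.example.test   # constructed placeholder entries
192.0.2.10      update.example.test
"""

# Addresses that make a name unreachable: loopback and the unspecified address.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: [ip, ...]} from hosts-file text, ignoring comments and bad lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()                 # whitespace (spaces or tabs) separated
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed line; a real audit would log it
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(ip)
    return table


def resolution(table, hostname):
    """What the hosts file does for hostname: 'sinkholed', 'redirected' or 'untouched'."""
    ips = table.get(hostname.lower())
    if not ips:
        return "untouched"      # no entry: the resolver goes on to DNS
    if all(ip in SINKHOLE for ip in ips):
        return "sinkholed"      # every mapping is loopback/unspecified: traffic never leaves
    return "redirected"         # mapped to some other address: verify it is the expected one


def audit(text, hostnames):
    """Map each hostname of interest to its hosts-file verdict."""
    table = parse_hosts(text)
    return {h: resolution(table, h) for h in hostnames}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HOSTS, ["dinet.info", "www.dinet.info", "update.example.test"]).items():
        print(f"{host:24s} {verdict}")
```

    This only changes name resolution on the machine; the trojan itself is still present, which is why the thread treats the entry as a stopgap rather than a cleanup.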
  11. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    OK Pieter,

    Done as you advised and the following is the report as requested.

    Awaiting more instructions from you. Thanks in advance
     

    Attached Files:

  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Oh. that is not good :gack:
    I suspect you have an RBot variant on your computer.

    First, we need to backup your registry:
    Please go to Start > Run
    Paste in the following line:
    • regedit /e c:\registrybackup.reg
    Click OK.
    It won't appear to be doing anything, that's normal.
    Your mouse pointer may turn to an hour glass for a minute.
    Please continue when it no longer has the hour glass.

    Then download the Killbox by Option^Explicit.

    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\ntsystem.exe
      C:\WINDOWS\system32\ractrlkeyhook.dll


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Reboot and copy the part in bold below into notepad.
    Save the file as stratuprem.reg
    (Set filetype to "All")

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "gwiz"=-


    Double-click that file and confirm you want to merge it with the registry.

    Run a full system scan with your AV or an online scanner once you are done.

    Regards,

    Pieter
     
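    As an added example (not from the thread or from Pieter's instructions), a Python parser that reports what a REGEDIT4 fix like the one above will do before it is merged: a `"name"=-` line deletes that value and a `[-key]` header deletes the whole key. The sample .reg is constructed from the thread's snippet plus a hypothetical key deletion under a placeholder key name.

```python
"""Preview the effect of a REGEDIT4 .reg fix (added example, not part of the forum thread)."""
import re

# Constructed sample: the thread's Run-value removal plus a hypothetical key deletion.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gwiz"=-

[-HKEY_CURRENT_USER\Software\PlaceholderMalwareKey]
"""

# Autostart locations a cleanup .reg typically touches.
AUTOSTART_KEYS = (r"\Microsoft\Windows\CurrentVersion\Run",
                  r"\Microsoft\Windows\CurrentVersion\RunOnce")


def parse_reg(text):
    """Return a list of (action, key, value_name, data) tuples describing the merge."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing .reg header")
    actions, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):          # blank lines and comments
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", line)       # [key] or [-key]
        if m:
            key = m.group(2)
            if m.group(1):
                actions.append(("delete_key", key, None, None))
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)     # "name"=data or "name"=-
        if m and key:
            name, data = m.groups()
            if data == "-":
                actions.append(("delete_value", key, name, None))
            else:
                actions.append(("set_value", key, name, data))
    return actions


def autostart_removals(actions):
    """Value names the .reg removes from Run/RunOnce keys, i.e. autostart entries it disables."""
    return [name for act, key, name, _ in actions
            if act == "delete_value" and any(key.endswith(k) for k in AUTOSTART_KEYS)]


if __name__ == "__main__":
    for action in parse_reg(SAMPLE_REG):
        print(action)
    print("autostart entries removed:", autostart_removals(parse_reg(SAMPLE_REG)))
```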
  13. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    Sounds BAD !!!

    Is my data at risk? SHould I Backup before please?
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    No extra need for backups. If you have any important data stored like banking information and passwords, it will be advisable to change them as soon as possible once we are done.

    Regards,

    Pieter
     
  15. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    OK Will do as you advise later tonight when I'm back home and post back in this thread the results.

    Thanks a million for your help. :thumb:

    Regards,


    Massi
    (Malta)
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    No problem. That's what we're here for. :cool:

    Later,
     
  17. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    So,

    Did as Pieter suggested:

    1) When I ran Killbox it seemed to have deleted the files and did not ask to click OK at any PendingFileRenameOperations prompt.

    2) Computer rebooted automatically and without reporting any errors.

    3) Included the stratuprem.reg file in the registry successfully.

    4) Currently running FULL SYSTEM scan with my Anti-Virus " Avast! "


    Question: Since I have already run the FULL SYSTEM scan many times since this problem started and it NEVER claimed to have found infected files, how sure can I be that the file has been removed even if Avast! reports again now that there is no infection? Probably the only way to check is to remove the entry posted in my HOST file (the cheat) and reboot to see if the file tries to connect again?

    Any suggestions please?

    Again thanks a million for your greatly appreciated help. :)
     
  18. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I'm sure you will, but I would definitely suggest waiting till Pieter is able to respond before continuing with the assistance. As you may or may not know....you are in very capable hands with Pieter_Arntz and it will help him tremendously if you would be able to wait till he responds, so as not to tamper with the flow of troubleshooting this malware. Please.

    Regards,
    Bubba
     
  19. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    Hi Bubba,

    Yes I agree with waiting for Pieter and strongly believe I am in very capable hands!!

    In fact my last message was actually intended for him although I did not write his name!

    Thanks.

    Massi
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Massi,

    I'm assuming Avast is fully updated. If your antivirus did not find anything, my conclusion would have to be, it does not know this threat.
    The thing is, Killbox made backups and those should have been flagged.

    ractrlkeyhook.dll is normally part of a legitimate program, so that could be a reason not to detect it, but I'm pretty sure ntsystem.exe is an RBot variant.

    Can you surf to: http://www.kaspersky.com/virusscanner

    First use the filescanner for the files in this folder C:\!Killbox\
    and post the results

    I would advise to also use the Online Scanner to check your entire computer for anything else that might be lurking.

    Keep us posted,

    Regards,

    Pieter
     
  21. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    Hi Pieter,

    So Avast scanned all of my computer but reported nothing, and it is updated daily, so definitions are very up to date.

    Online scanner you suggested found the following when I checked Killbox directory ONLY (see attached .txt file)

    So what next please?

    Thanks a lot


    Regards


    Massi
     

    Attached Files:

  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Massi,

    Well done! :)

    Can you surf to this forum:
    http://www.thespykiller.co.uk/forum/index.php?topic=5.0
    and upload that file there, following the instructions in that post.
    As soon as you get a reply that it has been found you can delete the file to avoid any "accidents" in the future.

    I will make sure that it is added for detections as soon as possible.

    I would feel a bit better if you did a full system scan on the Kaspersky site.
    If it is part of a set of files they will very likely also detect any others that might be there.
    I don't expect to find any, but like I said, I'd feel better if you did the scan.
    Then don't forget to change any information that might have been leaked by the trojan; passwords etc.

    Regards,

    Pieter
     
  23. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    Hi Pieter,

    Attached is report of FULL SCAN. There seem to be a number of other infected files/objects and also quite some others which were skipped as locked.

    What should I do please?

    Also I am trying to upload the file on the site you gave me but although it says I need not register to upload a file, without a login & password I cannot go into the forum to upload it.

    What should I do please? Register?

    Thanks a lot

    Massi

    P.S. To avoid further future attacks I viewed your homepage and installed all the software you suggested. Can I do anything else to help avoid future problems? Thanks.
     

    Attached Files:

  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Nothing to worry about there.
    The locked files are just files that are in use. The infected files are backups made by Windows.
    To get rid of those we will just need to purge your Restore Points.
    To do that, follow the instructions for Windows XP here:
    http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000092513515106
    I don't understand your problem with TheSpyKiller. There are recent posts by non-registered members (Guests). If I PM you my email address, can you send the file to me?

    I think the most important leak in this case was the absence of a well-configured firewall. The trojan should never have been allowed to call out.
    You can get excellent help on this board to help you set up your firewall.
    Lots of specialists and helpful folk around.

    Regards,

    Pieter
     
  25. Massi

    Massi Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    18
    Yes Pieter, please PM your e-mail and I will forward file immediately.

    Thanks again.

    Massi
     