BleepingComputer.com: (Trojan.BHO)

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

If you have not received help after three days, please post a link to your topic HERE.
Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

(Trojan.BHO)

#1 User is offline   Rossy4T 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 2
  • Joined: 24-June 09

Posted 24 June 2009 - 11:37 AM

Hi, ran a 'Quick' MBAM scan on new laptop in normal mode and it found: HKEY_CLASSES_ROOT\kt_bho.KettleBho (Trojan.BHO)

so then ran a full scan mediately after reboot (log below). I googled and found this topic very similar http://www.bleepingcomputer.com/forums/topic199967.html
so I followed boopme's instructions up to the SmitfraudFix 'clean'. Not sure if need to go ahead with Sff clean. So hoping for some advice/help.


Windows Vista Home Premium
Avg8.5
Firefox 3x


relevant logs posted below:


Malwarebytes' Anti-Malware 1.38
Database version: 2327
Windows 6.0.6001 Service Pack 1

24/06/2009 10:36:02
mbam-log-2009-06-24 (10-36-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 180800
Time elapsed: 1 hour(s), 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{86676e13-d6d8-4652-9fcf-f2047f1fb000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\Partner\partner.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\programdata\Partner\partner.exe (Trojan.BHO) -> Quarantined and deleted successfully.


---------------------------------


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/24/2009 at 02:00 PM

Application Version : 4.26.1006

Core Rules Database Version : 3953
Trace Rules Database Version: 1895

Scan type : Complete Scan
Total Scan Time : 00:36:06

Memory items scanned : 289
Memory threats detected : 0
Registry items scanned : 5876
Registry threats detected : 0
File items scanned : 95613
File threats detected : 0


--------------------------


SmitFraudFix v2.422

Scan done at 15:45:21.68, 24/06/2009
Run from C:\Users\Craig\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe
C:\Program Files\EgisTec\MyWinLocker 3\x86\MWLService.exe
C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe
C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Craig


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Craig\AppData\Local\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Craig\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Craig\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL,avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9E5A1338-B3A5-40AF-80DB-0891CE3F9D92}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EECE5F9A-C338-4461-BB11-B7214408E11A}: DhcpNameServer=192.168.112.29
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9E5A1338-B3A5-40AF-80DB-0891CE3F9D92}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EECE5F9A-C338-4461-BB11-B7214408E11A}: DhcpNameServer=192.168.112.29
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9E5A1338-B3A5-40AF-80DB-0891CE3F9D92}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EECE5F9A-C338-4461-BB11-B7214408E11A}: DhcpNameServer=192.168.112.29
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

-----------------------

Malwarebytes' Anti-Malware 1.38
Database version: 2329
Windows 6.0.6001 Service Pack 1

24/06/2009 17:22:22
mbam-log-2009-06-24 (17-22-22).txt

Scan type: Quick Scan
Objects scanned: 75100
Time elapsed: 2 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2 User is offline   boopme 

  • To Insanity and Beyond
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 46,295
  • Joined: 10-September 04
  • Gender:Male
  • Location:NJ USA

Posted 24 June 2009 - 12:14 PM

Hello, Yes run part 2 of S!Ri's SmitfraudFix. tell me how it's running after that.
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 User is offline   Rossy4T 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 2
  • Joined: 24-June 09

Posted 26 June 2009 - 07:45 AM

Hi, thanks for replying.

Sorry for the delay! I can't now boot to safe mode, after crcdisk.sys the mouse changes to safemode apperence for few seconds, but then it reboots again (to normal mode no problem). Don't know if this is malware related.

Don't know if i should try force a safe boot via mscofig. Will run a chkdsk in the meantime.

Thanks again.

#4 User is offline   boopme 

  • To Insanity and Beyond
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 46,295
  • Joined: 10-September 04
  • Gender:Male
  • Location:NJ USA

Posted 26 June 2009 - 09:43 AM

I think this is a Vista registry problem and running Start Up Repair may help. Ask any further questions on this in the VIsta forum at the top.

Startup Repair:
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 User is offline   gully786 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 186
  • Joined: 15-May 09
  • Gender:Male

Posted 23 September 2009 - 05:12 PM

i got the same thing, exactly same files

i ran
-full scan mbam quarantined items
-restarted in safe mode ran the cleaner and super
-restarted normal removed items from quarantine (none needed to be deleted on bootup)
-ran a quick scan (nothing found) and then SmitfraudFix option 1
-restarted in safe mode ran SmitfraudFix option 2 (no need to replace wininet.dll)
Now there is no partner.dll or exe under program data does that mean it successfully been removed. If u need the logs ive still got them.

Sorry for using your topic but i thought this might be useful for u once u can boot in safe mode as well as assure me, If this is not welcome forgive me :thumbsup:

#6 User is offline   boopme 

  • To Insanity and Beyond
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 46,295
  • Joined: 10-September 04
  • Gender:Male
  • Location:NJ USA

Posted 23 September 2009 - 08:00 PM

Hi, gully786.. In the future you should always make your own topic as sometimes there are differences among each PC, but anyway.
Where is you r PC at now. Do you have safe mode? Did you run the Vista ..Startup Repair?

This is unclear to me..

Quote

thought this might be useful for u once u can boot in safe mode as well as assure me.


Please post the 1st Smitfraud log,thanks.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#7 User is offline   gully786 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 186
  • Joined: 15-May 09
  • Gender:Male

Posted 24 September 2009 - 07:13 AM

Im running Windows vista home premium
Yes it does have safe mode, no i havent run startup repair (available option)

I'm using mydesktop pc at the moment (not infected), once i get the chance i'll upload the log

#8 User is offline   gully786 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 186
  • Joined: 15-May 09
  • Gender:Male

Posted 24 September 2009 - 08:17 AM

Sorry i think ive stupidly deleted the file :thumbsup:

but here are my other logs

First Quick Scan
_____________
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6002 Service Pack 2

21/09/2009 13:24:53
mbam-log-2009-09-21 (13-24-53).txt

Scan type: Quick Scan
Objects scanned: 83885
Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\kt_bho.KettleBho (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Second Full Scan
______________
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6002 Service Pack 2

23/09/2009 15:15:31
mbam-log-2009-09-23 (15-15-31).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 112490
Time elapsed: 1 hour(s), 26 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{86676e13-d6d8-4652-9fcf-f2047f1fb000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partner service (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\Partner\partner.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\ProgramData\Partner\partner.exe (Trojan.BHO) -> Quarantined and deleted successfully.

Safe Mode Scan with Super
______________________
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/23/2009 at 06:43 PM

Application Version : 4.29.1002

Core Rules Database Version : 4102
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 00:59:56

Memory items scanned : 277
Memory threats detected : 0
Registry items scanned : 7919
Registry threats detected : 0
File items scanned : 139265
File threats detected : 0

Final MBAM Quick Scan
___________________
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6002 Service Pack 2

23/09/2009 18:53:46
mbam-log-2009-09-23 (18-53-46).txt

Scan type: Quick Scan
Objects scanned: 86318
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SmitFraudFix option 2
__________________
SmitFraudFix v2.424

Scan done at 18:57:56.97, 23/09/2009
Run from C:\Users\GYounis\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
::1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C449FCDB-4E9F-4221-B471-73F283D8588C}: DhcpNameServer=10.255.52.245 10.255.52.241
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C449FCDB-4E9F-4221-B471-73F283D8588C}: DhcpNameServer=10.255.52.245 10.255.52.241
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C449FCDB-4E9F-4221-B471-73F283D8588C}: DhcpNameServer=10.255.52.245 10.255.52.241
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.255.52.245 10.255.52.241
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.255.52.245 10.255.52.241
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.255.52.245 10.255.52.241


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» RK.2



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Sorry bout the first log

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users