
help needed with stubborn trojan.bho in registry and adware vundo variant


15 replies to this topic

#1 fraggle23


Posted 15 December 2008 - 12:59 PM

Hi, I need help clearing a stubborn trojan from my registry. I have run SUPERAntiSpyware and Malwarebytes' Anti-Malware; they found and cleared many infections, but after I rebooted the computer and ran a Malwarebytes scan again it found 1 infection in the registry (I have posted the log below). I also ran SUPERAntiSpyware again and it found 22 infections, mostly tracking cookies, which are removed easily, but the trojans keep coming back with each scan. I have removed System Restore and tried the scan in Safe Mode as well, and I have also rebooted the system after each scan on several occasions. These are the most recent logs from each program. I will reboot after posting this topic, so the tracking cookies should be gone; they have only appeared since I have been online looking for help. I would appreciate any help that you can offer. Thanks in advance.



Malwarebytes' Anti-Malware 1.31
Database version: 1501
Windows 5.1.2600 Service Pack 3

12/15/2008 4:49:57 PM
mbam-log-2008-12-15 (16-49-57).txt

Scan type: Quick Scan
Objects scanned: 69912
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/12/2008 at 09:57 PM

Application Version : 4.23.1006

Core Rules Database Version : 3669
Trace Rules Database Version: 1648

Scan type : Quick Scan
Total Scan Time : 00:42:17

Memory items scanned : 507
Memory threats detected : 0
Registry items scanned : 662
Registry threats detected : 6
File items scanned : 51024
File threats detected : 43

Trojan.Homepage
HKU\S-1-5-21-1956375906-1506864521-2008766821-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{686A161D-5BD1-4999-8832-6393F41E564C}

Trojan.Media-Codec
HKU\S-1-5-21-1956375906-1506864521-2008766821-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1AC752E-883F-4ED8-8828-B618C3A72152}
HKU\S-1-5-21-1956375906-1506864521-2008766821-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{D1AC752E-883F-4ED8-8828-B618C3A72152}

Adware.Tracking Cookie

Adware.Vundo Variant
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-1956375906-1506864521-2008766821-1005\SOFTWARE\Microsoft\fias4013

Adware.Vundo/Variant-Trace
C:\WINDOWS\SYSTEM32\ISINOZOG.INI



#2 boopme

  • Global Moderator

Posted 15 December 2008 - 04:10 PM

Let's see what SDFix may reveal. Scan and post its log.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 fraggle23


Posted 15 December 2008 - 06:05 PM

OK, I ran SDFix; the log is below. The log didn't open when the computer rebooted, so I went into the SDFix folder, opened the Report.txt file and copied that, so hopefully I got the right file. I have also done another Malwarebytes scan, and the log is below the SDFix log.





SDFix: Version 1.240
Run by fraggles on Mon 12/15/2008 at 09:55 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File


Malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1501
Windows 5.1.2600 Service Pack 3

12/15/2008 10:42:37 PM
mbam-log-2008-12-15 (22-42-37).txt

Scan type: Quick Scan
Objects scanned: 67778
Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I also used Spybot Search & Destroy between starting this topic and your reply. I'm not sure how to get logs for that, but it did find the things below; they have been quarantined. I hope that this can give you some more clues to what's happening with my computer.

Cassava
settings
HKEY_USERS\S-1-5-21-1956375906-1506864521-2008766821-1005\software\casinoonnet\casino
settings
HKEY_USERS\S-1-5-21-1956375906-1506864521-2008766821-1005\software\casinoonnet

Virtumonde.prx
Autorun settings (gotuwuyaka)
HKE_USERS\S-1-5-19\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\gotuwuyaka
Autorun settings (gotuwuyaka)
HKE_USERS\S-1-5-20\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\gotuwuyaka

Microsoft.WindowsSecurityCenter.FirewallBypass
Settings
HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Services\SharedAccess\parameters\FirewallPolicy\StandardProfile\AuthorizedApllications\List\C:\WINDOWS\explorer.exe
Settings
HKEY_LOCAL_MACHINE\SYSTEM\Controlset002\Services\SharedAccess\parameters\FirewallPolicy\StandardProfile\AuthorizedApllications\List\C:\WINDOWS\explorer.exe

#4 boopme


Posted 15 December 2008 - 10:06 PM

You look pretty good. How's the PC running now?

#5 fraggle23


Posted 16 December 2008 - 05:48 AM

Hi, the PC seems to be running fine at the mo; it never really slowed down. I had pop-ups on Internet Explorer 7 every 2-5 mins when clicking on links etc. The pop-ups directed me to pancolp, then quickly went to different sites trying to get me to download anti-virus programs, which I didn't download; that's when I realised I had a problem. I'm now using Firefox as my browser; I will try Explorer 7 again to see if I still get pop-ups. My concern at the mo is the Trojan.BHO in my registry (see Malwarebytes logs above) that Malwarebytes keeps finding but can't get rid of; SUPERAntiSpyware also finds it in the registry but calls it Adware.Vundo Variant. Is there any way to clean them from the registry, or does it not matter that they are still there?

#6 boopme


Posted 16 December 2008 - 02:20 PM

Update MBAM to its latest database (1507) and rescan; let's see if it finally gets it.

#7 fraggle23


Posted 17 December 2008 - 09:09 AM

OK, I updated MBAM and rescanned. It found the infection and said to reboot the computer to fully remove it, so I did and rescanned again, and it was still there, just like before. Below are both the logs from the scans.

Malwarebytes' Anti-Malware 1.31
Database version: 1511
Windows 5.1.2600 Service Pack 3

12/17/2008 1:04:56 PM
mbam-log-2008-12-17 (13-04-56).txt

Scan type: Quick Scan
Objects scanned: 68586
Time elapsed: 8 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Malwarebytes' Anti-Malware 1.31
Database version: 1511
Windows 5.1.2600 Service Pack 3

12/17/2008 2:00:32 PM
mbam-log-2008-12-17 (14-00-32).txt

Scan type: Quick Scan
Objects scanned: 68455
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by fraggle23, 17 December 2008 - 09:11 AM.


#8 boopme


Posted 17 December 2008 - 10:57 AM

Let's take a quick look now and see what S!Ri's SmitfraudFix may reveal about that.

Run part 1...
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#9 fraggle23


Posted 17 December 2008 - 06:31 PM

OK, I downloaded SmitfraudFix and ran a search. Here are the results.


SmitFraudFix v2.387

Scan done at 23:24:04.51, Wed 12/17/2008
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\KService\KService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Oxigen\bin\Oxigen.exe
C:\Program Files\Oxigen\bin\OxiTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\fraggles


C:\DOCUME~1\fraggles\LOCALS~1\Temp


C:\Documents and Settings\fraggles\Application Data


Start Menu


C:\DOCUME~1\fraggles\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\hubahore.dll c:\\windows\\system32\\wavovozi.dll"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F9971D1-388B-4BA5-8035-38D768E6D5FE}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1F9971D1-388B-4BA5-8035-38D768E6D5FE}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F9971D1-388B-4BA5-8035-38D768E6D5FE}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Scanning for wininet.dll infection


End

#10 boopme


Posted 17 December 2008 - 08:13 PM

You've got malware. Run Part 2, cleaning.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

#11 fraggle23


Posted 17 December 2008 - 08:52 PM

I ran the cleaning process in Safe Mode. Here is the log.


SmitFraudFix v2.385

Scan done at 1:34:05.40, Thu 12/18/2008
Run from C:\Documents and Settings\fraggles\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F9971D1-388B-4BA5-8035-38D768E6D5FE}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#12 boopme


Posted 17 December 2008 - 09:32 PM

I think it's gone now. How are things?

#13 Jeyaraj


Posted 29 December 2008 - 02:54 AM

Hi,

I need help to clear a Trojan virus from my registry. I have run SUPERAntiSpyware and Malwarebytes software and it keeps telling me 3 objects are infected. It removes the trojans, but the Trojan keeps appearing after rebooting. I would appreciate any help that you can offer to remove Trojan.BHO and Malware.Trace.

Here are the logs:

Malware Bytes:

Malwarebytes' Anti-Malware 1.31
Database version: 1565
Windows 5.1.2600 Service Pack 3

12/29/2008 2:35:22 AM
mbam-log-2008-12-29 (02-35-16).txt

Scan type: Quick Scan
Objects scanned: 60513
Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Super Anti Spyware Logs:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/29/2008 at 02:39 AM

Application Version : 4.23.1006

Core Rules Database Version : 3687
Trace Rules Database Version: 1663

Scan type : Custom Scan
Total Scan Time : 00:03:20

Memory items scanned : 539
Memory threats detected : 0
Registry items scanned : 4695
Registry threats detected : 35
File items scanned : 0
File threats detected : 13

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RORIJEYA.DLL
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

Adware.Tracking Cookie

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid


Thanks & Regards,
Jeyaraj

#14 boopme

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 29 December 2008 - 01:26 PM

Hi, in the MBAM scan the "No Action Taken" usually means the Remove Selected button wasn't clicked.

Next: Open MBAM and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select FULL scan and scan.
After the scan click Remove Selected, post the new scan log and reboot.

#15 Jeyaraj

  • Members
  • 2 posts

Posted 30 December 2008 - 02:00 PM

Hi,

I did a complete scan of my laptop with Malwarebytes and SUPERAntiSpyware and rebooted my machine after removal. Here are the logs.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 3

12/30/2008 9:50:25 AM
mbam-log-2008-12-30 (09-50-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 361660
Time elapsed: 2 hour(s), 37 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/30/2008 at 01:48 PM

Application Version : 4.23.1006

Core Rules Database Version : 3687
Trace Rules Database Version: 1663

Scan type : Custom Scan
Total Scan Time : 00:03:01

Memory items scanned : 529
Memory threats detected : 0
Registry items scanned : 4694
Registry threats detected : 5
File items scanned : 0
File threats detected : 29

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RORIJEYA.DLL
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

Adware.Tracking Cookie
C:\Documents and Settings\ejloga.000\Cookies\ejloga@1070100338[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@doubleclick[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@adrevolver[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@apmebf[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@richmedia.yahoo[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@stat.dealtime[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@statse.webtrendslive[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@hitbox[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@trafficmp[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@ads.bleepingcomputer[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@fastclick[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@ehg-comcast.hitbox[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@revsci[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@interclick[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@questionmarket[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@tribalfusion[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@media.adrevolver[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@fls.doubleclick[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@adopt.euroclick[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@zedo[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@mediaplex[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@ad.yieldmanager[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@realmedia[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@1072461108[1].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@dealtime[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@atdmt[2].txt
C:\Documents and Settings\ejloga.000\Cookies\ejloga@advertising[2].txt


Thanks,
Jeyaraj
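Both logs above keep reporting the same CLSID, {EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}, whose InprocServer32 points at C:\WINDOWS\SYSTEM32\RORIJEYA.DLL, and MBAM can only mark it "Delete on reboot". A Browser Helper Object is loaded through exactly that chain: a CLSID listed under the Explorer "Browser Helper Objects" key, resolved via HKCR\CLSID\{...}\InprocServer32 to a DLL path. The script below is an added example, not something posted in this thread and not part of either scanner: it enumerates every registered BHO, resolves each CLSID to its DLL, and reports entries whose DLL is missing from disk or carries no valid Authenticode signature, which is how a practitioner would confirm whether a stubborn CLSID key is still backed by a file that can be loaded. It assumes PowerShell 2.0 or later on Windows and an elevated prompt; the CLSID passed at the end is the one from the logs, and the report function name is my own.

```powershell
# Added example (not from the thread): enumerate Browser Helper Objects, resolve
# each CLSID to its InprocServer32 DLL, and flag DLLs that are missing or unsigned.
# Assumes PowerShell 2.0+ on Windows; run elevated so HKLM hives are fully readable.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Present only on 64-bit Windows (32-bit IE registrations); skipped if absent.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoClsid {
    param([string]$Clsid)
    # COM load chain: CLSID -> InprocServer32 (default value) -> DLL path.
    # HKCR merges HKLM and HKCU Classes; check both so a per-user override is not missed.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $srv = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $srv) {
            $dll = (Get-ItemProperty -Path $srv).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Get-BhoReport {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            $dll    = Resolve-BhoClsid -Clsid $clsid
            $status = 'OK'
            $signer = ''
            if (-not $dll) {
                # Listed as a BHO but no InprocServer32: nothing can be loaded from it.
                $status = 'NO-INPROCSERVER32'
            } elseif (-not (Test-Path $dll)) {
                # Orphaned registration: the file the scanners named is no longer on disk.
                $status = 'DLL-MISSING'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                if ($sig.Status -ne 'Valid') { $status = "UNSIGNED ($($sig.Status))" }
            }
            New-Object PSObject -Property @{
                CLSID = $clsid; DLL = $dll; Status = $status; Signer = $signer; Hive = $key
            }
        }
    }
}

# Full report of every registered BHO.
Get-BhoReport | Format-Table CLSID, Status, DLL, Signer -AutoSize

# Direct check of the CLSID reported in the logs above: prints the DLL path the
# registry still points at, or nothing if the InprocServer32 mapping is gone.
Resolve-BhoClsid -Clsid '{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}'
```

If the CLSID still resolves to RORIJEYA.DLL and that file exists, the registration is live and the file should be dealt with (the scanners' "Delete on reboot" only makes sense if nothing recreates the key before the next scan); if the file is gone but the key persists, the remaining work is just the orphaned registry entry, which is why the scanners report a registry key and no infected file.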



