
Trojan Horse BHO.x


  • This topic is locked
11 replies to this topic

#1 battletank

battletank

  • Members
  • 38 posts
  • Local time:12:33 PM

Posted 02 January 2009 - 07:25 AM

Hi.

My computer runs AVG Free 8.0 and the resident shield component detects the following threat when I open IE.

File name: C:\WINDOWS\system32\blackbo.dll

Threat name: Trojan Horse BHO.x

I have selected 'Heal' and 'Move to vault' and this has not fixed the problem. The warning will flash up again within a minute. I have also downloaded, updated and run Malwarebytes' anti-malware, which upon scanning found the trojan horse and associated registry keys etc. But when I click 'remove' objects it says the following files could not be deleted and that they will be deleted at restart, which I immediately do, but the problem occurs again after restart.

Any ideas of how I can fix this problem, thanks.



#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:33 PM

Posted 02 January 2009 - 11:51 AM

Hi battletank and welcome to BC

Let's start with a Malwarebytes log. Please follow this procedure:
Run Malwarebytes
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 battletank

battletank
  • Topic Starter

  • Members
  • 38 posts
  • Local time:12:33 PM

Posted 02 January 2009 - 06:32 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1593
Windows 5.1.2600 Service Pack 3

3/01/2009 12:19:13 p.m.
mbam-log-2009-01-03 (12-19-13).txt

Scan type: Quick Scan
Objects scanned: 56264
Time elapsed: 23 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Andrew Mitchell\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew Mitchell\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew Mitchell\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Andrew Mitchell\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew Mitchell\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew Mitchell\Application Data\AdwareAlert\Log\2009 Jan 02 - 09_10_49 PM_109.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blackbo.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.

#4 battletank

battletank
  • Topic Starter

  • Members
  • 38 posts
  • Local time:12:33 PM

Posted 02 January 2009 - 06:37 PM

By the way, during the scan AVG's resident shield popped up saying Threat detected - Trojan Horse BHO.x. I just clicked ignore on these occasions.

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:33 PM

Posted 02 January 2009 - 06:39 PM

Hello.

Let's see what we can do about that.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901}]
    [-HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu]
    :processes
    iexplore.exe
    
    :files
    C:\WINDOWS\system32\blackbo.dll
    
    :commands
    [Reboot]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Download and Run SmitFraudFix Scan
  • Please download SmitFraudFix by S!Ri to your desktop.
  • Double click the icon to run it.
  • Select Option 1 by typing 1 and hitting Enter.
  • When the scan is complete, a log file will appear. Please copy the contents of the log into your next post.

Afterwards, run a new scan with Malwarebytes as well.

With Regards,
The Panda

#6 battletank

battletank
  • Topic Starter

  • Members
  • 38 posts
  • Local time:12:33 PM

Posted 02 January 2009 - 07:26 PM

========== REGISTRY ==========
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901}\\ .
Unable to delete registry key HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901}\\ .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu\\ not found.
========== PROCESSES ==========
Process iexplore.exe killed successfully.
========== FILES ==========
C:\WINDOWS\system32\blackbo.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\blackbo.dll scheduled to be moved on reboot.
========== COMMANDS ==========

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 01032009_131756

Files moved on Reboot...
C:\WINDOWS\system32\blackbo.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\blackbo.dll scheduled to be moved on reboot.




I am just going to run SmitFraudFix. I will post that back when done. Thanks.

#7 battletank

battletank
  • Topic Starter

  • Members
  • 38 posts
  • Local time:12:33 PM

Posted 02 January 2009 - 07:36 PM

========== REGISTRY ==========
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901}\\ .
Unable to delete registry key HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901}\\ .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu\\ not found.
========== PROCESSES ==========
Process iexplore.exe killed successfully.
========== FILES ==========
C:\WINDOWS\system32\blackbo.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\blackbo.dll scheduled to be moved on reboot.
========== COMMANDS ==========

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 01032009_131756

Files moved on Reboot...
C:\WINDOWS\system32\blackbo.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\blackbo.dll scheduled to be moved on reboot.


I will just run Malwarebytes then I will be right back!

SmitFraudFix v2.388

Scan done at 13:34:26.32, Sat 03/01/2009
Run from C:\Documents and Settings\Andrew Mitchell\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\ATKKBService.exe
E:\X1C4F8~1.SYS\01FF48~1.PRO\AVG\AVG8\avgwdsvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
E:\X1C4F8~1.SYS\01FF48~1.PRO\AVG\AVG8\avgrsx.exe
E:\X1C4F8~1.SYS\01FF48~1.PRO\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
E:\X1C4F8~1.SYS\01FF48~1.PRO\AVG\AVG8\avgtray.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew Mitchell\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Andrew Mitchell


C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp


C:\Documents and Settings\Andrew Mitchell\Application Data


Start Menu


C:\DOCUME~1\ANDREW~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 203.96.16.35
DNS Server Search Order: 203.96.16.36

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3750FF5B-6446-4B9F-80D5-46986BE45E14}: NameServer=203.96.16.35 203.96.16.36
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9A631A5A-8436-461C-83AA-BB7464EEE121}: NameServer=10.1.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3750FF5B-6446-4B9F-80D5-46986BE45E14}: NameServer=203.96.16.35 203.96.16.36
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9A631A5A-8436-461C-83AA-BB7464EEE121}: NameServer=10.1.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9A631A5A-8436-461C-83AA-BB7464EEE121}: NameServer=10.1.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3750FF5B-6446-4B9F-80D5-46986BE45E14}: NameServer=203.96.16.35 203.96.16.36
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9A631A5A-8436-461C-83AA-BB7464EEE121}: NameServer=10.1.1.1


Scanning for wininet.dll infection


End

#8 battletank

battletank
  • Topic Starter

  • Members
  • 38 posts
  • Local time:12:33 PM

Posted 02 January 2009 - 08:07 PM

Hi, I have two files here, not too sure why, so I'll post them both. Thanks.

Malwarebytes' Anti-Malware 1.31
Database version: 1593
Windows 5.1.2600 Service Pack 3

3/01/2009 2:01:49 p.m.
mbam-log-2009-01-03 (14-01-40).txt

Scan type: Quick Scan
Objects scanned: 56311
Time elapsed: 23 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blackbo.dll (Trojan.Agent) -> No action taken.




Malwarebytes' Anti-Malware 1.31
Database version: 1593
Windows 5.1.2600 Service Pack 3

3/01/2009 2:01:57 p.m.
mbam-log-2009-01-03 (14-01-57).txt

Scan type: Quick Scan
Objects scanned: 56311
Time elapsed: 23 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blackbo.dll (Trojan.Agent) -> Delete on reboot.
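The two logs above show the same BHO entries coming back after a reboot-scheduled removal. As an added example, not a tool from this thread or from Malwarebytes, the following Python script parses MBAM 1.x log text and diffs a before/after pair so that surviving detections stand out; the embedded sample logs are constructed excerpts of the ones quoted in this thread.

```python
"""Compare two Malwarebytes' Anti-Malware 1.x scan logs and flag detections
that survive a removal attempt. Added example written for this thread, not a
BleepingComputer or Malwarebytes tool. Sample logs are constructed excerpts."""
import re
from typing import Dict, List, NamedTuple

# "Registry Keys Infected:" opens a section; "Registry Keys Infected: 4" is a
# summary count and deliberately does not match.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<path> (<detection>) -> <action>." ; the greedy path backtracks to the last
# " (" so parentheses inside a path do not break parsing.
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


class Detection(NamedTuple):
    section: str    # e.g. "Registry Keys Infected"
    detection: str  # MBAM family name, e.g. "Trojan.BHO.H"
    action: str     # e.g. "Delete on reboot"


def parse_mbam_log(text: str) -> Dict[str, Detection]:
    """Return {path: Detection} for every listed item; summary lines and
    "(No malicious items detected)" placeholders are skipped."""
    items: Dict[str, Detection] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        item = ITEM_RE.match(line)
        if item and section:
            items[item.group("path")] = Detection(
                section, item.group("detection"), item.group("action"))
    return items


def compare_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Diff two logs taken before and after a removal pass.
    'persisting' = paths present in both logs: an item that was scheduled for
    deletion on reboot yet is detected again means something re-created it,
    which is exactly what the thread is seeing with the BHO DLL and its CLSID.
    'pending_reboot' = items the later scan could still only schedule."""
    b, a = parse_mbam_log(before), parse_mbam_log(after)
    return {
        "persisting": sorted(set(b) & set(a)),
        "removed": sorted(set(b) - set(a)),
        "new": sorted(set(a) - set(b)),
        "pending_reboot": sorted(p for p, d in a.items()
                                 if d.action == "Delete on reboot"),
    }


# Constructed excerpt modelled on the first log in the thread (post #3).
LOG_BEFORE = r"""
Registry Keys Infected: 3
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.

Memory Modules Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blackbo.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Constructed excerpt modelled on the second log in post #8 (after reboot).
LOG_AFTER = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\blackbo.dll (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    for kind, paths in compare_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```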

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:33 PM

Posted 03 January 2009 - 08:30 AM

Hello battletank.

This infection will likely require a stronger tool than permitted in this forum.

Please follow the directions below to run two logging tools. Post the logs in the Malware Removal forum. Not here.

When that is done, please post back here with a link to your new topic.
-----
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important! Please do not select the Show all checkbox during the scan.

In your new topic include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

With Regards,
The Panda

#10 battletank

battletank
  • Topic Starter

  • Members
  • 38 posts
  • Local time:12:33 PM

Posted 03 January 2009 - 06:36 PM

Link to topic

Cheers

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:33 PM

Posted 03 January 2009 - 06:54 PM

Replied there.

Consider this topic closed.

#12 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:33 PM

Posted 03 January 2009 - 07:26 PM

Topic is closed :thumbsup:





