BHO.X - trojan


56 replies to this topic

#1 battletank (Members, 38 posts)

Posted 03 January 2009 - 06:34 PM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-04 12:22:49
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 3D 805683FA 7 Bytes JMP 8A8E6AC8

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip6 \Device\Ip6 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip6 \Device\RawIp6 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip6 \Device\Tcp6 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip6 \Device\Udp6 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.14 ----

#2 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 03 January 2009 - 06:53 PM

Hello.

Let's see if OTScanIt can take out that file.

Please make sure AVG is disabled.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for the AVG icon.
  • Right click it-> select Quit Control Center.
  • A warning will pop up, click Yes
Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Registry - Safe List]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YY -> {397BEDC9-9E94-41C7-859C-1FE7AC91A901} [HKLM] -> %SystemRoot%\system32\blackbo.dll [Reg Error: Value  does not exist or could not be read.]
    < Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-4025279379-3369531988-2320958936-1006\] > -> HKEY_USERS\S-1-5-21-4025279379-3369531988-2320958936-1006\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "MSI Live" -> %ProgramFiles%\MSI\MSI Live\SetWallpaper.exe [C:\Program Files\MSI\MSI Live\SetWallpaper.exe]
    [Empty Temp Folders]
    [Reboot]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Please run a new scan with MalwareBytes and post that log.

Take a new OTScanIt scan as well. This time, leave the settings the way they are when OTScanIt opens.

With Regards,
The Panda

Edited by PropagandaPanda, 03 January 2009 - 06:53 PM.


#3 battletank (Topic Starter, Members, 38 posts)

Posted 03 January 2009 - 07:13 PM

Hi.

I click on AVG tray icon and the only option I have other than 'Open AVG user interface', and 'Update now', is 'exit'. This brings up the warning 'avgtray icon is the main component of avg. By closing it you will no longer be able to manage and control all other components. Do you really want to close the tray icon.' Is that all I need to do to close it?

#4 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 03 January 2009 - 07:36 PM

"Exit" should do fine.

The Panda

#5 battletank (Topic Starter, Members, 38 posts)

Posted 03 January 2009 - 08:10 PM

OK, I ran OTScanIt and have attached the log.

I ran Malwarebytes, with the log below.

I will post the last OTScanIt in the next post.




Malwarebytes' Anti-Malware 1.31
Database version: 1593
Windows 5.1.2600 Service Pack 3

4/01/2009 1:52:21 p.m.
mbam-log-2009-01-04 (13-52-21).txt

Scan type: Quick Scan
Objects scanned: 54941
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blackbo.dll (Trojan.BHO.H) -> Delete on reboot.

#6 battletank (Topic Starter, Members, 38 posts)

Posted 03 January 2009 - 08:12 PM

Attachment

Edited by battletank, 03 January 2009 - 11:08 PM.


#7 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 03 January 2009 - 08:20 PM

Hello battletank.

No problem. If you run out of attachment space, go to your Control Panel to remove your previous attachments to make room for new ones.

I haven't seen a Browser Helper Object that tough in awhile.

Let's use The Avenger.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Right click and extract avenger.exe to your desktop
  • Start the Avenger by clicking on its icon on your desktop.
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu
    
    Files to move:
    C:\WINDOWS\system32\blackbo.dll | C:\WINDOWS\system32\blackbo.dll.vir
  • Click the paste button to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.
---
Follow up with a new MalwareBytes scan please.

With Regards,
The Panda

#8 battletank (Topic Starter, Members, 38 posts)

Posted 03 January 2009 - 08:41 PM

Hey Panda,

I'm on a different PC here.

I ran The Avenger and it restarted the PC, but when the Notepad opened it was blank, and over the top a popup announced 'The process cannot access the file because it is being used by another process -OK-'.

I clicked OK. Shall I close the empty Notepad and then run Malwarebytes? Or do I need to uninstall another programme like OTScanIt first to get the log file for Avenger?

Thanks.

#9 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 03 January 2009 - 09:01 PM

Hello.

Please go ahead with running MBAM on that computer again.

With Regards,
The Panda

#10 battletank (Topic Starter, Members, 38 posts)

Posted 03 January 2009 - 10:33 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1593
Windows 5.1.2600 Service Pack 3

4/01/2009 4:26:53 p.m.
mbam-log-2009-01-04 (16-26-53).txt

Scan type: Quick Scan
Objects scanned: 55090
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blackbo.dll (Trojan.BHO.H) -> Delete on reboot.

#11 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 04 January 2009 - 10:07 AM

Hello.

Please make sure your protection is disabled.

Download and Run ComboFix with CFScript
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    
    ROOTKIT::
    C:\WINDOWS\system32\blackbo.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Drag CFScript.txt onto ComboFix.exe.

  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Please follow up with a new MBAM and GMER scan. Post those logs too.

With Regards,
The Panda

#12 battletank (Topic Starter, Members, 38 posts)

Posted 05 January 2009 - 04:11 PM

ComboFix crashed my system, giving me the blue screen. Shall I run it again? Anyway, here's the follow-up Malwarebytes log, and I couldn't get GMER to run after clicking on OK under Settings. It wouldn't do anything.

Cheers.


Malwarebytes' Anti-Malware 1.31
Database version: 1593
Windows 5.1.2600 Service Pack 3

2009-01-05 14:45:09
mbam-log-2009-01-05 (14-45-09).txt

Scan type: Quick Scan
Objects scanned: 54344
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blackbo.dll (Trojan.BHO.H) -> Delete on reboot.
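The three MBAM logs in this thread report the same BHO key and blackbo.dll as "Delete on reboot" every time, which means the scheduled removal never actually completes. As an added example (not code from this thread, from Malwarebytes or from the helper), here is a small Python parser for that MBAM 1.31 log format that compares successive scans and lists the items still pending removal in every one of them; the two sample logs are constructed, abbreviated copies of the ones quoted above.

```python
import re

# Constructed, abbreviated MBAM 1.31 logs in the format quoted in this thread;
# only the sections needed for the comparison are kept.
SCAN_1 = r"""Malwarebytes' Anti-Malware 1.31
mbam-log-2009-01-04 (13-52-21).txt

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\blackbo.dll (Trojan.BHO.H) -> Delete on reboot.
"""

SCAN_2 = r"""mbam-log-2009-01-04 (16-26-53).txt

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397bedc9-9e94-41c7-859c-1fe7ac91a901} (Trojan.BHO.H) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\blackbo.dll (Trojan.BHO.H) -> Delete on reboot.
"""

# Section header such as "Registry Keys Infected:" (summary lines end in a count, so they do not match).
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# One detection line: "<item> (<signature>) -> <action>."
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<sig>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> dict[str, tuple[str, str, str]]:
    """Map each detected item (lower-cased key or path) to (section, signature, action)."""
    found: dict[str, tuple[str, str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group("name")
            continue
        hit = DETECTION.match(line)  # "(No malicious items detected)" has no " (" and is skipped
        if section and hit:
            # Registry keys and NTFS paths are case-insensitive, so normalise before comparing scans.
            found[hit.group("item").lower()] = (section, hit.group("sig"), hit.group("action"))
    return found


def still_pending(scans: list[str]) -> list[str]:
    """Items reported 'Delete on reboot' in every one of two or more successive scans."""
    # A removal that is only ever scheduled for the next boot, scan after scan, never
    # actually happened: something re-creates the item or keeps it locked.
    parsed = [parse_mbam_log(text) for text in scans]
    if len(parsed) < 2:
        return []
    pending = "Delete on reboot"
    return sorted(
        item for item, (_, _, action) in parsed[0].items()
        if action == pending and all(later.get(item, ("", "", ""))[2] == pending for later in parsed[1:])
    )
```

Feeding it the real logs in order gives the two items that survived every pass, the BHO registration key and the DLL it points at, which is the pair the later ComboFix and Recovery Console steps go after.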

#13 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 05 January 2009 - 04:42 PM

Hello.

That just won't go, will it? Please keep the infected computer offline, if at all possible. We don't want new infections arriving.

Did ComboFix say it installed the Recovery Console? I want to try to rename that baddie file from there.

You have another computer that you could post to me from, correct? There is a chance that the infected computer will not boot after renaming the file. If it happens, we can easily change the name back.

Would you be comfortable doing this?

With Regards,
The Panda

#14 battletank (Topic Starter, Members, 38 posts)

Posted 05 January 2009 - 05:05 PM

Yeah, let's do it

#15 battletank (Topic Starter, Members, 38 posts)

Posted 05 January 2009 - 05:12 PM

Oh, and yeah the recovery console is installed I believe. At start up it offers a choice of two briefly.



