
How to remove register key from Trojan.BHO


  • This topic is locked
11 replies to this topic

#1 mavado

mavado

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 10 March 2009 - 06:09 PM

Hi,

I'm calling here for help to get rid of a nasty key from a trojan infection.
My laptop was infected with a couple of viruses, Trojan.BHO being one.
I ran MBAM to remove it and that worked. Only a key entry in the Windows registry remains. When I want to remove it manually I get an error message that the key is invalid. Last scans show no signs of an active virus, but the key still remains. I tried to assign all rights to this key and to delete it manually, but I simply can't.

I created a log with dds, which is included here.


==== DDS LOG ====
DDS (Ver_09-02-01.01) - NTFSx86
Run by Marcel at 23:48:42.44 on 2009-03-10
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.502.166 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Marcel\virusvechter\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {3e8108a0-3b4d-486a-b513-e61ad3d9fc1e}: {e1cf9d3d-a16e-315b-a684-d4b30a8018e3}
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-explorer: NoSMBalloonTip = 1 (0x1)
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marcel\applic~1\mozilla\firefox\profiles\bj2cgnol.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-4 130424]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-28 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-28 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-28 107272]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-8 353680]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 298264]
R2 MarxDev1;MarxDev1;c:\windows\system32\drivers\MARXDEV1.SYS [2009-2-26 8864]
R2 MarxDev2;MarxDev2;c:\windows\system32\drivers\MARXDEV2.SYS [2009-2-26 8864]
R2 MarxDev3;MarxDev3;c:\windows\system32\drivers\MARXDEV3.SYS [2009-2-26 8864]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-17 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-4 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-3-4 1095560]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-03-10 23:47 <DIR> --d----- c:\documents and settings\marcel\virusvechter
2009-03-08 18:51 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-03-08 18:51 <DIR> --d----- c:\program files\Zone Labs
2009-03-08 18:51 348,371 a------- c:\windows\system32\vsconfig.xml
2009-03-08 12:21 <DIR> a-dshr-- C:\cmdcons
2009-03-08 12:20 161,792 a------- c:\windows\SWREG.exe
2009-03-08 12:20 98,816 a------- c:\windows\sed.exe
2009-03-08 12:19 <DIR> --d----- C:\ComboFix
2009-03-08 12:19 399,872 a------- c:\windows\system32\CF22814.exe
2009-03-08 12:13 399,872 a------- c:\windows\system32\CF20662.exe
2009-03-08 00:57 <DIR> --d----- c:\docume~1\marcel\applic~1\Malwarebytes
2009-03-08 00:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-08 00:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 00:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 00:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-07 15:17 64 a------- c:\windows\wininit.ini
2009-03-04 00:06 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-04 00:05 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-04 00:05 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-04 00:05 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-04 00:05 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-04 00:05 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-04 00:05 <DIR> --d----- c:\docume~1\marcel\applic~1\PC Tools
2009-03-04 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-03-03 20:34 <DIR> --dshr-- C:\RESTORE
2009-02-26 21:59 <DIR> --d----- c:\program files\BPM-Studio Profi
2009-02-14 20:37 268 a---h--- C:\sqmdata01.sqm
2009-02-14 20:37 244 a---h--- C:\sqmnoopt01.sqm

==================== Find3M ====================

2009-03-08 18:51 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-01 16:44 47,104 a------- c:\windows\system32\KMVIDC32.DLL
2009-01-27 18:21 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-27 18:21 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-27 18:21 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-21 00:03 826,368 a------- c:\windows\system32\wininet.dll
2008-12-14 10:21 445,512 a------- c:\windows\system32\perfh013.dat
2008-12-14 10:21 70,858 a------- c:\windows\system32\perfc013.dat
2008-10-02 15:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 23:50:27.12 ===============

And this is the most recent MBAM log which contains the key I am talking about

=====MBAM LOG========

Malwarebytes' Anti-Malware 1.34
Database versie: 1826
Windows 5.1.2600 Service Pack 3

2009-03-08 20:03:47
mbam-log-2009-03-08 (20-03-47).txt

Scan type: Snelle Scan
Objecten gescand: 65291
Verstreken tijd: 5 minute(s), 59 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 1
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)
======== end of MBAM LOG =======

It says the key will be deleted on reboot, but as I said, that doesn't happen and manual deletion is not possible.
I've searched in many places but I can't find out what I could do next. The attachment to this post includes the ATTACH report from DDS. Advice on how to proceed is very welcome.


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:04:11 AM

Posted 22 March 2009 - 01:01 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 mavado

mavado
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 25 March 2009 - 04:00 PM

Hi,

Thank you for taking the time for my problem.

My laptop was infected with Trojan.BHO.
I ran MBAM to remove it and that worked. Only a key entry in the Windows registry remains. When I want to remove it manually I get an error message that the key is invalid. Last scans show no signs of an active virus, but the key still remains. I tried to assign all rights to this key and to delete it manually, but I simply can't.
So the virus scanner keeps reporting a virus on my system.

Here is the dds log I created today.
=====


DDS (Ver_09-03-16.01) - NTFSx86
Run by Marcel at 21:42:01.40 on 2009-03-25
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.502.219 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Marcel\Mijn documenten\downloads\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {3e8108a0-3b4d-486a-b513-e61ad3d9fc1e}: {e1cf9d3d-a16e-315b-a684-d4b30a8018e3}
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-explorer: NoSMBalloonTip = 1 (0x1)
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marcel\applic~1\mozilla\firefox\profiles\bj2cgnol.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-4 130424]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-28 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-28 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-28 107272]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-8 353680]
R2 MarxDev1;MarxDev1;c:\windows\system32\drivers\MARXDEV1.SYS [2009-2-26 8864]
R2 MarxDev2;MarxDev2;c:\windows\system32\drivers\MARXDEV2.SYS [2009-2-26 8864]
R2 MarxDev3;MarxDev3;c:\windows\system32\drivers\MARXDEV3.SYS [2009-2-26 8864]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-17 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 903960]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 298264]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-4 348752]
S4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-3-4 1095560]

=============== Created Last 30 ================

2009-03-08 18:51 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-03-08 18:51 <DIR> --d----- c:\program files\Zone Labs
2009-03-08 18:51 348,371 a------- c:\windows\system32\vsconfig.xml
2009-03-08 12:21 <DIR> a-dshr-- C:\cmdcons
2009-03-08 12:20 161,792 a------- c:\windows\SWREG.exe
2009-03-08 12:20 98,816 a------- c:\windows\sed.exe
2009-03-08 12:19 <DIR> --d----- C:\ComboFix
2009-03-08 12:19 399,872 a------- c:\windows\system32\CF22814.exe
2009-03-08 12:13 399,872 a------- c:\windows\system32\CF20662.exe
2009-03-08 00:57 <DIR> --d----- c:\docume~1\marcel\applic~1\Malwarebytes
2009-03-08 00:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-08 00:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 00:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 00:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-07 15:17 64 a------- c:\windows\wininit.ini
2009-03-04 00:06 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-04 00:05 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-04 00:05 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-04 00:05 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-04 00:05 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-04 00:05 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-04 00:05 <DIR> --d----- c:\docume~1\marcel\applic~1\PC Tools
2009-03-04 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-03-03 20:34 <DIR> --dshr-- C:\RESTORE
2009-02-26 21:59 <DIR> --d----- c:\program files\BPM-Studio Profi

==================== Find3M ====================

2009-03-08 18:51 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-01 16:44 47,104 a------- c:\windows\system32\KMVIDC32.DLL
2009-02-09 15:08 1,846,912 a------- c:\windows\system32\win32k.sys
2009-01-27 18:21 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-27 18:21 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-27 18:21 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-10-02 15:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 21:42:44.84 ===============


#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:04:11 AM

Posted 25 March 2009 - 04:06 PM

Hang on. Another will come to help
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:11 AM

Posted 25 March 2009 - 04:12 PM

Hello.

It seems Combofix was run on this system. Do you still have the log? It should be located at C:\Combofix.txt

Let's try removing that key.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created so that, in case anything goes wrong, we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.


Download and Run Script with Swreg.exe
  • Please download SWREG.exe, and save it to your C:\Windows Directory please.
In case you are using Firefox and it gets saved directly onto your desktop, do the following:
  • Please copy and paste Swreg.exe to your C:\Windows directory.
  • After you have pasted Swreg.exe into your C:\Windows directory you may delete the other copy on your desktop.
  • We need to execute a Batch File now
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the Code.
    rem Take ownership of the key and grant full access so it can be removed
    swreg ACL HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} /OA
    swreg ACL HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} /P /GE:F
    rem NULL DELETE handles a key name with an embedded null (regedit shows it as invalid), then a normal delete
    swreg NULL DELETE HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}
    swreg DELETE HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}

    rem Export whatever is left of the key (nothing is written if it is gone) and open the result
    Reg Export "HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}" C:\export.txt
    Notepad C:\export.txt
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Remove.bat.
  • Hit OK.
When done properly, the icon should look like the one for a .bat file.

Double click on Remove.bat to run it. You may get a security warning; please select Run. A black window will open and then disappear; this is normal. Then Notepad will open; post the contents of Notepad in your next reply.

Note: If notepad was empty let me know.

Update MBAM and run MBAM again with a quick-scan. Let me know if that key is gone now.

Post back with:
-Combofix log (If available)
-MBAM log
-New DDS log
-How's your computer running? Was that the only problem you have?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

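The DDS "Pseudo HJT Report" above lists each BHO by CLSID and prints "No File" when the registered DLL is missing. The script below is an added example, not part of this thread or of DDS, MBAM or SWREG: it performs the same audit in PowerShell and additionally reports CLSID keys that cannot be opened, which is the symptom mavado describes. It assumes a Windows host with PowerShell 2.0 or later in an elevated session; Get-BhoAudit is a name chosen for this example.

```powershell
# Added example, not from this thread or any tool it names. Audits Browser Helper
# Objects like the DDS "Pseudo HJT Report": resolves each BHO CLSID to its DLL and
# flags missing files, unsigned DLLs, orphaned CLSIDs and keys that cannot be opened.
# Assumes Windows with PowerShell 2.0+ and an elevated session.

function Get-BhoAudit {
    [CmdletBinding()]
    param()

    # 32-bit and (on 64-bit Windows) WOW64 registrations; the second path is
    # absent on a 32-bit XP install like the one in this thread.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )

    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($entry in Get-ChildItem -LiteralPath $root) {
            $clsid    = $entry.PSChildName
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $result   = New-Object PSObject -Property @{
                CLSID     = $clsid
                Name      = $null
                DllPath   = $null
                Signature = $null
                Status    = 'Unknown'
            }

            try {
                # Opening the CLSID key is the step that fails on a malformed key,
                # e.g. one whose name carries an embedded null; regedit reports
                # such keys as invalid and cannot delete them.
                $key = Get-Item -LiteralPath $clsidKey -ErrorAction Stop
                $result.Name = $key.GetValue('')

                $serverKey = "$clsidKey\InprocServer32"
                if (-not (Test-Path -LiteralPath $serverKey)) {
                    $result.Status = 'NoServerPath'
                } else {
                    $raw = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
                    $dll = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
                    $result.DllPath = $dll
                    if (-not $dll) {
                        $result.Status = 'NoServerPath'
                    } elseif (-not (Test-Path -LiteralPath $dll)) {
                        $result.Status = 'NoFile'      # what DDS prints as "No File"
                    } else {
                        $sig = Get-AuthenticodeSignature -FilePath $dll
                        $result.Signature = $sig.Status
                        $result.Status = if ($sig.Status -eq 'Valid') { 'Ok' } else { 'UnsignedOrBadSig' }
                    }
                }
            } catch [System.Management.Automation.ItemNotFoundException] {
                # BHO entry exists but HKCR\CLSID\{guid} does not: a dangling registration.
                $result.Status = 'OrphanedClsid'
            } catch {
                # Access denied or a key the registry provider cannot open at all.
                $result.Status = "Unreadable: $($_.Exception.Message)"
            }

            $result
        }
    }
}

# Anything other than 'Ok' deserves a look; 'NoFile' and 'Unreadable' match the
# two symptoms in this thread (the "No File" BHO and the undeletable CLSID key).
Get-BhoAudit | Sort-Object Status | Format-Table CLSID, Status, Name, DllPath -AutoSize
```

Back up the registry (ERUNT, as described above) before acting on any finding; the script only reads and never deletes.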

#6 mavado

mavado
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 26 March 2009 - 04:23 PM

Hello again.

I've followed all the steps you provided.
After running SWREG a notepad document was opened but this was EMPTY.
In the DOS box I noticed that there was a line of text saying that removal of the key failed.

You asked for the log of Combofix. Sorry, that is not on my computer.

--- MBAM log ---

Malwarebytes' Anti-Malware 1.34
Database versie: 1903
Windows 5.1.2600 Service Pack 3

2009-03-26 22:06:23
mbam-log-2009-03-26 (22-06-23).txt

Scan type: Snelle Scan
Objecten gescand: 68588
Verstreken tijd: 6 minute(s), 32 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 1
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

--- end MBAM log ---

And here is the new DDS log

--- DDS log ---

DDS (Ver_09-03-16.01) - NTFSx86
Run by Marcel at 22:16:44.64 on 2009-03-26
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.502.205 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Marcel\Mijn documenten\Virusbestrijding (GEEN SPEL - INDRA AFBLIJVEN)\DDS\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {3e8108a0-3b4d-486a-b513-e61ad3d9fc1e}: {e1cf9d3d-a16e-315b-a684-d4b30a8018e3}
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\marcel\menust~1\progra~1\opstar~1\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: NoSMBalloonTip = 1 (0x1)
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marcel\applic~1\mozilla\firefox\profiles\bj2cgnol.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-4 130424]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-28 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-28 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-28 107272]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-8 353680]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 298264]
R2 MarxDev1;MarxDev1;c:\windows\system32\drivers\MARXDEV1.SYS [2009-2-26 8864]
R2 MarxDev2;MarxDev2;c:\windows\system32\drivers\MARXDEV2.SYS [2009-2-26 8864]
R2 MarxDev3;MarxDev3;c:\windows\system32\drivers\MARXDEV3.SYS [2009-2-26 8864]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-17 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-4 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-3-4 1095560]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-03-08 18:51 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-03-08 18:51 <DIR> --d----- c:\program files\Zone Labs
2009-03-08 18:51 348,371 a------- c:\windows\system32\vsconfig.xml
2009-03-08 12:21 <DIR> a-dshr-- C:\cmdcons
2009-03-08 12:20 286,720 a------- c:\windows\swreg.exe
2009-03-08 12:20 161,792 a------- c:\windows\SWREG.exe.old
2009-03-08 12:20 98,816 a------- c:\windows\sed.exe
2009-03-08 12:19 <DIR> --d----- C:\ComboFix
2009-03-08 12:19 399,872 a------- c:\windows\system32\CF22814.exe
2009-03-08 12:13 399,872 a------- c:\windows\system32\CF20662.exe
2009-03-08 00:57 <DIR> --d----- c:\docume~1\marcel\applic~1\Malwarebytes
2009-03-08 00:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-08 00:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 00:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 00:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-07 15:17 64 a------- c:\windows\wininit.ini
2009-03-04 00:06 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-04 00:05 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-04 00:05 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-04 00:05 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-04 00:05 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-04 00:05 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-04 00:05 <DIR> --d----- c:\docume~1\marcel\applic~1\PC Tools
2009-03-04 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-03-03 20:34 <DIR> --dshr-- C:\RESTORE
2009-02-26 21:59 <DIR> --d----- c:\program files\BPM-Studio Profi

==================== Find3M ====================

2009-03-08 18:51 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-01 16:44 47,104 a------- c:\windows\system32\KMVIDC32.DLL
2009-02-09 15:08 1,846,912 a------- c:\windows\system32\win32k.sys
2009-01-27 18:21 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-27 18:21 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-27 18:21 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-10-02 15:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 22:18:05.43 ===============

--- end of DDS log ---

How's my computer running?
Other than the virus key that cannot be removed, it's running fine. I am worried that the virus might reappear, but no signs at this moment.

Was that the only problem I have?
Yes it is. No other problems in running my pc.

Thank you.
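
As an added example, not part of this thread and not DDS or BleepingComputer code: a small Python triage script for the BHO lines of a DDS "Pseudo HJT Report" like the one above. It flags entries that list no backing DLL, which is the pattern an orphaned Trojan.BHO registration leaves behind. The three line shapes and the verdict labels are my assumptions based on the lines shown in this log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# GUID in the braced form DDS prints for CLSIDs.
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Three line shapes appear in the report above (assumed to be the full set):
#   BHO: <friendly name>: <clsid> - <dll path>
#   BHO: <name or clsid>: <clsid>            (nothing after the CLSID)
#   BHO: <clsid> - No File                   (no name, target missing on disk)
BHO_LINE = re.compile(
    r"^BHO:\s*(?:(?P<name>.+?):\s*)?(?P<clsid>" + GUID + r")"
    r"(?:\s*-\s*(?P<target>.+?))?\s*$"
)

# Verdict labels are my own, not DDS terminology.
OK = "ok"
ORPHAN_NO_PATH = "orphaned: no file path listed"
ORPHAN_NO_FILE = "orphaned: listed as 'No File'"
SUSPICIOUS_TARGET = "suspicious: target is not a .dll"


@dataclass(frozen=True)
class BhoEntry:
    name: Optional[str]    # friendly name, or None when DDS printed none
    clsid: str             # CLSID, normalised to lower case
    target: Optional[str]  # DLL path, 'No File', or None when absent

    @property
    def verdict(self) -> str:
        if self.target is None:
            return ORPHAN_NO_PATH
        if self.target.strip().lower() == "no file":
            return ORPHAN_NO_FILE
        if not self.target.lower().endswith(".dll"):
            return SUSPICIOUS_TARGET
        return OK


def parse_bho_line(line: str) -> Optional[BhoEntry]:
    """Return a BhoEntry for a 'BHO:' line, or None for any other line."""
    m = BHO_LINE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    # DDS falls back to a bare CLSID where no friendly name is registered;
    # treat that as 'no name' so nobody mistakes it for a known product.
    if name is not None and re.fullmatch(GUID, name.strip()):
        name = None
    return BhoEntry(name=name, clsid=m.group("clsid").lower(), target=m.group("target"))


def triage_bho_section(report: str) -> List[BhoEntry]:
    """Parse every BHO line of a DDS report and return the entries in order."""
    entries = []
    for line in report.splitlines():
        entry = parse_bho_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def flagged(entries: List[BhoEntry]) -> List[BhoEntry]:
    """Entries a responder should look at: anything not backed by a real DLL."""
    return [e for e in entries if e.verdict != OK]


# BHO lines copied from the DDS report in this thread, plus one non-BHO line
# to show that the parser ignores the rest of the report.
SAMPLE_REPORT = """\
uStart Page = hxxp://www.google.nl/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll
BHO: {3e8108a0-3b4d-486a-b513-e61ad3d9fc1e}: {e1cf9d3d-a16e-315b-a684-d4b30a8018e3}
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\\program files\\java\\jre1.5.0_06\\bin\\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
"""

if __name__ == "__main__":
    for e in flagged(triage_bho_section(SAMPLE_REPORT)):
        print(f"{e.clsid}  {e.verdict}")
```

The two flagged CLSIDs are the ones a responder would check in HKEY_CLASSES_ROOT\CLSID and in the Browser Helper Objects key before deciding whether a leftover registration needs removing.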

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:11 AM

Posted 26 March 2009 - 04:32 PM

Hello.

Notepad was empty because I made a mistake on my part. I apologize. Let's try this again.

Download and Run Script with Swreg.exe
  • We need to execute a Batch File.
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word Code.
    swreg ACL "HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}" /OA
    swreg ACL "HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}" /P /GE:F
    swreg DELETE "HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}"
    pause 
    swreg NULL DELETE "HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}"
    pause
    cls
    Reg Export "HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}" C:\export.txt
    Notepad C:\export.txt
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Remove2.bat.
  • Hit OK.
When done properly, the icon should look like (image) for the .bat file.

Double click on Remove2.bat to run it. You may get a security warning, please select Run.

A black window will open and then a message like "press any key to continue..." will appear. Above it there should be some message; let me know the message that was in that window for each "press any key to continue...".

Then Notepad will open, post the contents of notepad in your next reply as well.

Note: If notepad was empty let me know.

I need to leave now, so I will look at this once I come back. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to (image link).

#8 mavado

mavado
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 26 March 2009 - 04:59 PM

Hello again, thanks for your quick reply!

I ran the new script and this is what happened.

The message in the line before "press any key to continue...":

Delete of 'hkey_classes_root\clsid\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}' failed

Then this message appeared

C:\Documents and Settings\Marcel\Bureaublad\swreg NULL DELETE "HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}"

Range check error

Then this line appeared
C:\Documents and Settings\Marcel\Bureaublad>Reg export "HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}"

Error: kan geen bestand maken dat al bestaat.
(translation: cannot create file that already exists).

Then notepad opened with export.txt
The contents of this file are the following:

--- contents of export.txt ---

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}]
@=""

--- end of file ---

Thank you

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:11 AM

Posted 26 March 2009 - 06:32 PM

Hello.

Let's use this tool below. Update your Java and also run an online scan.

Download and Run OTMoveIT3
  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the (image) icon on your desktop.
  • Paste the following code under the (image) area. Do not include the word "Code".
    :reg
    [-HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}]
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large (image) button.
  • Copy/Paste the contents under the (image) line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky WebScanner page.
  • Click on the (image) button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the (image) button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the (image) button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the (image) button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-OTMoveIT log
-Kaspersky log


That registry key may not be deleted so we will try something else next post :thumbup2:

With Regards,
Extremeboy

#10 mavado

mavado
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 29 March 2009 - 06:15 AM

Hello,

It took a while to do this, but here are the results.

Here is the OTmoveIT.log

--- OTMOVEIT---

========== REGISTRY ==========
Unable to delete registry key HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}\\ .
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Marcel\LOCALS~1\Temp\etilqs_LM2RKG70lL5fh8uB2FfJ scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Marcel\LOCALS~1\Temp\~DF8A45.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\ZLT00f5c.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03292009_001549

Files moved on Reboot...
File C:\DOCUME~1\Marcel\LOCALS~1\Temp\etilqs_LM2RKG70lL5fh8uB2FfJ not found!
C:\DOCUME~1\Marcel\LOCALS~1\Temp\~DF8A45.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\ZLT00f5c.TMP not found!
C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Marcel\Local Settings\Application Data\Mozilla\Firefox\Profiles\bj2cgnol.default\XUL.mfl moved successfully.

--- end OTMOVEIT log ---


And here is the log from Kaspersky

--- KASPERSKY LOG ---
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 29, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 29, 2009 08:28:44
Records in database: 1983491
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 57232
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:31:34

No malware has been detected. The scan area is clean.

The selected area was scanned.

--- END OF KASPERSKY LOG ---

I also scanned again with MBAM.

This is the result

--- MBAM log ---
Malwarebytes' Anti-Malware 1.35
Database versie: 1915
Windows 5.1.2600 Service Pack 3

2009-03-29 15:09:47
mbam-log-2009-03-29 (15-09-47).txt

Scan type: Snelle Scan
Objecten gescand: 69902
Verstreken tijd: 9 minute(s), 11 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

--- end of MBAM log ---

So this worked! Thank you very much; my pc is clean now :thumbup2:
Topic can be closed.

Again, thanks for your help.

Edited by mavado, 29 March 2009 - 08:13 AM.


#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:11 AM

Posted 29 March 2009 - 10:54 AM

Hello.

You're welcome :step5:

Let's give you my prevention tips. I will close this topic after that.


Please follow/read the steps below to remove the tools we used, purge a system restore and for some more information. :)

Download and Run OTCleanIt

We will now remove the tools we used during this fix.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Create a New System Restore Point <- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.


Congratulations! You now appear clean! :step1: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :step4:

With Regards,
Extremeboy


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:11 AM

Posted 29 March 2009 - 10:56 AM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help :thumbup2:
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy




