
YAY! Another Comp Infected with Trojan Dropper.Generic.BHHB


This topic is locked
2 replies to this topic

#1 DeaconF

  • Members
  • 1 posts

Posted 06 December 2009 - 11:39 PM

Hello,

I have recently been infected with Trojan Dropper.Generic.BHHB. My OS is Windows 7 Ultimate and my AV is AVG 9.0. I also use Spybot S&D. The symptoms are thus: use of an internet browser results in random hijackings that take me to rogue sites; and every 2-5 minutes AVG 9.0 catches a spawned file and banishes it to the virus vault. These spawn files are found in the Windows/Temp folder and are usually followed by .svchost in their names. I saw some people have luck with Combofix but apparently the Windows 7 build is still in beta and I can't use it. I am posting and uploading my DDS logs below. Strangely, I am unable to run RootRepeal. I am given the error FOPS-DeviceIoError! Error Code = 0xc0000024 Extended Info (0x000000f8). Anywho, here is my DDS log:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Logan at 23:14:38.47 on Sun 12/06/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1208 [GMT -5:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Logan\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ntlgjr] RUNDLL32.EXE c:\windows\system32\mslfxawr.dll,w
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: pxod13 - pxod13.dll
Notify: __c00E1A44 - c:\windows\system32\__c00E1A44.dat
AppInit_DLLs: avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\logan\appdata\roaming\mozilla\firefox\profiles\ejexx4hz.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-30 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-30 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-30 360584]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2009-11-20 18816]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-30 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-30 285392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-26 1153368]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-29 1021256]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S2 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-23 25832]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2009-12-04 21:35:50 7088 ------w- C:\bootsqm.dat
2009-12-03 21:05:56 30206 ----a-w- C:\siuhb.exe
2009-12-03 21:05:50 32256 ----a-w- c:\windows\system32\__c00E1A44.dat
2009-11-30 19:16:06 0 d--h--w- C:\$AVG
2009-11-30 19:16:05 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-30 19:16:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-30 19:16:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-30 19:16:00 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-30 19:15:59 0 d-----w- c:\programdata\AVG Security Toolbar
2009-11-30 19:15:47 0 d-----w- c:\program files\AVG
2009-11-30 19:15:46 0 d-----w- c:\programdata\avg9
2009-11-26 21:21:07 5136 ----a-w- c:\windows\system32\pxod13.dll
2009-11-26 21:15:39 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-26 21:15:39 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-26 18:19:14 53248 ----a-w- c:\windows\system32\caonima2.exe
2009-11-26 18:19:14 32768 ----a-w- c:\windows\system32\mslfxawr.dll
2009-11-25 08:00:24 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 02:28:19 0 d-----w- c:\windows\system32\directx
2009-11-23 18:52:33 0 d-----w- c:\programdata\BioWare
2009-11-23 18:40:00 0 d-----w- c:\windows\system32\AGEIA
2009-11-23 18:39:36 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-23 18:39:33 0 d-----w- c:\programdata\Media Center Programs
2009-11-23 18:22:56 0 d-----w- c:\program files\Dragon Age
2009-11-23 18:22:56 0 d-----w- c:\program files\common files\BioWare
2009-11-23 04:31:33 0 d-----w- c:\program files\Steam
2009-11-23 04:08:37 0 d-----w- c:\program files\common files\Steam
2009-11-20 07:29:10 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2009-11-20 07:02:00 0 d-----w- c:\program files\Sophos
2009-11-20 05:52:27 0 d-----w- c:\program files\Windows Imaging
2009-11-20 05:51:30 0 d-----w- c:\program files\Windows AIK
2009-11-19 04:00:36 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2009-11-19 04:00:35 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2009-11-19 04:00:35 21320 ----a-w- c:\windows\system32\authuitu.dll
2009-11-19 04:00:29 0 d-----w- c:\users\logan\appdata\roaming\TuneUp Software
2009-11-19 04:00:28 0 d-----w- c:\program files\TuneUp Utilities 2010
2009-11-19 04:00:13 0 d-----w- c:\programdata\TuneUp Software
2009-11-19 04:00:10 0 d-sh--w- c:\windows\Installer
2009-11-19 03:55:43 0 d-----w- c:\windows\Panther
2009-11-19 03:51:25 0 d-----w- C:\Windows.old
2009-11-19 01:33:58 0 d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2009-11-19 01:22:27 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-19 01:22:22 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-19 01:21:11 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-11-19 01:21:11 71168 ----a-w- c:\windows\system32\fontsub.dll
2009-11-19 01:21:11 507568 ----a-w- c:\windows\system32\winload.exe
2009-11-19 01:21:11 442920 ----a-w- c:\windows\system32\winresume.exe
2009-11-19 01:21:11 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-11-19 01:21:11 2613248 ----a-w- c:\windows\explorer.exe
2009-11-19 01:21:11 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-11-19 01:21:11 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-19 01:21:11 108544 ----a-w- c:\windows\system32\t2embed.dll
2009-11-19 01:20:56 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-11-19 01:15:11 3 ----a-w- C:\7Loader.TAG
2009-11-19 01:15:07 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-11-19 01:14:57 0 d-----w- c:\windows\system32\wbem\Performance
2009-11-19 01:14:01 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-19 01:11:23 171136 --sha-r- C:\grldr
2009-11-19 01:11:23 171136 ----a-w- C:\grldr.bak
2009-11-19 01:10:51 0 d-sh--w- C:\Recovery
2009-11-19 00:45:50 8192 --sha-r- C:\BOOTSECT.BAK
2009-11-19 00:45:46 383562 --sha-r- C:\bootmgr
2009-11-19 00:45:45 0 d-sh--w- C:\Boot

==================== Find3M ====================

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 23:15:44.50 ===============

Hmmm... now that I look at this, I'm not too sure my whole HD was scanned. I have it partitioned into 2 drives. The C drive holds my OS and some recent apps, while the D drive was my storage drive (upgrading to Windows 7 has kinda screwed my partitioning up). I'm not too sure the D drive was scanned, but I'm also unsure as to how to gain true access to it (I can browse it and listen to music, but all apps are unusable) so that it can be scanned.

Thanks for the future help. I know you guys are being hit by a LOT of requests on this one since it's so new, so I understand if it takes a bit to get to me.

Attached Files
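A helper reads a DDS report like the one above by eye; the Python below is an added example (not part of the original post, and not a BleepingComputer or DDS tool) showing one way to automate that first pass. It takes the "Pseudo HJT Report" autostart lines and the "Created Last 30" listing, both copied from the log above as constructed sample input, and flags entries that match a few heuristics: an autostart target whose file was created in the last 30 days, any Winlogon Notify package, a rundll32 entry with a one-letter export name, a hosts-file entry that points a hostname at the loopback address, and any AppInit_DLLs value. The heuristics and rule names are my assumptions for the example; each finding is a line to verify, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: autostart lines and recent-file lines copied from the
# DDS log in the post above. Real use would read the two sections from DDS.txt.
SAMPLE_HJT = r"""
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ntlgjr] RUNDLL32.EXE c:\windows\system32\mslfxawr.dll,w
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
Notify: pxod13 - pxod13.dll
Notify: __c00E1A44 - c:\windows\system32\__c00E1A44.dat
AppInit_DLLs: avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

SAMPLE_CREATED = r"""
2009-12-03 21:05:56 30206 ----a-w- C:\siuhb.exe
2009-12-03 21:05:50 32256 ----a-w- c:\windows\system32\__c00E1A44.dat
2009-11-30 19:16:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-26 21:21:07 5136 ----a-w- c:\windows\system32\pxod13.dll
2009-11-26 18:19:14 53248 ----a-w- c:\windows\system32\caonima2.exe
2009-11-26 18:19:14 32768 ----a-w- c:\windows\system32\mslfxawr.dll
"""

# "Created Last 30" line layout: date time size attributes path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")
# Entry kinds from the HJT-style section that this example looks at
ENTRY_RE = re.compile(r"^(?P<kind>[um]?Run|Notify|AppInit_DLLs|Hosts):\s*(?P<rest>.+)$")
# Last path component of any DLL/DAT/EXE/SYS reference (paths may contain spaces)
FILE_RE = re.compile(r"([\w~.\-]+\.(?:dll|dat|exe|sys))(?!\w)", re.IGNORECASE)
# rundll32 <dll>,<export> where the export name is a single character
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S.*?,\s*\w\s*$", re.IGNORECASE)


def recent_files(created_section):
    """Lower-cased basenames of every file listed in a 'Created Last 30' section."""
    names = set()
    for line in created_section.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            names.add(PureWindowsPath(m.group(1)).name.lower())
    return names


def triage(hjt_section, created_section):
    """Return (rule, line) findings for autostart entries worth a closer look.

    Heuristics (assumptions made for this example, not rules from DDS itself):
      recent-file        autostart target created within the last 30 days
      notify             any Winlogon Notify package
      one-letter-export  rundll32 launching a DLL via a one-character export
      hosts-loopback     hosts entry sending a hostname to 127.0.0.1
      appinit            non-empty AppInit_DLLs (loaded into every GUI process)
    """
    recent = recent_files(created_section)
    findings = []
    for raw in hjt_section.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "Hosts":
            if rest.split()[0] == "127.0.0.1":
                findings.append(("hosts-loopback", line))
            continue
        if kind == "AppInit_DLLs":
            findings.append(("appinit", line))
        if kind == "Notify":
            findings.append(("notify", line))
        if RUNDLL_RE.search(rest):
            findings.append(("one-letter-export", line))
        # Correlate the entry's file references with the recently created files
        if any(name.lower() in recent for name in FILE_RE.findall(rest)):
            findings.append(("recent-file", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_HJT, SAMPLE_CREATED):
        print(f"{rule:18} {line}")
```

On the sample, the Steam, TeaTimer and AVG tray Run entries produce nothing, while the rundll32 entry for mslfxawr.dll, both Notify packages and the hosts redirect are each flagged. The recent-file rule also hits avgrsstx.dll, which the log shows AVG installed on 2009-11-30; that is expected, and is why each finding is a prompt to check the file's publisher, signature and scan result rather than something to delete.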

#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 19 December 2009 - 08:51 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 24 December 2009 - 12:10 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy