
Trojan BHO.H


2 replies to this topic

#1 corb

corb

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:19 PM

Posted 25 July 2010 - 04:20 PM

A friend asked me to look at his computer which is running XP Home. Malwarebytes finds, but does not remove, 6 infections. They seem to center around HKEY_CLASSES_ROOT\CLSID\{8c556d49-494f-4e26-b0e2-4}. Some research on the net indicates that this is Trojan BHO.H??? Whatever it is, I have not been able to remove it. Help!

DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by Gray at 14:01:28.96 on Sun 07/25/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.144 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Gray\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {8c556d49-494f-4e26-b0e2-40684da6f84e} - c:\windows\system32\dplayu.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 ygctdeet;ygctdeet;c:\windows\system32\drivers\elaennjb.sys --> c:\windows\system32\drivers\elaennjb.sys [?]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-23 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-23 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-23 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-23 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-23 308136]
S0 Oqau54;Oqau54; [x]

=============== Created Last 30 ================

2010-07-24 22:04:47 0 d-sha-r- C:\cmdcons
2010-07-24 22:00:44 98816 ----a-w- c:\windows\sed.exe
2010-07-24 22:00:44 77312 ----a-w- c:\windows\MBR.exe
2010-07-24 22:00:44 256512 ----a-w- c:\windows\PEV.exe
2010-07-24 22:00:44 161792 ----a-w- c:\windows\SWREG.exe
2010-07-24 21:23:24 24576 ---ha-w- C:\SZKGFS.dat
2010-07-24 21:21:29 1968 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-24 21:19:00 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-24 21:17:47 0 d-----w- c:\program files\common files\iS3
2010-07-24 21:17:46 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-24 03:07:07 0 d-----w- c:\program files\FileASSASSIN
2010-07-24 02:17:17 0 d-----w- c:\docume~1\gray\applic~1\Malwarebytes
2010-07-24 02:17:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 02:17:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-24 02:17:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 02:17:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-23 22:08:43 0 d-----w- C:\$AVG
2010-07-23 22:06:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-23 22:06:21 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-23 22:06:11 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-23 22:05:38 0 d-----w- c:\windows\system32\drivers\Avg
2010-07-23 22:01:18 0 d-----w- c:\program files\AVG
2010-07-23 22:00:50 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-07-23 21:50:26 0 d-----w- c:\docume~1\gray\applic~1\WinPatrol
2010-07-23 21:50:10 0 d-----w- c:\program files\BillP Studios
2010-07-23 21:37:37 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-07-23 19:36:19 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-07-23 19:36:19 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-07-23 19:35:18 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-07-23 19:34:42 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-07-23 19:34:35 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-07-23 19:33:43 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-23 19:31:57 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-07-23 19:23:50 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-07-23 19:23:25 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-23 19:23:22 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-07-23 19:09:05 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2010-07-23 19:09:05 0 d-----w- c:\program files\Belarc
2010-07-22 03:10:28 417792 --s---r- c:\windows\system32\guard.tmp

==================== Find3M ====================

2010-07-24 20:21:10 28256 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2010-07-23 16:22:05 90112 ----a-w- c:\windows\DUMP46fb.tmp
2010-07-22 22:07:25 90112 ----a-w- c:\windows\DUMP35f4.tmp
2010-07-22 22:06:31 90112 ----a-w- c:\windows\DUMP34cb.tmp
2010-07-22 22:05:51 90112 ----a-w- c:\windows\DUMP33e2.tmp
2010-07-22 21:55:36 90112 ----a-w- c:\windows\DUMP35b6.tmp
2010-07-22 21:54:29 90112 ----a-w- c:\windows\DUMP3690.tmp
2010-07-22 21:50:50 90112 ----a-w- c:\windows\DUMP34ea.tmp
2010-07-22 21:43:53 90112 ----a-w- c:\windows\DUMP4d83.tmp
2010-07-21 22:37:11 90112 ----a-w- c:\windows\DUMP33e1.tmp
2010-07-21 22:25:16 90112 ----a-w- c:\windows\DUMP3519.tmp
2010-07-21 22:24:20 90112 ----a-w- c:\windows\DUMP343f.tmp
2010-07-21 22:12:55 90112 ----a-w- c:\windows\DUMP3596.tmp
2010-07-21 22:11:33 90112 ----a-w- c:\windows\DUMP48e0.tmp
2010-05-04 12:39:27 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

============= FINISH: 14:01:51.79 ===============


Thanks, corb.

#2 corb

corb
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:19 PM

Posted 31 July 2010 - 04:28 PM

A week ago a Malwarebytes scan indicated, but did not remove, 6 infected items, and identified them as Trojan BHO.H. Today I ran a program called SUPERAntiSpyware which found and removed 17 items including the 6 Malwarebytes ones. I suspect they were not actually removed, but quarantined. I no longer have the computer so it is a moot issue, but I am curious - is quarantine good enough? Thanks, corb.

#3 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:12:19 PM

Posted 03 August 2010 - 03:22 PM

hi,

QUOTE: "but I am curious - is quarantine good enough"


Files in quarantine can do no harm. In fact, you can delete or empty what's in quarantine.

How Can I Reduce My Risk to Malware?
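For readers wondering what "quarantine" actually does to a file, the following is an added example, not code from this thread or from Malwarebytes, SUPERAntiSpyware or AVG. It implements a minimal quarantine: the file is moved out of its original location, its bytes are XOR-encoded so the stored copy is no longer a loadable executable or DLL and no longer matches its own signature, the extension is changed, and a manifest records the origin and SHA-256 so the file can be restored intact if it turns out to be a false positive. Emptying quarantine is then simply deleting that directory. The single-byte XOR key, the .quar/.json layout and the constructed fake DLL are assumptions for this demo, not any product's on-disk format.

```python
"""A minimal file quarantine (added example; not code from Malwarebytes, SUPERAntiSpyware, AVG or this thread).

Demonstrates why a quarantined file can do no harm: it is moved out of its
original path, XOR-encoded so it is neither loadable nor signature-matching,
renamed, and described by a manifest that allows a verified restore. The key
and file layout are assumptions for illustration, not a real product's format.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

QUAR_KEY = 0xA5  # assumption: one fixed byte is enough to make the stored copy non-executable


def _encode(data: bytes) -> bytes:
    # XOR is its own inverse, so the same function restores the original bytes.
    return bytes(b ^ QUAR_KEY for b in data)


def quarantine_file(target: Path, quar_dir: Path) -> Path:
    """Move `target` into `quar_dir` as an encoded .quar file; return the manifest path."""
    data = target.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    quar_dir.mkdir(parents=True, exist_ok=True)
    stored = quar_dir / f"{digest}.quar"
    stored.write_bytes(_encode(data))
    manifest = stored.with_suffix(".json")
    manifest.write_text(json.dumps({
        "original_path": str(target),
        "sha256": digest,
        "size": len(data),
        "quarantined_at": time.time(),
    }))
    target.unlink()  # remove the original only after the encoded copy is safely on disk
    return manifest


def restore_file(manifest: Path) -> Path:
    """Decode the stored copy back to its original path, verifying the recorded hash first."""
    meta = json.loads(manifest.read_text())
    stored = manifest.with_suffix(".quar")
    data = _encode(stored.read_bytes())
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantined copy does not match its recorded hash")
    original = Path(meta["original_path"])
    original.write_bytes(data)
    stored.unlink()
    manifest.unlink()
    return original


def empty_quarantine(quar_dir: Path) -> None:
    """The 'delete what is in quarantine' step from the reply above."""
    shutil.rmtree(quar_dir, ignore_errors=True)


def demo() -> dict:
    """Round-trip a constructed fake DLL through quarantine and report what changed."""
    work = Path(tempfile.mkdtemp())
    fake_dll = work / "dplayu.dll"            # constructed stand-in, not the real file
    payload = b"MZ" + bytes(range(256)) * 4   # PE files start with 'MZ'; the rest is filler
    fake_dll.write_bytes(payload)
    manifest = quarantine_file(fake_dll, work / "quarantine")
    stored = manifest.with_suffix(".quar").read_bytes()
    result = {
        "original_gone_while_quarantined": not fake_dll.exists(),
        "stored_starts_with_mz": stored[:2] == b"MZ",
        "stored_size": len(stored),
    }
    restored = restore_file(manifest)
    result["restored_matches"] = restored.read_bytes() == payload
    empty_quarantine(work / "quarantine")
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the encoding step is that the stored copy no longer begins with the "MZ" header, so Windows will not load it and a later scan will not re-detect it by signature; the hash check on restore is what makes a false-positive recovery trustworthy.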




