Jump to content

knalty

Members
 View Profile  See their activity

  • Posts

    7

  • Joined

  • Last visited

 Content Type 

Posts posted by knalty

    vundo.h and BHO.Trojan twofer

    in Resolved Malware Removal Logs

    Posted

    Whoops, yes. It is gone. ComboFix took care of it, and just before I returned the computer Monday, I ran MBAM one last time. It reported no further infections on the computer, so I'm likely to believe that ComboFix took care of it.

    I would have posted the logs then, but *I* personally still don't trust the computer enough to enter my passwords in on it, even if it is to the MalwareByes forums, and I had forgotten to post once I got home on Monday. The thing had several keyloggers, and even though it might be "clean"... well, you know the rest.

    I can't seem to find the flash drive that I saved the logs to... might have left it at work. Sorry. =T

    vundo.h and BHO.Trojan twofer

    in Resolved Malware Removal Logs

    Posted

    Malwarebytes' Anti-Malware 1.37

    Database version: 2191

    Windows 5.1.2600 Service Pack 3

    5/28/2009 6:31:25 PM

    mbam-log-2009-05-28 (18-31-20).txt

    Scan type: Quick Scan

    Objects scanned: 107329

    Time elapsed: 16 minute(s), 47 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 2

    Registry Values Infected: 4

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 2

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fc796e6-43f3-43ee-b2f0-5cbdb1c1b48f} (Trojan.BHO.H) -> No action taken.

    HKEY_CLASSES_ROOT\CLSID\{5fc796e6-43f3-43ee-b2f0-5cbdb1c1b48f} (Trojan.BHO.H) -> No action taken.

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\WINDOWS\system32\bidisp.dll (Trojan.BHO.H) -> No action taken.

    c:\documents and settings\joe\local settings\temp\wmmahdks.dat (Rootkit.Agent) -> No action taken.

    vundo.h and BHO.Trojan twofer

    in Resolved Malware Removal Logs

    Posted

    Needed to make some money on the side, so I'm upgrading/cleaning a laptop for someone. After removing the RapidAntivirus that they thought was their real antivirus, and removing the traces of Norton still gunking up the system, and swapping out one of the 256 for a 512 so that the onboard video wasn't slowing the computer to a crawl, I come across these two.

    I'm told that BHO.Trojan is a particularly nasty bugger to get rid of. HJT first, Anti-Malware log coming as soon as it finishes scanning. (Rerunning to see if it clears up, since there was a new update since I started posting.)

    Note to self: No, starting a topic on the clean computer does not automatically allow you to post the logs from the infected one. Duh.

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 6:09:07 PM, on 5/28/2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    C:\PROGRA~1\AVG\AVG8\avgrsx.exe

    C:\PROGRA~1\AVG\AVG8\avgnsx.exe

    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    C:\Program Files\HP\QuickPlay\QPService.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\Microsoft IntelliPoint\ipoint.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE

    C:\PROGRA~1\AVG\AVG8\avgtray.exe

    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

    C:\Documents and Settings\Joe\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

    O2 - BHO: (no name) - {5FC796E6-43F3-43EE-B2F0-5CBDB1C1B48F} - C:\WINDOWS\system32\bidisp.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

    O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155575669406

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155575662953

    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

    O20 - AppInit_DLLs: C:\WINDOWS\System32\ftsrch32.dll

    O20 - Winlogon Notify: 13410791509 - C:\WINDOWS\System32\ftsrch32.dll (file missing)

    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe

    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Joe/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg

    --

    End of file - 6745 bytes

    vundo.h and BHO.Trojan twofer

    in Resolved Malware Removal Logs

    Posted

    Needed to make some money on the side, so I'm upgrading/cleaning a laptop for someone. After removing the RapidAntivirus that they thought was their real antivirus, and removing the traces of Norton still gunking up the system, and swapping out one of the 256 for a 512 so that the onboard video wasn't slowing the computer to a crawl, I come across these two.

    I'm told that BHO.Trojan is a particularly nasty bugger to get rid of. HJT first, Anti-Malware log coming as soon as it finishes scanning. (Rerunning to see if it clears up, since there was a new update since I started posting.)

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.