Trojan.bho & hkey_local_machine files


Recommended Posts

Hello.

It seems I have been infected with the .bho virus and I'd like to get rid of it. The Malware sweeper will remove it but it seems to be permanently located in the registry keys. It will pop up on every reboot - even when not connected to the internet. When it's cleaned out, I will usually get a buffer overload from McAfee that will stop the internet. Any help would be appreciated.

Here is the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:57:24 PM, on 3/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab

O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u1...=javadl.sun.com

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Filter hijack: text/html - {acf251a4-6ac3-402f-a7ca-a452e4a0b6aa} - C:\WINDOWS\system32\mst123.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 10309 bytes

Thanks! Here is my latest scan after I upgraded the anti-malware.

Malwarebytes' Anti-Malware 1.34

Database version: 1838

Windows 5.1.2600 Service Pack 3

3/11/2009 9:11:32 PM

mbam-log-2009-03-11 (21-11-30).txt

Scan type: Quick Scan

Objects scanned: 125787

Time elapsed: 14 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Common\helper.sig (Trojan.Agent) -> No action taken.

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.

Thanks! That was cool to watch.

Here is the report. Am I bug free yet?

ComboFix 09-03-13.01 - Robert 2009-03-13 20:42:09.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1379 [GMT -5:00]

Running from: c:\documents and settings\Robert.DEANCO-CY0UBQPI\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\program files\Common\helper.sig

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com

.

((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))

.

2009-03-11 19:44 . 2009-03-11 19:44 <DIR> d-------- c:\program files\Trend Micro

2009-03-08 14:07 . 2009-03-08 14:07 <DIR> d-------- c:\program files\Microsoft

2009-03-08 14:05 . 2009-03-08 14:05 <DIR> d-------- c:\windows\Sun

2009-03-08 14:05 . 2009-03-08 14:04 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll

2009-03-08 14:05 . 2009-03-08 14:04 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl

2009-03-08 14:04 . 2009-03-08 14:04 <DIR> d-------- c:\program files\Java

2009-03-07 22:42 . 2009-03-13 19:28 17,441 --a------ c:\windows\SYSTEM32\Config.MPF

2009-03-07 22:39 . 2008-10-23 14:08 120,136 --a------ c:\windows\SYSTEM32\DRIVERS\Mpfp.sys

2009-03-07 22:39 . 2009-01-09 13:03 79,304 --a------ c:\windows\SYSTEM32\DRIVERS\mfeavfk.sys

2009-03-07 22:39 . 2009-01-09 13:03 40,552 --a------ c:\windows\SYSTEM32\DRIVERS\mfesmfk.sys

2009-03-07 22:39 . 2009-01-09 13:03 35,272 --a------ c:\windows\SYSTEM32\DRIVERS\mfebopk.sys

2009-03-07 22:38 . 2009-03-07 22:39 <DIR> d-------- c:\program files\Common Files\McAfee

2009-03-07 22:16 . 2009-01-09 13:03 34,216 --a------ c:\windows\SYSTEM32\DRIVERS\mferkdk.sys

2009-03-06 23:29 . 2008-12-11 09:38 159,600 --a------ c:\windows\SYSTEM32\DRIVERS\pctgntdi.sys

2009-03-06 23:28 . 2009-03-06 23:32 <DIR> d-------- c:\program files\Common Files\PC Tools

2009-03-06 23:28 . 2009-02-23 11:11 130,424 --a------ c:\windows\SYSTEM32\DRIVERS\PCTCore.sys

2009-03-06 23:28 . 2008-12-18 13:16 73,840 --a------ c:\windows\SYSTEM32\DRIVERS\PCTAppEvent.sys

2009-03-06 23:28 . 2008-12-10 13:36 64,392 --a------ c:\windows\SYSTEM32\DRIVERS\pctplsg.sys

2009-03-06 23:05 . 2009-03-06 23:05 108 --a------ c:\windows\SYSTEM32\ikhcore.cfg

2009-02-24 21:48 . 2009-02-24 21:48 207,943 --a------ C:\Marathon stainless steel bracelet HELP!! - The Military Watch Resource - Community Fora.mht

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-14 01:42 --------- d-----w c:\program files\Common

2009-03-12 23:49 --------- d-----w c:\documents and settings\LocalService.NT AUTHORITY.002\Application Data\SACore

2009-03-10 01:58 --------- d-----w c:\program files\McAfee

2009-03-10 01:56 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2009-03-10 01:53 --------- d-----w c:\program files\Spyware Doctor

2009-03-09 00:09 --------- d-----w c:\program files\Enigma Software Group

2009-03-08 21:46 --------- d-----w c:\program files\ItsDeductible2005

2009-03-08 19:35 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-08 19:31 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-03-08 04:48 --------- d-----w c:\program files\SpywareBlaster

2009-03-08 04:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-08 03:42 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\McAfee

2009-03-08 03:38 --------- d-----w c:\program files\McAfee.com

2009-03-07 03:36 --------- d-----w c:\documents and settings\Robert.DEANCO-CY0UBQPI\Application Data\McAfee

2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys

2009-01-23 02:06 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0

2009-01-23 02:03 --------- d-----w c:\program files\Common Files\Intuit

2009-01-23 02:03 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Intuit

2009-01-23 02:01 --------- d-----w c:\program files\TurboTax

2008-12-20 23:15 826,368 ----a-w c:\windows\SYSTEM32\wininet.dll

2007-02-25 02:57 64,432 ----a-w c:\documents and settings\Robert.DEANCO-CY0UBQPI\Application Data\GDIPFONTCACHEV1.DAT

2006-07-23 13:38 99,072 ----a-w c:\program files\MF

2008-10-01 01:56 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008093020081001\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SB Audigy 2 Startup Menu"="/L:ENG" [X]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-30 1829712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-20 315392]

"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]

"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]

"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\SYSTEM32\CtHelper.exe]

"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 c:\windows\SYSTEM32\Ctxfihlp.exe]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\NeverwinterNights\\NWN\\nwmain.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [2009-03-06 130424]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-07 206096]

R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-08-16 348752]

.

Contents of the 'Scheduled Tasks' folder

2009-03-08 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

2009-03-08 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

2005-05-31 c:\windows\Tasks\XoftSpy.job

- c:\program files\XoftSpy\XoftSpy.exe [2006-05-09 17:23]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = www.google.com

uDefault_Search_URL = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/

mSearch Bar = hxxp://www.google.com/

mSearchMigratedDefaultURL = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = wmplayer.exe

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

mSearchURL = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-13 20:45:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-412668190-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:d0,94,44,c0,80,65,16,3c,6b,ab,c5,bd,6a,e1,f3,4f,2d,bb,91,82,2f,45,83,

37,4c,18,1c,0e,ce,0d,f0,36,45,ec,ab,8e,68,82,fd,63,c6,92,92,38,d0,1d,74,06,\

"??"=hex:31,b8,bc,13,5a,55,e3,ef,16,6b,fb,d3,25,4f,5b,cc

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}*]

"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,bf,fb,12,

37,9c,d7,a4,a7,f7,42,ba,b9,01,be,e2,e3,ea,d2,02,ad,f2,ab,2d,3c,8c,11,dc,41,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]

"3Q5CZAUWPALGGK4BAVY5LNWISA1"=hex:01,00,01,00,00,00,00,00,ea,4f,a2,f2,4e,ab,07,

75,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\XP*]

"DisplayName"="?\13?\13"

"DeviceDesc"="?\13?\13"

"ProviderName"=""

"MFG"="???\\"

"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"

"DeviceInstanceIds"=multi:"xp_inf\\cx_08883.inf\00"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2009-03-13 20:47:51

ComboFix-quarantined-files.txt 2009-03-14 01:47:48

Pre-Run: 68,369,514,496 bytes free

Post-Run: 68,625,616,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

197 --- E O F --- 2009-03-12 01:23:20

Thanks for your help! I think the bug is dead.

I removed combofix today and did a rescan. The anti-malware program keeps finding the bho.trojan in two spots...HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE\. However, if you tell anti-malware to remove it I don't get an internet explorer buffer overload anymore. Is that what it's supposed to do? If not, that's good enough for me as my machine runs.

Hello! I updated Malwarebytes and this is what I have now after a quick scan.

Malwarebytes' Anti-Malware 1.34

Database version: 1853

Windows 5.1.2600 Service Pack 3

3/15/2009 6:58:52 PM

mbam-log-2009-03-15 (18-58-52).txt

Scan type: Quick Scan

Objects scanned: 121864

Time elapsed: 16 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{acf251a4-6ac3-402f-a7ca-a452e4a0b6aa} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\mst123.dll (Trojan.Agent) -> Quarantined and deleted successfully.
