Jump to content

Trojan.BHO registry key, can't remove


Recommended Posts

I've learned so much here and never had to post as I've always figured it out from here.

However, I'm having issues deleting some nasties today. I'm not a pro, so please bear with me.

Started as a Vundo trojan it seems... I've seen so many things pop up and get removed in the last few days, I'm losing track.

I'm running:

Spybot

Winpatrol

Kaspersky antivirus (was running NOD32 when infected) Decided to change over.

Superantispyware Pro (paid lifetime)

Malwarebytes' free version

I've ran Icesword and see no obvious hidden processes

Combofix, vundofix isn't showing anything at all

But, both Malwarebytes and SUPERAntispyware are finding things tho. Both want to be rebooted to fix issue, neither fix the issue upon reboot though.

Any ideas?

Thank you very much for you time and consideration. This forum is amazingly helpful.

________________________________________________________________

Malwarebytes' Anti-Malware 1.31

Database version: 1515

Windows 5.1.2600 Service Pack 3

12/18/2008 2:49:08 PM

mbam-log-2008-12-18 (14-49-08).txt

Scan type: Full Scan (C:\|)

Objects scanned: 108299

Time elapsed: 20 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

__________________________________________________________________

SUPERAntispyware is finding what it "was" calling "Adware.vundo variant. Now, today it is calling it:

Unclassified.Unknown origin

Link to post
Share on other sites

Thank you sir! Here you go...

Much appreciation for your time sir.

Hmmm... Suddenly PsExec has been asking permission to run... That's new.... Interesting?

__________________________________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:40:38 PM, on 12/18/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\system32\hphmon03.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\HPHipm09.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Microsoft Hardware\Mouse\POINT32.EXE

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Admin\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 10276 bytes

________________________________________________________________________________

________________

Malwarebytes' Anti-Malware 1.31

Database version: 1519

Windows 5.1.2600 Service Pack 3

12/18/2008 11:03:02 PM

mbam-log-2008-12-18 (23-02-56).txt

Scan type: Full Scan (C:\|)

Objects scanned: 96250

Time elapsed: 19 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

__________________________________________________________________________

Thanks again :)

Link to post
Share on other sites

Ok... Ran with MBAM with teatimer unchecked, so I think that I disabledit, still had the key there afterwards.

I uninstalled Spyboty... I don't see teatimer now at all and ran MWAB, still seeing key...

Running SUPERAntispywarel, I still seeing 4 registry issues and 1 File item listed "Unclassified.Unknown Origon. However if I run SAS in Safe mode, it recognizes this as Adware.Vundo Variant...

I also notice that add remove programs now looks different with less programs than before and many programs icons are generic... Wow... This is interesting...

Thank you :)

Link to post
Share on other sites

  • Staff

{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} <- this is without question the CLSID of the new vundo , I see it hundreds of times a day .

The new vundo will do one of two things . One , use pending file rename to take a backup and bring it to life on reboot or two , use LSA load points to hide from HijackThis .

Now here is the problem , you HJT log does not show the empty load points filled by pending file rename on reboot and your LSA keys are MS install standard (no malware added) .

I am out of malware type ideas (for now) and think this might actually be an OS problem .

I need to know what happens to that key if you tell MBAM to remove it . Does MBAM say its gone or does it say that its stuck and needs to be removed on reboot ?

Link to post
Share on other sites

Well, it does say that it has to be rebooted to remove the issue. The log you saw was before I clicked remove, and atthat point the log will indicate "remove upon reboot"

Operating system problem? For back ground, it's been up since early october, running well. About amonth ago, I had gottten some antivirus 2009 thing, and was able to remove, it ran well till a couple days ago, when a pop up asked for permission on a site, and I thought it was an incoming IM from the site, nothing happened, then later this all started. I probably Ok'd it. :)

Thank you for your tine looking this over, I do apreciate it.

If you wish to take it to another day for further thoughts, that would be fine, I don't wish to keep you so late.

Link to post
Share on other sites

Scan completed succesfully, no malicious items were detected! Yay! Hope SAS will agree with this as well, havent ran that.

:) You're amazing! Awesome!

I probably wouldn't understand it, but I am certainly wondering what you did/found!

Minimally, what to do to prevent me managing to do this again? haha. I run Winpatrol, Spybot, Superantispyware, Kaspersky, and I guess I should get the real time MBAM?

On a side note, seeing that my Control panel add/remove programs is looking VERY different (icons are most all generic, and many programs are MIA) than it did a couple days ago, think a system restore would be a bad idea? And thouhts?

Nonetheless, I seriously have to thank you very much. I'm just amazed. :)

I genuinely and SERIOUSLY appreciate you taking time with me and thank you for your consideration in dealing with this for me. Thank you very much.

Link to post
Share on other sites

  • Staff

Glad to hear it :)

I probably wouldn't understand it, but I am certainly wondering what you did/found!

The file subinacl is a MS file that allows the changing of permissions of files and reg keys . The second file was a script I wrote to correct all possible permission problems on that key , all of its sub keys and then delete that key tree .

SAS was seeing that key and the keys under it but for the exact same reason was unable to delete it . Both MBAM and SAS have permission correction but this one must have had some odd new variation neither of us have seen before .

On a side note, seeing that my Control panel add/remove programs is looking VERY different (icons are most all generic, and many programs are MIA) than it did a couple days ago, think a system restore would be a bad idea? And thouhts?

This is completely unrelated to this and system restore will undo all of what we just did .

I am working on a fix for this .

Link to post
Share on other sites

I see. Logical. Not that I'd understand how you deduced and dealt with it :) Hehe...

Of course "I" would find some odd new variation neither of you have seen before, that's umm, sort of special. :) SAS scan came back clean as well :) Very nice.

Again, thank you so much for your trouble in solving this. Saved me minimally about 5-8 hours of re-installing and customizing...

As for the add/remove thing, the newer programs installed the last day or so, seem normal in it. It's older software that's gone, or looking odd. You might find a fix for that? That's impressive. I'll keep an eye out here.

Kindest regards man, thanks!

John

Link to post
Share on other sites

  • Staff

Download and unzip the attached file .

Run cp_fix first and reboot . Now run TweakUiPowertoySetup . Once installed find "Powertoys for Windows XP/TweakUI.exe" in your start menu and run it .

You want to run the repair option , make sure that "Rebuild Icons" is selected and then click "Repair Now" .

Reboot and check your control panel again .

cp_fix.zip

cp_fix.zip

Link to post
Share on other sites

Done.

Didn't seem to affect the add/remove window issues. Although elsewhere, a couple icons did reapear.

Add/remove programs is just missing most of the programs that were there before this all started (excel, word, office, etc). Some older programs that "are" still there just have a generic icon and "Last used" remarks and "size" remarks are MIA on most stuff.

Particularly interesting is that it seems to have broken a several adobe products down to a bunch of smaller sections that were never displayed before! haha.. Adobe Fonts, Type supports etc

Always something huh? Not particularly worried about it. Just happy to have the other stuff resolved. :)

The system seems otherwise fine and stable. Much joy.

Thanks again!

Link to post
Share on other sites

  • Staff

What did not make it back from that might have serious registry issues as in half installed .

If any of them can be reinstalled I would do the uninstall/reinstall trick , it fixes a surprising number of problems .

It is good to see that we have the rest of this sorted , it was fun to do some IT like work for a change like the old days . Most of my time is spent kicking malware butt nowadays .

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.