Author Topic: Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"  (Read 9383 times)


SiberLynx

  • SCF Member
  • **
  • Posts: 13
  • KARMA: 1
Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"
« on: 09. September 2007., 10:40:52 »
Hi Guys,
Please correct me if I'm posting to the wrong place – it's the first time I'm visiting this forum. Thanks.
{XP Pro, SP2
Latest versions of Comodo (Firewall Pro, BOClean, Memory Guardian, Verification Engine)
AVG 7.5 free Antivirus and Antispyware
Spybot S&D and TeaTimer
a-squared free antimalware
SuperAntiSpyware
}

System is working fine.
Today I was looking at the registry to check the permission settings for HKEY_CURRENT_USER, HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE
and accidentally found some strange entries (see 1 and 2).
I am submitting just an extract (the top part) of the export. Please tell me if I need to post the whole exports.
I have a current HijackThis report, but I'm not sure if it is appropriate to send it now. I can submit it if necessary.
After these surprising findings I rescanned my box with numerous current off-line scanners I have here and with the on-line Kaspersky and Panda scanners. Nothing suspicious was found.
I performed a full registry search for "üÁ®" and "Trojan horse BackDoor.Ircbot.BBO" using RegScanner 1.51 (NirSoft) and RegSeeker 1.55. Only those 2 entries were found.
Any ideas what those "spooky" reg entries are?
Thanks in advance for your time and advice.
   
1)
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER]
"üÁ®"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,04,00,00,00,19,00,00,00,b0,02,00,00,68,01,00,00
"Trojan horse BackDoor.Ircbot.BBO"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,04,00,00,00,19,00,00,00,b0,02,\
  00,00,68,01,00,00

2)
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-507921405-113007714-839522115-1003]
"üÁ®"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,04,00,00,00,19,00,00,00,b0,02,00,00,68,01,00,00
"Trojan horse BackDoor.Ircbot.BBO"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,04,00,00,00,19,00,00,00,b0,02,\
  00,00,68,01,00,00
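The two exports show the same pair of values because HKEY_CURRENT_USER is a view of HKEY_USERS\<your SID>: it is one pair of values seen through two paths, not two separate pairs. As an added example (not code from the thread), the script below parses the hex: values out of the export, confirms that both values hold identical bytes, and reads the 44-byte blob against the layout of the Win32 WINDOWPLACEMENT structure: the first DWORD is 0x2c = 44, the blob's own size, showCmd is 1 (SW_SHOWNORMAL), the two POINTs are (-1, -1) and the RECT is (4, 25, 688, 360). Treating the blob as a saved window position stored under a value named after a window caption is an interpretation, not something the thread establishes; what the script shows is only that the bytes fit that layout and are 44 bytes of numeric fields.

```python
"""Decode the REG_BINARY values from the .reg export quoted above.

Added example, not code from the thread: it parses the hex: values of a
Regedit 5.00 export, checks whether the two oddly named values hold the same
bytes, and tries to read the 44-byte blob as a Win32 WINDOWPLACEMENT structure.
Reading the blob as WINDOWPLACEMENT is an assumption about what wrote it; the
structure layout itself (length, flags, showCmd, two POINTs, one RECT) is the
documented one.
"""
import re
import struct

# Export text copied from item 1 of the post, trimmed to the two values.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER]
"üÁ®"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,04,00,00,00,19,00,00,00,b0,02,00,00,68,01,00,00
"Trojan horse BackDoor.Ircbot.BBO"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,04,00,00,00,19,00,00,00,b0,02,\
  00,00,68,01,00,00
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
HEX_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F,]*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: bytes}} for the hex: (REG_BINARY) values."""
    # A trailing backslash continues the value on the next (indented) line.
    joined = re.sub(r'\\\r?\n\s*', '', text)
    keys = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = HEX_VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace('\\"', '"').replace('\\\\', '\\')
            keys[current][name] = bytes(int(b, 16) for b in m.group(2).split(',') if b)
    return keys


# WINDOWPLACEMENT: UINT length, UINT flags, UINT showCmd,
# POINT ptMinPosition, POINT ptMaxPosition, RECT rcNormalPosition (all LONG).
WINDOWPLACEMENT = struct.Struct('<3I8i')


def decode_windowplacement(blob):
    """Return the fields if blob has the size and length of a WINDOWPLACEMENT, else None."""
    if len(blob) != WINDOWPLACEMENT.size:
        return None
    length, flags, show_cmd, *rest = WINDOWPLACEMENT.unpack(blob)
    if length != WINDOWPLACEMENT.size:
        return None  # the leading DWORD must be the structure's own size
    return {
        'flags': flags,
        'show_cmd': show_cmd,             # 1 == SW_SHOWNORMAL
        'min_position': (rest[0], rest[1]),
        'max_position': (rest[2], rest[3]),
        'normal_rect': tuple(rest[4:8]),  # left, top, right, bottom
    }


def same_blob(values):
    """True when every value under a key holds identical bytes."""
    blobs = list(values.values())
    return all(b == blobs[0] for b in blobs)


if __name__ == '__main__':
    for key, values in parse_reg_export(REG_EXPORT).items():
        print(key, 'identical values:', same_blob(values))
        for name, blob in values.items():
            print(f'  {name!r}: {len(blob)} bytes ->', decode_windowplacement(blob))
```

To run it on a file you exported yourself, read it with `open(path, encoding='utf-16')`: Regedit 5.00 writes exports as UTF-16LE with a byte-order mark, which is also why a value name like "üÁ®" survives the round trip at all.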


Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"
« Reply #1 on: 09. September 2007., 11:29:01 »
Hi SiberLynx and Welcome to the SCF Community!

We are here to help you and will do our best to resolve this problem.

To resolve this we will need more information from your system, provided by HijackThis.

Please provide us that log here; it's important to turn off all possible programs before running HJT.

After that we will have a lot of helpful information from your PC about that problem.

I'll be here and wait for your answer (HJT log).

Samker

SiberLynx

  • SCF Member
  • **
  • Posts: 13
  • KARMA: 1
Re: Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"
« Reply #2 on: 09. September 2007., 12:12:12 »
Hi Samker,
Thanks a lot for the reply.
The report I've mentioned is ready to be posted.
At the same time I want to be sure so I don't create some unneeded obstacles.
So "it's important to before running HJT turn of all possible programs"
Only the mentioned security residents were running while creating my report.
Do you need me to disconnect, shut them down and recreate the report?
Regards

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"
« Reply #3 on: 09. September 2007., 12:33:40 »
> Hi Samker,
> Thanks a lot for the reply.
> The report I've mentioned is ready to be posted.
> At the same time I want to be sure so I don't create some unneeded obstacles.
> So "it's important to before running HJT turn of all possible programs"
> Only the mentioned security residents were running while creating my report.
> Do you need me to disconnect, shut them down and recreate the report?
> Regards

No, just turn off programs like players, messengers etc. (also turn off Spybot, SuperAnti ...)


Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"
« Reply #4 on: 09. September 2007., 13:14:11 »
>> Hi Samker,
>> Thanks a lot for the reply.
>> The report I've mentioned is ready to be posted.
>> At the same time I want to be sure so I don't create some unneeded obstacles.
>> So "it's important to before running HJT turn of all possible programs"
>> Only the mentioned security residents were running while creating my report.
>> Do you need me to disconnect, shut them down and recreate the report?
>> Regards
>
> No, just turn off programs like players, messengers etc. (also turn off Spybot, SuperAnti ...)

Did you understand the last instruction?

Just restart the PC, and after that close startup programs like Skype, Yahoo Messenger etc.

Run HijackThis and provide us your log here.

That's all.

SiberLynx

  • SCF Member
  • **
  • Posts: 13
  • KARMA: 1
Re: Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"
« Reply #5 on: 09. September 2007., 13:35:54 »
Samker,
This is the one with the Spybot TeaTimer resident shut down.
I did understand, but I was kinda in the shower, which takes some time ;D Sorry...
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:27 PM, on 9/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\ABBYY Lingvo 12\Lvagent.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\COMODO\Memory Guardian\cmg.exe
C:\Program Files\Comodo\VEngine\VEngine.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\COMODO\Memory Guardian\cmgs32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\ABBYY Lingvo 12\Lingvo.exe
D:\ProgCore\SysUtils\hijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = It's better to use FireFox :-)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Comodo VerificationEngine Browser Helper - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\ESigil.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 12\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [Comodo Memory Guardian] "C:\Program Files\COMODO\Memory Guardian\cmg.exe"
O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
O8 - Extra context menu item: Translate with ABBYY &Lingvo... - res://C:\Program Files\ABBYY Lingvo 12\Lingvo.exe/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187997598046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - D:\ProgCore\SysUtils\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Memory Guardian injector 32bit - Unknown owner - C:\Program Files\COMODO\Memory Guardian\cmgs32.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8399 bytes
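Reading an HJT log by hand means going through the autostart (O4), ActiveX download (O16), Winlogon Notify (O20) and service (O23) lines first. As an added example, not HijackThis code and not from the thread, the script below does that pass over a handful of lines copied from the log above: it flags O16 entries with no download URL (several such entries appear in the posted log), every O20 DLL for publisher verification, O23 services listed as "Unknown owner", and any O4 image outside the roots where this install keeps its programs (that root list is an assumption about an English XP install, not something HijackThis defines).

```python
"""Triage pass over HijackThis (HJT) log lines.

Added example, not HijackThis code and not from the thread: it parses the
O4 (autostart), O16 (DPF/ActiveX download), O20 (Winlogon Notify) and O23
(service) line types and flags what an analyst reads first. The sample lines
are copied from the log posted above, trimmed to a handful; STANDARD_ROOTS is
an assumption suited to an English XP install.
"""
import re

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - Startup: AutorunsDisabled
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - D:\ProgCore\SysUtils\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Comodo Memory Guardian injector 32bit - Unknown owner - C:\Program Files\COMODO\Memory Guardian\cmgs32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

LINE_RE = re.compile(r'^(O\d+) - (.*)$')
O4_RE = re.compile(r'^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>.*?)\))? - ?(?P<url>.*)$')
O20_RE = re.compile(r'^Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$')
O23_RE = re.compile(r'^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')

# Directories an autostart image is expected to live under on this install (assumption).
STANDARD_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')


def parse_hjt(text):
    """Return (type, body) pairs for every 'Onn - ...' line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def command_image(cmd):
    """Pull the executable path out of an O4 command line (quoted or bare)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd
    m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ')[0]


def triage(text):
    """Return findings as {'kind', 'reason', 'detail'} dicts, in log order."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == 'O4':
            m = O4_RE.match(body)
            if m:
                image = command_image(m.group('cmd'))
                if not image.lower().startswith(STANDARD_ROOTS):
                    findings.append({'kind': kind, 'reason': 'autostart image outside standard roots',
                                     'detail': image})
        elif kind == 'O16':
            m = O16_RE.match(body)
            if m and not m.group('url').strip():
                findings.append({'kind': kind, 'reason': 'DPF entry with no download URL',
                                 'detail': m.group('clsid')})
        elif kind == 'O20':
            m = O20_RE.match(body)
            if m:  # anything loaded by winlogon deserves a publisher check
                findings.append({'kind': kind, 'reason': 'Winlogon Notify DLL: verify publisher and path',
                                 'detail': m.group('path')})
        elif kind == 'O23':
            m = O23_RE.match(body)
            if m and m.group('owner') == 'Unknown owner':
                findings.append({'kind': kind, 'reason': 'service binary without a known publisher',
                                 'detail': m.group('path')})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']}: {f['reason']} -> {f['detail']}")
```

A finding here is a place to look, not a verdict: on the posted log the "Unknown owner" service and the D:\ Winlogon DLL both belong to security tools the poster installed, which is exactly the kind of thing a reviewer confirms by checking the file's publisher before moving on.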

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"
« Reply #6 on: 09. September 2007., 13:42:32 »
Ok Siber  :D

We will now analyze this log (in the next few hours) and provide you the next instruction.

In the meantime, where are you from?

SiberLynx

  • SCF Member
  • **
  • Posts: 13
  • KARMA: 1
Re: Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"
« Reply #7 on: 09. September 2007., 14:11:20 »
Originally or where I am sitting now?
My mic is switched off, so how could you possibly hear an accent?  ::) Damn!
Originally - from Ukraine
Presently - in Australia
...in between... as far as I remember the aircraft landed in Dubai and then in Singapore ;D
Ok, I am clean after taking a shower. I hope my comp is clean too and will not require a lot of sprinkling.
Cheers

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"
« Reply #8 on: 09. September 2007., 16:07:04 »
It looks like your PC is also clean.  ;D

Probably this registry log is from the past; did you have some "infection" in the past?  ??? That would be one of the possible reasons for this.

Anyway, since you don't have any problems with your PC and you also made an on-line scan with Kaspersky AV which is (as you said) clean, now we are going to check & fix your registry.

Please download & install the Trial version of TuneUp Utilities 2007 http://www.tune-up.com/

After that start TuneUp and go to the Clean & Repair section: 1. run TuneUp Disc Cleaner, 2. run TuneUp Registry Cleaner.

Finally, provide us here details of what they find & fix.


SiberLynx

  • SCF Member
  • **
  • Posts: 13
  • KARMA: 1
Re: Strange registry entries "Trojan horse BackDoor.Ircbot.BBO"
« Reply #9 on: 09. September 2007., 16:40:52 »
Samker,
Thanks. I was almost sure that the HJT report is OK.
I need to restart my computer and will be back in a few minutes.
Funny thing: I looked in the registry now
and HKEY_USERS does not have those values at the main node ??? They are gone!
===
Windows Registry Editor Version 5.00

[HKEY_USERS]
===
It has a correct entry: (Default) REG_SZ (value not set)
which, as I understand, should look the same in HKEY_CURRENT_USER.
The latter still has those two bloody additional entries.
Shouldn't I just remove them, or do you think I need to run TuneUp anyway?
Thanks
BRB


 
