Win32:BHO-KD--cant figure out past post
mike1wings:
Hey, just FYI: ComboFix repaired my Win:BHO-KD(trj). Thanks. The file that was infected, C:\Windows\system32\fdeplo.dll (upx), is gone. I must have tried to repair, clean, and eradicate this trojan for over 12 hours during the last 3 days.
padownload:
Thanks for offering your help. Here's my new Combofix log and HJT Log.
padownload:
continuation...
my HJT Log...