Author Topic: HELP ME REMOVE WIN32:BHD-KD[TRJ] (Read 10369 times)

siyete · « **on:** January 11, 2008, 12:03:19 PM »

File Name: c:\windows\system32\dciman3.dll\[UPX]
Malware Name: Win32:BHO-KD [trj]
Malware Type: Trojan Horse
VPS Version: 080110-0, 01/10/2008

i cant delete it / move or rename / move to chest because it is on system32 windows...
i also tried a boot time scan and i still cant do anything...

what can i do to remove this?..
nid heLp..

essexboy · « **Reply #1 on:** January 11, 2008, 12:30:13 PM »

Here we go again

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

siyete · « **Reply #2 on:** January 11, 2008, 01:47:19 PM »

ComboFix 08-01-10.2 - Cherry Lynn 2008-01-11 21:00:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.257 [GMT 8:00]
Running from: C:\Documents and Settings\Cherry Lynn\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dciman3.dll
C:\WINDOWS\system32\drivers\mtuxnmtf.dat
C:\WINDOWS\system32\nhatquanglan22.exe
C:\WINDOWS\system32\scvshosts.exe
C:\WINDOWS\system32\setting.ini
C:\WINDOWS\system32\test3.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CIIHYSIV
-------\ciihysiv

((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 20:59 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-11 20:52 . 2008-01-11 20:52   <DIR>   d--------   C:\Program Files\Common Files\Stardock
2008-01-11 20:52 . 2008-01-11 20:52   162,176   --a------   C:\WINDOWS\system32\drivers\vidstub.sys
2008-01-11 20:45 . 2007-12-04 20:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-11 20:45 . 2007-12-04 22:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-11 20:45 . 2007-12-04 22:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-11 20:45 . 2007-12-04 22:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-11 20:45 . 2007-12-04 22:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-11 20:45 . 2007-12-04 22:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-11 20:44 . 2007-12-04 21:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-11 20:44 . 2004-01-09 17:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-11 20:40 . 2008-01-11 20:40   <DIR>   d--------   C:\Program Files\MSgames
2008-01-11 19:42 . 2008-01-11 19:42   <DIR>   d--h-----   C:\WINDOWS\PIF
2008-01-11 19:42 . 2008-01-11 19:42   <DIR>   d--------   C:\Program Files\Common Files\Sonic Shared
2008-01-11 19:42 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-11 19:42 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 19:42 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-11 19:41 . 2008-01-11 19:41   <DIR>   d--------   C:\Program Files\Common Files\Scanner
2008-01-11 19:41 . 2008-01-11 19:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-11 00:46 . 2008-01-11 20:52   <DIR>   d--------   C:\Program Files\WinCustomize
2008-01-10 15:56 . 2003-01-01 00:07   50   --a------   C:\WINDOWS\system32\BRIDF04A.dat
2008-01-10 15:53 . 2008-01-11 20:37   <DIR>   d--------   C:\Program Files\ScanSoft(2)
2008-01-10 15:53 . 2008-01-11 20:37   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-01-10 15:51 . 2008-01-10 15:51   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Brother
2008-01-07 20:34 . 2008-01-11 20:38   <DIR>   d--------   C:\Documents and Settings\Cherry Lynn\Application Data\uTorrent
2008-01-03 22:01 . 2008-01-11 20:38   <DIR>   d--------   C:\Program Files\Gravity(2)
2007-12-31 00:30 . 2007-12-31 00:30   <DIR>   d--------   C:\Program Files\Stardock
2007-12-22 08:39 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-22 08:10 . 2005-09-23 08:29   626,688   --a------   C:\WINDOWS\system32\msvcr80.dll
2007-12-19 09:10 . 2007-12-19 09:10   <DIR>   d--------   C:\Program Files\e-Games
2007-12-19 07:41 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-19 07:41 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\Cherry Lynn\Application Data\Roxio
2007-12-19 07:40 . 2007-12-19 07:40   59   --a------   C:\WINDOWS\WININIT.INI
2007-12-19 07:39 . 2007-12-19 07:39   <DIR>   d--------   C:\Program Files\Sonic
2007-12-19 07:38 . 2002-09-21 12:44   24,576   --a------   C:\WINDOWS\system32\xpsp1hfm.exe
2007-12-19 07:37 . 2007-12-19 07:37   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-19 07:30 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-19 07:27 . 2007-12-19 07:39   <DIR>   d--------   C:\Program Files\Roxio
2007-12-19 07:27 . 2008-01-11 19:40   <DIR>   d--------   C:\Program Files\Common Files\Roxio Shared
2007-12-13 18:20 . 2008-01-11 19:41   <DIR>   d--------   C:\Program Files\CCleaner
2007-12-13 18:14 . 2007-12-13 18:14   <DIR>   d--------   C:\Program Files\Alwil Software
2007-12-12 18:17 . 2007-12-12 18:17   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 12:59   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-11 12:51   ---------   d-----w   C:\Program Files\LimeWire
2008-01-11 12:37   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-01-11 12:37   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2007-12-16 16:19   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-12 01:30   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-12-12 01:26   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-08 08:10   ---------   d-----w   C:\Program Files\Java
2007-12-08 07:38   ---------   d-----w   C:\Program Files\NetGames
2007-12-06 04:10   ---------   d-----w   C:\Documents and Settings\Cherry Lynn\Application Data\Symantec
2007-11-30 12:13   ---------   d-----w   C:\Program Files\Common Files\L&H
2007-11-26 12:45   ---------   d-----w   C:\Documents and Settings\Cherry Lynn\Application Data\Orbit
2007-11-26 12:31   ---------   d-----w   C:\Documents and Settings\Cherry Lynn\Application Data\FMZilla
2007-11-05 14:29   50,688   ----a-w   C:\WINDOWS\system32\wbhelp2.dll
2007-11-04 11:23   558,142   ----a-w   C:\WINDOWS\java\Packages\EK5J53XZ.ZIP
2007-11-04 11:23   155,995   ----a-w   C:\WINDOWS\java\Packages\YS6Y06AR.ZIP
2007-10-17 17:23   10,752   ----a-w   C:\WINDOWS\system32\WhoisCL.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 18:41 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 16:50 4620288]
"nwiz"="nwiz.exe" [2004-10-29 16:50 921600 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 16:50 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 20:39 69632 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-09-20 07:53 1687552]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-09-20 07:29 163840]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

S3 W700bus;Sony Ericsson W700 Driver driver (WDM);C:\WINDOWS\System32\DRIVERS\W700bus.sys [2007-11-04 19:57]
S3 W700mdfl;Sony Ericsson W700 USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\W700mdfl.sys [2007-11-04 19:57]
S3 W700mdm;Sony Ericsson W700 USB WMC Modem Driver;C:\WINDOWS\System32\DRIVERS\W700mdm.sys [2007-11-04 19:57]
S3 W700mgmt;Sony Ericsson W700 USB WMC Device Management Drivers (WDM);C:\WINDOWS\System32\DRIVERS\W700mgmt.sys [2007-11-04 19:57]
S3 W700obex;Sony Ericsson W700 USB WMC OBEX Interface;C:\WINDOWS\System32\DRIVERS\W700obex.sys [2007-11-04 19:57]

*Newly Created Service* - ALG
*Newly Created Service* - BOOTSCREEN
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 21:04:25
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-11 21:05:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 13:05:53

siyete · « **Reply #3 on:** January 11, 2008, 01:49:07 PM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:01 PM, on 1/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Cherry Lynn\Desktop\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

--
End of file - 7055 bytes

siyete · « **Reply #4 on:** January 11, 2008, 01:50:47 PM »

s0, i did what u said.. what to do next?..
i reaLy have no cLue how t0 rem0ve this virus..
i reaLy nid ur heLp.. thx ph0..

siyete · « **Reply #5 on:** January 11, 2008, 01:53:34 PM »

i aLready tried to do a system rest0re.. but the virus is stiLL there.. i aLs0 tried to d0 a windows repair..
it aLso didnt w0rk.. i tried sfc /Scannow and it aLso didnt work..
:'(

oldman · « **Reply #6 on:** January 11, 2008, 02:57:37 PM »

Please don't try anything else. Wait for essexboy to reply. dciman3.dll
was removed once all ready.

essexboy · « **Reply #7 on:** January 11, 2008, 03:33:31 PM »

If you did a system restore you have now replaced the trojan that was deleted

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

File::
C:\WINDOWS\system32\BRIDF04A.dat
C:\WINDOWS\java\Packages\EK5J53XZ.ZIP
C:\WINDOWS\java\Packages\YS6Y06AR.ZIP

Driver::
ciihysiv

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

siyete · « **Reply #8 on:** January 12, 2008, 11:45:52 AM »

ComboFix 08-01-10.2 - Cherry Lynn 2008-01-12 8:26:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.306 [GMT 8:00]
Running from: C:\Documents and Settings\Cherry Lynn\Desktop\ComboFix\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cherry Lynn\Desktop\ComboFix\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\java\Packages\EK5J53XZ.ZIP
C:\WINDOWS\java\Packages\YS6Y06AR.ZIP
C:\WINDOWS\system32\BRIDF04A.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\java\Packages\EK5J53XZ.ZIP
C:\WINDOWS\java\Packages\YS6Y06AR.ZIP
C:\WINDOWS\system32\BRIDF04A.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-11 20:59 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-11 20:52 . 2008-01-11 20:52   <DIR>   d--------   C:\Program Files\Common Files\Stardock
2008-01-11 20:52 . 2008-01-11 20:52   162,176   --a------   C:\WINDOWS\system32\drivers\vidstub.sys
2008-01-11 20:45 . 2007-12-04 20:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-11 20:45 . 2007-12-04 22:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-11 20:45 . 2007-12-04 22:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-11 20:45 . 2007-12-04 22:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-11 20:45 . 2007-12-04 22:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-11 20:45 . 2007-12-04 22:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-11 20:44 . 2007-12-04 21:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-11 20:44 . 2004-01-09 17:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-11 20:40 . 2008-01-11 20:40   <DIR>   d--------   C:\Program Files\MSgames
2008-01-11 19:42 . 2008-01-11 19:42   <DIR>   d--h-----   C:\WINDOWS\PIF
2008-01-11 19:42 . 2008-01-11 19:42   <DIR>   d--------   C:\Program Files\Common Files\Sonic Shared
2008-01-11 19:42 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-11 19:42 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 19:42 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-11 19:41 . 2008-01-11 19:41   <DIR>   d--------   C:\Program Files\Common Files\Scanner
2008-01-11 19:41 . 2008-01-11 19:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-11 00:46 . 2008-01-11 20:52   <DIR>   d--------   C:\Program Files\WinCustomize
2008-01-10 15:53 . 2008-01-11 20:37   <DIR>   d--------   C:\Program Files\ScanSoft(2)
2008-01-10 15:53 . 2008-01-11 20:37   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-01-10 15:51 . 2008-01-10 15:51   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Brother
2008-01-07 20:34 . 2008-01-11 20:38   <DIR>   d--------   C:\Documents and Settings\Cherry Lynn\Application Data\uTorrent
2008-01-03 22:01 . 2008-01-11 20:38   <DIR>   d--------   C:\Program Files\Gravity(2)
2007-12-31 00:30 . 2007-12-31 00:30   <DIR>   d--------   C:\Program Files\Stardock
2007-12-22 08:39 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-22 08:10 . 2005-09-23 08:29   626,688   --a------   C:\WINDOWS\system32\msvcr80.dll
2007-12-19 09:10 . 2007-12-19 09:10   <DIR>   d--------   C:\Program Files\e-Games
2007-12-19 07:41 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-19 07:41 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\Cherry Lynn\Application Data\Roxio
2007-12-19 07:40 . 2007-12-19 07:40   59   --a------   C:\WINDOWS\WININIT.INI
2007-12-19 07:39 . 2007-12-19 07:39   <DIR>   d--------   C:\Program Files\Sonic
2007-12-19 07:38 . 2002-09-21 12:44   24,576   --a------   C:\WINDOWS\system32\xpsp1hfm.exe
2007-12-19 07:37 . 2007-12-19 07:37   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-19 07:30 . 2008-01-11 19:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-19 07:27 . 2007-12-19 07:39   <DIR>   d--------   C:\Program Files\Roxio
2007-12-19 07:27 . 2008-01-11 19:40   <DIR>   d--------   C:\Program Files\Common Files\Roxio Shared
2007-12-13 18:20 . 2008-01-11 19:41   <DIR>   d--------   C:\Program Files\CCleaner
2007-12-13 18:14 . 2007-12-13 18:14   <DIR>   d--------   C:\Program Files\Alwil Software
2007-12-12 18:17 . 2007-12-12 18:17   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 14:30   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-11 12:51   ---------   d-----w   C:\Program Files\LimeWire
2008-01-11 12:37   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-01-11 12:37   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2007-12-16 16:19   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-12 01:30   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-12-12 01:26   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-08 08:10   ---------   d-----w   C:\Program Files\Java
2007-12-08 07:38   ---------   d-----w   C:\Program Files\NetGames
2007-12-06 04:10   ---------   d-----w   C:\Documents and Settings\Cherry Lynn\Application Data\Symantec
2007-11-30 12:13   ---------   d-----w   C:\Program Files\Common Files\L&H
2007-11-26 12:45   ---------   d-----w   C:\Documents and Settings\Cherry Lynn\Application Data\Orbit
2007-11-26 12:31   ---------   d-----w   C:\Documents and Settings\Cherry Lynn\Application Data\FMZilla
2007-11-05 14:29   50,688   ----a-w   C:\WINDOWS\system32\wbhelp2.dll
2007-10-17 17:23   10,752   ----a-w   C:\WINDOWS\system32\WhoisCL.exe

siyete · « **Reply #9 on:** January 12, 2008, 11:46:15 AM »

((((((((((((((((((((((((((((( snapshot@2008-01-11_21.05.42.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 12:59:49   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 00:25:54   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 12:59:49   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 00:25:54   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 12:59:49   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-12 00:25:54   4,128,768   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-11 12:59:49   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 00:25:54   147,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 12:59:49   4,116,480   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-12 00:25:54   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 12:59:49   147,456   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 00:25:54   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-11 12:59:57   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-12 00:26:01   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-11-21 00:04:14   218,496   ----a-w   C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
- 2007-10-06 19:04:40   48,749   ----a-w   C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-01-11 17:58:42   74,137   ----a-w   C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2007-11-04 21:07:43   52,764   ----a-w   C:\WINDOWS\system32\perfc009.dat
+ 2008-01-11 13:05:27   52,764   ----a-w   C:\WINDOWS\system32\perfc009.dat
- 2007-11-04 21:07:43   380,350   ----a-w   C:\WINDOWS\system32\perfh009.dat
+ 2008-01-11 13:05:28   380,350   ----a-w   C:\WINDOWS\system32\perfh009.dat
+ 2008-01-11 16:01:23   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_510.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 18:41 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 16:50 4620288]
"nwiz"="nwiz.exe" [2004-10-29 16:50 921600 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 16:50 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 20:39 69632 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-09-20 07:53 1687552]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-09-20 07:29 163840]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe

S3 W700bus;Sony Ericsson W700 Driver driver (WDM);C:\WINDOWS\System32\DRIVERS\W700bus.sys [2007-11-04 19:57]
S3 W700mdfl;Sony Ericsson W700 USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\W700mdfl.sys [2007-11-04 19:57]
S3 W700mdm;Sony Ericsson W700 USB WMC Modem Driver;C:\WINDOWS\System32\DRIVERS\W700mdm.sys [2007-11-04 19:57]
S3 W700mgmt;Sony Ericsson W700 USB WMC Device Management Drivers (WDM);C:\WINDOWS\System32\DRIVERS\W700mgmt.sys [2007-11-04 19:57]
S3 W700obex;Sony Ericsson W700 USB WMC OBEX Interface;C:\WINDOWS\System32\DRIVERS\W700obex.sys [2007-11-04 19:57]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 08:27:37
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12 8:28:13
ComboFix-quarantined-files.txt 2008-01-12 00:27:59

siyete · « **Reply #10 on:** January 12, 2008, 11:46:57 AM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:31 AM, on 1/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Cherry Lynn\Desktop\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

--
End of file - 7026 bytes

siyete · « **Reply #11 on:** January 12, 2008, 11:47:51 AM »

there, i did what u asked me to do.. so what to do next?..
can u tell me what other applications i can use to make my pc spyware free?..

Lisandro · « **Reply #12 on:** January 12, 2008, 12:00:14 PM »

Quote from: siyete on January 12, 2008, 11:47:51 AM

can u tell me what other applications i can use to make my pc spyware free?..

SUPERantispyware
AVG Antispyware
Spyware Terminator
a-squared
anti-rootkit applications like AVG or Trend Micro RootkitBuster.

FreewheelinFrank · « **Reply #13 on:** January 12, 2008, 12:12:08 PM »

Seems DrWeb CureIT! will fix it:

http://forum.avast.com/index.php?topic=32612.0

essexboy · « **Reply #14 on:** January 12, 2008, 06:23:38 PM »

Your log now appears clean are you experiencing any more problems ?

Author Topic: HELP ME REMOVE WIN32:BHD-KD[TRJ] (Read 10369 times)

siyete

HELP ME REMOVE WIN32:BHD-KD[TRJ]

essexboy

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

siyete

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

siyete

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

siyete

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

siyete

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

oldman

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

essexboy

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

siyete

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

siyete

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

siyete

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

siyete

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

Lisandro

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

FreewheelinFrank

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]

essexboy

Re: HELP ME REMOVE WIN32:BHD-KD[TRJ]