Author Topic: Another day, another person infected with Win32:BHO-KD  (Read 13763 times)


SilentAngel

  • Guest
Re: Another day, another person infected with Win32:BHO-KD
« Reply #15 on: January 04, 2008, 12:39:34 AM »
Okay, I'm awake again and back to try kill this thing. ;)

Vlk, I tried to do that when the virus detection dialog box came up - when I rebooted it's like nothing had happened - still getting that it's being detected and the same file/directory.

I'll attach the boot log in my next post.

SilentAngel

  • Guest
Re: Another day, another person infected with Win32:BHO-KD
« Reply #16 on: January 04, 2008, 12:40:10 AM »
CmdLine - quick
aswBoot.exe /M:46c04315 /A:"*" /L:"English" /KBD:2
CmdLine end
Processing file operations...
c:\windows\system32\datacle.dll>  ... c0000022
c:\windows\system32\datacle.dll>  ... c0000022
ProcessFileOperations: 0
CreateKbThread
new CKbBuffer
CKbBuffer::Init
CKbBuffer::Init end
NtCreateEvent(g_hStopEvent)
NtAllocateVirtualMemory - stack
NtGetContextThread - NtCurrentThread
NtCreateThread - KbThread
CreateKbThread end
NtInitializeRegistry
KbThread start
ReadRegistry
DATA=C:\Program Files\Alwil Software\Avast4\DATA
PROG=C:\Program Files\Alwil Software\Avast4
BUILD=1098
Microsoft Windows XP Service Pack 2
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
ReadRegistry end
CreateTemp
CreateTemp end
cmnbInit
SetFolders
SetFolders end
aswEnginDllMain(DLL_PROCESS_ATTACH)
InitLog
InitLog end
CmdLine - full
aswBoot.exe /M:46c04315 /A:"*" /L:"English" /KBD:2
CmdLine end
Unschedule
61,00,75,00,74,00,6F,00,63,00,68,00,65,00,63,00,
6B,00,20,00,61,00,75,00,74,00,6F,00,63,00,68,00,
6B,00,20,00,2A,00,00,00,61,00,73,00,77,00,42,00,
6F,00,6F,00,74,00,2E,00,65,00,78,00,65,00,20,00,
2F,00,4D,00,3A,00,34,00,36,00,63,00,30,00,34,00,
33,00,31,00,35,00,20,00,2F,00,41,00,3A,00,22,00,
2A,00,22,00,20,00,2F,00,4C,00,3A,00,22,00,45,00,
6E,00,67,00,6C,00,69,00,73,00,68,00,22,00,20,00,
2F,00,4B,00,42,00,44,00,3A,00,32,00,00,00,00,00,

Unschedule end
LoadResources
LoadResources end
InitReport
InitReport end
NtSetEvent(g_hInitEvent) - 1
InitKeyboard
g_dwKbdNum: 2
s_dwKbdClassCnt: 2
InitKeyboard end
NtSetEvent(g_hInitEvent) - 2
GetKey
FreeMemory: 356331520
aswintegInitialize
avworkInitialize
FreeMemory: 324481024
CKbBuffer::Wait
CKbBuffer::Get
CKbBuffer::Get end
CKbBuffer::Wait end
ProcessArea
avfilesScanReal(MBR0)
avfilesScanReal C:\
CKbBuffer::Get
0, 1, 3, 0, 0
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
MarkFileRemoval
MarkFileRemoval end
0, 2, 1, 0, 0
CKbBuffer::Get
0, 1, 3, 0, 0
0, 6, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
CKbBuffer::Get
0, 6, 1, 0, 0
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
0, 2, 1, 0, 0
GetErrorText
CKbBuffer::Get
0, 8, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
GetErrorText
0, 8, 1, 0, 0
CKbBuffer::Get
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
CKbBuffer::Get
0, 2, 1, 0, 0
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
GetErrorText
0, 2, 1, 0, 0
CKbBuffer::Get
0, 4, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
CKbBuffer::Get
0, 4, 1, 0, 0
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
GetErrorText
0, 2, 1, 0, 0
CKbBuffer::Get
0, 10, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
0, 10, 1, 0, 0
avworkClose
aswintegClose
TerminateKbThread
GetKey end
CloseKeyboard
CloseKeyboard end
KbThread stop
CKbBuffer::~CKbBuffer
CKbBuffer::~CKbBuffer end
aswEnginDllMain(DLL_PROCESS_DETACH)
cmnbFree
FreeResources
CloseReport
CloseLog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: Another day, another person infected with Win32:BHO-KD
« Reply #17 on: January 04, 2008, 01:16:35 AM »
Why can't avast have full access at boot time? This is my doubt... hope they can help us.
Vlk, and so? ???
The best things in life are free.

SilentAngel

  • Guest
Re: Another day, another person infected with Win32:BHO-KD
« Reply #18 on: January 04, 2008, 01:33:05 AM »
I was reading through the other threads concerning this virus, and decided to run ComboFix to see if it would help the problem.
And I think it actually fixed the problem. :o
I can't find any traces of datacle.dll in the system32 directory, and no more popups are occurring when I open IE. YAY!
I will run a boot scan again just to make sure that the little bugger is gone.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Another day, another person infected with Win32:BHO-KD
« Reply #19 on: January 04, 2008, 02:16:20 AM »
If you ran ComboFix, you might as well post the log and we can see if anything is left over. And a current HijackThis log.

SilentAngel

  • Guest
Re: Another day, another person infected with Win32:BHO-KD
« Reply #20 on: January 04, 2008, 02:27:52 AM »
I just got back from doing a boot scan - it detected datacle.dll in the quarantined folder of ComboFix - I moved the infected file to the avast chest successfully.

I'll post the logs from ComboFix and HijackThis in my next couple of posts.
« Last Edit: January 04, 2008, 02:29:38 AM by SilentAngel »

SilentAngel

  • Guest
Re: Another day, another person infected with Win32:BHO-KD
« Reply #21 on: January 04, 2008, 02:31:05 AM »
OK, this is the ComboFix log. Seems a lot of remnants from old programs I once used are still here, lol. Like my old virus scanner prior to using Avast. :o


ComboFix 08-01-04.1 - kel 2008-01-04 11:14:59.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.184 [GMT 11:00]
Running from: C:\Documents and Settings\kel\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\datacle.dll
C:\WINDOWS\system32\drivers\eduvublg.dat

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_QCCGOYNY
-------\qccgoyny


(((((((((((((((((((((((((   Files Created from 2007-12-04 to 2008-01-04  )))))))))))))))))))))))))))))))
.

2008-01-04 11:14 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-03 23:01 . 2007-01-18 23:00   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-02 00:15 . 2008-01-02 00:17   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-02 00:15 . 2008-01-02 00:15   <DIR>   d--------   C:\Documents and Settings\kel\Application Data\SUPERAntiSpyware.com
2008-01-02 00:15 . 2008-01-02 00:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-01 14:01 . 2008-01-01 14:01   <DIR>   d--------   C:\Program Files\Lavasoft
2008-01-01 11:25 . 2008-01-01 11:25   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\PIE Service
2008-01-01 11:25 . 2008-01-01 11:25   <DIR>   d--------   C:\Documents and Settings\kel\Application Data\AdwareAlert
2007-12-27 12:30 . 2007-12-27 12:30   <DIR>   d--------   C:\Drivers
2007-12-23 22:15 . 2007-12-23 22:15   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2007-12-18 14:56 . 2007-12-18 14:56   <DIR>   d--------   C:\Program Files\Alwil Software
2007-12-18 14:56 . 2003-03-19 07:20   1,060,864   --a------   C:\WINDOWS\system32\MFC71.dll
2007-12-18 14:56 . 2007-12-05 00:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-12-18 14:56 . 2004-01-09 20:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2007-12-18 14:56 . 2007-12-04 23:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-12-18 14:56 . 2007-12-05 01:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-18 14:56 . 2007-12-05 01:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-18 14:56 . 2007-12-05 01:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-18 14:56 . 2007-12-05 01:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-18 14:56 . 2007-12-05 01:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-11 16:14 . 2007-12-11 16:14   <DIR>   d--------   C:\Program Files\Windows Journal Viewer

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 14:01   ---------   d-----w   C:\Program Files\PestPatrol
2008-01-01 13:15   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 01:02   ---------   d-----w   C:\Program Files\MSN Messenger
2007-12-25 07:03   ---------   d-----w   C:\Program Files\Messenger Plus! Live
2007-12-18 03:41   ---------   d-----w   C:\Program Files\Scions of Fate
2007-12-17 22:20   ---------   d--h--w   C:\Documents and Settings\kel\Application Data\ijjigame
2007-11-28 08:01   ---------   d-----w   C:\Program Files\GetRight
2007-11-27 22:59   ---------   d-----w   C:\Program Files\SealOnlineUSA
2007-11-27 04:33   65,536   ----a-w   C:\WINDOWS\IFinst27.exe
2007-11-24 23:05   ---------   d-----w   C:\Program Files\Ventrilo
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06 1667584]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 14:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-11 18:33 143360 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 16:08 577536 C:\WINDOWS\soundman.exe]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-22 03:19 589824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 00:00 79224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msn_0712_upd262315.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msn_0712_upd262315.exe
backup=C:\WINDOWS\pss\msn_0712_upd262315.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^kel^Start Menu^Programs^Startup^msn_0712_upd262315.exe]
path=C:\Documents and Settings\kel\Start Menu\Programs\Startup\msn_0712_upd262315.exe
backup=C:\WINDOWS\pss\msn_0712_upd262315.exeStartup
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
         C:\WINDOWS\system32\dumprep 0 -k
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
         c:\PROGRA~1\mcafee.com\agent\mcagent.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
         C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
         C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrolCL]
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
         C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2005-04-22 03:19]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\GalaNet\Flyff\GameGuard\dump_wmimmc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 00:25:38 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-01-01 05:42:48 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1159684900.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 11:22:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 11:29:00 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-04 00:28:56


SilentAngel

  • Guest
Re: Another day, another person infected with Win32:BHO-KD
« Reply #22 on: January 04, 2008, 02:32:39 AM »
HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:45 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\kel\Desktop\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.8:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF6FDB51-4F32-4154-9445-2F089F303973}: NameServer = 202.154.83.53,218.214.227.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

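The HijackThis log above is what the helpers in this thread read by eye: the R1 proxy line, the O17 NameServer override, the O2 BHO entries (the detection name in this thread is Win32:BHO-KD, a Browser Helper Object) and the O23 services marked "(file missing)". The following is an added example, not part of HijackThis, ComboFix or avast, that applies those same checks to the log lines programmatically. The sample log is a subset of the lines posted above; the rule names, the severities and the "public DNS server is worth confirming against the ISP" heuristic are this example's own assumptions, not findings from the thread.

```python
"""Triage a HijackThis v1.99 log for entries worth a second look.

Added example for this thread; not code from HijackThis, ComboFix or avast.
Rule names and severities are assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.8:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF6FDB51-4F32-4154-9445-2F089F303973}: NameServer = 202.154.83.53,218.214.227.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Every HijackThis entry starts with a section code such as R1, O2, O17, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")

Finding = namedtuple("Finding", "rule severity detail line")


def parse_entries(text):
    """Yield (kind, body) for each 'Xnn - ...' line; header/process lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def is_public_ip(addr):
    """True for a routable address; private, loopback and link-local return False."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(text):
    """Return the entries a helper would ask about, as Finding tuples."""
    findings = []
    for kind, body in parse_entries(text):
        if kind == "R1" and "ProxyServer" in body:
            # Any IE proxy the user did not set themselves routes their browsing elsewhere.
            proxy = body.split("=", 1)[1].strip()
            findings.append(Finding("proxy-set", "high", proxy, body))
        elif kind == "O17" and "NameServer" in body:
            # Per-adapter DNS override; public servers should be confirmed as the ISP's.
            servers = body.split("=", 1)[1].split(",")
            public = [s.strip() for s in servers if is_public_ip(s)]
            if public:
                findings.append(Finding("dns-override", "medium", ",".join(public), body))
        elif kind == "O2":
            # Browser Helper Objects load into every IE process; one under
            # system32 (as datacle.dll was) rates higher than one under Program Files.
            path = body.rsplit(" - ", 1)[1]
            severity = "high" if "\\system32\\" in path.lower() else "low"
            findings.append(Finding("bho", severity, path, body))
        elif kind == "O20":
            # Winlogon Notify DLLs run at logon with system privileges.
            findings.append(Finding("winlogon-notify", "medium", body.rsplit(" - ", 1)[1], body))
        elif kind == "O23" and body.endswith("(file missing)"):
            # Service registered but its binary is gone: leftover of an uninstall or a cleanup.
            findings.append(Finding("orphan-service", "low", body, body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:16} {f.detail}")
```

Run as a script it prints one line per flagged entry; the two "(file missing)" avast services and the McAfee remnant are the ones oldman picks up on later in the thread, and the proxy and DNS entries are the kind of thing to confirm with the user before deciding they are malicious.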
Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Another day, another person infected with Win32:BHO-KD
« Reply #23 on: January 04, 2008, 03:20:49 AM »
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\IFinst27.exe



BTW do you have McAfee still installed?

SilentAngel

  • Guest
Re: Another day, another person infected with Win32:BHO-KD
« Reply #24 on: January 04, 2008, 03:25:35 AM »
No, I recently uninstalled it and put Avast on instead. That's why I was kind of weirded out when I saw it in the logs.

I'll try your next step. I'll be back soon.

SilentAngel

  • Guest
Re: Another day, another person infected with Win32:BHO-KD
« Reply #25 on: January 04, 2008, 03:36:20 AM »
ComboFix log, after completing the previous step:


ComboFix 08-01-04.1 - kel 2008-01-04 13:28:11.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.256 [GMT 11:00]
Running from: C:\Documents and Settings\kel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kel\Desktop\CFscript.txt
 * Created a new restore point

FILE
C:\WINDOWS\IFinst27.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IFinst27.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-04 to 2008-01-04  )))))))))))))))))))))))))))))))
.

2008-01-04 11:14 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-03 23:01 . 2007-01-18 23:00   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-02 00:15 . 2008-01-02 00:17   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-02 00:15 . 2008-01-02 00:15   <DIR>   d--------   C:\Documents and Settings\kel\Application Data\SUPERAntiSpyware.com
2008-01-02 00:15 . 2008-01-02 00:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-01 14:01 . 2008-01-01 14:01   <DIR>   d--------   C:\Program Files\Lavasoft
2008-01-01 11:25 . 2008-01-01 11:25   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\PIE Service
2008-01-01 11:25 . 2008-01-01 11:25   <DIR>   d--------   C:\Documents and Settings\kel\Application Data\AdwareAlert
2007-12-27 12:30 . 2007-12-27 12:30   <DIR>   d--------   C:\Drivers
2007-12-23 22:15 . 2007-12-23 22:15   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2007-12-18 14:56 . 2007-12-18 14:56   <DIR>   d--------   C:\Program Files\Alwil Software
2007-12-18 14:56 . 2003-03-19 07:20   1,060,864   --a------   C:\WINDOWS\system32\MFC71.dll
2007-12-18 14:56 . 2007-12-05 00:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-12-18 14:56 . 2004-01-09 20:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2007-12-18 14:56 . 2007-12-04 23:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-12-18 14:56 . 2007-12-05 01:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-18 14:56 . 2007-12-05 01:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-18 14:56 . 2007-12-05 01:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-18 14:56 . 2007-12-05 01:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-18 14:56 . 2007-12-05 01:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-11 16:14 . 2007-12-11 16:14   <DIR>   d--------   C:\Program Files\Windows Journal Viewer

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 14:01   ---------   d-----w   C:\Program Files\PestPatrol
2008-01-01 13:15   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 01:02   ---------   d-----w   C:\Program Files\MSN Messenger
2007-12-25 07:03   ---------   d-----w   C:\Program Files\Messenger Plus! Live
2007-12-18 03:41   ---------   d-----w   C:\Program Files\Scions of Fate
2007-12-17 22:20   ---------   d--h--w   C:\Documents and Settings\kel\Application Data\ijjigame
2007-11-28 08:01   ---------   d-----w   C:\Program Files\GetRight
2007-11-27 22:59   ---------   d-----w   C:\Program Files\SealOnlineUSA
2007-11-24 23:05   ---------   d-----w   C:\Program Files\Ventrilo
.

(((((((((((((((((((((((((((((   snapshot@2008-01-04_11.28.43.06   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-04 01:24:38   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_628.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06 1667584]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 14:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-11 18:33 143360 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 16:08 577536 C:\WINDOWS\soundman.exe]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-22 03:19 589824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 00:00 79224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msn_0712_upd262315.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msn_0712_upd262315.exe
backup=C:\WINDOWS\pss\msn_0712_upd262315.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^kel^Start Menu^Programs^Startup^msn_0712_upd262315.exe]
path=C:\Documents and Settings\kel\Start Menu\Programs\Startup\msn_0712_upd262315.exe
backup=C:\WINDOWS\pss\msn_0712_upd262315.exeStartup
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
         C:\WINDOWS\system32\dumprep 0 -k
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
         c:\PROGRA~1\mcafee.com\agent\mcagent.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
         C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
         C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrolCL]
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
         C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2005-04-22 03:19]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 00:25:38 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
- C:\Program Files\AdwareAlert
"2007-01-01 05:42:48 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1159684900.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 13:33:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-01-04 13:34:34
ComboFix-quarantined-files.txt  2008-01-04 02:33:39
ComboFix2.txt  2008-01-04 00:29:00

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Another day, another person infected with Win32:BHO-KD
« Reply #26 on: January 04, 2008, 03:51:05 AM »
Well, well, well, I'd say you are good to go.  :D

Click start, run, copy and paste this line into the box

combofix /u

HJT can be uninstalled by clicking the Misc Tools button, slide the slider down, click Uninstall.

Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click Create.

Remove old restore points

Disk Cleanup
- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

This clean up utility can be used from time to time. When first run it's in demo mode to show what it will remove; review it, then rerun in real mode.

CleanUp

It looks like you may have been using Windows Firewall. It doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

A part of avast seems to be missing, possibly because of the remnants of McAfee. To resolve this I suggest you go to this link and download the McAfee removal tool

http://service.mcafee.com/FAQSearch.aspx?lc=4105&sg=TS&pt=1

Also I suggest you download both the newest version of avast (the key you have can be re-used) and the avast uninstall utility from

http://avast.com/eng/programs.html

Save them to your desktop and physically disconnect from the internet.

Uninstall avast via Add/Remove
boot
run the avast uninstall utility
boot
run the McAfee tool
boot
install avast
boot

SilentAngel

  • Guest
Re: Another day, another person infected with Win32:BHO-KD
« Reply #27 on: January 04, 2008, 05:05:55 AM »
Just completed all of that, and it appears that my computer's clear of all viruses and a lot less laggy from cleaning up stuff.

I really appreciate all the help all you guys have given me - for a bit I actually thought my compie was going to require a reinstall just to get rid of the thing.
Thank you so much! :)
And good luck to you other guys who have the same problem - I hope you guys can remove the virus as well.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Another day, another person infected with Win32:BHO-KD
« Reply #28 on: January 04, 2008, 06:23:01 AM »
You're welcome.