Author Topic: Please help with Win32:BHO-KD [Trj] infection  (Read 30639 times)


Grisen

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #30 on: January 27, 2008, 01:18:46 AM »
(continued)

[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 211 bytes | Modified Date = 1/24/2008 8:02:38 PM | Attr = RHS]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Modified Date = 1/26/2008 1:04:32 AM | Attr =    ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 2145845248 bytes | Modified Date = 1/26/2008 5:05:28 PM | Attr =  HS]
Images -> %SystemDrive%\Images ->  [Folder | Modified Date = 1/20/2008 10:42:00 AM | Attr =    ]
Maine Harbors -> %SystemDrive%\Maine Harbors ->  [Folder | Modified Date = 1/19/2008 2:49:02 PM | Attr =    ]
MDT -> %SystemDrive%\MDT ->  [Folder | Modified Date = 1/26/2008 5:06:44 PM | Attr =    ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 1/26/2008 5:31:42 PM | Attr =    ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 1/26/2008 1:04:32 AM | Attr =    ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 1/25/2008 4:18:38 AM | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 1/26/2008 5:31:52 PM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 1/10/2008 4:43:02 PM | Attr =  H ]
$NtUninstallKB941644$ -> %SystemRoot%\$NtUninstallKB941644$ ->  [Folder | Modified Date = 1/10/2008 4:44:44 PM | Attr =  H ]
$NtUninstallKB943485$ -> %SystemRoot%\$NtUninstallKB943485$ ->  [Folder | Modified Date = 1/10/2008 4:44:36 PM | Attr =  H ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 1/26/2008 5:05:32 PM | Attr =   S]
CSC -> %SystemRoot%\CSC ->  [Folder | Modified Date = 1/26/2008 12:32:36 AM | Attr =  HS]
ctfile.rfc -> %SystemRoot%\ctfile.rfc ->  [Ver =  | Size = 424 bytes | Modified Date = 1/26/2008 5:31:52 PM | Attr = RH ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 1/14/2008 11:17:28 AM | Attr =   S]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 1/25/2008 4:20:20 AM | Attr =    ]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 1/21/2008 3:54:14 PM | Attr =    ]
iltwain.ini -> %SystemRoot%\iltwain.ini ->  [Ver =  | Size = 35 bytes | Modified Date = 1/22/2008 11:41:46 AM | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 1/10/2008 4:44:42 PM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 1/26/2008 5:32:04 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 1/26/2008 5:16:26 PM | Attr =  HS]
Internet Logs -> %SystemRoot%\Internet Logs ->  [Folder | Modified Date = 1/26/2008 5:33:56 PM | Attr =    ]
LastGood -> %SystemRoot%\LastGood ->  [Folder | Modified Date = 1/26/2008 5:32:00 PM | Attr =    ]
Magic40.INI -> %SystemRoot%\Magic40.INI ->  [Ver =  | Size = 26 bytes | Modified Date = 1/1/2008 2:30:14 PM | Attr =    ]
network diagnostic -> %SystemRoot%\network diagnostic ->  [Folder | Modified Date = 1/24/2008 8:27:42 PM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 1/26/2008 5:17:24 PM | Attr =    ]
pss -> %SystemRoot%\pss ->  [Folder | Modified Date = 1/24/2008 8:02:36 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 1/22/2008 2:49:16 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 1/26/2008 5:38:30 PM | Attr =  H ]
system -> %SystemRoot%\system ->  [Folder | Modified Date = 1/22/2008 7:29:32 PM | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 1/26/2008 1:03:54 AM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 1/26/2008 5:32:00 PM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 1/26/2008 5:08:38 PM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 1/26/2008 5:40:18 PM | Attr =    ]
tides.ini -> %SystemRoot%\tides.ini ->  [Ver =  | Size = 8675 bytes | Modified Date = 1/22/2008 2:54:44 PM | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 878 bytes | Modified Date = 1/24/2008 8:02:38 PM | Attr =    ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 1/25/2008 3:54:22 PM | Attr =    ]
wt -> %SystemRoot%\wt ->  [Folder | Modified Date = 1/24/2008 11:22:14 PM | Attr =    ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 330 bytes | Modified Date = 1/26/2008 5:08:40 PM | Attr =  H ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 1/26/2008 5:05:42 PM | Attr =  H ]
A006B385BF.sys -> %System32%\A006B385BF.sys ->  [Ver =  | Size = 104 bytes | Modified Date = 1/19/2008 2:22:30 PM | Attr = RHS]
AppCert -> %System32%\AppCert ->  [Folder | Modified Date = 1/22/2008 2:50:14 PM | Attr =    ]
appmgmt -> %System32%\appmgmt ->  [Folder | Modified Date = 1/26/2008 1:07:50 AM | Attr =    ]
Blank.htm -> %System32%\Blank.htm ->  [Ver =  | Size = 91 bytes | Modified Date = 1/22/2008 11:41:46 AM | Attr =    ]
CatRoot -> %System32%\CatRoot ->  [Folder | Modified Date = 1/26/2008 5:03:08 PM | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 1/26/2008 5:08:48 PM | Attr =    ]
config -> %System32%\config ->  [Folder | Modified Date = 1/25/2008 4:20:36 AM | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2626 bytes | Modified Date = 1/24/2008 11:32:34 AM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 1/26/2008 4:01:14 PM | Attr =    ]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 1/26/2008 5:32:00 PM | Attr =    ]
KGyGaAvL.sys -> %System32%\KGyGaAvL.sys ->  [Ver =  | Size = 7518 bytes | Modified Date = 1/26/2008 5:38:26 PM | Attr =  HS]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 1/25/2008 4:18:38 AM | Attr =    ]
vsconfig.xml -> %System32%\vsconfig.xml ->  [Ver =  | Size = 353365 bytes | Modified Date = 1/26/2008 5:06:08 PM | Attr =    ]
wbem -> %System32%\wbem ->  [Folder | Modified Date = 1/26/2008 2:26:38 PM | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 1/26/2008 5:06:46 PM | Attr =    ]
zllictbl.dat -> %System32%\zllictbl.dat ->  [Ver =  | Size = 4212 bytes | Modified Date = 1/26/2008 5:04:02 PM | Attr =  H ]
ZoneLabs -> %System32%\ZoneLabs ->  [Folder | Modified Date = 1/26/2008 5:05:28 PM | Attr =    ]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 1/25/2008 4:23:36 AM | Attr =    ]
fidbox.dat -> %System32%\drivers\fidbox.dat ->  [Ver =  | Size = 497696 bytes | Modified Date = 1/26/2008 5:38:36 PM | Attr =  HS]
fidbox.idx -> %System32%\drivers\fidbox.idx ->  [Ver =  | Size = 32 bytes | Modified Date = 1/26/2008 5:05:32 PM | Attr =  HS]

Grisen

Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #31 on: January 27, 2008, 01:21:39 AM »
(continued)

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 837496 bytes | Modified Date = 12/4/2007 7:04:28 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\BORLNDMM.DLL -> Inprise Corporation [Ver = 4.0.5.37 | Size = 11776 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\DELPHIMM.DLL -> Inprise Corporation [Ver = 4.0.5.37 | Size = 11264 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 8/4/2004 5:00:00 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\ElementSyntaxMgr.dll ->  [Ver = 0, 5, 0, 0 | Size = 49664 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\HDPREV.DLL ->  [Ver =  | Size = 129024 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\HDResources.dll -> Sausage Software [Ver = 1, 0, 0, 2 | Size = 60928 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\HotDogNavView.dll ->  [Ver = 1, 0, 0, 1 | Size = 83456 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\HTMLExpertLib.dll ->  [Ver = 1, 0, 0, 1 | Size = 329216 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\HTMLProcessors.dll ->  [Ver = 1, 0, 0, 1 | Size = 59904 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\HTMLValidator.dll ->  [Ver = 1, 0, 0, 1 | Size = 34816 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\Ilanot32.dll -> Creative Development LTD [Ver = 4.021 | Size = 61952 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
Thawte Consulting ,  -> %System32%\Px.dll -> Sonic Solutions [Ver = 3.0.88.500 | Size = 452264 bytes | Modified Date = 8/24/2006 12:33:36 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\pxcpya64.exe -> Sonic Solutions [Ver = 1.00.35a | Size = 63144 bytes | Modified Date = 8/24/2006 12:33:36 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\pxcpyi64.exe -> Sonic Solutions [Ver = 1.00.35a | Size = 114856 bytes | Modified Date = 8/24/2006 12:33:36 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\pxdrv.dll -> Sonic Solutions [Ver = 1.01.88a | Size = 472744 bytes | Modified Date = 8/24/2006 12:33:36 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\pxhpinst.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 67240 bytes | Modified Date = 8/24/2006 12:33:38 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\pxinsa64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 62632 bytes | Modified Date = 8/24/2006 12:33:38 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\pxinsi64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 115880 bytes | Modified Date = 8/24/2006 12:33:38 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\PxMas.dll -> Sonic Solutions [Ver = 3.0.88.500 | Size = 181928 bytes | Modified Date = 8/24/2006 12:33:38 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\PxSFS.DLL -> Sonic Solutions [Ver = 3.0.88.500 | Size = 1279656 bytes | Modified Date = 8/24/2006 12:33:38 PM | Attr =    ]
Thawte Consulting ,  -> %System32%\PxWave.dll -> Sonic Solutions [Ver = 3.0.88.500 | Size = 345768 bytes | Modified Date = 8/24/2006 12:33:38 PM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\SausageControls.dll ->  [Ver = 1, 0, 0, 1 | Size = 116736 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\SausagePropertySheet.dll ->  [Ver = 1, 0, 0, 1 | Size = 56320 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\SausageRegistry.dll ->  [Ver = 1, 0, 0, 1 | Size = 10240 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\SausageText.dll ->  [Ver = 1, 0, 0, 1 | Size = 105984 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\SausageTextEdit.dll ->  [Ver = 1, 0, 0, 1 | Size = 135680 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\ScriptSyntaxMgr.dll ->  [Ver = 1, 0, 0, 1 | Size = 43520 bytes | Modified Date = 5/18/2003 10:53:56 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\SSCE4232.DLL -> Wintertree Software Inc. [Ver = 4.21.061 | Size = 49152 bytes | Modified Date = 4/26/1998 8:25:38 PM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\THESDB32.DLL -> Wintertree Software Inc. [Ver = 3, 14, 0, 0 | Size = 37376 bytes | Modified Date = 6/5/1996 11:13:34 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\UAFDLL.DLL ->  [Ver =  | Size = 104960 bytes | Modified Date = 11/1/1997 1:36:28 AM | Attr =    ]
Thawte Consulting ,  -> %System32%\VXBLOCK.dll -> Sonic Solutions [Ver = 1.00.69a | Size = 38568 bytes | Modified Date = 8/24/2006 12:33:38 PM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 8/4/2004 5:00:00 AM | Attr =    ]
Thawte Consulting ,  -> %System32%\XceedFtp.dll -> Xceed Software Inc        (450) 442-2626        support@xceedsoft.com        www.xceedsoft.com [Ver = 1.1.129.0 | Size = 279392 bytes | Modified Date = 8/31/2005 10:35:40 AM | Attr =    ]

< End of report >


BTW CAN WE GET RID OF THE 100% FREE CHESS TOOLBAR THAT ADD/REMOVE SAYS IS GONE (BUT IS STILL IN THE ADD/REM LIST).  IT APPEARS IN THE LOG-- IS IT STILL INSTALLED?

Thanks,
Grisen

Grisen

Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #32 on: January 27, 2008, 07:29:20 AM »
Scan with Avast just picked up a new one-- Win32:Agent RGO in C:\windows\system32\ZoneLabs\avsys - quarantined to chest as pdm2rt.ppl.  (Does this mean ZoneAlarm is compromised?  I just did an update from ZoneLabs 6 hours ago.)

Also noticed in chest dlcxcomm.dll from C:\windows\system32 which is the Win32:BHO-KD.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #33 on: January 27, 2008, 04:20:44 PM »
Your best bet with Zone Alarm is to do a full uninstall and then re-install just in case any are infected

Remove the chess toolbar from Add/Remove by opening HijackThis:
1. Select just start the programme
2. Select Config
3. Select Misc Tools
4. Select Uninstall Manager
5. Delete it from there

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} [HKLM] -> %ProgramFiles%\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll [100% Free Chess Toolbar Helper]
YY -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKLM] -> %ProgramFiles%\BAE\BAE.dll [CBrowserHelperObject Object]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> {6F4F95AF-1647-4B72-A632-055405455423} [HKLM] -> %ProgramFiles%\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll [100% Free Chess Toolbar]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YY -> WebBrowser\\{6F4F95AF-1647-4B72-A632-055405455423} [HKLM] -> %ProgramFiles%\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll [100% Free Chess Toolbar]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {DE625294-70E6-45ED-B895-CFFA13AEB044} -> AxisMediaControlEmb Class - CodeBase = http://207.5.168.68/activex/AMC.cab
[Files/Folders - Modified Within 30 days]
YY -> A006B385BF.sys -> %System32%\A006B385BF.sys
YY -> KGyGaAvL.sys -> %System32%\KGyGaAvL.sys
YY -> fidbox.dat -> %System32%\drivers\fidbox.dat
YY -> fidbox.idx -> %System32%\drivers\fidbox.idx
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
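The fix block above picks a few files out of the WinPFind3U "Modified Within 30 days" section and feeds them back in "YY -> name -> path" form. As an added example (not a tool from this thread, nor from WinPFind3U's author), the Python below parses that log format and applies triage heuristics that are my own assumptions (hidden/system attributes in System32, random-looking hex names, tiny .sys files) to produce the same kind of review list. The sample entries are copied from the log posted earlier in this thread; the heuristics over-approximate, so the output is a candidate list for a human, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: a handful of entries in the WinPFind3U
# "[Files/Folders - Modified Within 30 days]" format seen in this thread.
SAMPLE_LOG = r"""
[Files/Folders - Modified Within 30 days]
A006B385BF.sys -> %System32%\A006B385BF.sys ->  [Ver =  | Size = 104 bytes | Modified Date = 1/19/2008 2:22:30 PM | Attr = RHS]
AppCert -> %System32%\AppCert ->  [Folder | Modified Date = 1/22/2008 2:50:14 PM | Attr =    ]
Blank.htm -> %System32%\Blank.htm ->  [Ver =  | Size = 91 bytes | Modified Date = 1/22/2008 11:41:46 AM | Attr =    ]
KGyGaAvL.sys -> %System32%\KGyGaAvL.sys ->  [Ver =  | Size = 7518 bytes | Modified Date = 1/26/2008 5:38:26 PM | Attr =  HS]
zllictbl.dat -> %System32%\zllictbl.dat ->  [Ver =  | Size = 4212 bytes | Modified Date = 1/26/2008 5:04:02 PM | Attr =  H ]
fidbox.dat -> %System32%\drivers\fidbox.dat ->  [Ver =  | Size = 497696 bytes | Modified Date = 1/26/2008 5:38:36 PM | Attr =  HS]
fidbox.idx -> %System32%\drivers\fidbox.idx ->  [Ver =  | Size = 32 bytes | Modified Date = 1/26/2008 5:05:32 PM | Attr =  HS]
"""

# One log entry: "<name> -> <path> ->  [<field> | <field> | ...]"
ENTRY_RE = re.compile(r"^(?P<name>.+?) -> (?P<path>.+?) ->\s*\[(?P<fields>.*)\]\s*$")
# Names that look like random hex (the A006B385BF.sys pattern); heuristic, assumed here.
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8,}\.(sys|dll|exe)$")
TINY_SYS_BYTES = 1024  # assumed threshold: a real driver is never this small


@dataclass
class Entry:
    name: str
    path: str
    is_folder: bool
    size: Optional[int]   # None for folders
    modified: datetime
    attrs: str            # e.g. "RHS", "HS", "" (R=read-only, H=hidden, S=system)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one WinPFind3U file/folder line; return None for headers and blanks."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    fields = {}
    is_folder = False
    for part in m.group("fields").split(" | "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
        elif part.strip() == "Folder":
            is_folder = True
    size_text = fields.get("Size")  # e.g. "104 bytes"
    size = int(size_text.split()[0]) if size_text else None
    modified = datetime.strptime(fields["Modified Date"], "%m/%d/%Y %I:%M:%S %p")
    return Entry(m.group("name"), m.group("path"), is_folder, size, modified,
                 fields.get("Attr", ""))


def parse_log(text: str) -> List[Entry]:
    """All parseable entries in a WinPFind3U log section, in log order."""
    entries = [parse_entry(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Files under %System32% that deserve a human look, with the reasons why.

    Over-approximates on purpose: hidden/system files in System32 include
    legitimate licence and cache files, so this is a review list, not a verdict.
    """
    findings = []
    for e in entries:
        if e.is_folder or not e.path.lower().startswith("%system32%"):
            continue
        reasons = []
        if "H" in e.attrs or "S" in e.attrs:
            reasons.append("hidden/system attributes (" + e.attrs + ")")
        if HEX_NAME_RE.match(e.name):
            reasons.append("random-looking hex name")
        if e.name.lower().endswith(".sys") and e.size is not None and e.size < TINY_SYS_BYTES:
            reasons.append("tiny .sys file (%d bytes)" % e.size)
        if reasons:
            findings.append((e, reasons))
    return findings


def fix_lines(findings: List[Tuple[Entry, List[str]]]) -> List[str]:
    """Render findings as the 'YY -> name -> path' lines used in the fix box above."""
    return ["YY -> %s -> %s" % (e.name, e.path) for e, _ in findings]


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for entry, reasons in found:
        print("%-16s %s" % (entry.name, "; ".join(reasons)))
    print("\n".join(fix_lines(found)))
```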

Grisen

Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #34 on: January 27, 2008, 04:44:44 PM »
WinPFind3U ran the fix and then hung (Not Responding).  No notepad log.  Ran a second time and it wants a reboot. Will post log and hijack this when I'm back up.

I'm still getting an error message when the comp has run for a while. Note the misspelling of "Winidow" and the quotes in the message, which seem strange. The referenced memory address is always the same, 0x00000008; I don't know about the other one (I think I mentioned this in an earlier post, where we could see if it's exactly the same message including memory addresses):

CL RC Engine 3 Dummy Winidow - PCMService.exe - Application Error
The instructions at "0x00402545" referenced memory at "0x00000008". The memory could not be "read".

Grisen

Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #35 on: January 27, 2008, 04:57:01 PM »
(continued - please note previous post for continued problems with comp)

When WinPFind3U asked for a reboot, a message popped up about a log, but "could not initialize log because computer is rebooting", so I ran it a third time on reboot. Here is the log:

[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} not found.
File C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777} not found.
File C:\Program Files\BAE\BAE.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{6F4F95AF-1647-4B72-A632-055405455423} not found.
File C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{6F4F95AF-1647-4B72-A632-055405455423} not found.
File C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll not found.
Starting removal of ActiveX control {DE625294-70E6-45ED-B895-CFFA13AEB044}
 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE625294-70E6-45ED-B895-CFFA13AEB044}\InprocServer32 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DE625294-70E6-45ED-B895-CFFA13AEB044} not found.
Removal of ActiveX control {DE625294-70E6-45ED-B895-CFFA13AEB044} complete!
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\SYSTEM32\A006B385BF.sys not found!
File C:\WINDOWS\SYSTEM32\KGyGaAvL.sys not found!
File move failed. C:\WINDOWS\SYSTEM32\drivers\fidbox.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\SYSTEM32\drivers\fidbox.idx scheduled to be moved on reboot.
[Empty Temp Folders]
C:\DOCUME~1\John\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
< End of log >
Created on 01/27/2008 09:51:42

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:06 AM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\John\Desktop\HiJackThis.exe


Grisen

Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #36 on: January 27, 2008, 04:58:13 PM »
(continued)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061212
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913282796
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://mobilecountymaps.siteonestudio.com/taxmaps/acgm/acgm.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlcx_device -   - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10238 bytes

Offline essexboy

Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #37 on: January 27, 2008, 06:20:30 PM »
The file concerned is a legitimate Dell file (including spelling errors). However, research indicates it is just a nag screen, so it can be safely deleted.

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.

Let me know how that goes

Grisen

Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #38 on: January 27, 2008, 08:07:05 PM »
Hijackthis deleted the key.

Reinstalled ZoneAlarm and will run another Avast scan to see if it has been reinfected.  Otherwise the machine is acting a lot better.  Will let you know if it seems ship-shape or if any other problems today.  May be ready to give back to my friend.

Thanks!

Grisen

RESOLVED: Please help with Win32:BHO-KD [Trj] infection
« Reply #39 on: January 27, 2008, 08:57:25 PM »
Avast, Spybot and A-Squared scans were clean.

Thanks, you're the best!

Grisen

Offline essexboy

Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #40 on: January 27, 2008, 11:12:13 PM »
Now the best part of the day ----- Your log now appears clean  :thumbsup:

You may now delete the tools I had you download

Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point. To get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The system will do some calculation and then display a dialogue box with TABS
5. Select the More Options tab.
6. At the bottom will be a System Restore box with a CLEANUP button; click this
7. Accept the warning and select OK again; the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
  • SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?


Keep safe  :wave:
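The two-step procedure in the post above (create a clean restore point, then discard the older ones) in scripted form. This is an added example, not part of essexboy's post or any tool he recommends; it assumes an elevated PowerShell on Windows 7 or later, where Checkpoint-Computer, Get-ComputerRestorePoint and vssadmin are available, rather than the XP Disk Cleanup route the post describes. The restore point name "Clean" is the one the post suggests.

```powershell
# Added example: scripted form of "create a clean restore point, then remove
# the older ones". Assumes an elevated PowerShell on Windows 7 or later, not
# the Windows XP GUI the post describes.

$Description = 'Clean'   # the name typed in step 4 of the post

# Step 1: create the keeper restore point (System Restore > Create in the GUI).
Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

# Step 2: enumerate restore points; the highest SequenceNumber is the newest.
$points = Get-ComputerRestorePoint | Sort-Object SequenceNumber
$keep   = $points | Select-Object -Last 1
if ($keep.Description -ne $Description) {
    # Checkpoint-Computer may silently skip creation (e.g. the once-per-24h
    # limit on Windows 8 and later); never delete anything in that case.
    throw "Newest restore point is '$($keep.Description)', not '$Description'; stopping."
}
"Keeping restore point #$($keep.SequenceNumber) '$($keep.Description)'"

# Step 3: drop every older restore point. Restore points are stored as VSS
# shadow copies, so deleting the oldest shadow copy once per older point is
# the scripted equivalent of Disk Cleanup > More Options > System Restore >
# Clean up, which keeps only the most recent point.
$older = @($points | Where-Object { $_.SequenceNumber -lt $keep.SequenceNumber })
foreach ($p in $older) {
    $created = $p.ConvertToDateTime($p.CreationTime)
    "Deleting restore point #$($p.SequenceNumber) '$($p.Description)' from $created"
    vssadmin delete shadows "/for=$env:SystemDrive" /oldest /quiet | Out-Null
}

# Step 4: verify that only the clean point remains.
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize
```

Two caveats before running it: `vssadmin delete shadows /oldest` removes the oldest shadow copy on the volume whatever created it, so check `vssadmin list shadows` first if Windows Backup or other software also keeps shadow copies on the system drive; and on Windows 8 and later Checkpoint-Computer refuses to create a second restore point within 24 hours by default, which is why the script checks that the newest point really is the one it just asked for before deleting anything.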

agogo

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #41 on: January 28, 2008, 11:14:35 AM »
Dear All,

Would anyone help me to clean Win32:BHO-KD? My log is below:

Thanks in advance
agogo

ComboFix 08-01-28.2 - ahwa 2008-01-28 17:47:41.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.950.1.1028.18.678 [GMT 8:00]
執行位置?: C:\Documents and Settings\ahwa\桌面\ComboFix.exe
 * 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((   2007-12-28 - 2008-01-28 之間建立的檔案  )))))))))))))))))))))))))))))))))
.


agogo

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #42 on: January 28, 2008, 11:16:06 AM »
***continue***

2008-01-28 15:17 . 2008-01-28 15:17   <DIR>   d--------   C:\Documents and Settings\ahwa\Application Data\Grisoft
2008-01-28 15:14 . 2007-05-30 20:10   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-28 14:14 . 2008-01-28 14:17   <DIR>   d--------   C:\Program Files\BitComet
2008-01-28 14:14 . 2008-01-28 14:14   2,560   --a------   C:\WINDOWS\system32\bitcometres.dll
2008-01-07 10:26 . 2008-01-14 16:35   <DIR>   d--------   C:\Program Files\Panda Security
2008-01-04 17:16 . 2008-01-04 17:34   <DIR>   d--------   C:\Program Files\XoftSpySE
2008-01-03 17:38 . 2008-01-03 17:38   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-03 16:59 . 2008-01-03 16:59   <DIR>   d--------   C:\Deckard
2008-01-03 16:51 . 2008-01-03 16:51   116,596   -r-hs----   C:\copetttt.com
2008-01-03 15:02 . 2007-08-01 22:47   102,664   --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-03 13:56 . 2008-01-03 15:02   <DIR>   d--------   C:\Documents and Settings\ahwa\.housecall6.6
2008-01-03 11:52 . 2008-01-03 11:52   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2008-01-03 11:52 . 2006-10-04 22:06   1,197,294   -----c---   C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-03 11:52 . 2006-10-04 22:06   764,868   -----c---   C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-03 11:52 . 2006-10-04 22:06   217,118   -----c---   C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-03 11:51 . 2008-01-03 11:51   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
2008-01-03 10:20 . 2006-12-11 21:44   288,768   ---------   C:\WINDOWS\system32\rhttpaa.dll
2008-01-03 10:20 . 2006-12-11 21:44   116,736   ---------   C:\WINDOWS\system32\aaclient.dll
2008-01-03 10:20 . 2006-12-11 21:44   36,352   ---------   C:\WINDOWS\system32\tsgqec.dll
2008-01-03 10:18 . 2006-10-12 00:26   313,344   -----c---   C:\WINDOWS\system32\dllcache\p2pgraph.dll
2008-01-03 10:18 . 2006-10-12 00:26   153,088   -----c---   C:\WINDOWS\system32\dllcache\p2p.dll
2008-01-03 10:18 . 2006-10-12 00:26   116,224   -----c---   C:\WINDOWS\system32\dllcache\p2pnetsh.dll
2008-01-03 10:18 . 2006-10-12 00:26   104,960   -----c---   C:\WINDOWS\system32\dllcache\p2pgasvc.dll
2008-01-03 10:18 . 2006-10-12 00:26   58,880   -----c---   C:\WINDOWS\system32\dllcache\pnrpnsp.dll
2008-01-02 18:57 . 2007-08-13 18:54   33,792   --a--c---   C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-02 18:45 . 2008-01-02 18:45   <DIR>   d--------   C:\Program Files\MSXML 6.0
2008-01-02 18:41 . 2006-08-21 17:14   128,896   -----c---   C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-02 18:41 . 2006-08-21 17:14   23,040   -----c---   C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-02 18:41 . 2006-08-21 20:27   16,896   -----c---   C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-02 18:38 . 2007-07-06 20:50   660,992   -----c---   C:\WINDOWS\system32\dllcache\mqqm.dll
2008-01-02 18:38 . 2007-07-06 20:50   295,936   -----c---   C:\WINDOWS\system32\dllcache\mqutil.dll
2008-01-02 18:38 . 2007-07-06 20:50   177,152   -----c---   C:\WINDOWS\system32\dllcache\mqrt.dll
2008-01-02 18:38 . 2007-07-06 20:50   138,240   -----c---   C:\WINDOWS\system32\dllcache\mqad.dll
2008-01-02 18:38 . 2007-07-06 20:50   95,744   -----c---   C:\WINDOWS\system32\dllcache\mqsec.dll
2008-01-02 18:38 . 2007-07-06 18:05   72,960   -----c---   C:\WINDOWS\system32\dllcache\mqac.sys
2008-01-02 18:38 . 2007-07-06 20:50   48,640   -----c---   C:\WINDOWS\system32\dllcache\mqupgrd.dll
2008-01-02 18:38 . 2007-07-06 20:50   47,104   -----c---   C:\WINDOWS\system32\dllcache\mqdscli.dll
2008-01-02 18:38 . 2007-07-06 20:50   16,896   -----c---   C:\WINDOWS\system32\dllcache\mqise.dll
2008-01-02 18:35 . 2007-10-11 14:10   1,049,088   -----c---   C:\WINDOWS\system32\dllcache\danim.dll
2008-01-02 18:35 . 2007-10-11 14:10   150,016   -----c---   C:\WINDOWS\system32\dllcache\cdfview.dll
2008-01-02 18:32 . 2007-10-30 06:42   1,269,248   -----c---   C:\WINDOWS\system32\dllcache\quartz.dll
2008-01-02 18:19 . 2007-04-23 18:32   364,160   -----c---   C:\WINDOWS\system32\dllcache\update.sys
2008-01-02 18:14 . 2007-07-09 21:11   584,192   -----c---   C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-02 17:51 . 2007-05-17 19:29   549,376   -----c---   C:\WINDOWS\system32\dllcache\oleaut32.dll
2008-01-02 17:49 . 2007-06-18 19:39   977,920   -----c---   C:\WINDOWS\system32\dllcache\explorer.exe
2008-01-02 17:49 . 2007-06-18 19:40   246,784   -----c---   C:\WINDOWS\system32\dllcache\tapisrv.dll
2008-01-02 17:37 . 2007-04-16 23:54   1,150,976   -----c---   C:\WINDOWS\system32\dllcache\kernel32.dll
2008-01-02 17:32 . 2007-04-25 22:22   144,896   -----c---   C:\WINDOWS\system32\dllcache\schannel.dll
2008-01-02 17:26 . 2007-05-16 23:12   1,314,816   -----c---   C:\WINDOWS\system32\dllcache\msoe.dll
2008-01-02 17:26 . 2007-08-21 14:16   683,520   -----c---   C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-01-02 17:26 . 2007-05-16 23:12   510,976   -----c---   C:\WINDOWS\system32\dllcache\wab32.dll
2008-01-02 17:26 . 2007-05-16 23:11   86,528   -----c---   C:\WINDOWS\system32\dllcache\directdb.dll
2008-01-02 17:26 . 2007-05-16 23:12   85,504   -----c---   C:\WINDOWS\system32\dllcache\wabimp.dll
2008-01-02 17:17 . 2007-02-09 19:10   574,464   -----c---   C:\WINDOWS\system32\dllcache\ntfs.sys
2008-01-02 17:16 . 2006-10-12 19:09   256,512   -----c---   C:\WINDOWS\system32\dllcache\agentsvr.exe
2008-01-02 17:16 . 2006-10-12 22:04   42,496   -----c---   C:\WINDOWS\system32\dllcache\agentdp2.dll
2008-01-02 17:12 . 2007-03-09 21:48   57,344   -----c---   C:\WINDOWS\system32\dllcache\agentdpv.dll
2008-01-02 17:10 . 2007-02-06 04:18   182,784   -----c---   C:\WINDOWS\system32\dllcache\upnphost.dll
2008-01-02 17:09 . 2007-03-17 21:44   329,728   -----c---   C:\WINDOWS\system32\dllcache\winsrv.dll
2008-01-02 17:07 . 2007-03-01 00:02   2,180,224   -----c---   C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-02 17:07 . 2007-03-01 00:02   2,136,064   -----c---   C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-02 17:07 . 2007-03-01 00:02   2,057,472   -----c---   C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-01-02 17:07 . 2007-03-01 00:02   2,015,744   -----c---   C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-02 17:02 . 2007-03-08 23:33   1,843,200   -----c---   C:\WINDOWS\system32\dllcache\win32k.sys
2008-01-02 17:02 . 2007-03-08 23:37   572,928   -----c---   C:\WINDOWS\system32\dllcache\user32.dll
2008-01-02 17:02 . 2007-06-19 21:32   282,112   -----c---   C:\WINDOWS\system32\dllcache\gdi32.dll
2008-01-02 17:02 . 2007-03-08 23:37   40,960   -----c---   C:\WINDOWS\system32\dllcache\mf3216.dll
2008-01-02 16:58 . 2006-10-04 21:32   213,504   -----c---   C:\WINDOWS\system32\dllcache\osk.exe
2008-01-02 16:58 . 2006-10-04 21:32   71,680   -----c---   C:\WINDOWS\system32\dllcache\magnify.exe
2008-01-02 16:58 . 2006-10-04 21:32   51,712   -----c---   C:\WINDOWS\system32\dllcache\narrator.exe
2008-01-02 16:58 . 2006-10-04 21:32   49,664   -----c---   C:\WINDOWS\system32\dllcache\utilman.exe
2008-01-02 16:58 . 2006-10-04 21:38   34,816   -----c---   C:\WINDOWS\system32\dllcache\umandlg.dll
2008-01-02 16:55 . 2006-11-27 22:55   539,136   -----c---   C:\WINDOWS\system32\dllcache\msftedit.dll
2008-01-02 16:55 . 2006-11-27 22:55   433,152   -----c---   C:\WINDOWS\system32\dllcache\riched20.dll
2008-01-02 16:53 . 2006-12-26 21:08   536,576   -----c---   C:\WINDOWS\system32\dllcache\msado15.dll

agogo

  • Guest
Re: Please help with Win32:BHO-KD [Trj] infection
« Reply #43 on: January 28, 2008, 11:16:55 AM »
***continue***

2008-01-02 16:53 . 2006-12-26 21:08   200,704   -----c---   C:\WINDOWS\system32\dllcache\msadox.dll
2008-01-02 16:53 . 2006-12-26 21:08   180,224   -----c---   C:\WINDOWS\system32\dllcache\msadomd.dll
2008-01-02 16:53 . 2006-12-26 21:08   102,400   -----c---   C:\WINDOWS\system32\dllcache\msjro.dll
2008-01-02 16:52 . 2006-12-14 21:45   981,760   -----c---   C:\WINDOWS\system32\dllcache\mfc42u.dll
2008-01-02 16:50 . 2006-12-20 02:17   331,776   -----c---   C:\WINDOWS\system32\dllcache\wiaservc.dll
2008-01-02 16:48 . 2007-01-24 03:30   546,304   -----c---   C:\WINDOWS\system32\dllcache\hhctrl.ocx
2008-01-02 16:46 . 2007-10-26 00:42   8,320,512   --a--c---   C:\WINDOWS\system32\dllcache\shell32.dll
2008-01-02 16:46 . 2006-12-20 05:49   133,632   -----c---   C:\WINDOWS\system32\dllcache\shsvcs.dll
2008-01-02 16:39 . 2006-10-20 09:38   704,512   -----c---   C:\WINDOWS\system32\dllcache\sxs.dll
2008-01-02 16:37 . 2006-10-13 18:23   163,584   -----c---   C:\WINDOWS\system32\dllcache\nwrdr.sys
2008-01-02 16:37 . 2006-10-13 20:36   134,656   -----c---   C:\WINDOWS\system32\dllcache\nwprovau.dll
2008-01-02 16:37 . 2006-10-13 20:36   65,536   -----c---   C:\WINDOWS\system32\dllcache\nwwks.dll
2008-01-02 16:35 . 2007-11-07 17:26   699,904   -----c---   C:\WINDOWS\system32\dllcache\lsasrv.dll
2008-01-02 16:35 . 2006-08-17 20:29   332,288   -----c---   C:\WINDOWS\system32\dllcache\netapi32.dll
2008-01-02 16:35 . 2006-08-17 20:29   132,096   -----c---   C:\WINDOWS\system32\dllcache\wkssvc.dll
2008-01-02 16:33 . 2006-08-16 17:37   225,664   -----c---   C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-01-02 16:33 . 2006-08-16 19:59   100,352   -----c---   C:\WINDOWS\system32\dllcache\6to4svc.dll
2008-01-02 16:32 . 2006-08-25 23:49   617,472   -----c---   C:\WINDOWS\system32\dllcache\comctl32.dll
2008-01-02 16:27 . 2007-10-11 14:10   1,497,600   -----c---   C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-01-02 16:25 . 2006-08-14 18:34   332,928   -----c---   C:\WINDOWS\system32\dllcache\srv.sys
2008-01-02 16:23 . 2006-06-22 13:06   1,422,336   -----c---   C:\WINDOWS\system32\dllcache\query.dll
2008-01-02 16:23 . 2006-06-22 13:06   69,120   -----c---   C:\WINDOWS\system32\dllcache\ciodm.dll
2008-01-02 16:15 . 2006-06-27 01:41   8,192   -----c---   C:\WINDOWS\system32\dllcache\rasadhlp.dll
2008-01-02 16:11 . 2006-06-27 01:41   148,480   -----c---   C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-01-02 16:11 . 2006-05-19 21:21   109,056   -----c---   C:\WINDOWS\system32\dllcache\dhcpcsvc.dll

.
((((((((((((((((((((((((((((((((((((   近三個月內更動的檔案   )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 04:09   ---------   d-----w   C:\Program Files\UltimateZip 2007
2008-01-07 05:33   ---------   d-----w   C:\Program Files\Microsoft ActiveSync
2007-12-21 04:10   19,456   ----a-w   C:\WINDOWS\system32\drivers\xyiinixj.dat
2007-12-07 03:02   ---------   d-----w   C:\Documents and Settings\ahwa\Application Data\AdobeUM
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-11-07 09:26   699,904   ----a-w   C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42   1,269,248   ----a-w   C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((((((((   重要登錄檔   )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89BA6A94-E207-40A5-B017-272A25CAADBD}]
2001-09-17 20:00   87552   --a------   C:\WINDOWS\system32\dpnwsoc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-11 18:16 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2007-03-22 19:17 66400]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2007-03-22 19:17 98656]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-11 18:16 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2006-02-14 12:00 8704 C:\WINDOWS\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 22:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

R0 amhebrzp;amhebrzp;C:\WINDOWS\system32\drivers\xyiinixj.dat []
R1 ppmoucls;ppmoucls;C:\WINDOWS\system32\DRIVERS\ppmoucls.sys [2001-07-18 15:07]
R1 pptchpad;PenPower Touchpad;C:\WINDOWS\system32\DRIVERS\pptchpd5.sys [2002-01-02 20:28]
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 19:50]
S3 Arfumftr;Trust RF-Mouse filter driver;C:\WINDOWS\system32\DRIVERS\Arfumftr.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7aaaf358-6b40-11dc-8bfd-001676c54bfe}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac1974d0-ae9e-11dc-8c48-001a70ab63b5}]
\Shell\AutoRun\command - ntdelect.com
\Shell\explore\Command - ntdeIect.com
\Shell\open\Command - ntdeIect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0b80673-f2d0-11db-8b82-001676c54bfe}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f082993c-b9d8-11dc-8c52-001676c54bfe}]
\Shell\AutoRun\command - G:\copetttt.com
\Shell\explore\Command - G:\copetttt.com
\Shell\open\Command - G:\copetttt.com

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 17:48:47
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
完成時間?: 2008-01-28 17:49:03