Author Topic: Yet another Win32:BHO-KD. Help Please!!  (Read 12983 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #15 on: January 03, 2008, 11:35:46 PM »
my address is available in my profile (for registered users)... anyway it is krejdl[at]avast[dot]com ;)

Strange, I checked before I asked you. I guess I'm not registered??  ;D

Asha

  • Guest
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #16 on: January 03, 2008, 11:41:56 PM »
OK - will go do that now. I'm guessing I need to tell him what the password is set to on the zip file?


Anyway - new logfiles:

ComboFix 08-01-03.3 - Asha 2008-01-03 22:28:09.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.2.1033.18.640 [GMT 0:00]
Running from: C:\Documents and Settings\Asha\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Asha\Desktop\CFscript.txt
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2007-12-03 to 2008-01-03  )))))))))))))))))))))))))))))))
.

2008-01-03 21:05 . 2008-01-03 22:24   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-03 21:05 . 2008-01-03 21:05   <DIR>   d--------   C:\Documents and Settings\Asha\Application Data\SUPERAntiSpyware.com
2008-01-03 21:05 . 2008-01-03 21:05   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-03 20:43 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-03 02:37 . 2008-01-03 05:15   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-03 02:37 . 2008-01-03 02:37   1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-31 02:19 . 2007-12-31 02:19   <DIR>   d--------   C:\Program Files\Common Files\Blizzard Entertainment
2007-12-22 19:00 . 2007-12-22 19:00   1,188,375   --a------   C:\WINDOWS\system32\libeay32.dll
2007-12-22 19:00 . 2007-12-22 19:00   741,632   --a------   C:\WINDOWS\system32\ggempgum.dat
2007-12-22 19:00 . 2007-12-22 19:00   246,545   --a------   C:\WINDOWS\system32\libssl32.dll
2007-12-22 19:00 . 2007-12-25 19:23   120,576   --a------   C:\WINDOWS\system32\vastqgrq.dat
2007-12-22 19:00 . 2007-12-22 19:00   42,240   --a------   C:\WINDOWS\system32\kwlondop.dat
2007-12-22 19:00 . 2007-12-22 19:00   36,096   --a------   C:\WINDOWS\system32\ebegvisf.dat
2007-12-22 19:00 . 2007-12-22 19:00   35,072   --a------   C:\WINDOWS\system32\zdmrqigk.dat
2007-12-22 17:31 . 2005-10-29 06:49   84,480   --a------   C:\WINDOWS\system32\bcsprsrcc.dll.bak
2007-12-22 17:30 . 2007-12-22 17:30   15,872   --a------   C:\WINDOWS\system32\538cy1.exe
2007-12-13 17:29 . 2007-12-13 17:29   244   --ah-----   C:\sqmnoopt00.sqm
2007-12-13 17:29 . 2007-12-13 17:29   232   --ah-----   C:\sqmdata00.sqm

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 21:04   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 16:45   ---------   d-----w   C:\Program Files\XP Repair Pro 2007
2007-12-08 12:44   ---------   d-----w   C:\Documents and Settings\Asha\Application Data\Canon
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-11-22 16:06   ---------   d-----w   C:\Program Files\Java
2007-11-13 14:57   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Nokia
2007-11-13 14:56   ---------   d-----w   C:\Program Files\Nokia
2007-11-13 14:56   ---------   d-----w   C:\Program Files\Common Files\Nokia
2007-11-13 14:55   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Installations
2007-11-13 14:52   ---------   d-----w   C:\Documents and Settings\Asha\Application Data\Nokia Multimedia Player
2007-11-13 10:25   20,480   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40   227,328   ----a-w   C:\WINDOWS\system32\wmasf.dll
2007-01-01 22:58   57,143   -c--a-w   C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_01_22_56_39_small.dmp.zip
2006-07-15 12:09   17,654,084   -c--a-w   C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_07_15_13_00_07_full.dmp.zip
2006-05-15 18:39   40,055   -c--a-w   C:\WINDOWS\Internet Logs\vsmon_2nd_2006_05_15_18_06_47_small.dmp.zip
2001-11-23 12:08   712,704   -c--a-w   C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

(((((((((((((((((((((((((((((   snapshot@2008-01-03_20.53.47.75   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-03 21:05:14   29,696   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-03 21:05:14   18,944   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-03 21:05:14   65,024   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-01-03 21:36:14   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_498.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2007-06-28 11:53 258048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-18 22:02 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2005-12-19 11:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 05:06 5181440]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 14:43]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 22:29:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 22:30:04
ComboFix-quarantined-files.txt  2008-01-03 22:29:55
ComboFix2.txt  2008-01-03 20:54:00
.
2007-12-21 12:25:48   --- E O F --- 
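
The ComboFix log in this reply is what the helpers read to spot the dropped files: seven files landing in system32 in the same minute, several with pseudo-random eight-letter names. As an added example (not code from this thread, from ComboFix, or from its author), here is a small Python parser for the "Files Created" section that groups system32 files by creation minute and reports any cluster, the same pattern oldman later lists for removal. The sample input is constructed from lines posted above; the cluster threshold and the "eight lowercase letters plus .dat" name heuristic are assumptions of this example, not ComboFix rules.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: "Files Created" lines in ComboFix's log format,
# copied from the log posted in this thread plus two benign entries for contrast.
SAMPLE_LOG = r"""
2008-01-03 21:05 . 2008-01-03 22:24   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-03 20:43 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-12-22 19:00 . 2007-12-22 19:00   1,188,375   --a------   C:\WINDOWS\system32\libeay32.dll
2007-12-22 19:00 . 2007-12-22 19:00   741,632   --a------   C:\WINDOWS\system32\ggempgum.dat
2007-12-22 19:00 . 2007-12-22 19:00   246,545   --a------   C:\WINDOWS\system32\libssl32.dll
2007-12-22 19:00 . 2007-12-25 19:23   120,576   --a------   C:\WINDOWS\system32\vastqgrq.dat
2007-12-22 19:00 . 2007-12-22 19:00   42,240   --a------   C:\WINDOWS\system32\kwlondop.dat
2007-12-22 19:00 . 2007-12-22 19:00   36,096   --a------   C:\WINDOWS\system32\ebegvisf.dat
2007-12-22 19:00 . 2007-12-22 19:00   35,072   --a------   C:\WINDOWS\system32\zdmrqigk.dat
2007-12-22 17:31 . 2005-10-29 06:49   84,480   --a------   C:\WINDOWS\system32\bcsprsrcc.dll.bak
2007-12-22 17:30 . 2007-12-22 17:30   15,872   --a------   C:\WINDOWS\system32\538cy1.exe
2007-12-13 17:29 . 2007-12-13 17:29   244   --ah-----   C:\sqmnoopt00.sqm
"""

# One log line: created . modified   size|<DIR>   attributes   path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>\S.*?)\s*$"
)

SYSTEM32 = r"C:\WINDOWS\system32"


def parse_files_created(text):
    """Return one dict per parsable log line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["is_dir"] = e["size"] == "<DIR>"
        e["size"] = 0 if e["is_dir"] else int(e["size"].replace(",", ""))
        entries.append(e)
    return entries


def in_system32(path):
    """True when the file sits directly in system32 (case-insensitive compare)."""
    return str(PureWindowsPath(path).parent).lower() == SYSTEM32.lower()


def find_drop_clusters(entries, min_files=3):
    """Group system32 files by creation minute and keep groups of at least
    min_files paths. Heuristic chosen for this example: several files landing
    in system32 within one minute is worth a look, not a verdict."""
    by_minute = defaultdict(list)
    for e in entries:
        if not e["is_dir"] and in_system32(e["path"]):
            by_minute[e["created"]].append(e["path"])
    return {ts: paths for ts, paths in by_minute.items() if len(paths) >= min_files}


# Assumption of this example: the naming pattern seen in this thread's log.
RANDOM_DAT = re.compile(r"^[a-z]{8}\.dat$")


def is_random_looking_name(path):
    """Narrow heuristic: eight lowercase letters plus a .dat extension."""
    return RANDOM_DAT.match(PureWindowsPath(path).name) is not None


def report(entries, min_files=3):
    """Human-readable lines per cluster, tagging random-looking names and
    files whose modified time is later than their creation time."""
    lines = []
    modified_after = {e["path"] for e in entries if e["modified"] > e["created"]}
    for ts, paths in find_drop_clusters(entries, min_files).items():
        lines.append(f"{len(paths)} files created in system32 at {ts}:")
        for p in paths:
            tags = []
            if is_random_looking_name(p):
                tags.append("random-looking name")
            if p in modified_after:
                tags.append("modified after creation")
            lines.append(f"  {p}" + (f"  [{', '.join(tags)}]" if tags else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_files_created(SAMPLE_LOG))))
```

Run it directly to print the report for the sample; on this input it surfaces the single 2007-12-22 19:00 cluster of seven files, which is exactly the set that is later moved with OTMoveIt. Timestamps are compared as strings, which works because ComboFix writes them in a fixed zero-padded format.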

Asha

  • Guest
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #17 on: January 03, 2008, 11:42:24 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31:07, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ashatank.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - E:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 4965 bytes

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #18 on: January 03, 2008, 11:42:46 PM »
oldman: hah, sorry.. I forgot that I've turned on the e-mail address hiding (the weapon against spam robots) ;D

Asha

  • Guest
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #19 on: January 03, 2008, 11:47:22 PM »
Just got the following message when I tried to zip the quarantine folder:

!   Quarantine.zip: Cannot open Quarantine\C\WINDOWS\system32\drivers\gykrvpys.dat.vir
    Access is denied.


It's still created a zip file though - so I'll email that through to Maxx now.

Asha

  • Guest
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #20 on: January 03, 2008, 11:52:27 PM »
email sent :)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #21 on: January 04, 2008, 12:28:33 AM »
Well, that fix didn't work, so we'll use something just a bit bigger.

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\bcsprsrcc.dll.bak
    C:\WINDOWS\system32\ggempgum.dat
    C:\WINDOWS\system32\vastqgrq.dat
    C:\WINDOWS\system32\kwlondop.dat
    C:\WINDOWS\system32\ebegvisf.dat
    C:\WINDOWS\system32\libeay32.dll
    C:\WINDOWS\system32\libssl32.dll
    C:\WINDOWS\system32\zdmrqigk.dat
    C:\WINDOWS\system32\538cy1.exe



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.

Please post the results and a new combofix log.  Thanks

Asha

  • Guest
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #22 on: January 04, 2008, 01:00:57 AM »
C:\WINDOWS\system32\bcsprsrcc.dll.bak moved successfully.
C:\WINDOWS\system32\ggempgum.dat moved successfully.
C:\WINDOWS\system32\vastqgrq.dat moved successfully.
C:\WINDOWS\system32\kwlondop.dat moved successfully.
C:\WINDOWS\system32\ebegvisf.dat moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libeay32.dll NOT unregistered.
C:\WINDOWS\system32\libeay32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\libssl32.dll NOT unregistered.
C:\WINDOWS\system32\libssl32.dll moved successfully.
C:\WINDOWS\system32\zdmrqigk.dat moved successfully.
C:\WINDOWS\system32\538cy1.exe moved successfully.
 
OTMoveIt2 v1.0.4 log created on 01032008_235906


Just off to run ComboFix again now...

Asha

  • Guest
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #23 on: January 04, 2008, 01:07:13 AM »
ComboFix 08-01-03.3 - Asha 2008-01-04  0:03:30.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.2.1033.18.518 [GMT 0:00]
Running from: C:\Documents and Settings\Asha\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-12-04 to 2008-01-04  )))))))))))))))))))))))))))))))
.

2008-01-03 21:05 . 2008-01-03 22:24   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-03 21:05 . 2008-01-03 21:05   <DIR>   d--------   C:\Documents and Settings\Asha\Application Data\SUPERAntiSpyware.com
2008-01-03 21:05 . 2008-01-03 21:05   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-03 20:43 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-03 02:37 . 2008-01-03 05:15   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-03 02:37 . 2008-01-03 02:37   1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-31 02:19 . 2007-12-31 02:19   <DIR>   d--------   C:\Program Files\Common Files\Blizzard Entertainment
2007-12-13 17:29 . 2007-12-13 17:29   244   --ah-----   C:\sqmnoopt00.sqm
2007-12-13 17:29 . 2007-12-13 17:29   232   --ah-----   C:\sqmdata00.sqm

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 23:43   ---------   d-----w   C:\Program Files\XP Repair Pro 2007
2008-01-03 21:04   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 12:44   ---------   d-----w   C:\Documents and Settings\Asha\Application Data\Canon
2007-12-04 14:56   93,264   -c--a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   -c--a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   -c--a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   -c--a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   -c--a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   -c--a-w   C:\WINDOWS\system32\AvastSS.scr
2007-11-22 16:06   ---------   d-----w   C:\Program Files\Java
2007-11-13 14:57   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Nokia
2007-11-13 14:56   ---------   d-----w   C:\Program Files\Nokia
2007-11-13 14:56   ---------   d-----w   C:\Program Files\Common Files\Nokia
2007-11-13 14:55   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Installations
2007-11-13 14:52   ---------   d-----w   C:\Documents and Settings\Asha\Application Data\Nokia Multimedia Player
2007-11-13 10:25   20,480   -c--a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43   1,287,680   -c--a-w   C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40   227,328   -c--a-w   C:\WINDOWS\system32\wmasf.dll
2007-01-01 22:58   57,143   -c--a-w   C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_01_22_56_39_small.dmp.zip
2006-07-15 12:09   17,654,084   -c--a-w   C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_07_15_13_00_07_full.dmp.zip
2006-05-15 18:39   40,055   -c--a-w   C:\WINDOWS\Internet Logs\vsmon_2nd_2006_05_15_18_06_47_small.dmp.zip
2001-11-23 12:08   712,704   -c--a-w   C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

(((((((((((((((((((((((((((((   snapshot@2008-01-03_20.53.47.75   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-03 21:05:14   29,696   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-03 21:05:14   18,944   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-03 21:05:14   65,024   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-01-03 21:36:14   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_498.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2007-06-28 11:53 258048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-18 22:02 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2005-12-19 11:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 05:06 5181440]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 14:43]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 00:04:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04  0:04:39
ComboFix-quarantined-files.txt  2008-01-04 00:04:31
ComboFix2.txt  2008-01-04 00:02:52
ComboFix3.txt  2008-01-03 22:30:04
ComboFix4.txt  2008-01-03 20:54:00
.
2007-12-21 12:25:48   --- E O F --- 

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #24 on: January 04, 2008, 01:39:16 AM »
Looks good. Can you quickly give me an HJT log?

Asha

  • Guest
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #25 on: January 04, 2008, 03:09:29 AM »
Yep, sorry, got watching a film.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:08:55, on 04/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ashatank.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - E:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 4978 bytes

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #26 on: January 04, 2008, 03:29:40 AM »
Quote
Yep, sorry got watching a film.


No problem.  ;)

Looks good.

Click Start, then Run, and copy and paste this line into the box:

combofix /u

Open OTMOVEIT, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

Create a new restore point

You must be logged on to an administrator account.
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

Remove old restore points

Disk Cleanup
- Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.



Download and run this clean-up utility, keep it around and use it from time to time. When first run it will be in demo mode; have a look at what it will remove, then rerun in real mode. It is configurable.

CleanUp




If you are using Windows Firewall, please be advised it doesn't provide outbound monitoring. A third-party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0


Take care.

Asha

  • Guest
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #27 on: January 04, 2008, 08:06:49 PM »
Thanks very much.

Seems to be running much faster now :D

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #28 on: January 04, 2008, 08:16:42 PM »
Glad I could help. Keep safe.  8)