Author Topic: Win32:BHO-R  (Read 20869 times)


MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #15 on: November 30, 2006, 03:21:21 PM »
Wow!! More homework!! But I do thank you, Frank, and look at the new knowledge that is being instilled into me!!

Not understanding your statement that HijackThis has its own folder. I do have a HijackThis folder on my desktop; I assume that I can just use it when ready for another scan?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:BHO-R
« Reply #16 on: November 30, 2006, 03:22:59 PM »
According to your log, it's running from a temp folder:

C:\DOCUME~1\Owner\LOCALS~1\Temp\HijackThis.exe
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #17 on: November 30, 2006, 09:59:31 PM »
Sorry for the lengthy time, the computer is pretty slow now. Every time I reboot, I have to wait for Avast to get done with detecting the Win32:BHO-R virus, which averages about 8 detections.
__________________________________________________
Assignments I managed to get done:
UCSearch, SoftwareOnline and MyWebSearch were not located in the Add/Remove listing. I did find and delete the first two using Search, locating them in the files. I could not find MyWebSearch; I had HijackThis fix it.
__________________________________________________
Need you to check one file. Can you please submit this file:
C:\PROGRA~1\CAMDEV~1\CAMUNZ~1\cuz.exe
to VirusTotal and report if any of the scanners identify it as malware?


From: scan@virustotal.com
Date: 11/30/06 09:12:45
To: rdj@pop.ctctel.com
Subject: [VirusTotal] Server notification
 
 
Complete scanning result of "cuz.exe", processed in VirusTotal at 11/30/2006 17:31:37 (CET).
 
[ file data ]
* name: cuz.exe
* size: 1310720
* md5.: 70fa86d2064a7ccfa53b6a647f9b643f
* sha1: da5c19747a0e17432973c0ba073f4e1c63c0059d
 
[ scan result ]
AntiVir 7.2.0.46/20061130 found nothing
Authentium 4.93.8/20061130 found nothing
Avast 4.7.892.0/20061130 found nothing
AVG 386/20061130 found nothing
BitDefender 7.2/20061130 found nothing
CAT-QuickHeal 8.00/20061130 found nothing
ClamAV devel-20060426/20061130 found nothing
DrWeb 4.33/20061130 found nothing
eSafe 7.0.14.0/20061130 found nothing
eTrust-InoculateIT 23.73.72/20061129 found nothing
eTrust-Vet 30.3.3223/20061130 found nothing
Ewido 4.0/20061130 found nothing
F-Prot 3.16f/20061130 found nothing
F-Prot4 4.2.1.29/20061130 found nothing
Fortinet 2.82.0.0/20061130 found nothing
Ikarus 0.2.65.0/20061130 found nothing
Kaspersky 4.0.2.24/20061130 found nothing
McAfee 4907/20061129 found nothing
Microsoft 1.1804/20061130 found nothing
NOD32v2 1892/20061130 found nothing
Norman 5.80.02/20061130 found nothing
Panda 9.0.0.4/20061129 found nothing
Prevx1 V2/20061130 found nothing
Sophos 4.11.0/20061116 found nothing
TheHacker 6.0.3.126/20061129 found nothing
UNA 1.83/20061129 found nothing
VBA32 3.11.1/20061130 found nothing
VirusBuster 4.3.15:9/20061130 found nothing

__________________________________________________
I did: Run the Microsoft MS Java removal tool.
__________________________________________________
And then install Sun Java: I was not able to download this program, it was taking way too long. I will try later.




MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #18 on: November 30, 2006, 10:02:15 PM »
The HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 1:32:20 PM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Registry Cleaner\RCSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Corel\Office7\Dad7\QUICK.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe




MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #19 on: November 30, 2006, 10:04:12 PM »
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn3\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn3\yt.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Registry Cleaner\RCSystemTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~2\soproc.exe -pack RegSoAlertWxLiteNnAj
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.ctctel.com/
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Offline FreewheelinFrank

Re: Win32:BHO-R
« Reply #20 on: November 30, 2006, 11:09:18 PM »
OK, I'm sure now that cuz.exe is nothing to worry about.

Have you tried ticking these entries in HijackThis, clicking 'Fix' and then rebooting?

O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)

O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~2\soproc.exe -pack RegSoAlertWxLiteNnAj

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
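The entries picked out in the reply above can be found mechanically. The following is an added example (editor's code, not part of the original thread and not HijackThis code) that parses a HijackThis 1.99.1 log and flags the same things: registrations whose file is gone, Run keys that launch through rundll32/ShellExec_RunDLL, anything executing from a Temp directory, Trusted Zone additions and NameServer settings. The sample log is constructed from lines in replies #18 and #19 plus one hypothetical Run entry ([example]) that points into Temp; the rule names and wording of the reasons are mine.

```python
"""Triage a HijackThis 1.99.1 log the way it was done by eye in this thread.

Added example: not part of the original post and not HijackThis code.
The rules come from what was ticked or left alone above:
  * O3/O9/O18/O23 entries reading "(no file)" or "(file missing)"
  * O4 Run entries that launch through rundll32 shell32.dll,ShellExec_RunDLL
  * anything executing from a \\Temp\\ directory
  * O15 Trusted Zone additions and O17 NameServer settings (review, not fix)
A "(file missing)" entry whose binary is nevertheless in the Running
processes list is reported separately: in this log that is the case for
the avast service lines, so they need checking rather than fixing.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section line reasons")

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - ")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r"\brundll32\b.*ShellExec_RunDLL", re.IGNORECASE)
BINARY_RE = re.compile(r"([\w~\-]+\.(?:exe|dll))", re.IGNORECASE)

# Constructed sample: lines copied from the log in replies #18/#19, plus one
# hypothetical Run entry ([example]) added to exercise the Temp rule.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~2\soproc.exe -pack RegSoAlertWxLiteNnAj
O4 - HKCU\..\Run: [example] C:\DOCUME~1\Owner\LOCALS~1\Temp\example.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O15 - Trusted Zone: http://toolbar.imageshack.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def parse_log(log_text):
    """Return (running_processes, [(section, line), ...]) from a HijackThis log."""
    processes, entries = [], []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False          # blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), line))
    return processes, entries


def triage(log_text):
    """Apply the rules from the docstring; returns Findings in log order."""
    processes, entries = parse_log(log_text)
    running = {basename(p) for p in processes}
    findings = []
    for sec, line in entries:
        reasons = []
        missing = "(no file)" in line or "(file missing)" in line
        binaries = BINARY_RE.findall(line)
        target = binaries[-1].lower() if binaries else None   # last exe/dll named
        if missing and target in running:
            reasons.append(f"marked missing but {target} is running: HijackThis "
                           "parse quirk with quoted service paths, verify before fixing")
        elif missing:
            reasons.append("orphaned registration, file is gone: safe to fix")
        if sec == "O4" and RUNDLL_RE.search(line):
            reasons.append(f"Run key launches {target} through rundll32/ShellExec_RunDLL")
        if TEMP_RE.search(line):
            reasons.append("executes from a Temp directory")
        if sec == "O15":
            reasons.append("site added to the IE Trusted Zone: remove unless you added it")
        if sec == "O17":
            reasons.append("DNS servers set in the registry: confirm they are your ISP's")
        if reasons:
            findings.append(Finding(sec, line, reasons))
    return findings


def fix_candidates(findings):
    """Lines to tick and 'Fix': orphaned registrations and the rundll32 launcher."""
    return [f.line for f in findings
            if any(r.startswith(("orphaned", "Run key")) for r in f.reasons)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", "; ".join(f.reasons))
        print("    ", f.line)
```

The O23 cross-check matters: the avast Mail Scanner and Web Scanner services read "(file missing)" in both logs above even though ashMaiSv.exe and ashWebSv.exe appear in the running-process list of the same logs, so a missing-file entry is only called an orphan when its binary is not running.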

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #21 on: November 30, 2006, 11:50:00 PM »
Clicked and Fixed the 4 items you listed:


Logfile of HijackThis v1.99.1
Scan saved at 3:47:01 PM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Registry Cleaner\RCSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Corel\Office7\Dad7\QUICK.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe



MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #22 on: November 30, 2006, 11:51:19 PM »
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn3\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn3\yt.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Registry Cleaner\RCSystemTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.ctctel.com/
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Offline FreewheelinFrank

Re: Win32:BHO-R
« Reply #23 on: December 01, 2006, 12:01:00 AM »
Any more warnings?

You can delete this file now:

C:\PROGRA~1\SOFTWA~2\soproc.exe

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #24 on: December 01, 2006, 12:09:04 AM »
I only got 2 (TWO) virus notices this time!! Gosh, what a tech!! I'll do the deleting, be right back with the scan report.

Offline FreewheelinFrank

Re: Win32:BHO-R
« Reply #25 on: December 01, 2006, 12:29:41 AM »
It may be worth cleaning out your temp files with CCleaner:

http://www.ccleaner.com/

And you might need to create a clean System Restore point and delete all previous System Restore points to remove all traces:

http://www.bleepingcomputer.com/tutorials/tutorial56.html

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #26 on: December 01, 2006, 12:50:42 AM »
I am finding this really bizarre!! This file, C:\PROGRA~1\SOFTWA~2\soproc.exe, that you want me to delete.
Ever since my stepson (Mr. KnowItAll) messed around with my computer during my absence earlier this year, I would get a message dialog box pop up just before the dial-up connection would come on, stating that this file was missing!! So every time we rebooted, we would have to click [OK] on it before we could go any further, and of course the computer ran OK after that. But now? I cannot find that file to delete!!

I rebooted again, hoping that dialog box would pop up so I could get the exact statement; no pop-up for PROGRA~1\SOFTWA~2\soproc.exe! However, 4 Avast warning detections showed up.

I can't seem to get the pop-up for [WinAntiVirus] to stop jumping up at me either!!

Offline FreewheelinFrank

Re: Win32:BHO-R
« Reply #27 on: December 01, 2006, 09:49:41 AM »
Sounds like a hidden Vundo infection:

http://wiki.castlecops.com/Vundo_Rootkit_Detection_and_Removal_Procedure

You need to follow step 8 on the page above:

8. Download VundoFix.exe by Atribune to your desktop.

To tell what the problem is with your remaining warnings, we need to know the file name and location given in the warnings.

Don't worry about soproc.exe; it's not active now. But you should have a good look for any files and folders related to MyWebSearch and delete them.

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #28 on: December 01, 2006, 07:14:38 PM »
Hmmmm... Got it?
I took careful notes and put all doings into WordPad, so I can share them with you all!!
*********************************************
[Info copied from Avast Detection Awareness dialog box]

Malware Name: Win32:BHO-R [Trj]
Malware Type: Trojan Horse
VPS version: 0652-6, 12/01/2006

[Earlier Booting] List of Warnings from Avast:
6:58 - C:\DOCUME~1\Owner\LOCALS~1\Temp\asqieakb.dll
7:00 - C:\DOCUME~1\Owner\LOCALS~1\Temp\tngjlcnc.dll
7:02 - C:\DOCUME~1\Owner\LOCALS~1\Temp\juxgjubq.dll
7:03 - C:\DOCUME~1\Owner\LOCALS~1\Temp\heoiygaa.dll
8:18 - C:\DOCUME~1\Owner\LOCALS~1\Temp\bikrhkhh.dll
8:20 - C:\DOCUME~1\Owner\LOCALS~1\Temp\smmyuwbj.dll
8:23 - C:\DOCUME~1\Owner\LOCALS~1\Temp\efpkuvag.dll
8:24 - C:\DOCUME~1\Owner\LOCALS~1\Temp\nkfkuhgi.dll
8:25 - C:\DOCUME~1\Owner\LOCALS~1\Temp\aqqwonja.dll

[Rebooted] List of Warnings from Avast:
9:07 - C:\DOCUME~1\Owner\LOCALS~1\Temp\pjxbbeoa.dll 
9:13 - C:\DOCUME~1\Owner\LOCALS~1\Temp\shiiqynx.dll
9:14 - C:\DOCUME~1\Owner\LOCALS~1\Temp\hynnqjdu.dll
9:16 - C:\DOCUME~1\Owner\LOCALS~1\Temp\vkctngtb.dll

[Rebooted, emptied internet temp files] List of Warnings from Avast:
9:47 - C:\DOCUME~1\Owner\LOCALS~1\Temp\qaecbqpd.dll
9:51 - C:\DOCUME~1\Owner\LOCALS~1\Temp\uramwsci.dll
9:54 - C:\DOCUME~1\Owner\LOCALS~1\Temp\pltrllsn.dll
9:55 - C:\DOCUME~1\Owner\LOCALS~1\Temp\icplxxta.dll
9:56 - C:\DOCUME~1\Owner\LOCALS~1\Temp\tdxcoeba.dll

[Ran VundoFix.exe/Rebooted]
10:26 AM

Copy of VundoFix output in C:\vundofix.txt:
    C:\WINDOWS\dobcbk.dll
    C:\WINDOWS\kbcbod.ini
    C:\WINDOWS\kbcbod.bak1
    C:\WINDOWS\kbcbod.bak2
    C:\WINDOWS\kbcbod.ini2
    C:\WINDOWS\kbcbod.tmp

10:51 – No Warning Detections from Avast

[Rebooted]
10:56 AM

**********************************************
It is 11:15 AM ... and no pop-ups ... no Avast warnings!
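Two checks drawn from the data in the post above, as an added example (editor's code, not VundoFix, avast or the original poster's): counting the 8-letter lower-case DLL names avast keeps finding in Temp per boot and confirming that no name is ever reused, and scanning the vundofix.txt file list for a DLL whose companion files are named with its stem reversed (dobcbk.dll beside kbcbod.ini, kbcbod.bak1 and so on). The 8-lowercase-letter pattern is a heuristic read off the names listed above; the kernel32.dll entry in the file list is a hypothetical benign line added for contrast.

```python
"""Two checks on the Vundo-style evidence posted above.

Added example: not part of the original post and not VundoFix/avast code.
1. avast names a fresh 8-letter lower-case .dll in the user's Temp directory
   every minute or two and a new batch after every reboot, so a list of
   names or hashes never catches up; the signal is location + pattern + rate.
2. vundofix.txt lists C:\\WINDOWS\\dobcbk.dll next to kbcbod.* files: the
   companions carry the DLL's stem reversed.  Finding such a pair points at
   the loader that keeps dropping the Temp DLLs, which emptying Temp and the
   browser cache (tried twice above) could never remove.
"""
import re
from collections import Counter

# Constructed from the warning list in the post above (hyphens normalised).
AVAST_WARNINGS = r"""
[Earlier Booting] List of Warnings from Avast:
6:58 - C:\DOCUME~1\Owner\LOCALS~1\Temp\asqieakb.dll
7:00 - C:\DOCUME~1\Owner\LOCALS~1\Temp\tngjlcnc.dll
7:02 - C:\DOCUME~1\Owner\LOCALS~1\Temp\juxgjubq.dll
7:03 - C:\DOCUME~1\Owner\LOCALS~1\Temp\heoiygaa.dll
8:18 - C:\DOCUME~1\Owner\LOCALS~1\Temp\bikrhkhh.dll
8:20 - C:\DOCUME~1\Owner\LOCALS~1\Temp\smmyuwbj.dll
8:23 - C:\DOCUME~1\Owner\LOCALS~1\Temp\efpkuvag.dll
8:24 - C:\DOCUME~1\Owner\LOCALS~1\Temp\nkfkuhgi.dll
8:25 - C:\DOCUME~1\Owner\LOCALS~1\Temp\aqqwonja.dll
[Rebooted] List of Warnings from Avast:
9:07 - C:\DOCUME~1\Owner\LOCALS~1\Temp\pjxbbeoa.dll
9:13 - C:\DOCUME~1\Owner\LOCALS~1\Temp\shiiqynx.dll
9:14 - C:\DOCUME~1\Owner\LOCALS~1\Temp\hynnqjdu.dll
9:16 - C:\DOCUME~1\Owner\LOCALS~1\Temp\vkctngtb.dll
[Rebooted, emptied internet temp files] List of Warnings from Avast:
9:47 - C:\DOCUME~1\Owner\LOCALS~1\Temp\qaecbqpd.dll
9:51 - C:\DOCUME~1\Owner\LOCALS~1\Temp\uramwsci.dll
9:54 - C:\DOCUME~1\Owner\LOCALS~1\Temp\pltrllsn.dll
9:55 - C:\DOCUME~1\Owner\LOCALS~1\Temp\icplxxta.dll
9:56 - C:\DOCUME~1\Owner\LOCALS~1\Temp\tdxcoeba.dll
"""

# Constructed from C:\vundofix.txt as posted; kernel32.dll is a hypothetical
# benign entry added so the reversed-stem check has something to ignore.
VUNDOFIX_FILES = [
    r"C:\WINDOWS\dobcbk.dll",
    r"C:\WINDOWS\kbcbod.ini",
    r"C:\WINDOWS\kbcbod.bak1",
    r"C:\WINDOWS\kbcbod.bak2",
    r"C:\WINDOWS\kbcbod.ini2",
    r"C:\WINDOWS\kbcbod.tmp",
    r"C:\WINDOWS\system32\kernel32.dll",
]

WARN_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2}) - (?P<path>.+\.dll)\s*$", re.IGNORECASE)
TEMP_DROP_RE = re.compile(r"\\temp\\([a-z]{8})\.dll$", re.IGNORECASE)


def parse_warnings(text):
    """Yield (boot_label, time, path) from the warning list as posted."""
    boot = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and "]" in line:
            boot = line[1:line.index("]")]
            continue
        m = WARN_RE.match(line)
        if m and boot is not None:
            yield boot, m.group("time"), m.group("path")


def temp_drop_pattern(path):
    """True for ...\\Temp\\xxxxxxxx.dll with an 8-letter lower-case name (heuristic)."""
    m = TEMP_DROP_RE.search(path)
    return bool(m) and m.group(1).islower()


def drops_per_boot(text):
    """Count pattern-matching Temp DLLs per boot and how many names were reused."""
    counts, names = Counter(), []
    for boot, _time, path in parse_warnings(text):
        if temp_drop_pattern(path):
            counts[boot] += 1
            names.append(path.rsplit("\\", 1)[-1].lower())
    reused = len(names) - len(set(names))
    return counts, reused


def reversed_name_companions(paths):
    """Map each DLL to files whose stem is the DLL's stem reversed (dobcbk -> kbcbod)."""
    by_stem = {}
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        by_stem.setdefault(stem.lower(), []).append((p, ext.lower()))
    hits = {}
    for stem, files in by_stem.items():
        dlls = [p for p, ext in files if ext == "dll"]
        mates = by_stem.get(stem[::-1], [])
        if dlls and mates and stem != stem[::-1]:     # skip palindromic stems
            hits[dlls[0]] = [p for p, _ in mates]
    return hits


if __name__ == "__main__":
    counts, reused = drops_per_boot(AVAST_WARNINGS)
    for boot, n in counts.items():
        print(f"{n:2d} Temp DLLs during boot '{boot}'")
    print("names reused across boots:", reused)
    for dll, mates in reversed_name_companions(VUNDOFIX_FILES).items():
        print("loader candidate:", dll, "companions:", ", ".join(mates))
```

The per-boot counts match what the poster saw (9, 4 and 5 detections) and every one of the 18 names is unique, which is why neither the Temp cleanups nor a signature for any single file stopped the warnings; only removing the loader that VundoFix identified did.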


MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #29 on: December 01, 2006, 07:26:39 PM »
So, I am now feeling well taught!! And so extremely appreciative of you techs. I would like to donate to this cause; please let me know if I can do this.

After looking through all of our notes, I noticed that in the very first request for your help I stated where Avast was detecting the virus from, and noted that I had numerous pop-ups.

I have learnt that not having anti-malware on our systems is not something to be naive about!! Such a simple requirement, with complicated responses!! Duh...
But how can we country persons be smart enough to know of these things?

It is 11:26 AM ... still no pop-ups and NO Avast detection warnings!!