please help me with my Win32:BHO-KD [Trj] problem

[polonus]

Yes, ceann,

Do as oldman tells you because this could infect any drive, so also a flash drive, what an USB stick is actually, and RAVMON.exe is dangerous: - RAVMON.exe a.k.a. W32.Nomvar is a worm that copies itself to the root of all drives, including removable and shared drives, and downloads potentially malicious files on to the compromised computer.
Related files:
[DRIVE LETTER]:\RavMon.exe
[DRIVE LETTER]:\Autorun.inf
%Windir%\svchost.exe

Kill the process RavMon.exe and remove RavMon.exe from Windows startup

polonus

[ceann]

ravmon is not in the list of processes in task manager and it isnt in the windows startup items as well

[ceann]

here's the result... 

ComboFix 08-01-04.1 - Manalang 2008-01-06  9:17:59.2 - NTFSx86
Running from: D:\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-12-06 to 2008-01-06  )))))))))))))))))))))))))))))))
.

2008-01-05 19:21 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-05 17:48 . 2008-01-05 17:48   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-05 17:41 . 2008-01-05 17:50   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-05 17:41 . 2008-01-05 17:41   <DIR>   d--------   C:\Documents and Settings\Manalang\Application Data\SUPERAntiSpyware.com
2008-01-05 17:40 . 2008-01-05 17:40   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 10:40 . 2008-01-05 16:54   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2008-01-01 10:36 . 2008-01-01 10:36   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2008-01-01 10:36 . 2008-01-01 10:38   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
2008-01-01 09:53 . 2008-01-01 09:53   <DIR>   d--------   C:\WINDOWS\system32\Kaspersky Lab
2008-01-01 09:53 . 2008-01-01 09:53   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-01 09:50 . 2008-01-01 09:50   <DIR>   d--------   C:\WINDOWS\system32\ActiveScan
2008-01-01 09:50 . 2008-01-01 09:50   30,590   --a------   C:\WINDOWS\system32\pavas.ico
2008-01-01 09:50 . 2008-01-01 09:50   2,550   --a------   C:\WINDOWS\system32\Uninstall.ico
2008-01-01 09:50 . 2008-01-01 09:50   1,406   --a------   C:\WINDOWS\system32\Help.ico
2008-01-01 07:28 . 2008-01-01 07:28   <DIR>   d--------   C:\Program Files\Microsoft Works
2008-01-01 07:17 . 2008-01-01 07:27   <DIR>   d--------   C:\WINDOWS\SHELLNEW
2008-01-01 07:15 . 2008-01-01 07:33   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-01 07:14 . 2008-01-01 07:14   <DIR>   dr-h-----   C:\MSOCache
2008-01-01 07:08 . 2008-01-01 07:08   <DIR>   d--------   C:\Documents and Settings\Manalang\Application Data\DAEMON Tools
2008-01-01 07:07 . 2008-01-01 07:08   <DIR>   d--------   C:\Program Files\DAEMON Tools Lite
2007-12-31 16:25 . 2007-12-31 16:26   715,248   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2007-12-31 08:02 . 2007-10-10 15:55   6,065,664   -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-31 08:02 . 2007-06-30 19:31   2,455,488   -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-31 08:02 . 2007-06-30 19:36   991,232   -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-31 08:02 . 2007-10-10 15:55   459,264   -----c---   C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-31 08:02 . 2007-10-10 15:55   383,488   -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-31 08:02 . 2007-10-10 15:55   267,776   -----c---   C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-31 08:02 . 2007-10-10 15:55   63,488   -----c---   C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-31 08:02 . 2007-10-10 15:55   52,224   -----c---   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-31 08:02 . 2007-10-10 02:59   13,824   -----c---   C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-31 07:37 . 2007-12-31 07:37   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-25 11:48 . 2007-12-25 11:48   <DIR>   d--------   C:\Program Files\e-Games
2007-12-22 13:45 . 2007-12-22 13:45   <DIR>   d--------   C:\Documents and Settings\Manalang\LimeWire Store Purchased
2007-12-21 11:13 . 2007-12-21 11:13   <DIR>   d--------   C:\WINDOWS\Sun
2007-12-21 08:49 . 2007-12-22 13:17   <DIR>   d--------   C:\Documents and Settings\Manalang\Application Data\DivX
2007-12-21 08:42 . 2007-12-21 08:43   <DIR>   d--------   C:\Program Files\DivX
2007-12-20 19:03 . 2004-08-03 14:56   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2007-12-20 18:33 . 2007-12-20 18:33   <DIR>   d--------   C:\Program Files\Windows Defender
2007-12-20 18:14 . 2007-05-27 04:17   676,224   --a------   C:\WINDOWS\system32\OGACheckControl.dll
2007-12-20 18:14 . 2007-04-10 14:01   336,768   --a------   C:\WINDOWS\system32\wgatray.exe.old
2007-12-20 18:14 . 2007-04-10 14:00   236,928   --a------   C:\WINDOWS\system32\wgalogon.dll.old
2007-12-20 17:33 . 2007-12-20 17:33   <DIR>   d--------   C:\Program Files\Panicware
2007-12-20 16:40 . 2007-12-20 16:40   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 15:04 . 2004-08-03 23:08   26,496   --a--c---   C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-20 12:34 . 2007-12-20 12:34   <DIR>   d--------   C:\Documents and Settings\Manalang\Incomplete
2007-12-20 12:33 . 2008-01-05 14:30   <DIR>   d--------   C:\Documents and Settings\Manalang\Application Data\LimeWire
2007-12-20 12:15 . 2003-07-20 01:17   5,174   --a------   C:\WINDOWS\system32\nppt9x.vxd
2007-12-20 12:15 . 2005-01-03 16:43   4,682   --a------   C:\WINDOWS\system32\npptNT2.sys
2007-12-20 11:56 . 2007-12-20 13:39   754   --a------   C:\WINDOWS\WORDPAD.INI
2007-12-20 10:48 . 2008-01-06 09:07   <DIR>   d--------   C:\Program Files\LimeWire
2007-12-20 10:48 . 2007-09-24 23:31   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2007-12-20 10:46 . 2007-12-20 10:48   <DIR>   d--------   C:\Program Files\Java
2007-12-20 10:33 . 2007-12-20 10:33   <DIR>   d--------   C:\Program Files\Common Files\Java
2007-12-20 10:25 . 2007-12-31 11:23   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2007-12-20 10:25 . 2006-09-25 17:58   23,856   --a------   C:\WINDOWS\system32\spupdsvc.exe
2007-12-20 09:32 . 2007-12-20 09:32   <DIR>   d--------   C:\Program Files\Alwil Software
2007-12-20 09:20 . 2006-06-14 00:47   172,416   --a------   C:\WINDOWS\system32\drivers\kmixer.sys
2007-12-20 09:19 . 2007-10-26 11:20   4,124,352   -ra------   C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-12-20 09:15 . 2007-12-20 09:15   <DIR>   d--------   C:\Program Files\Realtek AC97
2007-12-20 09:15 . 2006-12-08 15:20   10,528,768   --a------   C:\WINDOWS\system32\RTLCPL.exe
2007-12-20 09:15 . 2002-02-05 13:54   141,016   --a------   C:\WINDOWS\system32\alsndmgr.wav
2007-12-20 09:14 . 2007-12-20 09:14   <DIR>   d--h-----   C:\Program Files\InstallShield Installation Information
2007-12-20 09:14 . 2007-12-20 09:14   <DIR>   d--------   C:\Program Files\Common Files\InstallShield
2007-12-20 09:14 . 2007-12-20 09:14   <DIR>   d--hs----   C:\Documents and Settings\Manalang\UserData
2007-12-20 09:14 . 2006-11-17 05:40   18,804,736   --a------   C:\WINDOWS\system32\alsndmgr.cpl
2007-12-20 09:14 . 2007-04-16 15:28   577,536   --a------   C:\WINDOWS\soundman.exe
2007-12-20 09:14 . 2006-07-31 11:19   315,392   --a------   C:\WINDOWS\alcupd.exe
2007-12-20 09:14 . 2006-07-31 11:27   217,088   --a------   C:\WINDOWS\Alcrmv.exe
2007-12-20 09:14 . 2006-10-18 02:53   147,456   --a------   C:\WINDOWS\system32\RtlCPAPI.dll
2007-12-11 14:35 . 2007-12-11 14:35   524,288   --a------   C:\WINDOWS\system32\DivXsm.exe
2007-12-11 14:35 . 2007-12-11 14:35   4,816   --a------   C:\WINDOWS\system32\divxsm.tlb
2007-12-11 14:34 . 2007-12-11 14:34   3,596,288   --a------   C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 14:34 . 2007-12-11 14:34   1,044,480   --a------   C:\WINDOWS\system32\libdivx.dll
2007-12-11 14:34 . 2007-12-11 14:34   200,704   --a------   C:\WINDOWS\system32\ssldivx.dll
2007-12-11 14:32 . 2007-12-11 14:32   352,401   --a------   C:\WINDOWS\system32\DivXMedia.ax
2007-12-11 14:32 . 2007-12-11 14:32   156,992   --a------   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 14:32 . 2007-12-11 14:32   12,288   --a------   C:\WINDOWS\system32\DivXWMPExtType.dll

.

[ceann]

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 14:39   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-20 14:38   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-20 14:10   ---------   d-----w   C:\Program Files\microsoft frontpage
2007-12-11 22:34   9,464   ------w   C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 22:34   9,336   ------w   C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 22:34   43,528   ------w   C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-11 22:34   129,784   ------w   C:\WINDOWS\system32\pxafs.dll
2007-12-11 22:34   120,056   ------w   C:\WINDOWS\system32\pxcpyi64.exe
2007-12-11 22:34   118,520   ------w   C:\WINDOWS\system32\pxinsi64.exe
2007-12-11 22:33   823,296   ----a-w   C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 22:33   823,296   ----a-w   C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 22:33   81,920   ----a-w   C:\WINDOWS\system32\dpl100.dll
2007-12-11 22:33   802,816   ----a-w   C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 22:33   682,496   ----a-w   C:\WINDOWS\system32\DivX.dll
2007-12-11 22:33   593,920   ----a-w   C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 22:33   57,344   ----a-w   C:\WINDOWS\system32\dpv11.dll
2007-12-11 22:33   53,248   ----a-w   C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 22:33   344,064   ----a-w   C:\WINDOWS\system32\dpus11.dll
2007-12-11 22:33   294,912   ----a-w   C:\WINDOWS\system32\dpu11.dll
2007-12-11 22:33   294,912   ----a-w   C:\WINDOWS\system32\dpu10.dll
2007-12-11 22:33   196,608   ----a-w   C:\WINDOWS\system32\dtu100.dll
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-11-13 10:25   20,480   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40   222,720   ----a-w   C:\WINDOWS\system32\wmasf.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-01-05_19.35.51.34   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-06 15:12:42   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5ec.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 14:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2007-12-29 04:05   486856   --a------   C:\Program Files\DAEMON Tools Lite\daemon.exe
         
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
         C:\Program Files\Messenger\msmsgs.exe /background


.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 15:15:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 09:20:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06  9:21:40
ComboFix-quarantined-files.txt  2008-01-06 17:21:22
ComboFix2.txt  2008-01-06 03:36:24
.
2008-01-06 15:20:56   --- E O F --- 




is it ok now?

please say 'yes' 

[polonus]

Hi ceann,

But did you scan the USB stick with the tool I asked you to download, what did it say then? The corrupted autorun.inf could be only on your USB stick and launch the virus from there. Scan the stick again please, and run the batch script that oldman gave you. Safety first, scanning and running this batch script won't hurt your computer one bit or should I say byte?

polonus

[ceann]

this is what i downloaded... http://javedkhalil.com/techBlog/wp-content/uploads/2007/11/ravmon-removal.rar

i run it and clicked 'Remove Virus from USB Drive'
and the it says '2USB Drive Detected' and then I clicked 'OK'
and a Windows - No Disk thing popped up, it says 'Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c' -I clicked Continue and then it popped up again, I clicked continue again.
The Windows - No Disk thing did not popped up anymore.
Another thing popped up which says Your USB Drive does not contain Ravmon Virus, i clicked OK.
The Windows - No Disk thing popped up again it says the same thing as the first one I did the same thing also. This time it popped up 4 times.
Another thing popped which says Ravmon Virus was successfully removed from Usb. Now unplug the USB
I clicked OK
Another thing popped up which says Your USB Drive does not contain Ravmon Virus
I clicked OK
Ravmon Virus was successfully removed from Usb. Now unplug the USB popped up again
I clicked Ok again
And then I unplugged the USB

that is what happened

[ceann]

is this the batch script that you're talking about?

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c7f1807-af2c-11dc-ac16-003018632b4a}]

if it is, i already run it. (or merge it)

 

[oldman]

Hi ceann

Everything look goods, The mount point was all that had references to Ravmon. Someone may have at one time plugged in a partially infected flash drive and created the references. The regfix removed the key. The key may come back, but this time without the Ravmon reference.

We'll clean yo the tools you downloaded.

Click start button, click run copy and paste this line into the box, click ok.

combofix /u

Open HJT, click the misc tools button, slide the slider down and click uninstall.

Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

Remove old restore points

Disk Cleanup
- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

You may consider using this tool to prevent autorun infections.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Plug in your usb device(s)
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First it will remove any autorun.inf it finds. There shouldn't be one on a fixed HD anyway. There is no need for such a file on any removable storage device -- iPod, USB flash drive, cell phone, .etc as you can open these drives manually.

It will create a SYSTEM protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will disable any current Autorun infection its ability to restart.


It looks like you are using windows firewall. It doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0


Take care and keep safe.

[ceann]

i cant uninstall combofix so what i did was i deleted all the folders and files related with it.
is it ok?

i was able to uninstall the hijackthis...

i did the system restore thing,
the cleanup thing,
the flash drive thing
and about the third party firewall, im still in the process of choosing...

so its pretty much everything that you suggested me to do...

thanks a lot oldman, polonus and Tech for the replies (for the help)

really appreciate it.

you're the best!!!

[oldman]

Deleting combofix if fine. The command should have worked if combofix was downloaded to your desktop. C:\Qoobox is also apart of combofix.

You  can hang onto Flash Drive Disinfector if you want. You can use it if you ever buy another flash.

You're welcome.