Author Topic: Yet another Win32:BHO-KD. Help Please!!  (Read 12989 times)


Asha

  • Guest
Yet another Win32:BHO-KD. Help Please!!
« on: January 03, 2008, 09:30:21 PM »
Hi folks, looks like this bug is affecting a lot of people!

I'm on Windows XP Professional, My Avast is v4.7 Home Edition... it has picked up the Win32:BHO-KD Trojan, the file name location is c:\windows\system32\dpnete.dll\[UPX]

Avast cannot delete or move to chest, and I have also tried its boot-time scan... again it detected the Trojan but access was denied when I attempted to move to chest or delete it.

Help please?!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #1 on: January 03, 2008, 09:34:38 PM »
Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.




please note:

ComboFix should never take more than 20 minutes including the reboot if malware is detected.

Do the following only if combofix stalls after 20 or so minutes and you are sure it has stalled, ie no hard drive light or noise.

If it does, open Task Manager  (press ctrl, alt and del at the same time) then Processes tab and end any processes of findstr, find, sed or swreg, then combofix should continue.

End one at a time and see if combofix resumes.




Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Please run in the order I posted them and post the combofix and hijackthis log in your next reply.




Asha
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #2 on: January 03, 2008, 10:03:20 PM »
ComboFix 08-01-03.3 - Asha 2008-01-03 20:44:44.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.2.1033.18.622 [GMT 0:00]
Running from: C:\Documents and Settings\Asha\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bcsprsrcc.dll
C:\WINDOWS\system32\dpnete.dll
C:\WINDOWS\system32\drivers\gykrvpys.dat
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\Tasks.\At1.job

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_EGTOVYXB
-------\LEGACY_KOUKVANW
-------\LEGACY_POOF
-------\egtovyxb
-------\koukvanw


(((((((((((((((((((((((((   Files Created from 2007-12-03 to 2008-01-03  )))))))))))))))))))))))))))))))
.

2008-01-03 20:43 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-03 02:37 . 2008-01-03 05:15   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-03 02:37 . 2008-01-03 02:37   1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-31 02:19 . 2007-12-31 02:19   <DIR>   d--------   C:\Program Files\Common Files\Blizzard Entertainment
2007-12-22 19:00 . 2007-12-22 19:00   1,188,375   --a------   C:\WINDOWS\system32\libeay32.dll
2007-12-22 19:00 . 2007-12-22 19:00   741,632   --a------   C:\WINDOWS\system32\ggempgum.dat
2007-12-22 19:00 . 2007-12-22 19:00   246,545   --a------   C:\WINDOWS\system32\libssl32.dll
2007-12-22 19:00 . 2007-12-25 19:23   120,576   --a------   C:\WINDOWS\system32\vastqgrq.dat
2007-12-22 19:00 . 2007-12-22 19:00   42,240   --a------   C:\WINDOWS\system32\kwlondop.dat
2007-12-22 19:00 . 2007-12-22 19:00   36,096   --a------   C:\WINDOWS\system32\ebegvisf.dat
2007-12-22 19:00 . 2007-12-22 19:00   35,072   --a------   C:\WINDOWS\system32\zdmrqigk.dat
2007-12-22 17:31 . 2005-10-29 06:49   84,480   --a------   C:\WINDOWS\system32\bcsprsrcc.dll.bak
2007-12-22 17:30 . 2007-12-22 17:30   15,872   --a------   C:\WINDOWS\system32\538cy1.exe
2007-12-13 17:29 . 2007-12-13 17:29   244   --ah-----   C:\sqmnoopt00.sqm
2007-12-13 17:29 . 2007-12-13 17:29   232   --ah-----   C:\sqmdata00.sqm

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 16:45   ---------   d-----w   C:\Program Files\XP Repair Pro 2007
2007-12-08 12:44   ---------   d-----w   C:\Documents and Settings\Asha\Application Data\Canon
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-22 16:06   ---------   d-----w   C:\Program Files\Java
2007-11-13 14:57   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Nokia
2007-11-13 14:56   ---------   d-----w   C:\Program Files\Nokia
2007-11-13 14:56   ---------   d-----w   C:\Program Files\Common Files\Nokia
2007-11-13 14:55   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Installations
2007-11-13 14:52   ---------   d-----w   C:\Documents and Settings\Asha\Application Data\Nokia Multimedia Player
2007-11-13 10:25   20,480   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"538cy1"="C:\WINDOWS\system32\538cy1.exe" [2007-12-22 17:30 15872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2007-06-28 11:53 258048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-18 22:02 282624]
"538cy1"="C:\WINDOWS\system32\538cy1.exe" [2007-12-22 17:30 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2005-12-19 11:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 05:06 5181440]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 14:43]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 20:52:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 20:54:00 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-03 20:53:58
.
2007-12-21 12:25:48   --- E O F --- 

Asha
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #3 on: January 03, 2008, 10:03:44 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02:32, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\538cy1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.darkarts.org.uk/phpBB2/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [538cy1] C:\WINDOWS\system32\538cy1.exe
O4 - HKCU\..\Run: [538cy1] C:\WINDOWS\system32\538cy1.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - E:\Programs\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 5162 bytes

Offline oldman
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #4 on: January 03, 2008, 10:11:05 PM »
Please submit the following file to www.virustotal.com, wait for the results and post them here. Copy and paste the following line into the "send a file" box on their site and click submit.

C:\WINDOWS\system32\538cy1.exe

Asha
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #5 on: January 03, 2008, 10:15:48 PM »
Ok, results were:

File has already been analysed:
MD5:    9bc1e540d36dc68b2ca0d10ae4063b54
Date:    12.14.2007 13:38:30 (CET) [>20D]
Results:    13/32
Permalink:    analisis/38fa6dd831b02bf4c22255512daf996e

File 538cy1.exe received on 12.14.2007 13:38:30 (CET)
Current status: finished
Result: 13/32 (40.62%)

AhnLab-V3    -    -    -
AntiVir    -    -    TR/Crypt.Morphine.Gen
Authentium    -    -    -
Avast    -    -    -
AVG    -    -    Generic9.ADJW
BitDefender    -    -    -
CAT-QuickHeal    -    -    (Suspicious) - DNAScan
ClamAV    -    -    -
DrWeb    -    -    -
eSafe    -    -    Suspicious File
eTrust-Vet    -    -    -
Ewido    -    -    -
FileAdvisor    -    -    -
Fortinet    -    -    -
F-Prot    -    -    W32/Heuristic-114!Eldorado
F-Secure    -    -    Trojan.Win32.Agent.dgg
Ikarus    -    -    Trojan.Win32.Agent.dgg
Kaspersky    -    -    Trojan.Win32.Agent.dgg
McAfee    -    -    -
Microsoft    -    -    VirTool:Win32/Obfuscator.Q
NOD32v2    -    -    a variant of Win32/Small.BB
Norman    -    -    -
Panda    -    -    Suspicious file
Prevx1    -    -    -
Rising    -    -    -
Sophos    -    -    -
Sunbelt    -    -    -
Symantec    -    -    -
TheHacker    -    -    -
VBA32    -    -    Trojan.Win32.Agent.dgg
VirusBuster    -    -    -
Webwasher-Gateway    -    -    Trojan.Crypt.Morphine.Gen

Additional information
MD5: 9bc1e540d36dc68b2ca0d10ae4063b54

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #6 on: January 03, 2008, 10:25:07 PM »
Here's a couple more for you to check:

C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libssl32.dll

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34067
  • malware fighter
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #7 on: January 03, 2008, 10:33:07 PM »
Hi Asha,

The logfile of HijackThis seems OK, nothing out of the ordinary there.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Asha
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #8 on: January 03, 2008, 10:33:50 PM »
File has already been analysed:
MD5:    1f495134ec94669eb71fb966d18b8748
Date:    12.29.2007 17:23:28 (CET) [>5D]
Results:    0/31
Permalink:    analisis/d225dfdf4ae010ffa720d0444c83ceed

File libeay32.dll received on 12.29.2007 17:09:36 (CET)
Current status: finished
Result: 0/31 (0.00%)

AhnLab-V3    2007.12.29.11    2007.12.29    -
AntiVir    7.6.0.46    2007.12.29    -
Authentium    4.93.8    2007.12.29    -
Avast    4.7.1098.0    2007.12.28    -
AVG    7.5.0.516    2007.12.29    -
BitDefender    7.2    2007.12.29    -
CAT-QuickHeal    9.00    2007.12.29    -
ClamAV    0.91.2    2007.12.29    -
DrWeb    4.44.0.09170    2007.12.29    -
eSafe    7.0.15.0    2007.12.27    -
eTrust-Vet    31.3.5410    2007.12.29    -
Ewido    4.0    2007.12.29    -
FileAdvisor    1    2007.12.29    -
Fortinet    3.14.0.0    2007.12.29    -
F-Prot    4.4.2.54    2007.12.28    -
F-Secure    6.70.13030.0    2007.12.28    -
Ikarus    T3.1.1.15    2007.12.29    -
Kaspersky    7.0.0.125    2007.12.29    -
McAfee    5195    2007.12.28    -
Microsoft    1.3109    2007.12.29    -
NOD32v2    2755    2007.12.29    -
Norman    5.80.02    2007.12.28    -
Panda    9.0.0.4    2007.12.29    -
Prevx1    V2    2007.12.29    -
Rising    20.24.52.00    2007.12.29    -
Sophos    4.24.0    2007.12.29    -
Sunbelt    2.2.907.0    2007.12.28    -
Symantec    10    2007.12.29    -
TheHacker    6.2.9.174    2007.12.28    -
VBA32    3.12.2.5    2007.12.29    -
VirusBuster    4.3.26:9    2007.12.29    -
Additional information
File size: 1188375 bytes
MD5: 1f495134ec94669eb71fb966d18b8748
SHA1: 6ee791ef7aacf6179d608c766de26b174e6e86d2
PEiD: -
packers: ZIP



File has already been analysed:
MD5:    b6a1121e63e5c9c7a62844373a06e2ff
Date:    01.03.2008 14:15:46 (CET) [<1D]
Results:    0/32
Permalink:    analisis/1c9c5dcc6cf6b3b939bf02ce6724e440

File libssl32.dll received on 01.03.2008 14:09:03 (CET)
Current status: finished
Result: 0/32 (0.00%)

AhnLab-V3    2008.1.3.10    2008.01.02    -
AntiVir    7.6.0.46    2008.01.03    -
Authentium    4.93.8    2008.01.02    -
Avast    4.7.1098.0    2008.01.03    -
AVG    7.5.0.516    2008.01.02    -
BitDefender    7.2    2008.01.03    -
CAT-QuickHeal    9.00    2008.01.02    -
ClamAV    0.91.2    2008.01.03    -
DrWeb    4.44.0.09170    2008.01.03    -
eSafe    7.0.15.0    2008.01.02    -
eTrust-Vet    31.3.5427    2008.01.03    -
Ewido    4.0    2008.01.03    -
FileAdvisor    1    2008.01.03    -
Fortinet    3.14.0.0    2008.01.03    -
F-Prot    4.4.2.54    2008.01.02    -
F-Secure    6.70.13030.0    2008.01.03    -
Ikarus    T3.1.1.15    2008.01.03    -
Kaspersky    7.0.0.125    2008.01.03    -
McAfee    5198    2008.01.03    -
Microsoft    1.3109    2008.01.03    -
NOD32v2    2763    2008.01.03    -
Norman    5.80.02    2008.01.03    -
Panda    9.0.0.4    2008.01.03    -
Prevx1    V2    2008.01.03    -
Rising    20.25.32.00    2008.01.03    -
Sophos    4.24.0    2008.01.03    -
Sunbelt    2.2.907.0    2008.01.03    -
Symantec    10    2008.01.03    -
TheHacker    6.2.9.178    2008.01.03    -
VBA32    3.12.2.5    2008.01.02    -
VirusBuster    4.3.26:9    2008.01.02    -
Webwasher-Gateway    6.6.2    2008.01.03    -
Additional information
File size: 246545 bytes
MD5: b6a1121e63e5c9c7a62844373a06e2ff
SHA1: 0981dcb314b65b71657d0b01966cb256add37557
PEiD: -

Asha
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #9 on: January 03, 2008, 10:35:01 PM »
I think ComboFix got the dpnete.dll with the Trojan and deleted it - can't see it in my System32 folder anymore... should that be the end of it??

Offline oldman
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #10 on: January 03, 2008, 10:47:34 PM »


Open HJT and do a system scan only, checkmark the following lines if present

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [538cy1] C:\WINDOWS\system32\538cy1.exe
O4 - HKCU\..\Run: [538cy1] C:\WINDOWS\system32\538cy1.exe


Close all other browsers and windows, click fix. Close HJT


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.



Quote
File::
C:\WINDOWS\system32\bcsprsrcc.dll.bak
C:\WINDOWS\system32\ggempgum.dat
C:\WINDOWS\system32\vastqgrq.dat
C:\WINDOWS\system32\kwlondop.dat
C:\WINDOWS\system32\ebegvisf.dat
C:\WINDOWS\system32\zdmrqigk.dat
C:\WINDOWS\system32\538cy1.exe




This will start ComboFix again. Close all browser windows first. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HJT log.


How are you at making password protected zips?




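The reply above selects seven files for the CFScript by hand: the cluster of eight-letter gibberish `.dat` names all created in the same minute, the `.bak` left behind by a DLL ComboFix already removed, and the recently created executable that also has Run-key entries. As an added example (not code from the original thread, and not ComboFix's own logic), the script below writes those three rules down and runs them over a constructed excerpt of the ComboFix log posted earlier in this thread. The thresholds (a vowel ratio of at most 0.4 for a "random-looking" name, a same-minute creation cluster of two or more) are the editor's assumptions, not anything ComboFix documents.

```python
"""Triage a ComboFix log the way the helper in this thread did by hand:
pick out recently created files with pseudo-random names that were dropped
together, anything recent that also has an autostart entry, and leftover
.bak copies of files that were already removed, then emit the matching
CFScript "File::" block.

Added example; not part of the original thread and not ComboFix's own code.
SAMPLE_LOG is constructed, copied in shape from the log posted above, so the
heuristics can be checked against the helper's list. Thresholds are assumed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))
C:\WINDOWS\system32\bcsprsrcc.dll
C:\WINDOWS\system32\dpnete.dll
C:\WINDOWS\system32\drivers\gykrvpys.dat
((((((((((((((((((((((((   Files Created from 2007-12-03 to 2008-01-03  ))))))))))))))))))))))))
2008-01-03 20:43 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-12-31 02:19 . 2007-12-31 02:19   <DIR>   d--------   C:\Program Files\Common Files\Blizzard Entertainment
2007-12-22 19:00 . 2007-12-22 19:00   1,188,375   --a------   C:\WINDOWS\system32\libeay32.dll
2007-12-22 19:00 . 2007-12-22 19:00   741,632   --a------   C:\WINDOWS\system32\ggempgum.dat
2007-12-22 19:00 . 2007-12-22 19:00   246,545   --a------   C:\WINDOWS\system32\libssl32.dll
2007-12-22 19:00 . 2007-12-25 19:23   120,576   --a------   C:\WINDOWS\system32\vastqgrq.dat
2007-12-22 19:00 . 2007-12-22 19:00   42,240   --a------   C:\WINDOWS\system32\kwlondop.dat
2007-12-22 19:00 . 2007-12-22 19:00   36,096   --a------   C:\WINDOWS\system32\ebegvisf.dat
2007-12-22 19:00 . 2007-12-22 19:00   35,072   --a------   C:\WINDOWS\system32\zdmrqigk.dat
2007-12-22 17:31 . 2005-10-29 06:49   84,480   --a------   C:\WINDOWS\system32\bcsprsrcc.dll.bak
2007-12-22 17:30 . 2007-12-22 17:30   15,872   --a------   C:\WINDOWS\system32\538cy1.exe
((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"538cy1"="C:\WINDOWS\system32\538cy1.exe" [2007-12-22 17:30 15872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-18 22:02 282624]
"""

# Section banners look like "(((((   Name   )))))"; created-file lines are
# "<created> . <modified>   <size>   <attrs>   <path>"; Run values are "name"="target" [...]
SECTION = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}\s*$")
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+\s+\S+\s+\S+\s+(.+?)\s*$")
RUNVALUE = re.compile(r'^"[^"]*"="([^"]+)"')
VOWELS = set("aeiouy")


def parse_log(text):
    """Return (created, deleted, autoruns) from the three ComboFix sections used here.

    created: list of (path, creation minute) in log order
    deleted: lowercased paths listed under "Other Deletions"
    autoruns: lowercased targets of Run-key values
    """
    section, created, deleted, autoruns = "", [], set(), set()
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section.startswith("Other Deletions") and line.lower().startswith("c:\\"):
            deleted.add(line.strip().lower())
        elif section.startswith("Files Created"):
            m = CREATED.match(line)
            if m:
                created.append((m.group(2), m.group(1)))
        elif section.startswith("Reg Loading Points"):
            m = RUNVALUE.match(line)
            if m:
                autoruns.add(m.group(1).lower())
    return created, deleted, autoruns


def looks_random(path):
    """Name heuristic: a letters-only stem of 6..12 chars with few vowels
    (gibberish like 'ggempgum'). Assumed threshold: vowel ratio <= 0.4.
    On its own it also hits NirCmd.exe, so triage() never acts on it alone."""
    stem = path.rsplit("\\", 1)[-1].split(".")[0].lower()
    if not (6 <= len(stem) <= 12 and stem.isalpha()):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.4


def triage(text):
    """Return the created files worth quarantining, in log order."""
    created, deleted, autoruns = parse_log(text)
    random_by_minute = defaultdict(list)  # random-looking names grouped by creation minute
    for path, minute in created:
        if looks_random(path):
            random_by_minute[minute].append(path)
    flagged = []
    for path, minute in created:
        low = path.lower()
        clustered = looks_random(path) and len(random_by_minute[minute]) >= 2  # rule A: dropped together
        autostart = low in autoruns                                             # rule B: recent + Run key
        leftover = low.endswith(".bak") and low[:-4] in deleted                 # rule C: .bak of removed file
        if clustered or autostart or leftover:
            flagged.append(path)
    return flagged


def build_cfscript(paths):
    """Render the CFScript block the helper asked the poster to drop on ComboFix.exe."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run against the constructed excerpt, `triage()` returns exactly the seven paths in the CFScript above, and nothing else: `libeay32.dll` and `libssl32.dll` fail the name rule (digits in the stem), and `NirCmd.exe`, which ComboFix itself dropped at 20:43, passes the name rule but is created alone and has no autostart entry, so rule A does not fire. That is the point of combining signals: a gibberish-name test alone is noisy, and a hit on it should send a file to VirusTotal (as the helper did with `538cy1.exe`), not straight into a delete script.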

Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #11 on: January 03, 2008, 11:15:11 PM »
libeay and libssl are valid libraries from openssl.org ;)

Asha
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #12 on: January 03, 2008, 11:17:28 PM »
Quote
How are you at making password protected zips?

Think I can manage that

Offline oldman
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #13 on: January 03, 2008, 11:22:52 PM »
Quote
How are you at making password protected zips?

Think I can manage that

After you have done the above fix, could you please zip the following folder in a password-protected zip and send it to Maxx_original? He posted just above your last post. Hopefully he'll supply an address.

C:\QOOBOX\QUARANTINE
« Last Edit: January 03, 2008, 11:24:36 PM by oldman »

Offline Maxx_original
Re: Yet another Win32:BHO-KD. Help Please!!
« Reply #14 on: January 03, 2008, 11:28:45 PM »
my address is available in my profile (for registered users)... anyway it is krejdl[at]avast[dot]com ;)