Author Topic: Yet another Win32:BHO-KD Infection  (Read 8827 times)


BebeOne (Guest)
Yet another Win32:BHO-KD Infection
« on: January 04, 2008, 04:01:16 PM »
Hello,
every time I open Explorer (the browser or the classic Windows Explorer), Avast finds Win32:BHO-KD [trj]

located in:

D:\WINDOWS\system32\clusap.dll\[UPX]

Can't delete, can't move, can't send to chest, can't delete at boot time, can't unload the DLL.

I tried everything, now I'm desperate. I'm on Windows XP Pro and don't know where the trojan comes from.
ComboFix and HJT logs follow.

Thanks for your help!
( volek {at} vol {dot} cz )

BebeOne (Guest)
combofix part I
« Reply #1 on: January 04, 2008, 04:02:42 PM »
ComboFix 08-01-04.1 - Bebe_One 2008-01-05 15:42:22.3 - NTFSx86
Systém Microsoft Windows XP Professional  5.1.2600.2.1250.1.1029.18.201 [GMT 1:00]
Running from: D:\Documents and Settings\Bebe_One\Plocha\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-12-05 to 2008-01-05  )))))))))))))))))))))))))))))))
.

2008-01-02 21:03 . 2000-08-31 08:00   51,200   --a------   D:\WINDOWS\NirCmd.exe
2008-01-02 12:44 . 2008-01-02 12:44   103,571   --a------   D:\WINDOWS\system32\clusap.rar
2007-12-22 10:54 . 2007-12-22 10:54   69   --a------   D:\WINDOWS\NeroDigital.ini
2007-12-15 12:11 . 2007-12-15 12:11   <DIR>   dr-------   D:\Documents and Settings\NetworkService\Oblíbené položky
2007-12-15 11:46 . 2007-12-15 11:46   <DIR>   d--------   D:\Program Files\Sygate
2007-12-15 11:46 . 2004-10-15 18:32   83,096   --a------   D:\WINDOWS\system32\SSSensor.dll
2007-12-15 11:46 . 2004-10-15 18:17   60,496   --a------   D:\WINDOWS\system32\drivers\Teefer.sys
2007-12-15 11:46 . 2004-10-15 18:18   21,075   --a------   D:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg6n.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg5n.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg4n.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg3n.sys
2007-12-14 00:08 . 2007-12-14 00:08   <DIR>   d--------   D:\Documents and Settings\All Users\Data aplikací\MailFrontier
2007-12-14 00:08 . 2004-04-27 04:40   11,264   --a------   D:\WINDOWS\system32\SpOrder.dll
2007-12-14 00:08 . 2007-12-14 00:09   4,212   ---h-----   D:\WINDOWS\system32\zllictbl.dat
2007-12-14 00:07 . 2007-12-20 22:54   <DIR>   d--------   D:\WINDOWS\system32\ZoneLabs
2007-12-14 00:07 . 2007-12-20 22:54   <DIR>   d--------   D:\WINDOWS\Internet Logs
2007-12-10 19:25 . 2007-12-04 14:04   837,496   --a------   D:\WINDOWS\system32\aswBoot.exe
2007-12-10 19:25 . 2004-01-09 10:13   380,928   --a------   D:\WINDOWS\system32\actskin4.ocx
2007-12-10 19:25 . 2007-12-04 13:54   95,608   --a------   D:\WINDOWS\system32\AvastSS.scr
2007-12-10 19:25 . 2007-12-04 15:55   94,544   --a------   D:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-10 19:25 . 2007-12-04 15:56   93,264   --a------   D:\WINDOWS\system32\drivers\aswmon.sys
2007-12-10 19:25 . 2007-12-04 15:51   42,912   --a------   D:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-10 19:25 . 2007-12-04 15:49   26,624   --a------   D:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-10 19:25 . 2007-12-04 15:53   23,152   --a------   D:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-07 13:39 . 2007-12-07 13:39   <DIR>   d--------   D:\Program Files\Common Files\Adobe Systems Shared
2007-12-07 13:39 . 2007-12-07 13:39   <DIR>   d--------   D:\Documents and Settings\All Users\Data aplikací\Adobe Systems
2007-12-06 14:01 . 2007-12-06 14:01   <DIR>   d--------   D:\Program Files\Lavasoft
2007-12-06 14:01 . 2007-12-06 14:01   <DIR>   d--------   D:\Documents and Settings\All Users\Data aplikací\Lavasoft
2007-12-06 14:00 . 2007-12-15 11:45   <DIR>   d--------   D:\Program Files\Common Files\Wise Installation Wizard
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--------   D:\Documents and Settings\Administrator\Plocha
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--h-----   D:\Documents and Settings\Administrator\Okolní tiskárny
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--h-----   D:\Documents and Settings\Administrator\Okolní síť
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--------   D:\Documents and Settings\Administrator\Oblíbené položky
2007-12-06 11:26 . 2007-11-07 13:05   <DIR>   d--h-----   D:\Documents and Settings\Administrator\Šablony
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   dr-------   D:\Documents and Settings\Administrator\Nabídka Start
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--------   D:\Documents and Settings\Administrator\Dokumenty
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   dr-h-----   D:\Documents and Settings\Administrator\Data aplikací

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 17:25   14,080   --sha-w   D:\WINDOWS\system32\drivers\274210051.sys
2008-01-01 14:37   ---------   d--h--w   D:\Program Files\InstallShield Installation Information
2007-12-21 11:42   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Nokia
2007-12-08 10:57   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2007-12-07 12:43   ---------   d-----w   D:\Program Files\Common Files\Adobe
2007-12-06 21:39   19,456   ----a-w   D:\WINDOWS\system32\drivers\ovtlvdsu.dat
2007-11-19 20:20   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Skype
2007-11-18 14:50   ---------   d-----w   D:\Program Files\Nokia
2007-11-18 14:50   ---------   d-----w   D:\Program Files\Common Files\Nokia
2007-11-18 14:50   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\Nokia
2007-11-18 14:49   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\Installations
2007-11-18 14:18   40,448   ----a-w   D:\WINDOWS\system32\w32drv6.exe
2007-11-18 14:18   14,336   ----a-w   D:\WINDOWS\system32\svchost.exe
2007-11-14 19:16   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Sony
2007-11-14 19:07   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Publish Providers
2007-11-14 19:07   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\NetMedia Providers
2007-11-14 09:21   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Media Player Classic
2007-11-13 20:42   ---------   d-----w   D:\Program Files\Microsoft SQL Server
2007-11-13 20:42   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\Sony
2007-11-13 20:41   ---------   d-----w   D:\Program Files\Vstplugins
2007-11-13 15:36   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Ahead
2007-11-12 17:41   ---------   d-----w   D:\Program Files\Skype
2007-11-12 17:41   ---------   d-----w   D:\Program Files\Common Files\Skype
2007-11-12 17:41   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\Skype
2007-11-12 10:57   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Nokia Multimedia Player
2007-11-11 16:26   ---------   d-----w   D:\Documents and Settings\Guest\Data aplikací\PC Suite
2007-11-11 16:06   ---------   d-----w   D:\Program Files\Microsoft.NET
2007-11-11 16:06   ---------   d-----w   D:\Program Files\Microsoft ActiveSync
2007-11-11 00:51   ---------   d-----w   D:\Program Files\Common Files\Symbian
2007-11-11 00:29   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\PC Suite
2007-11-11 00:28   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\PC Suite
2007-11-11 00:26   ---------   d-----w   D:\Program Files\PC Connectivity Solution
2007-11-11 00:26   ---------   d-----w   D:\Program Files\DIFX
2007-11-11 00:26   ---------   d-----w   D:\Program Files\Common Files\PCSuite
2007-11-08 16:15   ---------   d-----w   D:\Program Files\Common Files\Ahead
2007-11-08 16:13   ---------   d-----w   D:\Program Files\Nero
2007-11-08 15:45   685,816   ----a-w   D:\WINDOWS\system32\drivers\sptd.sys
2007-11-08 15:00   ---------   d-----w   D:\Program Files\microsoft frontpage
2007-11-07 19:02   ---------   d-----w   D:\Program Files\Java
2007-11-07 18:53   ---------   d-----w   D:\Program Files\Hewlett-Packard
2007-11-07 18:53   ---------   d-----w   D:\Program Files\Common Files\Java
2007-11-07 18:36   ---------   d-----w   D:\Program Files\EPSON
2007-11-07 18:32   ---------   d-----w   D:\Program Files\Common Files\EPSON
2007-11-07 17:59   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\K9
2007-11-07 17:55   ---------   d-----w   D:\Program Files\Creative
2007-11-07 17:54   86,016   ----a-w   D:\WINDOWS\system32\OpenAL32.dll
2007-11-07 17:54   409,600   ----a-w   D:\WINDOWS\system32\wrap_oal.dll
2007-11-07 17:54   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Creative
2007-11-07 17:47   0   ----a-w   D:\WINDOWS\system32\drivers\SET14E.tmp
2007-11-07 17:09   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\ICQLite
2007-11-07 14:45   ---------   d-----w   D:\Program Files\Common Files\InstallShield
2007-11-07 14:41   ---------   d-----w   D:\Program Files\Setup Files
2007-11-07 14:37   ---------   d-----w   D:\Program Files\Intel
2007-11-07 14:31   ---------   d-----w   D:\Program Files\SystemRequirementsLab
2007-11-07 12:25   ---------   d-----w   D:\Program Files\Alwil Software
2007-11-07 12:15   ---------   d-----w   D:\Program Files\ASUS
.


BebeOne (Guest)
combofix part II
« Reply #2 on: January 04, 2008, 04:03:11 PM »
part2 combofix

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFBC4057-D9FA-4F9D-A9DD-7DEC4DB00A7F}]
2004-08-17 14:49   106496   --a------   D:\WINDOWS\system32\clusap.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49 15360]
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 15:16 171464]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Control Center"="D:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2004-02-24 12:17 1448448]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 D:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 D:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"PCSuiteTrayApplication"="E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SmcService"="D:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 14:49 15360]
"Nokia.PCSync"="E:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

D:\Documents and Settings\Bebe_One\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
Launch K9.lnk - E:\Program Files\KeirNet\K9\K9.exe [2004-04-18 20:43:44]

D:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
EPSON Status Monitor 3 Environment Check(2).lnk - D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-11-07 19:32:12]

R0 qkfyttmd;qkfyttmd;D:\WINDOWS\system32\drivers\ovtlvdsu.dat []
R3 ASNDIS5;ASNDIS5 Protocol Driver;D:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 PSched;Plánovač paketů technologie QoS;D:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
R3 W8100PCI;ASUS 802.11b/g Driver for Windows XP;D:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2003-12-24 12:43]
S2 DhcpMSSQLServerADHelper;Klient DHCP DhcpMSSQLServerADHelper;D:\WINDOWS\system32\w32drv6.exe srv []
S3 9J5XVr95HpbRZXrz33;9J5XVr95HpbRZXrz33;D:\WINDOWS\system32\drivers\274210051.sys [2008-01-04 18:25]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 15:43:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 15:44:08

BebeOne (Guest)
HJT log
« Reply #3 on: January 04, 2008, 04:05:17 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:44:44, on 5.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\ASUS\WLAN Card Utilities\Center.exe
D:\WINDOWS\CTHELPER.EXE
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\KeirNet\K9\K9.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_L19382.EXE
D:\WINDOWS\explorer.exe
E:\HJTs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FFBC4057-D9FA-4F9D-A9DD-7DEC4DB00A7F} - D:\WINDOWS\system32\clusap.dll
O4 - HKLM\..\Run: [Control Center] D:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-789336058-920026266-725345543-501\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Launch K9.lnk = E:\Program Files\KeirNet\K9\K9.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Klient DHCP DhcpMSSQLServerADHelper (DhcpMSSQLServerADHelper) - Unknown owner - D:\WINDOWS\system32\w32drv6.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - D:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7586 bytes

polonus (Avast Überevangelist)
Re: Yet another Win32:BHO-KD Infection
« Reply #4 on: January 04, 2008, 05:32:47 PM »
Hi BebeOne,

What you have there is another version of the Win32:BHO-KD trojan, also known as the BHO ABO trojan;
the two malicious DLLs are:
windows\system32\clusapp.dll
windows\system32\clusapp.dll UPXv12_m2.dll
There is another way to treat this:
In cmd.exe amassed tasklist and see PID process. In cmd.exe amassed taskkill /PID Then amassed taskkill / PID (eg 1732) / F / T and treat this shit.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

oldman (Avast Evangelist)
Re: Yet another Win32:BHO-KD Infection
« Reply #5 on: January 04, 2008, 05:36:00 PM »
You also have something else running.

Submit these files to www.virustotal.com: copy and paste them in the box one at a time, click send, wait for the results and post them here.

D:\WINDOWS\system32\w32drv6.exe
D:\WINDOWS\system32\clusap.rar
D:\WINDOWS\system32\drivers\274210051.sys [2008-01-04 18:25]

Please download The Avenger by Swandog46 to your Desktop.

1.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Quote:
Drivers to unload:
qkfyttmd

Files to delete:
D:\WINDOWS\system32\drivers\ovtlvdsu.dat

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Copy/Paste all the text in the above quote box into this window by
  • MAKE SURE THE TEXT MATCHES EXACTLY
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh ComboFix log
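As an added example, not from this thread and not code from HijackThis, ComboFix or The Avenger: a small Python script that applies the checks the helpers here did by eye to O2/O23 HijackThis lines and ComboFix R0/S2/S3 service lines. The sample lines are constructed from entries quoted in this thread, and the heuristics (nameless BHO, unknown-owner service under system32, driver with no file timestamp or a non-.sys image, random-looking service name) are this example's own assumptions, not rules either tool implements.

```python
"""Triage of HijackThis O2/O23 lines and ComboFix service lines (added example)."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (reason, offending path or service name)

# Constructed sample input, modelled on the entries quoted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FFBC4057-D9FA-4F9D-A9DD-7DEC4DB00A7F} - D:\WINDOWS\system32\clusap.dll
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Klient DHCP DhcpMSSQLServerADHelper (DhcpMSSQLServerADHelper) - Unknown owner - D:\WINDOWS\system32\w32drv6.exe
"""

SAMPLE_COMBOFIX = r"""
R0 qkfyttmd;qkfyttmd;D:\WINDOWS\system32\drivers\ovtlvdsu.dat []
R3 PSched;Plánovač paketů technologie QoS;D:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
S2 DhcpMSSQLServerADHelper;Klient DHCP DhcpMSSQLServerADHelper;D:\WINDOWS\system32\w32drv6.exe srv []
S3 9J5XVr95HpbRZXrz33;9J5XVr95HpbRZXrz33;D:\WINDOWS\system32\drivers\274210051.sys [2008-01-04 18:25]
"""

# HijackThis: "O2 - BHO: <name> - {CLSID} - <path>"
HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# HijackThis: "O23 - Service: <display name> - <owner> - <path>"
# (a display name that itself contains " - " would mis-split; acceptable for triage)
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")
# ComboFix: "<R|S><n> <service>;<display>;<image> [<file timestamp>]"
CF_SVC = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[(?P<stamp>[^\]]*)\]$")
# Splits "<image path> <args>" at the first file extension, e.g. "...\w32drv6.exe srv"
IMAGE_ARGS = re.compile(r"^(?P<image>.+?\.[A-Za-z0-9]{2,4})(?:\s+(?P<args>.*))?$")


def looks_random(name: str) -> bool:
    """Heuristic: 8+ alphanumeric characters with no vowels, or a letter/digit mix."""
    if len(name) < 8 or not name.isalnum():
        return False
    has_vowel = any(c in "aeiouAEIOU" for c in name)
    has_digit = any(c.isdigit() for c in name)
    return not has_vowel or has_digit


def in_system32(path: str) -> bool:
    """Drive-agnostic check for <drive>:\\WINDOWS\\system32\\ (here the system drive is D:)."""
    return "\\windows\\system32\\" in path.lower()


def image_path(image_field: str) -> str:
    """Strip trailing service arguments from a ComboFix image field."""
    m = IMAGE_ARGS.match(image_field)
    return m["image"] if m else image_field


def triage_hjt(text: str) -> List[Finding]:
    """Flag nameless BHOs and unknown-owner services living under system32."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = HJT_O2.match(line)
        if m:
            if m["name"].strip().lower() == "(no name)":
                findings.append(("O2 BHO with no name", m["path"]))
            continue
        m = HJT_O23.match(line)
        if m and m["owner"].strip().lower() == "unknown owner" and in_system32(m["path"]):
            findings.append(("O23 service with unknown owner under system32", m["path"]))
    return findings


def triage_combofix(text: str) -> List[Finding]:
    """Flag service/driver entries with no file timestamp, odd images or random names."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = CF_SVC.match(line)
        if not m:
            continue
        image = image_path(m["image"])
        if not m["stamp"]:  # ComboFix printed "[]": it could not stat the file
            findings.append(("service/driver image without file timestamp", image))
        if m["start"] == "R0" and not image.lower().endswith(".sys"):
            findings.append(("boot-start driver with non-.sys image", image))
        if looks_random(m["svc"]):
            findings.append(("random-looking service name", m["svc"]))
    return findings


def triage(hjt_text: str, combofix_text: str) -> List[Finding]:
    """Combined findings from both log formats, in log order."""
    return triage_hjt(hjt_text) + triage_combofix(combofix_text)


if __name__ == "__main__":
    for reason, what in triage(SAMPLE_HJT, SAMPLE_COMBOFIX):
        print(f"{reason}: {what}")
```

On the constructed sample the script flags clusap.dll, w32drv6.exe, ovtlvdsu.dat and the two random-named services, and leaves the Adobe, avast! and PSched entries alone.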


BebeOne (Guest)
Re: Yet another Win32:BHO-KD Infection
« Reply #6 on: January 04, 2008, 06:21:10 PM »
Thanks for the fast reply, so

Polonus:
"In cmd.exe amassed tasklist and see PID process. In cmd.exe amassed taskkill /PID Then amassed taskkill / PID (eg 1732) / F / T and treat this shit."

I don't understand, unfortunately; give me some advice please... ???

Oldman:

D:\WINDOWS\system32\w32drv6.exe >>> can't upload, can't add to email ... strange
D:\WINDOWS\system32\clusap.rar >>> made by me while trying to make something with clusap.dll, deleted now.
D:\WINDOWS\system32\drivers\274210051.sys [2008-01-04 18:25] >>> can't find it there

The Avenger script was made and the log is >

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kbfwblhd

*******************

Script file located at: \??\D:\WINDOWS\ybkuijug.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:



Could not open registry key \Registry\Machine\System\CurrentControlSet\Services\qkfyttmd for deletion
Unload of driver qkfyttmd failed!

Could not process line:
qkfyttmd
Status: 0xc0000022



Could not open file D:\WINDOWS\system32\drivers\ovtlvdsu.dat for deletion
Deletion of file D:\WINDOWS\system32\drivers\ovtlvdsu.dat failed!

Could not process line:
D:\WINDOWS\system32\drivers\ovtlvdsu.dat
Status: 0xc0000022


Completed script processing.

*******************

Finished!  Terminate.


BebeOne (Guest)
And fresh ComboFix log I
« Reply #7 on: January 04, 2008, 06:22:09 PM »
ComboFix 08-01-04.1 - Bebe_One 2008-01-05 18:13:33.4 - NTFSx86
Systém Microsoft Windows XP Professional  5.1.2600.2.1250.1.1029.18.210 [GMT 1:00]
Running from: D:\Documents and Settings\Bebe_One\Plocha\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-12-05 to 2008-01-05  )))))))))))))))))))))))))))))))
.

2008-01-05 18:07 . 2008-01-05 18:07   <DIR>   d--h-----   D:\WINDOWS\PIF
2008-01-02 21:03 . 2000-08-31 08:00   51,200   --a------   D:\WINDOWS\NirCmd.exe
2007-12-22 10:54 . 2007-12-22 10:54   69   --a------   D:\WINDOWS\NeroDigital.ini
2007-12-15 12:11 . 2007-12-15 12:11   <DIR>   dr-------   D:\Documents and Settings\NetworkService\Oblíbené položky
2007-12-15 11:46 . 2007-12-15 11:46   <DIR>   d--------   D:\Program Files\Sygate
2007-12-15 11:46 . 2004-10-15 18:32   83,096   --a------   D:\WINDOWS\system32\SSSensor.dll
2007-12-15 11:46 . 2004-10-15 18:17   60,496   --a------   D:\WINDOWS\system32\drivers\Teefer.sys
2007-12-15 11:46 . 2004-10-15 18:18   21,075   --a------   D:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg6n.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg5n.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg4n.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg3n.sys
2007-12-14 00:08 . 2007-12-14 00:08   <DIR>   d--------   D:\Documents and Settings\All Users\Data aplikací\MailFrontier
2007-12-14 00:08 . 2004-04-27 04:40   11,264   --a------   D:\WINDOWS\system32\SpOrder.dll
2007-12-14 00:08 . 2007-12-14 00:09   4,212   ---h-----   D:\WINDOWS\system32\zllictbl.dat
2007-12-14 00:07 . 2007-12-20 22:54   <DIR>   d--------   D:\WINDOWS\system32\ZoneLabs
2007-12-14 00:07 . 2007-12-20 22:54   <DIR>   d--------   D:\WINDOWS\Internet Logs
2007-12-10 19:25 . 2007-12-04 14:04   837,496   --a------   D:\WINDOWS\system32\aswBoot.exe
2007-12-10 19:25 . 2004-01-09 10:13   380,928   --a------   D:\WINDOWS\system32\actskin4.ocx
2007-12-10 19:25 . 2007-12-04 13:54   95,608   --a------   D:\WINDOWS\system32\AvastSS.scr
2007-12-10 19:25 . 2007-12-04 15:55   94,544   --a------   D:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-10 19:25 . 2007-12-04 15:56   93,264   --a------   D:\WINDOWS\system32\drivers\aswmon.sys
2007-12-10 19:25 . 2007-12-04 15:51   42,912   --a------   D:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-10 19:25 . 2007-12-04 15:49   26,624   --a------   D:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-10 19:25 . 2007-12-04 15:53   23,152   --a------   D:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-07 13:39 . 2007-12-07 13:39   <DIR>   d--------   D:\Program Files\Common Files\Adobe Systems Shared
2007-12-07 13:39 . 2007-12-07 13:39   <DIR>   d--------   D:\Documents and Settings\All Users\Data aplikací\Adobe Systems
2007-12-06 14:01 . 2007-12-06 14:01   <DIR>   d--------   D:\Program Files\Lavasoft
2007-12-06 14:01 . 2007-12-06 14:01   <DIR>   d--------   D:\Documents and Settings\All Users\Data aplikací\Lavasoft
2007-12-06 14:00 . 2007-12-15 11:45   <DIR>   d--------   D:\Program Files\Common Files\Wise Installation Wizard
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--------   D:\Documents and Settings\Administrator\Plocha
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--h-----   D:\Documents and Settings\Administrator\Okolní tiskárny
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--h-----   D:\Documents and Settings\Administrator\Okolní síť
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--------   D:\Documents and Settings\Administrator\Oblíbené položky
2007-12-06 11:26 . 2007-11-07 13:05   <DIR>   d--h-----   D:\Documents and Settings\Administrator\Šablony
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   dr-------   D:\Documents and Settings\Administrator\Nabídka Start
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--------   D:\Documents and Settings\Administrator\Dokumenty
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   dr-h-----   D:\Documents and Settings\Administrator\Data aplikací

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 17:12   14,080   --sha-w   D:\WINDOWS\system32\drivers\274210051.sys
2008-01-01 14:37   ---------   d--h--w   D:\Program Files\InstallShield Installation Information
2007-12-21 11:42   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Nokia
2007-12-08 10:57   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2007-12-07 12:43   ---------   d-----w   D:\Program Files\Common Files\Adobe
2007-12-06 21:39   19,456   ----a-w   D:\WINDOWS\system32\drivers\ovtlvdsu.dat
2007-11-19 20:20   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Skype
2007-11-18 14:50   ---------   d-----w   D:\Program Files\Nokia
2007-11-18 14:50   ---------   d-----w   D:\Program Files\Common Files\Nokia
2007-11-18 14:50   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\Nokia
2007-11-18 14:49   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\Installations
2007-11-18 14:18   40,448   ----a-w   D:\WINDOWS\system32\w32drv6.exe
2007-11-18 14:18   14,336   ----a-w   D:\WINDOWS\system32\svchost.exe
2007-11-14 19:16   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Sony
2007-11-14 19:07   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Publish Providers
2007-11-14 19:07   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\NetMedia Providers
2007-11-14 09:21   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Media Player Classic
2007-11-13 20:42   ---------   d-----w   D:\Program Files\Microsoft SQL Server
2007-11-13 20:42   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\Sony
2007-11-13 20:41   ---------   d-----w   D:\Program Files\Vstplugins
2007-11-13 15:36   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Ahead
2007-11-12 17:41   ---------   d-----w   D:\Program Files\Skype
2007-11-12 17:41   ---------   d-----w   D:\Program Files\Common Files\Skype
2007-11-12 17:41   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\Skype
2007-11-12 10:57   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Nokia Multimedia Player
2007-11-11 16:26   ---------   d-----w   D:\Documents and Settings\Guest\Data aplikací\PC Suite
2007-11-11 16:06   ---------   d-----w   D:\Program Files\Microsoft.NET
2007-11-11 16:06   ---------   d-----w   D:\Program Files\Microsoft ActiveSync
2007-11-11 00:51   ---------   d-----w   D:\Program Files\Common Files\Symbian
2007-11-11 00:29   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\PC Suite
2007-11-11 00:28   ---------   d-----w   D:\Documents and Settings\All Users\Data aplikací\PC Suite
2007-11-11 00:26   ---------   d-----w   D:\Program Files\PC Connectivity Solution
2007-11-11 00:26   ---------   d-----w   D:\Program Files\DIFX
2007-11-11 00:26   ---------   d-----w   D:\Program Files\Common Files\PCSuite
2007-11-08 16:15   ---------   d-----w   D:\Program Files\Common Files\Ahead
2007-11-08 16:13   ---------   d-----w   D:\Program Files\Nero
2007-11-08 15:45   685,816   ----a-w   D:\WINDOWS\system32\drivers\sptd.sys
2007-11-08 15:00   ---------   d-----w   D:\Program Files\microsoft frontpage
2007-11-07 19:02   ---------   d-----w   D:\Program Files\Java
2007-11-07 18:53   ---------   d-----w   D:\Program Files\Hewlett-Packard
2007-11-07 18:53   ---------   d-----w   D:\Program Files\Common Files\Java
2007-11-07 18:36   ---------   d-----w   D:\Program Files\EPSON
2007-11-07 18:32   ---------   d-----w   D:\Program Files\Common Files\EPSON
2007-11-07 17:59   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\K9
2007-11-07 17:55   ---------   d-----w   D:\Program Files\Creative
2007-11-07 17:54   86,016   ----a-w   D:\WINDOWS\system32\OpenAL32.dll
2007-11-07 17:54   409,600   ----a-w   D:\WINDOWS\system32\wrap_oal.dll
2007-11-07 17:54   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\Creative
2007-11-07 17:47   0   ----a-w   D:\WINDOWS\system32\drivers\SET14E.tmp
2007-11-07 17:09   ---------   d-----w   D:\Documents and Settings\Bebe_One\Data aplikací\ICQLite
2007-11-07 14:45   ---------   d-----w   D:\Program Files\Common Files\InstallShield
2007-11-07 14:41   ---------   d-----w   D:\Program Files\Setup Files
2007-11-07 14:37   ---------   d-----w   D:\Program Files\Intel
2007-11-07 14:31   ---------   d-----w   D:\Program Files\SystemRequirementsLab
2007-11-07 12:25   ---------   d-----w   D:\Program Files\Alwil Software
2007-11-07 12:15   ---------   d-----w   D:\Program Files\ASUS
.

(((((((((((((((((((((((((((((   snapshot@2008-01-05_15.40.47.28   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-05 17:12:05   16,384   ----atw   D:\WINDOWS\Temp\Perflib_Perfdata_7bc.dat
.

BebeOne

  • Guest
And fresh combofix log II
« Reply #8 on: January 04, 2008, 06:22:31 PM »
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFBC4057-D9FA-4F9D-A9DD-7DEC4DB00A7F}]
2004-08-17 14:49   106496   --a------   D:\WINDOWS\system32\clusap.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49 15360]
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 15:16 171464]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Control Center"="D:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2004-02-24 12:17 1448448]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 D:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 D:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"PCSuiteTrayApplication"="E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SmcService"="D:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 14:49 15360]
"Nokia.PCSync"="E:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

D:\Documents and Settings\Bebe_One\Nabídka Start\Programy\Po spuštění\
Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
Launch K9.lnk - E:\Program Files\KeirNet\K9\K9.exe [2004-04-18 20:43:44]

D:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
EPSON Status Monitor 3 Environment Check(2).lnk - D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-11-07 19:32:12]

R0 qkfyttmd;qkfyttmd;D:\WINDOWS\system32\drivers\ovtlvdsu.dat []
R3 ASNDIS5;ASNDIS5 Protocol Driver;D:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 PSched;Plánovač paketů technologie QoS;D:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
R3 W8100PCI;ASUS 802.11b/g Driver for Windows XP;D:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2003-12-24 12:43]
S2 DhcpMSSQLServerADHelper;Klient DHCP DhcpMSSQLServerADHelper;D:\WINDOWS\system32\w32drv6.exe srv []
S3 9J5XVr95HpbRZXrz33;9J5XVr95HpbRZXrz33;D:\WINDOWS\system32\drivers\274210051.sys [2008-01-05 18:12]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 18:15:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 18:15:50

BebeOne

  • Guest
Re: Yet another Win32:BHO-KD Infection
« Reply #9 on: January 04, 2008, 06:32:03 PM »
Hey Polonus,
I have figured out what you mean, but can't find what to kill?

Best regards Bebeone

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another Win32:BHO-KD Infection
« Reply #10 on: January 04, 2008, 06:42:15 PM »
Polonus will have to explain what he means.

Ok let's try.

Open HJT, run a system scan only, checkmark the following line(s) if present

O2 - BHO: (no name) - {FFBC4057-D9FA-4F9D-A9DD-7DEC4DB00A7F} - D:\WINDOWS\system32\clusap.dll




Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
D:\WINDOWS\system32\drivers\ovtlvdsu.dat 
D:\WINDOWS\system32\clusap.dll



This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.




This one is running as this service; I can't find anything on it.

O23 - Service: Klient DHCP DhcpMSSQLServerADHelper (DhcpMSSQLServerADHelper) - Unknown owner - D:\WINDOWS\system32\w32drv6.exe


What type of error message did you receive when you tried to upload it?
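
Added example (not from the thread, and not part of ComboFix or HJT): a small Python triage of the service lines ComboFix prints under Reg Loading Points, run over the lines from the log above, which are embedded here as a constructed sample. It flags the patterns that make the qkfyttmd and DhcpMSSQLServerADHelper entries stand out: an image file that is not a .sys/.exe, a service for which ComboFix printed an empty timestamp bracket `[]`, and a machine-generated-looking short name. The thresholds in `looks_generated` and the reason strings are my own heuristics, not ComboFix rules.

```python
"""Triage the service lines of a ComboFix 'Reg Loading Points' section.

Added example; not part of the original forum thread, ComboFix or HJT.
Line format handled:  R0 name;display name;image path [args] [timestamp]
  R/S   = running / stopped      digit = Windows start type (0 boot .. 4 disabled)
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the service lines from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
R0 qkfyttmd;qkfyttmd;D:\WINDOWS\system32\drivers\ovtlvdsu.dat []
R3 ASNDIS5;ASNDIS5 Protocol Driver;D:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 PSched;Plánovač paketů technologie QoS;D:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
R3 W8100PCI;ASUS 802.11b/g Driver for Windows XP;D:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2003-12-24 12:43]
S2 DhcpMSSQLServerADHelper;Klient DHCP DhcpMSSQLServerADHelper;D:\WINDOWS\system32\w32drv6.exe srv []
S3 9J5XVr95HpbRZXrz33;9J5XVr95HpbRZXrz33;D:\WINDOWS\system32\drivers\274210051.sys [2008-01-05 18:12]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"             # R/S + start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"          # short name ; display name ;
    r"(?P<image>.+?)\s*\[(?P<stamp>[^\]]*)\]\s*$"   # image [+args]  [timestamp or empty]
)
EXT_RE = re.compile(r"\.[A-Za-z0-9]{2,4}$")        # token that ends in a file extension
VOWELS = set("aeiouAEIOU")
EXPECTED_EXTENSIONS = ("sys", "exe")               # what a driver/service image normally is


@dataclass
class Service:
    state: str
    start: int
    name: str
    display: str
    image: str
    stamp: str


@dataclass
class Finding:
    service: Service
    reasons: list = field(default_factory=list)


def parse_services(text):
    """Return one Service per line that matches the ComboFix service format."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(Service(m["state"], int(m["start"]), m["name"],
                               m["display"], m["image"], m["stamp"]))
    return out


def split_image(image):
    """Split 'path [args]' at the first token that ends in an extension.

    Paths with spaces are kept intact because the split happens at the
    extension, not at the first blank: 'C:\\A B\\x.exe -k' -> ('C:\\A B\\x.exe', ['-k']).
    """
    tokens = image.split()
    for i, tok in enumerate(tokens):
        if EXT_RE.search(tok):
            return " ".join(tokens[:i + 1]), tokens[i + 1:]
    return image, []


def looks_generated(name):
    """Heuristic (assumption): 8+ chars with no vowels, or digits mixed with both cases."""
    if len(name) < 8:
        return False
    has_digit = any(c.isdigit() for c in name)
    mixed_case = any(c.islower() for c in name) and any(c.isupper() for c in name)
    no_vowels = not any(c in VOWELS for c in name)
    return no_vowels or (has_digit and mixed_case)


def triage(text):
    """Return a Finding for every service that trips at least one heuristic."""
    findings = []
    for svc in parse_services(text):
        reasons = []
        path, _args = split_image(svc.image)
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if svc.stamp == "":
            reasons.append("ComboFix printed no file timestamp for the image ([])")
        if ext not in EXPECTED_EXTENSIONS:
            reasons.append(f"image has unusual extension .{ext or '<none>'} for a service/driver")
        if looks_generated(svc.name):
            reasons.append("short name looks machine-generated")
        if reasons:
            findings.append(Finding(svc, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.service.state}{f.service.start} {f.service.name} -> {f.service.image}")
        for r in f.reasons:
            print("   -", r)
```

The random-name check is the weakest of the three signals: the 9J5XVr95HpbRZXrz33 driver trips it too, yet in both logs it carries a timestamp stamped a few minutes before the catchme rootkit scan that follows, which is the pattern of a scanner's own helper driver rather than of the infection. A hit of that kind should be cross-checked against the log's Completion time before it goes into a CFScript `File::` list.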


BebeOne

  • Guest
Re: Yet another Win32:BHO-KD Infection
« Reply #11 on: January 04, 2008, 06:52:53 PM »
Hi Oldman,

I tried to flag it in HJT, but it's still there after the next scan.

On the w32drv6.exe I get "0 bytes size received / Se ha recibido un archivo vacio" on VirusTotal and

When I add it to an email and try to send, it says "Some of attached files can't be found".

I will now try ComboFix.


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another Win32:BHO-KD Infection
« Reply #12 on: January 04, 2008, 07:05:05 PM »
Sorry, somehow this line didn't get copied: "Close all other browsers and windows, click Fix, close HJT"


This is what it should have been:

Open HJT, run a system scan only, checkmark the following line(s) if present

O2 - BHO: (no name) - {FFBC4057-D9FA-4F9D-A9DD-7DEC4DB00A7F} - D:\WINDOWS\system32\clusap.dll


Close all other browsers and windows, click Fix, close HJT



BebeOne

  • Guest
Re: Yet another Win32:BHO-KD Infection
« Reply #13 on: January 04, 2008, 07:32:14 PM »
Hello,
the HJT procedure was unsuccessful, but ComboFix did the job and it seems that I'm clear now. Thank you very much, I appreciate what you're doing.

The ComboFix log follows:

ComboFix 08-01-04.1 - Bebe_One 2008-01-05 19:23:44.5 - NTFSx86
Systém Microsoft Windows XP Professional  5.1.2600.2.1250.1.1029.18.186 [GMT 1:00]
Running from: D:\Documents and Settings\Bebe_One\Plocha\ComboFix.exe
Command switches used :: D:\Documents and Settings\Bebe_One\Plocha\CFScript.txt
 * Created a new restore point

FILE
D:\WINDOWS\system32\clusap.dll
D:\WINDOWS\system32\drivers\ovtlvdsu.dat
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\clusap.dll
D:\WINDOWS\system32\drivers\ovtlvdsu.dat

.
(((((((((((((((((((((((((   Files Created from 2007-12-05 to 2008-01-05  )))))))))))))))))))))))))))))))
.

2008-01-05 18:07 . 2008-01-05 18:07   <DIR>   d--h-----   D:\WINDOWS\PIF
2008-01-02 21:03 . 2000-08-31 08:00   51,200   --a------   D:\WINDOWS\NirCmd.exe
2007-12-22 10:54 . 2007-12-22 10:54   69   --a------   D:\WINDOWS\NeroDigital.ini
2007-12-15 12:11 . 2007-12-15 12:11   <DIR>   dr-------   D:\Documents and Settings\NetworkService\Oblíbené položky
2007-12-15 11:46 . 2007-12-15 11:46   <DIR>   d--------   D:\Program Files\Sygate
2007-12-15 11:46 . 2004-10-15 18:32   83,096   --a------   D:\WINDOWS\system32\SSSensor.dll
2007-12-15 11:46 . 2004-10-15 18:17   60,496   --a------   D:\WINDOWS\system32\drivers\Teefer.sys
2007-12-15 11:46 . 2004-10-15 18:18   21,075   --a------   D:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg6n.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg5n.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg4n.sys
2007-12-15 11:46 . 2004-10-15 18:32   14,568   --a------   D:\WINDOWS\system32\drivers\wg3n.sys
2007-12-14 00:08 . 2004-04-27 04:40   11,264   --a------   D:\WINDOWS\system32\SpOrder.dll
2007-12-14 00:08 . 2007-12-14 00:09   4,212   ---h-----   D:\WINDOWS\system32\zllictbl.dat
2007-12-14 00:07 . 2007-12-20 22:54   <DIR>   d--------   D:\WINDOWS\system32\ZoneLabs
2007-12-14 00:07 . 2007-12-20 22:54   <DIR>   d--------   D:\WINDOWS\Internet Logs
2007-12-10 19:25 . 2007-12-04 14:04   837,496   --a------   D:\WINDOWS\system32\aswBoot.exe
2007-12-10 19:25 . 2004-01-09 10:13   380,928   --a------   D:\WINDOWS\system32\actskin4.ocx
2007-12-10 19:25 . 2007-12-04 13:54   95,608   --a------   D:\WINDOWS\system32\AvastSS.scr
2007-12-10 19:25 . 2007-12-04 15:55   94,544   --a------   D:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-10 19:25 . 2007-12-04 15:56   93,264   --a------   D:\WINDOWS\system32\drivers\aswmon.sys
2007-12-10 19:25 . 2007-12-04 15:51   42,912   --a------   D:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-10 19:25 . 2007-12-04 15:49   26,624   --a------   D:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-10 19:25 . 2007-12-04 15:53   23,152   --a------   D:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-07 13:39 . 2007-12-07 13:39   <DIR>   d--------   D:\Program Files\Common Files\Adobe Systems Shared
2007-12-06 14:01 . 2007-12-06 14:01   <DIR>   d--------   D:\Program Files\Lavasoft
2007-12-06 14:00 . 2007-12-15 11:45   <DIR>   d--------   D:\Program Files\Common Files\Wise Installation Wizard
2007-12-06 11:26 . 2007-11-07 13:05   <DIR>   d--h-----   D:\Documents and Settings\Administrator\Šablony
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--------   D:\Documents and Settings\Administrator\Plocha
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--h-----   D:\Documents and Settings\Administrator\Okolní tiskárny
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--h-----   D:\Documents and Settings\Administrator\Okolní síť
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--------   D:\Documents and Settings\Administrator\Oblíbené položky
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   dr-------   D:\Documents and Settings\Administrator\Nabídka Start
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   d--------   D:\Documents and Settings\Administrator\Dokumenty
2007-12-06 11:26 . 2007-11-07 13:58   <DIR>   dr-h-----   D:\Documents and Settings\Administrator\Data aplikací

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 18:27   14,080   --sha-w   D:\WINDOWS\system32\drivers\274210051.sys
2008-01-01 14:37   ---------   d--h--w   D:\Program Files\InstallShield Installation Information
2007-12-07 12:43   ---------   d-----w   D:\Program Files\Common Files\Adobe
2007-11-18 14:50   ---------   d-----w   D:\Program Files\Nokia
2007-11-18 14:50   ---------   d-----w   D:\Program Files\Common Files\Nokia
2007-11-18 14:18   40,448   ----a-w   D:\WINDOWS\system32\w32drv6.exe
2007-11-18 14:18   14,336   ----a-w   D:\WINDOWS\system32\svchost.exe
2007-11-13 20:42   ---------   d-----w   D:\Program Files\Microsoft SQL Server
2007-11-13 20:41   ---------   d-----w   D:\Program Files\Vstplugins
2007-11-12 17:41   ---------   d-----w   D:\Program Files\Skype
2007-11-12 17:41   ---------   d-----w   D:\Program Files\Common Files\Skype
2007-11-11 16:06   ---------   d-----w   D:\Program Files\Microsoft.NET
2007-11-11 16:06   ---------   d-----w   D:\Program Files\Microsoft ActiveSync
2007-11-11 00:51   ---------   d-----w   D:\Program Files\Common Files\Symbian
2007-11-11 00:26   ---------   d-----w   D:\Program Files\PC Connectivity Solution
2007-11-11 00:26   ---------   d-----w   D:\Program Files\DIFX
2007-11-11 00:26   ---------   d-----w   D:\Program Files\Common Files\PCSuite
2007-11-08 16:15   ---------   d-----w   D:\Program Files\Common Files\Ahead
2007-11-08 16:13   ---------   d-----w   D:\Program Files\Nero
2007-11-08 15:45   685,816   ----a-w   D:\WINDOWS\system32\drivers\sptd.sys
2007-11-08 15:00   ---------   d-----w   D:\Program Files\microsoft frontpage
2007-11-07 19:02   ---------   d-----w   D:\Program Files\Java
2007-11-07 18:53   ---------   d-----w   D:\Program Files\Hewlett-Packard
2007-11-07 18:53   ---------   d-----w   D:\Program Files\Common Files\Java
2007-11-07 18:36   ---------   d-----w   D:\Program Files\EPSON
2007-11-07 18:32   ---------   d-----w   D:\Program Files\Common Files\EPSON
2007-11-07 17:55   ---------   d-----w   D:\Program Files\Creative
2007-11-07 17:54   86,016   ----a-w   D:\WINDOWS\system32\OpenAL32.dll
2007-11-07 17:54   409,600   ----a-w   D:\WINDOWS\system32\wrap_oal.dll
2007-11-07 17:47   0   ----a-w   D:\WINDOWS\system32\drivers\SET14E.tmp
2007-11-07 14:45   ---------   d-----w   D:\Program Files\Common Files\InstallShield
2007-11-07 14:41   ---------   d-----w   D:\Program Files\Setup Files
2007-11-07 14:37   ---------   d-----w   D:\Program Files\Intel
2007-11-07 14:31   ---------   d-----w   D:\Program Files\SystemRequirementsLab
2007-11-07 12:25   ---------   d-----w   D:\Program Files\Alwil Software
2007-11-07 12:15   ---------   d-----w   D:\Program Files\ASUS
.

(((((((((((((((((((((((((((((   snapshot@2008-01-05_15.40.47.28   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-05 18:27:38   16,384   ----atw   D:\WINDOWS\Temp\Perflib_Perfdata_6e8.dat
.

BebeOne

  • Guest
Re: Yet another Win32:BHO-KD Infection II
« Reply #14 on: January 04, 2008, 07:33:41 PM »
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49 15360]
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 15:16 171464]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Control Center"="D:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2004-02-24 12:17 1448448]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 D:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 D:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"PCSuiteTrayApplication"="E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SmcService"="D:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 14:49 15360]
"Nokia.PCSync"="E:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

R3 ASNDIS5;ASNDIS5 Protocol Driver;D:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 PSched;Plánovač paketů technologie QoS;D:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
R3 W8100PCI;ASUS 802.11b/g Driver for Windows XP;D:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2003-12-24 12:43]
S0 qkfyttmd;qkfyttmd;D:\WINDOWS\system32\drivers\ovtlvdsu.dat []
S2 DhcpMSSQLServerADHelper;Klient DHCP DhcpMSSQLServerADHelper;D:\WINDOWS\system32\w32drv6.exe srv []
S3 9J5XVr95HpbRZXrz33;9J5XVr95HpbRZXrz33;D:\WINDOWS\system32\drivers\274210051.sys [2008-01-05 19:27]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 19:28:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 19:29:29 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-05 18:29:26
ComboFix2.txt  2008-01-05 17:15:51