Author Topic: Win32:BHO-KD [Trj]  (Read 7126 times)


gianina

  • Guest
Win32:BHO-KD [Trj]
« on: January 10, 2008, 11:07:11 PM »
I have this virus Win32:BHO-KD [Trj] and I am not able to remove it at all. It was detected by my avast; it is in the file windows/system32/catsrvp.dll.
Can anyone help me to remove this from my computer?
« Last Edit: January 10, 2008, 11:24:45 PM by gianina »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:BHO-KD [Trj]
« Reply #1 on: January 10, 2008, 11:33:00 PM »
Hi gianina, try this and I will follow you through the steps  ;)

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

gianina

Re: Win32:BHO-KD [Trj]
« Reply #2 on: January 10, 2008, 11:45:00 PM »
This is the result of the ComboFix:

ComboFix 08-01-10.2 - USER 2008-01-10 16:36:47.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.572 [GMT -6:00]
Running from: C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\84QFDJ8C\ComboFix[1].exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\USER\Application Data\DriveCleaner Free
C:\Documents and Settings\USER\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\#SharedObjects\HY639LKC\www.broadcaster.com
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\USER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\USER\Local Settings\Application Data\mmljbksj.dat
C:\Documents and Settings\USER\Local Settings\Application Data\mmljbksj_nav.dat
C:\Documents and Settings\USER\Local Settings\Application Data\mmljbksj_navps.dat
C:\Documents and Settings\USER\Start Menu\Programs\Startup\TA_Start.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\catsrvp.dll
C:\WINDOWS\system32\drivers\gwqdgfyb.dat
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\ihhkj.bak2
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\kldsrngp.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp33.tmp.dll
C:\WINDOWS\system32\tmp6.tmp.dll
C:\WINDOWS\system32\tmpE.tmp.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_LWQOOZSW
-------\lwqoozsw


(((((((((((((((((((((((((   Files Created from 2007-12-10 to 2008-01-10  )))))))))))))))))))))))))))))))
.

2008-01-10 16:35 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-03 09:42 . 2008-01-03 09:42   <DIR>   d--------   C:\Documents and Settings\USER\Application Data\PrevxCSI
2008-01-03 09:42 . 2008-01-03 09:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-02 15:04 . 2008-01-02 15:04   <DIR>   d--------   C:\Program Files\Enigma Software Group
2008-01-02 13:27 . 2007-12-04 07:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-02 13:27 . 2004-01-09 03:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-02 13:27 . 2007-12-04 06:54   95,608   --a------   C:\WINDOWS\system32\AVASTSS.scr
2008-01-02 13:27 . 2007-12-04 08:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-02 13:27 . 2007-12-04 08:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-02 13:27 . 2007-12-04 08:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-02 13:27 . 2007-12-04 08:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-02 13:27 . 2007-12-04 08:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-17 08:58 . 2007-08-13 18:54   33,792   --a------   C:\WINDOWS\system32\dllcache\custsat.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 15:24   ---------   d-----w   C:\Documents and Settings\USER\Application Data\Yahoo!
2007-11-23 18:34   ---------   d-----w   C:\Program Files\Comodo
2007-11-23 18:34   ---------   d-----w   C:\Documents and Settings\USER\Application Data\Comodo
2007-11-23 18:33   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-13 10:25   20,480   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 03:56   ---------   d-----w   C:\Documents and Settings\USER\Application Data\U3
2007-11-10 03:20   ---------   d-----w   C:\Program Files\Lavasoft
2007-11-10 03:20   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-10 03:19   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 03:01   ---------   d-----w   C:\Program Files\Compaq
2007-11-05 17:13   407,680   ----a-w   C:\Program Files\aswclnr.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c59e17e4-0ca1-479e-b220-54912169182c}]
         C:\WINDOWS\system32\dsouctr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D857A1C7-E675-4B22-924E-6E18C58D4B41}]
         C:\WINDOWS\system32\jkhhi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 11:59:32]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-08-17 13:20:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dsouctr]
dsouctr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkiig]
nnnkiig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= 

R3 HPKBCCID;HP Keyboard Smart Card Driver;C:\WINDOWS\system32\DRIVERS\HPKBCCID.sys [2005-08-03 22:30]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 16:41:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-10 16:42:34 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-10 22:42:31
.
2008-01-10 14:56:11   --- E O F --- 
« Last Edit: January 11, 2008, 12:03:09 AM by gianina »

gianina

Re: Win32:BHO-KD [Trj]
« Reply #3 on: January 10, 2008, 11:56:30 PM »
And here is the log for HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:52 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\39311PIA\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {c59e17e4-0ca1-479e-b220-54912169182c} - C:\WINDOWS\system32\dsouctr.dll (file missing)
O2 - BHO: (no name) - {D857A1C7-E675-4B22-924E-6E18C58D4B41} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs:   
O20 - Winlogon Notify: dsouctr - dsouctr.dll (file missing)
O20 - Winlogon Notify: nnnkiig - nnnkiig.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Unknown owner - C:\Program Files\Aclient\AClient.exe (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 5894 bytes

Offline essexboy

Re: Win32:BHO-KD [Trj]
« Reply #4 on: January 11, 2008, 12:10:19 AM »
Looks fair.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {c59e17e4-0ca1-479e-b220-54912169182c} - C:\WINDOWS\system32\dsouctr.dll (file missing)
O2 - BHO: (no name) - {D857A1C7-E675-4B22-924E-6E18C58D4B41} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O20 - Winlogon Notify: dsouctr - dsouctr.dll (file missing)
O20 - Winlogon Notify: nnnkiig - nnnkiig.dll (file missing)


Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

Then let me know how your system is running.

gianina

Re: Win32:BHO-KD [Trj]
« Reply #5 on: January 11, 2008, 12:15:48 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:43 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {c59e17e4-0ca1-479e-b220-54912169182c} - C:\WINDOWS\system32\dsouctr.dll (file missing)
O2 - BHO: (no name) - {D857A1C7-E675-4B22-924E-6E18C58D4B41} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs:   
O20 - Winlogon Notify: dsouctr - dsouctr.dll (file missing)
O20 - Winlogon Notify: nnnkiig - nnnkiig.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Unknown owner - C:\Program Files\Aclient\AClient.exe (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 5859 bytes
This is the new HijackThis log; I just tried again.

Offline essexboy

Re: Win32:BHO-KD [Trj]
« Reply #6 on: January 11, 2008, 12:20:16 AM »
OK, let's hit it with ComboFix.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dsouctr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkiig]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c59e17e4-0ca1-479e-b220-54912169182c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D857A1C7-E675-4B22-924E-6E18C58D4B41}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.
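
The following is an added example, not the thread's own tooling or part of ComboFix or HijackThis: a Python parser for the HijackThis O2 (BHO) and O20 (Winlogon Notify) lines seen in Reply #4 that flags entries reported as "(no name)" or "(file missing)" and writes them out as the CFScript Registry:: block used in this reply. It assumes the line formats shown in the thread's logs; the sample log is constructed from them, and the output is a candidate list for the helper to review, since a legitimately uninstalled BHO can also show "(file missing)".

```python
import re
from typing import Dict, List

# HijackThis line formats as they appear in this thread's logs (assumed stable).
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<sub>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$"
)

# Key templates in the form ComboFix's CFScript accepts. "\~\" is ComboFix's
# own shorthand for the Explorer key, reproduced here exactly as in the thread.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{clsid}"
NOTIFY_KEY = (
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion"
    r"\winlogon\notify\{sub}"
)

# Constructed sample: lines copied from the thread's Reply #4 log plus a
# legitimate BHO and an unrelated O23 line, to show what is and is not flagged.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {c59e17e4-0ca1-479e-b220-54912169182c} - C:\WINDOWS\system32\dsouctr.dll (file missing)",
    r"O2 - BHO: (no name) - {D857A1C7-E675-4B22-924E-6E18C58D4B41} - C:\WINDOWS\system32\jkhhi.dll (file missing)",
    r"O20 - Winlogon Notify: dsouctr - dsouctr.dll (file missing)",
    r"O20 - Winlogon Notify: nnnkiig - nnnkiig.dll (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
])


def find_suspect_entries(log_text: str) -> List[Dict[str, str]]:
    """Return BHO and Winlogon Notify entries worth reviewing.

    A BHO is flagged when its DLL is missing or it has no registered name;
    a Winlogon Notify package is flagged when its DLL is missing. Every other
    line (legitimate BHOs, services, R0/R1 entries) is ignored.
    """
    suspects: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("file missing")
            if m.group("name") == "(no name)":
                reasons.append("no name")
            if reasons:
                suspects.append({
                    "kind": "BHO",
                    "key": BHO_KEY.format(clsid=m.group("clsid")),
                    "file": m.group("path"),
                    "reason": ", ".join(reasons),
                })
            continue
        m = O20_RE.match(line)
        if m and m.group("missing"):
            suspects.append({
                "kind": "WinlogonNotify",
                "key": NOTIFY_KEY.format(sub=m.group("sub")),
                "file": m.group("dll"),
                "reason": "file missing",
            })
    return suspects


def build_cfscript(entries: List[Dict[str, str]]) -> str:
    """Emit a CFScript 'Registry::' block deleting each flagged key.

    Winlogon Notify keys come first and BHO keys second, mirroring the order
    the helper used in this thread; within each group, log order is kept.
    """
    order = {"WinlogonNotify": 0, "BHO": 1}
    keys = [e["key"] for e in sorted(entries, key=lambda e: order[e["kind"]])]
    body = "".join(f"[-{k}]\n" for k in keys)
    return "Registry::\n" + body


if __name__ == "__main__":
    found = find_suspect_entries(SAMPLE_LOG)
    for e in found:
        print(f"{e['kind']:<15}{e['file']:<45}{e['reason']}")
    print(build_cfscript(found))
```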

gianina

Re: Win32:BHO-KD [Trj]
« Reply #7 on: January 11, 2008, 12:26:38 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:08 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs:   
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Unknown owner - C:\Program Files\Aclient\AClient.exe (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 5375 bytes
Here is the HijackThis log after checking off the 4 items listed.

gianina

Re: Win32:BHO-KD [Trj]
« Reply #8 on: January 11, 2008, 12:39:09 AM »
ComboFix 08-01-10.2 - USER 2008-01-10 17:37:08.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.605 [GMT -6:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\USER\My Documents\CFScript.txt
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2007-12-10 to 2008-01-10  )))))))))))))))))))))))))))))))
.

2008-01-10 17:14 . 2008-01-10 17:14   <DIR>   d--------   C:\Program Files\Trend Micro
2008-01-10 16:35 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-03 09:42 . 2008-01-03 09:42   <DIR>   d--------   C:\Documents and Settings\USER\Application Data\PrevxCSI
2008-01-03 09:42 . 2008-01-03 09:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-02 15:04 . 2008-01-02 15:04   <DIR>   d--------   C:\Program Files\Enigma Software Group
2008-01-02 13:27 . 2007-12-04 07:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-02 13:27 . 2004-01-09 03:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-02 13:27 . 2007-12-04 06:54   95,608   --a------   C:\WINDOWS\system32\AVASTSS.scr
2008-01-02 13:27 . 2007-12-04 08:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-02 13:27 . 2007-12-04 08:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-02 13:27 . 2007-12-04 08:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-02 13:27 . 2007-12-04 08:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-02 13:27 . 2007-12-04 08:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-17 08:58 . 2007-08-13 18:54   33,792   --a------   C:\WINDOWS\system32\dllcache\custsat.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 15:24   ---------   d-----w   C:\Documents and Settings\USER\Application Data\Yahoo!
2007-11-23 18:34   ---------   d-----w   C:\Program Files\Comodo
2007-11-23 18:34   ---------   d-----w   C:\Documents and Settings\USER\Application Data\Comodo
2007-11-23 18:33   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-23 14:51   139,008   ----a-w   C:\WINDOWS\system32\guard32.dll
2007-11-13 10:25   20,480   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 03:56   ---------   d-----w   C:\Documents and Settings\USER\Application Data\U3
2007-11-10 03:20   ---------   d-----w   C:\Program Files\Lavasoft
2007-11-10 03:20   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-10 03:19   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 03:01   ---------   d-----w   C:\Program Files\Compaq
2007-11-07 09:26   721,920   ----a-w   C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26   721,920   ------w   C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-11-05 17:13   407,680   ----a-w   C:\Program Files\aswclnr.exe
2007-10-31 11:12   3,590,656   ------w   C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20   360,064   ------w   C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43   1,287,680   ------w   C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40   222,720   ----a-w   C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40   222,720   ------w   C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34   8,460,288   ----a-w   C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 06:13   474,112   ------w   C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 06:13   151,040   ------w   C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 06:13   1,494,528   ------w   C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 06:13   1,054,208   ------w   C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 06:13   1,023,488   ------w   C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 23:56   824,832   ------w   C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56   232,960   ------w   C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56   1,159,680   ------w   C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55   671,232   ------w   C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55   63,488   ------w   C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55   6,065,664   ------w   C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55   52,224   ------w   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55   478,208   ------w   C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55   459,264   ------w   C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55   44,544   ------w   C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55   384,512   ------w   C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55   383,488   ------w   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55   27,648   ------w   C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55   267,776   ------w   C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55   230,400   ------w   C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55   214,528   ------w   C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55   193,024   ------w   C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55   153,088   ------w   C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55   132,608   ------w   C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55   124,928   ------w   C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55   105,984   ------w   C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55   102,400   ------w   C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59   70,656   ------w   C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59   625,152   ------w   C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59   13,824   ------w   C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46   161,792   ------w   C:\WINDOWS\system32\dllcache\ieakui.dll
2005-09-20 17:05   456,768   ----a-w   C:\WINDOWS\inf\WG311T\WG311T13.sys
2004-10-20 01:58   35,232   ----a-w   C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-20 01:58   26,112   ----a-w   C:\WINDOWS\inf\WG311T\install.exe
.

(((((((((((((((((((((((((((((   snapshot@2008-01-10_16.42.23.67   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-10 22:36:31   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-10 23:37:05   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-10 22:36:31   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-10 23:37:05   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-10 22:36:31   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-10 23:37:05   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-10 22:36:32   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-10 23:37:05   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-10 22:36:32   4,374,528   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-10 23:37:05   4,374,528   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-10 22:36:32   20,480   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-10 23:37:05   20,480   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 11:59:32]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-08-17 13:20:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= 

R3 HPKBCCID;HP Keyboard Smart Card Driver;C:\WINDOWS\system32\DRIVERS\HPKBCCID.sys [2005-08-03 22:30]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 17:37:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-10 17:37:52
ComboFix-quarantined-files.txt  2008-01-10 23:37:50
ComboFix2.txt  2008-01-10 23:34:59
ComboFix3.txt  2008-01-10 22:42:34
.
2008-01-10 14:56:11   --- E O F --- 
Here is the new ComboFix log.

gianina

  • Guest
Re: Win32:BHO-KD [Trj]
« Reply #9 on: January 11, 2008, 12:40:09 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:20 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs:   
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Unknown owner - C:\Program Files\Aclient\AClient.exe (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 5464 bytes
And here is the new HijackThis log (btw the system did not ask me to reboot).
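As an added example (not part of the thread or of HijackThis itself), a small Python triage pass over HijackThis O2 and O23 lines like the ones in the log above. It flags what a helper checks first on a thread about a BHO trojan: a Browser Helper Object DLL sitting directly in the system32 root, and services that report no publisher or point at a missing binary. The sample lines are copied from the posted log except the last one, which is constructed with a placeholder CLSID and DLL name so the BHO rule has something to hit.

```python
import re

# HijackThis line shapes handled here: O2 (Browser Helper Object) and O23 (service).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$')
# A BHO DLL dropped straight into the system32 root, with no vendor folder, is unusual
# for legitimate software; legitimate BHOs in the log above all live under Program Files.
SYSTEM32_DLL_RE = re.compile(r'^c:\\windows\\system32\\[^\\]+\.dll$')


def triage_hijackthis(log_text):
    """Return (line, reason) pairs from a HijackThis log that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if SYSTEM32_DLL_RE.match(m.group('path').lower()):
                findings.append((line, 'BHO loaded from system32 root'))
            continue
        m = O23_RE.match(line)
        if m:
            # HijackThis prints "Unknown owner" when the binary carries no company info.
            if m.group('owner') == 'Unknown owner':
                findings.append((line, 'service binary has no publisher info'))
            if m.group('path').endswith('(file missing)'):
                findings.append((line, 'service points at a missing binary'))
    return findings


# Sample log: the first four lines are taken from the HijackThis log posted above; the
# last O2 line is constructed, with a placeholder CLSID and DLL name, to show a hit.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O23 - Service: Altiris Client Service (AClient) - Unknown owner - C:\Program Files\Aclient\AClient.exe (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example-bho.dll
"""

if __name__ == '__main__':
    for line, reason in triage_hijackthis(SAMPLE_LOG):
        print(f'{reason}: {line}')
```

A flagged line is a prompt to look up the CLSID and check the file, not proof of infection: the AClient and ACS entries above are leftovers and an unsigned vendor service, respectively.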

gianina

  • Guest
Re: Win32:BHO-KD [Trj]
« Reply #10 on: January 11, 2008, 01:02:26 AM »
Thank you, I just ran avast again and there is no more virus detected,
and my computer seems to be running way better now.

I sure hope this means that it is gone.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Win32:BHO-KD [Trj]
« Reply #11 on: January 11, 2008, 01:06:49 AM »
I sure hope this means that it is gone.
It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
The best things in life are free.

gianina

  • Guest
Re: Win32:BHO-KD [Trj]
« Reply #12 on: January 11, 2008, 01:10:16 AM »
OK, thank you again.
This was extremely helpful, I can't tell you what a relief this is for me now.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:BHO-KD [Trj]
« Reply #13 on: January 11, 2008, 10:31:10 AM »
Hi gianina, glad it worked. I popped off to bed after my last post.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System Tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System Tools > Disk Cleanup.
2. In the drop down box that appears select your main drive e.g. C
3. Click OK
4. The system will do some calculation and then display a dialogue box with tabs
5. Select the More Options tab.
6. At the bottom will be a System Restore box with a CLEANUP button, click this
7. Accept the warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
• SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Keep safe  :wave:

gianina

  • Guest
Re: Win32:BHO-KD [Trj]
« Reply #14 on: January 11, 2008, 04:31:20 PM »
Yes, I have done the steps that were listed and I just would like to thank you again for all the help.