Author Topic: Another Variation of Win32.BHO.abo  (Read 19484 times)


zippie31

  • Guest
Another Variation of Win32.BHO.abo
« on: January 31, 2008, 09:36:49 PM »
Hi
I'm having trouble removing a file, "C:\WINDOWS\system32\datacle.dll".

This was first recognized by F-Secure as Trojan.Win32.BHO.abo (virus).

After multiple scans, F-Secure did a fair job of cleaning up several other issues, but I downloaded Avast to do a boot scan. After multiple scans, it cleaned everything but this file. I get an "access denied" message whenever I try to do anything other than ignore it.

After looking at other posts, I downloaded ComboFix, and it encountered the same problem. It appeared to move the file to its "Catchme" folder, and then Avast allowed me to delete that file, but the original file is still located in my system32 folder.

I can include the latest logs for both Avast and ComboFix. I have not downloaded HijackThis... I don't really know what the heck I'm doing and I was a little afraid of the program...

Please, can anybody help????


1975maggie

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #1 on: January 31, 2008, 09:41:57 PM »
Please post the ComboFix log and a HijackThis log. Don't fix anything with HJT until instructed. The program will only do a scan.

zippie31

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #2 on: January 31, 2008, 09:49:48 PM »
Here's the ComboFix log... I will download HJT and post the log as soon as it is finished... thanks

ComboFix 08-01-31.5 - Compaq_Owner 2008-01-31 11:34:59.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.106 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\Compaq_Owner\Application Data\searchtoolbarcorp
C:\Documents and Settings\Compaq_Owner\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\Compaq_Owner\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Documents and Settings\Compaq_Owner\err.log
C:\Program Files\PopsMedia Site Adviser
C:\Program Files\vsadd-in
C:\WA6P
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\datacle.dll . . . . failed to delete
C:\WINDOWS\system32\gdvljfpy.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log
D:\Autorun.inf . . . . failed to delete
C:\WINDOWS\system32\datacle.dll . . . . failed to delete
D:\Autorun.inf . . . . failed to delete

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\ApiMon
-------\DomainService


(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-31  )))))))))))))))))))))))))))))))
.

2008-01-30 18:41 . 2007-12-04 09:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-30 18:41 . 2007-12-04 09:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-30 18:41 . 2007-12-04 09:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-30 18:40 . 2007-12-04 07:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-30 18:40 . 2007-12-04 09:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-30 18:40 . 2007-12-04 09:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-30 18:39 . 2008-01-30 18:39   <DIR>   d--------   C:\Program Files\Alwil Software
2008-01-30 18:39 . 2007-12-04 08:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-30 18:39 . 2004-01-09 04:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-30 18:11 . 2008-01-30 18:11   18,884,808   --a------   C:\setupeng.exe
2008-01-29 18:05 . 2008-01-29 18:05   407,680   --a------   C:\aswclnr.exe
2008-01-08 23:20 . 2008-01-13 13:13   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-08 23:20 . 2008-01-08 23:20   1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-27 22:48 . 2007-12-27 22:48   <DIR>   d--------   C:\WINDOWS\.jagex_cache_32
2007-12-24 16:08 . 2007-12-24 16:08   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner\Application Data\Viewpoint

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 16:41   ---------   d-----w   C:\Program Files\Plaxo
2008-01-31 04:38   ---------   d-----w   C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-01-31 04:28   ---------   d-----w   C:\Program Files\EMBARQ Online Security
2008-01-31 03:26   ---------   d-----w   C:\Program Files\Palm
2008-01-31 03:22   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-28 23:36   ---------   d-----w   C:\Program Files\PC-Doctor for Windows
2007-12-24 21:07   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2005-12-29 02:05   497   ---ha-w   C:\Documents and Settings\Compaq_Owner\hpothb07.dat
2005-09-09 01:32   164   ---ha-w   C:\Documents and Settings\All Users\hpothb07.dat
2005-08-31 02:21   185   ---ha-w   C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2005-08-31 02:18   497   ---ha-w   C:\Documents and Settings\Default User\hpothb07.dat
2005-08-31 02:18   497   ---ha-w   C:\Documents and Settings\Administrator\hpothb07.dat
2005-08-31 02:18   0   ---ha-w   C:\Documents and Settings\NetworkService\hpothb07.dat
2005-08-31 02:18   0   ---ha-w   C:\Documents and Settings\LocalService\hpothb07.dat
2006-06-17 15:00   0   --sha-w   C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

zippie31

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #3 on: January 31, 2008, 09:50:45 PM »
continued.....

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3161E80A-10B1-4011-B569-67B5AFF890B9}]
2007-12-03 20:56   102656   --a------   C:\WINDOWS\system32\datacle.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59AA14E7-2599-4CFF-8584-C2C9C495AECb}]
         C:\WINDOWS\system32\dpetcork.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6F6A449-5FE6-4569-8650-8C9688D01931}]
         C:\WINDOWS\system32\dpetcork.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA7C105E-76AD-4C6A-8DA0-3483F4129695}]
         C:\WINDOWS\system32\dpetcork.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7715BF8-235F-4116-8980-9E86FC984977}]
         C:\WINDOWS\system32\dpetcork.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6B6A48-C0B7-476D-AD0C-80750FC0F5A1}]
         C:\WINDOWS\system32\dpetcork.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF54E354-10BE-4A8A-AA07-F9CFFD443528}]
         C:\WINDOWS\system32\dpetcork.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECBF168F-942B-469B-B2CA-63A1E9E88E5B}]
         C:\WINDOWS\inf\gvaars.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-12 14:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-10-21 23:41 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 00:55 155648]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-22 00:31 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 21:38 286720]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"VTTimer"="VTTimer.exe" []
"SiSPower"="SiSPower.dll" [2004-09-24 11:49 49152 C:\WINDOWS\system32\SiSPower.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 07:44 176128]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe" [2003-11-12 08:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2004-02-02 03:41 495616]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-05-09 10:38 36864]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"NI.UWFX5_0001_N57M2811"="C:\Documents and Settings\Compaq_Owner\My Documents\error.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-22 01:01 98304]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 21:41 196608]
"NI.UWFX6_0001_N57M0912"="C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2004-08-03 17:18 1083392]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2008-01-30 22:26:10 2494464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gvaars]
C:\WINDOWS\inf\gvaars.dll

R0 dueavlel;dueavlel;C:\WINDOWS\system32\drivers\ikuracjg.dat []
S2 DP1112;DP1112;C:\WINDOWS\system32\Drivers\DP.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 11:49:05 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
"2008-01-26 01:00:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (COMPUTER-Compaq_Owner).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2006-12-03 03:33:06 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\Hewlett-Packard\digital imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 11:42:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2008-01-31 11:44:56 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-31 16:44:45
.
2008-01-09 08:08:57   --- E O F --- 
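
Added example (not part of the thread, and not code from ComboFix): a Python script that reads the two ComboFix sections quoted above and ties them together. The security-relevant detail in this log is that C:\WINDOWS\system32\datacle.dll "failed to delete" while the "Reg Loading Points" section still shows it registered as a Browser Helper Object under {3161E80A-10B1-4011-B569-67B5AFF890B9}. A registered BHO is loaded into every Internet Explorer process (and, on XP, into Windows Explorer), and Windows will not let a DLL that is mapped into a running process be deleted, which is the "access denied" the poster keeps hitting. The script also lists loading points for which ComboFix printed no file metadata ("[ ]" or "[]"), such as the R0 boot-start driver dueavlel that points at a .dat file. The sample text is copied from the log above; the line-format regexes and the reading of an empty bracket as "ComboFix could not stat the target" are my assumptions about ComboFix's output, not documented behaviour.

```python
import re
from collections import namedtuple

# Lines copied from the ComboFix log posted above, trimmed to the two sections
# this script reads (section banners included, because the parser keys on them).
# Nothing in this sample is constructed.
SAMPLE_COMBOFIX = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\datacle.dll . . . . failed to delete
C:\WINDOWS\system32\gdvljfpy.ini
D:\Autorun.inf . . . . failed to delete
C:\WINDOWS\system32\datacle.dll . . . . failed to delete
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3161E80A-10B1-4011-B569-67B5AFF890B9}]
2007-12-03 20:56   102656   --a------   C:\WINDOWS\system32\datacle.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59AA14E7-2599-4CFF-8584-C2C9C495AECb}]
         C:\WINDOWS\system32\dpetcork.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:00 15360]
"NI.UWFX5_0001_N57M2811"="C:\Documents and Settings\Compaq_Owner\My Documents\error.exe" [ ]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2008-01-30 22:26:10 2494464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gvaars]
C:\WINDOWS\inf\gvaars.dll

R0 dueavlel;dueavlel;C:\WINDOWS\system32\drivers\ikuracjg.dat []
S2 DP1112;DP1112;C:\WINDOWS\system32\Drivers\DP.sys []
"""

Point = namedtuple('Point', 'where target meta')   # one autostart reference

# Line shapes as I understand them from this log (assumption, not a ComboFix spec).
SECTION_RE = re.compile(r'^\(+\s*(.*?)\s*\)+$')                         # ((((  Name  ))))
KEY_RE = re.compile(r'^\[(.+)\]$')                                     # [HKEY_...]
VALUE_RE = re.compile(r'^"(.*?)"="(.*?)"\s*\[(.*)\]$')                  # "name"="target" [meta]
DRIVER_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*?)\s*\[(.*)\]$')  # R0 svc;display;path [meta]
LNK_RE = re.compile(r'^(.+?\.lnk) - (.*?)\s*\[(.*)\]$')                 # shortcut - target [meta]
PATH_RE = re.compile(r'[A-Za-z]:\\\S.*')                               # first drive-letter path
FAILED = ' . . . . failed to delete'


def parse_combofix(text):
    """Return (failed_deletes, points).

    failed_deletes: paths reported as 'failed to delete', deduplicated.
    points: every autostart reference in 'Reg Loading Points' (registry values,
    bare key targets such as BHO CLSIDs and Winlogon Notify, startup-folder
    shortcuts, R*/S* driver lines). meta is ComboFix's bracketed file info; an
    empty meta means it printed '[ ]' or '[]', read here as 'could not stat'."""
    section, current_key = None, None
    failed, points = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == '.':
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section == 'Other Deletions':
            if line.endswith(FAILED):
                path = line[:-len(FAILED)]
                if path not in failed:
                    failed.append(path)
            continue
        if section != 'Reg Loading Points':
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if line.endswith('\\') and PATH_RE.match(line):     # startup-folder heading
            current_key = line
            continue
        m = DRIVER_RE.match(line)
        if m:
            start, svc, _display, path, meta = m.groups()
            points.append(Point(f'driver {svc} ({start})', path, meta.strip()))
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line) or LNK_RE.match(line)
        if m:
            name, path, meta = m.groups()
            sep = '' if current_key.endswith('\\') else '\\'
            points.append(Point(current_key + sep + name, path, meta.strip()))
            continue
        m = PATH_RE.search(line)                             # bare key-target line
        if m:
            points.append(Point(current_key, m.group(0), 'n/a'))
    return failed, points


def persistence_report(text):
    """Map each undeletable file to the loading points that still reference it,
    and list loading points whose target ComboFix could not stat."""
    failed, points = parse_combofix(text)
    still_referenced = {f: [] for f in failed}
    dangling = []
    for p in points:
        for f in failed:
            if p.target.lower() == f.lower():
                still_referenced[f].append(p.where)
        if p.meta == '':
            dangling.append(p.where)
    return still_referenced, dangling


if __name__ == '__main__':
    referenced, dangling = persistence_report(SAMPLE_COMBOFIX)
    for path, where in referenced.items():
        print(f'{path}: still loaded from {where or "nothing visible"}')
    print('loading points whose target could not be stat-ed:', *dangling, sep='\n  ')
```

To use it on a real case, read a saved ComboFix log into a string and pass it to persistence_report. A file that fails to delete and still has a loading point will be loaded again at the next logon or the next Internet Explorer start, so either the registration has to be removed first or the file has to be removed before its loader runs, which is what the CFscript and Avenger steps later in this thread are for.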

zippie31

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #4 on: January 31, 2008, 10:05:24 PM »
HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:07 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

zippie31

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #5 on: January 31, 2008, 10:06:17 PM »
HJT log continued....

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dialup24.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3161E80A-10B1-4011-B569-67B5AFF890B9} - C:\WINDOWS\system32\datacle.dll
O2 - BHO: (no name) - {59AA14E7-2599-4CFF-8584-C2C9C495AECb} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B6F6A449-5FE6-4569-8650-8C9688D01931} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {BA7C105E-76AD-4C6A-8DA0-3483F4129695} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {C7715BF8-235F-4116-8980-9E86FC984977} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {CA6B6A48-C0B7-476D-AD0C-80750FC0F5A1} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {DF54E354-10BE-4A8A-AA07-F9CFFD443528} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {ECBF168F-942B-469B-B2CA-63A1E9E88E5B} - C:\WINDOWS\inf\gvaars.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NI.UWFX5_0001_N57M2811] "C:\Documents and Settings\Compaq_Owner\My Documents\error.exe" -nag
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NI.UWFX6_0001_N57M0912] "C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster Gold 17\Remind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.dialup24.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - Winlogon Notify: gvaars - C:\WINDOWS\inf\gvaars.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

--
End of file - 11155 bytes
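
Added example (not part of the thread, and not code from HijackThis): a Python triage pass over HJT O2, O3, O4 and O20 lines that encodes the signals a helper reads off a log like the one above. Each entry is scored against a few independent indicators: a BHO or toolbar with no name; a registration whose file is missing; a lowercase, random-looking filename sitting in system32 or WINDOWS\inf; one DLL registered under several CLSIDs (dpetcork.dll appears under six here); a Winlogon Notify DLL living outside system32; and a Run entry executing out of the browser cache or My Documents. The sample lines are copied from the log above, with the Adobe, Google and QuickTime entries kept as benign controls. The regexes for the HJT line shapes and the "random-looking name" pattern are my assumptions, and the output is a triage aid, not a verdict: legitimate system DLLs can have short lowercase names too, which is why that signal is reported alongside the others rather than on its own.

```python
import re
from collections import Counter, namedtuple

# Lines copied from the HijackThis log posted above (the Adobe, Google and
# QuickTime entries are benign controls). Nothing in this sample is constructed.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3161E80A-10B1-4011-B569-67B5AFF890B9} - C:\WINDOWS\system32\datacle.dll
O2 - BHO: (no name) - {59AA14E7-2599-4CFF-8584-C2C9C495AECb} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {B6F6A449-5FE6-4569-8650-8C9688D01931} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {ECBF168F-942B-469B-B2CA-63A1E9E88E5B} - C:\WINDOWS\inf\gvaars.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UWFX6_0001_N57M0912] "C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe" -nag
O20 - Winlogon Notify: gvaars - C:\WINDOWS\inf\gvaars.dll (file missing)
"""

Entry = namedtuple('Entry', 'section name ident path missing')

# HJT line shapes as read from this log (assumption, not an HJT specification).
COM_RE = re.compile(r'^(O2|O3) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
RUN_RE = re.compile(r'^(O4) - (.*?): \[(.*?)\] (.*)$')
NOTIFY_RE = re.compile(r'^(O20) - Winlogon Notify: (.*?) - (.*)$')

# Heuristic: 5-10 lowercase letters plus a loader-relevant extension, the shape of
# datacle, dpetcork, gvaars and ikuracjg in this log. Real system files can look
# like this too, so it is only one signal among several.
RANDOM_NAME = re.compile(r'^[a-z]{5,10}\.(?:dll|dat|sys)$')
SYSTEM32 = 'c:\\windows\\system32\\'
SYSTEM_DIRS = (SYSTEM32, 'c:\\windows\\inf\\')


def _split_target(raw):
    """Separate HJT's '(file missing)' / '(no file)' markers from the path."""
    if raw == '(no file)':
        return '', True
    if raw.endswith('(file missing)'):
        return raw[:-len('(file missing)')].strip(), True
    return raw.strip(), False


def _executable(cmd):
    """First token of a Run command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ', 1)[0]


def parse_entry(line):
    """Return an Entry for the O2/O3/O4/O20 lines we triage, else None."""
    m = COM_RE.match(line)
    if m:
        section, name, clsid, raw = m.groups()
        path, missing = _split_target(raw)
        return Entry(section, name, clsid, path, missing)
    m = NOTIFY_RE.match(line)
    if m:
        section, name, raw = m.groups()
        path, missing = _split_target(raw)
        return Entry(section, name, '', path, missing)
    m = RUN_RE.match(line)
    if m:
        section, key, name, cmd = m.groups()
        return Entry(section, name, key, _executable(cmd), False)
    return None


def reasons_for(e, o2_refcount):
    """List the signals an entry trips; an empty list means nothing stood out."""
    low = e.path.lower()
    base = low.rsplit('\\', 1)[-1]
    why = []
    if e.section in ('O2', 'O3') and e.name == '(no name)':
        why.append('unnamed COM object')
    if e.missing:
        why.append('registration points to a missing file')
    if low.startswith(SYSTEM_DIRS) and RANDOM_NAME.match(base):
        why.append('random-looking filename in a system directory')
    if e.section == 'O20' and not low.startswith(SYSTEM32):
        why.append('Winlogon Notify DLL outside system32')
    if e.section == 'O4' and ('\\temporary internet files\\' in low or '\\my documents\\' in low):
        why.append('autorun from a browser cache or user document folder')
    if e.section == 'O2' and o2_refcount[low] > 1:
        why.append('same DLL registered under %d CLSIDs' % o2_refcount[low])
    return why


def triage(log_text):
    """Return [(section, name, path, reasons)] for every entry with at least one signal."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    o2_refcount = Counter(e.path.lower() for e in entries if e.section == 'O2')
    return [(e.section, e.name, e.path, r)
            for e in entries
            for r in [reasons_for(e, o2_refcount)] if r]


if __name__ == '__main__':
    for section, name, path, why in triage(SAMPLE_LOG):
        print(f'{section:<4}{name:<28}{path or "(no file)"}')
        for w in why:
            print(f'        - {w}')
```

On the sample the seven entries that come back are exactly the O2, O3 and O20 lines the helper asks to be fixed in the next reply plus the WinFixer Run entry, while the Adobe, Google and QuickTime lines produce nothing; feed it a whole saved HJT log and it will skip every section it does not model.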

1975maggie

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #6 on: January 31, 2008, 10:25:19 PM »
Please open HJT, run a system scan only, and check the following lines:

O2 - BHO: (no name) - {3161E80A-10B1-4011-B569-67B5AFF890B9} - C:\WINDOWS\system32\datacle.dll
O2 - BHO: (no name) - {59AA14E7-2599-4CFF-8584-C2C9C495AECb} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {B6F6A449-5FE6-4569-8650-8C9688D01931} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {BA7C105E-76AD-4C6A-8DA0-3483F4129695} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {C7715BF8-235F-4116-8980-9E86FC984977} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {CA6B6A48-C0B7-476D-AD0C-80750FC0F5A1} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {DF54E354-10BE-4A8A-AA07-F9CFFD443528} - C:\WINDOWS\system32\dpetcork.dll (file missing)
O2 - BHO: (no name) - {ECBF168F-942B-469B-B2CA-63A1E9E88E5B} - C:\WINDOWS\inf\gvaars.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: gvaars - C:\WINDOWS\inf\gvaars.dll (file missing)

Click Fix, then close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\drivers\ikuracjg.dat
C:\WINDOWS\system32\datacle.dll


Please download The Avenger by Swandog46 to your Desktop.

1.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Quote
Drivers to unload:
DP1112
dueavlel

Files to delete:
C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\drivers\ikuracjg.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Copy/Paste all the text  in the above quote box into this window by
  • MAKE SURE THE TEXT MATCHES EXACTLY
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt

    Please post the ComboFix log, the Avenger results and a new HJT log in your next reply.

    And do you have an image on your desktop that you put there? See the O24 line in the HJT log. Thanks.

« Last Edit: January 31, 2008, 10:27:37 PM by 1975maggie »

zippie31

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #7 on: January 31, 2008, 11:13:29 PM »
OK... followed all directions (correctly, I hope)... here goes
combofix log:

ComboFix 08-01-31.5 - Compaq_Owner 2008-01-31 16:42:57.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.103 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFscript.txt
 * Created a new restore point

FILE
C:\WINDOWS\system32\datacle.dll
C:\WINDOWS\system32\drivers.ikuracjg.dat
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\datacle.dll . . . . failed to delete
D:\Autorun.inf . . . . failed to delete
C:\WINDOWS\system32\datacle.dll . . . . failed to delete
D:\Autorun.inf . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-31  )))))))))))))))))))))))))))))))
.

2008-01-30 18:41 . 2007-12-04 09:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-30 18:41 . 2007-12-04 09:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-30 18:41 . 2007-12-04 09:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-30 18:40 . 2007-12-04 07:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-30 18:40 . 2007-12-04 09:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-30 18:40 . 2007-12-04 09:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-30 18:39 . 2008-01-30 18:39   <DIR>   d--------   C:\Program Files\Alwil Software
2008-01-30 18:39 . 2007-12-04 08:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-30 18:39 . 2004-01-09 04:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-30 18:11 . 2008-01-30 18:11   18,884,808   --a------   C:\setupeng.exe
2008-01-29 18:05 . 2008-01-29 18:05   407,680   --a------   C:\aswclnr.exe
2008-01-08 23:20 . 2008-01-13 13:13   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-08 23:20 . 2008-01-08 23:20   1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-27 22:48 . 2007-12-27 22:48   <DIR>   d--------   C:\WINDOWS\.jagex_cache_32
2007-12-24 16:08 . 2007-12-24 16:08   <DIR>   d--------   C:\Documents and Settings\Compaq_Owner\Application Data\Viewpoint

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 21:47   ---------   d-----w   C:\Program Files\Plaxo
2008-01-31 04:38   ---------   d-----w   C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-01-31 04:28   ---------   d-----w   C:\Program Files\EMBARQ Online Security
2008-01-31 03:26   ---------   d-----w   C:\Program Files\Palm
2008-01-31 03:22   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-28 23:36   ---------   d-----w   C:\Program Files\PC-Doctor for Windows
2007-12-24 21:07   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2005-12-29 02:05   497   ---ha-w   C:\Documents and Settings\Compaq_Owner\hpothb07.dat
2005-09-09 01:32   164   ---ha-w   C:\Documents and Settings\All Users\hpothb07.dat
2005-08-31 02:21   185   ---ha-w   C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2005-08-31 02:18   497   ---ha-w   C:\Documents and Settings\Default User\hpothb07.dat
2005-08-31 02:18   497   ---ha-w   C:\Documents and Settings\Administrator\hpothb07.dat
2005-08-31 02:18   0   ---ha-w   C:\Documents and Settings\NetworkService\hpothb07.dat
2005-08-31 02:18   0   ---ha-w   C:\Documents and Settings\LocalService\hpothb07.dat
2006-06-17 15:00   0   --sha-w   C:\WINDOWS\SMINST\HPCD.sys
.

zippie31

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #8 on: January 31, 2008, 11:14:31 PM »
combofix log continued....

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3161E80A-10B1-4011-B569-67B5AFF890B9}]
2007-12-03 20:56   102656   --a------   C:\WINDOWS\system32\datacle.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-12 14:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-10-21 23:41 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 00:55 155648]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-22 00:31 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 21:38 286720]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"VTTimer"="VTTimer.exe" []
"SiSPower"="SiSPower.dll" [2004-09-24 11:49 49152 C:\WINDOWS\system32\SiSPower.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 07:44 176128]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe" [2003-11-12 08:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2004-02-02 03:41 495616]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-05-09 10:38 36864]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"NI.UWFX5_0001_N57M2811"="C:\Documents and Settings\Compaq_Owner\My Documents\error.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-22 01:01 98304]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 21:41 196608]
"NI.UWFX6_0001_N57M0912"="C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2004-08-03 17:18 1083392]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2008-01-30 22:26:10 2494464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]

R0 dueavlel;dueavlel;C:\WINDOWS\system32\drivers\ikuracjg.dat []
S2 DP1112;DP1112;C:\WINDOWS\system32\Drivers\DP.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 19:49:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
"2008-01-26 01:00:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (COMPUTER-Compaq_Owner).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2006-12-03 03:33:06 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\Hewlett-Packard\digital imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 16:47:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2008-01-31 16:50:58 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-31 21:50:46
ComboFix2.txt  2008-01-31 16:44:56
.
2008-01-09 08:08:57   --- E O F --- 

zippie31

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #9 on: January 31, 2008, 11:15:31 PM »
Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qnxviwrw

*******************

Script file located at: \??\C:\Documents and Settings\joxdndjm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver DP1112 unloaded successfully.


Could not open registry key \Registry\Machine\System\CurrentControlSet\Services\dueavlel for deletion
Unload of driver dueavlel failed!

Could not process line:
dueavlel
Status: 0xc0000022



File C:\WINDOWS\system32\Drivers\DP.sys not found!
Deletion of file C:\WINDOWS\system32\Drivers\DP.sys failed!

Could not process line:
C:\WINDOWS\system32\Drivers\DP.sys
Status: 0xc0000034



Could not open file C:\WINDOWS\system32\drivers\ikuracjg.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\ikuracjg.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\ikuracjg.dat
Status: 0xc0000022


Completed script processing.

*******************

Finished!  Terminate.

zippie31

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #10 on: January 31, 2008, 11:16:49 PM »
HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:28 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

zippie31

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #11 on: January 31, 2008, 11:17:35 PM »
HJT log continued...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dialup24.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3161E80A-10B1-4011-B569-67B5AFF890B9} - C:\WINDOWS\system32\datacle.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NI.UWFX5_0001_N57M2811] "C:\Documents and Settings\Compaq_Owner\My Documents\error.exe" -nag
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NI.UWFX6_0001_N57M0912] "C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster Gold 17\Remind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.dialup24.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

--
End of file - 10280 bytes

1975maggie

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #12 on: January 31, 2008, 11:40:34 PM »
What is your D drive? And what about the desktop image?


zippie31

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #13 on: January 31, 2008, 11:51:27 PM »
I deleted the desktop image of the hijackthis.txt but when it created a new log, it placed it there again.

The D: drive was partitioned by Compaq. It has 2 folders...Backup and a locked Recovery folder.  There are also a handful of other files, but I'm not sure what they are.

1975maggie

  • Guest
Re: Another Variation of Win32.BHO.abo
« Reply #14 on: February 01, 2008, 12:39:12 AM »
Open HJT, run a system scan only, checkmark these lines

O4 - HKLM\..\Run: [NI.UWFX5_0001_N57M2811] "C:\Documents and Settings\Compaq_Owner\My Documents\error.exe" -nag
O4 - HKLM\..\Run: [NI.UWFX6_0001_N57M0912] "C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe" -nag
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg



Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe
C:\Documents and Settings\Compaq_Owner\My Documents\error.exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dueavlel]





According to combofix, you have the recovery console installed, so we will use it to disable a service.

To access the recovery console follow this link, scroll down to just below #6.

http://www.bleepingcomputer.com/tutorials/tutorial117.html

Once you are in the console and at the c:\windows prompt, do the following


When doing this, anything you see in curly brackets {} means an action; for example {space} means 1 space and {enter} means the Enter key

listsvc{enter}
disable{space}dueavlel{enter}
ren{space}C:\WINDOWS\system32\drivers\ikuracjg.dat{space}ikuracjg.old{enter}
del{space}C:\WINDOWS\system32\datacle.dll{enter}
restart your computer.

Please post the new combofix log and let me know how things are going, and any problems performing the above steps.


« Last Edit: February 01, 2008, 12:49:18 AM by 1975maggie »
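The three HijackThis lines 1975maggie asks to fix share a pattern: a BHO or desktop component registered with no name, or an autorun loading from the user's temp or profile folders. As an added example, not part of this thread or of HijackThis, the script below parses O2/O4/O24 lines and flags entries with those traits; the sample lines are copied from the log above and the flagging heuristics are assumptions drawn from what the helper chose to fix.

```python
import re
from dataclasses import dataclass, field

# Line kinds from a HijackThis log that this thread's helper acted on
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O24_RE = re.compile(r"^O24 - Desktop Component \d+: (?P<name>.*?) - (?P<url>.+)$")

# Assumption: a legitimate BHO/autorun should not load from these user-writable locations
UNTRUSTED_DIRS = ("temporary internet files", "\\temp\\", "/temp/", "\\my documents\\")

@dataclass
class Entry:
    kind: str                      # "O2", "O4" or "O24"
    raw: str                       # the original log line
    target: str                    # file path or URL the entry loads
    name: str = ""                 # BHO name, Run value name, or component name
    reasons: list = field(default_factory=list)

def _exe_from_cmd(cmd):
    """Return the program path from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def parse_line(line):
    """Parse one O2/O4/O24 line; other line kinds return None."""
    if (m := O2_RE.match(line)):
        return Entry("O2", line, m["path"], m["name"])
    if (m := O4_RE.match(line)):
        return Entry("O4", line, _exe_from_cmd(m["cmd"]), m["key"])
    if (m := O24_RE.match(line)):
        return Entry("O24", line, m["url"], m["name"])
    return None

def triage(entry):
    """Attach human-readable reasons to an entry; empty list means nothing odd."""
    if entry.kind in ("O2", "O24") and entry.name.strip() == "(no name)":
        entry.reasons.append("registered without a name")
    if any(d in entry.target.lower() for d in UNTRUSTED_DIRS):
        entry.reasons.append("loads from a user-writable temp or profile location")
    return entry.reasons

def review_log(lines):
    """Return only the entries that triage flagged, in log order."""
    flagged = []
    for line in lines:
        e = parse_line(line.strip())
        if e and triage(e):
            flagged.append(e)
    return flagged

# Sample lines copied from the HijackThis log in this thread
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {3161E80A-10B1-4011-B569-67B5AFF890B9} - C:\WINDOWS\system32\datacle.dll",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe",
    r'O4 - HKLM\..\Run: [NI.UWFX5_0001_N57M2811] "C:\Documents and Settings\Compaq_Owner\My Documents\error.exe" -nag',
    r'O4 - HKLM\..\Run: [NI.UWFX6_0001_N57M0912] "C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe" -nag',
    r"O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg",
]

if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        print(f"{e.kind} [{e.name}] {e.target}\n    -> {'; '.join(e.reasons)}")
```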