Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Win32.BHO.df - removal guidance requested

Post by makem » November 10th, 2007, 3:54 pm

Hi, one of my machines was infected with various things including Virtumonde and Win32.BHO.df.
I used the following and they all appear to have been removed except for Win32.BHO.df. My log showed cuysickr.dll which I removed but it returns after reboot. SpyBot is unable to remove Win32.BHO.df.
Programs used:
Adaware 2007
AVG 7.5
cswshredder
stinger.exe
Vundofix.exe
vx2finder.exe

I would be grateful for any guidance.

I do not have a pre-HijackThis log but here is the post log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38:08, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [644a7d2b] rundll32.exe "C:\WINDOWS\system32\cuysickr.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4702362498
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0039F18.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3983 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Post by ndmmxiaomayi » November 11th, 2007, 12:42 am

Hi makem. :)

Step 1

  1. Please go to C:\Program Files\HiJackThis and right click on HijackThis.exe. Select Rename.
  2. Type in scanner and press Enter.
  3. Double click on scanner to run it.
  4. Select Do a system scan and save a logfile. Please post back this log in your next reply.
Don't close HijackThis yet.

Step 2

  1. Click on the Config... button at the bottom right hand corner.
  2. At the top, click on the Misc Tools button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.

In your next reply, please post:

  1. A new HijackThis log (after running scanner.exe)
  2. The Uninstall list
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Win32.BHO.df - removal guidance requested - reply

Post by makem » November 11th, 2007, 5:49 am

Hi ndmmxiaomayi, here are the two logs you requested. Many thanks for your assistance.

HijackThis.log (after renaming):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:40:00, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HiJackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2FBB7E7E-9BAE-40B4-9EA3-5229A1F68A6C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A0890868-7F34-4530-810F-6D9109257666} - C:\WINDOWS\system32\pmnml.dll
O2 - BHO: (no name) - {C710BA8E-102C-496A-937A-202D2150A452} - (no file)
O2 - BHO: (no name) - {D0446DE8-566A-4FF9-8C59-228215007271} - (no file)
O2 - BHO: {af5c7f70-6cb1-e84a-1ad4-080f3b38501f} - {f10583b3-f080-4da1-a48e-1bc607f7c5fa} - C:\WINDOWS\system32\obtvcqwq.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [644a7d2b] rundll32.exe "C:\WINDOWS\system32\cuysickr.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4702362498
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0039F18.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4771 bytes

Uninstall_list:

Ad-Aware 2007
Ad-Aware SE Professional
Adobe Flash Player 9 ActiveX
AVG Anti-Spyware 7.5
Black & White® 2
Black & White® 2 Battle of the Gods
Day of Defeat: Source
Diskeeper Professional Edition
Half-Life Dedicated Server Update Tool
HijackThis 2.0.2
IrfanView (remove only)
Java(TM) 6 Update 3
Mozilla Firefox (2.0.0.7)
Nero 7 Premium
NOD32 antivirus system
NOD32 FiX v2.1
NVIDIA Drivers
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Spybot - Search & Destroy
Steam
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows XP Hotfix - KB885835
WinRAR archiver
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm
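The O2, O4 and O20 lines in the log above are the persistence points the rest of the thread works through: a BHO registered under a CLSID with no name, a rundll32 Run entry under a bare hex value name, and an AppInit_DLLs entry. As an added example that is not from the thread or from HijackThis itself, here is a small Python triage helper that parses those three line types and flags the patterns a responder would check first; the sample lines are constructed in the HijackThis v2.0.2 format seen above, and the flagging rules are my own heuristics.

```python
"""Triage helper for HijackThis v2.0.2 log lines (added example, not part of the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis format, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2FBB7E7E-9BAE-40B4-9EA3-5229A1F68A6C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A0890868-7F34-4530-810F-6D9109257666} - C:\WINDOWS\system32\pmnml.dll
O2 - BHO: {af5c7f70-6cb1-e84a-1ad4-080f3b38501f} - {f10583b3-f080-4da1-a48e-1bc607f7c5fa} - C:\WINDOWS\system32\obtvcqwq.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [644a7d2b] rundll32.exe "C:\WINDOWS\system32\cuysickr.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0039F18.dat
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag: O2, O4 or O20
    target: str   # CLSID or registry value the entry lives under
    path: str     # file the entry loads, or "(no file)"
    reason: str   # why a responder should look at it


# O2 - BHO: <name> - {CLSID} - <path or (no file)>
O2_RE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# O20 - AppInit_DLLs: <comma-separated paths>
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# rundll32 loading a DLL, quoted or not, with an optional ",EntryPoint" suffix
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
# Run value names that are bare hex strings, like the 644a7d2b entry in this thread's log
HEXNAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Return the O2/O4/O20 entries in a HijackThis log that deserve a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append(Finding("O2", clsid, path,
                                        "orphaned BHO: CLSID still registered but its DLL is gone"))
            elif (name == "(no name)" or CLSID_RE.match(name)) and SYSTEM32_RE.search(path):
                findings.append(Finding("O2", clsid, path,
                                        "unnamed BHO loading a DLL straight from system32"))
        elif m := O4_RE.match(line):
            hive, value, command = m.groups()
            dll = RUNDLL_RE.search(command)
            if dll and HEXNAME_RE.match(value):
                findings.append(Finding("O4", f"{hive}\\..\\Run\\{value}", dll.group(1),
                                        "rundll32 autostart under a bare hex value name"))
        elif m := O20_RE.match(line):
            # Every path listed here is loaded into each process that maps user32.dll
            for path in m.group(1).split(","):
                if path.strip():
                    findings.append(Finding("O20", "AppInit_DLLs", path.strip(),
                                            "system-wide DLL injection point; confirm the publisher"))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings as a plain-text list, one entry per finding."""
    if not findings:
        return "nothing flagged"
    return "\n".join(f"{f.section:<4}{f.target:<50}{f.path}\n    -> {f.reason}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```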

Post by ndmmxiaomayi » November 11th, 2007, 5:56 am

Hi makem. :)

Please go to Virus Total or Jotti and upload C:\WINDOWS\system32\obtvcqwq.dll for scanning.

For Virus Total

  1. Please copy and paste C:\WINDOWS\system32\obtvcqwq.dll in the text box next to the Browse button.
  2. Click on Send File.

For Jotti

  1. Please copy and paste C:\WINDOWS\system32\obtvcqwq.dll in the text box next to the Browse button.
  2. Click on Submit.


Please post back the scan results of this file in your next reply.
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Win32.BHO.df - removal guidance requested - reply

Post by makem » November 11th, 2007, 7:33 am

Hi again,

Scan result requested:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.10.0 2007.11.09 -
AntiVir 7.6.0.34 2007.11.09 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.11.10 -
Avast 4.7.1074.0 2007.11.10 -
AVG 7.5.0.503 2007.11.11 Lop
BitDefender 7.2 2007.11.11 -
CAT-QuickHeal 9.00 2007.11.10 -
ClamAV 0.91.2 2007.11.11 -
DrWeb 4.44.0.09170 2007.11.11 -
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5284 2007.11.09 -
Ewido 4.0 2007.11.11 -
FileAdvisor 1 2007.11.11 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.10 -
F-Secure 6.70.13030.0 2007.11.10 -
Ikarus T3.1.1.12 2007.11.11 -
Kaspersky 7.0.0.125 2007.11.11 -
McAfee 5160 2007.11.09 Vundo
Microsoft 1.3007 2007.11.11 -
NOD32v2 2652 2007.11.11 -
Norman 5.80.02 2007.11.09 Vundo.gen49
Panda 9.0.0.4 2007.11.10 Suspicious file
Prevx1 V2 2007.11.11 Heuristic: Suspicious Self Modifying EXE
Rising 20.17.62.00 2007.11.11 -
Sophos 4.23.0 2007.11.11 -
Sunbelt 2.2.907.0 2007.11.09 -
Symantec 10 2007.11.11 -
TheHacker 6.2.9.123 2007.11.10 -
VBA32 3.12.2.4 2007.11.08 -
VirusBuster 4.3.26:9 2007.11.10 -
Webwasher-Gateway 6.0.1 2007.11.11 Trojan.Dldr.ConHook.Gen
Additional information
File size: 81472 bytes
MD5: 83cc5b43f794bdf68f82f899c22d006e
SHA1: 069929c69aa35621c952f24a6f01f1b9f58a19a5
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 004DBCF6CC
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Post by ndmmxiaomayi » November 11th, 2007, 10:27 am

Hi makem. :)

Step 1

Please disable Spybot TeaTimer temporarily as it may interfere with the fixes. It can be re-enabled once your PC is clean.

  1. Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
  5. On the left hand side, click on Tools.
  6. Check (tick) this box if it is not yet ticked: Resident.
  7. You will notice that Resident is now added under Tools. Click on Resident.
  8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  9. Exit Spybot Search & Destroy.
  10. Restart your computer for the changes to take effect.

Step 2

Please download Combofix from Tech Support Forum. Save it to your desktop.

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Post by makem » November 11th, 2007, 10:54 am

Results:

ComboFix 07-11-08.3 - calvin 2007-11-11 14:46:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.262 [GMT 0:00]
Running from: C:\Documents and Settings\calvin\Desktop\Spyware Progs\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 09:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 20:49 <DIR> d-------- C:\Program Files\ATF-Cleaner
2007-11-10 15:14 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-10 11:12 81,472 --a------ C:\WINDOWS\system32\obtvcqwq.dll
2007-11-10 11:06 85,056 --a------ C:\WINDOWS\system32\cuysickr.dll
2007-11-10 01:55 <DIR> d-------- C:\VundoFix Backups
2007-11-10 01:29 <DIR> d-------- C:\Documents and Settings\calvin\.housecall6.6
2007-11-10 01:18 <DIR> d-------- C:\Program Files\Java
2007-11-10 01:16 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-09 20:53 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-11-09 20:53 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-11-09 20:53 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-11-09 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-09 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 19:42 <DIR> d-------- C:\Documents and Settings\calvin\Application Data\Grisoft
2007-11-09 19:41 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-09 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 18:03 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-11-09 16:24 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-09 16:16 <DIR> d-------- C:\WINDOWS\Web Download
2007-11-08 22:14 <DIR> d-------- C:\Documents and Settings\calvin\Application Data\Leadertech
2007-11-08 22:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-11-08 22:10 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2007-11-08 22:10 <DIR> d-------- C:\Documents and Settings\calvin\Application Data\U3
2007-11-08 22:09 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-08 11:50 <DIR> d-------- C:\Program Files\Lionhead Studios

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 14:43 --------- d-----w C:\Program Files\Steam
2007-11-10 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-09 20:00 --------- d-----w C:\Program Files\Lavasoft
2007-11-08 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-08 12:19 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-05 11:20 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_10.10.13.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-11 14:42:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_508.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FBB7E7E-9BAE-40B4-9EA3-5229A1F68A6C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C710BA8E-102C-496A-937A-202D2150A452}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0446DE8-566A-4FF9-8C59-228215007271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f10583b3-f080-4da1-a48e-1bc607f7c5fa}]
2007-11-10 11:12 81472 --a------ C:\WINDOWS\system32\obtvcqwq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-09 20:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"644a7d2b"="C:\WINDOWS\system32\cuysickr.dll" [2007-11-10 11:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-10-05 11:11]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\arun.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 14:48:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 14:50:15
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52:01, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HiJackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2FBB7E7E-9BAE-40B4-9EA3-5229A1F68A6C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C710BA8E-102C-496A-937A-202D2150A452} - (no file)
O2 - BHO: (no name) - {D0446DE8-566A-4FF9-8C59-228215007271} - (no file)
O2 - BHO: {af5c7f70-6cb1-e84a-1ad4-080f3b38501f} - {f10583b3-f080-4da1-a48e-1bc607f7c5fa} - C:\WINDOWS\system32\obtvcqwq.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [644a7d2b] rundll32.exe "C:\WINDOWS\system32\cuysickr.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4702362498
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4423 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Post by makem » November 11th, 2007, 10:59 am

Thank you for your help, I am most grateful.

I will be back in 1 hour :o)
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Win32.BHO.df - removal guidance requested

Post by ndmmxiaomayi » November 12th, 2007, 8:22 pm

Hi makem,

There will be some delay before I post back. I'll need to get something checked before posting back again. Thank you for your patience.
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Win32.BHO.df - removal guidance requested

Post by makem » November 12th, 2007, 8:53 pm

Ok. In the meantime I have a scan of the file cuysickr.dll from Virus Total.

File cuysickr.dll received on 11.13.2007 01:40:48 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.13.0 2007.11.12 -
AntiVir 7.6.0.34 2007.11.13 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.11.13 -
Avast 4.7.1074.0 2007.11.12 -
AVG 7.5.0.503 2007.11.12 BHO.CNM
BitDefender 7.2 2007.11.13 -
CAT-QuickHeal 9.00 2007.11.12 -
ClamAV 0.91.2 2007.11.12 -
DrWeb 4.44.0.09170 2007.11.12 -
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5290 2007.11.12 -
Ewido 4.0 2007.11.12 -
FileAdvisor 1 2007.11.13 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.10 -
F-Secure 6.70.13030.0 2007.11.13 -
Ikarus T3.1.1.12 2007.11.13 -
Kaspersky 7.0.0.125 2007.11.13 -
McAfee 5161 2007.11.12 -
Microsoft 1.3007 2007.11.12 -
NOD32v2 2653 2007.11.12 -
Norman 5.80.02 2007.11.12 Vundo.gen49
Panda 9.0.0.4 2007.11.12 Suspicious file
Rising 20.18.02.00 2007.11.12 -
Sophos 4.23.0 2007.11.12 -
Sunbelt 2.2.907.0 2007.11.13 -
Symantec 10 2007.11.13 -
TheHacker 6.2.9.124 2007.11.13 -
VBA32 3.12.2.4 2007.11.11 -
VirusBuster 4.3.26:9 2007.11.12 -
Webwasher-Gateway 6.0.1 2007.11.13 Trojan.Dldr.ConHook.Gen
Additional information
File size: 85056 bytes
MD5: c136cba694e8e1e8a97cedd673bdb874
SHA1: 528c57b496bd6ffe4c6f4ce525d1437179cd4eb9
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Win32.BHO.df - removal guidance requested

Post by ndmmxiaomayi » November 13th, 2007, 6:32 pm

Hi makem,

Sorry for the delay. :(

Please open a new Notepad file and copy and paste the following in the Code box into Notepad:

Code:
FileLook::
C:\WINDOWS\system32\wmpns.dll

File::
C:\WINDOWS\system32\obtvcqwq.dll
C:\WINDOWS\system32\cuysickr.dll

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FBB7E7E-9BAE-40B4-9EA3-5229A1F68A6C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C710BA8E-102C-496A-937A-202D2150A452}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D0446DE8-566A-4FF9-8C59-228215007271}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f10583b3-f080-4da1-a48e-1bc607f7c5fa}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"644a7d2b"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]


Click on File > Save As....

In the File Name box, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the image below, drag CFScript into Combofix.

[image]

Combofix will start running. Please post back the Combofix log and a new HijackThis log in your next reply.
ndmmxiaomayi
MRU Emeritus
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Win32.BHO.df - removal guidance requested

Post by makem » November 13th, 2007, 6:50 pm

ComboFix 07-11-08.3 - makem 2007-11-13 22:45:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.228 [GMT 0:00]
Running from: C:\Documents and Settings\makem\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\makem\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\cuysickr.dll
C:\WINDOWS\system32\obtvcqwq.dll
.

((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-13 21:10 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 20:02 <DIR> d-------- C:\Magic
2007-11-11 20:01 <DIR> d-------- C:\DOSBox-0.72
2007-11-11 12:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-11 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-10 23:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 22:46 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-10 22:46 <DIR> d-------- C:\Documents and Settings\makem\Application Data\SUPERAntiSpyware.com
2007-11-10 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-10 21:48 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-04 20:13 <DIR> d-------- C:\Program Files\FlashFXP 3.4.1.1179
2007-11-04 17:54 729,088 --a------ C:\WINDOWS\iun6002.exe
2007-11-04 17:53 <DIR> d-------- C:\Program Files\Azureus
2007-11-04 14:33 <DIR> d-------- C:\Program Files\No-IP
2007-11-02 19:29 <DIR> d-------- C:\Documents and Settings\makem\Downloads
2007-11-02 19:29 <DIR> d-------- C:\Documents and Settings\makem\Application Data\NewsLeecher
2007-11-02 19:27 <DIR> d-------- C:\Program Files\NewsLeecher
2007-11-01 18:50 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-01 18:50 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-01 18:50 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-01 18:50 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-01 18:50 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-01 18:50 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-01 18:50 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-01 18:50 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-30 21:02 <DIR> d-------- C:\Program Files\QuickTime
2007-10-30 21:02 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-30 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-30 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-23 11:58 <DIR> d-------- C:\Program Files\IrfanView
2007-10-23 11:10 <DIR> d-------- C:\Documents and Settings\makem\Application Data\Logitech
2007-10-23 11:08 13,568 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.SYS
2007-10-23 11:06 <DIR> d-------- C:\Program Files\Logitech
2007-10-23 11:06 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-10-23 11:06 155,648 --a------ C:\WINDOWS\system32\kemutb.dll
2007-10-23 11:06 126,976 --a------ C:\WINDOWS\system32\KemUtil.dll
2007-10-23 11:06 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2007-10-23 11:06 94,208 --a------ C:\WINDOWS\KHALMNPR.Exe
2007-10-23 11:06 69,760 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2007-10-23 11:06 55,808 --a------ C:\WINDOWS\system32\drivers\L8042mou.Sys
2007-10-23 11:06 53,248 --a------ C:\WINDOWS\system32\KemXML.dll
2007-10-23 11:06 36,736 --a------ C:\WINDOWS\system32\drivers\LHidUsbK.sys
2007-10-23 11:06 27,008 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
2007-10-17 20:53 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-10-17 20:53 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-10-17 13:05 <DIR> d-------- C:\Program Files\Resco
2007-10-17 13:05 90,112 --a------ C:\WINDOWS\RSetupCE.exe
2007-10-16 23:21 <DIR> d-------- C:\Program Files\Westtek
2007-10-16 16:47 <DIR> d-------- C:\Program Files\Radmin Viewer 3.0
2007-10-16 16:47 <DIR> d-------- C:\Documents and Settings\makem\Application Data\Radmin
2007-10-16 16:16 <DIR> d-------- C:\Program Files\Ilium Software
2007-10-15 20:38 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-10-15 20:38 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-10-15 20:38 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 22:05 --------- d-----w C:\Program Files\Microsoft Money
2007-11-13 21:08 --------- d-----w C:\Program Files\DigiGuide TV Guide
2007-11-13 21:06 --------- d-----w C:\Program Files\zone_mIRC
2007-11-13 21:06 --------- d-----w C:\Program Files\tz_mIRC
2007-11-13 21:06 --------- d-----w C:\Program Files\tbsg_mIRC
2007-11-13 19:49 --------- d-----w C:\Program Files\GuildFTPd
2007-11-13 19:14 --------- d-----w C:\Program Files\geordies_mIRC
2007-11-13 19:13 --------- d-----w C:\Documents and Settings\makem\Application Data\MailWasherPro
2007-11-13 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 00:15 --------- d-----w C:\Program Files\FlashFXP
2007-11-10 22:56 --------- d-----w C:\Documents and Settings\makem\Application Data\U3
2007-11-10 22:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 18:29 --------- d-----w C:\Documents and Settings\makem\Application Data\Lavasoft
2007-11-10 18:23 --------- d-----w C:\Program Files\Lavasoft
2007-11-06 19:43 --------- d-----w C:\Program Files\BitTornado
2007-11-01 18:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-23 11:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-15 19:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-08 15:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-10-06 22:31 --------- d-----w C:\Program Files\Common Files\Nero
2007-10-06 22:30 --------- d-----w C:\Program Files\Nero
2007-10-06 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-06 13:46 --------- d-----w C:\Program Files\AskTBar
2007-10-05 22:33 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-05 22:33 286,720 ------w C:\WINDOWS\SETUP1.EXE
2007-10-05 22:33 --------- d-----w C:\Program Files\Brad Smith
2007-10-05 16:42 --------- d-----w C:\Program Files\Microsoft AutoRoute
2007-10-04 00:05 --------- d-----w C:\Documents and Settings\makem\Application Data\Nero
2007-10-03 22:55 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-03 20:35 --------- d-----w C:\Documents and Settings\makem\Application Data\dvdcss
2007-10-03 20:13 --------- d-----w C:\Documents and Settings\makem\Application Data\.BitTornado
2007-10-02 20:16 --------- d-----w C:\Program Files\Real
2007-10-02 20:16 --------- d-----w C:\Program Files\Common Files\xing shared
2007-10-02 20:16 --------- d-----w C:\Program Files\Common Files\Real
2007-09-24 08:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 08:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-22 18:23 --------- d-----w C:\Documents and Settings\makem\Application Data\Kingsoft
2007-09-22 17:40 --------- d-----w C:\Program Files\Common Files\Kingsoft
2007-09-22 17:39 --------- d-----w C:\Program Files\Kingsoft
2007-09-22 07:53 --------- d-----w C:\Program Files\SecCopy
2007-09-20 08:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 08:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 08:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-09-18 17:24 --------- d-----w C:\Program Files\Blowfish Advanced 211
2007-09-18 17:13 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-09-18 17:13 --------- d-----w C:\Documents and Settings\makem\Application Data\TuneUp Software
2007-09-18 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-09-18 16:53 --------- d-----w C:\Documents and Settings\makem\Application Data\vlc
2007-09-18 16:50 --------- d-----w C:\Program Files\VideoLAN
2007-08-21 06:25 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 18:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 18:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 18:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 18:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 18:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 18:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 18:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 18:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 18:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" [2006-12-18 11:39]
"OutpostFeedBack"="C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" [2006-12-29 13:06]
"V0250Mon.exe"="C:\WINDOWS\V0250Mon.exe" [2006-06-08 00:00]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 16:38]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-15 20:37]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 16:38 C:\WINDOWS\KHALMNPR.Exe]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 12:47]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"NWEReboot"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 12:39]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 11:00]

C:\Documents and Settings\makem\Start Menu\Programs\Startup\
GuildFTPd - FTP server deamon.lnk - C:\Program Files\GuildFTPd\GuildFTPd.exe [2007-10-04 13:20:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R1 SandBox;Outpost Firewall Sandbox Driver;\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
R1 VFILT;Outpost Firewall Kernel Driver;\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\FILTNT.SYS
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\ARP.DLL
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\CONTENT.DLL
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\PROTECT.DLL
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\SECRET.DLL
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys
R3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys
R3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\E:\INSTAL~E\Core\BVRPMPR5.SYS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c65c478-468e-11dc-909d-00037af9450c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - APPMGMT
.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 17:16:27 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 22:46:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-13 22:47:21
.
--- E O F ---

HJ log with iseeu.exe:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48:34, on 13/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\V0250Mon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\GuildFTPd\GuildFTPd.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DigiGuide TV Guide\digiguide.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\Program Files\geordies_mIRC\mirc.exe
C:\Program Files\tbsg_mIRC\mirc.exe
C:\Program Files\tz_mIRC\mirc.exe
C:\Program Files\zone_mIRC\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Money\System\mnyschdl.exe
C:\Program Files\Microsoft Money\System\misuser.exe
C:\Program Files\Microsoft Money\System\mis.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\iseeu.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [V0250Mon.exe] C:\WINDOWS\V0250Mon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: GuildFTPd - FTP server deamon.lnk = C:\Program Files\GuildFTPd\GuildFTPd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ ... /CTPID.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - -"C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe" (file missing)

--
End of file - 7084 bytes

Many thanks
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Win32.BHO.df - removal guidance requested

Unread postby makem » November 13th, 2007, 6:55 pm

Please ignore the last post - it was from the wrong machine!

I will submit the correct logs in a few minutes.
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Win32.BHO.df - removal guidance requested

Unread postby makem » November 13th, 2007, 7:16 pm

ComboFix 07-11-08.3 - calvin 2007-11-13 23:05:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.178 [GMT 0:00]
Running from: C:\Documents and Settings\calvin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\calvin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\cuysickr.dll
C:\WINDOWS\system32\obtvcqwq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cuysickr.dll
C:\WINDOWS\system32\obtvcqwq.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-11 09:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 20:49 <DIR> d-------- C:\Program Files\ATF-Cleaner
2007-11-10 15:14 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-10 01:55 <DIR> d-------- C:\VundoFix Backups
2007-11-10 01:29 <DIR> d-------- C:\Documents and Settings\calvin\.housecall6.6
2007-11-10 01:18 <DIR> d-------- C:\Program Files\Java
2007-11-10 01:16 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-09 20:53 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-11-09 20:53 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-11-09 20:53 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-11-09 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-09 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 19:42 <DIR> d-------- C:\Documents and Settings\calvin\Application Data\Grisoft
2007-11-09 19:41 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-09 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 18:03 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-11-09 16:24 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-09 16:16 <DIR> d-------- C:\WINDOWS\Web Download
2007-11-08 22:14 <DIR> d-------- C:\Documents and Settings\calvin\Application Data\Leadertech
2007-11-08 22:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-11-08 22:10 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2007-11-08 22:10 <DIR> d-------- C:\Documents and Settings\calvin\Application Data\U3
2007-11-08 22:09 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-08 11:50 <DIR> d-------- C:\Program Files\Lionhead Studios

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 23:11 --------- d-----w C:\Program Files\Steam
2007-11-10 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-09 20:00 --------- d-----w C:\Program Files\Lavasoft
2007-11-08 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-08 12:19 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-05 11:20 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- C:\WINDOWS\system32\wmpns.dll ----

Company: Microsoft Corporation
File Description: Windows Media Player Applet Support DLL
File Version: 9.00.00.3250
Product Name: Microsoft(R) Windows Media Player
Copyright: (C) Microsoft Corporation. All rights reserved.
Original file name: WMPNS.DLL


((((((((((((((((((((((((((((( snapshot@2007-11-11_10.10.13.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-13 22:59:20 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-09 20:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-10-05 11:11]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 23:11:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-13 23:13:08 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 14:50
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:14:20, on 13/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HiJackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4702362498
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4061 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Win32.BHO.df - removal guidance requested

Unread postby ndmmxiaomayi » November 14th, 2007, 12:23 am

Hi makem,

Step 1

Please uninstall the following program - NOD32 FiX v2.1

  1. Click on Start > Control Panel and double click on Add/Remove Programs.
  2. Locate NOD32 FiX v2.1 and click on Change/Remove to uninstall it.
  3. Close Add/Remove Programs and Control Panel.

When your NOD32 trial expires, you can uninstall NOD32 and get a free antivirus program from one of the following links:

AVG Antivirus Free Edition
avast! 4 Home Edition
AntiVir Free Edition
PC Tools Antivirus

Step 2

Start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  1. In the main screen, you should see Your Computer's Security.
    • Next to Resident Shield, click on Change state. It should now be Inactive.
    • Next to Automatic Updates, click on Change state. It should now be Inactive.
    • Next to Last Update, click on Update now. If your firewall prompts you, tell your firewall to allow it. Should you be unable to update it, download the updates from here. Save it to your desktop. Double click to run the installation and the updates will be installed. Make sure AVG Anti-Spyware is closed during the installation.
    • Right-click the AVG Anti-Spyware icon near the clock and uncheck (untick) Start with Windows. Confirm by clicking Yes.
  2. Now click on the Scanner button at the top.
  3. Select the Settings tab.
  4. Under How to act?, click on Recommended actions and select Quarantine.
  5. Under How to scan?, check (tick) all the boxes.
  6. Under Possibly unwanted software:, check (tick) all the boxes.
  7. Under Reports:, uncheck (untick) the Only if threats were found box and select Do not automatically generate report.
  8. Under What to scan?, select Scan every file.
Do not run a scan yet. You will run a scan later.

Step 3

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All.
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Step 4

Please print out or save this set of instructions as you will not have internet access during the fix.

Reboot into Safe Mode by following the instructions below:

  • When you see BIOS screen, start pressing F8.
  • A boot menu will appear shortly.
  • Using the up down arrows, select Safe Mode and press the Enter key.
  • Windows will now load.
  • Log in to your usual account.

Step 5

  1. Start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  2. Click on the Scanner button at the top.
  3. Select the Scan tab.
  4. Click on Complete System Scan to start the scan.
  5. When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the Save Scan Report button before you have clicked the Apply all Actions button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      [screenshot omitted]
  6. When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  7. Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Restart your computer in Normal Mode.

In your next reply, please post:

  1. AVG Antispyware scan report
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am