Avast finds but cannot deal with Win32:BHO-KD (Trojan)

oldman960 · 2008-01-01T22:05:37.000Z

That may or may not work, I can’t say for sure.

To submit a file to virustoal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\AC3AP.dll

scroll down a bit and click “send file”, wait for the results and post then in your next reply. Post the results here.

You may also want to try the SAS posted at the top of this page.

system · 2008-01-01T22:43:18.000Z

Hi Oldman.

I tried sending the file but get the following message in an otherwise blank white screen:

0 bytes size received

The affected .dll can not be copied or moved so that means it also can not be uploaded.

system · 2008-01-01T22:56:20.000Z

Here is what virustotal gave me.

The answer is in Italian, which is fine for me because it is my mother language.

I hope you will understand nevertheless:

File AC3AP.dll_ ricevuto il 2008.01.01 23:52:01 (CET)
Stato corrente: Carico … in coda attesa scansione finito NON TROVATO INTERROTTO

Risultato:
Carico informazioni server…
Il tuo file è in coda in posizione: 5.
Tempo stimato inizio tra 50 e 72 secondi.
Non chiudere la finestra fino al termine della scansione.
Lo scanner che stava processando il tuo file si è fermato in questo momento, stiamo aspettando alcuni secondi per tentare di recuperare i tuoi risultati.
Se stai aspettando da più di cinque minuti devi rimandare il tuo file.
VirusTotal sta controllando il tuo file in questo momento,
i risultati saranno visualizzati mentre vengono generati.
Formattato Stampa risultati
Il tuo file è scaduto o non esiste.
Il servizio è fermo in questo momento, il tuo file sta aspettando di essere controllato (posizione: ) da un tempo indefinito.

Puoi aspettare la risposta sul web (ricarico automatico) o digitare il tuo indirizzo email nel riquadro qui sotto e premere “richiesta” così il sistema ti invierà una notifica al termine della scansione.
Email:

Antivirus Versione Ultimo aggiornamento Risultato
AhnLab-V3 2008.1.1.10 2007.12.31 Win-Trojan/Bho.84992.E
AntiVir 7.6.0.46 2007.12.31 TR/BHO.agz.16
Authentium 4.93.8 2007.12.31 -
Avast 4.7.1098.0 2008.01.01 Win32:BHO-KD
AVG 7.5.0.516 2008.01.01 Generic9.AJGV
BitDefender 7.2 2008.01.01 Trojan.Spy.Bzub.NGP
CAT-QuickHeal 9.00 2007.12.31 Trojan.BHO.agz
ClamAV 0.91.2 2008.01.01 -
DrWeb 4.44.0.09170 2007.12.31 Trojan.DownLoader.38058
eSafe 7.0.15.0 2008.01.01 -
eTrust-Vet 31.3.5421 2008.01.01 Win32/Kvol!generic
Ewido 4.0 2008.01.01 Trojan.BHO.agz
Informazioni addizionali
File size: 90880 bytes
MD5: 78dc77baf74190269500facd24c738eb
SHA1: b7904100d761fe31c441c5e0674b48f2bb6fd64a
PEiD: -
packers: UPX
packers: UPX

ATTENZIONE: VirusTotal è un servizio gratuito offerto da Hispasec Sistemas. Non esiste garanzia circa la disponibilità e la continuità di questo servizio. Nonostante il livello di identificazione conseguito da multipli motori antivirus sia molto superiore a quello offerto dal singolo prodotto, questi risultati NON garantiscono la sicurezza di un file. Attualmente, non esiste soluzione che offra certezza al 100% sull’identificazione di virus e malware.

oldman960 · 2008-01-01T23:09:37.000Z

@pino-88

It’s definatley infected. I’ don’t know if you can replace it as you suggested. It may be worth a try. It’s also possible SAS will remove it, if you want to try.

Click on this link for download and set up instructions.

http://forum.avast.com/index.php?topic=32338.msg270447#msg270447

Failing that, we can use a different method.

oldman960 · 2008-01-01T23:14:36.000Z

@ dholliday

When you ran SAS did you update and run it in safe mode with these settings?

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

CHECK ALL BOXES

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

system · 2008-01-01T23:18:46.000Z

Update:

The file crypt3.dll appears to be almost like a phantom. When I tried to email it to VirusTotal the email just sent with the file apparently uploaded and attached but when I looked in Sent Objects the email that was sent did not have an attachment.

So in summary:

SuperAntiSpyware does not find the Trojan
Avast does find the Trojan
Security Task Manager identifies crypt3.dll as being a 92% dangerous file, but cannot delete/move it
Upon Boot scan with Avast with Archive ON Trojan file is found but remains Access Denied
crypt3.dll will not let itself be moved, copied or uploaded. It has no identifiable properties. It has next to zero mentions on the web apart from an ongoing epic saga here:

http://www.bleepingcomputer.com/forums/topic121819.html

We do not yet know:

what Win32:BHO-KD is exactly as I haven’t found any sites that identify it.
how to force ownership of the affected file so that we can quarantine it.
what kind of file crypt3.dll is supposed to be: of what processes/applications it runs from or where it comes from.

system · 2008-01-01T23:20:25.000Z

[i]Hi Oldman…I’ve just now seen yr post so will try SAS in safe and report back.

Thanks.[/i]

oldman post:27:

@ dholliday

When you ran SAS did you update and run it in safe mode with these settings?

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

CHECK ALL BOXES

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

system · 2008-01-02T17:57:52.000Z

Hallo Oldman,

I have performed the suggested procedure, but the trojan is still there.

My experience is similar to that of dholyday i.e.

SuperAntiSpyware does not find the Trojan
Avast does find the Trojan
Upon Boot scan with Avast with Archive ON Trojan file is found but remains Access Denied

I also tried (unsuccesfully) a low-tech solution by copying a non-infected copy of c:\windows\system32\ac3ap.dll[UPX] from partition e: and replacing the infected file.

have you any idea of what this trojan exactly does? If it simply “spyes” on me there will be no problem: I never process sensible/confidential information on this PC/connection.
it must be connected to Internet explorer because when I start the browser avast pops up with it. So what will happen if I simply stop to use IE and use anoter browser instead? (Opera? what is the most basic one?)

oldman960 · 2008-01-02T18:01:11.000Z

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix’s window while its running. That may cause it to stall.

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

system · 2008-01-02T18:08:52.000Z

Hi, i have this virus “Win32:BHO-KD (Trojan)”, you can help me please??

what i have to do?? thanks…

system · 2008-01-02T18:18:02.000Z

I have already, main.txt and extra.txt, with Hijack… and next what i do??

oldman960 · 2008-01-02T18:42:19.000Z

gipsyking post:33:

I have already, main.txt and extra.txt, with Hijack… and next what i do??

Please start your own thread and post the logs in it. With more than one person posting logs in the same thread, it will get really confusing.

system · 2008-01-02T18:54:36.000Z

Hi,
I’m very new to the forums, so please bear w/me. I also have the trojan Win32:BHO-KD. I followed the reboot instructions and the message I get is access denied when I try to place it in the chest.
Does anyone have any info on what type of trojan it is, the damage level etc. ANY help and info would be greatly appreciated.
Thanks,
Nico

oldman960 · 2008-01-02T19:19:09.000Z

Welcome to the forum

If you start your own thread by clicking on the “new topic” button at the top of the page. I will give you instructions on removal of this pest.

system · 2008-01-02T20:03:47.000Z

oldman post:36:

Welcome to the forum

If you start your own thread by clicking on the “new topic” button at the top of the page. I will give you instructions on removal of this pest.

I’m not sure if you are ref. to me or not…sorry, I am not familiar w/the protocol on this board. Don’t know which button/topic you want me to start. I thought this was a good place to post my problem since I too have gone through the steps and Avast doesn’t seem to be able to rid my PC of this pest. So,any help anyone can give me would be greatly appreciated.
Thank you in advance.

essexboy · 2008-01-02T20:41:47.000Z

Hi nic I will start a new topic for you with your name and we can work from there

system · 2008-01-02T22:13:27.000Z

Hi Oldman

hereafter there are the logfiles of combofix and of Hijack This

thank you for your patience

ComboFix 08-01-03.3 - Anna 2000-01-01 8.40.31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.176 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Anna\Impostazioni locali\Temporary Internet Files\Content.IE5\G5QFOD2J\ComboFix[1].exe

Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\start.exe

.
((((((((((((((((((((((((( Files Creati Da 2007-12-03 al 2008-01-03 )))))))))))))))))))))))))))))))))))
.

Nessun nuovo file creato in questo arco di tempo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 10:49 19,456 ----a-w C:\WINDOWS\system32\drivers\ckocvhvs.dat
2007-05-26 21:10 19,160 ----a-w C:\Documents and Settings\Anna\Dati applicazioni\GDIPFONTCACHEV1.DAT
2004-04-23 16:08 271 --sha-w C:\Programmi\desktop.ini
2004-04-23 16:08 23,476 —ha-w C:\Programmi\folder.htt
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Nota i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{721C1358-D3EF-4497-938F-3239AA4F74E7}]
2003-08-28 09:44 90880 --a------ C:\WINDOWS\system32\AC3AP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-19 15:39 15360]
“H/PC Connection Agent”=“C:\Programmi\Microsoft ActiveSync\Wcescomm.exe” [2006-11-13 13:38 1289000]
“SUPERAntiSpyware”=“C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SystemTray”=“SysTray.Exe” [2001-08-31 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2004-07-15 11:42 4112384]
“nwiz”=“nwiz.exe” [2004-07-15 11:42 843776 C:\WINDOWS\SYSTEM32\nwiz.exe]
“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2004-07-15 11:42 81920]
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 11:50 155648]
“CTHelper”=“CTHELPER.EXE” [2003-08-28 09:45 24576 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
“UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 01:00 90112]
“ashMaiSv”=“C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe” [2007-09-06 11:05 243064]
“HP Software Update”=“C:\Programmi\HP\HP Software Update\HPWuSchd2.exe” [2006-02-19 01:41 49152]
“Control Center”=“C:\Programmi\ASUS\WLAN Card Utilities\Center.exe” [2004-11-04 18:36 1569280]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 11:06 79224]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-19 15:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
HP Digital Imaging Monitor.lnk - C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Programmi\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Programmi\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
“LoadPowerProfile”=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
“Rscmpt”=C:\WINDOWS\SYSTEM32\RSCMPT.EXE
“NvCplDaemon”=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVCPL.DLL,NvStartup
“CARPService”=carpserv.exe

R0 jfbibhbj;jfbibhbj;C:\WINDOWS\system32\drivers\ckocvhvs.dat
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-12-02 16:47]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 18:54]
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-12-02 16:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{5ac6bc31-0a29-11dc-b080-0015f29962d3}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{aa2233a0-6d45-11dc-b0ea-0015f29962d3}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

Newly Created Service - HTTPFILTER
Newly Created Service - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
“C:\Programmi\Outlook Express\setup50.exe” /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
“C:\Programmi\Outlook Express\setup50.exe” /APP:OE /CALLER:WIN9X /user /install
“C:\Programmi\Outlook Express\setup50.exe” /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{7790769C-0471-11d2-AF11-00C04FA35D02}]
“C:\Programmi\Outlook Express\setup50.exe” /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{7790769C-0471-11d2-AF11-00C04FA35D02}]
“C:\Programmi\Outlook Express\setup50.exe” /APP:WAB /CALLER:WIN9X /user /install
“C:\Programmi\Outlook Express\setup50.exe” /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contenuto della cartella ‘Scheduled Tasks’
“2000-01-01 08:00:00 C:\WINDOWS\Tasks\Avvio ottimizzazione applicazione.job”
“2007-12-31 17:19:00 C:\WINDOWS\Tasks\Disinstalla Promemoria scadenza.job”

C:\WINDOWS\System32\OOBE\oobebaln.exe
“2007-12-31 16:15:16 C:\WINDOWS\Tasks\Utilità di pianificazione di Prevenzione e risoluzione dei problemi per Raccolta dati.job”
C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 08:45:53
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti …

scansione entrate autostart nascoste …

Scansione files nascosti …

Scansione completata con successo
Files nascosti: 0

.
Ora fine scansione: 2008-01-02 22.43.01
ComboFix-quarantined-files.txt 2008-01-02 21:42:29

END OF COMBOFIX LOG

HIJACKTHIS LOG FOLLOWS ON DIFFERENT POST (max lenght exceeded)

system · 2008-01-02T22:14:00.000Z

START OF HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.02.22, on 02/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\ASUS\WLAN Card Utilities\Center.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Microsoft ActiveSync\Wcescomm.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Hijack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {721C1358-D3EF-4497-938F-3239AA4F74E7} - C:\WINDOWS\system32\AC3AP.dll
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [Control Center] C:\Programmi\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [H/PC Connection Agent] “C:\Programmi\Microsoft ActiveSync\Wcescomm.exe”
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SERVIZIO LOCALE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SERVIZIO DI RETE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Crea preferiti portatile… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin4.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

–
End of file - 5531 bytes

oldman960 · 2008-01-02T22:42:34.000Z

Please download The Avenger by Swandog46 to your Desktop.
[*]Click on Avenger.zip to open the file[*]Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

[QUOTE]drivers to unload:
jfbibhbj

Files to delete:
C:\WINDOWS\system32\drivers\ckocvhvs.dat
C:\WINDOWS\system32\AC3AP.dll
[/quote]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
[*] Under “Script file to execute” choose “Input Script Manually”.
[*]Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”
[*] Paste the text copied to clipboard into this window by pressing (Ctrl+V).
[*] Click Done
[*] Now click on the Green Light to begin execution of the script
[*] Answer “Yes” twice when prompted.
The Avenger will automatically do the following:
[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

system · 2008-01-02T23:02:18.000Z

extra.txt

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Portuguese

CPU 0: Intel(R) Pentium(R) D CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) D CPU 3.00GHz
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 2047.04 MiB / 1504.77 MiB
Pagefile Memory (total/avail): 3942.67 MiB / 3539.86 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.73 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 136.09 GiB total, 113.7 GiB free.
D: is Fixed (NTFS) - 97.65 GiB total, 65.56 GiB free.
E: is CDROM (No Media)

\.\PHYSICALDRIVE0 - Maxtor 6V250F0 - 233.76 GiB - 2 partitions
\PARTITION0 (bootable) - Sistema de ficheiros instalável - 136.09 GiB - C:
\PARTITION1 - Partição expandida - 97.65 GiB - D:

– Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1098 [VPS 080101-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
“C:\Programas\MSN Messenger\msnmsgr.exe”=“C:\Programas\MSN Messenger\msnmsgr.exe:*:Enabled:Messenger”

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\JP\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Programas\Ficheiros comuns
COMPUTERNAME=JP-915B3FD3F42E
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\JP
LOGONSERVER=\JP-915B3FD3F42E
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Programas\Ficheiros comuns\Adobe\AGL;C:\Programas\Ficheiros comuns\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0602
ProgramFiles=C:\Programas
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JP\DEFINI~1\Temp
TMP=C:\DOCUME~1\JP\DEFINI~1\Temp
USERDOMAIN=JP-915B3FD3F42E
USERNAME=JP
USERPROFILE=C:\Documents and Settings\JP
windir=C:\WINDOWS

– User Profiles ---------------------------------------------------------------

JP I[/I]
Convidado (new local, guest)

– Add/Remove Programs ---------------------------------------------------------

→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acronis True Image → C:\Programas\Acronis\TrueImage\MediaBuilder.exe -uninstall
Actualização para Windows XP (KB898461) → “C:\WINDOWS$NtUninstallKB898461$\spuninst\spuninst.exe”
Actualização para Windows XP (KB904942) → “C:\WINDOWS$NtUninstallKB904942$\spuninst\spuninst.exe”
Adobe Acrobat 6.0 Professional → MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Bridge 1.0 → MsiExec.exe /I{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}
Adobe Common File Installer → MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Flash Player ActiveX → C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 2.0 → MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Premiere Pro 2.0 → msiexec /I {FA17A726-B229-4116-B793-A2AB1A4EAE2E}
Adobe Shockwave Player → C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 → MsiExec.exe /I{786C5747-1437-443D-B06E-79A00FE45110}
Ahead NeroMediaPlayer → C:\WINDOWS\UNNMP.exe /UNINSTALL
Ahead NeroVision Express → C:\WINDOWS\UNNeroVision.exe /UNINSTALL
ASUS Enhanced Display Driver → RunDll32 C:\PROGRA~1\FICHEI~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup “C:\Programas\InstallShield Installation Information{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}\setup.exe” -l0x9 -removeonly
ASUS nVIDIA Driver → C:\PROGRA~1\FICHEI~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{3C3B2C97-0DAB-482F-9C95-6610827210E3} /l1033
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
High Definition Audio - KB888111 → “C:\WINDOWS$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe”
HijackThis 2.0.2 → “C:\PROGRA~1\TRENDM~1\HIJACK~1\HijackThis.exe” /uninstall
Hotfix para Windows XP (KB914440) → “C:\WINDOWS$NtUninstallKB914440$\spuninst\spuninst.exe”
Java™ 6 Update 3 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Codec Pack 2.82 Standard → “C:\Programas\K-Lite Codec Pack\unins000.exe”
Language Engineering Power Translator → MsiExec.exe /I{66EDF2E5-6C37-4939-A837-FBF2C52F91CD}
Lexmark X1100 Series → C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBKUN5C.EXE -dLexmark X1100 Series
Marvell Miniport Driver → MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Compression Client Pack 1.0 for Windows XP → “C:\WINDOWS$NtUninstallMSCompPackV1$\spuninst\spuninst.exe”
Microsoft Office Professional Edition 2003 → MsiExec.exe /I{90110816-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 → “C:\WINDOWS$NtUninstallWudf01000$\spuninst\spuninst.exe”
Mozilla Firefox (2.0.0.11) → C:\Programas\Mozilla Firefox\uninstall\helper.exe
Multimedia Keyboard Driver → C:\Programas\Ficheiros comuns\InstallShield\Driver\8\Intel 32\IDriver.exe /M{AA5AF806-46E2-498A-A562-0DD3145D2949}
Nero 6 Ultra Edition → C:\Programas\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers → C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Os Sims™ 2 H&M® Moda Acessórios → C:\Programas\EA GAMES\Os Sims 2 H&M® Moda Acessórios\EAUninstall.exe
Realtek High Definition Audio Driver → RunDll32 C:\PROGRA~1\FICHEI~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup “C:\Programas\InstallShield Installation Information{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe” -l0x816 -removeonly
SpeechRedist → MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
SpeedTouch USB Software → RunDll32 C:\PROGRA~1\FICHEI~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Programas\InstallShield Installation Information{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\Setup.exe” /l0416 -Control_Panel
Spybot - Search & Destroy → “C:\Programas\Spybot - Search & Destroy\unins000.exe”
The Sims 2 → C:\Programas\EA GAMES\The Sims 2\EAUninstall.exe
Unreal Tournament 2004 → C:\UT2004\System\Setup.exe uninstall “UT2004”
Windows Defender → MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger → MsiExec.exe /I{37FD253D-5064-4034-8CEC-CC3995F823A4}
Windows Live Sign-in Assistant → MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
Windows Media Format 11 runtime → “C:\WINDOWS$NtUninstallWMFDist11$\spuninst\spuninst.exe”
WinRAR archiver → C:\Programas\WinRAR\uninstall.exe

– Application Event Log -------------------------------------------------------

Event Record #/Type169 / Success
Event Submitted/Written: 01/02/2008 05:59:17 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type166 / Warning
Event Submitted/Written: 01/02/2008 05:57:26 PM
Event ID/Source: 1524 / Userenv
Event Description:
Não é possível ao Windows descarregar o ficheiro de registo de classes - ainda está a ser utilizado por outras aplicações ou serviços. O ficheiro será descarregado quando já não estiver a ser utilizado.

Event Record #/Type154 / Success
Event Submitted/Written: 01/02/2008 05:14:54 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type143 / Success
Event Submitted/Written: 01/02/2008 03:38:28 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type140 / Warning
Event Submitted/Written: 01/02/2008 01:21:05 PM
Event ID/Source: 1524 / Userenv
Event Description:
Não é possível ao Windows descarregar o ficheiro de registo de classes - ainda está a ser utilizado por outras aplicações ou serviços. O ficheiro será descarregado quando já não estiver a ser utilizado.

Announcements