I do NOT have Skype installed on my laptop, so this filename sounds at least weird.
The problems I have are that IE6 randomly tries to connect to what seems a Chinese page and that it fails to open PDF links (in this case the error message reports the ‘skypecomm.dll’ as source of the error).
Can you send the samples to virus@avast.com ?
You can zip and password the files… Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks for helping improve detection.
Firstly there are only two detections and one of those is a generic detection so it isn’t a good confirmation one way or another.
Though if you don’t have skype it is a little strange, however with much unknown junk installed on new systems it is entirely possible it could have been prepared for skype. If this skypecomm.dll has anything to do with skype and a google search on this file name doesn’t seem to confirm that, http://www.google.co.uk/search?q=skypecomm.dll.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. There are some different scanners on VT so it might show some additional hits.
I also believe you should do some further analysis.
Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.
Download and run HJT and post the contents of the log file (cut and paste) into this topic, you may need to split it over two or more posts depending on how large it is or attach the log file to the post (Additional Options).
I apologize to DavidR and Tech, but I do not have this file anymore to post.
What happened is that I have installed HiJackThis and:
1 - ran the scan
2 - located the ‘skypecomm.dll’ call in the list
3 - checked and ‘fixed’ it with HJT (delete)
4 - searched with win explorer
5 - file was still there in \system32 dir
6 - deleted it with standard win command (*)
7 - cleaned the trash bin
(*) I had tried this before using HJT, but file was reported as ‘in use’ and won’t delete
Now it seems that the thing (whatever it was) is gone from the PC: I have tried to reboot, run IE, searched for the file etc. but the file is not there anymore.
I attach in a separate message the first log of HJT where it was listed as
O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.51.27, on 15/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
First, your HJT log shows another antivirus also installed, McAfee Enterprise?
Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
Second, it is advised that you have a specific folder for HiJackThis and not just dumped/installed in your downloads folder, e.g. C:\HJT (or C:\Program Files\HJT) would be fine, though the HJT installation file would normally install it to its own folder.
You don’t appear to have an active firewall or it is disabled or you are using the XP firewall ?
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.
See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.
Unknown
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
Do you have a Lexmark printer as this may be connected (if you have it is likely to be legitimate) ?
See http://www.auditmypc.com/process/lmpdpsrv.asp for more info.
Unknown
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = right.com
O17 - HKLM\Software..\Telephony: DomainName = right.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = right.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = right.com
What do you know about right.com or why these entries might be there ?
FIX:
Unknown
O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll
antivirus: the machine has corporate sw packages installed, mcafee is part of it. It always has update problems and so is of little help. I don’t like it, but can’t uninstall, I have just disabled it.
I need to zap and reinstall everything, but have to find time (or I’m just lazy)
firewall: again, standard corporate setup. I will try one of the fw you suggested.
lexmark: is OK, I do have a Lexmark X4270 as local printer
‘cognos’ and ‘right’ : are both OK, I know what they are.
Even when disabled a resident AV still loads low level virtual drivers, it is these that can be the most risk of conflict, removal is absolutely the best option.
If you have fixed the O2 BHO entry for the SkypeComm.dll file, then it looks like you are good to go.
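An added example, not part of any post in this thread: a small Python parser that turns the O2 (Browser Helper Object) and O17 (DNS domain) lines quoted above into records for review. The function names and the "DLL sits directly in system32" flag are assumptions of this example, a prompt for a manual look rather than a verdict.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: the O2 and O17 lines quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = right.com
O17 - HKLM\Software..\Telephony: DomainName = right.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = right.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = right.com
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$",
    re.MULTILINE)
O17_RE = re.compile(
    r"^O17 - (?P<key>.+?): (?P<value>\w+) = (?P<data>.+)$", re.MULTILINE)

def parse_bhos(log):
    """Return one record per O2 line: display name, CLSID, DLL path."""
    records = []
    for m in O2_RE.finditer(log):
        path = m["path"].strip()
        # ntpath parses Windows paths on any OS; "(no file)" yields no folder.
        folder = ntpath.basename(ntpath.dirname(path)).lower()
        records.append({"name": m["name"], "clsid": m["clsid"].upper(),
                        "path": path, "in_system32": folder == "system32"})
    return records

def dns_domains(log):
    """Group O17 registry keys by the domain value they set."""
    grouped = defaultdict(list)
    for m in O17_RE.finditer(log):
        grouped[m["data"].strip().lower()].append(m["key"])
    return dict(grouped)

def review_list(log):
    """Build short notes for a human reviewer (example heuristic only)."""
    notes = [f"BHO '{b['name']}' {b['clsid']} loads {b['path']}: "
             "DLL is directly in system32, confirm the product is installed"
             for b in parse_bhos(log) if b["in_system32"]]
    notes += [f"DNS domain '{d}' set in {len(keys)} key(s): confirm it is expected"
              for d, keys in dns_domains(log).items()]
    return notes

if __name__ == "__main__":
    print("\n".join(review_list(SAMPLE_LOG)))
```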