hi everyone
please help me with my Win32:BHO-KD [trj] problem
its in C:\WINDOWS\system32\comsna.dll[UPX]
avast antivirus cannot do anything with it…
what should I do now?
please help me…
Thanks…
Hi welcome to the forum.
Please run the programs in the order I posted them.
Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Click here to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Can you follow the instructions here?
http://forum.avast.com/index.php?topic=32405.0;topicseen
or search the forum for Win32:BHO-KD [trj]
I did the ComboFix thing, and this is the result:
ComboFix 08-01-04.1 - Manalang 2008-01-05 19:23:31.1 - NTFSx86
Running from: C:\Documents and Settings\Manalang\Local Settings\Temporary Internet Files\Content.IE5\CDQV45MV\ComboFix[1].exe
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\comsna.dll
C:\WINDOWS\system32\drivers\tdjkhpfl.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_OGKDCMOS
-------\ogkdcmos
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.
2008-01-05 19:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 17:48 . 2008-01-05 17:48 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-05 17:41 . 2008-01-05 17:50 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-05 17:41 . 2008-01-05 17:41 d-------- C:\Documents and Settings\Manalang\Application Data\SUPERAntiSpyware.com
2008-01-05 17:40 . 2008-01-05 17:40 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 10:40 . 2008-01-05 16:54 d-------- C:\Program Files\Windows Media Connect 2
2008-01-01 10:36 . 2008-01-01 10:36 d-------- C:\WINDOWS\system32\LogFiles
2008-01-01 10:36 . 2008-01-01 10:38 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-01 09:53 . 2008-01-01 09:53 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-01 09:53 . 2008-01-01 09:53 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-01 09:50 . 2008-01-01 09:50 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 09:50 . 2008-01-01 09:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-01 09:50 . 2008-01-01 09:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-01 09:50 . 2008-01-01 09:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-01 07:28 . 2008-01-01 07:28 d-------- C:\Program Files\Microsoft Works
2008-01-01 07:17 . 2008-01-01 07:27 d-------- C:\WINDOWS\SHELLNEW
2008-01-01 07:15 . 2008-01-01 07:33 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-01 07:14 . 2008-01-01 07:14 dr-h----- C:\MSOCache
2008-01-01 07:08 . 2008-01-01 07:08 d-------- C:\Documents and Settings\Manalang\Application Data\DAEMON Tools
2008-01-01 07:07 . 2008-01-01 07:08 d-------- C:\Program Files\DAEMON Tools Lite
2007-12-31 16:25 . 2007-12-31 16:26 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-31 08:02 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-31 08:02 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-31 08:02 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-31 08:02 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-31 08:02 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-31 08:02 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-31 08:02 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-31 08:02 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-31 08:02 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-31 07:37 . 2007-12-31 07:37 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-25 11:48 . 2007-12-25 11:48 d-------- C:\Program Files\e-Games
2007-12-22 13:45 . 2007-12-22 13:45 d-------- C:\Documents and Settings\Manalang\LimeWire Store Purchased
2007-12-21 11:13 . 2007-12-21 11:13 d-------- C:\WINDOWS\Sun
2007-12-21 08:49 . 2007-12-22 13:17 d-------- C:\Documents and Settings\Manalang\Application Data\DivX
2007-12-21 08:42 . 2007-12-21 08:43 d-------- C:\Program Files\DivX
2007-12-20 19:03 . 2004-08-03 14:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-20 18:33 . 2007-12-20 18:33 d-------- C:\Program Files\Windows Defender
2007-12-20 18:14 . 2007-05-27 04:17 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2007-12-20 18:14 . 2007-04-10 14:01 336,768 --a------ C:\WINDOWS\system32\wgatray.exe.old
2007-12-20 18:14 . 2007-04-10 14:00 236,928 --a------ C:\WINDOWS\system32\wgalogon.dll.old
2007-12-20 17:33 . 2007-12-20 17:33 d-------- C:\Program Files\Panicware
2007-12-20 16:40 . 2007-12-20 16:40 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 15:04 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-20 12:34 . 2007-12-20 12:34 d-------- C:\Documents and Settings\Manalang\Incomplete
2007-12-20 12:33 . 2008-01-05 14:30 d-------- C:\Documents and Settings\Manalang\Application Data\LimeWire
2007-12-20 12:15 . 2003-07-20 01:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2007-12-20 12:15 . 2005-01-03 16:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-12-20 11:56 . 2007-12-20 13:39 754 --a------ C:\WINDOWS\WORDPAD.INI
2007-12-20 10:48 . 2007-12-22 13:44 d-------- C:\Program Files\LimeWire
2007-12-20 10:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-20 10:46 . 2007-12-20 10:48 d-------- C:\Program Files\Java
2007-12-20 10:33 . 2007-12-20 10:33 d-------- C:\Program Files\Common Files\Java
2007-12-20 10:25 . 2007-12-31 11:23 d--h----- C:\WINDOWS\$hf_mig$
2007-12-20 10:25 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-20 09:32 . 2007-12-20 09:32 d-------- C:\Program Files\Alwil Software
2007-12-20 09:20 . 2006-06-14 00:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-12-20 09:19 . 2007-10-26 11:20 4,124,352 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-12-20 09:15 . 2007-12-20 09:15 d-------- C:\Program Files\Realtek AC97
2007-12-20 09:15 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2007-12-20 09:15 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
2007-12-20 09:14 . 2007-12-20 09:14 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-20 09:14 . 2007-12-20 09:14 d-------- C:\Program Files\Common Files\InstallShield
2007-12-20 09:14 . 2007-12-20 09:14 d--hs---- C:\Documents and Settings\Manalang\UserData
2007-12-20 09:14 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\alsndmgr.cpl
2007-12-20 09:14 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
2007-12-20 09:14 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
2007-12-20 09:14 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2007-12-20 09:14 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2007-12-11 14:35 . 2007-12-11 14:35 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 14:35 . 2007-12-11 14:35 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 14:34 . 2007-12-11 14:34 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 14:34 . 2007-12-11 14:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 14:34 . 2007-12-11 14:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 14:32 . 2007-12-11 14:32 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2007-12-11 14:32 . 2007-12-11 14:32 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 14:32 . 2007-12-11 14:32 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
.
(cont…)
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 14:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-20 14:38 --------- d-----w C:\Program Files\Yahoo!
2007-12-20 14:10 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-11 22:34 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 22:34 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 22:34 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 14:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2007-12-29 04:05 486856 --a------ C:\Program Files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c7f1807-af2c-11dc-ac16-003018632b4a}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 03:35:30 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 19:33:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
.
Completion time: 2008-01-05 19:36:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 03:36:11
And I also did the HijackThis thing, and this is the result:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:37 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\DOCUME~1\Manalang\LOCALS~1\Temp\Rar$EX00.641\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
--
End of file - 4925 bytes
I'm sorry... but what will I do next?
The BHO is gone. However, are you having problems with your USB drives, flash drives etc.?
Flash drives? Oh...
Can it be fixed?
How?
I saw some reference to RavMon in an old mount point and was wondering if you were having or had that type of infection/problem.
If you are, then please describe the problem(s) and we’ll see what we can do.
avast did not detect any viruses other than the BHO...
Is RavMon a virus?
What are the possible symptoms of infection if it is?
Hi ceann,
Here is a link to a Ravmon removal tool: http://technodigits.wordpress.com/2007/09/29/ravmon-virus-removal-tool-31/
polonus
polonus...
I downloaded something from the link that you gave me.
I ran it and it says that I'm not infected with the RavMon.exe virus...
What will I do now?
I haven't tried scanning the USB drives, just the hard disk...
Well ceann,
There is one thing you don't have to worry about then, because that tool was an expert tool against that specific virus. OK, let it rest for a while and just wait for what our friend oldman has in store for you; at least he does not have to consider RavMon. I think he will come up with another scan tool, but I leave him to that, and about this forum, as they say, "Haste ye back!"
polonus
P.S. Try to scan the flash drive/pen drive/USB stick as well with the tool I presented you.
Hi ceann
Do as polonus advised regarding the usb drive.
I asked about RAVMON because one reg key showed signs of an infection, old or new.
We can clean that key.
REGISTRY FIX
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c7f1807-af2c-11dc-ac16-003018632b4a}]
You will need to create the repair registry fix. To do that copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
Make sure that the SAVE IN is set to DESKTOP
This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg
To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.
When you have done the two items above in the order posted, please run combofix again and post the log.
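oldman's fix above deletes one MountPoints2 key by hand. As an added example (not code from this thread, from ComboFix or from any of the tools named here), the Python script below automates the triage step: it reads the "Reg Loading Points" section of a ComboFix log, flags every MountPoints2 volume key that still carries a \Shell\...\command verb, and emits the same [-KEY] REGEDIT4 deletion file. MountPoints2 is Explorer's per-user cache of the autorun verbs it has seen on each volume, so a stale RavMon.exe entry survives the removal of the worm and fires again the next time that volume is double-clicked with the file present. The log excerpt embedded in the script is constructed from the entries posted above plus a second, invented volume GUID ({aaaaaaaa-...}) to show that more than one key is handled.

```python
import re

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" section:
# the MountPoints2 block posted in this thread, plus a second invented volume
# GUID (the {aaaaaaaa-...} key and its E:\setup.exe command are made up).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe" [2007-12-04 05:00 79224]
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{3c7f1807-af2c-11dc-ac16-003018632b4a}]
\\Shell\\AutoRun\\command - RavMon.exe
\\Shell\\explore\\Command - RavMon.exe -e
\\Shell\\open\\Command - RavMon.exe
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{aaaaaaaa-0000-0000-0000-000000000001}]
\\Shell\\AutoRun\\command - E:\\setup.exe /quiet
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 03:35:30 C:\\WINDOWS\\Tasks\\MP Scheduled Scan.job"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix prints a cached autorun verb as:  \Shell\<verb>\command - <command line>
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)


def find_mountpoint_autoruns(log_text):
    """Map each MountPoints2 volume key to the [(verb, command), ...] cached under it.

    Only keys that still carry a shell verb are returned: a MountPoints2 key with
    no Shell\\...\\command lines is just Explorer remembering a drive and is left alone.
    """
    found = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            current = key if "mountpoints2\\{" in key.lower() else None
            continue
        if current is None:
            continue
        v = VERB_RE.match(line)
        if v:
            found.setdefault(current, []).append((v.group("verb"), v.group("cmd").strip()))
    return found


def build_reg_fix(found):
    """Render a REGEDIT4 file that deletes each flagged key, the '[-KEY]' form used above.

    REGEDIT4 (the ANSI format Windows XP's regedit reads) needs the header on the
    first line followed by a blank line; '[-KEY]' deletes the key and its subkeys.
    """
    lines = ["REGEDIT4", ""]
    for key in sorted(found):
        lines.append(f"[-{key}]")
        lines.append("")
    return "\r\n".join(lines)


def triage(log_text):
    """One human-readable line per flagged volume: which verbs point at what."""
    report = []
    for key, verbs in find_mountpoint_autoruns(log_text).items():
        guid = key.rsplit("\\", 1)[-1]
        cmds = ", ".join(f"{verb}={cmd}" for verb, cmd in verbs)
        report.append(f"{guid}: {cmds}")
    return report


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
    with open("fix.reg", "w", newline="") as fh:  # newline="" keeps the CRLF we built
        fh.write(build_reg_fix(find_mountpoint_autoruns(SAMPLE_LOG)))
```

Paste a real ComboFix log into SAMPLE_LOG (or read it from a file) and the resulting fix.reg can be merged exactly as described above. The script only ever emits deletions for MountPoints2 keys with a cached command line, so the Run, ShellExecuteHooks and Winlogon entries in the same section are never touched.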
Yes, ceann,
Do as oldman tells you, because this could infect any drive, so also a flash drive, which is what a USB stick actually is, and RAVMON.exe is dangerous: RAVMON.exe, a.k.a. W32.Nomvar, is a worm that copies itself to the root of all drives, including removable and shared drives, and downloads potentially malicious files on to the compromised computer.
Related files:
[DRIVE LETTER]:\RavMon.exe
[DRIVE LETTER]:\Autorun.inf
%Windir%\svchost.exe
Kill the process RavMon.exe and remove RavMon.exe from Windows startup.
polonus
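polonus's description above puts the worm in the drive root next to an Autorun.inf that launches it. As an added example (not code from this thread or from the removal tool linked above), here is a Python inspector that parses a drive root's autorun.inf the way Explorer reads it (the open, shellexecute and shell\<verb>\command keys under [autorun]), reports which binary each trigger launches and whether that file is actually present in the root, and lays out a throwaway "infected stick" in a temp directory so it can be tried without real malware. The autorun.inf text and the RavMon.exe placeholder are constructed for this example.

```python
import tempfile
from pathlib import Path

# Constructed autorun.inf in the shape a RavMon-style worm leaves in a drive root
# (not captured from a real stick). The comment, mixed casing, icon line and extra
# section are there to show the parser copes with the noise real samples carry.
SAMPLE_AUTORUN_INF = """\
; junk comment worms often prepend
[AutoRun]
open=RavMon.exe
shellexecute=RavMon.exe
shell\\open\\Command=RavMon.exe
shell\\explore\\Command=RavMon.exe -e
icon=RavMon.exe,0
[DeviceInstall]
DriverPath=drivers
"""


def parse_autorun_inf(text):
    """Return the commands an [autorun] section asks Explorer to run, keyed by trigger.

    Triggers are 'open', 'shellexecute' and 'shell\\<verb>' for each shell\\<verb>\\command
    line. Other keys (icon, label, ...) cannot launch anything and are ignored.
    """
    commands = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("open", "shellexecute"):
            commands[key] = value
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            commands["shell\\" + verb] = value
    return commands


def executable_of(command):
    """First token of a command line with quotes stripped: the file Explorer would launch."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def inspect_drive_root(root):
    """List every autorun trigger on a drive root and whether its target file is there."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    findings = []
    for trigger, command in parse_autorun_inf(inf.read_text(errors="replace")).items():
        exe = executable_of(command)
        findings.append({
            "trigger": trigger,
            "command": command,
            "target": exe,
            "present": (Path(root) / exe).is_file(),
        })
    return findings


def build_sample_stick():
    """Lay out a fake infected stick in a temp dir so the inspector can run offline."""
    root = tempfile.mkdtemp(prefix="stick_")
    (Path(root) / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
    (Path(root) / "RavMon.exe").write_bytes(b"MZ" + b"\x00" * 62)  # placeholder, not a real PE
    return root


if __name__ == "__main__":
    for f in inspect_drive_root(build_sample_stick()):
        state = "present" if f["present"] else "MISSING"
        print(f"{f['trigger']:<16} -> {f['command']:<20} ({f['target']} {state})")
```

Point inspect_drive_root at each drive letter root (E:\, F:\) before a stick is reused. Deleting RavMon.exe alone is not enough: as long as the autorun.inf and the cached MountPoints2 verbs remain, the next copy of the worm is one double-click away, so remove the autorun.inf too. On Windows XP the durable fix is to turn AutoRun off for every drive type by setting NoDriveTypeAutoRun to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.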
RavMon is not in the list of processes in Task Manager and it isn't in the Windows startup items either.
Here's the result...
ComboFix 08-01-04.1 - Manalang 2008-01-06 9:17:59.2 - NTFSx86
Running from: D:\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.
2008-01-05 19:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 17:48 . 2008-01-05 17:48 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-05 17:41 . 2008-01-05 17:50 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-05 17:41 . 2008-01-05 17:41 d-------- C:\Documents and Settings\Manalang\Application Data\SUPERAntiSpyware.com
2008-01-05 17:40 . 2008-01-05 17:40 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 10:40 . 2008-01-05 16:54 d-------- C:\Program Files\Windows Media Connect 2
2008-01-01 10:36 . 2008-01-01 10:36 d-------- C:\WINDOWS\system32\LogFiles
2008-01-01 10:36 . 2008-01-01 10:38 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-01 09:53 . 2008-01-01 09:53 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-01 09:53 . 2008-01-01 09:53 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-01 09:50 . 2008-01-01 09:50 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 09:50 . 2008-01-01 09:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-01 09:50 . 2008-01-01 09:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-01 09:50 . 2008-01-01 09:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-01 07:28 . 2008-01-01 07:28 d-------- C:\Program Files\Microsoft Works
2008-01-01 07:17 . 2008-01-01 07:27 d-------- C:\WINDOWS\SHELLNEW
2008-01-01 07:15 . 2008-01-01 07:33 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-01 07:14 . 2008-01-01 07:14 dr-h----- C:\MSOCache
2008-01-01 07:08 . 2008-01-01 07:08 d-------- C:\Documents and Settings\Manalang\Application Data\DAEMON Tools
2008-01-01 07:07 . 2008-01-01 07:08 d-------- C:\Program Files\DAEMON Tools Lite
2007-12-31 16:25 . 2007-12-31 16:26 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-31 08:02 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-31 08:02 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-31 08:02 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-31 08:02 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-31 08:02 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-31 08:02 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-31 08:02 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-31 08:02 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-31 08:02 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-31 07:37 . 2007-12-31 07:37 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-25 11:48 . 2007-12-25 11:48 d-------- C:\Program Files\e-Games
2007-12-22 13:45 . 2007-12-22 13:45 d-------- C:\Documents and Settings\Manalang\LimeWire Store Purchased
2007-12-21 11:13 . 2007-12-21 11:13 d-------- C:\WINDOWS\Sun
2007-12-21 08:49 . 2007-12-22 13:17 d-------- C:\Documents and Settings\Manalang\Application Data\DivX
2007-12-21 08:42 . 2007-12-21 08:43 d-------- C:\Program Files\DivX
2007-12-20 19:03 . 2004-08-03 14:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-20 18:33 . 2007-12-20 18:33 d-------- C:\Program Files\Windows Defender
2007-12-20 18:14 . 2007-05-27 04:17 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2007-12-20 18:14 . 2007-04-10 14:01 336,768 --a------ C:\WINDOWS\system32\wgatray.exe.old
2007-12-20 18:14 . 2007-04-10 14:00 236,928 --a------ C:\WINDOWS\system32\wgalogon.dll.old
2007-12-20 17:33 . 2007-12-20 17:33 d-------- C:\Program Files\Panicware
2007-12-20 16:40 . 2007-12-20 16:40 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 15:04 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-20 12:34 . 2007-12-20 12:34 d-------- C:\Documents and Settings\Manalang\Incomplete
2007-12-20 12:33 . 2008-01-05 14:30 d-------- C:\Documents and Settings\Manalang\Application Data\LimeWire
2007-12-20 12:15 . 2003-07-20 01:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2007-12-20 12:15 . 2005-01-03 16:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-12-20 11:56 . 2007-12-20 13:39 754 --a------ C:\WINDOWS\WORDPAD.INI
2007-12-20 10:48 . 2008-01-06 09:07 d-------- C:\Program Files\LimeWire
2007-12-20 10:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-20 10:46 . 2007-12-20 10:48 d-------- C:\Program Files\Java
2007-12-20 10:33 . 2007-12-20 10:33 d-------- C:\Program Files\Common Files\Java
2007-12-20 10:25 . 2007-12-31 11:23 d--h----- C:\WINDOWS\$hf_mig$
2007-12-20 10:25 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-20 09:32 . 2007-12-20 09:32 d-------- C:\Program Files\Alwil Software
2007-12-20 09:20 . 2006-06-14 00:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-12-20 09:19 . 2007-10-26 11:20 4,124,352 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-12-20 09:15 . 2007-12-20 09:15 d-------- C:\Program Files\Realtek AC97
2007-12-20 09:15 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2007-12-20 09:15 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
2007-12-20 09:14 . 2007-12-20 09:14 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-20 09:14 . 2007-12-20 09:14 d-------- C:\Program Files\Common Files\InstallShield
2007-12-20 09:14 . 2007-12-20 09:14 d--hs---- C:\Documents and Settings\Manalang\UserData
2007-12-20 09:14 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\alsndmgr.cpl
2007-12-20 09:14 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
2007-12-20 09:14 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
2007-12-20 09:14 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2007-12-20 09:14 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2007-12-11 14:35 . 2007-12-11 14:35 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 14:35 . 2007-12-11 14:35 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 14:34 . 2007-12-11 14:34 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 14:34 . 2007-12-11 14:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 14:34 . 2007-12-11 14:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 14:32 . 2007-12-11 14:32 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2007-12-11 14:32 . 2007-12-11 14:32 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 14:32 . 2007-12-11 14:32 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 14:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-20 14:38 --------- d-----w C:\Program Files\Yahoo!
2007-12-20 14:10 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-11 22:34 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 22:34 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 22:34 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-11 22:34 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-11 22:34 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-11 22:34 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-12-11 22:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 22:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 22:33 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 22:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 22:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 22:33 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 22:33 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 22:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 22:33 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 22:33 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-05_19.35.51.34 )))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 14:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2007-12-29 04:05 486856 --a------ C:\Program Files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 15:15:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 09:20:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
.
Completion time: 2008-01-06 9:21:40
ComboFix-quarantined-files.txt 2008-01-06 17:21:22
ComboFix2.txt 2008-01-06 03:36:24
.
2008-01-06 15:20:56 --- E O F ---
Is it OK now?
Please say 'yes'.
Hi ceann,
But did you scan the USB stick with the tool I asked you to download? What did it say then? The corrupted autorun.inf could be only on your USB stick and launch the virus from there. Scan the stick again please, and run the batch script that oldman gave you. Safety first: scanning and running this batch script won't hurt your computer one bit, or should I say byte?
polonus