Win32:BHO-KD -- can't figure out past post

Ok, I know there has been a discussion on this already, but in reading everything I still can't figure out what to do. Downloading the free stuff on the web hasn't worked and I'm not too computer savvy, so all those posts with what appeared to be logs of something I can't understand… can someone please help? Thanks!

Download these two programs, run them in the order posted and post the logs from them. Someone will review them and help you get rid of this critter.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Click here to download HJTsetup.exe

  1. Save HJTsetup.exe to your desktop.
  2. Double-click the HJTsetup.exe icon on your desktop.
  3. By default it will install to C:\Program Files\Hijack This.
  4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  5. Put a check by Create a desktop icon, then click Next again.
  6. Continue to follow the rest of the prompts from there.
  7. At the final dialogue box click Finish and it will launch Hijack This.
  8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  9. Click on “Edit > Select All”, then click on “Edit > Copy” to copy the entire contents of the log.
  10. Come back here to this thread and paste the log in your next reply.
  11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

I hope you can help me remove Win32:BHO-KD. I tried all the steps in this forum, including using Spyware Terminator and Anti-Rootkit (AVG), but none of them worked, so I've decided to post my ComboFix log and HJT log. Thanks!

Log from Combofix:
ComboFix 08-01-20.1 - doben 2008-01-21 18:01:33.1 - NTFSx86
Running from: C:\Documents and Settings\doben\Desktop\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\doben\Application Data\ultra
C:\Documents and Settings\doben\Application Data\ultra\uninstall.bat
C:\WINDOWS\dwatson.dll
C:\WINDOWS\system_sv_CMD_
C:\WINDOWS\system32\appmgmt.dll
C:\WINDOWS\system32\drivers\fqyknmyd.dat
C:\WINDOWS\system32\vovfffmh.dllbox
C:\WINDOWS\winndm32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_YGTBXDDU
-------\nm
-------\ygtbxddu

((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 17:58 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 21:10 . 2008-01-09 21:10 269,334 --a--c--- C:\WINDOWS\system32\filsnat.bmp
2008-01-08 07:56 . 2008-01-08 07:56 269,334 --a--c--- C:\WINDOWS\system32\iporqtsr.bmp
2008-01-08 07:39 . 2008-01-08 07:39 269,334 --a--c--- C:\WINDOWS\system32\bahsnadkrqh.bmp
2008-01-08 07:28 . 2008-01-08 07:28 269,334 --a--c--- C:\WINDOWS\system32\tcnadojqpcnmd.bmp
2008-01-07 19:26 . 2008-01-07 19:26 269,334 --a--c--- C:\WINDOWS\system32\nalcb.bmp
2008-01-07 19:19 . 2008-01-07 19:19 269,334 --a--c--- C:\WINDOWS\system32\jmdonelkfml.bmp
2008-01-07 18:51 . 2008-01-07 18:51 269,334 --a--c--- C:\WINDOWS\system32\dsbilsjap.bmp
2008-01-07 18:37 . 2008-01-07 18:37 269,334 --a--c--- C:\WINDOWS\system32\pkfadkfqpsf.bmp
2008-01-06 15:51 . 2008-01-06 15:51 269,334 --a--c--- C:\WINDOWS\system32\mdsfqlsj.bmp
2008-01-06 14:04 . 2008-01-06 14:04 269,334 --a--c--- C:\WINDOWS\system32\cfqdkfitcn.bmp
2008-01-06 09:35 . 2008-01-06 09:35 269,334 --a--c--- C:\WINDOWS\system32\etonmpsrapobmt.bmp
2008-01-06 00:06 . 2008-01-06 00:06 269,334 --a--c--- C:\WINDOWS\system32\cbipgbel.bmp
2008-01-05 09:06 . 2008-01-05 09:06 269,334 --a--c--- C:\WINDOWS\system32\qlkfap.bmp
2008-01-04 20:22 . 2008-01-04 20:22 269,334 --a--c--- C:\WINDOWS\system32\dcnmh.bmp
2008-01-03 07:10 . 2008-01-03 07:10 269,334 --a--c--- C:\WINDOWS\system32\nidgfatknql.bmp
2008-01-03 07:05 . 2008-01-03 07:05 269,334 --a--c--- C:\WINDOWS\system32\nmpcredcned.bmp
2008-01-02 16:27 . 2008-01-02 16:27 269,334 --a--c--- C:\WINDOWS\system32\ojalgjmpcn.bmp
2007-12-30 10:03 . 2007-12-30 10:03 269,334 --a--c--- C:\WINDOWS\system32\tcbatkn.bmp
2007-12-30 08:25 . 2007-12-30 08:25 269,334 --a--c--- C:\WINDOWS\system32\elkfmdknal.bmp
2007-12-28 23:11 . 2007-12-28 23:11 269,334 --a--c--- C:\WINDOWS\system32\qhgjmdgfatkr.bmp
2007-12-27 15:57 . 2007-12-27 15:57 269,334 --a--c--- C:\WINDOWS\system32\nilcrmhsfedon.bmp
2007-12-27 14:09 . 2007-12-27 14:09 269,334 --a--c--- C:\WINDOWS\system32\ipcbqtgbapknmd.bmp
2007-12-26 20:35 . 2007-12-26 20:35 269,334 --a--c--- C:\WINDOWS\system32\mdgnmlsjmhgjqt.bmp
2007-12-26 10:09 . 2007-12-26 10:09 269,334 --a--c--- C:\WINDOWS\system32\horilsfqhonid.bmp
2007-12-26 09:55 . 2007-12-26 09:55 269,334 --a--c--- C:\WINDOWS\system32\pkjqpsnmp.bmp
2007-12-26 08:58 . 2007-12-26 08:58 269,334 --a--c--- C:\WINDOWS\system32\kbelonel.bmp
2007-12-25 20:05 . 2007-12-25 20:05 269,334 --a--c--- C:\WINDOWS\system32\gbehknat.bmp
2007-12-25 14:40 . 2007-12-25 14:40 269,334 --a--c--- C:\WINDOWS\system32\fetgfihon.bmp
2007-12-24 20:58 . 2007-12-24 20:58 269,334 --a--c--- C:\WINDOWS\system32\lkralsf.bmp
2007-12-24 20:10 . 2007-12-24 20:10 269,334 --a--c--- C:\WINDOWS\system32\hgnelgridkfid.bmp
2007-12-24 16:08 . 2007-12-24 16:08 269,334 --a--c--- C:\WINDOWS\system32\dgrelcb.bmp
2007-12-24 15:55 . 2007-12-24 15:55 269,334 --a--c--- C:\WINDOWS\system32\balgfqd.bmp
2007-12-24 03:24 . 2007-12-24 03:24 269,334 --a--c--- C:\WINDOWS\system32\cjadofmt.bmp
2007-12-24 02:53 . 2007-12-24 02:53 269,334 --a--c--- C:\WINDOWS\system32\rqhof.bmp
2007-12-24 02:04 . 2007-12-24 02:04 269,334 --a--c--- C:\WINDOWS\system32\tobqdgbed.bmp
2007-12-23 15:08 . 2007-12-23 15:08 269,334 --a--c--- C:\WINDOWS\system32\sfqpgbah.bmp
2007-12-22 11:04 . 2007-12-22 11:04 269,334 --a--c--- C:\WINDOWS\system32\filsfilofqdsb.bmp
2007-12-21 22:10 . 2007-12-21 22:10 269,334 --a--c--- C:\WINDOWS\system32\tonmpcfmpkn.bmp
2007-12-21 22:07 . 2007-12-21 22:07 d-------- C:\Documents and Settings\doben\Application Data\Anti-Virus-Pro.com
2007-12-21 22:06 . 2007-12-22 11:03 d-------- C:\Program Files\AntiVirusPro
2007-12-21 22:05 . 2007-12-21 22:05 269,334 --a------ C:\WINDOWS\system32\snmpkbidobeh.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 11:44 --------- d-----w C:\Documents and Settings\doben\Application Data\uTorrent
2008-01-06 06:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-06 06:56 --------- d-----w C:\Program Files\DirectVobSub
2008-01-06 06:52 --------- d-----w C:\Program Files\FinePixViewer
2007-12-21 14:15 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-01 13:12 --------- d-----w C:\Program Files\Autodesk(2)
2007-12-01 13:12 --------- d-----w C:\Program Files\AutoCAD LT 2008
2007-08-18 23:35 920 ----a-w C:\Program Files\INSTALL.LOG
2006-09-11 15:00 22,083,376 ----a-w C:\Program Files\QuickTimeInstaller.exe
2006-08-16 13:21 5,118,736 ----a-w C:\Program Files\Firefox Setup 1.5.0.6.exe
2005-05-13 09:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 03:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 13:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 11:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 04:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 07:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 14:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2005-12-22 12:23 816,640 --sha-r C:\WINDOWS\system32\smab.dll
2005-02-28 05:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-04 05:42 401491]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22 4670968]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2002-01-01 00:25 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 13:30 483328]
"PrintSpooler"="C:\WINDOWS\system32\CSpool\lass.exe" [2007-09-30 01:40 4620288]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 17:42 933888]
"VirtualDrive"="C:\Program Files\FarStone\VirtualDrive\VDTask.exe" [2002-03-21 13:31 204800]
"vcdplayx"="C:\WINDOWS\vcdplayx.exe" [2002-03-18 16:31 57344]
"anvshell"="anvshell.exe" [2001-04-10 15:36 323584 C:\WINDOWS\anvshell.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-11 23:02 282624]
"NWEReboot"=""
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2002-01-01 01:17 2834432]
"@"=""

R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys [2001-05-10 13:00]
R1 ANVOSDNT;ASUS Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\anvosdnt.sys [2006-08-16 14:45]
R1 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys [2002-01-24 15:25]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2002-01-01 01:22]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [2002-01-19 18:00]

continuation…

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41596d7a-2d43-11db-a551-000d87356e88}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NETSVCS.EXE
\Shell\é_†™\command - NETSVCS.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{764c8d96-c882-11db-a778-000d87356e88}]
\Shell\AutoOpen\command - G:.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{878af9d3-5d00-11dc-8f8f-000d87356e88}]
\Shell\AutoRun\command - rawdata.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a13cc520-ac39-11dc-9015-000d87356e88}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e27abc60-337b-11db-a560-000d87356e88}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecb80a3b-9611-11db-a6e0-000d87356e88}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 19:49:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-21 19:55:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 11:54:51
For my HJT log…

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:09 AM, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\vcdplayx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\CSpool\lass.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Spyware Terminator\SpywareTerminator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\doben\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {683C284B-796E-433C-8267-DF08CABE988A} - C:\WINDOWS\system32\appmgmt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM..\Run: [anvshell] anvshell.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [PrintSpooler] C:\WINDOWS\system32\CSpool\lass.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


End of file - 5119 bytes

Hi there, whilst Oldman is busy elsewhere I will give you a hand :wink: By the way, you have the latest rogue antispy.

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the code box below into the Notepad window:


File::
C:\WINDOWS\system32\CSpool\lass.exe
C:\WINDOWS\system32\filsnat.bmp
C:\WINDOWS\system32\iporqtsr.bmp
C:\WINDOWS\system32\bahsnadkrqh.bmp
C:\WINDOWS\system32\tcnadojqpcnmd.bmp
C:\WINDOWS\system32\nalcb.bmp
C:\WINDOWS\system32\jmdonelkfml.bmp
C:\WINDOWS\system32\dsbilsjap.bmp
C:\WINDOWS\system32\pkfadkfqpsf.bmp
C:\WINDOWS\system32\mdsfqlsj.bmp
C:\WINDOWS\system32\cfqdkfitcn.bmp
C:\WINDOWS\system32\etonmpsrapobmt.bmp
C:\WINDOWS\system32\cbipgbel.bmp
C:\WINDOWS\system32\qlkfap.bmp
C:\WINDOWS\system32\dcnmh.bmp
C:\WINDOWS\system32\nidgfatknql.bmp
C:\WINDOWS\system32\nmpcredcned.bmp
C:\WINDOWS\system32\ojalgjmpcn.bmp
C:\WINDOWS\system32\tcbatkn.bmp
C:\WINDOWS\system32\elkfmdknal.bmp
C:\WINDOWS\system32\qhgjmdgfatkr.bmp
C:\WINDOWS\system32\nilcrmhsfedon.bmp
C:\WINDOWS\system32\ipcbqtgbapknmd.bmp
C:\WINDOWS\system32\mdgnmlsjmhgjqt.bmp
C:\WINDOWS\system32\horilsfqhonid.bmp
C:\WINDOWS\system32\pkjqpsnmp.bmp
C:\WINDOWS\system32\kbelonel.bmp
C:\WINDOWS\system32\gbehknat.bmp
C:\WINDOWS\system32\fetgfihon.bmp
C:\WINDOWS\system32\lkralsf.bmp
C:\WINDOWS\system32\hgnelgridkfid.bmp
C:\WINDOWS\system32\dgrelcb.bmp
C:\WINDOWS\system32\balgfqd.bmp
C:\WINDOWS\system32\cjadofmt.bmp
C:\WINDOWS\system32\rqhof.bmp
C:\WINDOWS\system32\tobqdgbed.bmp
C:\WINDOWS\system32\sfqpgbah.bmp
C:\WINDOWS\system32\filsfilofqdsb.bmp
C:\WINDOWS\system32\tonmpcfmpkn.bmp
C:\Documents and Settings\doben\Application Data\Anti-Virus-Pro.com
C:\WINDOWS\system32\snmpkbidobeh.bmp
C:\WINDOWS\system32\yv12vfw.dll
C:\WINDOWS\system32\x.264.exe

Folder::
C:\Program Files\AntiVirusPro

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41596d7a-2d43-11db-a551-000d87356e88}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a13cc520-ac39-11dc-9015-000d87356e88}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e27abc60-337b-11db-a560-000d87356e88}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecb80a3b-9611-11db-a6e0-000d87356e88}]

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt.

  5. Then drag CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

  6. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply: ComboFix.txt and a new HijackThis log.
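The checks behind the helper's reply, as an added example that is not part of this thread and not code from the ComboFix or HijackThis projects: a small Python triage script that reads HijackThis O2/O4 lines and the MountPoints2 section of a ComboFix log and lists what a reviewer should look at first. It flags Run entries that execute from a subfolder of system32 or carry a look-alike of a system file name (the PrintSpooler entry pointing at CSpool\lass.exe), unnamed BHOs loaded from the Windows directory (appmgmt.dll), and autorun commands on removable media that launch a program stored on the medium itself (Recycled\ctfmon.exe, boot.exe), while leaving the PaperPort, VirtualDrive and avast! entries alone. The sample lines are copied from the logs posted above with curly quotes straightened; the allowlist of system file names, the severity labels and the function names are this example's own assumptions. The output is a list for a human reviewer, not a removal script.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines taken from the HijackThis and ComboFix logs posted in this
# thread (quotes straightened); benign entries are kept to show they pass.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {683C284B-796E-433C-8267-DF08CABE988A} - C:\WINDOWS\system32\appmgmt.dll
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM..\Run: [anvshell] anvshell.exe
O4 - HKLM..\Run: [PrintSpooler] C:\WINDOWS\system32\CSpool\lass.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{764c8d96-c882-11db-a778-000d87356e88}]
\Shell\AutoOpen\command - G:.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e27abc60-337b-11db-a560-000d87356e88}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
"""

# Well-known Windows binaries that malware imitates by name or launches from the
# wrong place. Assumption: a short allowlist chosen for this example, not exhaustive.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "spoolsv.exe",
                "ctfmon.exe", "winlogon.exe", "services.exe", "explorer.exe"}
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}

@dataclass
class Finding:
    severity: str        # "HIGH" or "REVIEW" (labels are this example's own)
    subject: str         # the executable or DLL the finding is about
    reasons: List[str]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alike names such as lass.exe vs lsass.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _finding(subject: str, high: List[str], review: List[str]) -> Optional[Finding]:
    if not high and not review:
        return None
    return Finding("HIGH" if high else "REVIEW", subject, high + review)

def _path_checks(path: str) -> List[str]:
    """High-severity reasons that apply to any program path, Run key or autorun alike."""
    directory, _, name = path.rpartition("\\")
    ldir, lname = directory.lower(), name.lower()
    reasons = []
    if "\\system32\\" in ldir:
        reasons.append("runs from a subfolder of system32, where Windows keeps no startup programs")
    if lname in SYSTEM_NAMES and ldir not in WINDOWS_DIRS:
        reasons.append(f"reuses the system file name {name} outside the Windows directory")
    for known in sorted(SYSTEM_NAMES):
        if lname != known and edit_distance(lname, known) == 1:
            reasons.append(f"name is one edit away from the system binary {known}")
    return reasons

BHO_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\S*\\Run: \[([^\]]+)\] (.+)$")

def _executable(command: str) -> str:
    """The program part of a Run value: the quoted path, or the text before a ' -'/' /' switch."""
    m = re.match(r'"([^"]+)"|(.+?)(?:\s+[-/].*)?$', command.strip())
    return m.group(1) or m.group(2)

def triage_hjt(log: str) -> List[Finding]:
    """Flag O2 (BHO) and O4 (Run key) lines of a HijackThis log."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            name, _clsid, dll = m.groups()
            high, review = [], []
            if dll.lower().startswith("c:\\windows"):
                high.append("BHO DLL lives under the Windows directory; add-ons normally install under Program Files")
            if name == "(no name)":
                review.append("BHO carries no name; confirm which product installed it")
            f = _finding(dll, high, review)
        elif m := RUN_RE.match(line):
            exe = _executable(m.group(3))
            review = ["bare file name, located through the search path; confirm which copy runs"] if "\\" not in exe else []
            f = _finding(exe, _path_checks(exe), review)
        else:
            continue
        if f:
            findings.append(f)
    return findings

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\?(.+)\]$", re.IGNORECASE)
CMD_RE = re.compile(r"^\\Shell\\.+?\\command - (.+)$")

def triage_mountpoints(report: str) -> List[Finding]:
    """Flag MountPoints2 autorun commands that launch a program stored on the medium itself."""
    findings, seen, volume = [], set(), "?"
    for line in report.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            volume = m.group(1)
            continue
        if not (m := CMD_RE.match(line)):
            continue
        target = m.group(1)
        # The RunDLL32 ... ShellExec_RunDLL form only wraps the real target; unwrap it.
        if "ShellExec_RunDLL " in target:
            target = target.split("ShellExec_RunDLL ", 1)[1]
        target = target.strip()
        if re.match(r"^[A-Za-z]:", target) or target.startswith("\\"):
            continue  # absolute path on a drive: not the removable-media pattern
        if (volume, target.lower()) in seen:
            continue  # the same target under several verbs counts once
        seen.add((volume, target.lower()))
        high = _path_checks(target)
        if "\\" not in target:
            high.append("bare executable at the root of the medium")
        review = [f"autorun for volume {volume} launches a program stored on the medium itself"]
        findings.append(_finding(target, high, review))
    return findings

def triage_all() -> List[Finding]:
    return triage_hjt(HJT_SAMPLE) + triage_mountpoints(COMBOFIX_SAMPLE)

if __name__ == "__main__":
    for f in triage_all():
        print(f"{f.severity:6} {f.subject}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run on the sample, four entries come out HIGH (CSpool\lass.exe, appmgmt.dll, Recycled\ctfmon.exe and boot.exe), the Crawler BHO and the bare anvshell.exe entry come out REVIEW, and the Office MSOCache autorun is REVIEW only, which is the same split the helper's CFScript makes between what it removes and what it leaves.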

Hey, just FYI.

ComboFix repaired my Win32:BHO-KD (trj)… Thanks.

The file that was infected, C:\Windows\system32\fdeplo.dll (upx), is gone. I must have tried to repair, clean and eradicate this trojan for over 12 hours over the last 3 days.

Thanks for offering your help. Here's my new ComboFix log and HJT log.
FILE
C:\Documents and Settings\doben\Application Data\Anti-Virus-Pro.com
C:\WINDOWS\system32\bahsnadkrqh.bmp
C:\WINDOWS\system32\balgfqd.bmp
C:\WINDOWS\system32\cbipgbel.bmp
C:\WINDOWS\system32\cfqdkfitcn.bmp
C:\WINDOWS\system32\cjadofmt.bmp
C:\WINDOWS\system32\CSpool\lass.exe
C:\WINDOWS\system32\dcnmh.bmp
C:\WINDOWS\system32\dgrelcb.bmp
C:\WINDOWS\system32\dsbilsjap.bmp
C:\WINDOWS\system32\elkfmdknal.bmp
C:\WINDOWS\system32\etonmpsrapobmt.bmp
C:\WINDOWS\system32\fetgfihon.bmp
C:\WINDOWS\system32\filsfilofqdsb.bmp
C:\WINDOWS\system32\filsnat.bmp
C:\WINDOWS\system32\gbehknat.bmp
C:\WINDOWS\system32\hgnelgridkfid.bmp
C:\WINDOWS\system32\horilsfqhonid.bmp
C:\WINDOWS\system32\ipcbqtgbapknmd.bmp
C:\WINDOWS\system32\iporqtsr.bmp
C:\WINDOWS\system32\jmdonelkfml.bmp
C:\WINDOWS\system32\kbelonel.bmp
C:\WINDOWS\system32\lkralsf.bmp
C:\WINDOWS\system32\mdgnmlsjmhgjqt.bmp
C:\WINDOWS\system32\mdsfqlsj.bmp
C:\WINDOWS\system32\nalcb.bmp
C:\WINDOWS\system32\nidgfatknql.bmp
C:\WINDOWS\system32\nilcrmhsfedon.bmp
C:\WINDOWS\system32\nmpcredcned.bmp
C:\WINDOWS\system32\ojalgjmpcn.bmp
C:\WINDOWS\system32\pkfadkfqpsf.bmp
C:\WINDOWS\system32\pkjqpsnmp.bmp
C:\WINDOWS\system32\qhgjmdgfatkr.bmp
C:\WINDOWS\system32\qlkfap.bmp
C:\WINDOWS\system32\rqhof.bmp
C:\WINDOWS\system32\sfqpgbah.bmp
C:\WINDOWS\system32\snmpkbidobeh.bmp
C:\WINDOWS\system32\tcbatkn.bmp
C:\WINDOWS\system32\tcnadojqpcnmd.bmp
C:\WINDOWS\system32\tobqdgbed.bmp
C:\WINDOWS\system32\tonmpcfmpkn.bmp
C:\WINDOWS\system32\x.264.exe
C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiVirusPro
C:\WINDOWS\system32\bahsnadkrqh.bmp
C:\WINDOWS\system32\balgfqd.bmp
C:\WINDOWS\system32\cbipgbel.bmp
C:\WINDOWS\system32\cfqdkfitcn.bmp
C:\WINDOWS\system32\cjadofmt.bmp
C:\WINDOWS\system32\CSpool\lass.exe
C:\WINDOWS\system32\dcnmh.bmp
C:\WINDOWS\system32\dgrelcb.bmp
C:\WINDOWS\system32\dsbilsjap.bmp
C:\WINDOWS\system32\elkfmdknal.bmp
C:\WINDOWS\system32\etonmpsrapobmt.bmp
C:\WINDOWS\system32\fetgfihon.bmp
C:\WINDOWS\system32\filsfilofqdsb.bmp
C:\WINDOWS\system32\filsnat.bmp
C:\WINDOWS\system32\gbehknat.bmp
C:\WINDOWS\system32\hgnelgridkfid.bmp
C:\WINDOWS\system32\horilsfqhonid.bmp
C:\WINDOWS\system32\ipcbqtgbapknmd.bmp
C:\WINDOWS\system32\iporqtsr.bmp
C:\WINDOWS\system32\jmdonelkfml.bmp
C:\WINDOWS\system32\kbelonel.bmp
C:\WINDOWS\system32\lkralsf.bmp
C:\WINDOWS\system32\mdgnmlsjmhgjqt.bmp
C:\WINDOWS\system32\mdsfqlsj.bmp
C:\WINDOWS\system32\nalcb.bmp
C:\WINDOWS\system32\nidgfatknql.bmp
C:\WINDOWS\system32\nilcrmhsfedon.bmp
C:\WINDOWS\system32\nmpcredcned.bmp
C:\WINDOWS\system32\ojalgjmpcn.bmp
C:\WINDOWS\system32\pkfadkfqpsf.bmp
C:\WINDOWS\system32\pkjqpsnmp.bmp
C:\WINDOWS\system32\qhgjmdgfatkr.bmp
C:\WINDOWS\system32\qlkfap.bmp
C:\WINDOWS\system32\rqhof.bmp
C:\WINDOWS\system32\sfqpgbah.bmp
C:\WINDOWS\system32\snmpkbidobeh.bmp
C:\WINDOWS\system32\tcbatkn.bmp
C:\WINDOWS\system32\tcnadojqpcnmd.bmp
C:\WINDOWS\system32\tobqdgbed.bmp
C:\WINDOWS\system32\tonmpcfmpkn.bmp
C:\WINDOWS\system32\x.264.exe
C:\WINDOWS\system32\yv12vfw.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-22 21:22 . 2008-01-22 21:42 d-------- C:\onimusha
2008-01-21 17:58 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 04:44 --------- d-----w C:\Documents and Settings\doben\Application Data\uTorrent
2008-01-22 16:01 --------- d-----w C:\Documents and Settings\doben\Application Data\Spyware Terminator
2008-01-21 16:00 --------- d-----w C:\Program Files\Spyware Terminator
2008-01-21 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-01-06 06:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-06 06:56 --------- d-----w C:\Program Files\DirectVobSub
2008-01-06 06:52 --------- d-----w C:\Program Files\FinePixViewer
2007-12-21 14:15 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-21 14:07 --------- d-----w C:\Documents and Settings\doben\Application Data\Anti-Virus-Pro.com
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-12-01 13:12 --------- d-----w C:\Program Files\Autodesk(2)
2007-12-01 13:12 --------- d-----w C:\Program Files\AutoCAD LT 2008
2007-11-25 21:39 3,398 -c--a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2007-08-18 23:35 920 ----a-w C:\Program Files\INSTALL.LOG
2006-09-11 15:00 22,083,376 ----a-w C:\Program Files\QuickTimeInstaller.exe
2006-08-16 13:21 5,118,736 ----a-w C:\Program Files\Firefox Setup 1.5.0.6.exe
2005-05-13 09:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 03:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 13:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 11:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 04:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 07:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 14:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2005-12-22 12:23 816,640 --sha-r C:\WINDOWS\system32\smab.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-21_19.54.11.29 )))))))))))))))))))))))))))))))))))))))))
.

  • 2008-01-21 10:00:49 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
  • 2008-01-23 04:44:24 1,409,024 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
  • 2008-01-21 10:00:50 1,191,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
  • 2008-01-23 04:44:25 1,191,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
  • 2008-01-21 10:00:50 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
  • 2008-01-23 04:44:25 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
  • 2008-01-21 10:00:51 1,191,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
  • 2008-01-23 04:44:26 1,191,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
  • 2008-01-21 10:00:54 6,463,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
  • 2008-01-23 04:44:29 6,471,680 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
  • 2008-01-21 10:00:55 1,363,968 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
  • 2008-01-23 04:44:30 1,363,968 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-04 05:42 401491]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22 4670968]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2002-01-01 00:25 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 13:30 483328]
"PrintSpooler"="C:\WINDOWS\system32\CSpool\lass.exe"
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 17:42 933888]
"VirtualDrive"="C:\Program Files\FarStone\VirtualDrive\VDTask.exe" [2002-03-21 13:31 204800]
"vcdplayx"="C:\WINDOWS\vcdplayx.exe" [2002-03-18 16:31 57344]
"anvshell"="anvshell.exe" [2001-04-10 15:36 323584 C:\WINDOWS\anvshell.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-11 23:02 282624]
"NWEReboot"=""
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2002-01-01 01:17 2834432]

continuation…
R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys [2001-05-10 13:00]
R1 ANVOSDNT;ASUS Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\anvosdnt.sys [2006-08-16 14:45]
R1 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys [2002-01-24 15:25]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2002-01-01 01:22]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [2002-01-19 18:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{764c8d96-c882-11db-a778-000d87356e88}]
\Shell\AutoOpen\command - G:.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{878af9d3-5d00-11dc-8f8f-000d87356e88}]
\Shell\AutoRun\command - rawdata.exe

.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 12:52:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


My HJT log…
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\vcdplayx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\doben\Desktop\computer_room\applications\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM..\Run: [PrintSpooler] C:\WINDOWS\system32\CSpool\lass.exe
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM..\Run: [anvshell] anvshell.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


End of file - 4922 bytes