Win32:BHO-KD - Location: C:\windows\system32\dlcicubj.dll[upx]

Greetings:

My AVAST! boot scan detected the Win32:BHO-KD virus/worm in C:\windows\system32\dlcicubj.dll[upx]

After coming to the forum and reading many of the posts concerning this issue, I have downloaded ComboFix and HJT per the Oldman’s instructions to so many previous visitors. Pasted below is the ComboFix log file. The HJT log shall follow under a separate post. Additionally, I have not “fixed anything yet” via HJT.

I look forward to your response and thank you in advance for your assistance.

Kind Regards,
CTBlax7

ComboFix 08-02-14.1 - Todd Breithaupt 2008-02-13 20:14:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1452 [GMT -7:00]
Running from: C:\Documents and Settings\Todd Breithaupt\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Todd Breithaupt\g2mdlhlpx.exe
C:\WINDOWS\system32\danimk.dll
C:\WINDOWS\system32\dlcicubj.dll
C:\WINDOWS\system32\drivers\opumrtny.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NOBCGEGH
-------\LEGACY_NZEDFFRQ
-------\nobcgegh
-------\nzedffrq

((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-13 16:38 . 2008-02-13 16:38 d-------- C:\Program Files\Alwil Software
2008-02-13 16:38 . 2007-12-04 06:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-13 16:38 . 2004-01-09 02:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-13 16:38 . 2007-12-04 05:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-13 16:38 . 2007-12-04 07:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-13 16:38 . 2007-12-04 07:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-13 16:38 . 2007-12-04 07:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-13 16:38 . 2007-12-04 07:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-13 16:38 . 2007-12-04 07:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-13 14:44 . 2008-02-13 15:53 d-------- C:\Program Files\Enigma Software Group
2008-02-13 14:16 . 2008-02-13 14:16 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-02-13 14:16 . 2008-02-13 14:16 741,632 --a------ C:\WINDOWS\system32\ktzdjndq.dat
2008-02-13 14:16 . 2008-02-13 14:16 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-02-13 14:16 . 2008-02-13 14:16 42,752 --a------ C:\WINDOWS\system32\lqqdlrtn.dat
2008-02-13 14:16 . 2008-02-13 14:16 36,608 --a------ C:\WINDOWS\system32\tagtcyib.dat
2008-02-13 14:16 . 2008-02-13 14:16 35,072 --a------ C:\WINDOWS\system32\ezmwzaiw.dat
2008-02-13 08:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 14:12 . 2008-02-12 14:12 120,576 --a------ C:\WINDOWS\system32\mwtreqzs.dat
2008-02-12 12:52 . 2008-02-12 14:30 d-------- C:\WINDOWS\system32\AppCert
2008-02-12 12:52 . 2008-02-13 09:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-12 12:52 . 2008-02-12 12:52 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-08 08:54 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-02-08 08:54 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-02-08 08:54 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-08 08:54 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 03:17 --------- d-----w C:\Program Files\Dl_cats
2008-02-13 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-13 15:32 --------- d-----w C:\Program Files\Java
2008-02-10 17:11 --------- d-----w C:\Documents and Settings\Todd Breithaupt\Application Data\U3
2008-02-05 13:23 --------- d-----w C:\Program Files\FTP Commander
2007-12-18 19:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-18 19:03 --------- d-----w C:\Program Files\WinSCP
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"GoToMeeting"="C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe" [2007-08-17 09:13 31816]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"tqi1kkfcf"="C:\WINDOWS\system32\tqi1kkfcf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-27 20:14 8429568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 18:41 16132608 C:\WINDOWS\RTHDCPL.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 09:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 09:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 09:22 221184]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 07:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 15:23 118784]
"D-Link RangeBooster G WDA-2320"="C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2005-12-15 11:21 2490368]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 09:35 49152]
"DLCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-02-24 00:30 73728]
"dlcimon.exe"="C:\Program Files\Dell AIO Printer 946\dlcimon.exe" [2006-02-13 12:26 430080]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46 624248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 20:05:26 29696]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-02-16 17:40:52 6379080]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 08:35]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2006-04-14 08:07]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-08-25 14:00]
R3 dlci_device;dlci_device;C:\WINDOWS\system32\dlcicoms.exe [2006-05-11 00:22]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;D:\PNDIS5.SYS
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 08:04]

.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 20:18:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Citrix\GoToMeeting\198\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\198\g2mlauncher.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
.


.
Completion time: 2008-02-13 20:19:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-14 03:19:25
.
2007-11-15 14:38:47 --- E O F ---

The following is the HJT log file.

Kind Regards,
CTBlax7

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:17 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Dell AIO Printer 946\dlcimon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\WINDOWS\system32\dlcicoms.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tqi1kkfcf] C:\WINDOWS\system32\tqi1kkfcf.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlci_device - - C:\WINDOWS\system32\dlcicoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe


End of file - 8971 bytes

Greetings:

I noticed that last night I failed to include the following information:

Was running McAfee virus protection and firewall when the following began to occur:

a.) Firewall began blocking outbound emails that were being generated by my XP SP2 system to the outside
b.) Google re-direct via Search daily
c.) Ran a McAfee scan, no detections
d.) Ran SpyHunter, from Enigma Software Group Inc, removed an application that began with a “V”. Sorry, cannot remember the name at this point.
e.) Continued sluggish behavior on PC
f.) Blocked my PC from the internet at my router
g.) Downloaded Avast to a flash drive via another computer
h.) Uninstalled McAfee and installed Avast
i.) Ran boot-level scan with Avast and identified Win32:BHO-KD
j.) Came to the Avast forum, produced and posted ComboFix and HJT logs

Today I researched the following files as it seemed very odd that they were all created in a cluster around the same time period.

Notes on suspicious Files:

1.) HKCU..\Run: [tqi1kkfcf] C:\WINDOWS\system32\tqi1kkfcf.exe
-nothing on this anywhere

2.) C:\WINDOWS\system32\ktzdjndq.dat
-nothing on this anywhere

3.) C:\WINDOWS\system32\libssl32.dll
-libssl32.dll is an OpenSSL Shared Library belonging to The OpenSSL Toolkit from The OpenSSL Project, http://www.openssl.org/

4.) C:\WINDOWS\system32\libeay32.dll
-The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the …
-libeay32.dll contains encryption functions which allow for coded communications over networks. This file is open source and is used in many open-source programs to help with SSL communication

5.) C:\WINDOWS\system32\ktzdjndq.dat
-Your search - ktzdjndq.dat - did not match any documents.

6.) C:\WINDOWS\system32\lqqdlrtn.dat
-Your search - C:\WINDOWS\system32\lqqdlrtn.dat - did not match any documents.

7.) C:\WINDOWS\system32\tagtcyib.dat
-Your search - C:\WINDOWS\system32\tagtcyib.dat - did not match any documents.

8.) C:\WINDOWS\system32\ezmwzaiw.dat
-Your search - C:\WINDOWS\system32\ezmwzaiw.dat - did not match any documents.

9.) C:\WINDOWS\system32\mwtreqzs.dat
-Your search - C:\WINDOWS\system32\mwtreqzs.dat - did not match any documents.

10.) C:\WINDOWS\system32\AppCert
-contains the following: filter.drv, hb13a.dll, options.dat, wnl32.dll, wsil32.dll
-These appear to be malware files per: http://forums.majorgeeks.com/showthread.php?p=1107127 02/09/08; 18:08 entry

11.) C:\WINDOWS\QTFont.qfn
-

12.) C:\WINDOWS\QTFont.for

Any thoughts on if/how to remove these along with Win32:BHO-KD would be greatly appreciated.

Kind Regards,
CTB
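As an added example (not from the thread, and not ComboFix's own code), the by-hand triage above can be scripted over the ComboFix "Files Created" section: the sample lines are copied from the log posted earlier, while the 8-letter name pattern, the same-minute created/modified rule and the cluster threshold are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# ComboFix "Files Created" line layout: <created> . <modified> [<size>] <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[-a-z]+) (?P<path>.+)$"
)
# Assumption: the dropped files in this log use 8 lowercase letters + .dat/.dll/.exe
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dat|dll|exe)$")

# Constructed sample: a subset of lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2008-02-13 16:38 . 2007-12-04 06:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-13 14:16 . 2008-02-13 14:16 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-02-13 14:16 . 2008-02-13 14:16 741,632 --a------ C:\WINDOWS\system32\ktzdjndq.dat
2008-02-13 14:16 . 2008-02-13 14:16 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-02-13 14:16 . 2008-02-13 14:16 42,752 --a------ C:\WINDOWS\system32\lqqdlrtn.dat
2008-02-13 14:16 . 2008-02-13 14:16 36,608 --a------ C:\WINDOWS\system32\tagtcyib.dat
2008-02-13 14:16 . 2008-02-13 14:16 35,072 --a------ C:\WINDOWS\system32\ezmwzaiw.dat
2008-02-12 14:12 . 2008-02-12 14:12 120,576 --a------ C:\WINDOWS\system32\mwtreqzs.dat
2008-02-12 12:52 . 2008-02-12 14:30 d-------- C:\WINDOWS\system32\AppCert
"""

def parse(log_text):
    """Return one dict per parseable 'Files Created' line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, Find3M lines
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": int(m["size"].replace(",", "")) if m["size"] else None,
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"],
        })
    return entries

def triage(entries, min_cluster=3):
    """Return [(path, [reasons])] for every entry that trips at least one heuristic."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e["created"]].append(e)
    findings = []
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\system32\\" in e["path"].lower() and RANDOM_NAME_RE.match(name):
            reasons.append("random 8-letter name in system32")
        if not e["is_dir"] and e["created"] == e["modified"]:
            reasons.append("created and modified in the same minute (dropped, not installed)")
        cluster = by_minute[e["created"]]
        if len(cluster) >= min_cluster:
            reasons.append(f"one of {len(cluster)} files created at {e['created']:%Y-%m-%d %H:%M}")
        if reasons:
            findings.append((e["path"], reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in triage(parse(SAMPLE_LOG)):
        print(f"{'!' * len(reasons):<3} {path}")
        for r in reasons:
            print(f"      - {r}")
```

The two OpenSSL DLLs are flagged only on the timestamp and cluster rules, which is exactly why they deserve a question rather than an automatic delete; the AppCert directory trips none of these file-level rules and is only visible through its AppCertDlls entry in the "Reg Loading Points" section of the log.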

Here you go, try this:

  1. Please open Notepad:
     - Click Start, then Run.
     - Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ktzdjndq.dat
C:\WINDOWS\system32\tagtcyib.dat
C:\WINDOWS\system32\ezmwzaiw.dat
C:\WINDOWS\system32\tqi1kkfcf.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tqi1kkfcf"=-

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt.

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     - Combofix.txt
     - A new HijackThis log.

Hello Essexboy:

Thank you. Looks like we’re off to a good start here. Thank you very much. You’ll find the ComboFix and HJT logs attached due to their size.

Question: Any thoughts on the following files?

3.) C:\WINDOWS\system32\libssl32.dll
-libssl32.dll is an OpenSSL Shared Library belonging to The OpenSSL Toolkit from The OpenSSL Project, http://www.openssl.org/

4.) C:\WINDOWS\system32\libeay32.dll
-The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the …
-libeay32.dll contains encryption functions which allow for coded communications over networks. This file is open source and is used in many open-source programs to help with SSL communication

7.) C:\WINDOWS\system32\lqqdlrtn.dat
-Your search - C:\WINDOWS\system32\lqqdlrtn.dat - did not match any documents.

8.) C:\WINDOWS\system32\ezmwzaiw.dat
-Your search - C:\WINDOWS\system32\ezmwzaiw.dat - did not match any documents.

9.) C:\WINDOWS\system32\mwtreqzs.dat
-Your search - C:\WINDOWS\system32\mwtreqzs.dat - did not match any documents.

10.) C:\WINDOWS\system32\AppCert
-contains the following: filter.drv, hb13a.dll, options.dat, wnl32.dll, wsil32.dll
-These appear to be malware files per: http://forums.majorgeeks.com/showthread.php?p=1107127 02/09/08; 18:08