Win32:BHO-kd problem, here are the results of HijackThis. What to do now????

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:11, on 6-1-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\michiel\Local Settings\Temporary Internet Files\Content.IE5\ACAZCN8A\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Dcads Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\dcads_sidebar.dll
O2 - BHO: (no name) - {749E1309-EDE8-4F6D-A2B7-D870D0BF6742} - C:\WINDOWS\system32\cnvfa.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoveIT Pro XT] D:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


End of file - 5291 bytes

Please download and run ComboFix. Do not reboot unless the programme asks you to, or run any unnecessary programmes, as this infection needs to be killed in one sweep.

Download ComboFix from Here or Here to your Desktop.

[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Hi michiel2411,

Do as essexboy says, follow the instructions completely. Concerning your logfile, you can find it online here:
http://www.hijackthis.de/logfiles/7fceff8825345bd0c3f31a397c0a7a42.html and for the next three consecutive days.

"This as a separate note because I think you are a Dutch speaker: you have an adware infection, Search Assistant, the first O2 BHO, and the next one is probably the one that caused the win32.bho-kd. You are in good hands with essexboy; he will have you run a couple of small tools and then you will be rid of the trouble and have a clean computer again after Three Kings' Day (Drie Koningen)." The nasty ones are:

O2 - BHO: Dcads Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\dcads_sidebar.dll
O2 - BHO: (no name) - {749E1309-EDE8-4F6D-A2B7-D870D0BF6742} - C:\WINDOWS\system32\cnvfa.dll
(SpyAway infection)

groetjes (kindest regards)

polonus

ComboFix 08-01-04.1 - michiel 2008-01-06 11:25:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.79 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\michiel\Local Settings\Temporary Internet Files\Content.IE5\ACAZCN8A\ComboFix[1].exe

* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nsp1C.dll

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-06 to 2008-01-06 ))))))))))))))))))))))))))))))
.

2008-01-06 11:24 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 11:06 . 2008-01-06 11:06 d-------- C:\Program Files\XoftSpySE
2008-01-04 10:32 . 2005-03-30 11:26 d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-01-04 10:32 . 2005-03-30 13:17 d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-01-04 10:32 . 2005-03-30 13:17 d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-01-04 10:32 . 2005-03-30 13:17 d-------- C:\Documents and Settings\Administrator\Mijn documenten
2008-01-04 10:32 . 2005-03-30 13:17 dr------- C:\Documents and Settings\Administrator\Menu Start
2008-01-04 10:32 . 2005-03-30 13:17 d-------- C:\Documents and Settings\Administrator\Favorieten
2008-01-04 10:32 . 2005-03-30 13:17 d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-01-02 09:19 . 2008-01-02 09:20 d-------- C:\Documents and Settings\michiel\Application Data\PrevxCSI
2008-01-02 09:19 . 2008-01-02 09:19 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-31 14:23 . 19,456 C:\WINDOWS\system32\drivers\jzteklsm.dat
2007-12-31 14:22 . 2001-09-07 13:00 84,992 --a------ C:\WINDOWS\system32\cnvfa.dll
2007-12-31 14:22 . 2007-12-31 14:22 40,731 --a------ C:\WINDOWS\system32\superiorads-uninst.exe
2007-12-31 14:21 . 2007-12-31 14:21 d-------- C:\Program Files\Dcads Games Collection
2007-12-31 14:21 . 2007-12-31 14:23 80,097 --a------ C:\WINDOWS\system32\dcads-remove.exe
2007-12-31 14:21 . 2007-12-31 14:24 77,360 --a------ C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
2007-12-28 13:34 . 2007-12-28 13:34 319,488 --a------ C:\WINDOWS\system32\dcads_sidebar.dll
2007-12-15 13:47 . 2007-12-28 13:27 84 --a------ C:\WINDOWS\BARGRAPH.INI

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-01 21:00 --------- d-----w C:\Program Files\Webroot
2007-12-01 19:33 --------- d-----w C:\Program Files\Western Digital Technologies
2007-11-26 08:49 --------- d-----w C:\Program Files\LimeWire
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-10-07 08:40 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
2006-07-24 04:52 1,112 ----a-w C:\Documents and Settings\michiel\Application Data\ViewerApp.dat
2006-03-22 12:23 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-03-22 12:23 0 -c-ha-w C:\Documents and Settings\michiel\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Nota lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}]
2007-12-28 13:34 319488 --a------ C:\WINDOWS\system32\dcads_sidebar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{749E1309-EDE8-4F6D-A2B7-D870D0BF6742}]
2001-09-07 13:00 84992 --a------ C:\WINDOWS\system32\cnvfa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03 15360]
"RemoveIT Pro XT"="D:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-09-11 17:01 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03 15360]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 16:41:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:56]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-04-28 07:28:06]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-04-28 07:28:02]

R0 tbystsug;tbystsug;C:\WINDOWS\system32\drivers\jzteklsm.dat

Newly Created Service - PROCEXP90
.
Inhoud van de 'Gedeelde Taken' map
"2008-01-06 10:06:49 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-06 10:06:48 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 11:29:03
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0


.
Voltooingstijd: 2008-01-06 11:30:23
ComboFix-quarantined-files.txt 2008-01-06 10:30:05
.
2007-12-12 14:30:32 --- E O F ---

You have adware blinkator. I would have thought that RemoveIT Pro would have killed it. However, let's get rid of it now.

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

  3. Save the above as CFScript.txt

  4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

  5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*] Combofix.txt
    [*] A new HijackThis log.

Hi essexboy,

Is that the same as so-called SpyAway infection (cnvfa.dll)? This just for the record,

polonus

I believe that may be one of its names.

essexboy, are you Dutch??? :wink:

No I am English but I can use Babelfish :smiley:

Hi michiel2411 and essexboy,

No but the one that is Dutch, that is me,

polonus

ComboFix 08-01-04.1 - michiel 2008-01-06 18:16:21.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.76 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\michiel\Mijn documenten\ComboFix.exe
Command switches used :: C:\Documents and Settings\michiel\Mijn documenten\CFScript.txt

* Nieuw herstelpunt werd aangemaakt

FILE
C:\WINDOWS\BARGRAPH.INI
C:\WINDOWS\system32\cnvfa.dll
C:\WINDOWS\system32\dcads-remove.exe
C:\WINDOWS\system32\dcads_sidebar.dll
C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
C:\WINDOWS\system32\drivers\jzteklsm.dat
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BARGRAPH.INI
C:\WINDOWS\system32\cnvfa.dll
C:\WINDOWS\system32\dcads-remove.exe
C:\WINDOWS\system32\dcads_sidebar.dll
C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
C:\WINDOWS\system32\drivers\jzteklsm.dat

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-06 to 2008-01-06 ))))))))))))))))))))))))))))))
.

2008-01-06 13:09 . 2001-09-07 13:00 12,315 --a------ C:\WINDOWS\system32\CNVFAT.DL_
2008-01-06 11:24 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 10:32 . 2005-03-30 11:26 d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-01-04 10:32 . 2005-03-30 13:17 d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-01-04 10:32 . 2005-03-30 13:17 d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-01-04 10:32 . 2005-03-30 13:17 d-------- C:\Documents and Settings\Administrator\Mijn documenten
2008-01-04 10:32 . 2005-03-30 13:17 dr------- C:\Documents and Settings\Administrator\Menu Start
2008-01-04 10:32 . 2005-03-30 13:17 d-------- C:\Documents and Settings\Administrator\Favorieten
2008-01-04 10:32 . 2005-03-30 13:17 d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-01-02 09:19 . 2008-01-02 09:20 d-------- C:\Documents and Settings\michiel\Application Data\PrevxCSI
2008-01-02 09:19 . 2008-01-02 09:19 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-31 14:22 . 2007-12-31 14:22 40,731 --a------ C:\WINDOWS\system32\superiorads-uninst.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-01 21:00 --------- d-----w C:\Program Files\Webroot
2007-12-01 19:33 --------- d-----w C:\Program Files\Western Digital Technologies
2007-11-26 08:49 --------- d-----w C:\Program Files\LimeWire
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2006-07-24 04:52 1,112 ----a-w C:\Documents and Settings\michiel\Application Data\ViewerApp.dat
2006-03-22 12:23 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-03-22 12:23 0 -c-ha-w C:\Documents and Settings\michiel\hpothb07.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-06_11.29.34,17 )))))))))))))))))))))))))))))))))))))))))
.

+ 2008-01-06 17:49:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_494.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Nota lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03 15360]
"RemoveIT Pro XT"="D:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-09-11 17:01 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03 15360]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 16:41:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:56]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-04-28 07:28:06]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-04-28 07:28:02]

S0 tbystsug;tbystsug;C:\WINDOWS\system32\drivers\jzteklsm.dat

.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 18:50:03
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0


.
Voltooingstijd: 2008-01-06 18:52:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 17:52:23
ComboFix2.txt 2008-01-06 17:13:35
ComboFix3.txt 2008-01-06 13:39:47
ComboFix4.txt 2008-01-06 10:30:24
.
2007-12-12 14:30:32 --- E O F ---

A quick Avenger fix

  1. Please download The Avenger by Swandog46 to your Desktop.
    [*] Click on Avenger.zip to open the file
    [*] Extract avenger.exe to your desktop

  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

[QUOTE]drivers to unload:
tbystsug

Files to delete:
C:\WINDOWS\system32\drivers\jzteklsm.dat
[/quote]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, start The Avenger program by clicking on its icon on your desktop.
    [*] Under "Script file to execute" choose "Input Script Manually".
    [*] Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
    [*] Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    [*] Click Done
    [*] Now click on the Green Light to begin execution of the script
    [*] Answer "Yes" twice when prompted.
  4. The Avenger will automatically do the following:
    [*] It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    [*] On reboot, it will briefly open a black command window on your desktop, this is normal.
    [*] After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
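Automating the triage polonus and essexboy did by eye in this thread (the unnamed and adware-named O2 BHOs, and the boot-start driver tbystsug whose image is a .dat file rather than a .sys), as an added example that is not part of the thread and not code from HijackThis, ComboFix or The Avenger: a small Python parser over the HijackThis O2 line format and the ComboFix driver line format shown in the logs above. The known-good CLSID allowlist and the heuristics are assumptions made for illustration, and the sample log is constructed from the posted lines plus one made-up benign driver entry.

```python
import re
from dataclasses import dataclass

# CLSIDs of the BHOs the thread treated as legitimate (Adobe, Java, Google Toolbar).
# This allowlist is an assumption made for the example; HijackThis ships no such list.
KNOWN_GOOD_BHO_CLSIDS = {
    "06849E9F-C8D7-4D59-B87D-784B7D6BE0B3",  # AcroIEHelper.dll
    "761497BB-D6F0-462C-B6EB-D4DAF1D92D43",  # Java ssv.dll
    "AA58ED58-01DD-4D91-8333-CF10577473F7",  # googletoolbar3.dll
}

# HijackThis O2 line: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# ComboFix service line: "<start type> <service>;<display name>;<image path>"
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")


@dataclass
class Finding:
    line: str
    reasons: list


def triage_bho(m: re.Match) -> list:
    """Heuristic checks on one O2 entry; returns the reasons it looks suspicious."""
    name, clsid, path = m["name"], m["clsid"].upper(), m["path"]
    if clsid in KNOWN_GOOD_BHO_CLSIDS:
        return []
    reasons = []
    if name == "(no name)":
        reasons.append("BHO registered without a display name")
    # Legitimate third-party BHOs normally live under Program Files, not loose in system32.
    if re.match(r"(?i)^c:\\windows\\system32\\[^\\]+$", path):
        reasons.append("BHO DLL dropped directly into system32")
    if re.search(r"(?i)search assistant|sidebar|ads[_-]", name + " " + path):
        reasons.append("adware-style naming")
    return reasons or ["BHO not on the known-good list"]


def triage_driver(m: re.Match) -> list:
    """Checks on a ComboFix R0/S0 driver line, such as the tbystsug entry in the log."""
    svc, path = m["svc"], m["path"]
    reasons = []
    # Start types 0 and 1 are boot/system-start kernel drivers, whose image is a .sys file.
    if m["start"][1] in "01" and not path.lower().endswith(".sys"):
        reasons.append("driver image is not a .sys file")
    if svc == m["display"] and re.fullmatch(r"[a-z]{8}", svc):
        reasons.append("random-looking 8-letter service name")
    return reasons


def triage(log_text: str) -> list:
    """Run both checks over a mixed HijackThis/ComboFix log and return the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            reasons = triage_bho(m)
        elif m := SVC_RE.match(line):
            reasons = triage_driver(m)
        else:
            continue
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample: lines copied from the logs in this thread plus one benign driver line
# (the aswmon entry) made up here to show a clean result.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Dcads Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\dcads_sidebar.dll
O2 - BHO: (no name) - {749E1309-EDE8-4F6D-A2B7-D870D0BF6742} - C:\WINDOWS\system32\cnvfa.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
R0 tbystsug;tbystsug;C:\WINDOWS\system32\drivers\jzteklsm.dat
S0 aswmon;aswmon;C:\WINDOWS\system32\drivers\aswmon.sys
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print("   ->", reason)
```

Run against the sample it reports exactly the two BHOs and the driver that the thread removed, and stays silent on the allowlisted BHOs and the benign driver.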

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:35:57, on 6-1-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\michiel\Mijn documenten\Nieuwe map (2)\bug\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoveIT Pro XT] D:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


End of file - 5130 bytes

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jhquhtrm


Script file located at: \??\C:\WINDOWS\system32\ngnikxbh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Driver tbystsug unloaded successfully.

File C:\WINDOWS\system32\drivers\jzteklsm.dat not found!
Deletion of file C:\WINDOWS\system32\drivers\jzteklsm.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\jzteklsm.dat
Status: 0xc0000034

Completed script processing.


Finished! Terminate.

How is your system running now

hi essexboy,
System seems to be OK. Did run virus scanner several times but nothing found anymore. I'm very happy and wanna thank you for your help.
greetz, michiel.

Now the best part of the day ----- Your log now appears clean :thumbsup:

Time for some housekeeping
[*] Click START then RUN
[*] Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

[*] http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

[*] When shown the disclaimer, Select "2"

The above procedure will:
[*] Delete the following:
    [*] ComboFix and its associated files and folders.
    [*] VundoFix backups, if present
    [*] The C:\Deckard folder, if present
    [*] The C:\_OtMoveIt folder, if present

[*] Reset the clock settings.
[*] Hide file extensions, if required.
[*] Hide System/Hidden files, if required.
[*] Set a new, clean Restore Point.

Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

  1. Select Start > All Programs > Accessories > System tools > System Restore.
  2. On the dialogue box that appears select Create a Restore Point
  3. Click NEXT
  4. Enter a name e.g. Clean
  5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

  1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  2. In the Drop down box that appears select your main drive e.g. C
  3. Click OK
  4. The System will do some calculation and then display a dialogue box with TABS
  5. Select the More Options Tab.
  6. At the bottom will be a system restore box with a CLEANUP button click this
  7. Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Keep safe :wave: