Trojan.Win32.BHO.aayd
Shifty203
post 26.10.2009 03:09
Post #1


Member
**

Group: Members
Posts: 11
Joined: 23.08.2008




Hey guys,
Keep getting the above trojan popping up in c:\windows\system32\nkqerasi.dll, and KIS keeps telling me it will remove it on reboot, but every time I reboot, it pops up again. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 5:58:45 PM, on 10/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony Ericsson\Sony Ericsson MD400 Wireless Modem\wwanSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08121908-5CFE-4B2E-B484-627266C029FE} - C:\DOCUME~1\Owner\LOCALS~1\Temp\dmB7.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {E060951A-E504-4859-9A8A-81F424F5E978} - c:\windows\system32\hrhkzpx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1199914021919
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: eshduxpt - C:\WINDOWS\SYSTEM32\hrhkzpx.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: wwanSvc - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson MD400 Wireless Modem\wwanSvc.exe
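As an added example (not part of the thread or of HijackThis itself), a small Python triage script that applies the checks a helper would run over the O2 (BHO) and O20 (Winlogon Notify) lines of a log like the one above: unnamed BHOs, DLLs living in a Temp directory, Winlogon Notify key names that do not match their DLL, entries whose file is already gone, and one DLL registered in two autostart locations at once. The sample lines are copied from the posted log; the heuristics and severities are my assumptions.

```python
import re
import ntpath
from collections import defaultdict

# Constructed sample: O2/O20 lines copied from the HijackThis log posted above.
SAMPLE_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {08121908-5CFE-4B2E-B484-627266C029FE} - C:\DOCUME~1\Owner\LOCALS~1\Temp\dmB7.dll (file missing)",
    r"O2 - BHO: (no name) - {E060951A-E504-4859-9A8A-81F424F5E978} - c:\windows\system32\hrhkzpx.dll",
    r"O20 - Winlogon Notify: eshduxpt - C:\WINDOWS\SYSTEM32\hrhkzpx.dll",
    r"O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll",
]

# Regexes for the two entry types; the trailing "(file missing)" marker is optional.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")

def parse(lines):
    """Turn O2 (BHO) and O20 (Winlogon Notify) lines into dicts; other lines are skipped."""
    entries = []
    for line in lines:
        for kind, rx in (("BHO", BHO_RE), ("WinlogonNotify", NOTIFY_RE)):
            m = rx.match(line.strip())
            if m:
                entries.append({"kind": kind, "name": m["name"], "path": m["path"],
                                "missing": m["missing"] is not None, "line": line})
    return entries

def dll_base(path):
    """Lower-cased file name without extension, e.g. 'hrhkzpx' for hrhkzpx.dll."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def triage(entries):
    """Return (severity, reason, line) findings; heuristics are my assumptions, not HijackThis's."""
    # Which autostart locations each DLL is registered in: a DLL hooked as both a
    # BHO and a Winlogon Notify package is a classic sign of a persistent infection.
    by_dll = defaultdict(set)
    for e in entries:
        by_dll[dll_base(e["path"])].add(e["kind"])
    findings = []
    for e in entries:
        base = dll_base(e["path"])
        if e["kind"] == "BHO" and e["name"] == "(no name)":
            findings.append(("medium", "BHO registered without a display name", e["line"]))
        if "\\temp\\" in e["path"].lower():
            findings.append(("high", "autostart DLL located in a Temp directory", e["line"]))
        if e["kind"] == "WinlogonNotify" and e["name"].lower() != base:
            findings.append(("medium", "Winlogon Notify key name differs from its DLL name", e["line"]))
        if len(by_dll[base]) > 1:
            findings.append(("high", "same DLL registered in two autostart locations", e["line"]))
        if e["missing"]:
            findings.append(("low", "entry points at a file that no longer exists", e["line"]))
    return findings
```

Running `triage(parse(SAMPLE_LINES))` flags only the dmB7.dll and hrhkzpx.dll entries; the Adobe BHO and the Kaspersky klogon.dll notify package produce no findings.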
richbuff
post 26.10.2009 05:10
Post #2


True legend
***************

Group: Moderators
Posts: 16764
Joined: 14.06.2007




A few things come to mind first.

If you see the Important read me topic, it will indicate which log is requested.

If your Windows is (still) cracked, you're going to get infected, no AV will save you.

The last reply you received hasn't expired. :)


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Shifty203
post 26.10.2009 06:45
Post #3


QUOTE(richbuff @ 25.10.2009 20:10) *
A few things come to mind first.

If you see the Important read me topic, it will indicate which log is requested.

If your Windows is (still) cracked, you're going to get infected, no AV will save you.

The last reply you received hasn't expired. :)


Well, I guess I will have to call the store the computer was bought at and give them a heads up they are selling cracked versions of Windows.


edit: del wrong lengthy pasted log.

This post has been edited by richbuff: 26.10.2009 07:14
Shifty203
post 31.10.2009 03:50
Post #4


K. The copy of windows is legit. Here is the AVZ Log. Any help would be appreciated.
Attached file: AVZ_Log.txt (77.46K)
richbuff
post 31.10.2009 05:10
Post #5


Wrong log. We need the zip.


Shifty203
post 31.10.2009 05:21
Post #6


Ok, Here is the proper one.
Attached file: sysinfo.zip (34.27K)
richbuff
post 31.10.2009 08:25
Post #7


How did antiwpa.dll get on your PC? C:\WINDOWS\system32\antiwpa.dll

How to see how legit it is.



Shifty203
post 31.10.2009 18:43
Post #8


QUOTE(richbuff @ 30.10.2009 23:25) *
How did antiwpa.dll get on your PC? C:\WINDOWS\system32\antiwpa.dll

How to see how legit it is.


Well, first off, I don't know what that file is or how it got there. It isn't my computer, it is my in-laws', and I am trying to fix it for them. They bought this computer less than a year ago from a reputable computer store here in Edmonton ( www.memoryexpress.com ). The computer has the Microsoft sticker with the serial number on it. They have been using it at their house on a dial-up connection, as they live on an acreage. The antiwpa.dll file says it was created on January 9 2008, and modified on September 18 2005. Now I know they haven't had this machine a full year yet.

I can connect the machine to the internet (I have it disconnected as I don't want it infecting my other machines) and run WGA if you like, but I was hoping not to, as I have 6 other machines on my network, and didn't really want to un-wire it all to connect this machine.
Shifty203
post 5.11.2009 06:03
Post #9


Alright. I validated windows. Can anyone help? I need to get this fixed before the weekend, cause my in-laws are coming to town this weekend, and would like to take their computer back with them. Is there anyone here who can help, or should I just tell them to buy a different anti-virus?

Attached file: screenshot.JPG (113.2K)
richbuff
post 5.11.2009 07:50
Post #10


Run this script, instructions: http://forum.kaspersky.com/index.php?s=&am...st&p=678328 PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\drivers\rvovfqoh.sys','');
DeleteService('rvovfqoh');
StopService('rvovfqoh');
QuarantineFile('digeste.dll','');
QuarantineFile('antiwpa.dll','');
DelBHO('{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}');
DelBHO('{E060951A-E504-4859-9A8A-81F424F5E978}');
DelBHO('{08121908-5CFE-4B2E-B484-627266C029FE}');
QuarantineFile('c:\windows\system32\hrhkzpx.dll','');
QuarantineFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\dmB7.dll','');
DeleteFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\dmB7.dll');
DeleteFile('c:\windows\system32\hrhkzpx.dll');
DeleteFile('antiwpa.dll');
DeleteFile('digeste.dll');
DeleteFile('C:\WINDOWS\system32\drivers\rvovfqoh.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Then, run this one:
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please upload C:\quarantine.zip to a filehost such as http://rapidshare.com/
Then, Private Message me the Download link to the uploaded file. Click my user name and select Send message.


Shifty203
post 5.11.2009 08:04
Post #11


I sent you the link. Thank you very much for your time.
richbuff
post 5.11.2009 08:55
Post #12


Attach a Combofix log; please review and follow these instructions carefully.

Before Saving combofix to Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Download Combofix from here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Shifty203
post 6.11.2009 04:35
Post #13


Here you go.

Thnx again.
Attached file: ComboFix.txt (11.09K)
richbuff
post 6.11.2009 04:48
Post #14


Run this script, PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('c:\documents and settings\Owner\Local Settings\Application Data\rrpzraun\*.*','');
QuarantineFile('c:\documents and settings\Owner\Application Data\rrpzraun\*.*','');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Then, run this one:
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/
Then, Private Message me the Download link to the uploaded file. Click my user name and select Send message.


richbuff
post 7.11.2009 04:29
Post #15


Thank you for the links that you just sent me.

Uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok. Restart Kaspersky.

Also, if you use Windows System Restore, turn it off > reboot and do a full scan with Kaspersky. This is to remove malware from System Volume Information files. Then turn System Restore back on, if you wish. How to turn it off/on: http://support.kaspersky.com/faq/?qid=208279208

Before doing the scan, Clear the Detected list: Detected > Active threats > right click > Disinfect all > right click > Clear list > then scan again > then post screenshot of Detected > Active threats. With columns widened to show full name and object details.

Also, scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but Please Don't fix anything yet, until the log is reviewed.

How to take and post screenshot: PrtSc (Print screen) key (upper right part of keyboard) > open Paint (Start > All programs > Accessories) > Edit > Paste, File > Save as (jpeg or png, Not bmp). When replying, Browse > click once to select file > Open > Upload > add reply.



Shifty203
post 8.11.2009 04:11
Post #16


Here is the screenshot from Kaspersky.
Attached file: screenshot3.JPG (90.46K)
Shifty203
post 8.11.2009 05:10
Post #17


And here is the malwarebytes log.
Attached file: mbam_log_2009_11_07__19_09_25_.txt (840 bytes)
richbuff
post 8.11.2009 05:23
Post #18


You are all good. Fix the vulnerabilities, see: http://forum.kaspersky.com/index.php?showtopic=68831 and: http://forum.kaspersky.com/index.php?s=&am...st&p=841600

