Need help removing worm.win32.autorun.evh

#1 austinspace


Posted 11 February 2009 - 01:32 PM

Only Kaspersky scan finds this worm which I see is also identified in this thread on bleepingcomputer.com: http://www.bleepingcomputer.com/forums/lof...hp/t198483.html.

file: c:\windows\system32\javaupd.exe
threat: worm.win32.autorun.evh

I cannot see this file in the file system, yet the scan finds it every time - as if it is a rootkit virus?

Am running Windows XP with service pack 3. I have tried SUPERantispyware, Malwarebytes' anti-malware and spybot in normal mode and in safe-mode, none of them detect this worm. I also tried Rootkit Revealer which did not identify the problem in memory or key files, but did not allow it to complete a scan of all files on my laptop.

Following is the Kaspersky scan report, followed by DDS.log. attach.txt and the Hijackthis log are attached. I appreciate any help that can be offered toward removing this worm.

Wednesday, February 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version:
Program database last update: Wednesday, February 11, 2009 16:26:07
Records in database: 1782939

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\Admin\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Program Files

Scan statistics:
Files scanned: 62447
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:50:08

File name / Threat name / Threats count
C:\WINDOWS\system32\javaupd.exe Infected: Worm.Win32.AutoRun.evh 1

The selected area was scanned.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Admin at 12:23:20.32 on Wed 02/11/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2545 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: Symantec Protection Agent 5.1 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
c:\Program Files\Symantec\SPA\smc.exe
c:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
c:\Program Files\Symantec\SPA\SmcGui.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\Program Files\PuTTY\PUTTY.EXE
C:\Program Files\PuTTY\PUTTY.EXE
C:\Program Files\FileZilla FTP Client\filezilla.exe
C:\Program Files\FileZilla FTP Client\filezilla.exe
C:\Program Files\FileZilla FTP Client\fzsftp.exe
C:\Program Files\FileZilla FTP Client\fzsftp.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://conferencing.consolidated.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\startu~1.lnk - c:\documents and settings\admin\my documents\util\startup.cmd
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {C02F68EC-F3F0-4D37-91C1-87BB8E3008FC} =,
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\progra~1\quests~1\toadfo~1\RNetPin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\37bah9t0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 MyDesktopWindows;MyDesktopService;c:\windows\orclobi\mydesktop\MyDesktopService.exe [2009-2-2 988672]
R2 OracleOraHome92Agent;OracleOraHome92Agent;c:\oracle\ora92\bin\agntsrvc.exe [2002-4-26 28944]
R2 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;c:\oracle\ora92\apache\apache\Apache.exe [2002-4-18 4096]
R2 QOSMyDesktop;QOS MyDesktop;c:\windows\orclobi\mydesktop\MyDesktopQOS.exe [2008-12-4 470016]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-6-6 116928]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-6-6 1821376]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-10 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090210.003\naveng.sys [2009-2-10 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090210.003\navex15.sys [2009-2-10 876112]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;c:\oracle\ora92\bin\encsvc.exe [2002-2-13 187392]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;c:\oracle\ora92\bin\agntsvc.exe [2002-2-13 254464]
S4 SysGuard;SysGuard;c:\windows\system32\drivers\Sysguard.sys [2009-2-9 44544]
S4 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-02-11 01:52 <DIR> --d----- c:\temp\Planet.Terror.German.720p.BluRay.x264-DEFUSED
2009-02-11 01:50 <DIR> a-d----- c:\temp\The Honeymooners - The Lost Episodes 1952-55
2009-02-11 01:39 <DIR> a-d----- c:\temp\The Honeymooners - The Classic Episodes 1955-1956
2009-02-11 01:37 <DIR> --d----- c:\temp\Songsmith
2009-02-11 01:37 <DIR> a-d----- c:\temp\Revolutionary.Road.DVDSCR.XviD-ORC
2009-02-11 01:36 <DIR> a-d----- c:\temp\Rachel Getting Married[2008]DvDrip[Eng]-FXG
2009-02-11 01:34 <DIR> a-d----- c:\temp\Happy.Go.Lucky.[2008.Eng].DVDRip.DivX-LTT
2009-02-11 01:33 <DIR> a-d----- c:\temp\Changeling[2008]DvDrip-aXXo
2009-02-10 23:04 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-02-10 23:00 <DIR> --d----- c:\windows\ERUNT
2009-02-10 22:59 <DIR> --d----- C:\SDFix
2009-02-10 22:53 <DIR> --d----- c:\temp\SDFix_files
2009-02-10 22:14 <DIR> --d----- c:\docume~1\admin\applic~1\Malwarebytes
2009-02-10 22:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-10 22:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 22:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-10 20:30 <DIR> --d----- C:\!KillBox
2009-02-10 19:39 <DIR> --d----- c:\program files\CCleaner
2009-02-10 17:50 <DIR> --d----- C:\MSD5
2009-02-10 16:09 <DIR> --d----- c:\windows\system32\appmgmt
2009-02-10 15:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-02-10 15:42 <DIR> --d----- c:\program files\common files\iS3
2009-02-10 15:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-02-10 15:03 2 a--shrot c:\windows\winstart.bat
2009-02-10 15:03 <DIR> --d----- c:\program files\UnHackMe
2009-02-10 14:25 <DIR> a-d----- C:\dataimDI2
2009-02-10 14:25 1,322 a------- C:\installToolsets.bat
2009-02-10 14:25 <DIR> a-d----- C:\dataimDI
2009-02-10 14:25 <DIR> --d----- C:\dataimDI8
2009-02-10 14:25 <DIR> --d----- C:\dataimDI7
2009-02-10 14:25 <DIR> --d----- C:\dataimDI6
2009-02-10 14:25 <DIR> --d----- C:\dataimDI5
2009-02-10 14:25 <DIR> a-d----- C:\dataimDI4
2009-02-10 14:25 <DIR> a-d----- C:\dataimDI3
2009-02-10 13:40 <DIR> --d----- C:\MSD3
2009-02-10 09:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-10 09:04 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-10 09:04 <DIR> --d----- c:\docume~1\admin\applic~1\SUPERAntiSpyware.com
2009-02-10 09:03 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-10 08:42 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-10 08:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-09 20:53 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-02-09 15:12 <DIR> --d----- c:\docume~1\admin\applic~1\KaDonk
2009-02-09 14:14 221,184 a------- c:\windows\system32\wmpns.dll
2009-02-09 13:39 <DIR> --d----- C:\cygwin
2009-02-09 12:32 <DIR> --d----- c:\windows\ServicePackFiles
2009-02-09 12:28 19,569 a------- c:\windows\003091_.tmp
2009-02-09 06:34 <DIR> --d----- c:\program files\Windows Resource Kits
2009-02-09 06:26 <DIR> --d----- c:\program files\Yahoo!
2009-02-09 06:03 36 a------- c:\windows\webica.ini
2009-02-09 06:01 <DIR> --d----- c:\docume~1\admin\applic~1\ICAClient
2009-02-09 05:54 <DIR> --d----- c:\windows\system32\Resource
2009-02-09 05:54 <DIR> --d----- c:\program files\Citrix
2009-02-09 05:34 794,624 a------- c:\windows\system32\spr32d35.dll
2009-02-09 05:28 510 a------- c:\windows\ODBC.INI
2009-02-09 05:27 <DIR> --d----- c:\program files\Punch! Home Design - AS4000
2009-02-09 05:13 <DIR> --d----- c:\docume~1\admin\applic~1\Helios
2009-02-09 05:13 <DIR> --d----- c:\program files\TextPad 5
2009-02-09 05:12 <DIR> --d----- c:\program files\HyperSnap 6
2009-02-09 05:09 0 a------- c:\windows\vpc32.INI
2009-02-09 05:05 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-02-09 04:53 110,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-09 04:53 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-09 04:53 8,014 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-09 04:53 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-09 04:51 <DIR> --d----- c:\program files\Symantec
2009-02-09 04:51 <DIR> --d----- c:\program files\Symantec AntiVirus
2009-02-09 04:51 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-02-09 04:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-02-09 04:50 57,344 a------- c:\windows\obitime.dll
2009-02-09 04:42 <DIR> --d----- c:\windows\orclobi
2009-02-09 03:45 <DIR> --d----- C:\oracle
2009-02-09 03:38 <DIR> --d----- c:\program files\Oracle
2009-02-09 03:05 32,592 a------- c:\windows\system32\msonpmon.dll
2009-02-09 03:02 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-02-09 03:02 <DIR> --d----- c:\windows\SHELLNEW
2009-02-09 02:37 <DIR> --d----- c:\windows\logs
2009-02-09 02:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Quest Software
2009-02-09 02:35 <DIR> --d----- C:\CodeSite
2009-02-09 02:35 <DIR> --d----- c:\program files\MSXML 4.0
2009-02-09 02:35 <DIR> --d----- c:\docume~1\admin\applic~1\Software
2009-02-09 02:35 <DIR> --d----- c:\program files\common files\Quest Shared
2009-02-09 02:35 378,880 a------- c:\windows\system32\KXauth.dll
2009-02-09 02:35 135,168 a------- c:\windows\system32\KXproc.dll
2009-02-09 02:35 <DIR> --d----- c:\program files\Quest Software
2009-02-08 19:15 320 a------- c:\windows\hpbafd.ini
2009-02-08 19:14 <DIR> --d----- C:\lj3300
2009-02-08 19:08 0 a------- c:\windows\HPMProp.INI
2009-02-08 19:07 233,472 a------- c:\windows\system32\hpmtp083.dll
2009-02-08 19:07 64,024 a------- c:\windows\system32\hppccompio.dll
2009-02-08 19:07 18,944 a------- c:\windows\system32\hppmopjl.dll
2009-02-08 19:07 299,008 a------- c:\windows\system32\hpmml083.dll
2009-02-08 19:07 241,664 a------- c:\windows\system32\hpmpm081.dll
2009-02-08 19:07 212,992 a------- c:\windows\system32\hpmja083.dll
2009-02-08 19:07 208,896 a------- c:\windows\system32\hpmpw081.dll
2009-02-08 19:07 160,768 a------- c:\windows\system32\hpcpn083.dll
2009-02-08 19:07 59,928 a------- c:\windows\system32\fxcompchannel.dll
2009-02-08 19:07 49,252 a------- c:\windows\system32\HPMNQUE.DLL
2009-02-08 19:07 49,250 a------- c:\windows\system32\HPMNNDPS.DLL
2009-02-08 19:01 <DIR> --d----- C:\HP PCL6 Universal Print Driver
2009-02-06 09:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-06 09:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-28 03:00 <DIR> --d----- c:\program files\MSXML 6.0
2009-01-26 20:53 <DIR> --d----- c:\program files\Songsmith
2009-01-26 20:28 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-26 20:27 14,048 -------- c:\windows\system32\spmsg2.dll
2009-01-24 22:03 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-02-10 23:22 66,007 a------- c:\windows\system32\nvModes.dat
2009-02-09 12:36 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-04-14 05:42 54,898 ---shr-- c:\windows\system32\javaupd.exe

============= FINISH: 12:23:38.04 ===============

#2 extremeboy


Posted 23 February 2009 - 04:13 PM


The reason you can't see it is that it's 'hidden'; we will remove it. Please perform the following:

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:
-MBAM Scan log
-New DDS logs
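
Added illustration (not part of either post, and not code from DDS or its author): the DDS listing in the first post carries an eight-character attribute column, and the sketch below parses such lines and lists executable files marked both hidden and system, which Explorer's default view does not show. The sample lines are copied from that log; reading the letters as the usual Windows attribute initials (h = hidden, s = system, d = directory) is an assumption, and all function names are made up for this example.

```python
import re
from pathlib import PureWindowsPath
from typing import List, NamedTuple, Optional

# Lines copied from the "Created Last 30" and "Find3M" sections of the
# DDS log in the first post.
SAMPLE = r"""
2009-02-10 23:04 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-02-10 22:59 <DIR> --d----- C:\SDFix
2009-02-10 15:03 2 a--shrot c:\windows\winstart.bat
2009-02-09 20:53 108,336 a------- c:\windows\system32\mswinsck.ocx
2008-04-14 05:42 54,898 ---shr-- c:\windows\system32\javaupd.exe
"""

# date, time, size or <DIR>, 8-character attribute field, path (may hold spaces)
LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Assumption: the attribute letters are the usual Windows initials.
HIDDEN, SYSTEM, DIRECTORY = "h", "s", "d"
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}


class Entry(NamedTuple):
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str


def parse_dds_listing(text: str) -> List[Entry]:
    """Turn DDS file-listing lines into Entry records, skipping other lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def hidden_system_executables(entries: List[Entry]) -> List[Entry]:
    """Files (not directories) carrying both the hidden and system flags
    whose extension is one Windows will execute or load."""
    hits = []
    for e in entries:
        if DIRECTORY in e.attrs:
            continue
        if HIDDEN in e.attrs and SYSTEM in e.attrs:
            if PureWindowsPath(e.path).suffix.lower() in EXECUTABLE_SUFFIXES:
                hits.append(e)
    return hits


if __name__ == "__main__":
    for e in hidden_system_executables(parse_dds_listing(SAMPLE)):
        print(f"{e.date} {e.time} {e.attrs} {e.size:>8} {e.path}")
```

A hit says only that the file is hidden from the default Explorer view, not that it is malicious.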

Posted 26 February 2009 - 04:38 PM


Are you still there?

If you are, please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

Posted 28 February 2009 - 07:56 AM


Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

