#1 (permalink)
Registered User
Join Date: Oct 2009
Posts: 4
OS: winxp sp3
mIRC32 auto loads on startup new thread
On bootup the mIRC32 program automatically loads. I have not installed this program and I assume that it's a malware/virus of some kind.
I have scanned using AVG Free 8.5 with the latest definitions and also superantispyware also with the latest definitions. I have done this both in normal and in safe mode. I've checked the msconfig file and also searched the registry for entries but I cannot find anything. What can I do to remove it without formatting of course? WinXP SP3. Many thx ! -keevill-

In accordance with instructions, I attach the necessary files and paste below the other file results.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 17:29:46.97 on 27-Oct-09
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.874.1.1033.18.1471.797 [GMT 7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\mdaemon\WebAdmin\WebAdmin.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\system32\ctfmon.exe
C:\mdaemon\APP\MDAEMON.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\mdaemon\APP\CFEngine.exe
C:\mdaemon\WorldClient\WorldClient.exe
C:\mdaemon\SpamAssassin\MDSpamD.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.GOTHAILAND\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://speedtest.net/
mWinlogon: SfcDisable=-99 (0xffffff9d)
uWindows: run=c:\windows\system32\softwaredistribution\setup\servicestartup\wups.dll\winupdate\microsoft\services.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [wppquuee.exe] c:\windows\wppquuee.exe
mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Microsoft(R) System Manager] c:\windows\system32\sysmgr.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunServices: [LoadPowerProfiles] System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\Winupdate\Microsoft\run.bat
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mdaemon.lnk - c:\mdaemon\app\MDLaunch.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
TCP: {EC89D541-103E-478B-865F-4D7E698E04F2} = 192.168.0.249,203.146.0.20
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: ngkyxyeq - ngkyxyeq.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {34A19196-274E-4D75-9D30-D7A45A0A4178} - "c:\program files\windows sidebar\.\regsvr32.exe" /s wlsrvc.dll
mASetup: {6B9228DA-9C15-419e-856C-19E768A13BDC} - "c:\program files\windows sidebar\.\regsvr32.exe" /s sbdrop.dll
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - c:\windows\system32\hidec /w "c:\program files\vaioxp\tools\regtlib.exe" "c:\program files\windows sidebar\sidebar.exe"

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-21 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-21 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-21 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 297752]
R2 WebAdmin;WebAdmin;c:\mdaemon\webadmin\WebAdmin.exe [2008-5-1 196608]
R3 MDaemon;MDaemon;c:\mdaemon\app\MDaemon.exe [2008-5-1 2083328]
S0 ati0waxx;ati0waxx;c:\windows\system32\drivers\ati0waxx.sys --> c:\windows\system32\drivers\ati0waxx.sys [?]
S0 ati4ruxx;ati4ruxx;c:\windows\system32\drivers\ati4ruxx.sys --> c:\windows\system32\drivers\ati4ruxx.sys [?]
S1 346ba18;346ba18;c:\windows\system32\drivers\346ba18.sys --> c:\windows\system32\drivers\346ba18.sys [?]
S1 424c1f56;424c1f56;c:\windows\system32\drivers\424c1f56.sys --> c:\windows\system32\drivers\424c1f56.sys [?]
S1 82742b36;82742b36;c:\windows\system32\drivers\82742b36.sys --> c:\windows\system32\drivers\82742b36.sys [?]
S1 87263940;87263940;c:\windows\system32\drivers\87263940.sys --> c:\windows\system32\drivers\87263940.sys [?]
S1 c2f787af;c2f787af;c:\windows\system32\drivers\c2f787af.sys --> c:\windows\system32\drivers\c2f787af.sys [?]
S1 c6fea487;c6fea487;c:\windows\system32\drivers\c6fea487.sys --> c:\windows\system32\drivers\c6fea487.sys [?]
S1 ethxkftt;ethxkftt;c:\windows\system32\drivers\ethxkftt.sys --> c:\windows\system32\drivers\ethxkftt.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\smcwgu.sys --> c:\windows\system32\drivers\SMCWGU.sys [?]

=============== Created Last 30 ================

2009-10-25 11:03:16 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe
2009-10-25 11:03:16 76288 ------w- c:\windows\system32\dllcache\telnet.exe
2009-10-25 10:56:50 1435648 ------w- c:\windows\system32\dllcache\query.dll
2009-10-25 10:49:21 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2009-10-25 10:49:21 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2009-10-25 10:47:51 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll
2009-10-25 10:46:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-10-25 10:41:41 345600 ------w- c:\windows\system32\dllcache\localspl.dll
2009-10-25 10:35:29 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-25 10:34:09 58880 ------w- c:\windows\system32\dllcache\atl.dll
2009-10-25 10:27:52 585216 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2009-10-25 10:21:59 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-10-25 10:13:40 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys
2009-10-25 10:13:40 54272 ------w- c:\windows\system32\dllcache\wdigest.dll
2009-10-25 10:13:40 301568 ------w- c:\windows\system32\dllcache\kerberos.dll
2009-10-25 10:13:40 147456 ------w- c:\windows\system32\dllcache\schannel.dll
2009-10-25 10:13:40 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-10-25 09:44:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-10-25 09:41:02 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2009-10-25 09:37:32 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-10-25 02:54:10 0 d-----w- c:\docume~1\administrator.gothailand\application data\Malwarebytes
2009-10-25 02:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-25 02:54:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-25 02:54:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 02:54:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-25 00:57:48 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-25 00:57:42 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-25 00:57:42 0 d-----w- c:\docume~1\administrator.gothailand\application data\SUPERAntiSpyware.com
2009-10-25 00:57:28 0 d-----w- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-09-22 10:32:57 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-22 10:32:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-22 10:32:51 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-04 13:44:46 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-10 20:23:53 32768 -csha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-12-10 20:23:53 524288 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-09-09 15:07:41 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat
2008-12-03 02:19:02 245760 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112420081201\index.dat
2008-12-10 20:17:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120120081208\index.dat
2008-12-10 20:23:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121120081212\index.dat
2008-12-10 20:23:53 1458176 -csha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 17:30:08.58 ===============
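Reading a DDS log by hand means scanning the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections for entries that do not belong. The script below is an added example (not the poster's, not the forum's, and not part of DDS) that does the first pass mechanically: it parses the line shapes DDS uses for autoruns, Winlogon Notify packages and services, and applies a handful of triage heuristics that are my own assumptions, not DDS rules: a driver whose file DDS could not find (`--> ... [?]`), a path that uses a `.dll` name as a directory, a non-empty Winlogon `run=` value, a Notify DLL given as a bare file name, an executable dropped directly in the Windows directory, and service or value names that look machine-generated (7 to 8 hex digits, or 8 letters with at most one vowel). The sample lines are copied from the log above, with two known-good lines kept for contrast; everything it flags is a "look closer" prompt for a human, not a verdict.

```python
"""Heuristic first-pass triage of DDS startup/service lines (added example, not DDS code)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape DDS prints in its "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections; lines taken from the log above plus two benign ones.
SAMPLE_LOG = r"""
uWindows: run=c:\windows\system32\softwaredistribution\setup\servicestartup\wups.dll\winupdate\microsoft\services.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [wppquuee.exe] c:\windows\wppquuee.exe
mRunServices: [LoadPowerProfiles] System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\Winupdate\Microsoft\run.bat
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ngkyxyeq - ngkyxyeq.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-21 335240]
S1 346ba18;346ba18;c:\windows\system32\drivers\346ba18.sys --> c:\windows\system32\drivers\346ba18.sys [?]
S1 ethxkftt;ethxkftt;c:\windows\system32\drivers\ethxkftt.sys --> c:\windows\system32\drivers\ethxkftt.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
"""


@dataclass
class Entry:
    kind: str    # DDS prefix: uRun, mRun, mRunServices, Notify, uWindows, or a service state like R1/S1
    name: str    # registry value name, Notify subkey, or service name
    target: str  # file or command DDS reports for the entry


# Line shapes DDS uses (assumed from the log above; DDS prints more kinds than these).
AUTORUN_RE = re.compile(r'^(?P<kind>[a-zA-Z]+): \[(?P<name>[^\]]*)\] (?P<target>.+)$')
WINLOGON_RE = re.compile(r'^uWindows: run=(?P<target>.+)$')
NOTIFY_RE = re.compile(r'^Notify: (?P<name>\S+) - (?P<target>.+)$')
SERVICE_RE = re.compile(r'^(?P<kind>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<target>.+)$')

# Heuristics (my assumptions, not DDS rules): names droppers tend to generate,
# and an executable sitting directly in the Windows directory root.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{7,8}$')
LETTERS8_RE = re.compile(r'^[a-z]{8}$')
WINDIR_ROOT_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\\s]+"?$', re.IGNORECASE)


def parse(text):
    """Turn the DDS lines we understand into Entry objects; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := WINLOGON_RE.match(line):
            entries.append(Entry("uWindows", "run=", m["target"]))
        elif m := NOTIFY_RE.match(line):
            entries.append(Entry("Notify", m["name"], m["target"]))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry(m["kind"], m["name"], m["target"]))
        elif m := AUTORUN_RE.match(line):
            entries.append(Entry(m["kind"], m["name"], m["target"]))
    return entries


def looks_generated(name):
    """True for 7-8 hex digits, or 8 lowercase letters with at most one vowel (e.g. ethxkftt)."""
    base = re.sub(r'\.(sys|dll|exe)$', '', name.lower())
    if HEX_NAME_RE.match(base):
        return True
    return bool(LETTERS8_RE.match(base)) and sum(c in 'aeiou' for c in base) <= 1


def triage(text):
    """Return (reason, name, target) for every entry that trips a heuristic."""
    findings = []
    for e in parse(text):
        if '-->' in e.target and e.target.endswith('[?]'):
            findings.append(("driver file not found on disk", e.name, e.target))
        if re.search(r'\.dll\\', e.target, re.IGNORECASE):
            findings.append(("a .dll name is used as a directory in the path", e.name, e.target))
        if e.kind == "uWindows":
            findings.append(("Winlogon run= value is set", e.name, e.target))
        if e.kind == "Notify" and '\\' not in e.target:
            findings.append(("Winlogon Notify DLL given as bare file name", e.name, e.target))
        if WINDIR_ROOT_RE.match(e.target):
            findings.append(("executable directly in the Windows directory", e.name, e.target))
        if looks_generated(e.name):
            findings.append(("machine-generated-looking name", e.name, e.target))
    return findings


if __name__ == "__main__":
    for reason, name, target in triage(SAMPLE_LOG):
        print(f"[{reason}] {name}: {target}")
```

Run on the sample, it flags the `run=` value and the RunServices entry (both for the `wups.dll\` directory trick), `wppquuee.exe`, the `ngkyxyeq` Notify package, and the two missing-file drivers, while the CTFMON, AVG and SUPERAntiSpyware lines pass. Pass the full log text instead of `SAMPLE_LOG` to triage a whole DDS report; the heuristics will also flag some legitimate entries (for instance AVG's `avgrsstx.dll` Notify entry is listed as a bare name too), which is exactly why a human reviews each finding before anything is removed.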
#2 (permalink)
Analyst, Security Team
Join Date: Mar 2007
Posts: 179
OS: XP & Vista
Re: mIRC32 auto loads on startup new thread
Hello and Welcome to the forums!
My name is Carolyn and I'll be glad to help you with your computer problems. The logs that you will be posting can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Ares, BitTornado, LimeWire

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program. http://www.infoworld.com/article/07/...D-theft_1.html

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use. When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.

I would recommend that you uninstall Ares, BitTornado, LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs. If you wish to keep it, please do not use it until your computer is cleaned.

Note: If you have malware cleaned from your system by one of our Hjt Team/Malware Hunters and then later return with more infections....and these P2P programs are still installed, you may be refused help.

==================

I hate to give you bad news but one or more of the identified infections is a backdoor trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

In addition to the backdoor Trojan that has been identified, your computer is afflicted with multiple other infections. Although we can make an attempt to clean this machine, we cannot guarantee that it will be secure afterwards. Your best and safest course of action is a reformat and reinstallation of the Windows operating system.

If you do decide to attempt cleaning rather than a reformat, do understand that although we may be able to remove all known visible malware, we cannot guarantee that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damages it may possibly have caused to vital system files. Please note that even if we should be successful in removing these infections from your system, it is quite possible that the changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat.

Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Should you have any questions, please feel free to ask. Please let us know what you have decided to do in your next post.
#3 (permalink)
Registered User
Join Date: Oct 2009
Posts: 4
OS: winxp sp3
Re: mIRC32 auto loads on startup new thread
Dear Carolyn,
Thank you for replying. I had sort of given up hope but glad you are able to try to help. Since my original posting, I have only done one thing. I went into add/remove software and uninstalled mIRC - I repeat that I did not install this program. I also have not installed any p2p software on this machine and I cannot find any instances of them in the add/remove progs. This machine's sole job is to run MDaemon mail server. There are multiple accounts and it would be very disruptive to take it down and reformat. I would like to try to remove the infections and will of course back up the data prior to doing anything you may advise. I look forward to hearing back from you. Many thanks ! -keevill-
#4 (permalink)
Analyst, Security Team
Join Date: Mar 2007
Posts: 179
OS: XP & Vista
Re: mIRC32 auto loads on startup new thread
Hello keevill,
Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop. In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.

================

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper
#6 (permalink)
Analyst, Security Team
Join Date: Mar 2007
Posts: 179
OS: XP & Vista
Re: mIRC32 auto loads on startup new thread
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help