#1 (permalink)
Registered User
Major Issue?
Ok, I have scanned with AVG the past couple of days and I keep getting this result: "C:\WINDOWS\System32\Drivers\a1lclphx.SYS", and it says it's a hidden driver. I press remove and I restart, but when I scan again it comes back up. Is this a major issue or not, and do you see anything else in the logs that is alarming? Thanks in advance for the help.
DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 13:31:18.57 on Sun 04/12/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1874 [GMT -4:00]
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\program files\steam\steam.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [igndlm.exe] c:\program files\download manager\dlm.exe /windowsstart /startifwork
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mExplorerRun: [dPKhIDpQpE] c:\documents and settings\administrator\desktop\FlashPlayerH264Ext.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15103/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================
FF - ProfilePath -

============= SERVICES / DRIVERS ===============
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-5-28 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-27 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-28 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-28 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-10 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-10 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-3-5 2749736]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-3-5 15656]

=============== Created Last 30 ================
2009-04-08 16:45 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-04-08 16:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-08 16:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 16:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-08 16:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-30 00:42 <DIR> --d----- c:\program files\WoWModelViewer
2009-03-20 11:53 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-20 11:53 208,744 a------- c:\windows\system32\muweb.dll
2009-03-20 11:53 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-18 02:15 23,392 a------- c:\windows\system32\nscompat.tlb
2009-03-18 02:15 16,832 a------- c:\windows\system32\amcompat.tlb
2009-03-17 00:12 <DIR> --d----- c:\docume~1\admini~1\applic~1\The Creative Assembly
2009-03-17 00:12 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-03-17 00:12 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-03-17 00:12 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-03-17 00:12 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-03-17 00:12 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-03-17 00:12 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-03-17 00:12 23,376 a------- c:\windows\system32\X3DAudio1_5.dll

==================== Find3M ====================
2009-03-24 18:47 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-19 23:03 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-19 15:15 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-19 15:15 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-16 23:25 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-06-25 19:22 22,328 a------- c:\docume~1\admini~1\applic~1\PnkBstrK.sys

============= FINISH: 13:31:40.06 ===============

Last edited by amateur; 04-13-2009 at 09:18 AM.
#3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Major Issue?
Hello -
Do you have DAEMON Tools installed? Or DivX? Or some other CD/DVD emulator? Are you sure that's the exact file name?
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Major Issue?
The file matches the naming convention of a DAEMON Tools hidden driver file.
You can try to upload it to this site to help ensure it's not malware. Please go to: VirusTotal
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#6 (permalink)
Registered User
Re: Major Issue?
OK, I used AVG to scan again and the file name was a bit different, but regardless I scanned it and here are the results:
File a8r4fihd.SYS received on 04.18.2009 23:54:48 (CET)
Result: 1/40 (2.5%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.18 -
AhnLab-V3 5.0.0.2 2009.04.18 -
AntiVir 7.9.0.148 2009.04.18 -
Antiy-AVL 2.0.3.1 2009.04.17 -
Authentium 5.1.2.4 2009.04.18 -
Avast 4.8.1335.0 2009.04.18 -
AVG 8.5.0.287 2009.04.18 -
BitDefender 7.2 2009.04.18 -
CAT-QuickHeal 10.00 2009.04.18 -
ClamAV 0.94.1 2009.04.18 -
Comodo 1120 2009.04.18 -
DrWeb 4.44.0.09170 2009.04.18 -
eSafe 7.0.17.0 2009.04.13 Win32.Rootkit
eTrust-Vet 31.6.6455 2009.04.14 -
F-Prot 4.4.4.56 2009.04.17 -
F-Secure 8.0.14470.0 2009.04.18 -
Fortinet 3.117.0.0 2009.04.18 -
GData 19 2009.04.18 -
IkarusT 3.1.1.49.0 2009.04.18 -
K7AntiVirus 7.10.707 2009.04.17 -
Kaspersky 7.0.0.125 2009.04.18 -
McAfee 5588 2009.04.18 -
McAfee+Artemis 5588 2009.04.18 -
McAfee-GW-Edition 6.7.6 2009.04.18 -
Microsoft 1.4502 2009.04.18 -
NOD32 4019 2009.04.18 -
Norman 6.00.06 2009.04.17 -
nProtect 2009.1.8.0 2009.04.18 -
Panda 10.0.0.14 2009.04.18 -
PCTools 4.4.2.0 2009.04.17 -
Prevx1 V2 2009.04.18 -
Rising 21.25.52.00 2009.04.18 -
Sophos 4.40.0 2009.04.18 -
Sunbelt 3.2.1858.2 2009.04.18 -
Symantec 1.4.4.12 2009.04.18 -
TheHacker 6.3.4.0.309 2009.04.16 -
TrendMicro 8.700.0.1004 2009.04.17 -
VBA32 3.12.10.2 2009.04.12 -
ViRobot 2009.4.18.1685 2009.04.18 -
VirusBuster 4.6.5.0 2009.04.18 -

So from those results it doesn't look bad, well at least I think....
#7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Major Issue?
Those are DAEMON Tools drivers. Sometimes it doesn't uninstall cleanly. A new file seems to be generated with every use of the application, or every reboot, not sure which, as I've never used it.
HKLM\SYSTEM\CurrentControlSet\Services\sptd
C:\Program Files\DAEMON Tools Lite

It's not a threat. Some info on uninstalling completely:
http://www.daemon-help.com/installat...tion_lite.html
http://www.duplexsecure.com/faq/
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
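The reasoning the replies above walk through can be written down as a repeatable check: a hidden driver whose eight-character name changes between scans but always lives in the drivers folder, a low VirusTotal detection ratio, and an sptd service registered under HKLM\SYSTEM\CurrentControlSet\Services. The script below is an added example, not code from the thread or from any tool named in it. It assumes the caller has already looked for the sptd service on the affected machine and passes the answer in as the sptd_service_present flag; the VirusTotal rows and the two driver names are constructed samples modelled on the thread, and the parser accepts the engine table either one row per line or as the single run-on line a copied web page produces.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input (a handful of rows, not the thread's full paste), in the flat
# "Engine Version LastUpdate Result" form that a copy of the VirusTotal page produces.
VT_SAMPLE = (
    "a-squared 4.0.0.101 2009.04.18 - AhnLab-V3 5.0.0.2 2009.04.18 - "
    "eSafe 7.0.17.0 2009.04.13 Win32.Rootkit Prevx1 V2 2009.04.18 - "
    "Sophos 4.40.0 2009.04.18 -"
)

# Constructed sample: the two names AVG reported for the hidden driver on successive scans.
SEEN_PATHS = [
    r"C:\WINDOWS\System32\Drivers\a1lclphx.SYS",
    r"C:\WINDOWS\System32\Drivers\a8r4fihd.SYS",
]


@dataclass
class VTEntry:
    engine: str
    version: str
    updated: str
    result: str  # "-" is VirusTotal's "nothing detected"


# One row: engine, version, a YYYY.MM.DD date, then the result text up to the next row.
_ROW = re.compile(
    r"(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+"
    r"(?P<result>.+?)(?=\s+\S+\s+\S+\s+\d{4}\.\d{2}\.\d{2}\s|$)"
)


def parse_virustotal(text: str) -> list[VTEntry]:
    """Parse the engine table whether it arrives one row per line or as one run-on line."""
    flat = " ".join(text.split())
    return [VTEntry(m["engine"], m["version"], m["updated"], m["result"])
            for m in _ROW.finditer(flat)]


def flagged(entries: list[VTEntry]) -> list[VTEntry]:
    return [e for e in entries if e.result != "-"]


def detection_ratio(entries: list[VTEntry]) -> tuple[int, int]:
    return len(flagged(entries)), len(entries)


# The hidden driver names seen in the thread: eight letters/digits followed by .sys
_GENERATED_NAME = re.compile(r"^[a-z0-9]{8}\.sys$", re.IGNORECASE)


def _split(path: str) -> tuple[str, str]:
    folder, _, name = path.replace("/", "\\").rpartition("\\")
    return folder.lower(), name.lower()


def regenerating_driver(paths: list[str]) -> bool:
    """True when the driver keeps coming back in the same folder under a fresh random-looking name."""
    if len(paths) < 2:
        return False
    folders = {_split(p)[0] for p in paths}
    names = {_split(p)[1] for p in paths}
    return (len(folders) == 1
            and len(names) == len(paths)
            and all(_GENERATED_NAME.match(n) for n in names))


def triage(paths: list[str], vt_text: str, sptd_service_present: bool) -> tuple[str, list[str]]:
    """Combine the three signals the thread used into a verdict plus the reasons behind it.

    sptd_service_present is an assumption supplied by the caller, e.g. after checking
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\sptd on the affected machine.
    """
    entries = parse_virustotal(vt_text)
    hits, total = detection_ratio(entries)
    reasons = [f"VirusTotal: {hits}/{total} engines flagged the file"]
    if hits:
        reasons[0] += " (" + ", ".join(f"{e.engine}: {e.result}" for e in flagged(entries)) + ")"
    regenerates = regenerating_driver(paths)
    if regenerates:
        reasons.append("the file name changes between scans but the folder does not")
    if sptd_service_present:
        reasons.append("an sptd service is registered on the machine")
    if regenerates and sptd_service_present:
        verdict = "consistent with a CD/DVD emulator (SPTD) hidden driver; uninstall the emulator cleanly and rescan"
    else:
        verdict = "unexplained hidden driver; keep investigating"
    return verdict, reasons


if __name__ == "__main__":
    verdict, reasons = triage(SEEN_PATHS, VT_SAMPLE, sptd_service_present=True)
    print(verdict)
    for r in reasons:
        print(" -", r)
```

The verdict deliberately requires both the regenerating-name pattern and the registered sptd service: a low detection ratio on its own is not evidence that a hidden driver is benign, which is why the single eSafe hit is reported as a reason rather than decided on.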
#9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Major Issue?
Cheers, Brico, you're welcome. I see no malware in the logs, but there are a couple things I should point out, to help you remain that way...
As mentioned in our preposting topic: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

P2P - I see you have P2P software (µTorrent, LimeWire 5.1.2) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares. Please see this topic for more information: Perils of P2P File Sharing

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

Java(TM) 6 Update 7

This is outdated, and a security risk by having it installed still. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this. Leave Java(TM) 6 Update 13 alone, as it has the most recent security updates.

---------------------------------------------------------------------------------------------

Surf Safely, and Think Prevention!
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009