can anone help me to remove WIN32:BHO:KD [Trj]

[seanyeung]

 
i have problem....
can anyone can help me to solve this...
i have use combofix and hijackthis...
i attached two files......for refence...
Pls help....
thanks you

[oldman]

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {69D4E5ED-4F45-4482-BD0C-3534D0CA7028} - C:\WINDOWS\system32\atrac.dll

Close all other browsers/windows, click fix, close HJT.




Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\drivers\izsrferi.dat
C:\WINDOWS\system32\atrac.dll

This will start ComboFix again.Close  all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DSS log.

[seanyeung]

Dear oldman,

thanks....i have followed your method....

i have attached the combofix file....

thank for YOUR HELP!!!!!!!

[oldman]

I will have a better look shortly, must leave for work. I'll check your logs more closely in about 1 hour.


This toolbar should also go, it an info thief.


Go to add/remove programs and uninstall the following if present

LookSmart Toolbar
ALiBaBar




Open HJT, run a system scan only, check mark these lines if present

O8 - Extra context menu item: °Å¶Kï¤å¦r:  ² > Ác - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToTrad
O8 - Extra context menu item: °Å¶Kï¤å¦r:  Ác > ² - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/ClipToSim
O8 - Extra context menu item: ºô­¶:  [²Åé] Åã¥Ü - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToSim
O8 - Extra context menu item: ºô­¶:  [ÁcÅé] Åã¥Ü - res://C:\Program Files\ALiBaBar\ALiBaBar.dll/RT_HTML/PageToTrad


Close all other browsers/windows, click fix, close HJT.




Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\PROGRA~1\ALiBaBar\ALiBaBar.dll

Folder::
C:\PROGRA~1\ALiBaBar

This will start ComboFix again.Close  all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

[seanyeung]

oldman,

i deleted the files but i can't find the Looksmart Toolbar,

and did the combo fix and hijackthis as attached

thank you

[oldman]

Sorry about the delay, got tied up the minute I got here.

Don't worry if you didn't find  Looksmart Toolbar in the add/remove, sometimes these get installed with either name.

HJT log lookes good, so does combofix. We just have to remove one little item.

After you post the result, we can move to the tools clean up part.   


Please download The Avenger by Swandog46 to your Desktop.

1.
• Click on Avenger.zip to open the file
• Extract avenger.exe to your desktop

Drivers to unload:
hyqurmjf

Files to delete:
C:\WINDOWS\system32\drivers\izsrferi.dat

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Script file to execute" choose "Input Script Manually".
  
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  
• Copy/Paste all the text  in the above quote box into this window by
• MAKE SURE THE TEXT MATCHES EXACTLY
  
• Click Done
  
• Now click on the Green Light to begin execution of the script
  
• Answer "Yes" twice when prompted.
  

3. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  
  

4. Please copy/paste the content of c:\avenger.txt into your reply

[seanyeung]

oldman,

i finished the procedure what you have instructed....

the output text file as below:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\osyjacmn

*******************

Script file located at: \??\C:\WINDOWS\wnjpsnoe.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver hyqurmjf unloaded successfully.


File C:\WINDOWS\system32\drivers\izsrferi.dat not found!
Deletion of file C:\WINDOWS\system32\drivers\izsrferi.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\izsrferi.dat
Status: 0xc0000034


thanks..

[oldman]

That took care of that. If you are not experiencing any problems, we can clean up the tools.

1. Click start button, click run, copy and paste the following line into the box, click ok

combofix /u

2. Open HJT, clcik the misc tools button, slide the slider down, click uninstall.

3. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

Remove old restore points

4.Disk Cleanup
- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.



5. Download and run this clean up utility from the link below. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

http://www.stevengould.org/downloads/cleanup/




6. It looks like you are using windows firewall. It doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0


You can also delete any logs,notepads,etc that you may have left that were created during this.


Keep safe, Take care.

[siyete]

ei oldman,
can u also help me w/the same malware?.. here is my forum topic..
http://forum.avast.com/index.php?topic=32589.0\

yhx i would appreciate it a lot..

[oldman]

ei oldman,
can u also help me w/the same malware?.. here is my forum topic..
http://forum.avast.com/index.php?topic=32589.0\

yhx i would appreciate it a lot..

Essexboy is assisting you, As I mentioned in your thread. please wait for him. The bug was removed, let him advice you on how to procede.

[seanyeung]

oldman,

You are very helpful...........

Thanks you very much......

u help me a lot........

[oldman]

Glad to help. Everything ok now?