Topic: Need Help with Win32:BHO-KD


jn4Him

Need Help with Win32:BHO-KD
« on: January 20, 2008, 05:37:03 AM »
I also have encountered the Win32:BHO-KD challenge. Would you please walk me through the necessary corrections?

Thanks,

JN

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:08:05 PM, on 01/19/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Utilities\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Utilities\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Utilities\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Utilities\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Utilities\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Compaq_Owner\My Documents\My Download Files\Utilities\Anti-Virus\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=nelsonemail1&login=02641ce599fb562f03ce9582ff6ca38b/nelsonemail1:netzero.net/1136679714/30/sss.6.58940/&ts=43c05b22&A=0&B=1032505200000&C=1032505200000&D=1090825200000&I=7WNQ3&N=&O=A&UT=zeroport
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Internet\NetZero\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FC1AC31-8026-4C21-A748-67A039427FBA} - C:\WINDOWS\system32\dmserve.dll
O2 - BHO: Flash Module - {DF50F976-592A-47a4-81C7-AD34D5A3A947} - btasv.dll (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\Internet\NetZero\toolbar.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195499325046
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\CDS300\__CDS2.dll (file missing)
O20 - Winlogon Notify: lmhn32 - lmhn32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Utilities\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7625 bytes

oldman

Re: Need Help with Win32:BHO-KD
« Reply #1 on: January 20, 2008, 06:22:43 AM »
Hi

Open HJT, run a system scan only, and checkmark these lines if present:

O2 - BHO: Flash Module - {DF50F976-592A-47a4-81C7-AD34D5A3A947} - btasv.dll (file missing)
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\CDS300\__CDS2.dll (file missing)
O20 - Winlogon Notify: lmhn32 - lmhn32.dll (file missing)
 


Close all other browsers/windows, click Fix, and close HJT.


Please submit these files for analysis

To submit a file to VirusTotal, please click on this link:

www.virustotal.com

Copy and paste the following into the "Upload a file" box (one at a time if more than one file is listed):

C:\WINDOWS\system32\dmserve.dll
 


Scroll down a bit and click "Send file", wait for the results, and post them in your next reply.


Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Do the HJT fixes first, but get a new log last.

Thanks.
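
As an added example (not part of this thread, HijackThis or ComboFix), the following Python script encodes the two checks oldman applied above to the posted log: an entry marked "(file missing)" is an orphaned registry reference that can be ticked and fixed in HJT, while an O2 BHO with no name loading from system32 is sent for analysis before anything is removed. The sample lines are copied from the log above; the field layout assumed for HJT v2 lines is my own reading of that log.

```python
"""HijackThis log triage, added here as an example; it is not part of the thread
or of HijackThis/ComboFix. Encodes the two checks oldman applied above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FC1AC31-8026-4C21-A748-67A039427FBA} - C:\WINDOWS\system32\dmserve.dll
O2 - BHO: Flash Module - {DF50F976-592A-47a4-81C7-AD34D5A3A947} - btasv.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\CDS300\__CDS2.dll (file missing)
O20 - Winlogon Notify: lmhn32 - lmhn32.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\ashServ.exe
"""

# "Rn - body" / "Onn - body" is the HJT v2 line layout (assumed from the log above).
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str        # e.g. "O2", "O20"
    line: str           # the original log line, exactly as HJT shows it for ticking
    name: str           # descriptive name ("Flash Module", "(no name)", ...)
    clsid: Optional[str]
    path: str           # the file the entry points at
    file_missing: bool  # HJT appended "(file missing)"


def parse_entry(line: str) -> Optional[Entry]:
    """Split one HJT line into its fields; returns None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    body = m.group("body")
    file_missing = body.endswith(MISSING)
    if file_missing:
        body = body[: -len(MISSING)].rstrip()
    parts = [p.strip() for p in body.split(" - ")]
    head = parts[0]
    # "BHO: Flash Module" -> "Flash Module"; O4 lines carry "[name] path" instead.
    if m.group("section") == "O4" and "] " in head:
        name, path = head.split("] ", 1)
        name = name.split("[", 1)[-1]
    else:
        name = head.split(":", 1)[1].strip() if ":" in head else head
        path = parts[-1]  # the target is the last " - " field in O2/O9/O18/O20/O23
    clsid = CLSID_RE.search(body)
    return Entry(m.group("section"), line.strip(), name,
                 clsid.group(0) if clsid else None, path, file_missing)


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the HJT lines to tick ("fix") and the files to submit for analysis."""
    result: Dict[str, List[str]] = {"fix": [], "submit": []}
    for raw in log_text.splitlines():
        e = parse_entry(raw)
        if e is None:
            continue
        # Rule 1: the target file no longer exists, so the entry is an orphaned
        # registry reference; fixing it in HJT deletes only that reference.
        if e.file_missing:
            result["fix"].append(e.line)
        # Rule 2: a BHO that registers no name and loads from system32 is what
        # oldman asked to have scanned (dmserve.dll); verify before removing.
        elif (e.section == "O2" and e.name.lower() == "(no name)"
              and "\\system32\\" in e.path.lower()):
            result["submit"].append(e.path)
    return result


if __name__ == "__main__":
    verdict = triage(SAMPLE_LOG)
    print("Tick these lines in HJT and click Fix:")
    for line in verdict["fix"]:
        print("  " + line)
    print("Submit these files to VirusTotal first:")
    for path in verdict["submit"]:
        print("  " + path)
```

Run against the sample it lists the three "(file missing)" lines oldman named and C:\WINDOWS\system32\dmserve.dll for submission; feed it a full saved HJT log to triage a real one the same way.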

jn4Him

Re: Need Help with Win32:BHO-KD
« Reply #2 on: January 24, 2008, 04:26:35 AM »
Thanks for your help. Here is the information that you requested:

www.virustotal.com C:\WINDOWS\system32\dmserve.dll
0 bytes size received / Se ha recibido un archivo vacio

ComboFix 08-01-23.2 - Compaq_Owner 2008-01-23 19:05:03.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.85 [GMT -8:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix(2).exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\tmp99.tmp.exe
C:\Documents and Settings\Compaq_Owner\Application Data\tmp9A.tmp.exe
C:\Documents and Settings\Compaq_Owner\Application Data\tmp9B.tmp.exe
C:\Documents and Settings\Compaq_Owner\Application Data\tmpA1.tmp.exe
C:\Documents and Settings\Steven\Application Data\tmp134.tmp.exe
C:\Documents and Settings\Steven\Application Data\tmp136.tmp.exe
C:\Documents and Settings\Steven\Application Data\tmp9D.tmp.exe
C:\Documents and Settings\Steven\Application Data\tmp9E.tmp.exe
C:\Documents and Settings\Steven\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Steven\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Steven\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Terry\Application Data\tmp139.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp140.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp142.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp2.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp3.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp99.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp9A.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp9C.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp9D.tmp.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\dmserve.dll
C:\WINDOWS\system32\drivers\fraevufm.dat
C:\WINDOWS\system32\tmp136.tmp.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KIJCEBRG
-------\kijcebrg


(((((((((((((((((((((((((   Files Created from 2007-12-24 to 2008-01-24  )))))))))))))))))))))))))))))))
.

2008-01-23 19:03 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\Nircmd.exe
2008-01-19 20:04 . 2008-01-19 20:04   <DIR>   d--------   C:\Program Files\CCleaner
2008-01-19 14:55 . 2008-01-19 14:55   <DIR>   d--------   C:\Program Files\IObit
2008-01-19 14:54 . 2007-01-18 04:00   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-19 14:52 . 2007-05-30 04:10   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 06:17   ---------   d-----w   C:\Program Files\Melody Assistant
2007-12-16 22:03   ---------   d-----w   C:\Program Files\CONEXANT
2007-12-15 16:37   ---------   d-----w   C:\Program Files\Utilities
2007-12-13 03:07   ---------   d-----w   C:\Program Files\Java
2007-12-13 03:07   ---------   d-----w   C:\Program Files\Common Files\Java
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-03 04:38   ---------   d-----w   C:\Program Files\eMusic Download Manager
2007-12-03 04:03   ---------   d-----w   C:\Program Files\alot
2007-11-28 03:49   ---------   d-----w   C:\Program Files\MSXML 6.0
2007-11-28 03:48   ---------   d-----w   C:\Program Files\MSXML 4.0
2007-11-28 02:58   ---------   d-----w   C:\Program Files\Verizon
2007-11-28 02:58   ---------   d-----w   C:\Program Files\Common Files\SupportSoft
2007-11-28 02:55   ---------   d-----w   C:\Program Files\Common Files\Motive
2007-11-02 23:33   84,938   ----a-w   C:\WINDOWS\xxywwx.dll
2006-05-07 01:49   22   -csha-w   C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-07-31 09:12:35 225280]
PowerReg Scheduler.exe [2006-06-22 17:11:14 189952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-09-20 08:26]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 19:15:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

jn4Him

Re: Need Help with Win32:BHO-KD
« Reply #3 on: January 24, 2008, 04:27:37 AM »
(Continued)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Utilities\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Utilities\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Utilities\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Utilities\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Utilities\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\My Documents\My Download Files\Utilities\Anti-Virus\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=nelsonemail1&login=02641ce599fb562f03ce9582ff6ca38b/nelsonemail1:netzero.net/1136679714/30/sss.6.58940/&ts=43c05b22&A=0&B=1032505200000&C=1032505200000&D=1090825200000&I=7WNQ3&N=&O=A&UT=zeroport
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Internet\NetZero\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\Internet\NetZero\toolbar.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195499325046
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Utilities\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6930 bytes

1975maggie

Re: Need Help with Win32:BHO-KD
« Reply #4 on: January 25, 2008, 08:06:21 AM »
Hi, it looks like essexboy is up to his eyeballs in these things, so I'll try to clear up some of oldman's threads while he is away.

It looks pretty good, just one file and one folder left.



Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) "CFscript.txt" as the filename. Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\xxywwx.dll

Folder::
C:\Program Files\alot




This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HJT log.


If you are not experiencing any problems, you can clean up the tools you used. If you still are having problems, let me know.


1. Click the Start button, click Run, and copy and paste the following line into the box:

combofix /u


2. Open HJT, click the Misc Tools button, slide the slider down, and click Uninstall. You will have to delete the hjt.exe file.

3. Create a new restore point

You must be logged on to an administrator account.
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

4. Remove old restore points

- Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


5. Your Java is a bit behind.

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control.


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure, and reboot if not prompted to do so.






6. Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp


7. You may want to consider this

If you are using Windows Firewall, please note that it doesn't provide outbound protection. A third-party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0



Take care and keep safe.




jn4Him

Re: Need Help with Win32:BHO-KD
« Reply #5 on: January 26, 2008, 04:56:25 AM »
Again, thanks for the help.

ComboFix 08-01-23.2 - Compaq_Owner 2008-01-25 19:15:05.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.124 [GMT -8:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFscript.txt
 * Created a new restore point

FILE
C:\WINDOWS\xxywwx.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\alot
C:\Program Files\alot\alotUninst.exe
C:\Program Files\alot\bin\alot.dll
C:\WINDOWS\xxywwx.dll
.
---- Previous Run -------
.
C:\Documents and Settings\Compaq_Owner\Application Data\tmp99.tmp.exe
C:\Documents and Settings\Compaq_Owner\Application Data\tmp9A.tmp.exe
C:\Documents and Settings\Compaq_Owner\Application Data\tmp9B.tmp.exe
C:\Documents and Settings\Compaq_Owner\Application Data\tmpA1.tmp.exe
C:\Documents and Settings\Steven\Application Data\tmp134.tmp.exe
C:\Documents and Settings\Steven\Application Data\tmp136.tmp.exe
C:\Documents and Settings\Steven\Application Data\tmp9D.tmp.exe
C:\Documents and Settings\Steven\Application Data\tmp9E.tmp.exe
C:\Documents and Settings\Steven\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Steven\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Steven\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Terry\Application Data\tmp139.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp140.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp142.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp2.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp3.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp99.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp9A.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp9C.tmp.exe
C:\Documents and Settings\Terry\Application Data\tmp9D.tmp.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\dmserve.dll
C:\WINDOWS\system32\drivers\fraevufm.dat
C:\WINDOWS\system32\tmp136.tmp.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KIJCEBRG
-------\kijcebrg




(((((((((((((((((((((((((   Files Created from 2007-12-26 to 2008-01-26  )))))))))))))))))))))))))))))))
.

2008-01-23 19:03 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\Nircmd.exe
2008-01-19 20:04 . 2008-01-19 20:04   <DIR>   d--------   C:\Program Files\CCleaner
2008-01-19 14:55 . 2008-01-19 14:55   <DIR>   d--------   C:\Program Files\IObit
2008-01-19 14:54 . 2007-01-18 04:00   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-19 14:52 . 2007-05-30 04:10   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 06:17   ---------   d-----w   C:\Program Files\Melody Assistant
2007-12-16 22:03   ---------   d-----w   C:\Program Files\CONEXANT
2007-12-15 16:37   ---------   d-----w   C:\Program Files\Utilities
2007-12-13 03:07   ---------   d-----w   C:\Program Files\Java
2007-12-13 03:07   ---------   d-----w   C:\Program Files\Common Files\Java
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-12-03 04:38   ---------   d-----w   C:\Program Files\eMusic Download Manager
2007-11-28 03:49   ---------   d-----w   C:\Program Files\MSXML 6.0
2007-11-28 03:48   ---------   d-----w   C:\Program Files\MSXML 4.0
2007-11-28 02:58   ---------   d-----w   C:\Program Files\Verizon
2007-11-28 02:58   ---------   d-----w   C:\Program Files\Common Files\SupportSoft
2007-11-28 02:55   ---------   d-----w   C:\Program Files\Common Files\Motive
2007-11-14 07:26   450,560   ----a-w   C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26   721,920   ----a-w   C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26   721,920   ----a-w   C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20   360,064   ----a-w   C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40   227,328   ----a-w   C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40   227,328   ----a-w   C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34   8,460,288   ----a-w   C:\WINDOWS\system32\dllcache\shell32.dll
2005-05-12 14:36   12,288   -c--a-w   C:\WINDOWS\Fonts\RandFont.dll
2006-05-07 01:49   22   -csha-w   C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-01-23_19.18.18.17   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 03:04:33   237,568   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 03:14:40   237,568   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 03:04:34   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 03:14:40   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 03:04:34   237,568   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 03:14:40   237,568   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 03:04:34   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 03:14:40   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 03:04:34   5,324,800   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-26 03:14:40   5,332,992   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-24 03:04:34   176,128   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 03:14:40   176,128   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 02:39:00   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_504.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-07-31 09:12:35 225280]
PowerReg Scheduler.exe [2006-06-22 17:11:14 189952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-09-20 08:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 19:19:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

jn4Him

  • Guest
Re: Need Help with Win32:BHO-KD
« Reply #6 on: January 26, 2008, 04:57:58 AM »
(Continued)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55, on 2008-01-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Utilities\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Utilities\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Utilities\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Utilities\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Utilities\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\My Documents\My Download Files\Utilities\Anti-Virus\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=nelsonemail1&login=02641ce599fb562f03ce9582ff6ca38b/nelsonemail1:netzero.net/1136679714/30/sss.6.58940/&ts=43c05b22&A=0&B=1032505200000&C=1032505200000&D=1090825200000&I=7WNQ3&N=&O=A&UT=zeroport
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Internet\NetZero\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\Internet\NetZero\toolbar.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195499325046
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Utilities\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Utilities\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6930 bytes

1975maggie

  • Guest
Re: Need Help with Win32:BHO-KD
« Reply #7 on: January 26, 2008, 06:26:54 AM »
Hi jn4Him

Any problems?

If not, clean up if you haven't already, and you are more than welcome.


jn4Him

  • Guest
Re: Need Help with Win32:BHO-KD
« Reply #8 on: January 28, 2008, 01:11:07 AM »
Everything seems to be running fine. I have followed your recommendations for clean-up and protection. I have some questions. ???

1. I have installed Jetico Personal Firewall. (I am still working out the configuration part.) Should this run in conjunction with or as a replacement for Windows Firewall?

2. When I was first trying to remove this virus, I was following recommendations made to another user. I installed AVG Anti-Spyware v7.5. Is this compatible with or redundant with avast!?

3. Will the two AVs be looking into each other's Chests and re-identifying/moving viruses?

4. What is the difference between CleanUp, CCleaner and Windows Disk Cleanup?

Thanks again for all your help. You folks have been great!!  :D

1975maggie

  • Guest
Re: Need Help with Win32:BHO-KD
« Reply #9 on: January 28, 2008, 03:16:18 AM »
Quote
1. I have installed Jetico Personal Firewall. (I am still working out the configuration part.) Should this run in conjunction with or as a replacement for Windows Firewall?

As a replacement.

Quote
I installed AVG Anti-Spyware v7.5. Is this compatible with or redundant with avast!?

Compatible and complementary; one is an antispyware, the other an antivirus.

Quote
Will the two AVs be looking into each other's Chests and re-identifying/moving viruses?

Both chests should be encrypted by default; neither should be able to "see" into the other.

Quote
What is the difference between CleanUp, CCleaner and Windows Disk Cleanup?

They are similar, though the first two probably get into a few more nooks and crannies. Windows Disk Cleanup can take care of removing old restore points. Suggestion: use one along with Windows Disk Cleanup.