Author Topic: Help me remove Trojan horse WIN32:BHO-KD[Trj]  (Read 49578 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #15 on: January 01, 2008, 08:27:58 PM »
OK, enough information to go on with the anti-malware procedures.
I'd like you to do the following:
Delete all versions of Combofix you may already have.
Download Combofix.exe from here http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
to your desktop.
Double click combofix.exe & follow the prompts.
A window will open with a warning. Type "1" (and Enter) to start the fix.
When the scan completes it will open a text window.
Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt. Do not post the Combofix log until you have completed the rest of the instructions below.

Please note: If you have any problems with Combofix, please do the following instead.

Please download Deckard's System Scanner (DSS) and save it to your Desktop from here:

http://www.techsupportforum.com/sectools/Deckard/dss.exe

DISCONNECT FROM THE INTERNET...REMOVE THE PLUG FROM THE BACK OF THE COMPUTER

Close all other windows before proceeding.

This means TURN OFF ALL other security programmes:
Avast Anti-virus, AVG Anti-spyware or any other security programmes you're running.

Double-click on dss.exe and follow the prompts.
When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please attach main.txt and extra.txt in your next reply.

Re-enable your security programmes and reconnect to the net.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

sharadgarg2000

  • Guest
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #16 on: January 01, 2008, 09:15:51 PM »
Hi sharadgarg2000,

Please post a HijackThis log to here:

    * Download HijackThis.exe from http://downloads.malwareremoval.com/HijackThis.exe
    * Save HijackThis.exe to your desktop.
    * Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
    * Run HijackThis.exe
    * Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    * Click Save to save the log file and then the log will open in notepad.
    * Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    * Come back here to this thread and Paste the log in your next reply. Use more postings if the log is larger.
    * DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

polonus

Dear Polonus,

As directed by you, I am sending you the logfile. Kindly consider

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:11 AM, on 02.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: XBTBPos00 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\REDIFF~2\3.0\REDIFF~1.DLL (file missing)
O2 - BHO: (no name) - {C3662DAC-A61E-4C3E-A7E0-0B0C47497B7F} - C:\WINDOWS\system32\dmdskrest.dll
O3 - Toolbar: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 4848 bytes

sharadgarg2000

Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #17 on: January 01, 2008, 09:48:49 PM »
OK Polonus

Here are the logs of the two files you requested. The system was scanned by executing the DSS.exe file downloaded from the link you sent me.

This is the main.txt
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-01-02 01:58:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:38 AM, on 02.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\DOCUME~1\ADMINI~1\Desktop\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: XBTBPos00 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\REDIFF~2\3.0\REDIFF~1.DLL (file missing)
O2 - BHO: (no name) - {C3662DAC-A61E-4C3E-A7E0-0B0C47497B7F} - C:\WINDOWS\system32\dmdskrest.dll
O3 - Toolbar: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 4645 bytes


sharadgarg2000

Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #18 on: January 01, 2008, 09:49:44 PM »
Part-II of main.txt

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 aydrddch - c:\windows\system32\drivers\qguacqol.dat
R3 cmuda (C-Media WDM Audio Interface) - c:\windows\system32\drivers\cmuda.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>

S2 windev-9a8-4448 - c:\windows\system32\windev-9a8-4448.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 ICF - c:\windows\system32\svchost.exe:exe.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-12-02 and 2008-01-02 -----------------------------

2008-01-01 16:53:00      4096 --ahs---- C:\WINDOWS\system32\5558.dat
2007-12-31 19:21:34     19584 --a------ C:\WINDOWS\system32\drivers\qguacqol.dat
2007-12-31 15:28:39     84992 --a------ C:\WINDOWS\system32\dmdskrest.dll
2007-12-30 18:55:47         0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2007-12-30 14:07:53         0 d--h----- C:\WINDOWS\PIF
2007-12-30 12:27:55         0 d-------- C:\Program Files\123 Free Solitaire
2007-12-30 12:07:41     73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-12-29 05:57:05         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-12-08 18:00:24    340334 --a------ C:\WINDOWS\xobglu32.dll
2007-12-08 18:00:23     63488 --a------ C:\WINDOWS\xobglu16.dll


-- Find3M Report ---------------------------------------------------------------

2007-12-30 18:55:47         0 d-------- C:\Program Files\Google
2007-12-15 00:09:29         0 d-------- C:\Program Files\VCDCutter
2007-11-18 23:36:47         0 d-------- C:\Program Files\WordToys
2007-11-17 00:42:25         0 d-------- C:\Program Files\Neat Image
2007-11-16 22:17:48         0 d-------- C:\Program Files\Gadwin Systems
2007-11-15 21:14:38         0 d-------- C:\Program Files\Messenger
2007-11-15 21:13:52         0 d-------- C:\Program Files\Movie Maker
2007-11-15 21:09:24         0 d-------- C:\Program Files\Windows NT
2007-11-12 16:50:06         0 d-------- C:\Program Files\MSECache
2007-11-07 18:41:27         0 d-------- C:\Program Files\Dictionaries
2007-10-24 19:47:00    610304 --a------ C:\Program Files\NeatImage.8bf <Not Verified; ABSoft; Neat Image Demo>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3662DAC-A61E-4C3E-A7E0-0B0C47497B7F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [11.03.2002 08:58 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [11.03.2002 08:50 PM]
"Cmaudio"="cmicnfg.cpl" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [04.12.2007 06:30 PM]
"@"="" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"userinit"=C:\WINDOWS\System32\ntos.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [20.04.2007 8:56:13 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17.02.1999 8:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bol IM]
"C:\Program Files\Rediff Bol\RediffMessenger.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen]
"C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKey]
C:\WINDOWS\Twain_32\4100\HotKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\userinit]
C:\WINDOWS\System32\ntos.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"SamSs"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{619c68d8-ee63-11db-a400-0008a1903f4c}]
AutoRun\command- SSVICHOSST.exe
Open\command- SSVICHOSST.exe




-- End of Deckard's System Scanner: finished at 2008-01-02 02:01:30 ------------



Sharad Garg

extra.txt follows

sharadgarg2000

Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #19 on: January 01, 2008, 09:51:30 PM »
Part-I Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 1.70GHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 254.48 MiB / 140 MiB
Pagefile Memory (total/avail): 625.42 MiB / 423.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1950.14 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 9.32 GiB total, 4.51 GiB free.
D: is Fixed (FAT32) - 14.63 GiB total, 11.4 GiB free.
E: is Fixed (FAT32) - 13.32 GiB total, 8.98 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP4002H - 37.31 GiB - 3 partitions
  \PARTITION0 (bootable) - Installable File System - 9.32 GiB - C:
  \PARTITION1 - Extended w/Extended Int 13 - 27.98 GiB - D: - E:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
AUState says computer has updates disabled.
Windows Internal Firewall is disabled.

AV: avast! antivirus 4.7.1098 [VPS 071231-0] v4.7.1098 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SHARAD-0HNGVIOT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\SHARAD-0HNGVIOT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=SHARAD-0HNGVIOT
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS



sharadgarg2000

Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #20 on: January 01, 2008, 09:52:23 PM »
Part-II Extra.txt

-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4100 USB Scanner --> C:\WINDOWS\RunUnDrv.exe C:\WINDOWS\Twain_32\4100\PmxScan.INF DefaultUnInstall.USB.NTX86
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
ArcSoft Panorama Maker 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5F68DC8-0278-4AD8-B413-861509B5F25B}\Setup.exe" -l0x9
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
C-Media Audio --> C:\WINDOWS\CMIUnInstall.exe
Gadwin PrintScreen --> C:\Program Files\Gadwin Systems\PrintScreen\Uninstall.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe" /uninstall
hp LaserJet 1010 Series --> MsiExec.exe /x {292C47B2-8DB7-47BF-896C-C3C5EE8108C4}
Intel(R) 845G Chipset Graphics Driver Software --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562-inteluninstall
K-Lite Mega Codec Pack 1.15 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Neat Image v5 Demo (with plug-in) --> "C:\Program Files\Neat Image\unins000.exe"
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Nikon Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
OrderReminder hp LaserJet 101x --> "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\Uninstall-hpLJ_101x\installerhelper.exe" "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\Uninstall-hpLJ_101x\installerhelper.properties" -from-addremove
PictureProject --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Rediff Bol --> C:\Program Files\Rediff Bol\uninstall.exe
Ulead Photo Express 4.0 My Custom Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21BCE515-D5A3-11D4-8E33-0010B53EC668}\Setup.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type652 / Error
Event Submitted/Written: 12/31/2007 03:29:22 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dm7.exe, version 0.0.0.0, faulting module dm7.exe, version 0.0.0.0, fault address 0x0000b000.
Processing media-specific event for [dm7.exe!ws!]

Event Record #/Type651 / Error
Event Submitted/Written: 12/30/2007 06:59:52 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application start.exe, version 8.0.22.0, faulting module start.exe, version 8.0.22.0, fault address 0x000ad040.
Processing media-specific event for [start.exe!ws!]

Event Record #/Type650 / Error
Event Submitted/Written: 12/30/2007 06:59:30 PM
Event ID/Source: 1005 / Application Error
Event Description:
Windows cannot access the file G:\start.exe for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Macromedia Flash Player 8.0  r22 because of this error.

Program: Macromedia Flash Player 8.0  r22
File: G:\start.exe

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
   - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
   - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
Additional Data
Error value: C0000240
Disk type: 5

Event Record #/Type648 / Error
Event Submitted/Written: 12/26/2007 10:28:18 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application winword.exe, version 9.0.0.2717, faulting module winword.exe, version 9.0.0.2717, fault address 0x00203c6e.
Processing media-specific event for [winword.exe!ws!]

Event Record #/Type647 / Error
Event Submitted/Written: 12/26/2007 09:23:49 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application winword.exe, version 9.0.0.2717, faulting module winword.exe, version 9.0.0.2717, fault address 0x001266fe.
Processing media-specific event for [winword.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type29504 / Warning
Event Submitted/Written: 01/02/2008 00:27:51 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0008A1903F4C.  The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type29500 / Error
Event Submitted/Written: 01/01/2008 10:04:47 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.33 for the Network Card with network address 0008A1903F4C has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type29499 / Warning
Event Submitted/Written: 01/01/2008 10:04:43 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0008A1903F4C.  The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type29493 / Error
Event Submitted/Written: 01/01/2008 09:12:57 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.33 for the Network Card with network address 0008A1903F4C has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type29492 / Warning
Event Submitted/Written: 01/01/2008 09:12:52 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0008A1903F4C.  The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-01-02 02:01:30 ------------

Sharad Garg

polonus
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #21 on: January 01, 2008, 10:10:29 PM »
Hi sharadgarg,

Hold on to your desktop, here we go again:
The following HJT entries could be flagged and taken out.
Fire up HijackThis, tag the following entries and press Enter.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'Default user')

After this, post a new HijackThis log.

Also read this on what to do if ntos.exe has been deleted: http://www.housing.hawaii.edu/resources/support/restore-point.htm

polonus
« Last Edit: January 01, 2008, 10:16:00 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

polonus
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #22 on: January 01, 2008, 10:29:18 PM »
Hi malware fighters,

Additional information on ntos.exe: http://www.websense.com/securitylabs/blog/blog.php?BlogID=134

We also have to run this afterwards: http://www.cexx.org/lspfix.htm

pol

essexboy
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #23 on: January 01, 2008, 11:21:04 PM »
Ntos is a password stealer

Quote
One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

I would recommend the following steps :

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Ntos will probably need an Avenger run to kill it.

polonus
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #24 on: January 02, 2008, 12:34:43 AM »
Hi sharadgarg2000 and essexboy,

The manual removal instructions for the unsolicited ntos malware:
Manual removal

Please follow the instructions below if you would like to remove Exploit ntos.exe manually. Please note that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if a single item is not deleted. If Exploit ntos.exe remains on your system after stepping through the removal instructions, please double-check by stepping through them again.

   1. Start your computer in safe mode.
   2. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
   3. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {98B822AD-6BE7-49BC-B773-97240B774080}', if it exists.
   4. Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {98B822AD-6BE7-49BC-B773-97240B774080}', if it exists.
   5. Browse to the key:
      'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
   6. In the right pane, delete the values called 'SystemSv12', 'runner1', 'RegistryMonitor1', 'SpyVampire', 'smgr', 'System', 'spoolsvv', if they exist.
   7. Browse to the key:
      'HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
   8. In the right pane, delete the values called 'Windows update loader ', 'Service Pack 1', 'Brave-Sentry', 'WinAble', 'PestTrap', 'Windows update loader', if they exist.
   9. Exit the registry editor.
  10. Start Windows Explorer and delete:
      %SystemDir%\AClient.dll
      %SystemDir%\kernelwind32.exe
      %SystemDir%\vedxg4am1et2.exe
      %SystemDir%\vedxga4m1et4.exe
      %SystemDir%\vedxga4m1et4.exe
      %SystemDir%\spoolsvv.exe
      %SystemDir%\kernelw.sys
      %SystemDir%\aspimgr.exe
      %SystemDir%\msvcrt64.dll
      %SystemDir%\dllh8jkd1q2.exe
      %SystemDir%\max1d11643v.exe
      %SystemDir%\vedxg6ame4.exe
      %SystemDir%\vedxga1me4t1.exe
      %SystemDir%\vedxg4am1et2.exe
      %SystemDir%\vedxga4m1et4.exe
      %SystemDir%\vedxg6ame4.exe
      %SystemDir%\newmaxxsv234.exe
      %SystemDir%\winhld32.dll
      %SystemDir%\ntos.exe
      %WinDir%\avp.exe
      %WinDir%\mgrs.exe
      %WinDir%\xpupdate.exe
      %WinDir%\b122.exe
      %WinDir%\tsitra27.exe
      %WinDir%\desktop.html
      %ProgramsDir%\SpyVampire\
      %ProgramsDir%\ucleaner_setup.exe
      %ProgramsDir%\PestTrap\PestTrap.exe
      %ProgramsDir%\WinAble\winable.exe
      %ProgramsDir%\BraveSentry\
      c:\syst.exe
      c:\3456346345643.exe
      C:\winstall.exe
  11. Start Microsoft Internet Explorer.
  12. In Internet Explorer, click Tools -> Internet Options.
  13. Click the Programs tab -> Reset Web Settings.

polonus
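
Reply #21 flags the Winlogon Userinit hijack and the matching Run entries, and reply #24 walks through Run keys and BHO CLSIDs by hand. As an added example (not from this thread and not HijackThis code), the following Python check reads HijackThis-style log lines and flags those same persistence patterns; the sample lines are constructed from entries quoted in this thread, and the rule that treats Run entries under the SYSTEM and Default user hives as suspicious is my own assumption.

```python
"""Flag HijackThis-style persistence entries of the kind discussed in this thread.

Added example, not part of the thread and not HijackThis code. SAMPLE_LOG is
constructed from entries quoted in replies #21 and #26.
"""
import re
from dataclasses import dataclass

# Only Windows' own userinit.exe belongs in the Winlogon Userinit value; every
# extra path appended after it is started at each interactive logon.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Line shapes this check understands (F2 Userinit, O4 Run, O2 BHO, O20 Notify).
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$", re.I)

# Constructed sample log: a clean start page and ctfmon entry, plus the
# Userinit hijack, its Run entries and the unnamed BHO also used as a Notify DLL.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {B2A822B0-2E56-4D7F-9782-CBB82207C7D5} - c:\windows\system32\dgsetupv.dll",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'Default user')",
    r"O20 - Winlogon Notify: tnkqaqmj - C:\WINDOWS\SYSTEM32\dgsetupv.dll",
]


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _first_path(cmd: str) -> str:
    """Return the executable path at the start of an O4 command, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    return cmd.split(" ", 1)[0].lower()


def scan(lines):
    """Return a list of Findings for the suspicious entries in an HJT log."""
    findings = []
    hijacked = set()      # executables appended to the Userinit value
    unnamed_bho = set()   # DLL paths of BHOs with no display name

    # Pass 1: Userinit and unnamed BHOs, which later entries are checked against.
    for raw in lines:
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            for part in m.group("value").split(","):
                exe = part.strip().lower()
                if exe and exe != LEGIT_USERINIT:
                    hijacked.add(exe)
                    findings.append(Finding(line, f"extra executable in Winlogon Userinit: {exe}"))
            continue
        m = O2_RE.match(line)
        if m and m.group("name") == "(no name)" and "\\system32\\" in m.group("path").lower():
            unnamed_bho.add(m.group("path").lower())
            findings.append(Finding(line, "unnamed BHO loaded from the system directory"))

    # Pass 2: Run keys and Winlogon Notify packages, cross-referenced with pass 1.
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = _first_path(m.group("cmd"))
            hive = m.group("hive").upper()
            if exe in hijacked:
                findings.append(Finding(line, f"Run entry launches Userinit hijack: {exe}"))
            elif hive.startswith("HKUS\\S-1-5-18") or hive.startswith("HKUS\\.DEFAULT"):
                # Assumption: ordinary software does not register Run entries here.
                findings.append(Finding(line, "Run entry under the SYSTEM/Default user hive"))
            continue
        m = O20_RE.match(line)
        if m and m.group("path").lower() in unnamed_bho:
            findings.append(Finding(line, "Winlogon Notify DLL is also an unnamed BHO"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```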

mimmo_dm
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #25 on: January 02, 2008, 08:58:52 PM »
combofix log:

ComboFix 08-01-03.3 - MIMMO 2008-01-02 20.41.37.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1040.18.87 [GMT 1:00]
Eseguito da: C:\Documents and Settings\MIMMO\Desktop\ComboFix.exe
 * Creato nuovo punto di ripristino
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dgsetupv.dll . . . . Eliminazione Fallita

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FUFWZYLV
-------\fufwzylv


(((((((((((((((((((((((((   Files Creati Da 2007-12-03 al 2008-01-03  )))))))))))))))))))))))))))))))))))
.

2008-01-02 20:40 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-02 09:35 . 2008-01-02 09:35   118,784   -r-------   C:\WINDOWS\bwUnin-6.3.2.62-7681197L.exe
2008-01-02 09:35 . 2004-11-10 13:58   68,752   --a------   C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-02 09:35 . 2004-11-10 13:57   26,928   --a------   C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-02 09:34 . 2008-01-02 09:35   <DIR>   d--------   C:\Programmi\F-Secure
2008-01-02 09:32 . 2008-01-02 09:32   <DIR>   d--------   C:\Documents and Settings\All Users\Dati applicazioni\Avg7
2008-01-01 14:26 . 2008-01-01 18:09   <DIR>   d--------   C:\Programmi\SUPERAntiSpyware
2008-01-01 14:26 . 2008-01-01 18:09   <DIR>   d--------   C:\Documents and Settings\MIMMO\Dati applicazioni\SUPERAntiSpyware.com
2008-01-01 14:26 . 2008-01-01 14:26   <DIR>   d--------   C:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2007-12-26 18:17 . 2007-12-26 18:37   58   --a------   C:\WINDOWS\CTACD.INI
2007-12-23 20:54 . 2007-12-23 20:54   1,188,375   --a------   C:\WINDOWS\system32\libeay32.dll
2007-12-23 20:54 . 2007-12-23 20:54   741,632   --a------   C:\WINDOWS\system32\ovoolkjo.dat
2007-12-23 20:54 . 2007-12-23 20:54   246,545   --a------   C:\WINDOWS\system32\libssl32.dll
2007-12-23 20:54 . 2007-12-23 20:54   42,240   --a------   C:\WINDOWS\system32\sguvldwn.dat
2007-12-23 20:54 . 2007-12-23 20:54   36,096   --a------   C:\WINDOWS\system32\zoyhlzgx.dat
2007-12-23 20:54 . 2007-12-23 20:54   35,072   --a------   C:\WINDOWS\system32\zmuhtbhf.dat
2007-12-22 21:37 . 2007-12-22 21:37   30   --a------   C:\WINDOWS\CTWave32.ini
2007-12-22 20:44 . 2007-12-25 21:09   120,576   --a------   C:\WINDOWS\system32\bbrbppyr.dat
2007-12-22 20:37 . 2007-12-23 20:54   84,992   --a------   C:\WINDOWS\system32\dgsetupv.dll.bak
2007-12-22 20:37 . 2008-01-03 20:47   84,992   --a------   C:\WINDOWS\system32\dgsetupv.dll
2007-12-22 20:36 .    19,584      C:\WINDOWS\system32\drivers\ufsncrmk.dat
2007-12-22 20:36 . 2007-12-22 20:36   16,896   --a------   C:\WINDOWS\system32\if12va.0xe
2007-12-22 20:35 . 2001-08-31 12:00   84,992   --a------   C:\WINDOWS\system32\cdmodeml.dll
2007-12-18 20:42 . 2007-12-18 20:42   <DIR>   d--------   C:\Programmi\Google
2007-12-13 11:22 . 2007-12-13 11:22   <DIR>   d---s----   C:\Documents and Settings\MIMMO\UserData
2007-12-05 18:06 . 2007-12-05 18:42   <DIR>   d--------   C:\Programmi\yengnwuy
2007-12-05 18:05 . 2007-12-05 18:05   291,328   --a------   C:\WINDOWS\system32\libcurl.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 19:33   ---------   d-----w   C:\Programmi\eMule
2008-01-02 08:31   ---------   d-----w   C:\Documents and Settings\All Users\Dati applicazioni\Grisoft
2007-12-22 09:31   ---------   d-----w   C:\Programmi\MSN Messenger
2007-12-22 09:31   ---------   d-----w   C:\Programmi\Messenger Plus! Live
2007-12-16 09:54   ---------   d-----w   C:\Programmi\SopCast
2007-12-16 09:22   ---------   d-----w   C:\Documents and Settings\MIMMO\Dati applicazioni\SopCast
2007-11-23 10:38   21,840   ----atw   C:\WINDOWS\system32\SIntfNT.dll
2007-11-23 10:38   17,212   ----atw   C:\WINDOWS\system32\SIntf32.dll
2007-11-23 10:38   12,067   ----atw   C:\WINDOWS\system32\SIntf16.dll
2007-11-23 10:36   ---------   d--h--w   C:\Programmi\InstallShield Installation Information
2007-11-22 17:13   ---------   d-----w   C:\Programmi\Sierra On-Line
.

(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80B188C9-0198-4BB6-B2CB-AD40811F746E}]
2001-08-31 12:00   84992   --a------   C:\WINDOWS\system32\cdmodeml.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2A822B0-2E56-4D7F-9782-CBB82207C7D5}]
2008-01-03 20:47   84992   --a------   c:\windows\system32\dgsetupv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]
"DAEMON Tools"="C:\Programmi\DAEMON Tools\daemon.exe" [2006-11-12 11:48 157592]
"RocketDock"="C:\Programmi\RocketDock\RocketDock.exe" [2007-03-18 23:05 630784]
"CTSyncU.exe"="C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 09:06 700416]
"PcSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-19 14:59 1449984]
"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2007-10-06 08:07 185896]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 10:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"Jet Detection"="C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00 28672]
"CTStartup"="C:\Programmi\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 00:00 28672]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-05-03 09:06 364544 C:\WINDOWS\system32\nwiz.exe]
"AdslTaskBar"="stmctrl.dll" [2003-01-22 11:01 151552 C:\WINDOWS\system32\stmctrl.dll]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 11:36 229376]
"!AVG Anti-Spyware"="C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"F-Secure Manager"="C:\Programmi\F-Secure\Common\FSM32.exe" [2004-09-09 10:03 118832]
"F-Secure TNB"="C:\Programmi\F-Secure\TNB\TNBUtil.exe" [2004-05-27 09:57 684032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 14:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Tasto di scelta rapida per l'avvio di AutoCAD.lnk - C:\Programmi\File comuni\Autodesk Shared\acstart16.exe [2004-02-25 01:35:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2004-11-10 13:58]
R0 wfjkwxgm;wfjkwxgm;C:\WINDOWS\system32\drivers\ufsncrmk.dat []
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2008-01-02 09:35]
R2 F-Secure Filter;F-Secure File System Filter;C:\Programmi\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 17:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programmi\F-Secure\Anti-Virus\Win2K\FSgk.sys [2004-09-10 17:14]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programmi\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 13:32]
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2002-09-25 06:37]
S3 TaurusUsb;ADSL Modem USB Service 1.09a;C:\WINDOWS\system32\DRIVERS\torususb.sys [2003-01-09 14:21]

.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-01 20:43:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 20:50:19
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  CTStartup = C:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run???????h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2????wd??w????????\???\??????????????w-??w\???\?????????_??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-03 20:52:11 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-03 19:51:59

mimmo_dm
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #26 on: January 02, 2008, 08:59:55 PM »
Logfile of HijackThis v1.99.1
Scan saved at 20.59.14, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmi\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmi\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmi\F-Secure\Common\FSMA32.EXE
C:\Programmi\F-Secure\Anti-Virus\fssm32.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\F-Secure\Common\FCH32.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\F-Secure\Common\FAMEH32.EXE
C:\Programmi\F-Secure\Common\FNRB32.EXE
C:\Programmi\F-Secure\Common\FIH32.EXE
C:\Programmi\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\spnpinst.exe
C:\Programmi\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\RocketDock\RocketDock.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Programmi\F-Secure\FSGUI\fsguiexe.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MIMMO\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {80B188C9-0198-4BB6-B2CB-AD40811F746E} - C:\WINDOWS\system32\cdmodeml.dll
O2 - BHO: (no name) - {B2A822B0-2E56-4D7F-9782-CBB82207C7D5} - c:\windows\system32\dgsetupv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmi\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmi\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Programmi\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: tnkqaqmj - C:\WINDOWS\SYSTEM32\dgsetupv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmi\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmi\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmi\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmi\F-Secure\Common\FSMA32.EXE
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe

essexboy
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #27 on: January 02, 2008, 10:43:28 PM »
OK, let's start removing some of this rubbish  :D

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\bwUnin-6.3.2.62-7681197L.exe
    C:\WINDOWS\system32\libeay32.dll
    C:\WINDOWS\system32\ovoolkjo.dat
    C:\WINDOWS\system32\libssl32.dll
    C:\WINDOWS\system32\sguvldwn.dat
    C:\WINDOWS\system32\zoyhlzgx.dat
    C:\WINDOWS\system32\zmuhtbhf.dat
    C:\WINDOWS\system32\bbrbppyr.dat
    C:\WINDOWS\system32\dgsetupv.dll.bak
    C:\WINDOWS\system32\dgsetupv.dll
    C:\WINDOWS\system32\drivers\ufsncrmk.dat
    C:\WINDOWS\system32\if12va.0xe
    C:\WINDOWS\system32\cdmodeml.dll



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.

THEN

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote
drivers to unload:
wfjkwxgm

Files to delete:
C:\WINDOWS\system32\drivers\ufsncrmk.dat

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.

Also, what can you tell me about this folder: C:\Programmi\yengnwuy

Davey
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #28 on: January 03, 2008, 09:37:46 AM »
Hi,

Unfortunately I have exactly the same problem. Has the problem been solved yet, and how?

As I don't use this machine for internet banking, I'm wondering if I should wait until an easy fix is created, or am I being naive?

I'm assuming this is a new trojan as Avast is not dealing with it and spyware blaster did not recognise it. I've noticed the scrolling on my laptop is really sluggish - is this because of the key logging?

Any suggestions?

mimmo_dm
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #29 on: January 03, 2008, 10:23:50 AM »
Thanks essexboy, but I resolved the problem:
I moved this file, CFScript.txt:

File::
C:\WINDOWS\system32\drivers\ufsncrmk.dat
C:\WINDOWS\system32\ovoolkjo.dat
C:\WINDOWS\system32\sguvldwn.dat
C:\WINDOWS\system32\zoyhlzgx.dat
C:\WINDOWS\system32\zmuhtbhf.dat
C:\WINDOWS\system32\bbrbppyr.dat
C:\WINDOWS\system32\dgsetupv.dll.bak
C:\WINDOWS\system32\dgsetupv.dll
C:\WINDOWS\system32\if12va.0xe
C:\WINDOWS\system32\cdmodeml.dll
C:\WINDOWS\CTACD.INI
C:\WINDOWS\CTWave32.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80B188C9-0198-4BB6-B2CB-AD40811F746E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2A822B0-2E56-4D7F-9782-CBB82207C7D5}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wfjkwxgm]

onto the ComboFix icon.
« Last Edit: January 03, 2008, 10:25:43 AM by mimmo_dm »