Another Win32:BHO-KD Infection

Oldman,

I have run all the clean up instructions. One thing - I installed Cleanup 4.5 but could not find the tab to delete restore points. I have also installed Superantispyware so hopefully I should be ok now. Thanks for your help.

Phil B

Hello Oldman!

I need your help in removing this shit virus. It seems I am not the only person hit by this stubborn shit.

I have followed some of the procedures you suggested to the other people hit by the same shit.

I ran ComboFix, which generated the following log…

Please advise me what to do next…
ComboFix 08-01-04.1 - Fayaz Malik 2008-01-04 22:15:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.420 [GMT 0:00]
Running from: C:\Documents and Settings\Fayaz Malik\Local Settings\Temporary Internet Files\Content.IE5\N87U69IG\ComboFix[1].exe

* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode
C:\Documents and Settings\Family and Friends\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\Family and Friends\Application Data\WinAntiVirus Pro 2007\avtasks.dat
C:\Documents and Settings\Family and Friends\Application Data\WinAntiVirus Pro 2007\history.db
C:\Documents and Settings\Family and Friends\Application Data\WinAntiVirus Pro 2007\Logs\update.log
C:\Documents and Settings\Family and Friends\Application Data\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\Documents and Settings\Family and Friends\Application Data\WinAntiVirus Pro 2007\Logs\winav.log
C:\Documents and Settings\Family and Friends\Application Data\WinAntiVirus Pro 2007\PGE.dat
C:\Documents and Settings\Family and Friends\err.log
C:\Documents and Settings\Family and Friends\ResErrors.log
C:\Documents and Settings\Fayaz Malik\Application Data\hidires
C:\Documents and Settings\Fayaz Malik\err.log
C:\Documents and Settings\Fayaz Malik\ResErrors.log
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2007\avtasks.dat
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2007\CookieList.dat
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2007\history.db
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2007\Logs\update.log
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2007\Logs\winav.log
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2007\PGE.dat
C:\Documents and Settings\Guest\err.log
C:\Documents and Settings\Guest\ResErrors.log
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\outlook
C:\UWA7P
C:\WINDOWS\system32[u]0[/u]_exception.nls
C:\WINDOWS\system32\cnbjmo.dll
C:\WINDOWS\system32\drivers\qwkckmxa.dat
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\nsi62.dll
C:\WINDOWS\system32\stera.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN
-------\LEGACY_NJOOOFLZ
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\m_hook
-------\njoooflz
-------\runtime

((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 22:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 22:56 . 2007-12-30 22:56 d-------- C:\Documents and Settings\Guest\Application Data\Yahoo!
2007-12-04 01:48 . 2007-12-22 03:12 77,353 --a------ C:\WINDOWS\system32\adssite_sidebar_uninstall.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 13:41 --------- d-----w C:\Documents and Settings\Fayaz Malik\Application Data\Jasc Software Inc
2008-01-01 17:48 --------- d-----w C:\Documents and Settings\Fayaz Malik\Application Data\Skype
2007-12-09 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-09 15:17 --------- d---a-w C:\Documents and Settings\Fayaz Malik\Application Data\yahoo!
2007-12-04 20:40 --------- d-----w C:\Documents and Settings\Fayaz Malik\Application Data\DataLayer
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-03 01:48 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-22 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\BOC425
2007-11-21 22:36 --------- d-----w C:\Program Files\eMule
2007-11-21 21:42 --------- d-----w C:\Program Files\Dcads Games Collection
2007-11-21 21:09 --------- d-----w C:\Program Files\BearShare Applications
2007-11-21 21:06 --------- d-----w C:\Program Files\LimeWire
2007-11-17 14:10 --------- d-----w C:\Program Files\Picasa2
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 17:56 --------- d-----w C:\Program Files\SecondLife
2007-11-10 14:20 --------- d-----w C:\Documents and Settings\Fayaz Malik\Application Data\SecondLife
2007-11-10 11:41 --------- d-----w C:\Program Files\PC Registry Cleaner
2007-11-09 23:14 --------- d-----w C:\Documents and Settings\Fayaz Malik\Application Data\Nokia Multimedia Player
2007-11-06 22:12 --------- d-----w C:\Program Files\Comodo
2007-11-05 08:47 --------- d-----w C:\Documents and Settings\Fayaz Malik\Application Data\Comodo
2007-11-05 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-04 18:07 --------- d-----w C:\Program Files\McAfee.com
2007-11-04 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-04 18:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-04 16:13 --------- d-----w C:\Program Files\Alwil Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}]
2007-12-03 17:12 282624 --a------ C:\WINDOWS\system32\adssite_sidebar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43 4670704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-02 12:04 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 00:34 169984]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-20 17:32 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-25 01:37 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Fayaz Malik^Start Menu^Programs^Startup^Zapu Acceleration Engine.lnk]
path=C:\Documents and Settings\Fayaz Malik\Start Menu\Programs\Startup\Zapu Acceleration Engine.lnk
backup=C:\WINDOWS\pss\Zapu Acceleration Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Fayaz Malik^Start Menu^Programs^Startup^Zapu.lnk]
path=C:\Documents and Settings\Fayaz Malik\Start Menu\Programs\Startup\Zapu.lnk
backup=C:\WINDOWS\pss\Zapu.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Activate Scanner]
C:\PROGRA~1\QUICKH~1\ACTIVATE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 22:46 57344 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-09-13 16:33 155648 --a------ C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BOC-425]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
C:\Program Files\Comodo\Firewall\CPF.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2007-05-04 07:17 863744 --a------ C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-09-01 17:24 684032 --a------ C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Monitor]
C:\Documents and Settings\Fayaz Malik\Disk_Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 01:05 127035 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
2005-07-22 07:03 425984 --a------ C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 01:02 86016 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 16:19 53248 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Email Protection]
C:\PROGRA~1\QUICKH~1\EmlProxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Globe7]
C:\Program Files\Globe7\Globe7.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\system32\gzmrotate.dll DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger]
C:\PROGRA~1\QUICKH~1\SCANMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe]
C:\Program Files\McAfee\MSK\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\On-Line Protection]
C:\PROGRA~1\QUICKH~1\CATEYE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
C:\Program Files\outlook\outlook.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2007-10-23 21:18 443968 --a------ C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PronunciationPatterns]
2007-04-02 12:04 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

Hi pbunn

The Eset log should be located at C:\Program Files\EsetOnlineScanner\log.txt

The clean-up for the restore points that I was referring to is in Windows, not the Cleanup program I had you download.

Click the Start button, then All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Remember, if you installed the free version of SAS, it will be on demand only, which means you will have to run scans manually and regularly. The same goes for AVG, though there may be a trial period with on-access scanning; after that it will revert to on demand.

I have looked through your logs for mlvtgmlv.sys; it is nowhere to be seen. The 2nd Eset detection is a folder I missed; we'll remove that now.

I'm very curious as to where mlvtgmlv.sys came from and whether another will appear. I'd like you to run ComboFix again; this time, before you run it, rename it to pbunnfix.exe.

Download ComboFix from Here or Here to your Desktop.

Don’t run it yet, we’ll run it with this script.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

This will start ComboFix. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Folder::
C:\Program Files\SystemErrorFixer
C:\Documents and Settings\Dave Witcher\Application Data\systemerrorfixer
C:\Program Files\Common Files\SystemErrorFixer
C:\Program Files\SystemErrorFixer

Click here to download HJTsetup.exe

@faymak

I started a new thread for you in the Viruses and Worms forum; it's called "faymak's BHO thread". You can reach it here:

http://forum.avast.com/index.php?topic=32435.0

Oldman,

Eset scanner log attached - I’m doing the other stuff now…

version=4
OnlineScanner.ocx=1.0.0.56
OnlineScannerDLLA.dll=1, 0, 0, 51
OnlineScannerDLLW.dll=1, 0, 0, 51
OnlineScannerUninstaller.exe=1, 0, 0, 49
vers_standard_module=2766 (20080104)
vers_arch_module=1.060 (20071228)
vers_adv_heur_module=1.064 (20070717)
EOSSerial=7a4e967b0264f745ace04ae72880f9ab
end=finished
remove_checked=true
unwanted_checked=false
utc_time=2008-01-04 09:31:07
local_time=2008-01-04 09:31:07 (+0000, GMT Standard Time)
country="United Kingdom"
osver=5.1.2600 NT Service Pack 2
scanned=153144
found=3
scan_time=1347
C:\Documents and Settings\Dave Witcher\My Documents\Data Backup\APEC Ltd\Collins&Aikman\Programs\Ford\CD3XX\IB2 sanity check C&A updates 200106.xls probably unknown MACRO virus (cleaned) 00000000000000000000000000000000
C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\mlvtgmlv.sys probably a variant of Win32/Rootkit.Agent.NDA trojan (unable to clean - deleted) 00000000000000000000000000000000

Oldman,

Combofix and HJT logs attached.

Phil B

These folders seem to be all over. Last one.

Seeing as I'm going to have you download OTMoveIt anyway, we'll use it.

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users\Application Data\systemerrorfixer

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt

Just tell me if the folder was successfully removed. :wink:

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

This looks good. I don't see where, or what, could have created that file.

Any more avast detections?

Oldman,

Folder was removed and a Boot Time Scan with Avast reported no issues.

I think you’ve done it!!

Thanks a lot!

Phil B

Well, it wasn't me; you did all the work. sUBs, the author and developer of ComboFix, is a real lifesaver.

Double-click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

You can uninstall the Eset scanner, if you want, via Add/Remove Programs.

You also asked about the avast chest files. They are safe in the chest; they can't be run from there or accessed from outside the chest. You can leave them there for as long as you like. The general recommendation is a week or two, and if you are not experiencing any problems with any of your programs, then it's probably OK to delete them from the chest. Before you do, though, you should right-click on them in the chest and select Scan. If avast detects them as infected, then you can safely delete them by right-clicking on the file and selecting Delete.

In case you were wondering about the rename, it's Vundo related. Recently Vundo has "learned" to hide from ComboFix, but not very successfully. A rename of ComboFix works. I thought perhaps that was what had happened, so I just wanted to check. Thanks for helping out.

Take care, keep safe.

OLDMAN, I’m struggling with the same thing, I was wondering if you were going to be online this evening around 7PM to 10PM Mountain Time and would be able to help me out with my BHO-KD Infection? I’m not by the infected laptop right now but will be then. Some of the things you asked “PBUNN” to do seem specific to his particular problem so I didn’t know if it was a matter of just duplicating everything you told him to do or would you need to see the scans of my laptop, etc. Please advise oh wise one.

I may be on then, but I will start a thread for you with instructions to get you started. See you over there.

It’s called “jkrudy’s BHO” and you can get there from this link.

http://forum.avast.com/index.php?topic=32516.0

This is for oldman. I hope I'm doing this right, cause I'm new here. I have a Trojan that avast 4.7 cannot delete, Win32:BHO-KD [Trj] in c:\windows\system32\cmdial3.dll [UPX]. Oldman, I read everything you and pbunn posted, and I got a headache reading, lol, because I'm new at computers and know nothing about them! Biggest computer dummy ever! But I can copy and paste now. Oh jeez, my OS is Win XP SP2, Compaq Presario w/ 1GB mem. If there is an easy way to help me, that would be great. If not, sorry to trouble you. Everything seems to work fine after I click (No action). Thanks for your help if you can, oldman, cause it sounds like you really know your stuff!!! Whatever you're getting paid is not near enough! God Bless! Steve Warner ???

Deckard’s System Scanner v20071014.68
Run by YRyan on 2008-01-17 14:06:07
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

-- Last 4 Restore Point(s) --
4: 2008-01-17 19:06:45 UTC - RP950 - Deckard’s System Scanner Restore Point
3: 2008-01-17 12:06:18 UTC - RP949 - Software Distribution Service 3.0
2: 2008-01-16 08:00:54 UTC - RP948 - Software Distribution Service 3.0
1: 2008-01-15 14:43:54 UTC - RP947 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 224 MiB (512 MiB recommended).
System Drive C: has 0.65 GiB (less than 15%) free.

-- HijackThis (run as YRyan.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:58 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\iWon\Messenger\bin\i1IMPipe.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iWon\Messenger\bin\i1IMPipe .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\KMaestro\KMaestro .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Support.com\bin\tgcmd .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd .exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\YRyan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\YRyan.exe
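The process list above contains pairs such as `jusched.exe` and `jusched .exe`, which differ only by a space before the extension; near-duplicate entries like that are worth a closer look when triaging a HijackThis log. The script below is an added example written for this page, not a tool from the thread or from HijackThis: it parses a "Running processes:" block (sample lines copied from the log above) and reports each whitespace-before-extension entry together with the cleanly named twin it shadows, if one is listed.

```python
import re
from typing import List, Optional, NamedTuple

# Constructed sample: a handful of "Running processes" lines taken from the
# HijackThis log in this thread, followed by the next section so the block
# terminator (a blank line) is exercised.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:58 PM, on 1/17/2008
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\QuickTime\qttask .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


class Suspect(NamedTuple):
    path: str             # the entry exactly as it appeared in the log
    twin: Optional[str]   # the cleanly named entry it shadows, if listed


def running_processes(log_text: str) -> List[str]:
    """Return the paths listed under 'Running processes:' in a HijackThis log.
    HijackThis ends that block with a blank line, so parsing stops there."""
    lines = log_text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines)
                     if line.strip().lower() == "running processes:") + 1
    except StopIteration:
        return []
    paths: List[str] = []
    for line in lines[start:]:
        if not line.strip():
            break
        paths.append(line.strip())
    return paths


# Whitespace immediately before the final extension, e.g. "jusched .exe".
# Spaces elsewhere in the path ("Program Files") do not match.
_SPACE_BEFORE_EXT = re.compile(r"\s+(?=\.[^.\s\\]+$)")


def has_space_before_ext(path: str) -> bool:
    return _SPACE_BEFORE_EXT.search(path) is not None


def canonical(path: str) -> str:
    """Case-folded path with whitespace before the extension removed, so
    'C:\\X\\jusched .exe' and 'C:\\X\\jusched.exe' share one key."""
    return _SPACE_BEFORE_EXT.sub("", path).lower()


def find_suspect_paths(paths: List[str]) -> List[Suspect]:
    """Report entries with whitespace before the extension, in log order and
    without repeats, pairing each with its cleanly named twin when present."""
    clean_by_key = {}
    for p in paths:
        if not has_space_before_ext(p):
            clean_by_key.setdefault(canonical(p), p)
    suspects: List[Suspect] = []
    seen = set()
    for p in paths:
        if has_space_before_ext(p) and p not in seen:
            seen.add(p)
            suspects.append(Suspect(p, clean_by_key.get(canonical(p))))
    return suspects


if __name__ == "__main__":
    for s in find_suspect_paths(running_processes(SAMPLE_LOG)):
        print(f"{s.path!r}  twin: {s.twin!r}")
```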

Spybot Search & Destroy works well and is also free; if needed, type in the name and do a search.