Another Win32:BHO-KD.

Hi Oldman,

My PC is also infected with Win32:BHO-KD. I am not a techie person, thus I am hesitant to follow previously posted solutions. Might not work for my case.

It was first detected by Yahoo anti-spyware as SillyDI. Now I can’t use IE7 anymore and am currently using Mozilla. For McAfee, AVG and Avast, it’s Win32:BHO-KD, SpyDoctor says it’s Trojan-Spy Bzub, and I think SAS says it’s Trojan.Downloader.AUPD.

My current protection now is Avast anti-virus, SAS, SpyDoctor, AD-AWare, AVG Anti-Rootkit and Zone Alarm SpyBlocker… (all free editions). I believe they are all the same ’cause the file name infected is always windows\system32\audiosr.dll.

All the protection software above (also EsetNod32) can’t delete the Win32:BHO… I tried deleting it manually thru RUN, and running the anti-virus and anti-spywares in safe mode… All did not work. All removal procedures are from internet searches that I felt safe for me to do…

I was not aware before that browsing the net these days needs anti-spyware and firewall protections. The PC came with McAfee Ent8 and I thought that’s all I need. PC is purely for home use, with internet browsing (and downloading).

Thanks a lot in advance.
Nontech

Welcome to the forum. Please run these in the order posted. You can attach logs using the additional options button on the reply page, if you wish.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Thanks for the prompt reply… Here are the logs:

Hi Oldman,

It seems Avast, SpyTerminator and SAS can’t find it anymore. But I’ll still wait for your advice.

If not asking too much, from the logs, I would appreciate if you can tell me should you find any BAD software installed in my PC that needs to be removed (for the games, I need to think about it since they are the main function of this machine ;D).

Please feel free also to recommend/advise if I already have enough protection or do I still need to have more. I have licensed McAfee Enterprise 8 and EsetNod32 but prefer to use the AVAST now.

Thanks a lot for the BIG HELP.

Appears to have been ripped out by the roots, so to speak. :wink:

It looks good.

If your nod32 is paid for, I might be tempted to go with that, at least until the subscription runs out. I’ve never used it so I can’t fairly comment on its impact on a system as far as slowing things down. I’m just thinking of the $’s, but you must have had a reason to change and if avast is your preference then go with avast. I was a mcafee user, but it bogged my poor old machine down too much. I’ve been happy with avast.

You have at least one resident spyware and, IMO, a very good on demand scanner, in SAS, plus the anti-rootkit. That should be fine.

I would look at a firewall though, as it would appear you are using the windows firewall.

I’m sure Tech, DavidR, or someone will pop in and comment.

Clean up time, the best time… ;D

  1. Click start button, click run, copy and paste the following line into the box

combofix /u

  2. Open HJT, click misc tools button, slide the slider down, click uninstall.

  3. Create a new restore point

You must be logged on to an administrator account.
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click create.

  4. Remove old restore points
  • Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
  5. Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

  6. You may want to consider this

If you are using windows firewall, please note that it doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

You’re welcome. Take care and keep safe.

Done all!.. WHEW!.. THANKS A LOT… The only good thing about this virus experience is I learned much about PC protections and cleanup… ;D ;D

With regard to the firewall thing, links suggested are very informative and I think I’m now experiencing Info Overload. :o I’ll try to re-read and digest all the techy terms and ask around myself. Just hesitant to install firewall since I am not familiar with it and its configurations yet that I might end up with another connectivity problem. I’ll try to stay away from suspicious sites and unnecessary downloads for now 'til I have a good firewall running.

Again, thank you. Can’t say enough.

Best regards

Glad to help. Remember, regardless of which firewall you choose, these 3 avast components need access to the internet:

Ashwebsv.exe - webshield
Ashmaisv.exe - internet mail (outlook express)
Avast.setup - updates

Take your time, take a break. 8)

Hi Oldman,

It seems I lost the “Voice” for internet videos. I mean, when watching video clips on CNN or YouTube, there is no sound. Windows Media Player is working fine and I can play and hear music.

Could it be settings on the AVAST, Spyterminator or SAS that I unknowingly ticked?

Sorry, I know this is not related to “Worms and Viruses” anymore but this happened after we cleaned the virus and I felt you can also help me with this. I remember, the file infected was windows\system32\audiosr.dll… any relation?

Thanks!

I don’t think so… they’re not related.
Maybe a hardware problem?

Maybe… If you Google audiosr.dll, did you find any info about this trojan?

When I google audiosr.dll, I get Trojan.DoS.Win32.Opdos. I’ll have to go over the logs and see what was removed.

Yeah… could not be related… Google said audiosr.dll is really a trojan without any mention of connections with Windows…

But I’m not sure if it’s a hardware problem ’cause I can hear music (from PC files) thru Windows Media Player but not on video clips from CNN or YouTube… These sites were OK before the cleanup… I’m going to try if I’ll be able to use the dialer in Yahoo! Messenger, if I can hear the other end (haven’t tried after the clean up but was working before)… If I can’t, possibly the settings on my anti-spywares… I’m just not too familiar with what to “allow and block”…

I’ll do some “trial and error”… Anyway, if I get into mess and hit hard by another virus, I have you, guys, to run to… ;D

Combofix, for whatever reason, removed this file: C:\WINDOWS\system32\msacm32.drv

That may be what’s missing. Some files are backed up in another location. Try searching for msacm32.drv. If you find it, copy it to system32 folder.

No msacm32.drv file found.

Do you have access to another XP machine? You can copy it from there.

Tech’s kicking around somewhere, maybe he can check his. There might be a compressed copy in the driver cache, something I don’t have on 98se.

No other PC in the house… :(… I’ll ask around… tnx

Isn’t it on the original CD of the operational system?

Read carefully could help: http://www.adobe.com/cfusion/webforums/forum/messageview.cfm?forumid=44&catid=184&threadid=977024&enterthread=y

Also http://files.filefront.com/fixnoflashsoundreg/;8371314;/fileinfo.html

Hey, Tech, I think those links apply if the file is present. He said he can’t find the file.

I’ll have access to an XP machine tonight, I’ll see if there is a copy of the file in the cache.

Hi Tech and Oldman,

It’s working now!.. Thanks! I got the file from my sis… however while using the Yahoo Messenger, we found out that my mic is not working. I can hear her but she can’t hear me… Could be a hardware problem but since it’s almost midnight here and everybody else that I can bother is already sleeping, I have to wait for tomorrow to test the mic again…

Another thing, I saved the one that she sent on my desktop then copied it to System32. Now I can’t remove the one on the desktop. How can I delete it? The owner of this computer is my 5yo daughter ;D that is why I want the desktop as clean as possible.

Also, what can you say about DeepFreeze? My sis is using it with only esetnod32. She said it’s worry free… IMO, I still don’t like it. But I still value your opinions.

Glad you got it, that part anyway.

Try safe mode or the administrator account to rename the file on the desktop. Then reboot and make sure your sound is still working. If everything is good then remove it.

If that doesn’t work, open windows explorer, create a folder at c:\ , call it whatever you want, click the desktop folder, find the file in the right hand panel, use the right mouse button to drag it to the new folder and select move.

I googled ’til the wee hours and found two things. 1. Only one other instance of this file being removed by combofix, but the thread wasn’t finished, so don’t know the outcome. 2. There is a trojan that uses that name. I had the link, but closed the wrong notepad. Darned if I can remember the search parameters I used. History on this machine is flaky, sometimes it’s there, sometimes it’s not. :’(

The author of combofix (sUBs) is very diligent and since that is a common file, you’d think there would have been a rash of these. No one that I asked has had this happen. I used combofix in other threads at the same time and there probably were thousands of other usages at the same time. Perhaps your copy was in fact infected? ???

Your yahoo mic, did you try reinstalling it? And any related software?

DeepFreeze, don’t know. There are other similar programs. I don’t know what would happen if it did get infected. There are other considerations besides updates, downloads would have to be made away from the protection.

http://en.wikipedia.org/wiki/Deep_Freeze_(software)

Tech plays with these things, hopefully he will comment. ;D