I need some advice removing this Trojan horse from my daughter's laptop. Avast came up with the warning for the Trojan horse Win32:BHO-KD in system32/camoc.dll. I am attaching a logfile from HijackThis. Any help would be appreciated. Thanks
hmm… I don’t see the normal items associated with a Win32:BHO-KD infection. The only one that stands out to me is the following, which Prevx lists as bad:
O2 - BHO: (no name) - {3DD9450E-8E39-4717-A4ED-ADB432B91402} - C:\WINDOWS\system32\camoc.dll
Don’t fix it yet though and wait for more help.
That’s the one.
First, before you do anything else, please move hijackthis.exe into its own folder.
Examples: C:\Program Files\HJT\HijackThis.exe or C:\HJT\HijackThis.exe
HijackThis will only create backups if it runs in its own folder.
Open HJT, run a system scan only, and checkmark these lines if present:
O2 - BHO: (no name) - {3DD9450E-8E39-4717-A4ED-ADB432B91402} - C:\WINDOWS\system32\camoc.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
Close all other browsers/windows, click fix, close HJT.
Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.
Just one question. O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
Is McAfee Online VirusScan correct? Does it really need to be fixed?
It’s an empty key, just housekeeping.
I ran HijackThis and checked the two files to be fixed. I also downloaded and ran ComboFix. I am including the two logs and will wait for further instructions.
thanks
uh oh, u still have
O2 - BHO: (no name) - {3DD9450E-8E39-4717-A4ED-ADB432B91402} - C:\WINDOWS\system32\camoc.dll
in your report :-[
oldman will have to help you again (the poor guy is overworked i tell ya).
Sorry about the delay, was working on an ornery auto run. I’m on it now.
Okay, it’s hiding from ComboFix, we will use a different scanner.
Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Every time I try to run the DSS scanner I get the following error; I have included the error in a JPEG file.
Thanks for your help
We’ll use this instead.
Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
[*]Under Additional Scans click the checkboxes in front of the following items to select them:
Reg - BotCheck
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in.
Here is the logfile from the WinPFind35U scan.
thanks again
Okay, got it. This may take a while, thanks for your patience.
Start WinPFind35U. Copy/Paste the information in the quote box below into the pane where it says “Paste fix here” and then click the Run Fix button.
[Registry - Non-Microsoft Only]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
NY -> {3DD9450E-8E39-4717-A4ED-ADB432B91402} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\camoc.dll [Reg Error: Value does not exist or could not be read.]
[Files/Folders - Modified Within 30 days]
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
YY -> uckixiza.dat -> C:\Documents and Settings\Valued Customer\Local Settings\Temp\uckixiza.dat
YY -> flxsgiow.dat -> %SystemRoot%\system32\drivers\flxsgiow.dat
YY -> camoc.dll -> %SystemRoot%\system32\camoc.dll
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 3 C:\Documents and Settings\Valued Customer\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Valued Customer\Local Settings\Temp\*.tmp
YY -> sed.exe -> %SystemRoot%\System32\sed.exe
YY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
YY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
YY -> sed.exe -> C:\Documents and Settings\Valued Customer\Local Settings\Temp\~jujyeny.tmp\sed.exe
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
Please rename combofix.exe to bugout.exe and post the log along with a new HJT log.
Thanks
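The WinPFind fix above removes a BHO registration by its CLSID alone. As an added example that is not part of this thread or of any of the tools it uses, the PowerShell script below lists every registered BHO the way a HijackThis O2 line does, resolves each CLSID to its InprocServer32 DLL, and flags the warning signs the helpers reacted to: no friendly name, a missing file, a DLL sitting in system32, or a DLL without a valid Authenticode signature. All function and variable names are my own; the registry paths are the standard BHO and CLSID locations.

```powershell
# Added example (not from the thread): report Browser Helper Objects with
# the same red flags the helpers looked for (nameless entry, DLL in
# system32, missing file, unsigned DLL). Read-only; it changes nothing.

$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoReport {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName
            # The BHO key only names the CLSID; the DLL path is the default
            # value of HKCR\CLSID\{...}\InprocServer32 (Wow6432Node on x64).
            $inproc = @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                        "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32") |
                      Where-Object { Test-Path $_ } | Select-Object -First 1
            $name = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" `
                        -ErrorAction SilentlyContinue).'(default)'
            $dll = $null
            if ($inproc) {
                # InprocServer32 is often REG_EXPAND_SZ, e.g. %SystemRoot%\system32\x.dll
                $dll = [Environment]::ExpandEnvironmentVariables(
                           (Get-ItemProperty $inproc).'(default)')
            }
            $flags = @()
            if (-not $name)  { $flags += 'no name' }          # HJT shows "(no name)"
            if (-not $dll)   { $flags += 'no InprocServer32' }
            elseif (-not (Test-Path $dll)) { $flags += 'file missing' }
            else {
                # Heuristic: legitimate BHOs rarely install into system32.
                if ($dll -like "$env:SystemRoot\system32\*") { $flags += 'in system32' }
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            }
            [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll
                               Flags = ($flags -join ', ') }
        }
    }
}

Get-BhoReport | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; any row whose Flags column is non-empty deserves a closer look, but an unsigned or nameless entry is a prompt for investigation, not proof of infection.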
As requested, ran the script you sent. Here are the log files.
Well, it’s still there, so we try a different one. First though, do you have XP disks? We may need to use the Recovery Console. But we’ll try this and have a look from a different angle.
Please download The Avenger by Swandog46 to your Desktop.
1. Click on Avenger.zip to open the file
[*] Extract avenger.exe to your desktop
[QUOTE]Drivers to unload:
lcibmaqt
Files to delete:
C:\WINDOWS\system32\drivers\flxsgiow.dat
C:\Documents and Settings\Valued Customer\Local Settings\Temp\uckixiza.dat
C:\WINDOWS\system32\camoc.dll
[/quote]
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, start The Avenger program by clicking on its icon on your desktop.
[*] Under “Script file to execute” choose “Input Script Manually”.
[*]Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”
[*] Copy/Paste [b]all[/b] the text in the above quote box into this window by
[*] MAKE SURE THE TEXT MATCHES EXACTLY
[*] Click Done
[*] Now click on the Green Light to begin execution of the script
[*] Answer “Yes” twice when prompted.
3. The Avenger will automatically do the following:
[*]It will restart your computer. (In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log
Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Did as requested, but it’s still there after reboot. Here is the Avenger log. I can’t get the DSS scanner to complete; it always errors out right at the end. I do have the XP disks.
Thanks
Forgot the Avenger file.
Hang tough, I’ve got to seek some advice on the Avenger log. I won’t forget about you.
Recovery Console it is then. First we need to know a little more about this guy.
1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.
RegSearch Options File
[Search]
flxsgiow.dat
uckixiza.dat
camoc.dll
[Exclude]
[Options]
Filter=KVDLUI
2. Download Registry Search to your desktop.
[*]Right click on the compressed RegSearch folder, and choose “Extract All”. In the box that pops open, click “Next”, then “Next” again, and then “Finish”. You now have another RegSearch folder on your desktop.
[*]Open the new folder, and double click on regsearch.exe
[*]Click “Import” in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
[*]Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
[*]Please reply here with the entire contents of the Notepad file from RegSearch.
If you are not sure that you set it up right or are having problems, please do not hesitate to ask.
Once you post back we’ll be set.