Help removing Win32:BHO-KD [Trj]

Hi, I’m having trouble removing a virus called Win32:BHO-KD [trj] and the infected file is C:\WINDOWS\system32\bthc.dll[UPX]

Please Help!
Thanks

Why can’t you remove it, what errors are displayed, etc.?
Or are you saying that it comes back after removal?

A google search for bthc.dll returns many hits, http://www.google.com/search?q=bthc.dll.

Hi, you will need to run these two programs and post their logs.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Click here to download HJTsetup.exe

- Save HJTsetup.exe to your desktop.
- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Hi, I ran ComboFix and it appears the virus was removed. Well, a zip file containing the virus appeared on the desktop and after scanning the PC with avast antivirus it came up clean. Where does the log appear?

Its default location is C:\Combofix.txt

There may be more, so please post the log and the HijackThis log.

Thanks

Hello, I have the same problem so I need help too. I did everything you said and here are the logs (attached).
Please help me.
Thank you very much.

P.S.: I have a problem with Win32:Onlinegames-CAZ [trj]

Can anyone please help me?

Thank you ;D

There’s lots to do here.

There is a driver that has to be disabled first. Copy and paste this part of the instructions into Notepad and save it to your desktop; you will need them as you will be in Safe Mode.

Step #1

Start in Safe Mode Using the F8 method:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.

Use the arrow keys to select the Safe Mode menu item.

Press the Enter key.

Step #2

Now we will need to disable the driver for this thing. Please do the following:

Click Start, click Control Panel, click Performance and Maintenance, and then click System.

On the Hardware tab, click Device Manager.

Click the View menu and if there is no checkmark in front of “Show hidden devices” then click on it to activate it.

Scroll down the list of devices and double-click Non-Plug and Play Drivers.

Locate d_kmd and right click it and then click the Properties option.

Click the Driver tab.

In the Startup section select Disable from the drop-down list.

Click General tab.

In the Device Usage drop-down list select Do not use this device (disable).

Click the Ok button and you should be prompted to reboot. You can reboot normally.

Now you can carry on in normal windows.

Please do all the steps in order and answer these questions.

How many usb devices do you have?

What are the drive letters usually assigned to them?

How many can be plugged in at a time?

Click this link and download this program to your desktop: querymountpoints.

http://cid-32d8666f4048075b.skydrive.live.com/browse.aspx/Malware%20files

This will show us not only all the mountpoints, but also all autoruns and their contents.

Download and Install Microsoft’s TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay – except your CD/DVD drive letters

This will prevent autoruns from running on your computer.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Plug in your usb device.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First it will remove any autorun.inf it finds. There shouldn’t be one on a fixed HD anyway. There is no need for such a file on any removable storage device – iPod, USB flash drive, cell phone, etc. – as you can open these drives manually.

It will create a SYSTEM-protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will also deprive any current Autorun infection of its ability to restart.

You can do this with all of your usb devices.

Go to Add/Remove Programs and uninstall this program if present:

WinFixer2006 or similar

Open HJT, run a system scan only, and check-mark these lines if present:

R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WhenUSearch Helper - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - C:\Program Files\WhenUSearch\search.dll (file missing)
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O4 - HKCU..\Run: [WinFixer2006] “C:\Program Files\WinFixer_2006\uwfx6.exe” /min

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\188qsm.bat
C:\2ifetri.cmd
C:\i.cmd
C:\h.cmd
C:\ylr.exe
C:\xo8wr9.exe
C:\WINDOWS\system32\drivers\d_kmd.sys

Folder::
C:\Program Files\WinFixer_2006

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{f998f93c-8c27-11dc-a9d8-000e5063ce67}]

This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

I will need the querymountpoints results, the ComboFix log, the HJT log and an answer to all the questions.
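The post above hand-picks HijackThis lines whose targets no longer exist ("(no file)", "(file missing)") or that point at a known unwanted program (WinFixer, WhenUSearch). The following is an added example, not code from this thread or from HijackThis, that automates that triage over a log: it parses the `Rn`/`On` entry format and flags dangling entries and entries naming a program from a small unwanted-name list. The sample log is constructed for the example; it reuses the exact lines quoted in the post plus one made-up benign avast! Run entry to show that ordinary entries are left alone.

```python
import re
from dataclasses import dataclass

# A HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - " and the entry body.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Markers HijackThis appends when the referenced file or CLSID target is gone.
DANGLING_MARKERS = ("(no file)", "(file missing)")

# Program names the thread identifies as unwanted; extend as needed.
KNOWN_UNWANTED = ("winfixer", "whenusearch")


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # why the line was flagged
    line: str    # the original log line


def triage_hjt(log_text: str, unwanted=KNOWN_UNWANTED) -> list[Finding]:
    """Return the entries a reviewer would mark for removal, in log order.

    Dangling entries take precedence over name matches so each line is
    reported once with a single reason.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = HJT_LINE.match(line)
        if not match:
            continue  # headers such as "Running processes:" are not entries
        code, body = match.group("code"), match.group("body")
        lowered = body.lower()
        if any(marker in lowered for marker in DANGLING_MARKERS):
            findings.append(Finding(code, "dangling entry (target missing)", line))
        elif any(name in lowered for name in unwanted):
            findings.append(Finding(code, "references a known unwanted program", line))
    return findings


# Constructed sample: the five lines quoted in the post plus one benign
# avast! Run entry (made up for this example) and a non-entry header line.
SAMPLE_LOG = r"""Running processes:
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WhenUSearch Helper - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - C:\Program Files\WhenUSearch\search.dll (file missing)
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O4 - HKCU\..\Run: [WinFixer2006] "C:\Program Files\WinFixer_2006\uwfx6.exe" /min
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_LOG):
        print(f"{finding.code}: {finding.reason}\n    {finding.line}")
```

Only the five lines the post tells the user to check are reported; the constructed avast! entry passes through untouched, which is the point of the post's warning not to let HijackThis "fix" everything it lists.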