WIN32:BHO-KD AGAIN!

I too have WIN32:BHO-KD in my comsvc.dll

PLEASE HELP - MY BUM HURTS FROM TRYING TO FIX THIS FOR THE PAST DAY AND A HALF

HOWEVER, combofix.exe cannot be run.

I get the error "not a valid win32 application".

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:59 AM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: (no name) - {00B99484-CB8D-4A41-AD4B-E7C2FAD1E900} -
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - (no file)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: (no name) - {6A8AFD43-167C-46EA-B467-EE608496ADB1} - C:\WINDOWS\system32\comsvc.dll
O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - (no file)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - (no file)
O2 - BHO: {e592f23c-1eef-26b9-5a94-fa107124b65c} - {c56b4217-01af-49a5-9b62-fee1c32f295e} - C:\WINDOWS\system32\oahblfgu.dll
O2 - BHO: (no name) - {D1D0FE44-1D40-4BB6-9AF1-8B03F4DB180A} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM..\Run: [Medichi] medichi.exe
O4 - HKLM..\Run: [Medichi2] medichi2.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User ‘Default user’)
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra ‘Tools’ menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: winxyl32 - winxyl32.dll (file missing)
O20 - Winlogon Notify: wvuurqq - wvuurqq.dll (file missing)
O20 - Winlogon Notify: __c00B267E - C:\WINDOWS\system32__c00B267E.dat
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - (no file)


End of file - 5939 bytes
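As an added example (not part of the original thread, and not code from HijackThis or any other tool named in it), here is a small Python script that parses HijackThis log lines like the ones above and flags the kinds of entries a helper picks out by eye: an F2 Shell= line that starts something besides Explorer, O2 BHOs with no descriptive name (or a GUID as their name) loading from disk, O4 Run values with no path or named "Undefined", the O7 DisableRegedit policy, and O20 AppInit_DLLs / Winlogon Notify entries. The sample log is a subset of the log posted above with the Adobe and avast! lines kept as known-good contrast; the heuristics, including the 7-9 letter random-name rule, are this example's own assumptions rather than anything HijackThis itself does.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: HijackThis 2.0.2 entries copied from the log posted in
# this thread, with the Adobe BHO and the two avast! entries kept in as
# known-good lines for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - (no file)
O2 - BHO: (no name) - {6A8AFD43-167C-46EA-B467-EE608496ADB1} - C:\WINDOWS\system32\comsvc.dll
O2 - BHO: {e592f23c-1eef-26b9-5a94-fa107124b65c} - {c56b4217-01af-49a5-9b62-fee1c32f295e} - C:\WINDOWS\system32\oahblfgu.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Medichi] medichi.exe
O4 - HKCU..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: winxyl32 - winxyl32.dll (file missing)
O20 - Winlogon Notify: __c00B267E - C:\WINDOWS\system32\__c00B267E.dat
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[FOR]\d{1,2}) - (?P<body>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Assumed heuristic: a file stem of 7-9 lowercase letters dropped straight
# into system32, the naming pattern of the BHO and Notify DLLs in this log.
RANDOM_SYS32_DLL_RE = re.compile(r"\\system32\\[a-z]{7,9}\.dll$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Entry:
    section: str          # HJT section code, e.g. "O2"
    body: str             # everything after the "O2 - " prefix
    reasons: List[str] = field(default_factory=list)


def parse(log: str) -> List[Entry]:
    """Split a pasted HijackThis log into (section, body) entries; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(e: Entry) -> Entry:
    """Attach a reason for every heuristic the entry trips; no reasons means it looks normal."""
    b = e.body
    if e.section == "F2" and b.startswith("REG:system.ini: Shell="):
        if b != "REG:system.ini: Shell=Explorer.exe":
            e.reasons.append("Shell= runs an extra program alongside Explorer")
    elif e.section == "O2" and b.startswith("BHO: "):
        # Layout: BHO: <name> - {CLSID} - <dll path | (no file)>
        parts = b[len("BHO: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            name, _clsid, path = parts
            if path == "(no file)":
                e.reasons.append("orphaned BHO registration, DLL already gone")
            else:
                if name == "(no name)" or GUID_RE.match(name):
                    e.reasons.append("BHO without a descriptive name loading from disk")
                if RANDOM_SYS32_DLL_RE.search(path):
                    e.reasons.append("random-looking DLL name in system32")
    elif e.section == "O4":
        m = O4_RE.search(b)
        if m:
            if m["name"] == "Undefined":
                e.reasons.append("Run value named 'Undefined'")
            if "\\" not in m["cmd"]:
                e.reasons.append("Run command has no path, resolved via the search path")
    elif e.section == "O7" and "DisableRegedit=1" in b:
        e.reasons.append("policy disables regedit, a common self-protection trick")
    elif e.section == "O20":
        if b.startswith("AppInit_DLLs:") and b.split(":", 1)[1].strip():
            e.reasons.append("AppInit_DLLs set: DLL injected into every process that loads user32")
        elif b.startswith("Winlogon Notify:"):
            if "(file missing)" in b:
                e.reasons.append("orphaned Winlogon Notify entry")
            elif b.lower().endswith(".dat"):
                e.reasons.append("Winlogon Notify package is a .dat, not a .dll")
    return e


def suspicious_entries(log: str) -> List[Entry]:
    """Parse and triage a log, returning only the entries that tripped a heuristic."""
    return [e for e in map(triage, parse(log)) if e.reasons]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.section:<4}{e.body}")
        for r in e.reasons:
            print(f"      -> {r}")
```

Run on the sample, the script flags ten of the thirteen entries and leaves the Adobe BHO and both avast! lines alone. The reasons are deliberately conservative wording ("orphaned", "no descriptive name"): a flagged entry is a candidate for a closer look and for the fix list a helper builds, not a verdict on its own.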

Hmmm…my link took you to a different forum than I expected. No matter, it works from here also. :wink: So remember, it’s in the "avast! 4.x Home/Pro" forum.

I’ll give you three things to try , please try them in order.

  1. rename combofix.exe to bummer.exe and try to run it.

  2. boot into safe mode and try to run it from there.

If either of these work, please post the combofix log and a new HJT log.

If neither works, then we’ll use a different scanner.

Only if the above doesn’t work:

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

You can attach logs by using the additional options button on the reply page.

Posting fast, as a cleaner just popped up and took my page away.

Here is the main log from running DSS.

Lost the extra log.

How can I reproduce it?

Running again just produced the main log.

Go to this link and download regtmcmdrestore and controlpanelrestrictionrestore, save them to your desktop. Double click on the file to run it. It will restore regedit and control panel.

Run regtmcmdrestore first.

Open HJT, run a system scan only, and check mark these lines if present:

O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: (no name) - {6A8AFD43-167C-46EA-B467-EE608496ADB1} - C:\WINDOWS\system32\comsvc.dll
O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - (no file)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - (no file)
O2 - BHO: {e592f23c-1eef-26b9-5a94-fa107124b65c} - {c56b4217-01af-49a5-9b62-fee1c32f295e} - C:\WINDOWS\system32\oahblfgu.dll
O2 - BHO: (no name) - {D1D0FE44-1D40-4BB6-9AF1-8B03F4DB180A} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:
O4 - HKLM..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: winxyl32 - winxyl32.dll (file missing)
O20 - Winlogon Notify: wvuurqq - wvuurqq.dll (file missing)
O20 - Winlogon Notify: __c00B267E - C:\WINDOWS\system32__c00B267E.dat

Close all other browsers/windows, click fix, close HJT.

Please download the OTMoveIt by OldTimer from: http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

* Save it to your desktop.
* Please double-click OTMoveIt2.exe to run it.
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\medichi.exe
C:\WINDOWS\system32\user32.dat
C:\WINDOWS\medichi2.exe
C:\WINDOWS\system32\40CA400c__.ini2
C:\WINDOWS\system32\sygwswcq.dll
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\system32\qwjopxox.dll
C:\WINDOWS\system32\oahblfgu.dll
C:\WINDOWS\system32__c004AC04.dat
C:\WINDOWS\system32\kuapoqgl.ini2
C:\WINDOWS\system32\iifdcaw.dll
C:\hide
C:\WINDOWS\system32\lgqopauk.dll
C:\WINDOWS\system32\nkxypvlu.dll
C:\WINDOWS\system32\ksfewljl.dll
C:\WINDOWS\system32\mhlrfmpi.dll
C:\WINDOWS\system32\npvoeqvq.dll
C:\WINDOWS\system32\fdkcxlur.dll
C:\WINDOWS\system32\vwkldmrv.dll
C:\WINDOWS\system32\ccabgguq.dll
C:\WINDOWS\system32\lfisjdwa.dll
C:\WINDOWS\system32\svtuxgan.dll
C:\WINDOWS\system32\dwgqykcn.dll
C:\WINDOWS\system32\xwruqidm.dll
C:\WINDOWS\system32\noiyaysq.dll
C:\WINDOWS\system32\duwxxyig.dll
C:\WINDOWS\system32__c009F310.exe
C:\WINDOWS\system32\nqqaoreq.dll
C:\WINDOWS\system32\thpqwtxh.dll
C:\WINDOWS\murka.dat
C:\WINDOWS\system32\xaswieba.dll
C:\WINDOWS\system32\itodfsbx.dll
C:\WINDOWS\system32\eswbrxcx.dll
C:\WINDOWS\system32\hjqdxqug.dll
C:\WINDOWS\system32\ckpitoou.dll
C:\WINDOWS\system32\cokvhpem.dll
C:\WINDOWS\system32\lfmowrxd.dll
C:\WINDOWS\system32\apvsxdso.dll
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\jshqaljp.dll
C:\WINDOWS\system32\shtmthfi.dll
C:\WINDOWS\system32\qsegimhm.dll
C:\WINDOWS\system32\ymlfwnbq.dll
C:\WINDOWS\system32\hmvplwiv.dll
C:\WINDOWS\system32\lnbyrkfr.dll
C:\WINDOWS\system32\baimajvk.dll
C:\WINDOWS\system32\drivers\ptjpswgy.dat
C:\WINDOWS\system32\comsvc.dll
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\83122.exe

* Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
* Click the red Moveit! button.
* Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
* Close OTMoveIt

Try running combofix again after you do all the above. It will be a while till I can get back to this, but this will be a big start.

Please post the combofix log (if it runs), a new HJT log and the OTMoveIt results.

If no combofix, then a new DSS log.

Thanks.

Thank you.

Attached are the logs requested.

I will restart in safe mode after you reply to see if I can get combofix to work.

Sorry about the delay, sometimes work interferes with pleasure.

I need the OTMoveIt results; you should find them at c:\OTMOVEIT

I was hoping we got enough to allow combofix to run. That’s ok, we have a weapon for this.

Please download SmitfraudFix (by S!Ri) to your Desktop.
Download this tool from: http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click Smitfraudfix.exe
Select option #1 - Search by typing 1 and press “Enter”; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply as an attachment. The report can be found at the root of the system drive, usually at C:\rapport.txt

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user.

Thank you for your help.

The computer is out of my hands until Monday.

Can you please keep this thread open?

On Monday, I will repeat the steps in the post before last and send new logs.

Then I will do the steps in the latest post.

Have a great weekend.

Hope to get you next week.

Thanks for letting me know. Have a good weekend yourself.

Please delete the copy of combofix you have, we can download a new one if needed.

Hi seraphia,

Don’t panic if I’m not on line, just do the steps and post the logs. I’ll get to them. 8)

Oldman seems to have a lot of extra work these days.
Thanks for sharing your time to help us here!

Hello Oldman,

I am posting a little late here, but I haven’t had my hands on this computer since January.

I am going to run processes and post them shortly.

seraphia

Here are the logs.

I posted in the virus/worm section too.

If I get help before you get to it, I will post that here.

Here are my combofix and HJT logs.

Again, thank you.

Hi, as Oldman is a tad busy I will jump in.

  1. Please open Notepad
     * Click Start, then Run
     * Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


Driver::
zkzjyiwb

File::
C:\Documents and Settings\HP_Administrator\X.exe
C:\WINDOWS\system32\__c004AC04.dat
C:\WINDOWS\system32\__c00B267E.dat
C:\WINDOWS\pss\infos.exe
C:\WINDOWS\system32\drivers\ptjpswgy.dat

Folder::
C:\Program Files\Gjioitzm
C:\WINDOWS\pss\Spruce

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B267E]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f448c388"=-

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     * Combofix.txt
     * A new HijackThis log.
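As an added example, not part of essexboy's post and not ComboFix's own code: a Python script that reads a CFScript of the shape above, groups it into its Driver::/File::/Folder::/Registry:: sections, interprets the Registry:: block's .reg-style syntax ([-KEY] deletes a key, [KEY] selects a key and "name"=- deletes a value under it), and lints the File::/Folder:: paths before the script is handed to someone else's machine. The sample script is the one posted above; the protected-directory list and the lint rules are this example's assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the CFScript posted in this thread, reproduced as given.
SAMPLE_CFSCRIPT = r"""
Driver::
zkzjyiwb

File::
C:\Documents and Settings\HP_Administrator\X.exe
C:\WINDOWS\system32\__c004AC04.dat
C:\WINDOWS\system32\__c00B267E.dat
C:\WINDOWS\pss\infos.exe
C:\WINDOWS\system32\drivers\ptjpswgy.dat

Folder::
C:\Program Files\Gjioitzm
C:\WINDOWS\pss\Spruce

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B267E]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f448c388"=-
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group the script's lines under their 'Name::' headers; blank lines are skipped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_actions(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Interpret a Registry:: block, which uses .reg-file syntax:
    [-KEY] deletes a key, [KEY] selects it, and "name"=- deletes a value in it.
    Returns (action, key, value_name) triples."""
    actions = []
    key = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], ""))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None and line.endswith("=-"):
            actions.append(("delete_value", key, line[:-2].strip('"')))
    return actions


# Assumed list of directories a removal script must never target whole.
PROTECTED = {"c:", "c:\\windows", "c:\\windows\\system32", "c:\\program files"}


def lint(sections: Dict[str, List[str]]) -> List[str]:
    """Sanity checks a reviewer runs before handing a script to someone else's machine."""
    problems = []
    for path in sections.get("File", []) + sections.get("Folder", []):
        if not re.match(r"^[A-Za-z]:\\", path):
            problems.append(f"not an absolute path: {path}")
        elif path.rstrip("\\").lower() in PROTECTED:
            problems.append(f"targets a protected directory: {path}")
    for name in sections.get("Driver", []):
        if not re.fullmatch(r"[A-Za-z0-9_]+", name):
            problems.append(f"Driver:: entries are bare service names, not paths: {name}")
    return problems


if __name__ == "__main__":
    s = parse_cfscript(SAMPLE_CFSCRIPT)
    for section, lines in s.items():
        print(f"{section}:: {len(lines)} line(s)")
    for action in registry_actions(s["Registry"]):
        print(" ", *action)
    print("lint:", lint(s) or "clean")
```

On the posted script this reports one driver, five files, two folders, three key deletions and one value deletion (f448c388 under HKLM\...\CurrentVersion\Run), and a clean lint. A relative path such as a bare infos.exe would be reported, which is the kind of slip that matters when the script is run on a machine the author cannot see.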

Thank you in advance.

Here are the logs.

hi seraphia, you are in good hands. :smiley:

Thanks essexboy, it seems to be feast or famine lately.

I’ll leave you two to it.

Hi seraphia, could you repost the combofix log please, as that one only had 5 lines in it???