WIN32:BHO-KD please help!

I too have WIN32:BO-KD in my comsvc.dll

OLDMAN LOGGED OFF SO I AM POSTING THIS TOPIC HERE

I cannot run combofix

so I ran dss.exe, attached is my main log

I was not able to copy the extra log

when I ran the dss.exe again all it gave me was the main log again

how can I produce the extra log?

[quote author=seraphia link=topic=32601.msg272656#msg272656 date=1200081260]
I too have WIN32:BO-KD in my encdecr.dll

I cannot run combofix

but I am able to run HijackThis and here is the logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.00.47, on 14/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Programmi\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
D:\Programmi\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\system32\svchost.exe
D:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Programmi\Spyware Doctor\svcntaux.exe
D:\Programmi\File comuni\Real\Update_OB\realsched.exe
D:\Program Files\Hamlet\Adsl\dslstat.exe
D:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Programmi\Windows Defender\MSASCui.exe
D:\WINDOWS\system32\wmrfr7qxq.exe
D:\Programmi\HP\HP Software Update\HPWuSchd2.exe
D:\Programmi\iTunes\iTunesHelper.exe
D:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
D:\Programmi\Spyware Doctor\SDTrayApp.exe
D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
D:\Programmi\Google\Google Updater\GoogleUpdater.exe
D:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
D:\Programmi\LG PC Suite\LG PC Sync\LGSyncManager.exe
D:\Programmi\OpenOffice.org 2.1\program\soffice.exe
D:\Programmi\OpenOffice.org 2.1\program\soffice.BIN
D:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
D:\WINDOWS\system32\svchost.exe
D:\Programmi\Alwil Software\Avast4\ashWebSv.exe
D:\Programmi\Spyware Doctor\swdsvc.exe
D:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\alg.exe
D:\Programmi\iPod\bin\iPodService.exe
D:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Programmi\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A1C33CA1-F529-44C8-A925-4CCCF98AAAE6} - d:\windows\system32\clcd16u.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Programmi\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {EDB956BD-B819-43B8-83ED-1B196B7B0868} - D:\WINDOWS\system32\encdecr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLSTATEXE] D:\Program Files\Hamlet\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [wmrfr7qxq] D:\WINDOWS\system32\wmrfr7qxq.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SDTray] "D:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [wmrfr7qxq] D:\WINDOWS\system32\wmrfr7qxq.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = D:\Programmi\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Google Updater.lnk = D:\Programmi\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Programmi\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Programmi\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Programmi\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - D:\Programmi\File comuni\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{109208AF-5A54-4D68-936A-FFADD7EDC067}: NameServer = 193.12.150.2 212.247.152.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{109208AF-5A54-4D68-936A-FFADD7EDC067}: NameServer = 193.12.150.2 212.247.152.2
O20 - AppInit_DLLs: D:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: firicaxy - D:\WINDOWS\SYSTEM32\clcd16u.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - D:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - D:\Programmi\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Programmi\Spyware Doctor\swdsvc.exe


End of file - 9186 bytes

PLEASE HELP ME!

I am working on a fix now, bear with me

seraphia, OK, this is a biggie - by the time we have finished, the MS files should be in the majority again. I may have duplicated some files and missed a few out as my eyes started to wander.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: (no name) - {00B99484-CB8D-4A41-AD4B-E7C2FAD1E900} - \

O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: (no name) - {6A8AFD43-167C-46EA-B467-EE608496ADB1} - C:\WINDOWS\system32\comsvc.dll
O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - (no file)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - (no file)
O2 - BHO: {e592f23c-1eef-26b9-5a94-fa107124b65c} - {c56b4217-01af-49a5-9b62-fee1c32f295e} - C:\WINDOWS\system32\oahblfgu.dll
O2 - BHO: (no name) - {D1D0FE44-1D40-4BB6-9AF1-8B03F4DB180A} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O4 - HKLM\..\Run: [Medichi] medichi.exe
O4 - HKLM\..\Run: [Medichi2] medichi2.exe
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - (no file)
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: winxyl32 - winxyl32.dll (file missing)
O20 - Winlogon Notify: wvuurqq - wvuurqq.dll (file missing)
O20 - Winlogon Notify: __c00B267E - C:\WINDOWS\system32\__c00B267E.dat

[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.

[*] Save it to your desktop.
[*] Please double-click OTMoveIt2.exe to run it.
[*] Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\WINDOWS\medichi2.exe
C:\WINDOWS\system32\40CA400c__.ini2
C:\WINDOWS\system32\sygwswcq.dll
C:\WINDOWS\system32\winter.exeO2
C:\WINDOWS\system32\__c00B267E.dat
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\medichi.exe
C:\Program Files\Spruce
C:\WINDOWS\system32\oahblfgu.dll
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\qwjopxox.dll
C:\WINDOWS\system32\oahblfgu.dll
C:\WINDOWS\system32\__c004AC04.dat
C:\WINDOWS\system32\appmgmt
C:\WINDOWS\system32\kuapoqgl.ini2
C:\Program Files\Outerinfo
C:\WINDOWS\system32\iifdcaw.dll
C:\Program Files\New Folder
C:\hide
C:\WINDOWS\system32\lgqopauk.dll
C:\WINDOWS\system32\nkxypvlu.dll
C:\WINDOWS\system32\ksfewljl.dll
C:\WINDOWS\system32\mhlrfmpi.dll
C:\WINDOWS\system32\npvoeqvq.dll
C:\WINDOWS\system32\fdkcxlur.dll
C:\WINDOWS\system32\vwkldmrv.dll
C:\WINDOWS\system32\ccabgguq.dll
C:\WINDOWS\system32\lfisjdwa.dll
C:\WINDOWS\system32\svtuxgan.dll
C:\WINDOWS\system32\dwgqykcn.dll
C:\WINDOWS\system32\xwruqidm.dll
C:\WINDOWS\system32\noiyaysq.dll
C:\WINDOWS\system32\duwxxyig.dll
C:\WINDOWS\system32\__c009F310.exe
C:\WINDOWS\system32\nqqaoreq.dll
C:\WINDOWS\system32\thpqwtxh.dll
C:\WINDOWS\murka.dat
C:\WINDOWS\system32\xaswieba.dll
C:\WINDOWS\system32\itodfsbx.dll
C:\WINDOWS\system32\eswbrxcx.dll
C:\WINDOWS\system32\hjqdxqug.dll
C:\WINDOWS\system32\ckpitoou.dll
C:\WINDOWS\system32\cokvhpem.dll
C:\WINDOWS\system32\lfmowrxd.dll
C:\WINDOWS\system32\apvsxdso.dll
C:\WINDOWS\system32\njprckha
C:\Program Files\SecCenter
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\jshqaljp.dll
C:\Program Files\Helper
C:\WINDOWS\system32\ineWc12
C:\Documents and Settings\HP_Administrator\X.exe
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\shtmthfi.dll
C:\WINDOWS\system32\qsegimhm.dll
C:\Program Files\EliteProtector
C:\Documents and Settings\HP_Administrator\Application Data\antivirus.exe
C:\WINDOWS\system32\ymlfwnbq.dll
C:\WINDOWS\system32\hmvplwiv.dll
C:\WINDOWS\system32\lnbyrkfr.dll
C:\WINDOWS\system32\baimajvk.dll
C:\WINDOWS\system32\drivers\ptjpswgy.dat
C:\WINDOWS\system32\comsvc.dll
C:\WINDOWS\system32\__c00B267E.dat
C:\Program Files\Gjioitzm
C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\drvwizr.dll
C:\WINDOWS\system32\drvwiz.dll
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\83122.exe
C:\WINDOWS\system32\sstts.dll

[*] Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.

[*] Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


purity

[*] Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

[*] Click the red Moveit! button.
[*] Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
[*] Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

licione, could you start your own thread, as this may become confusing otherwise ;D
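As an added example (not code from the thread, from HijackThis or from OTMoveIt2), a small Python triage script that applies the same checks the helper did by eye to a few lines copied from the log above: unnamed O2 BHOs, O20 Winlogon Notify / AppInit_DLLs hooks, O7 policy restrictions, and random-looking filenames such as wmrfr7qxq.exe. The filename heuristic is my assumption, not a HijackThis rule, and it will miss plausibly named files like comsvc.dll, which is why the BHO checks still matter.

```python
import re
from pathlib import PureWindowsPath

# Added example (not from the thread): triage HijackThis log lines the way the
# helper did by hand, flagging the entry types that carried this infection.
HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"“”]+|\b[\w~.-]+\.(?:exe|dll|dat)\b', re.I)

def looks_random(path: str) -> bool:
    """Heuristic (my assumption, not a rule from the thread): a stem of 7+ chars
    with no vowels, or 5+ chars with a digit followed by a letter (wmrfr7qxq, clcd16u)."""
    stem = PureWindowsPath(path).stem.lower()
    if len(stem) >= 7 and not re.search(r"[aeiou]", stem):
        return True
    return len(stem) >= 5 and re.search(r"\d[a-z]", stem) is not None

def flag_entry(line: str) -> list[str]:
    """Return the reasons a HijackThis line deserves a closer look ([] if none)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if sec == "O2" and "(no file)" in body:
        reasons.append("BHO CLSID points at a missing file")
    if sec == "O20":
        reasons.append("Winlogon Notify / AppInit_DLLs hook loaded at every logon")
    if sec == "O7":
        reasons.append("policy restriction (e.g. DisableRegedit) set in the registry")
    for path in PATH_RE.findall(body):
        if looks_random(path):
            reasons.append(f"random-looking filename: {PureWindowsPath(path).name}")
    return reasons

def triage(log: str) -> dict[str, list[str]]:
    """Map each flagged log line to its reasons; clean lines are left out."""
    return {ln: r for ln in log.splitlines() if (r := flag_entry(ln))}

# Constructed sample: lines copied from the log posted in the thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\\Programmi\\File comuni\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {A1C33CA1-F529-44C8-A925-4CCCF98AAAE6} - d:\\windows\\system32\\clcd16u.dll
O2 - BHO: (no name) - {EDB956BD-B819-43B8-83ED-1B196B7B0868} - D:\\WINDOWS\\system32\\encdecr.dll
O4 - HKLM\\..\\Run: [wmrfr7qxq] D:\\WINDOWS\\system32\\wmrfr7qxq.exe
O4 - HKCU\\..\\Run: [CTFMON.EXE] D:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: firicaxy - D:\\WINDOWS\\SYSTEM32\\clcd16u.dll
O7 - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
"""
```

Running `triage(SAMPLE_LOG)` leaves the Adobe BHO and ctfmon.exe lines out and returns the five entries the helper would have ticked, each with its reasons.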