Author Topic: Avast finds but cannot deal with Win32:BHO-KD (Trojan)  (Read 31620 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #15 on: January 01, 2008, 08:13:35 PM »
Download SUPERAntiSpyware

First update SAS, then boot into Safe Mode and set up SAS as follows.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- CHECK ALL BOXES




Return to the main page by clicking Close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\ Fixed Drive (and other fixed drives).

Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked. You can post the log in your next reply if you wish.

Chronos2k

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #16 on: January 01, 2008, 08:19:37 PM »
Is this a guess or did you see something to tell you that this will work?  I'm not being smart, I'm simply asking because I'm about to spend $30 on it.  Also....if this is some kind of a worm or something, is it safe to use my credit card to buy this?


Oops...sorry just saw that there's a free edition.  :D
« Last Edit: January 01, 2008, 08:24:14 PM by Chronos2k »

Chronos2k

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #17 on: January 01, 2008, 09:37:14 PM »
Hey, That seemed to work.  It found the file, quarantined it and rebooted the system.  When I got back on IE there is no sign of the virus.  THANKS!!!!   ;D

dholliday

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #18 on: January 01, 2008, 09:38:19 PM »
Thanks Tech, it's just that I already had Archive Scanning on and still it's Access Denied.  Temp files have all been checked and cleaned.  All other programs I've installed recognise the Trojan but can't do anything about it...even in Safe Mode/DOS mode.

I appreciate the links tho' and have noted them to better bulk up my PC security.

But the problem still remains.  I somehow need to force my ownership on the .dll file so I am authorised to delete it/move it to chest.




Can you follow the general cleaning process?

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on. This can avoid the access denied problem (files in use). Send files to Chest and do not delete them directly.
4. Use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

dholliday

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #19 on: January 01, 2008, 09:39:44 PM »
Hi Chronos2k...can you run that by me what you did exactly?

Thanks.



Hey, That seemed to work.  It found the file, quarantined it and rebooted the system.  When I got back on IE there is no sign of the virus.  THANKS!!!!   ;D

dholliday

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #20 on: January 01, 2008, 10:32:01 PM »
Update:

Superantispyware does not find the Trojan.  It does find a non-existent adware elsewhere  ???

pino-88

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #21 on: January 01, 2008, 10:48:13 PM »
My C:\WINDOWS\system32\AC3AP.dll\[UPX] file is infected by a Trojan Horse detected by Avast Home edition. The name of Trojan Horse is WIN32:BHO-KD[trj].

It was revealed by Avast! in its automatic scan when I started my PC. Avast! suggested action is "move to waste basket", but when I click on the relevant button Avast! replies "Access denied: I can not process file C:\WINDOWS\system32\AC3AP.dll\[UPX]." (access denied).

Then I ran a boot scan; the scan found the trojan but was unable to deal with it.

The scan found the infected file in C:\ , but I have another copy of the file "system32\AC3AP.dll\[UPX]" in E:\ which has also been scanned, but apparently was not found infected.

Therefore if I simply copy the apparently non-infected file from E:\ and paste it on C:\ , replacing the infected one, would it solve the problem? Or is it too simple?

Thanks
What shall I do?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #22 on: January 01, 2008, 11:05:37 PM »
That may or may not work, I can't say for sure.

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\AC3AP.dll

scroll down a bit and click "send file", wait for the results and post them in your next reply. Post the results here.

You may also want to try the SAS posted at the top of this page.

dholliday

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #23 on: January 01, 2008, 11:43:18 PM »
Hi Oldman.

I tried sending the file but get the following message in an otherwise blank white screen:

0 bytes size received


The affected .dll can not be copied or moved so that means it also can not be uploaded.


pino-88

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #24 on: January 01, 2008, 11:56:20 PM »

Here is what virustotal gave me.

The answer is in Italian, which is fine for me because it is my mother language.

I hope you will understand nevertheless:



File AC3AP.dll_ received on 2008.01.01 23:52:01 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND ABORTED

Result:
Loading server information...
Your file is queued in position: 5.
Estimated start time between 50 and 72 seconds.
Do not close the window until the scan is finished.
The scanner that was processing your file has stopped just now; we are waiting a few seconds to try to recover your results.
If you have been waiting for more than five minutes you must resubmit your file.
VirusTotal is checking your file right now,
the results will be displayed as they are generated.
Your file has expired or does not exist.
The service is stopped right now; your file has been waiting to be checked (position: ) for an indefinite time.

You can wait for the reply on the web (automatic reload) or type your email address in the box below and press "request" so the system will send you a notification when the scan is finished.

Antivirus Version Last update Result
AhnLab-V3 2008.1.1.10 2007.12.31 Win-Trojan/Bho.84992.E
AntiVir 7.6.0.46 2007.12.31 TR/BHO.agz.16
Authentium 4.93.8 2007.12.31 -
Avast 4.7.1098.0 2008.01.01 Win32:BHO-KD
AVG 7.5.0.516 2008.01.01 Generic9.AJGV
BitDefender 7.2 2008.01.01 Trojan.Spy.Bzub.NGP
CAT-QuickHeal 9.00 2007.12.31 Trojan.BHO.agz
ClamAV 0.91.2 2008.01.01 -
DrWeb 4.44.0.09170 2007.12.31 Trojan.DownLoader.38058
eSafe 7.0.15.0 2008.01.01 -
eTrust-Vet 31.3.5421 2008.01.01 Win32/Kvol!generic
Ewido 4.0 2008.01.01 Trojan.BHO.agz
Additional information
File size: 90880 bytes
MD5: 78dc77baf74190269500facd24c738eb
SHA1: b7904100d761fe31c441c5e0674b48f2bb6fd64a
PEiD: -
packers: UPX


WARNING: VirusTotal is a free service offered by Hispasec Sistemas. There is no guarantee of the availability and continuity of this service. Although the detection level achieved by multiple antivirus engines is far higher than that offered by a single product, these results do NOT guarantee that a file is safe. Currently, no solution offers 100% certainty in identifying viruses and malware.


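The VirusTotal report above identifies the sample by its MD5 and SHA1 rather than by its path, which is the useful part of it for anyone else seeing the same detection name: a file can be renamed or live on a different drive (as pino-88's E:\ copy does) and still be the same binary. The following is an added example, not code from the thread, from Avast or from VirusTotal. It hashes a file in chunks, compares the digests with the two hashes quoted in the report, and reports the "access denied" case separately because that is exactly the symptom several posters describe. Everything else (function names, the constructed sample file written by write_sample) is this example's own.

```python
import hashlib
import os
import tempfile

# Hashes for C:\WINDOWS\system32\AC3AP.dll as quoted in the VirusTotal
# result posted in this thread (copied from the post, not invented here).
KNOWN_BAD = {
    "md5": {"78dc77baf74190269500facd24c738eb"},
    "sha1": {"b7904100d761fe31c441c5e0674b48f2bb6fd64a"},
}


def hash_file(path, chunk_size=65536):
    """Return (md5, sha1) hex digests of a file, reading it in chunks
    so that large binaries are not loaded into memory at once."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def check_file(path, known_bad=KNOWN_BAD):
    """Classify a file by hash against a set of known-bad digests.

    Returns a dict whose 'status' is one of:
      'missing'       - no file at that path
      'access_denied' - the file exists but cannot be opened for reading
                        (the situation the thread describes)
      'match'         - MD5 or SHA1 equals a known-bad digest
      'clean'         - hashed fine, no match
    The digests are included whenever they could be computed.
    """
    if not os.path.exists(path):
        return {"status": "missing", "path": path}
    try:
        md5, sha1 = hash_file(path)
    except PermissionError:
        # Typical for an in-use or ACL-locked DLL; a boot-time scan or an
        # offline copy of the disk is needed to read such a file.
        return {"status": "access_denied", "path": path}
    matched = md5 in known_bad["md5"] or sha1 in known_bad["sha1"]
    return {"status": "match" if matched else "clean",
            "path": path, "md5": md5, "sha1": sha1}


def write_sample(data):
    """Write constructed bytes to a temporary file and return its path
    (used only so the example runs without a real infected DLL)."""
    fd, path = tempfile.mkstemp(suffix=".dll")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def cleanup(path):
    """Remove a sample file created by write_sample."""
    os.remove(path)


if __name__ == "__main__":
    sample = write_sample(b"abc")  # constructed, harmless sample content
    try:
        print(check_file(sample))
    finally:
        cleanup(sample)
```

On a live machine the path to check would be the one Avast reported; a 'match' result on a file that was copied from another partition, as pino-88 tried, tells you the "clean" copy is the same binary and the other scanners simply missed it.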

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #25 on: January 02, 2008, 12:09:37 AM »
@pino-88

It's definitely infected. I don't know if you can replace it as you suggested. It may be worth a try. It's also possible SAS will remove it, if you want to try.

Click on this link for download and set up instructions.

http://forum.avast.com/index.php?topic=32338.msg270447#msg270447

Failing that, we can use a different method.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #26 on: January 02, 2008, 12:14:36 AM »
@ dholliday

When you ran SAS did you update and run it in safe mode with these settings?

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- CHECK ALL BOXES




Return to the main page by clicking Close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\ Fixed Drive (and other fixed drives).
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

dholliday

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #27 on: January 02, 2008, 12:18:46 AM »
Update:

The file crypt3.dll appears to be almost like a phantom.  When I tried to email it to VirusTotal, the email was sent with the file apparently uploaded and attached, but when I looked in Sent Objects the email that was sent did not have an attachment.

So in summary:

- SuperAntiSpyware does not find the Trojan
- Avast does find the Trojan
- Security Task Manager identifies crypt3.dll as being a 92% dangerous file, but cannot delete/move it
- Upon Boot scan with Avast with Archive ON Trojan file is found but remains Access Denied
- crypt3.dll will not let itself be moved, copied or uploaded.  It has no identifiable properties.  It has next to zero mentions on the web apart from an ongoing epic saga here:

http://www.bleepingcomputer.com/forums/topic121819.html


We do not yet know:

- what Win32:BHO-KD is exactly as I haven't found any sites that identify it.
- how to force ownership of the affected file so that we can quarantine it.
- what kind of file crypt3.dll is supposed to be: what processes/applications it runs from, or where it comes from.



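One of the open questions in the post above is what kind of file the DLL actually is, and the VirusTotal report earlier in the thread notes "packers: UPX". Both can be answered from the PE header without executing anything. The following is an added example (not from the thread, Avast, VirusTotal or UPX): a minimal PE header reader that lists the section table, reports whether the COFF characteristics mark the image as a DLL, and flags the two classic packer tells, UPX-style section names and a section with a large virtual size but no raw data on disk. The sample image built by build_sample_dll is constructed for the example and is not the crypt3.dll or AC3AP.dll discussed in the thread; all function names are this example's own.

```python
import struct
import sys

# COFF Characteristics bits (PE/COFF specification)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}


def parse_pe(data):
    """Parse the DOS header, PE signature, COFF header and section table.
    Raises ValueError for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, _ts, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size           # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rawsize,
            "virtual_address": vaddr, "raw_offset": rawptr,
        })
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "sections": sections,
    }


def packer_hints(sections):
    """Return human-readable reasons to suspect a runtime packer."""
    hints = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            hints.append("section %s has a UPX-style name" % s["name"])
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append("section %s has no raw data but %d virtual bytes "
                         "(unpacking target)" % (s["name"], s["virtual_size"]))
    return hints


def triage(data):
    """Combine header facts and packer hints into one report dict."""
    info = parse_pe(data)
    info["packer_hints"] = packer_hints(info["sections"])
    return info


def build_sample_dll():
    """Construct a tiny, non-functional PE32 DLL image with the section
    layout a UPX-packed binary typically has (constructed test data)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    characteristics = (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
                       | IMAGE_FILE_DLL)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, characteristics)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)  # PE32 magic, rest zero

    def section(name, vsize, rawsize):
        return struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rawsize,
                           0x400, 0, 0, 0, 0, 0x60000020)

    sections = (section(b"UPX0", 0x10000, 0)      # reserved, unpacked at run time
                + section(b"UPX1", 0x2000, 0x1600)  # compressed payload + stub
                + section(b".rsrc", 0x1000, 0x200))
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_dll()
    report = triage(blob)
    print("machine:", report["machine"], "dll:", report["is_dll"])
    for s in report["sections"]:
        print("  %-8s virtual=%#x raw=%#x" % (s["name"], s["virtual_size"], s["raw_size"]))
    for h in report["packer_hints"]:
        print("  hint:", h)
```

Run it with a path as the first argument to inspect a real file (it only reads the header, never loads the DLL); with no argument it examines the constructed sample. A packed image explains why scanners disagree on the name and why a "clean" byte-for-byte copy is still the same malware: the detections are on the packed container, and the real payload only exists in memory after the stub unpacks it.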

dholliday

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #28 on: January 02, 2008, 12:20:25 AM »
Hi Oldman...I've just now seen yr post so will try SAS in safe and report back.

Thanks.




@ dholliday

When you ran SAS did you update and run it in safe mode with these settings?

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- CHECK ALL BOXES




Return to the main page by clicking Close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\ Fixed Drive (and other fixed drives).
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.


pino-88

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #29 on: January 02, 2008, 06:57:52 PM »

Hallo Oldman,

I have performed the suggested procedure, but the trojan is still there.

My experience is similar to that of dholliday, i.e.

- SuperAntiSpyware does not find the Trojan
- Avast does find the Trojan
- Upon Boot scan with Avast with Archive ON Trojan file is found but remains Access Denied


I also tried (unsuccessfully) a low-tech solution by copying a non-infected copy of c:\windows\system32\ac3ap.dll\[UPX] from partition e: and replacing the infected file.

- have you any idea of what this trojan exactly does? If it simply "spies" on me there will be no problem: I never process sensitive/confidential information on this PC/connection.

- it must be connected to Internet Explorer because when I start the browser avast pops up with it. So what will happen if I simply stop using IE and use another browser instead? (Opera? what is the most basic one?)