Author Topic: Win32 BHO-KD outbreak - look for strange fruits inside Windows!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33624
  • malware fighter
Win32 BHO-KD outbreak - look for strange fruits inside Windows!
« on: January 02, 2008, 03:22:39 PM »
Hi malware fighters,

We see a lot of victims with a Win32 BHO-KD trojan infection. BHO = browser helper object; there are good ones and malicious ones. There is a modified winlogon, there are file allocation changes, there are altered DLLs with names just slightly different from the normal Microsoft or driver variants: in a nutshell, strange fruit inside Windows.
Read here for aspects of a more general malware problem: http://www.geocities.jp/kiskzo/index.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
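Hunting for the "strange fruit" polonus describes (unnamed BHOs, DLLs whose names are a character or two off a genuine Microsoft name), as an added example that is not code from the thread or from any of its posters: a small Python triage of the O2 (BHO) lines in a HijackThis log. The log lines, CLSIDs and the short allowlist below are constructed for illustration; a real hunt would compare against the file names of a known-clean build.

```python
import re
from typing import Dict, List, Optional

# Constructed HijackThis excerpt (not from the thread); cmprop.dll is the name
# tonie reported, the CLSIDs and paths are made up for this example.
SAMPLE_HJT_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\system32\\cmprop.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\\WINDOWS\\system32\\cryptdl1.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Deliberately tiny allowlist of genuine system DLL names (assumption: extend it
# from a clean reference machine before relying on the look-alike check).
KNOWN_SYSTEM_DLLS = {"crypt32.dll", "cryptdll.dll", "shdocvw.dll", "mshtml.dll", "kernel32.dll"}

# HijackThis O2 format: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names one or two characters off a real DLL."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(filename: str) -> Optional[str]:
    """Return the genuine DLL name this file name imitates, or None."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_DLLS:
        return None  # exact match is the real thing, not a look-alike
    dist, known = min((levenshtein(name, k), k) for k in KNOWN_SYSTEM_DLLS)
    return known if dist <= 2 else None

def triage_hjt(log: str) -> List[Dict[str, object]]:
    """Parse every O2 line and attach the reasons it deserves a closer look."""
    findings = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # O4 and other sections are not BHO entries
        filename = m["path"].rsplit("\\", 1)[-1]
        reasons = []
        if m["name"] == "(no name)":
            reasons.append("unnamed BHO")
        mimicked = lookalike_of(filename)
        if mimicked:
            reasons.append(f"look-alike of {mimicked}")
        findings.append({"clsid": m["clsid"], "dll": filename, "reasons": reasons})
    return findings
```

Entries with an empty reasons list are not cleared by this check; they simply show none of the two warning signs.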

tonie

  • Guest
Re: Win32 BHO-KD outbreak - look for strange fruits inside Windows!
« Reply #1 on: January 04, 2008, 04:45:36 AM »
Hi, this is my first time; my name is tonie. I have a sample of malware win32;BHO-KD[trj], cmprop.dll.
Avast can't delete it, saying access denied. I used Spybot, Spyware Terminator 2 and RegClean. When I go to Start, sometimes Avast kicks in and picks up the malware. Please help! tonie

oldman
Re: Win32 BHO-KD outbreak - look for strange fruits inside Windows!
« Reply #2 on: January 04, 2008, 07:33:08 AM »
Hi tonie, so as not to hijack Polonus' thread, I started one for you in the virus/worms forum.  ;)

I've offered you help there. It's called "tonie's BHO thread". You can get there by clicking this link.

http://forum.avast.com/index.php?topic=32411.0

tonie
Re: Win32 BHO-KD outbreak - look for strange fruits inside Windows!
« Reply #3 on: January 07, 2008, 12:36:22 AM »
Greetings oldman, this is tonie. I did what you told me and ran ComboFix/HijackThis; here are the results:

polonus
Re: Win32 BHO-KD outbreak - look for strange fruits inside Windows!
« Reply #4 on: January 07, 2008, 12:39:17 AM »
Hi tonie:

HJT file seems OK; maybe oldman wants to check some services,

pol

tonie
Re: Win32 BHO-KD outbreak - look for strange fruits inside Windows!
« Reply #5 on: January 07, 2008, 12:43:07 AM »
Just sent ComboFix results.

tonie
Re: Win32 BHO-KD outbreak - look for strange fruits inside Windows!
« Reply #6 on: January 07, 2008, 12:47:00 AM »
Thanks.

tonie
Re: Win32 BHO-KD outbreak - look for strange fruits inside Windows!
« Reply #7 on: January 07, 2008, 12:49:40 AM »
I'm going now, c u'll 2morrow, peace.

oldman
Re: Win32 BHO-KD outbreak - look for strange fruits inside Windows!
« Reply #8 on: January 07, 2008, 01:04:36 AM »
Sorry polonus, but it seems tonie wants to be helped here.  ;)

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\drivers\fnhmpxto.dat


Return to OTMoveIt, right-click in the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply with a new ComboFix log.
Close OTMoveIt.
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.


polonus
Re: Win32 BHO-KD outbreak - look for strange fruits inside Windows!
« Reply #9 on: January 07, 2008, 02:31:50 AM »
Hi oldman,

I hand this thread over to you two now; help tonie here, and I will keep an eye on it as well,

pol