Author Topic: Win32:BHO-WF Trojan  (Read 9616 times)


Confused1971

  • Guest
Win32:BHO-WF Trojan
« on: April 26, 2009, 07:58:43 PM »
My daughter's laptop somehow got this Trojan on it and I can't seem to get rid of it.  I have both Avast professional virus program as well as Malwarebytes anti-malware programs and neither can get rid of this virus.  It is in her C:\\WINDOWS\System32\datacle.dll file.  She has Windows XP so I can go through command prompt if someone knows the sequence.  Any suggestions?

BSAA

  • Guest
Re: Win32:BHO-WF Trojan
« Reply #1 on: April 26, 2009, 08:06:14 PM »
Why don't you try SAS? (Super Anti Spyware)
http://filehippo.com/download_superantispyware/

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89124
  • No support PMs thanks
Re: Win32:BHO-WF Trojan
« Reply #2 on: April 26, 2009, 08:11:42 PM »
Why can't either get rid of it?
E.g. file in use, protected, keeps coming back, etc. What errors?

If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right-click the avast icon and select Start avast! Antivirus; a memory scan will take place, followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Confused1971

  • Guest
Re: Win32:BHO-WF Trojan
« Reply #3 on: April 26, 2009, 08:19:18 PM »
Avast access is denied to move or delete the virus.  All it says is access denied.  Malwarebytes is denied as well, even on reboot.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89124
  • No support PMs thanks
Re: Win32:BHO-WF Trojan
« Reply #4 on: April 26, 2009, 08:21:45 PM »
In the access is denied situation, the avast boot-time scan should get round that problem.

Confused1971

  • Guest
Re: Win32:BHO-WF Trojan
« Reply #5 on: April 26, 2009, 08:55:12 PM »
Well, this just keeps getting better.  It deleted that virus on boot-time scan but it also brought up several more viruses that it couldn't touch.  Win32:winfixer-AH [trj].  Granted, this is partially my fault... I shouldn't have given her administrator access.  Any ideas for viruses that cannot be deleted by boot-time scan?  They seem to be in her local settings\Temp files.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:BHO-WF Trojan
« Reply #6 on: April 26, 2009, 09:04:54 PM »
Strange, at boot time, avast should have access to them???
Read the instructions, download and burn (maybe from another computer), and finally use one of these rescue CDs:
1. Avira
2. Kaspersky
3. BitDefender
4. F-Secure
5. Dr. Web
The best things in life are free.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: Win32:BHO-WF Trojan
« Reply #7 on: April 26, 2009, 09:07:31 PM »
For difficult bugs

http://www.norman.com/Virus/Virus_removal_tools/24789/en - Norman Malware Cleaner

http://www.freedrweb.com/ - Dr.Web CureIt

Confused1971

  • Guest
Re: Win32:BHO-WF Trojan
« Reply #8 on: April 26, 2009, 09:46:16 PM »
In boot-time it is allowing me to delete the virus, but when I open the computer, avast is still giving me the alert that the virus is still present and it won't let me delete it in the account.  But each time I run a boot-time scan, it says virus was deleted successfully.  This is driving me insane.  I used to be able to delete them by command prompt easily.  I am ready to scream.....  I am an ICU nurse, not a computer technician.  Is there a way to get rid of this without having to download more programs?  I downloaded and bought the SAS program suggested in an earlier post so I now have 3 programs - avast, SAS, and Malwarebytes, all paid for and none can remove this???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89124
  • No support PMs thanks
Re: Win32:BHO-WF Trojan
« Reply #9 on: April 26, 2009, 10:03:38 PM »
First, deletion isn't really a good first option (you have none left); 'first do no harm': don't delete, send the virus to the chest and investigate.

When you remove something it isn't uncommon to find other issues as it may have been hiding or protecting those.

You provided the file name, malware name and location in the first post, please continue that practice. Because it is it the same file and location there are other elements restoring it. Try running MBAM from safe mode and see if that is any more effective. So is this the same file name and location ?

Both SAS and MBAM have free options and would have worked to the same degree (so I only wish you had asked before paying). The only difference is that when you pay you get the resident protection module; that is the only difference from the free versions of SAS and MBAM.

Have you tried any of the suggested on-line scanners that you quoted?

Confused1971

  • Guest
Re: Win32:BHO-WF Trojan
« Reply #10 on: April 26, 2009, 10:14:08 PM »
MBAM doesn't even detect the virus.  The last boot-time scan got rid of the extra viruses that popped up.  But despite saying it was successfully deleted, the WIN32 trojan is still there, in the exact same location and the exact same file name.

Now, I could sit here and pretend I would know what to "investigate" if I opted to move it to the chest rather than delete it, but I don't have the first clue what I would be investigating, and as it isn't being deleted in the boot-time scan, would moving it be any more effective?

Patience with computers isn't my strong suit obviously. So purchasing programs isn't a bad thing for me, but this is getting silly.  In all my years of nursing, I can honestly say I thought that the human body threw more curve balls than anything else on this planet ever would.  I am discovering quite quickly that I am wrong.........

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89124
  • No support PMs thanks
Re: Win32:BHO-WF Trojan
« Reply #11 on: April 26, 2009, 10:25:58 PM »
Well you are doing the investigation now, I'm just putting the point across that deletion isn't a good option as one day it could bite you in the rear.

Whilst you say MBAM didn't detect it or anything, was it run from safe mode (?), as that can in some cases make it more effective, like the avast boot-time scan.

What we are trying to find is what is restoring the file after deletion by avast, as that is the real problem.

This topic from the avast forums also relates to this detection: http://forum.avast.com/index.php?topic=33037.0. It looks like it is quite stubborn.

Also see http://www.prevx.com/filenames/X1333954911684471889-X1/DATACLE.DLL.html.

Also see anti-rootkit detection, removal & protection: http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight


Confused1971

  • Guest
Re: Win32:BHO-WF Trojan
« Reply #12 on: April 26, 2009, 10:34:02 PM »
Well, at least I am not the only one ready to go insane.  Under my profile on her laptop, I can move it to the chest, but when I go back to my daughter's profile, it pops right back up and I can't do anything with it under her profile.  I will run MBAM in safe mode and see if it can detect it.  I can effectively delete it with Spybot (after making a backup point) but then several applications won't initiate on startup, so I end up restoring what Spybot deleted to get the other applications running.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33915
  • malware fighter
Re: Win32:BHO-WF Trojan
« Reply #13 on: April 26, 2009, 10:35:00 PM »
Hi Confused1971,

Let me explain why DavidR mentions this. Before you do anything to cure an infection, you have to follow some steps in a particular sequence, step by step.
1. Establish if you are infected or not. Is this a real-time genuine infection or a false positive? There is a sticky in this forum where we explain how best to go about this.
2. See what the infection is all about, with all the evidence, so run HijackThis or other scanners but do nothing with these yet.
3. We have established what we have at hand and where it resides, then move to the chest, and the end option is to delete, but it is better to fix. It could well be that a hidden infection vector process will re-install the infection on reboot, or some system files were not taken out, or something in the registry could revive the malware circus anew.
So when advice is given, follow these instructions meticulously, because the helpers have your best interest at heart and will take care not to harm your precious OS nor data,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
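
The replies above point at something restoring the file, possibly from the registry. The following is an added example, not code from any poster in this thread: it assumes the "BHO" in the detection name refers to an Internet Explorer Browser Helper Object, and parses a registry export to list which DLL each registered BHO loads. The sample export, the CLSIDs and the toolbar path are constructed; only the datacle.dll name comes from the thread.

```python
import re

BHO_KEY = r"\explorer\browser helper objects"

# Constructed excerpt of a registry export; CLSIDs and the toolbar path are
# made up. Only the datacle.dll file name comes from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-3333-3333-3333-333333333333}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\WINDOWS\\system32\\datacle.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
'''

VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}}; REG_SZ only."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE.match(line)
            if m:
                name = "" if m.group(1) == "@" else m.group(1)[1:-1]
                current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # unescape
    return keys

def bho_dlls(keys):
    """Map each registered BHO CLSID to its InprocServer32 DLL (None if absent)."""
    found = {}
    for path in keys:
        head, _, clsid = path.rpartition("\\")
        if head.endswith(BHO_KEY) and clsid.startswith("{"):
            suffix = "\\clsid\\" + clsid + "\\inprocserver32"
            dlls = [v.get("") for p, v in keys.items() if p.endswith(suffix)]
            found[clsid] = dlls[0] if dlls else None
    return found

def flag(keys, dll_name):
    want = "\\" + dll_name.lower()  # match on file name, any folder
    return sorted(c for c, d in bho_dlls(keys).items() if d and d.lower().endswith(want))
```

Exports written by regedit in the version 5.00 format are UTF-16, so read a real file with `encoding="utf-16"`. A CLSID that maps to the detected file, or to `None`, is the entry to report back to the helpers before anything is deleted.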

Confused1971

  • Guest
Re: Win32:BHO-WF Trojan
« Reply #14 on: April 26, 2009, 10:51:49 PM »
LOL, thanks for dummying down the process for me.  I wasn't even aware you could have a false positive.  MBAM is still showing nothing in safe mode. Spybot picks it up, and avast still allows me to move it to the chest in boot time, but when I open Windows, it shows it present again; I move it to the chest and instead of one infection, it shows me three:
Kernel32.dll in  C:\\Windows\System32 folder
winsock.dll in the same folder
wnsock32.dll in same folder

Michelle