Another day, another person infected with Win32:BHO-KD

Except the infected file is different from everyone else's. :frowning:
I can't delete the file in question: it gets detected by Avast, but I can't delete it, can't move it to the chest, can't move it, or anything - access denied. The only thing I can do is ignore it. The file in question is datacle.dll
I’m not very tech savvy but I want to get rid of this thing. Thanks for any help in advance.

Are you using Windows XP?
Can you schedule a boot-time scanning?

Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files.
Choose how to automatically process infected system files.
Click the Schedule button to confirm the settings.

If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can analyze them further.

Just tried that, and I got ‘access denied’ again - I cannot move it, delete it or anything - forced to ‘ignore’ it.

Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)

C:\windows\system32\datacle.dll is the infected file.

My Avast version is 4.7 Home Edition, database file version 080103-0 (January 3 '08)

So, you’re saying that in boot time scanning the file is not allowed to be accessed?

I suggest:

  1. Disable System Restore and reenable it after step 2.
  2. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.

Please, post the results.

I can scan the file, and it shows up that it's infected - but when I try to move it to the chest, or move it, or delete it, it says 'access denied'.

I’ll try your next suggestion.

I'm not talking about scanning just this file; I'm talking about boot time scanning. Did you schedule it and run it?

Yep I did perform a boot time scan - and I was still unable to move or otherwise do anything with the infected file when it was detected. My apologies for being unclear - it’s kind of late here. :-[

I performed the anti-rootkit scan with AVG and it detected no rootkits installed.

Edit: It's almost midnight here, so I'm off to sleep. I'll check this thread when I wake up, thanks again for your help in advance. :slight_smile:

Why can't avast have full access at boot time? This is my doubt… hope they can help us.

When trying the Delete button, did you check the “If necessary, delete the file during next boot” box?
That should work…

Thanks

Vlk, and so? ???

SilentAngel, you can also attach the boot time scan log file, C:\Program Files\ALWIL Software\Avast4\Data\Log\aswBoot.log :wink:

I’m talking to myself…

Would seem so…

Okay, I'm awake again and back to try to kill this thing. :wink:

Vlk, I tried to do that when the virus detection dialog box came up - when I rebooted it's like nothing had happened - still getting that it's being detected, and the same file/directory.

I’ll attach the boot log in my next post.

CmdLine - quick
aswBoot.exe /M:46c04315 /A:"*" /L:"English" /KBD:2
CmdLine end
Processing file operations…
c:\windows\system32\datacle.dll> … c0000022
c:\windows\system32\datacle.dll> … c0000022
ProcessFileOperations: 0
CreateKbThread
new CKbBuffer
CKbBuffer::Init
CKbBuffer::Init end
NtCreateEvent(g_hStopEvent)
NtAllocateVirtualMemory - stack
NtGetContextThread - NtCurrentThread
NtCreateThread - KbThread
CreateKbThread end
NtInitializeRegistry
KbThread start
ReadRegistry
DATA=C:\Program Files\Alwil Software\Avast4\DATA
PROG=C:\Program Files\Alwil Software\Avast4
BUILD=1098
Microsoft Windows XP Service Pack 2
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
ReadRegistry end
CreateTemp
CreateTemp end
cmnbInit
SetFolders
SetFolders end
aswEnginDllMain(DLL_PROCESS_ATTACH)
InitLog
InitLog end
CmdLine - full
aswBoot.exe /M:46c04315 /A:"*" /L:"English" /KBD:2
CmdLine end
Unschedule
61,00,75,00,74,00,6F,00,63,00,68,00,65,00,63,00,
6B,00,20,00,61,00,75,00,74,00,6F,00,63,00,68,00,
6B,00,20,00,2A,00,00,00,61,00,73,00,77,00,42,00,
6F,00,6F,00,74,00,2E,00,65,00,78,00,65,00,20,00,
2F,00,4D,00,3A,00,34,00,36,00,63,00,30,00,34,00,
33,00,31,00,35,00,20,00,2F,00,41,00,3A,00,22,00,
2A,00,22,00,20,00,2F,00,4C,00,3A,00,22,00,45,00,
6E,00,67,00,6C,00,69,00,73,00,68,00,22,00,20,00,
2F,00,4B,00,42,00,44,00,3A,00,32,00,00,00,00,00,

Unschedule end
LoadResources
LoadResources end
InitReport
InitReport end
NtSetEvent(g_hInitEvent) - 1
InitKeyboard
g_dwKbdNum: 2
s_dwKbdClassCnt: 2
InitKeyboard end
NtSetEvent(g_hInitEvent) - 2
GetKey
FreeMemory: 356331520
aswintegInitialize
avworkInitialize
FreeMemory: 324481024
CKbBuffer::Wait
CKbBuffer::Get
CKbBuffer::Get end
CKbBuffer::Wait end
ProcessArea
avfilesScanReal(MBR0)
avfilesScanReal C:
CKbBuffer::Get
0, 1, 3, 0, 0
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
MarkFileRemoval
MarkFileRemoval end
0, 2, 1, 0, 0
CKbBuffer::Get
0, 1, 3, 0, 0
0, 6, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
CKbBuffer::Get
0, 6, 1, 0, 0
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
0, 2, 1, 0, 0
GetErrorText
CKbBuffer::Get
0, 8, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
GetErrorText
0, 8, 1, 0, 0
CKbBuffer::Get
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
CKbBuffer::Get
0, 2, 1, 0, 0
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
GetErrorText
0, 2, 1, 0, 0
CKbBuffer::Get
0, 4, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
CKbBuffer::Get
0, 4, 1, 0, 0
0, 2, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
GetErrorText
0, 2, 1, 0, 0
CKbBuffer::Get
0, 10, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
GetKey
CKbBuffer::Get end
0, 10, 1, 0, 0
avworkClose
aswintegClose
TerminateKbThread
GetKey end
CloseKeyboard
CloseKeyboard end
KbThread stop
CKbBuffer::~CKbBuffer
CKbBuffer::~CKbBuffer end
aswEnginDllMain(DLL_PROCESS_DETACH)
cmnbFree
FreeResources
CloseReport
CloseLog
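The log above is the most useful evidence in this thread, so here is an added example (my own code, not avast's and not posted by anyone in the thread) that decodes its two informative parts. The hex block printed under "Unschedule" is a UTF-16LE REG_MULTI_SZ; my reading, which the log does not state, is that it is the Session Manager BootExecute value that the boot scanner restores after removing its own entry. The "Processing file operations" lines end in an NTSTATUS code, and c0000022 is STATUS_ACCESS_DENIED, which matches what the user saw in Windows. The regex, the small NTSTATUS name table and the constructed input strings are my additions.

```python
import re

# Constructed input: the hex dump printed under "Unschedule" in the aswBoot.log
# above, copied verbatim. It is a REG_MULTI_SZ (NUL-separated UTF-16LE strings).
BOOTEXECUTE_HEX = """
61,00,75,00,74,00,6F,00,63,00,68,00,65,00,63,00,
6B,00,20,00,61,00,75,00,74,00,6F,00,63,00,68,00,
6B,00,20,00,2A,00,00,00,61,00,73,00,77,00,42,00,
6F,00,6F,00,74,00,2E,00,65,00,78,00,65,00,20,00,
2F,00,4D,00,3A,00,34,00,36,00,63,00,30,00,34,00,
33,00,31,00,35,00,20,00,2F,00,41,00,3A,00,22,00,
2A,00,22,00,20,00,2F,00,4C,00,3A,00,22,00,45,00,
6E,00,67,00,6C,00,69,00,73,00,68,00,22,00,20,00,
2F,00,4B,00,42,00,44,00,3A,00,32,00,00,00,00,00,
"""

# Constructed input: the "file operations" lines from the same log.
FILE_OPS_LOG = """\
Processing file operations...
c:\\windows\\system32\\datacle.dll> ... c0000022
c:\\windows\\system32\\datacle.dll> ... c0000022
ProcessFileOperations: 0
"""

# A few NTSTATUS values a boot-time file operation commonly reports
# (small hand-picked table, not a complete list).
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
    0xC0000121: "STATUS_CANNOT_DELETE",
}


def decode_multi_sz(hex_dump: str) -> list[str]:
    """Turn a comma-separated hex dump into the strings of a REG_MULTI_SZ value.

    REG_MULTI_SZ is a run of NUL-terminated UTF-16LE strings followed by one
    extra NUL, so decoding and splitting on NUL yields the list (empties dropped).
    """
    tokens = [t.strip() for t in hex_dump.replace("\n", ",").split(",") if t.strip()]
    raw = bytes(int(t, 16) for t in tokens)
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


# path> <anything> <8 hex digits>  -- the shape of an aswBoot file-operation line
FILE_OP_RE = re.compile(r"^(?P<path>.+?)>\s*\S*\s*(?P<status>[0-9A-Fa-f]{8})\s*$")


def parse_file_operations(log_text: str) -> list[dict]:
    """Extract (path, NTSTATUS) pairs from aswBoot file-operation lines and name the code."""
    results = []
    for line in log_text.splitlines():
        m = FILE_OP_RE.match(line)
        if not m:
            continue
        code = int(m.group("status"), 16)
        results.append({
            "path": m.group("path"),
            "status": code,
            "name": NTSTATUS_NAMES.get(code, "unknown NTSTATUS"),
            # NTSTATUS severity: bit 31 set means the operation failed.
            "failed": bool(code & 0x80000000),
        })
    return results


if __name__ == "__main__":
    for entry in decode_multi_sz(BOOTEXECUTE_HEX):
        print("BootExecute entry:", entry)
    for op in parse_file_operations(FILE_OPS_LOG):
        print(f"{op['path']}: 0x{op['status']:08X} {op['name']}")
```

Naming the status code is what makes the log actionable: access denied at boot time means something still protected the file when the scanner ran, whereas a not-found or sharing-violation code would point to a different cause, and that distinction is what a helper on the thread needs before suggesting the next tool.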

???

I was reading through the other threads concerning this virus, and decided to run Combofix to see if it would help the problem.
And I think it actually fixed the problem. :o
I can’t find any traces of datacle.dll in the system32 directory, and no more popups when I open IE are occurring. YAY!
I will run a boot scan again just to make sure that the little bugger is gone.

If you ran combofix, you might as well post the log and we can see if anything is left over. And a current HijackThis log.