We see a lot of victims with a Win32 BHO-KD trojan infection. BHO = browser helper object; there are good ones and malicious ones. There is a modified winlogon, there are file allocation changes, and there are altered DLLs with names just slightly different from the normal Microsoft or driver variants. In a nutshell, strange fruit inside Windows.
Read here for aspects of a more general malware problem: http://www.geocities.jp/kiskzo/index.html
Hi, this is my first time. My name is tonie. I have a sample of malware win32;BHO-KD[trj] cmprop.dll.
Avast can’t delete it, saying access denied. I used Spybot, Spyware Terminator 2, and RegClean. When I go to Start, sometimes Avast kicks in and picks up the malware. Please help! tonie
Sorry polonus, but it seems tonie wants to be helped here.
Please download OTMoveIt by OldTimer: http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\drivers\fnhmpxto.dat
Return to OTMoveIt, right-click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply with a new combofix log.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.