Help for removing malware: BHO-KD found in Bitsprx3n.dll

Discussion in 'Malware Help (A Specialist Will Reply)' started by fulviagar, Jan 2, 2008.

  1. fulviagar

    fulviagar Private E-2

    Hi all.
    I have a problem: my Avast Antivirus has detected a Trojan named BHO-KD in the file "Bitsprx3n.dll". Avast cannot remove it. Then I tried to follow the instructions explained in another thread, using AVG and Spybot, but they didn't succeed. Can you suggest a removal procedure for this Trojan?
    Sorry for my English... I am Italian, and thanks a lot for your help.

    Fulvia
     
  2. abri

    abri MajorGeek

  3. fulviagar

    fulviagar Private E-2

    Hi abri,
    thank you very much for your answer!
    I run the applications that you suggested to me and I obtained these log files.
    What can I do now? Please...help :)

    Fulvia
     

    Attached Files:

    Last edited by a moderator: Jan 2, 2008
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really! That user did not follow instructions and that is why it took so long. ;)
     
  5. fulviagar

    fulviagar Private E-2

    I apologize for having attached other logs to this message, but now I am sure that I have followed EXACTLY the instructions of the "Read and run me first" and then those of the "Windows XP cleaning procedures" up to Step 3.
    I add that I've also run the complete AVG scan; it has not produced a report file, but the result is that it has found the following:
    -Trojan.BHO.agz
    -TrackingCookie.Tribalfusion
    I selected the action to eliminate them, but I don't know if it succeeded.

    However the main problem, that is BHO-KD in "bitsrzx3n.dll" has not been eliminated :cry

    Is anyone so kind as to read my new logs and give me some suggestions?

    Thank you :wave

    Fulvia
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi Fulvia!

    Please do the following:


    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {56E5BEE6-0FDC-4463-B4D8-3214CB233A15} - C:\WINDOWS\system32\bitsprx3n.dll


    After you click fix, just close hijackthis.

    2) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    3) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    4) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment Standard Edition v1.3.1_13

    5) Reboot after uninstalling the above.

    6) Install the current version of Sun Java from: Sun Java Runtime Environment


    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  7. fulviagar

    fulviagar Private E-2

    Hi abri!
    I thank you very much again!
    I have done everything you told me and I have attached the file MGlogs.zip.
    The only thing that has not worked is that Avenger has not produced any log... that is, it has opened Notepad with an empty "Avenger.txt".
    And the virus is still on my computer. Avast always gives me the same message about BHO-KD.
    I hope that you have some other suggestions, and thank you for the time that you spend on me :wave

    Ciao ciao

    Fulvia
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi fulvia!

    Please print out the following instructions now before you continue:

    1)
    If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    2) Avenger is sometimes blocked from running by antivirus or anti-spyware programs. Please shut down your computer and physically unplug the computer from the internet. Then boot back up without the internet and disable any antivirus and firewall applications. Once you've done that, do the following:


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {56E5BEE6-0FDC-4463-B4D8-3214CB233A15} - C:\WINDOWS\system32\bitsprx3n.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime

    After you click fix, just close hijackthis.

    4) Please copy the bold text below (including the word REGEDIT4 ) to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry. When it prompts to Add in to the registry, say yes.
    5) Now run The Avenger by Swandog46
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    6) Now run CCleaner in the default setting with the Windows tab on the top. It will give you a warning message that it will permanently delete files. Just say okay and when it finishes close the program.


    7) Please run C:\MGtools\GetLogs.bat and reconnect your computer to the internet so you can attach the HijackThis log and the Avenger log to your next post.

    Be sure that your antivirus and antispyware programs are enabled when you reconnect!!

    Let me know how things are running now.

    abri
     
  9. fulviagar

    fulviagar Private E-2

    Hi abri,
    here are my new logs.
    The first thing you told me was that this problem is a tough one...and this is really really true!!!
    After all the steps (from 1 to 7) the virus is still alive!

    And now?
    I hope to read you again :)

    Fulvia
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi fulvia!
    Stubborn little monster! Let's try the following:

    1) Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    bitsprx3n.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    bitsprx3n.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    bitsprx3n.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {56E5BEE6-0FDC-4463-B4D8-3214CB233A15} - C:\WINDOWS\system32\bitsprx3n.dll

    3) Now run The Avenger by Swandog46
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    4) Now run CCleaner in the default setting with the Windows tab on the top. It will give you a warning message that it will permanently delete files. Just say okay and when it finishes close the program.


    5) Please run C:\MGtools\GetLogs.bat and attach the MGlogs.zip and the Avenger log to your next post.

    abri
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note to Abri,

    The DLL is not hooked into any of those processes nor any others. See procdll.txt.

    You need to go back to the http://forums.majorgeeks.com/showthread.php?t=147135 thread that you referenced in message # 2 and observe the steps with ComboFix that were used to fix this.
     
  12. fulviagar

    fulviagar Private E-2

    Hi abri!
    I've waited a long time before writing because I wanted to be sure that the problem was solved.... but I'm not yet sure!
    I have done everything you told me in your last post, twice (that is the reason why I have posted two pairs of logs). After the first time I did all the procedures, Avast did not find the malware any more during the memory scan, and so I was very happy! Afterwards, the warning about the virus appeared again, not during the memory scan, only once when I opened Internet Explorer. And so I have repeated all the steps beginning from the "Process Explorer".
    Now I don't understand anything any more :cry :cry

    I think that this malware is still in my computer but I'm not sure!

    What do you think about this?

    Thank you for everything :wave
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi fulvia!
    Some of the files in this fix are not showing in your logs anymore. I will try them anyway, because I think it's okay if they are not found. I hope this will get rid of the driver that's causing problems. If the instructions don't all work, just tell me.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot


    After clicking Fix, exit HJT.


    Now print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have the below icons on your Desktop (click the link to see what they look like)
    http://forums.majorgeeks.com/attachment.php?attachmentid=79346&thumb=1&d=1199242009


    • Now refer to the above image and use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.

    Make sure you tell me how things are working now!

    abri
     
    Last edited by a moderator: Jan 11, 2008
  14. fulviagar

    fulviagar Private E-2

    Hi abri!
    Yesterday I did all you told me and here are my logs after ComboFix.
    It seemed to me that things were going better, but today I have run the Avast scan and it has found the "Trojan horse BHO-KD" again, in bitsprx3n.dll. This time Avast was able to move it to the chest. Then I made another scan (I am getting fool :)) and Avast found the same Trojan in A0002386.dll !!!! I have moved it to the chest too. And now? In the registry I don't find "bitsprx3n.dll" nor "A0002386.dll", but I think that my computer is still infected.

    I execute all the procedures you tell me with much care, but maybe I am doing something wrong?
    Do I have to disable Avast during these actions? And the Windows firewall?

    I always thank you for your patience!!!

    Fulvia
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi fulvia!
    Something is causing the trojan to come back. When Avast finds it, please have Avast not only quarantine it, but delete it. You will have to delete the contents of the quarantine. Then run CCleaner to make sure the trash is empty as well. I'm going to give you some things to fix and then ask you to run two lengthy scans which pick up things other antivirus programs miss. I would like to see if they find these. To gain that information, it would be better to run these two scans (BitDefender and Panda), before you run Avast again. Please note that these two scans can only be run using Internet Explorer and only with Active X turned on. Before you run the scans, there are two other steps.

    1)
    Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. That will stop you getting all those sqm files.


    2)
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O4 - HKLM\..\Run: [MsgCenterExe] "C:\Programmi\File comuni\Real\Update_OB\RealOneMessageCenter.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"

    After you click fix, just close hijackthis.

    3) And now continue with the below instructions for the two online scans.

    Please read the directions carefully to get the logs in the form we need them.


    Bitdefender agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

    If you do not follow these steps, you will have an incorrect log or, worse, a log summary which is useless to us.

    Post the bdscan.txt file as an ATTACHMENT. You MUST attach the BitDefender log even if it indicates no problems. We want to see it anyway!!!! Also, if you run things out of order you will notice BitDefender showing the below, which is a false detection from PandaActiveScan:


    C:\WINDOWS\system32\ActiveScan\pskahk.dll
    Infected with: Generic.Malware.SIMDWYNVdprn.D9407F4E
    • Panda ActiveScan It will only fix certain viruses and trojans. Most items found will not be fixed. When it finishes the scan, click on See Report. Then in the next window click Save Report. The default report name is Activescan.txt. Just save it where you can find it so you can attach it to your message when you begin a thread with a request for help. If you have any problems trying to get a PandaActiveScan log, see the following link with more detail and follow it step by step: Using PandaActiveScan
    If you use Avast antivirus and it gives you an error like the below when trying to use Panda, just disable Avast while you run the scan. The error is a false positive. See the below link for more info.
    4) When you finish, attach the BitDefender and Panda logs in their requested form. Give me a progress report on your computer.

    abri
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's not back!! It is only in System Restore which had not been toggled yet! ;) You don't need to do those online scans! There is no reason for doing them since there is no infection.
     
    Last edited: Jan 13, 2008
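As an added example (not part of this thread and not code from HijackThis, Avast or any other tool mentioned here), the Python below covers two points that come up above: the HijackThis O2/O4 lines that abri asks to be fixed, which it parses into structured records and flags when a BHO has no registered name or points to no file, and chaslang's observation in post #16 that the later A0002386.dll hit sits inside a System Restore point rather than an active file (restore-point copies are named A followed by seven digits under System Volume Information). The sample lines, the detection paths and the restore-point GUID are constructed; the flags are triage heuristics, not verdicts.

```python
"""Triage helpers for HijackThis-style O2/O4 log lines and antivirus detection paths.
Added example, not code from the thread or from HijackThis."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input, modelled on the O2/O4 lines quoted in the thread.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: (no name) - {56E5BEE6-0FDC-4463-B4D8-3214CB233A15} - C:\WINDOWS\system32\bitsprx3n.dll",
    r"O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime',
]

# Constructed sample detection paths; the restore-point GUID is a placeholder.
SAMPLE_DETECTIONS = [
    r"C:\WINDOWS\system32\bitsprx3n.dll",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP12\A0002386.dll",
]

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# System Restore stores copied files as A + 7 digits inside _restore{GUID}\RPnn\
RESTORE_POINT_RE = re.compile(
    rf"\\System Volume Information\\_restore{CLSID}\\RP\d+\\A\d{{7}}\.\w+$", re.IGNORECASE
)


@dataclass
class Entry:
    kind: str                      # "O2" (browser helper object) or "O4" (autorun)
    name: str
    path: str                      # DLL path for O2, full command line for O4
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_hjt_line(line: str) -> Optional[Entry]:
    """Parse one O2 or O4 line; return None for any other HijackThis section."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        entry = Entry("O2", m["name"], m["path"], clsid=m["clsid"].upper())
        if entry.name == "(no name)":
            entry.flags.append("unnamed_bho")    # legitimate BHOs almost always register a name
        if entry.path == "(no file)":
            entry.flags.append("missing_file")   # orphaned CLSID: registry points at nothing
        return entry
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], m["cmd"])
    return None


def triage(lines) -> List[Entry]:
    """Parse a block of HijackThis lines, keeping only the O2/O4 entries."""
    return [e for e in (parse_hjt_line(ln) for ln in lines) if e is not None]


def classify_detection(path: str) -> str:
    """'restore_point_copy' if an AV hit is a System Restore snapshot of a file,
    'live_file' otherwise. A hit only in a restore point is cleared by flushing
    restore points, not by another removal pass."""
    return "restore_point_copy" if RESTORE_POINT_RE.search(path) else "live_file"


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT_LINES):
        print(e.kind, repr(e.name), e.clsid or "", e.path, e.flags)
    for p in SAMPLE_DETECTIONS:
        print(classify_detection(p), p)
```

Running it prints one line per parsed entry with its flags, then the classification of each detection path; the unnamed BHO in system32 is the one Avast reported, and the A0002386.dll path classifies as a restore-point copy, which matches chaslang's diagnosis.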
  17. fulviagar

    fulviagar Private E-2

    Hi abri, hi chaslang!
    After my last post, I rebooted my computer and then I had no more warnings from Avast ... so I think and I hope that chaslang is right!
    However I have done all the things suggested by abri:
    - Bitdefender has not found any viruses
    - Panda has found an infection, but I'm not able to understand if it is a false or true one.
    So, here are the new logs: you can judge yourselves.
    Thank you very very much! :wave

    Fulvia
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    False! That is just a program used by ComboFix.

    You need to do our final steps that Abri would be giving you but I will give them to you now. Then hopefully you can report back how things are working afterwards for Abri.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  19. fulviagar

    fulviagar Private E-2

    Hi abri! Hi chaslang!
    Everything is ok now! :)

    I thank you all very much, you are wonderful! I didn't know this forum before, but I will always praise it from now on! :wave

    Fulvia
     
  20. abri

    abri MajorGeek

    Thanks so much fulvia!
    Best wishes for you and your computer!

    abri
     
