Avast finds but cannot deal with Win32:BHO-KD (Trojan)

Hi all and happy new year. After many happy months with the Avast 4.7 Home I have come across my first problem.

The following file:

C/Windows/system32/crypt3.dll

is infected with Win32:BHO-KD. Avast just flashed this message to me a few hours ago:

“A Trojan Horse was found! Do you want to DELETE / MOVE TO CHEST…etc”

Unfortunately, the file has a hardcore Access Denied status. Avast cannot process any action on it, nor can different Force Delete wares I’ve been trying. The same message keeps on coming: “cannot delete the file as maybe a program is using it” or “access denied” or “file in use”. System restarts don’t help, neither does deleting from DOS.

I’ve no idea what the file is, or what sort of Trojan is in play here. Google searches bring very few results either way.

I’m a bit worried as I paid for a flight and train ticket with my Visa card at home on the internet a couple of days ago…otherwise I don’t do any internet banking and have no other crucial user data or sensitive files.

Thanks in advance for any advice or information.

Extra file info on my crypt3.dll:

size: 107KB
type of file: application extension
date modified: 04.08.2004 (one year before I purchased my used PC)
date created: 07.11.2007 (no Trojan warning until 31.12.2007)
date accessed: 31.12.2007 at 22:57 (probably when I tried to permanently delete it using other software)
other: no other file information (Owner, Company, File Version etc. are all blank)
FILE PROPERTIES: reveals only a GENERAL tab - no SUMMARY or other information is available.

There are other crypt DLLs in system32 which are signed by Microsoft and were modified and created on 04.08.2004. There is also a crypt3.1 file with type: “1 File” which shares the same file info as above apart from the file type and size of 93KB (and presents a SUMMARY tab in PROPERTIES). This one can be deleted, but it’s not the one that’s infected.

I have already run a full Avast scan, the one where it scans everything upon reboot before Windows starts proper. Avast found nothing apart from this one Trojan - again, it would not move or delete; I had to select IGNORE.

Can you follow the general cleaning process?

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on. These can avoid the access denied problem (files in use). Send files to Chest and do not delete them directly.
  4. Use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

I have the same problem, can’t delete that virus - access denied when deleting this file.

File: c:\windows\system32\jgmd40.dll
Detection: Win32: BHO-KD [trj]

But I made a system disk and then booted my computer from CD (MS-DOS command prompt only), then went to C:, went to this folder and manually deleted the file.
After this the problem was solved.

You can try this.

c:\windows\system32\jgmd40.dll
That is the JGD Midi player dll

Did you submit the file to VirusTotal?
Is it infected or it is a false positive?

I don’t know what VirusTotal is.
But it was in boot memory and access denied when I tried to delete it in Windows (I tried deleting it in all modes - safe mode etc.).

I have this infected file in a zip archive and will send it to you if you need to analyze it.

???

I’m having the same issue. I ran Boot Time Scan and still got “Error: 0xC0000022 [access denied]”

I have no idea what to do from here. *runs around screaming

:smiley:

Try this:
http://forum.avast.com/index.php?topic=32338.msg270406#msg270406

The JGMD.dll file has not come up on any of my scans though. I’m showing C:\windows\system32\atioglxxe.dll[upx]

I found the file in my registry…should I delete it from there?

That returns no hits, so it is highly suspect. I suggest uploading it to Jotti and then quarantining it.

I hit browse on Jotti and it says there is no C:\windows\system32\atioglxxe.dll file ???

www.virustotal.com
It will give you a clue about the infection or not of the file.

Send it to virus (at) avast (dot) com

I can’t get “C:\windows\system32\atioglxxe.dll[upx]” to run on that site either. I’m so confused ???

Should I delete that file from my registry or is that unsafe?

It’s probably a hidden file. Try copying and pasting this line into the submit box

C:\windows\system32\atioglxxe.dll

I get this…

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
I have the normal Windows XP firewall up…have no idea how to disable that or even if I should.

Download superantispyware

First update SAS. Then boot into safe mode and set up SAS as follows.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

  • CHECK ALL BOXES

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive (and other fixed drives).

Under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked. You can post the log in your next reply if you wish.

Is this a guess or did you see something to tell you that this will work? I’m not being smart I’m simply asking because I’m about to spend $30 on it. Also…if this is some kind of a worm or something is it safe to use my credit card to buy this?

Oops…sorry just saw that there’s a free edition. :smiley:

Hey, That seemed to work. It found the file, quarantined it and rebooted the system. When I got back on IE there is no sign of the virus. THANKS!!! ;D

Thanks Tech, it’s just that I already had Archive Scanning on and still it’s Access Denied. Temp files have all been checked and cleaned. All other programs I’ve installed recognise the Trojan but can’t do anything about it…even in Safe Mode/DOS mode.

I appreciate the links tho’ and have noted them to better bulk up my PC security.

But the problem still remains. I somehow need to force my ownership on the .dll file so I am authorised to delete it/move it to chest.

Hi Chronos2k…can you run by me what you did exactly?

Thanks.