Avast finds but cannot deal with Win32:BHO-KD (Trojan)

[dholliday]

Hi all and happy new year.  After many happy months with the Avast 4.7 Home I have come across my first problem.

The following file:

C/Windows/system32/crypt3.dll

is infected with Win32:BHO-KD.  Avast just flashed this message to me a few hours ago:

"A Trojan Horse was found!  Do you want to DELETE / MOVE TO CHEST...etc"


Unfortunately, the file has a hardcore Access Denied status.  Avast cannot process any action on it, nor can different Force Delete wares I've been trying.  The same message keeps on coming: "cannot delete the file as maybe a program is using it" or "access denied" or "file in use".  System restarts don't help, neither does deleting from DOS.

I've no idea what the file is, or what sort of Trojan is in play here.  Google searches bring very little results either way.

I'm a bit worried as I paid for a flight and train ticket with my Visa card at home on the internet a couple of days ago...otherwise I don't do any internet banking and have no other crucial user data or sensitive files.

Thanks in advance for any advice or information.


Extra file info to my crypt3.dll:

size: 107KB
type of file: application extension
date modified: 04.08.2004 (one year before I purchased my used PC)
date created: 07.11.2007 (no Trojan warning until the 31.12.2007)
date accessed: 31.12.2007 at 22:57 (probably when I tried to permanently delete it using other software)
other: no other file information (Owner, Company, File Version etc are all blank)
FILE PROPERTIES: reveals only a GENERAL tab - no SUMMARY or other information is available.

There are other crypt dll's in system32 which are signed by Microsoft and were modified and created on 04.08.2004.  There is also a crypt3.1 file with type: "1 File" which shares the same file info as above apart from the file type and size of 93KB (and presents a SUMMARY tab in PROPERTIES).  This one can be deleted, but it's not the one that's infected.


I have already run a full Avast scan, the one where it scans everything upon reboot before Windows starts proper.  Avast found nothing apart from this one Trojan - again, it would not move or delete, I had to select IGNORE.

[Lisandro]

Can you follow the general cleaning process?

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on. These can avoid the access denied problem (files in use). Send files to Chest and do not delete them directly.
4. Use AVG Antispyware; SUPERantispyware and/or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

[mladja04]

I have same problem, cant to delete that virus - Access denied to delete this file.

File: c:\windows\system32\jgmd40.dll
Detection: Win32: BHO-KD [trj]


But I make system disk and after that boot my computer from CD (only in MSDOS command prompt), than I go to c:, go to this folder and manually delete this file.
After this problem is solved.

You can to try this.

[essexboy]

c:\windows\system32\jgmd40.dll
That is the JGD Midi player dll

[Lisandro]

Did you submit the file to VirusTotal?
Is it infected or it is a false positive?

[mladja04]

I dont know what is VirusTotal.
But it was in boot memory and Access denied when I try to delete it in windows (I try to delete it and in all modes - safe mode etc...).

I have this infected file in zip archive and will send you if you need to analize it.

[Chronos2k]

 

I'm having the same issue.  I ran Boot Time Scan and still got "Error: 0xC0000022 [access denied]"

I have no idea what to do from here.  *runs around screaming

 

[mladja04]

Try this:
http://forum.avast.com/index.php?topic=32338.msg270406#msg270406

[Chronos2k]

Try this:
http://forum.avast.com/index.php?topic=32338.msg270406#msg270406

The JGMD.dll file has not come up on any of my scans though.  I'm showing C:\windows\system32\atioglxxe.dll\[upx]

I found the file in my registry....should I delete it from there?

[essexboy]

That returns no hits so is highly suspect I suugest uploading to Jotti and then Quarantining

[Chronos2k]

I hit browse on Jotti and it says there is no C:\windows\system32\atioglxxe.dll file 

[Lisandro]

I dont know what is VirusTotal.

www.virustotal.com
It will give you a clue about the infection or not of the file.

I have this infected file in zip archive and will send you if you need to analize it.

Send it to virus (at) avast (dot) com

[Chronos2k]

I can't get "C:\windows\system32\atioglxxe.dll\[upx]" to run on that site either.  I'm so confused 

Should I delet that file from my registry or is that unsafe?

[oldman]

I hit browse on Jotti and it says there is no C:\windows\system32\atioglxxe.dll file 

It's probly a hidden file. Try copying and pasting this line into the submit box

C:\windows\system32\atioglxxe.dll

[Chronos2k]

I hit browse on Jotti and it says there is no C:\windows\system32\atioglxxe.dll file 

It's probly a hidden file. Try copying and pasting this line into the submit box

C:\windows\system32\atioglxxe.dll

I get this...

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I have the normal Windows XP firewall up...have no idea how to disable that or even if I should.