Topic: Help me remove Trojan horse WIN32:BHO-KD[Trj]


sharadgarg2000 (Guest)
Help me remove Trojan horse WIN32:BHO-KD[Trj]
« on: January 01, 2008, 09:34:26 AM »
My windows/system32/dmdskrest.dll\[UPX] file is infected by a Trojan Horse detected by Avast Home edition. The name of Trojan Horse is WIN32:BHO-KD[trj].

Please tell me what this Trojan does and how to remove it.

pino-88 (Guest)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #1 on: January 01, 2008, 11:26:41 AM »

I got the same Trojan Win32:BHO-KD [trj], which infected my C:\WINDOWS\system32\AC3AP.dll\[UPX].
It was revealed by Avast! in its automatic scan when I started my PC. Avast! suggested action is "move to waste basket", but when I click on the relevant button Avast! replies "Access denied: I can not process file C:\WINDOWS\system32\AC3AP.dll\[UPX].".

So I am stuck. Other possible actions are: "move/ rename..." and "cancel...".

What shall I do?

Lisandro (Avast team)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #2 on: January 01, 2008, 02:25:40 PM »
Can you schedule a boot-time scan?
Start avast! > Right-click the skin > Schedule a boot-time scanning.
Select scanning of archives.
Reboot.
If infected files are found, it's safer to send them to the Chest instead of deleting them.
This way you can analyse them further.

Access denied means, generally, that the file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!
The report file is created automatically in <avast4>\Data\Report\aswBoot.txt
The best things in life are free.

golicon (Guest)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #3 on: January 01, 2008, 03:47:53 PM »
I have received the same information: win32:bho-kd (TRJ) has been found... I have gone through a boot scan, it says access denied; I have tried to move it to the waste basket, access denied..... I can't get to it to remove it... please advise. Thanks!!!! golicon@wavecable.com

Lisandro (Avast team)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #4 on: January 01, 2008, 03:55:52 PM »
First: don't post your email here or you'll receive spam from robots that 'discover' it here.
Second: it's strange that at boot time access to the file is denied. Maybe you should boot and run anti-rootkit tools like those from AVG, Panda or Trend Micro.

A full computer on-line scanning:
Kaspersky
Trendmicro housecall
Ewido
F-Secure
Spysweeper

polonus (Avast Überevangelist, malware fighter)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #5 on: January 01, 2008, 06:19:44 PM »
Hi sharadgarg2000,

Please post a HijackThis log here:

    * Download HijackThis.exe from http://downloads.malwareremoval.com/HijackThis.exe
    * Save HijackThis.exe to your desktop.
    * Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.
    * Run HijackThis.exe
    * Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    * Click Save to save the log file; the log will then open in Notepad.
    * Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
    * Come back to this thread and paste the log in your next reply. Use more than one post if the log is long.
    * DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

mladja04 (Guest)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #6 on: January 01, 2008, 07:00:26 PM »
I have the same problem, I can't delete that virus: "Access denied" when deleting this file.

File: c:\windows\system32\jgmd40.dll
Detection: Win32: BHO-KD [trj]


But I made a system disk (floppy disk), booted my computer from it (MS-DOS command prompt only), went to C:, went to this folder and manually deleted the file.
After this the problem was solved.

I have zipped this infected file and will send it if someone needs to investigate it.

mimmo_dm (Guest)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #7 on: January 01, 2008, 07:01:50 PM »
I have the same problem, the file c:\windows\system32\cdmodeml.dll\[UPX] is infected.
Logfile of HijackThis:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\RocketDock\RocketDock.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Documents and Settings\MIMMO\Desktop\hijackthis_199\HijackThis.exe

mimmo_dm (Guest)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #8 on: January 01, 2008, 07:02:12 PM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {80B188C9-0198-4BB6-B2CB-AD40811F746E} - C:\WINDOWS\system32\cdmodeml.dll
O2 - BHO: (no name) - {B2A822B0-2E56-4D7F-9782-CBB82207C7D5} - c:\windows\system32\dgsetupv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RocketDock] "C:\Programmi\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: tnkqaqmj - C:\WINDOWS\SYSTEM32\dgsetupv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe

polonus (Avast Überevangelist, malware fighter)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #9 on: January 01, 2008, 07:17:48 PM »
Hi mimmo_dm,

Download VundoFix from here:
http://www.atribune.org/ccount/click.php?id=4
    * Double-click VundoFix.exe to run it.
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.

 Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.

After this, post a new HijackThis log.

polonus

mimmo_dm (Guest)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #10 on: January 01, 2008, 07:43:44 PM »
VundoFix:
Done searching for files. No infected files were found.

polonus (Avast Überevangelist, malware fighter)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #11 on: January 01, 2008, 07:56:33 PM »
Hi mimmo_dm,

Before we continue, I'd like you to upload the following DLLs to VirusTotal and see which engines flag what:
> cdmodeml.dll
and also
> dgsetupv.dll
If you search for these DLLs in your system32 folder: the latter, dgsetupv.dll, also starts up as an O20 Winlogon Notify entry, which is considered very suspicious, because only a very small number of DLLs (like that of ZoneAlarm, for instance) do this; most that show up in this HijackThis entry are part of a trojan. Please give all the info VirusTotal provides on the uploaded files, hash info and all.
VirusTotal is here: http://www.virustotal.com/

polonus
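The cross-check polonus describes, a DLL that is registered both as an unnamed Browser Helper Object (O2) and as a Winlogon Notify handler (O20), can be done mechanically over the pasted log. The following is an added example written for this page; it is not HijackThis code and not from any participant in the thread. The sample lines are copied from mimmo_dm's log above, plus avast's own O23 service line as a benign control, and the vowel-ratio heuristic for spotting generated key names such as "tnkqaqmj" is an assumption of the example, not a rule HijackThis applies.

```python
"""Triage a HijackThis log for unnamed BHOs and Winlogon Notify DLLs.
Added example for this page, not HijackThis or forum code."""
import re

# Constructed sample: O2/O20 lines copied from the log posted in this thread,
# plus one benign O23 service line so the control case is visible.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {80B188C9-0198-4BB6-B2CB-AD40811F746E} - C:\WINDOWS\system32\cdmodeml.dll
O2 - BHO: (no name) - {B2A822B0-2E56-4D7F-9782-CBB82207C7D5} - c:\windows\system32\dgsetupv.dll
O20 - Winlogon Notify: tnkqaqmj - C:\WINDOWS\SYSTEM32\dgsetupv.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def norm(path):
    """Case-fold a Windows path so the same DLL matches across entries."""
    return path.strip().lower()


def looks_random(name):
    """Heuristic (assumption of this example): long, vowel-poor names such as
    'tnkqaqmj' are typical of generated registry keys. A hint, not proof."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25


def triage(log_text):
    """Return the DLLs worth uploading to VirusTotal, grouped by why they stood out."""
    unnamed, notify, random_keys = set(), set(), []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            # A BHO with no registered name is a classic sign of an ad-injecting DLL.
            if m.group("name") == "(no name)":
                unnamed.add(norm(m.group("path")))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe, which is why avast
            # gets "access denied": the file is held open by a system process.
            notify.add(norm(m.group("path")))
            if looks_random(m.group("key")):
                random_keys.append(m.group("key"))
    return {
        "unnamed_bho": sorted(unnamed),
        "winlogon_notify": sorted(notify),
        "both": sorted(unnamed & notify),
        "random_notify_keys": random_keys,
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the "both" bucket is the one polonus singles out, because a BHO that also hooks Winlogon gets loaded before any user session exists and survives an ordinary delete.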

mimmo_dm (Guest)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #12 on: January 01, 2008, 08:03:16 PM »
c:\windows\system32\cdmodeml.dll\[UPX] file is infected by a Trojan Horse detected by Avast Home edition

polonus (Avast Überevangelist, malware fighter)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #13 on: January 01, 2008, 08:13:01 PM »
Hi mimmo_dm,

What did the other scanners at virustotal.com report?

Did you upload the two files, cdmodeml.dll and dgsetupv.dll  to virustotal?

polonus
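When the upload to VirusTotal fails, the "hash info and all" polonus asks for can still be produced locally, and the `\[UPX]` suffix in avast's report (the detection fired inside the UPX-packed layer of the DLL) can be confirmed from the PE section table. This is an added example for this page, not avast or VirusTotal code; `build_fake_pe` constructs a synthetic, non-executable PE header purely as test input, and the UPX0/UPX1 section-name check assumes the packer's default names were not altered.

```python
"""Hashes and UPX section check for a suspect DLL.
Added example for this page, not avast or VirusTotal code."""
import hashlib
import struct


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of the raw bytes, hex-encoded, as VirusTotal lists them."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_section_names(data):
    """Section names from the PE section table, or [] if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size                          # 4-byte signature + 20-byte COFF header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]            # 40-byte section header, name first
        if len(raw) < 8:
            break                                                 # truncated table: stop rather than guess
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data):
    """UPX names its sections UPX0/UPX1 (UPX2 for resources) unless the packer was told otherwise."""
    return any(n.startswith("UPX") for n in pe_section_names(data))


def describe(data):
    """Everything a helper would want pasted into the thread for one file."""
    info = file_hashes(data)
    info["sections"] = pe_section_names(data)
    info["upx_packed"] = is_upx_packed(data)
    return info


def build_fake_pe(section_names):
    """Constructed test input: a minimal PE header carrying the given section names.
    Not executable; real samples are read from disk with open(path, 'rb')."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=DLL|EXECUTABLE|32BIT
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x2102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + coff + sections


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read()))
    else:
        print(describe(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))
```

Hash the file exactly as it sits on disk (`python describe.py C:\WINDOWS\system32\dgsetupv.dll`): VirusTotal keys its reports on the packed bytes, so an unpacked copy would give a different hash and no match. If the section table shows UPX names, a second set of hashes for the unpacked image is worth attaching, since that is the layer avast actually matched.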

mimmo_dm (Guest)
Re: Help me remove Trojan horse WIN32:BHO-KD[Trj]
« Reply #14 on: January 01, 2008, 08:23:20 PM »
No, because IE says "error loading page".